Facilitated Self-Evaluation v1.0



Similar documents
Working to Achieve Cybersecurity in the Energy Sector

DOE Cyber Security Policy Perspectives

Working to Achieve Cybersecurity in the Energy Sector. Cybersecurity for Energy Delivery Systems (CEDS)

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Protecting Your Organisation from Targeted Cyber Intrusion

Smart Grid Cybersecurity Lessons Learned

SANS Top 20 Critical Controls for Effective Cyber Defense

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Critical Controls for Cyber Security.

IEEE-Northwest Energy Systems Symposium (NWESS)

Attachment A. Identification of Risks/Cybersecurity Governance

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

RuggedCom Solutions for

future data and infrastructure

IT Networking and Security

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Ovation Security Center Data Sheet

Dr. György Kálmán

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Cyber Security for NERC CIP Version 5 Compliance

OCIE CYBERSECURITY INITIATIVE

THE TOP 4 CONTROLS.

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

IT Security and OT Security. Understanding the Challenges

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

FISMA / NIST REVISION 3 COMPLIANCE

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Summary of CIP Version 5 Standards

Industrial Control Systems Security Guide

Cyber Security Seminar KTH

Cyber Security Management for Utility Operations by Dennis K. Holstein (Opus Publishing) and Jose Diaz (Thales esecurity)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Network Security Administrator

74% 96 Action Items. Compliance

Looking at the SANS 20 Critical Security Controls

Defending Against Data Beaches: Internal Controls for Cybersecurity

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

GE Measurement & Control. Cyber Security for NEI 08-09

NERC CIP VERSION 5 COMPLIANCE

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

The Protection Mission a constant endeavor

How To Protect Water Utilities From Cyber Attack

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Cybersecurity and internal audit. August 15, 2014

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

IT Networking and Security

Securing Distribution Automation

IoT Security Platform

The Comprehensive Guide to PCI Security Standards Compliance

Rebecca Massello Energetics Incorporated

Seven Strategies to Defend ICSs

Patch and Vulnerability Management Program

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

GE Measurement & Control. Cyber Security for NERC CIP Compliance

SecFlow Security Appliance Review

A Systems Approach to HVAC Contractor Security

Cisco Advanced Services for Network Security

Update On Smart Grid Cyber Security

Ovation Security Center Data Sheet

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Industrial Security for Process Automation

Cyber Security nei prodotti di automazione

Fundamentals of a Windows Server Infrastructure MOC 10967

Industrial Security Solutions

SonicWALL PCI 1.1 Implementation Guide

Cybersecurity considerations for electrical distribution systems

Remote Services. Managing Open Systems with Remote Services

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

ITL BULLETIN FOR JANUARY 2011

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

Security in the smart grid

CorreLog Alignment to PCI Security Standards Compliance

Security + Certification (ITSY 1076) Syllabus

Implementing Cisco IOS Network Security v2.0 (IINS)

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Enterprise Cybersecurity: Building an Effective Defense

ICS-CERT Incident Response Summary Report

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Cyber Security Metrics Dashboards & Analytics

Cloak and Secure Your Critical Infrastructure, ICS and SCADA Systems

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

What is Really Needed to Secure the Internet of Things?

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Transcription:

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) Patricia Hoffman Facilitated Self-Evaluation v1.0 Assistant Secretary Office of Electricity Delivery and Energy Reliability U.S. Department of Energy www.oe.energy.gov

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) ES-C2M2 enables consistent evaluation of the maturity of an organization s cybersecurity capabilities; allowing the entity to prioritize its cybersecurity investments. The ES-C2M2 is available for download at: http://energy.gov/oe/downloads/electricitysubsector-cybersecurity-capability-maturitymodel-may-2012 ES-C2M2 program information can be obtained by emailing ES-C2M2@HQ.DOE.GOV 2

ES-C2M2 Program Metrics 2012 JAN: Program kickoff APR: 17 Pilot Facilitations MAY: Functional Model Developed MAY DEC: 7 DOE Facilitated Self-Evaluations 2013 JAN FEB: 1 DOE Facilitated Self-Evaluation ES-C2M2 toolkit requests 199 requests since June 2012 103 utilities, 17 international, 79 non-utilities 3

Cyber Security Framework Comprised of Capability and Risk Management Risk Management (analyze risk) Asset Configuration Management (inventory, architecture, software upgrades Identity and Access Management (role base access for application and physical access Threat and Vulnerability Management (new IT, OT technologies) Situational Awareness (Monitoring tools, intrusion detection tools) Information Sharing and Communications Event and Incident Response (Detect and Respond) Supply Chain and External Dependencies Management Workforce Management

ES-C2M2 Capability Development Illustration Situational Awareness Situational awareness activities may include: Performance of logging Monitoring logs Aggregating monitoring information Developing a Common Operating Picture Example MIL Progression for Monitor the Function MIL1 Cybersecurity monitoring activities are performed (e.g., periodic reviews of log data) MIL2 Alarms and alerts are configured to aid the identification of cybersecurity events MIL3 Continuous monitoring is performed across the operational environment to identify anomalous activity 5

ES-C2M2 Capability Development Illustration Incident Response Incident response activities may include: Analyzing incidents to identify patterns and trends Logging, tracking and reporting incidents Performing root-cause and lessons-learned analysis Example MIL Progression for Plan for Continuity MIL1 The sequence of activities necessary to return the function to normal operation is identified MIL2 Recovery time objectives for the function are incorporated into continuity plans MIL3 Recovery time objectives are aligned with the function s risk criteria 6

Example: Shodan Description: Readily available search engine that identifies configuration of industrial control systems connected to the internet Attack Vector Internet Accessible assets Remote Access Brute Force Attack Known Vulnerability Exploits Capability A network (IT and/or OT) architecture is used to support risk analysis Root privileges, administrative access, emergency access, and shared accounts receive additional scrutiny and monitoring Anomalous access attempts are monitored as indicators of cybersecurity events Cybersecurity vulnerability information is gathered and interpreted for the function US-CERT ICS Alert: http://www.us-cert.gov/control_systems/pdf/ics-alert-10-301-01.pdf 7

Example: Night Dragon Description: Coordinated attack by Advanced Persistent Threat using multiple attack vectors with the goal of data theft Attack Vector Social Engineering Default Hardware Configuration Known Vulnerability Exploits Lack of awareness Capability Cybersecurity awareness content is based on the organization s threat profile, users are educated The design of configuration baselines includes cybersecurity objectives Cybersecurity vulnerability assessments are performed for all assets important to the delivery of the function, at an organization-defined frequency Information sources to support threat management activities are identified (e.g., ES-ISAC, ICS-CERT, US- CERT, industry associations, vendors, federal briefings) ES-ISAC Industry Advisory: http://www.esisac.com/public%20library/alerts/night%20dragon.pdf 8

R&D Success Story: Lemnos Interoperable Configuration Profiles Today, at least ten vendors of power grid devices have implemented the Lemnos for interoperable cybersecurity of energy sector routable communications Secure channels for routable data communications through Internet Protocol Security (IPSec) virtual private networks (VPNs) Secure web communications and terminal connection using the Transport Layer Security (TLS) cryptographic protocol to provide communication security over the Internet and Secure Shell (SSH) for public-key cryptography to authenticate a remote terminal user Centralized Certificate Revocation using the Online Certificate Status Protocol (OCSP) to obtain the revocation status of a digital certificate Central authentication and authorization using the Lightweight Directory Access Protocol (LDAP) for accessing and maintaining distributed directory information services over an IP network Central log collection using Syslog for notification, traceability, and trouble shooting Project Partners: Vendors Using Lemnos: Project Team: EnerNex Corporation, Sandia National Laboratories, Schweitzer Engineering Laboratories, Tennessee Valley Authority

R&D Success Story: exe-guard Protects substation servers and communication processors against malware and unauthorized changes Whitelisting solution for embedded Linux devices Protects against malware at the device level Maintains settings and configuration integrity Minimizes application of security patches Addresses CIP-007-R4, which requires asset owners to employ malicious software prevention tools on assets Addresses the CIP-007-R3 requirement for security patch management Technical Approach Develop a software solution for embedded Linux Systems Leverage deny by default/whitelist approach Implements Autoscopy Jr. developed by the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) for kernel hardening For more information: https://www.controlsystemsroadmap.net/efforts /Pages/exe-Guard.aspx Project Team: Schweitzer Engineering Laboratory, Dominion Virginia Power, Sandia National Laboratories 10

Additional Information NIST Request for Information https://www.federalregister.gov/articles/2013/02/26/2013-04413/developing-aframework-to-improve-critical-infrastructure-cybersecurity Cybersecurity Executive Order http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improvingcritical-infrastructure-cybersecurity Electricity Subsector Cybersecurity Capability Maturity Model http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturitymodel-may-2012 ES-C2M2 Facilitated Self-Evaluation v1.0 11

Backup Slides ES-C2M2 Facilitated Self-Evaluation v1.0 12

Examples of DOE National Laboratory R&D to enhance cybersecurity in energy sector 1. High-Level (4 th Gen) Language Microcontroller Implementation Idaho National Laboratory is implementing a high-level fourth generation programming language for use with microcontrollers that limits direct access to device memory and hardens microcontrollers against low-level cyber attacks Partners: Siemens Corporate Research 2. Control Systems Situational Awareness Technology Interoperable Tool Suite Idaho National Laboratory is developing a situational awareness tool suite for control systems Partners: Idaho Falls Power, Austin Energy, Argonne National Laboratory, University of Illinois, Oak Ridge National Laboratory, University of Idaho 3. Automated Vulnerability Detection for Compiled Smart Grid Software Oak Ridge National Laboratory is developing a system for conducting cybersecurity vulnerability detection of smart grid components and systems by performing static analysis of compiled software and device firmware Partners: Software Engineering Institute, University of Southern Florida, EnerNex Corporation 4. Next Generation Secure, Scalable Communication Nework for the Smart Grid Oak Ridge National Laboratory is a developing a wireless technology that is robust, secure, scalable for smart grid applications using an adaptive hybrid spread-spectrum modulation format to provide superior resistance to multipath, noise, interference, and jamming Partners: Pacific Northwest National Laboratory, Virginia Tech, OPUS Consulting, Kenexis Consulting. 5. Bio-Inspired Technologies for Enhancing Cybersecurity in the Energy Sector Pacific Northwest National Laboratory is demonstrating that a bio-inspired solution using lightweight, mobile agents (Digital Ants) can be deployed across multiple organizational boundaries found in smart grid architectures to correlate activities, produce emergent behavior, and draw attention to anomalous condition Partners: Wake Forest University, University of California-Davis, Argonne National Laboratory, SRI International. 13

Examples of Applied R&D to Enhance Energy Sector Cybersecurity 1. Watchdog Schweitzer Engineering Laboratories is developing a Managed Switch for the control system local area network (LAN) that performs deep packet inspection using a white list configuration approach to establish a set of known, allowed communications Partners: CenterPoint Energy Houston Electric, Pacific Northwest National Laboratory 2. Padlock - Schweitzer Engineering Laboratories is developing a security gateway to help protect field device communications and sense physical tampering to enhance cyber and physical security at the distribution network level. The low-power, low-cost Padlock Gateway will establish encrypted communication between central stations and filed devices while enabling strong access controls, logging, and secure communications with transparent access to the serial port of the existing energy system protection device Partners: Tennessee Valley Authority, Sandia National Laboratories 3. Role Based Access Control -Driven (RBAC) Least Privilege Architecture for Control Systems Honeywell International is developing a role based access control driven least privilege architecture for energy delivery systems Partners: University of Illinois, Idaho National Laboratory 4. SIEGate Grid Protection Alliance is developing a Secure Information Exchange Gateway (SIEGate) that provides secure communication of data between control centers Partners: University of Illinois, Pacific Northwest National Laboratory, PJM, AREVA T&D. 5. Smart Grid Cryptographic Key Management Sypris Electronics is developing a cryptographic key management system scaled to secure communications for the millions of smart meters within the smart grid advanced metering infrastructure Partners: Purdue University Center for Education and Research in Information Assurance and Security, Oak Ridge National Laboratory, Electric Power Research Institute 14

WORKFORCE CYBER SITUATION SHARING RESPONSE DEPENDENCIES RISK ASSET ACCESS THREAT ES-C2M2 Model Structure Risk Management Asset, Change, and Configuration Management Identity and Access Management Threat and Vulnerability Management Situational Awareness Information Sharing and Communications Event and Incident Response, Continuity of Operations Supply Chain and External Dependencies Management Workforce Management Cybersecurity Program Management Domains are logical groupings of Cybersecurity practices Each domain has a short name for easy reference 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information