C2M2 and the NIST Cyber Framework: Applying DOE's NIST Cyber Security Framework Guidance June 18, 2015
Victoria Yan Pillitteri, National Institute of Standards & Technology (NIST) Smart Grid Cybersecurity Committee Chair
SGIP Cybersecurity Committee
The SGIP Cybersecurity Committee is a collaborative forum that develops resources smart grid stakeholders can leverage to understand and manage cybersecurity risk. Cybersecurity is a critical, crosscutting issue for the Smart Grid.
Update: Cybersecurity Task Force
The Cybersecurity Task Force is developing a case study highlighting how different utilities have implemented various voluntary cybersecurity frameworks, including results, benefits, and key lessons learned.
Next Task Force virtual meeting: Tuesday, June 23 at 10 AM Eastern.
To learn more contact: victoria.pillitteri@nist.gov and ellisonm@dteenergy.com
Christopher S. Taylor is currently a senior Engineering Analyst for Southern Company's IT Security Team.
Agenda
- NIST Cybersecurity Framework and Implementation Guidance
- C2M2 Overview
- Southern's C2M2 to NIST Framework Tool
- Comparative Analysis
NIST Cybersecurity Framework
NIST Cyber Security Framework
- Developed in response to Executive Order 13636, which calls for the development of a voluntary Cybersecurity Framework
- The Framework provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk
- The Framework is composed of 3 parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profile
- In January 2015, DOE released the Energy Sector's Cybersecurity Framework Implementation Guidance; C2M2 is DOE's recommended implementation tool
Cybersecurity Framework Implementation Guidance
Provides a standard approach aligned with the Framework's 7-step process:
1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze, Prioritize Gaps
7. Implement Action Plan

Advocates use of C2M2 to implement the Framework because of its:
- Widespread use
- Support for benchmarking
- Sector-specific guidance
- Descriptive guidance
- Mapping of C2M2 to the Framework
- Self-evaluation toolkit
C2M2 Overview
C2M2 Overview
- ES-C2M2 is a DOE-developed tool that helps organizations evaluate, prioritize, and improve cybersecurity capabilities
- Maturity model definition: an organized way to identify competencies and areas for improvement
- C2M2 is used to evaluate a business unit's practices, processes, and procedures
C2M2 Components

10 Model Domains (logical groupings of cybersecurity practices):
- Risk Management
- Asset, Change and Configuration Management
- Identity and Access Management
- Threat and Vulnerability Management
- Situational Awareness
- Information Sharing and Communications
- Event and Incident Response, Continuity of Operations
- Supply Chain and External Dependencies Management
- Workforce Management
- Cybersecurity Program Management

4 Maturity Indicator Levels (defined progressions of practices):
- MIL 3: Managed
- MIL 2: Performed
- MIL 1: Initiated
- MIL 0: Not Performed

Each cell (domain by MIL) contains the defining practices for that domain at that maturity indicator level.
Sample C2M2 Evaluation Results
The C2M2 Toolkit generates a graphical summary of the results broken down by C2M2 domain and MIL. Detailed results and analysis are also provided for each domain.
Southern s C2M2 to NIST Framework Tool
C2M2 to NIST Framework Mapping
DOE's Implementation Guidance mapped C2M2 practices to NIST's Framework Core (Functions, Categories, Subcategories, Informative References) and to the Framework Implementation Tiers.

CSF Core <-> C2M2: Functions IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
CSF Tiers <-> C2M2: Tier 1: Partial; Tier 2: Risk Informed; Tier 3: Repeatable; Tier 4: Adaptive
Automating the C2M2 to NIST Process

Current implementation of the Framework using C2M2:
- The C2M2 toolkit and assessment process provide the data required to implement the Framework
- The Implementation Guidance maps C2M2 practices to the Framework
- The user must then manually extract data from the C2M2 toolkit into the Framework

The C2M2 to NIST Framework tool automates the rest of the process:
- Automates extraction of data from the C2M2 toolkit and populates the NIST Framework
- Uses the notes section of the C2M2 toolkit to develop target profiles
- Generates tables and charts of the Framework Core
- Generates tables and charts of the Framework Implementation Tiers
Sample C2M2 to NIST Framework Tool Output (IDENTIFY function)

The slide overlays the NIST Framework's 7 steps on the columns: Prioritize and Scope, Orient, Create a Current Profile and Conduct a Risk Assessment over the Function/Category/Subcategory/Current Profile columns; Create a Target Profile over the Target Profile column; Determine, Analyze, Prioritize Gaps and Implement Action Plan over the Gaps column.

Category: Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

Function  Subcategory                                                                       MIL  C2M2 Practice  Current Profile  Target Profile  Gaps
IDENTIFY  ID.AM-1: Physical devices and systems within the organization are inventoried       1   ACM-1a         FI               C2M2 Activity   C2M2 Notes
IDENTIFY  ID.AM-1                                                                             2   ACM-1c         FI               C2M2 Activity   C2M2 Notes
IDENTIFY  ID.AM-1                                                                             3   ACM-1e         LI               C2M2 Activity   C2M2 Notes
IDENTIFY  ID.AM-1                                                                             3   ACM-1f         PI               C2M2 Activity   C2M2 Notes
IDENTIFY  ID.AM-2: Software platforms and applications within the organization are inventoried  1   ACM-1a         FI               C2M2 Activity   C2M2 Notes
IDENTIFY  ID.AM-2                                                                             2   ACM-1c         FI               C2M2 Activity   C2M2 Notes
IDENTIFY  ID.AM-2                                                                             3   ACM-1e         LI               C2M2 Activity   C2M2 Notes
IDENTIFY  ID.AM-2                                                                             3   ACM-1f         PI               C2M2 Activity   C2M2 Notes
Sample NIST Framework Function Results

The Framework Core provides a set of activities to achieve specific cybersecurity outcomes and references examples of guidance to achieve those outcomes.

NIST Framework Results by Function (counts by implementation status and MIL)

Function  Status                 MIL 1  MIL 2  MIL 3  Totals
Identify  Fully Implemented         24     23     24      71
          Largely Implemented        1     14     23      38
          Partially Implemented      2      8     14      24
          Not Implemented            2      0      3       5
          Subtotals                 29     45     64     138
Protect   Fully Implemented         50     28     10      88
          Largely Implemented        3     26     32      61
          Partially Implemented      3     16     30      49
          Not Implemented            0      0      1       1
          Subtotals                 56     70     73     199
Detect    Fully Implemented         20      2      8      30
          Largely Implemented        1     22     10      33
          Partially Implemented      1      2     14      17
          Not Implemented            0      0      3       3
          Subtotals                 22     26     35      83
Respond   Fully Implemented         10      4      3      17
          Largely Implemented        0      9      9      18
          Partially Implemented      0      6      6      12
          Not Implemented            0      0      0       0
          Subtotals                 10     19     18      47
Recover   Fully Implemented          1      0      1       2
          Largely Implemented        0      0      3       3
          Partially Implemented      0      3      4       7
          Not Implemented            0      0      0       0
          Subtotals                  1      3      8      12
TOTALS                              118    163    198     479
Sample NIST Framework Implementation Tier Results

The Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.

Status                 Tier 1 (Partial)  Tier 2 (Risk Informed)  Tier 3 (Repeatable)  Tier 4 (Adaptive)
Fully Implemented             12                 11                     8                   2
Largely Implemented            0                  4                     5                  13
Partially Implemented          0                  0                     8                   7
Not Implemented                0                  0                     5                   2
Totals                        12                 15                    26                  24
Displaying the CSF Results by Function

Option 1: Map C2M2 by NIST CSF Function and MILs
- Leverages the C2M2 scoring criteria (partial credit)
- Preserves MILs to understand the complexity of mitigation efforts
- Many-to-many relationships, so must determine whether to remove duplicates
[Charts: NIST Framework by Function and MIL; NIST Framework by Function and MIL (No Duplicates)]

Option 2: Map C2M2 by NIST CSF Function but remove MILs
- Leverages the C2M2 scoring criteria (partial credit)
- Removes MILs to conform to the NIST CSF's flat architecture
- Many-to-many relationships, so must determine whether to remove duplicates
[Charts: NIST Framework by Function; NIST Framework by Function (No Duplicates)]

Option 3: Map C2M2 by NIST CSF Function but remove MILs and partial credit
- Removes the C2M2 scoring criteria (partial credit) to arrive at complete or not complete
- Removes MILs to conform to the NIST CSF's flat architecture
- Many-to-many relationships, so must determine whether to remove duplicates
[Charts: NIST Framework by Function; NIST Framework by Function (No Duplicates)]

Option 4: Map C2M2 by NIST CSF Function and Category
- Determines the average score for each subcategory and rounds down
- Must determine whether to preserve partial credit
[Charts: NIST Framework by Function and Category; NIST Framework by Function and Category (No Duplicates)]

Displaying the CSF Results by Tier
Map C2M2 by NIST CSF Tier
- Many-to-many relationships, so must determine whether to remove duplicates
- Must determine whether to preserve partial credit
[Charts: NIST Framework by Tier; NIST Framework by Tier (No Duplicates), each shown with partial credit and with no partial credit]
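The four options differ only in how the same practice scores are aggregated, and the two decisions the slides flag (duplicates from the many-to-many mapping, and whether to keep partial credit) change the numbers materially. The following is an added example in Python, not code from the Southern tool or the DOE guidance: the practice scores under ID.AM-1 and ID.AM-2 reproduce the sample tool output above, while the remaining practices, the MAPPING table and the ID.AM-3 and PR.AC-1 assignments are constructed for illustration and are not DOE's mapping.

```python
"""Rolling C2M2 practice scores up into NIST CSF results the four ways
described above. Constructed example: the ID.AM-1/ID.AM-2 scores mirror the
sample tool output; everything else (other practices, the mapping table) is
assumed for illustration and is not DOE's published mapping."""
from collections import Counter, defaultdict
from math import floor

# C2M2 toolkit scoring criteria ("partial credit"): FI=3, LI=2, PI=1, NI=0
SCORE = {"FI": 3, "LI": 2, "PI": 1, "NI": 0}
STATUS = {v: k for k, v in SCORE.items()}

# Constructed assessment results: practice -> (MIL, status)
ASSESSMENT = {
    "ACM-1a": (1, "FI"), "ACM-1c": (2, "FI"), "ACM-1e": (3, "LI"), "ACM-1f": (3, "PI"),
    "ACM-2a": (1, "FI"), "ACM-2b": (2, "NI"),
    "IAM-1a": (1, "FI"), "IAM-1b": (2, "LI"),
}

# Constructed many-to-many mapping: CSF subcategory -> C2M2 practices.
# ACM-1a..ACM-1f deliberately sit under two subcategories; that is the
# duplicate problem each option has to decide about.
MAPPING = {
    "ID.AM-1": ["ACM-1a", "ACM-1c", "ACM-1e", "ACM-1f"],
    "ID.AM-2": ["ACM-1a", "ACM-1c", "ACM-1e", "ACM-1f"],
    "ID.AM-3": ["ACM-2a", "ACM-2b"],
    "PR.AC-1": ["IAM-1a", "IAM-1b"],
}


def csf_function(subcategory):
    """'ID.AM-1' -> 'ID' (IDENTIFY); 'PR.AC-1' -> 'PR' (PROTECT)."""
    return subcategory.split(".")[0]


def mapped_rows(dedupe):
    """Yield (function, MIL, status) once per mapping row.

    With dedupe=True a practice is counted only once per CSF function,
    however many subcategories it is mapped to."""
    seen = set()
    for sub, practices in MAPPING.items():
        fn = csf_function(sub)
        for practice in practices:
            if dedupe and (fn, practice) in seen:
                continue
            seen.add((fn, practice))
            mil, status = ASSESSMENT[practice]
            yield fn, mil, status


def by_function_and_mil(dedupe=False):
    """Option 1: FI/LI/PI/NI counts per (function, MIL), partial credit kept."""
    counts = defaultdict(Counter)
    for fn, mil, status in mapped_rows(dedupe):
        counts[(fn, mil)][status] += 1
    return {k: dict(v) for k, v in counts.items()}


def by_function(dedupe=False, partial_credit=True):
    """Option 2 (partial_credit=True) and Option 3 (partial_credit=False).

    MILs are dropped to match the CSF's flat structure; Option 3 also
    collapses the four statuses to implemented (FI only) vs not implemented."""
    counts = defaultdict(Counter)
    for fn, _, status in mapped_rows(dedupe):
        if not partial_credit:
            status = "Implemented" if status == "FI" else "Not Implemented"
        counts[fn][status] += 1
    return {k: dict(v) for k, v in counts.items()}


def by_subcategory(partial_credit=True):
    """Option 4: average the mapped practice scores per subcategory, round down."""
    result = {}
    for sub, practices in MAPPING.items():
        scores = [SCORE[ASSESSMENT[p][1]] for p in practices]
        if not partial_credit:  # only FI earns credit
            scores = [3 if s == 3 else 0 for s in scores]
        result[sub] = STATUS[floor(sum(scores) / len(scores))]
    return result


if __name__ == "__main__":
    print("Option 1, duplicates kept:", by_function_and_mil())
    print("Option 1, deduplicated:   ", by_function_and_mil(dedupe=True))
    print("Option 2:", by_function(dedupe=True))
    print("Option 3:", by_function(dedupe=True, partial_credit=False))
    print("Option 4:", by_subcategory(), "| no partial credit:", by_subcategory(False))
```

Two effects worth noticing on this small input: keeping duplicates inflates the IDENTIFY column from 6 rows to 10, because the four ACM-1 practices are counted under both subcategories; and Option 4's round-down means ID.AM-1 (scores 3, 3, 2, 1, average 2.25) reports as LI with partial credit but drops to PI once partial credit is removed.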
C2M2 to NIST Toolkit: Comparative Analysis
Comparative Analysis: Sortable Results

Survey responses per question, ordered by Domain/Objective/Practice. Available sorts: Domain/Objective/Practice; Domain/MIL/Practice; Domain/Average Score Low to High; Average Score Low to High; Domain/Average Score High to Low; Average Score High to Low; Standard Deviation.

Domain               Objective                                               MIL  Practice  Org 1  Org 2  Org 3  Org 4  Average  Std Dev
01. Risk Management  01. Establish Cyber Security Risk Management Strategy    2    RM-1a     FI     FI     FI     FI     3        0
01. Risk Management  01. Establish Cyber Security Risk Management Strategy    2    RM-1b     FI     FI     FI     FI     3        0
01. Risk Management  01. Establish Cyber Security Risk Management Strategy    3    RM-1c     FI     FI     FI     FI     3        0
01. Risk Management  01. Establish Cyber Security Risk Management Strategy    3    RM-1d     FI     FI     FI     FI     3        0
01. Risk Management  01. Establish Cyber Security Risk Management Strategy    3    RM-1e     FI     FI     FI     FI     3        0
01. Risk Management  02. Manage Cyber Security Risk                           1    RM-2a     FI     FI     FI     FI     3        0
01. Risk Management  02. Manage Cyber Security Risk                           1    RM-2b     FI     FI     FI     FI     3        0
01. Risk Management  02. Manage Cyber Security Risk                           2    RM-2c     LI     LI     FI     FI     2.5      0.577
01. Risk Management  02. Manage Cyber Security Risk                           2    RM-2d     FI     FI     FI     FI     3        0
01. Risk Management  02. Manage Cyber Security Risk                           2    RM-2e     FI     FI     FI     FI     3        0
01. Risk Management  02. Manage Cyber Security Risk                           2    RM-2f     FI     FI     FI     FI     3        0
01. Risk Management  02. Manage Cyber Security Risk                           2    RM-2g     FI     FI     FI     FI     3        0
01. Risk Management  02. Manage Cyber Security Risk                           3    RM-2h     FI     PI     LI     FI     2.25     0.957
01. Risk Management  02. Manage Cyber Security Risk                           3    RM-2i     FI     FI     LI     FI     2.75     0.5
01. Risk Management  02. Manage Cyber Security Risk                           3    RM-2j     FI     LI     LI     FI     2.5      0.577
01. Risk Management  03. Management Activities                                2    RM-3a     PI     LI     FI     FI     2.25     0.957
01. Risk Management  03. Management Activities                                2    RM-3b     FI     FI     FI     FI     3        0
01. Risk Management  03. Management Activities                                2    RM-3c     FI     LI     FI     LI     2.5      0.577
01. Risk Management  03. Management Activities                                2    RM-3d     FI     FI     FI     FI     3        0
01. Risk Management  03. Management Activities                                3    RM-3e     FI     LI     FI     LI     2.5      0.577
01. Risk Management  03. Management Activities                                3    RM-3f     PI     FI     FI     FI     2.5      1
01. Risk Management  03. Management Activities                                3    RM-3g     FI     FI     FI     FI     3        0
01. Risk Management  03. Management Activities                                3    RM-3h     FI     LI     FI     FI     2.75     0.5
01. Risk Management  03. Management Activities                                3    RM-3i     FI     FI     FI     FI     3        0

- Takes C2M2 input from multiple assessments and puts it in a sortable results table
- Focused only on C2M2, not the NIST CSF
Comparative Analysis: Summary (Avg Scores)

Domain Average Score

Domain                                                   Org 1  Org 2  Org 3  Org 4  Avg Score
01. Risk Management                                      2.79   2.67   2.88   2.92   2.81
02. Asset, Change, and Configuration Management          2.58   2.00   2.77   2.81   2.54
03. Identity and Access Management                       3.00   2.32   3.00   2.96   2.82
04. Threat and Vulnerability Management                  2.36   1.61   2.24   2.33   2.14
05. Situational Awareness                                2.19   1.48   2.29   2.26   2.06
06. Information Sharing and Communications               2.23   2.23   2.82   2.77   2.51
07. Event and Incident Response, Continuity of Operations  2.27   2.23   2.33   2.46   2.32
08. Supply Chain and External Dependencies Management    1.90   1.80   2.00   2.23   1.98
09. Workforce Management                                 2.53   1.97   2.47   2.18   2.29
10. Cybersecurity Program Management                     2.81   2.71   2.52   2.77   2.70

- Creates a summary worksheet of the C2M2 assessment results
- 1st section is an average score for each domain by organization assessed
Comparative Analysis: Summary (Low Scores)

Average (Partial or Less)

Practice  Org 1  Org 2  Org 3  Org 4  Avg Score
TVM-1h    0.00   0.00   0.00   0.00   0.00
TVM-1j    0.00   0.00   0.00   0.00   0.00
TVM-2m    0.00   0.00   0.00   0.00   0.00
EDM-2c    0.00   0.00   0.00   0.00   0.00
CPM-4b    0.00   0.00   0.00   0.00   0.00
IR-3m     0.00   1.00   0.00   1.00   0.50
TVM-1e    1.00   0.00   1.00   1.00   0.75
SA-3b     1.00   0.00   1.00   1.00   0.75
EDM-3a    0.00   0.00   1.00   2.00   0.75
TVM-1d    1.00   1.00   1.00   1.00   1.00
SA-2d     1.00   1.00   1.00   1.00   1.00
SA-2e     1.00   1.00   1.00   1.00   1.00
SA-2f     1.00   1.00   1.00   1.00   1.00
SA-2h     1.00   1.00   1.00   1.00   1.00
SA-3d     1.00   1.00   1.00   1.00   1.00
IR-1g     1.00   1.00   1.00   1.00   1.00
IR-2g     1.00   1.00   1.00   1.00   1.00
IR-2h     1.00   0.00   1.00   2.00   1.00
IR-3f     1.00   1.00   1.00   1.00   1.00
IR-3g     1.00   1.00   1.00   1.00   1.00
EDM-2d    1.00   1.00   1.00   1.00   1.00
EDM-2e    1.00   1.00   1.00   1.00   1.00
EDM-2f    1.00   1.00   1.00   1.00   1.00
EDM-2h    1.00   1.00   1.00   1.00   1.00
EDM-2i    1.00   1.00   1.00   1.00   1.00
EDM-3g    0.00   1.00   0.00   3.00   1.00
WM-1g     2.00   0.00   1.00   1.00   1.00
WM-3g     1.00   1.00   1.00   1.00   1.00
WM-4c     1.00   1.00   1.00   1.00   1.00
WM-4d     1.00   1.00   1.00   1.00   1.00
CPM-1g    1.00   1.00   1.00   1.00   1.00

- 2nd section is all activities that average Partially Implemented or less
- Focused only on C2M2, not the NIST CSF
Comparative Analysis: Summary (Standard Deviation, Top 10)

Practice  Org 1  Org 2  Org 3  Org 4  Std Deviation
ACM-2d    PI     NI     FI     FI     1.50
IAM-3a    FI     NI     FI     FI     1.50
TVM-3a    FI     NI     FI     FI     1.50
TVM-3g    FI     NI     FI     FI     1.50
SA-4g     FI     NI     FI     FI     1.50
EDM-3d    FI     NI     FI     FI     1.50
EDM-3g    NI     PI     NI     FI     1.41
IAM-2i    FI     NI     FI     LI     1.41
IR-2e     PI     NI     LI     FI     1.29
SA-3f     PI     PI     NI     FI     1.26

- 3rd section is the 10 activities with the greatest deviation in responses
- Focused only on C2M2, not the NIST CSF
- Ideal for benchmarking and determining why there are differences; possible reasons include maturity, size, mission, or interpretation of the survey questions
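The three summary sections above are straightforward arithmetic over the per-practice responses, but one detail matters if you rebuild them: the standard deviations on the slides (0.577 for LI, LI, FI, FI; 1.50 for PI, NI, FI, FI) only reproduce with the sample (n-1) form, not the population form. The following is an added example in Python, not the Southern toolkit's own code. It reuses the slide's values for RM-1a, RM-2c, RM-2h, RM-3f, ACM-2d, EDM-3g and TVM-1h so the figures can be checked; the MILs shown for the last three are assumed (the page does not give them), and the data set as a whole is a constructed subset of a real comparative run.

```python
"""Comparative analysis of C2M2 responses from several assessments:
sortable per-practice table, per-domain averages, low scorers and the
practices with the largest spread. Constructed example; a few rows reuse
the values shown on the slides, the MILs for ACM-2d, EDM-3g and TVM-1h
are assumed."""
import statistics

# C2M2 toolkit scoring criteria: FI=3, LI=2, PI=1, NI=0
SCORE = {"FI": 3, "LI": 2, "PI": 1, "NI": 0}

# (domain, MIL, practice) -> one response per organization (four assessments)
RESPONSES = {
    ("01. Risk Management", 2, "RM-1a"): ["FI", "FI", "FI", "FI"],
    ("01. Risk Management", 2, "RM-2c"): ["LI", "LI", "FI", "FI"],
    ("01. Risk Management", 3, "RM-2h"): ["FI", "PI", "LI", "FI"],
    ("01. Risk Management", 3, "RM-3f"): ["PI", "FI", "FI", "FI"],
    ("02. Asset, Change, and Configuration Management", 2, "ACM-2d"): ["PI", "NI", "FI", "FI"],  # MIL assumed
    ("04. Threat and Vulnerability Management", 3, "TVM-1h"): ["NI", "NI", "NI", "NI"],          # MIL assumed
    ("08. Supply Chain and External Dependencies Management", 3, "EDM-3g"): ["NI", "PI", "NI", "FI"],  # MIL assumed
}


def score_rows(responses=RESPONSES):
    """One row per practice with the numeric scores, their average and the
    sample standard deviation (n-1), which is what matches the slides."""
    rows = []
    for (domain, mil, practice), statuses in responses.items():
        scores = [SCORE[s] for s in statuses]
        rows.append({
            "domain": domain, "mil": mil, "practice": practice, "scores": scores,
            "avg": statistics.mean(scores),
            "sd": statistics.stdev(scores),
        })
    return rows


# The sort orders offered by the sortable results worksheet
SORTS = {
    "domain/mil/practice": lambda r: (r["domain"], r["mil"], r["practice"]),
    "domain/avg low to high": lambda r: (r["domain"], r["avg"]),
    "avg low to high": lambda r: r["avg"],
    "domain/avg high to low": lambda r: (r["domain"], -r["avg"]),
    "avg high to low": lambda r: -r["avg"],
    "std deviation": lambda r: -r["sd"],
}


def sorted_rows(rows, how):
    return sorted(rows, key=SORTS[how])


def domain_averages(rows):
    """Section 1: average score per domain for each organization, plus the
    average of those per-organization figures."""
    by_domain = {}
    for r in rows:
        by_domain.setdefault(r["domain"], []).append(r["scores"])
    out = {}
    for domain, score_lists in by_domain.items():
        per_org = [statistics.mean(col) for col in zip(*score_lists)]  # column = one organization
        out[domain] = {"per_org": [round(x, 2) for x in per_org],
                       "avg": round(statistics.mean(per_org), 2)}
    return out


def low_scores(rows, threshold=SCORE["PI"]):
    """Section 2: practices averaging Partially Implemented or less."""
    return sorted_rows([r for r in rows if r["avg"] <= threshold], "avg low to high")


def top_deviation(rows, n=10):
    """Section 3: the n practices on which the organizations disagree most."""
    return sorted_rows(rows, "std deviation")[:n]


if __name__ == "__main__":
    rows = score_rows()
    for r in sorted_rows(rows, "domain/mil/practice"):
        print(f'{r["practice"]:8} {r["scores"]} avg={r["avg"]:.2f} sd={r["sd"]:.3f}')
    print(domain_averages(rows))
    print("low:", [r["practice"] for r in low_scores(rows)])
    print("most spread:", [r["practice"] for r in top_deviation(rows, 3)])
```

A practical note on the third section: a practice with a high standard deviation and a low average (EDM-3g here) is a different finding from one with a high deviation and a high average (IAM-3a on the slide, where one organization scored NI against three FIs); the first is a common gap, the second is more likely a single outlier or a question read differently by one respondent.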
Proof of Concept Demonstration
- Demonstrated to DOE that the process can be automated
- The next release of the C2M2 toolkit should incorporate the new capabilities (ECD 2016)

Identify Industry Requirements for Implementing the Framework
- Adoption of the NIST Framework is currently a labor-intensive manual process
- Need to identify the requirements that make adopting the Framework practical: automated tools, standardized charts, standardized tables, standardized reports, comparative analysis

Next Steps
- Role of the Cybersecurity Framework Task Force?
- Other stakeholder participation: DOE, SGIP, NIST, C 3?
- Mechanism for providing feedback?