Cyber Security Risk Elements
Ben Christensen, Senior Compliance Risk Analyst, Cyber Security
2 Agenda
- What are Risk Elements?
- Risk Element Identification
- How will WECC use Risk Elements?
- What does this mean for you?
3 Overview of Risk Based Framework
4 Why Are Risks Important?
5 Risk Elements Identification
6 Risk Elements Identification
- The NERC guide describes a process for identifying and prioritizing enterprise-wide risks
- Replaces the prior actively monitored lists
- Considers region-specific risks
7 Risk Elements Identification: What has WECC done so far?
- During August and September, Compliance Risk Analysis and the auditors collaborated to identify WECC-wide risk elements
- Some inputs to the process:
  - NERC-identified risk elements
  - WECC Reliability Challenges
  - Audit and violation history
  - Professional experience and judgment from the Audit, Enforcement and Risk Analysis teams
8 Risk Elements Identification: O&P Risks
1. Human Performance
2. Equipment Failure
3. Variable Generation Integration
4. Protection System Reliability
5. Situational Awareness
6. Changing Load Composition
7. Vegetation and Right of Way Issues
8. Transmission Planning Adequacy
9. High-Impact Low-Frequency Events
10. Adequacy of Reserves
9 Risk Elements Identification: Cyber Security Risks
1. Event and incident response, continuity of operations
2. Threat and vulnerability management
3. Risk management
4. Asset and configuration management
5. Identity and access management
6. Situational awareness
10 Risk Elements Identification: Associated Standards
- The Audit and Risk Analysis team identified the NERC Standards and Requirements that mitigate each risk element
- Mitigation is a relative thing! Each requirement mitigates some risk
11 Associated Standards: Event & Incident Response, Continuity of Operations
- CIP-007 R6
- CIP-008 R1
- CIP-009 R2
12 Event and incident response, continuity of operations
Establishing and maintaining cyber security plans, procedures, and technologies to:
- Detect events
- Analyze events
- Respond to events
- Sustain operations
Examples:
- Cyber security events
- Types and numbers of devices
13 Associated Standards: Threat & Vulnerability Management
- CIP-005-3 R4
- CIP-007-3 R8
- CIP-008-3 R1
14 Threat and vulnerability management
Identifying and responding to threats and cyber security vulnerabilities
Examples:
- Cyber security events
- Types and numbers of systems and devices
15 Associated Standards: Risk Management
- CIP-002 R1
- CIP-008 R1
16 Risk management
Establishing, operating, and maintaining an enterprise cyber security risk management program to:
- Identify
- Analyze
- Mitigate
Examples:
- Cyber security events
- Numbers of Critical Assets, Critical Cyber Assets and Non-Critical Assets
17 Associated Standards: Asset & Configuration Management
- CIP-002-3 R2
- CIP-002-3 R3
- CIP-003-3 R6
- CIP-005-3 R1
- CIP-007-3 R1
- CIP-007-3 R2
- CIP-007-3 R3
- CIP-007-3 R4
18 Asset and configuration management
- Manage asset inventory
- Manage asset configuration
- Manage changes to assets
Examples:
- Numbers and types of devices
- Numbers of Critical Assets, Critical Cyber Assets, and Non-Critical Assets
19 Associated Standards: Identity & Access Management
- CIP-004-3 R4
- CIP-005-3 R2
- CIP-006-3 R1
- CIP-006-3 R4
- CIP-007-3 R5
20 Identity and access management
- Establish and maintain identities
- Control access to assets (logical and physical)
Examples:
- Types and numbers of accounts
- Users
- Remote access
21 Associated Standards: Situational Awareness
- CIP-005 R3
- CIP-006 R5
- CIP-007 R6
22 Situational awareness
Collect, analyze, alarm, present, and use power system and cyber security information:
- Logging
- Monitoring
- Establishing the condition of assets
- Near real-time knowledge of your environment
Examples:
- Numbers and types of devices
- Cyber security events
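As an added example, not part of the deck and not WECC's or NERC's own code, here is what "collect, analyze, alarm, present" looks like in practice for one event class that the situational awareness element and its associated standards (monitoring of electronic access and security status) cover: repeated failed logins against a Cyber Asset, followed by a success. The log format, host names, addresses, the five-failures-in-one-minute threshold and the sample log lines are all constructed assumptions; a real deployment would read the entity's own syslog feed and tune the thresholds to its environment.

```python
"""Added example: security-status monitoring over a handful of log lines.

Not code from the WECC deck. The log format, host names, addresses,
thresholds and sample lines below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), syslog-like, one event per line.
SAMPLE_LOGS = """\
2015-03-02T10:00:01 ems-hmi-01 sshd: Failed password for operator from 10.1.5.20
2015-03-02T10:00:04 ems-hmi-01 sshd: Failed password for operator from 10.1.5.20
2015-03-02T10:00:09 ems-hmi-01 sshd: Failed password for operator from 10.1.5.20
2015-03-02T10:00:15 ems-hmi-01 sshd: Failed password for operator from 10.1.5.20
2015-03-02T10:00:21 ems-hmi-01 sshd: Failed password for operator from 10.1.5.20
2015-03-02T10:00:30 ems-hmi-01 sshd: Accepted password for operator from 10.1.5.20
2015-03-02T10:05:00 rtu-gw-07 login: Failed password for admin from 10.1.9.3
2015-03-02T11:30:00 rtu-gw-07 login: Failed password for admin from 10.1.9.3
"""

# Assumed line format:
# "<ISO timestamp> <host> <program>: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Collect: turn one raw log line into a structured event.

    Returns None for lines that do not match the expected format, so an
    unparseable line is skipped rather than crashing the monitor."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_login_anomalies(lines, threshold=5, window=timedelta(minutes=1)):
    """Analyze and alarm. Returns a list of alarm dicts for:
      - failed_login_burst: `threshold` or more failures for the same
        (host, user, source) inside `window` (one burst alarm per key per run);
      - success_after_burst: a successful login for that same key within
        `window` of its burst alarm, the signature of a guessed credential.
    Events are sorted by timestamp first so out-of-order collection
    (e.g. two collectors forwarding to one server) does not hide a burst."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # key -> failure timestamps inside window
    burst_alarmed_at = {}                # key -> time the burst alarm fired
    alarms = []
    for e in events:
        key = (e["host"], e["user"], e["src"])
        if e["outcome"] == "Failed":
            kept = [t for t in recent_failures[key] if e["ts"] - t <= window]
            kept.append(e["ts"])
            recent_failures[key] = kept
            if len(kept) >= threshold and key not in burst_alarmed_at:
                burst_alarmed_at[key] = e["ts"]
                alarms.append({
                    "severity": "high", "type": "failed_login_burst",
                    "host": e["host"], "user": e["user"], "src": e["src"],
                    "count": len(kept), "ts": e["ts"],
                })
        else:  # Accepted
            fired = burst_alarmed_at.get(key)
            if fired is not None and e["ts"] - fired <= window:
                alarms.append({
                    "severity": "critical", "type": "success_after_burst",
                    "host": e["host"], "user": e["user"], "src": e["src"],
                    "count": 1, "ts": e["ts"],
                })
            recent_failures[key].clear()  # a success ends the failure streak
    return alarms


def format_alarm(alarm):
    """Present: one-line rendering for an operator console or ticket."""
    return (f"[{alarm['severity'].upper()}] {alarm['type']} host={alarm['host']} "
            f"user={alarm['user']} src={alarm['src']} count={alarm['count']} "
            f"at {alarm['ts'].isoformat()}")


if __name__ == "__main__":
    for a in detect_login_anomalies(SAMPLE_LOGS.splitlines()):
        print(format_alarm(a))
```

On the constructed input this raises two alarms: a high-severity burst for `operator` on `ems-hmi-01` at the fifth failure, then a critical alarm when the same source succeeds nine seconds later. The two failures on `rtu-gw-07` are 85 minutes apart and stay below the threshold, which is the point of keying on host, user and source together and of expiring old failures: an alarm that fires on any two failures anywhere would bury the operator in noise and undermine the near real-time knowledge the element is meant to provide.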
23 How will WECC use Risk Elements?
- Used to determine the implementation plan and the actively monitored standards
- Provides input into the IRA (Inherent Risk Assessment) process
- Allows internal controls to be focused on the identified risks
24 What do Risk Elements mean for you? (Plan, Do, Check, Act)
Plan
- Know which risks apply to you
Do
- Categorize the applicable risks
- Prioritize the applicable risks
Check
- Evaluate the internal controls associated with the applicable risks
Act
- Add new internal controls
- Improve existing internal controls
25 References
- NERC Risk Elements guide
- WECC 2015 CMEP IP (Compliance Monitoring and Enforcement Program Implementation Plan)
- CUG RAI (Reliability Assurance Initiative) Presentation
- ES-C2M2 (Electricity Subsector Cybersecurity Capability Maturity Model)
- WECC Reliability Challenges White Paper
- NERC RISC (Reliability Issues Steering Committee) Reports
- Working Group Reports: HPWG, PSWG
Speaker Contact Info
Ben Christensen, Senior Compliance Risk Analyst, Cyber Security
801-819-7666
bchristensen@wecc.biz