SGIG Cyber Security Program Review Process



Similar documents
Panel Session: Lessons Learned in Smart Grid Cybersecurity

Smart Grid Cybersecurity Lessons Learned

Cybersecurity & Public Utility Commissions

National Institute of Standards and Technology Smart Grid Cybersecurity

Cybersecurity: Lessons Learned from DOE Projects

Office of Electricity Delivery & Energy Reliability ANALYSIS AND REPORTING OF METRICS AND BENEFITS FOR ARRA SMART GRID PROJECTS

Securing the Grid. Marianne Swanson, NIST Also Moderator Akhlesh Kaushiva (AK), DOE Lisa Kaiser, DHS Leonard Chamberlin, FERC Brian Harrell, NERC

ADVANCED DISTRIBUTION MANAGEMENT SYSTEMS OFFICE OF ELECTRICITY DELIVERY & ENERGY RELIABILITY SMART GRID R&D

IEEE-Northwest Energy Systems Symposium (NWESS)

Cyber Security in Europe

OEB Smart Grid Advisory Committee

How Much Cyber Security is Enough?

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

DOE Smart Grid Investment Grant Program: Dynamic Pricing & Consumer Behavior Studies

Logging In: Auditing Cybersecurity in an Unsecure World

National Cybersecurity Assessment and Technical Services

ARRA Grant Case Studies SMUD s Smart Grid Program

SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios

Risk Management, Equipment Protection, Monitoring and Incidence Response, Policy/Planning, and Access/Audit

Cyber Security Working Group

What Risk Managers need to know about ICS Cyber Security

Cybersecurity Risk Assessment in Smart Grids

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

How To Write A Cybersecurity Framework

STREAM Cyber Security

Cyber Security Working Group

NAVFAC EXWC Platform Information Technology (PIT) Cyber Security Initiatives

SmartSacramento. Green Summit Jim Parks Program Manager SmartSacramento Team. April 19, 2011

Risk-Based IT Change Management

Cyber attack on Twitter, 250,000 accounts hacked

RESEARCH CALL TO DOE/FEDERAL LABORATORIES. Cybersecurity for Energy Delivery Systems Research Call RC-CEDS

Securing the Electric Grid with Common Cyber Security Services Jeff Gooding

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS

Remote Services. Managing Open Systems with Remote Services

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Facilitated Self-Evaluation v1.0

N-Dimension Solutions Cyber Security for Utilities

Working to Achieve Cybersecurity in the Energy Sector

Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

Cyber Security focus in ABB: a Key issue. 03 Luglio 2014, Roma 1 Conferenza Nazionale Cyber Security Marco Biancardi, ABB SpA, Power System Division

CERT Collaboration with ISP to Enhance Cybersecurity Jinhyun CHO, KrCERT/CC Korea Internet & Security Agency

Smart Meters Programme Schedule 8.6. (Business Continuity and Disaster Recovery Plan) (CSP North version)

Why we Need Standards for Breaking the Smart Grid

Altius IT Policy Collection Compliance and Standards Matrix

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Cyber Security and Privacy - Program 183

1. Summary. electric grid, strengthen saving programs sponsored by utilities. The project

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Tehachapi Wind Energy Storage Project (TSP)

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)

Update On Smart Grid Cyber Security

Effective Use of Assessments for Cyber Security Risk Mitigation

Business Continuity for Cyber Threat

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Automation Suite for NIST Cyber Security Framework

Vendor Management for Critical Access Hospitals

Smart Grid and Privacy An International View

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

2012 CIP Spring Compliance Workshop May Testing, Ports & Services and Patch Management

Obtaining Enterprise Cybersituational

Privacy Risk Assessments

Transcription:

SGIG Cyber Security Program Review Process A. DAVID MCKINNON, PH.D. Cyber Security Group, National Security Directorate TCIPG Industry Workshop 2014 November 14, 2014 PNNL-SA-106570 1

SGIG Cyber Security Program Overview Smart Grid Investment Grant (SGIG) was funded by the 2009 ARRA 99 Grants awarded $3.4B of federal funding, matched by $4.4B of private sector funding Cyber security was built in FOA required that each proposal address cyber security Each awardee had to submit a cyber security plan (CSP) for review and approval DOE established a cybersecurity subject matter expert (CS-SME) team Team consisted of leading cyber security experts from PNNL, ANL, CMU SEI, and private industry CS-SME team members joined the DOE technical project officer (TPO) on their annual site visits CS-SME team conducted several outreach activities November 14, 2014 2

Cyber Security Requirements (DE-FOA-0000058) Submitted Project Plans are also required to include a section on the technical approach to cyber security. The technical approach to cyber security should include: A summary of the cyber security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact). A summary of the cyber security criteria utilized for vendor and device selection. A summary of the relevant cyber security standards and/or best practices that will be followed. A summary of how the project will support emerging smart grid cyber security standards. DOE intends to work with those selected for award but may not make an award to an otherwise meritorious application if that applicant cannot provide reasonable assurance that their cyber security will provide protection against broad based systemic failures in the electric grid in the event of a cyber security breach. November 14, 2014 3

www.arrasmartgridcyber.net Online information resource for SGIG & SGDP cyber security Overview of baseline cyber security principles Guidance on cyber security plan development and execution References to cyber security standards and regulations Prescriptive templates for cyber security plans were not provided 4

99 Cyber Security Plans Cyber security one size does *NOT* fit all Grant awards varied from $1M to $200M Technologies varied Electric transmission systems Electric distribution systems Advanced metering infrastructure (AMI) Customer systems Cross-cutting deployments Awardees used their own internal processes and templates DOE technical project officers (TPO) forwarded each project s cyber security plans to the CS-SME team Each plan was independently reviewed by two CS-SMEs Initial reviews were conducted by all team members Secondary reviews were performed by a QC subteam member November 14, 2014 5

Cyber Security Plan Reviews Strong cyber security plans included: Cyber security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact) Cyber security criteria utilized for vendor and device selection Relevant cyber security standards and/or best practices to be followed Plans for supporting emerging smart grid cyber security standards Cyber security plans also had to address the adequacy of their technical approach for addressing interoperability and cyber security Ensuring confidentiality, integrity, availability Secure logging, monitoring, alarming, and notification Demonstrable evidence of the effectiveness of cyber security controls Inadequate cyber security plans were revised and resubmitted CS-SME team frequently held project-specific teleconference calls Interactive discussion quickly resolved issues Many awardees did not have prior experience writing cyber security plans November 14, 2014 6

244 Site Visits SGIG project reviews included cyber security CS-SMEs traveled with the DOE review team Cyber security was a formal topic on the agenda Site visits were conducted 2011-2013 2011-2012: on-site visits 2013: on-site, virtual, or off-line visits at the discretion of the DOE TPOs Guidance was provided to each site prior to the annual site visits Focus on demonstrable evidence Were project-specific risks being identified and addressed? Were implemented cyber security controls adequate? No prescribed format for how evidence was to be provided Site assessment visit report 13 requirements derived from FOA were assessed Scale: meets,, & does not meet FOA requirements November 14, 2014 7

Cyber Security Impact Cyber security was a FOA requirement Senior-level management approved cyber security plans Cyber security was a funded requirement Each project was able to focus on their specific risks Awardees and the CS-SMEs built close working relationships Smart grid cyber security information exchanges Chicago (August 2011) & Washington, D.C. (December 2012) Utilities met & exchanged cyber security best practices Many anecdotal stories of utilities implementing new and/or improved cyber security practices Enhanced staffing, training, policies, tools, etc. November 14, 2014 8

Cyber Security Impact, continued CS-SME team assessment CP Normalized Score (%) Based upon a weighted scoring of each site assessment report 13 questions, Green/ /Red Projects were grouped by category 100.0 80.0 60.0 40.0 20.0-2012 2013 Cities/Public Utility Districts (CP) Rural Electric Cooperatives (RE/COOP) Transmission/Generation (T&G) Compared 2012 and 2013 results CP had the largest score improvement 100.0 80.0 60.0 40.0 20.0 - RE/COOP Norm. Score (%) 2012 2013 RE/COOP had the 2 nd best improvement T&G improved the least Caveat: T&G projects had the best overall scores 100.0 80.0 60.0 40.0 20.0 - T&G Normalized Score (%) 2012 2013 November 14, 2014 9

SGIG Cyber Security Conclusions FOA requirement for cyber security was a key enabler Utilities were able to build-in in cyber security DOE facilitated across-the-board cyber security improvements Project staff, DOE TPOs, and the CS-SME team built strong and trusted working relationships Cyber security plans focused and enhanced cyber security efforts Each project focused on their specific risks Cyber security plans are living documents Approval by senior-level management provided accountability November 14, 2014 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information