Bridging the Security Governance Divide in Utilities


About Me
- Energy Security Advisor to utilities, regulators, integrators, energy start-ups
- Member: GTM GridEdge Exec Council; ISC-ISAC Corporate Board
- SME Contributor to: DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) & Risk Management Process (RMP); NISTIR 7628 Guidelines for Smart Grid Security & NIST Critical Infrastructure Security Framework (CSF); NARUC Cybersecurity Guidelines for State Regulators; DOD Software Assurance Working Groups; MIT Future of the Grid Report
- Founder of the Smart Grid Security and DOD Energy blogs
2013 Bochman Advisors

Agenda
- New News
- Defining Security Governance
- Government Governance Guidance
- Utility CEOs and CISOs

New News
- FERC tells NERC we need new physical controls - stat!
- Financial Services realizing an OT problem of sorts: Windows XP in ATMs
- Target announces it's time to get a real CISO
- DOE EAC Security Governance success

Security Governance Defined (at the individual business level)
- Management through measurement and improved communications (vs. guessing, hoping, etc.)
- Including security considerations in all business decisions
- Organizational update actions that signal culture change to all stakeholders

Government Perspective

Energy: the most critical of all critical infrastructures

The security of the grid is so important we've assigned government agencies to watch over it.

Gov and Industry Guidance (State and Federal): DOE, NARUC, NIST, NRECA, FERC/NERC, ISO/IEC, EEI, CPUC

Recent Government Guidance
- NIST Critical Infrastructure Security Framework (CSF)
- DOE's Risk Management Process (RMP)
- Federal government wants to see senior leadership playing a more active role in security risk management

Utility Perspective

That was Then: How Utilities (& others) Secured IT Pre-Smart Grid
- Protected PCs
- Protected IT networks
- Protected physical assets

This is Now

Organizational blind spots - Senior leaders & org structure dictate what's visible

Most utilities are still organized to meet yesterday's threats
(Org chart: Board of Directors; CEO; CFO, COO, GC, VP IT / CIO, VP Customer, VP Transmission, VP Distribution, VP Risk, VP Compliance; Mgr / Dir CyberSecurity; Security Manager)

Security Questions CEOs Should be able to Answer
- Am I making the right/best investments in security?
- Do I have a complete and accurate inventory of all assets requiring protection?
- Do I have the right security organization for my enterprise, and is it aligned with our overall governance structure?
- How do I communicate effectively to my board on security & privacy matters?
- Do we have contingencies ready for major cyber security or privacy incidents?
- Can I trust the integrity of the data that's running our business?

Bridging the Utility Cyber Security Gap
(Diagram: CEO & Board of Directors on one side, Security Leadership on the other, with the other players & stakeholders between them: CFO, GC, VP Risk, VP Customer, VP Operations, CIO/VP IT)

Drivers for Increased Understanding & Collaboration:
1. Increasing interconnection of important systems
2. Security breaches viewed as material risk
3. Greatly heightened awareness
4. Attacks growing in strength and frequency

CEOs: 2 bridge-building places to start

1: A new governance board or committee
(Board of Directors committees: Financial, Compliance, Safety, Environment, plus a new Security committee)

Or add security to an existing board or committee
(Board of Directors committees: Financial, Compliance, Safety, Environment, Risk + Security)

2: A new security position outside of IT & closer to the top
(Org chart: Board of Directors; CEO; CFO, COO, GC, VP IT / CIO, VP Customer, VP Transmission, VP Distribution, VP Risk, VP Compliance; Mgr / Dir CyberSecurity; Security Manager)

It could go here, or here: the charts show a VP Security reporting at the same level as the CEO's other direct reports (CFO, COO, GC, VP IT / CIO, VP Customer, VP Trans, VP Dist, VP Risk, VP Compliance), placed either alongside VP Customer or alongside VP Trans / VP Dist.

It's Starting in Some Places Already
Feb 2014: Alliant recently created an executive-level opening at the company for overseeing cyber and physical security. Alliant Energy CIO Patricia Kampling: "The position is designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread."

CISOs: bridge-building places to start
(CTO Erich Gunther)

Approaches that Fail
- Attempting to explain issues technically
- Deluging with statistics
- FUD and "The Sky is Falling"
- Using regulations to fix problems

Approaches that Work
- Best practices catalog for practitioners
- Value props with clear business metrics
- Security built into all processes & the quality system
- Visible lines of ownership & responsibility
- Risk-based model that CEOs, lawyers, regulators, insurers can trust

Do these things
- Improve communications skills
- Get better versed in the core business you're/we're protecting
- Take a business value and risk management approach to security

CEO                       | Good things happen when they meet                     | CSO
Grow the Business         | Security informs & supports business decisions        | Facilitate/Integrate with Business
Reduce Business Risk      | Security controls align with corp risk tolerance      | Set & Enforce Security Policy
Corporate Governance      | The human elements of security risk are managed       | Security & Resiliency Staffing & Training
Cultivate Desired Culture | Both lead by example with a focus on communication    | Promote Security-Aware Culture

Thank You
ab@bochmanadvisors.com 781.962.6845