Risk Management in Practice: A Guide for the Electric Sector
Annabelle Lee, Senior Technical Executive
ICCS European Engagement Summit, April 28, 2015
Before we continue, let's get over our fears and myths with some much-needed levity. The following three slides are based on a briefing given by Daniel Thanos of Telos.
The Einstein Defense (Sum of All Myths)
Myth: Our systems are so proprietary and esoteric that Einstein himself couldn't figure them out, so hackers have no chance.
Reality: Whatever can be engineered can be reverse-engineered, and Stuxnet is the proof.
Wishful Immunity (Sum of All Myths)
Myth: There are no problems here, just happy and trusted people working on reliable and isolated systems.
Fact: Sophisticated attackers use trusted people and privileged access without the target's knowledge. Attackers usually succeed when security is exclusively perimeter- and trust-based.
Mordac Syndrome (Sum of All Myths)
Myth: Security reduces reliability, degrades capabilities and prices us out of existence.
Fact: Correctly engineered security increases reliability and reduces the costs and risks that come from poor design and systemic failures.
General Risk Assessment Approach
Risk Assessment Methodology (flowchart):
Asset/System Characterization -> Threat Agent Characterization -> Vulnerability Assessment -> Impact Analysis -> Threat Likelihood Assessment -> Risk Determination -> Risk Acceptable?
If NO: select Security Requirements/Controls and re-determine the risk.
If YES: proceed to implementation.
Risk Assessment Methodology (2)
Implementation and Assessment Phases (flowchart):
Security Controls -> System Implementation -> Ongoing Monitoring, Testing and Exercising -> Successful Risk Mitigation?
If YES: the risk is acceptable; monitoring continues.
If NO: return to Risk Assessment and re-evaluate whether the risk is acceptable.
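The two flowcharts above describe one loop: characterize the asset, threat agent and vulnerability, determine risk from likelihood and impact, add controls until the residual risk is acceptable, implement, then monitor and return to assessment if the mitigation does not hold. The Python below is an added example and not part of the slides: it models that loop with constructed three-point likelihood and impact scales, a constructed sample risk and control list, and an acceptance threshold. All names, scales and sample values are assumptions made for illustration.

```python
"""Added example (not from the EPRI slides): a minimal model of the risk
assessment and implementation/monitoring phases shown in the flowcharts."""
from dataclasses import dataclass, field, replace

# Constructed 3-point qualitative scales; the slides name the steps, not the scales.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Risk:
    asset: str            # asset / system characterization
    threat_agent: str     # threat agent characterization
    vulnerability: str    # vulnerability assessment
    likelihood: str       # threat likelihood assessment ("low"/"medium"/"high")
    impact: str           # impact analysis ("low"/"medium"/"high")
    controls: list = field(default_factory=list)   # controls applied so far

    def score(self) -> int:
        """Risk determination: likelihood x impact on the 1..3 scales, so 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


@dataclass(frozen=True)
class Control:
    name: str
    reduces: str          # which factor it lowers: "likelihood" or "impact"
    steps: int = 1        # how many scale steps it removes (constructed effect)


def apply_control(risk: Risk, control: Control) -> Risk:
    """Return a new Risk with the control applied (never below the lowest level)."""
    current = LEVELS[getattr(risk, control.reduces)]
    lowered = NAMES[max(1, current - control.steps)]
    return replace(risk, **{control.reduces: lowered},
                   controls=risk.controls + [control.name])


def assess(risk: Risk, candidates: list, acceptable: int) -> tuple:
    """Risk assessment loop: add controls, in the given order, until the
    residual risk is at or below the acceptance threshold.
    Returns (accepted, residual_risk)."""
    residual = risk
    for control in candidates:
        if residual.score() <= acceptable:
            break
        residual = apply_control(residual, control)
    return residual.score() <= acceptable, residual


def monitor(residual: Risk, observed_likelihood: str,
            candidates: list, acceptable: int) -> tuple:
    """Implementation phase: ongoing monitoring, testing and exercising may show
    the mitigation did not hold (likelihood observed higher than assumed).
    If so, the flowchart loops back to risk assessment with the controls not
    yet applied; otherwise the mitigation is successful."""
    observed = replace(residual, likelihood=observed_likelihood)
    if observed.score() <= acceptable:
        return True, observed
    remaining = [c for c in candidates if c.name not in observed.controls]
    return assess(observed, remaining, acceptable)


# Constructed sample input: one substation HMI risk and a ranked control list.
SAMPLE_RISK = Risk("substation HMI", "remote intruder",
                   "default vendor credentials", "high", "high")
SAMPLE_CONTROLS = [
    Control("change default credentials", "likelihood"),
    Control("network segmentation of control LAN", "likelihood"),
    Control("manual fallback / fail-secure procedure", "impact", steps=2),
]
ACCEPTABLE = 3   # constructed threshold: medium x low (or lower) is tolerated


if __name__ == "__main__":
    ok, residual = assess(SAMPLE_RISK, SAMPLE_CONTROLS, ACCEPTABLE)
    print("assessment accepted:", ok, "score:", residual.score(), residual.controls)
    # Monitoring later observes likelihood "medium" rather than the assumed "low".
    ok2, after = monitor(residual, "medium", SAMPLE_CONTROLS, ACCEPTABLE)
    print("after monitoring:", ok2, "score:", after.score(), after.controls)
```

The order of the candidate list is the order in which the organization is prepared to fund controls, so the loop stops as soon as the threshold is met and the later, more expensive controls are only drawn on when monitoring shows the first assessment was optimistic.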
Cybersecurity Capability Maturity Model (C2M2) Overview Expansion Project and Comparative Analysis
Department of Energy Risk Management Process
The risk management cycle:
(i) Risk framing (i.e., establish the context for risk-based decisions)
(ii) Risk assessment
(iii) Risk response once determined, and
(iv) Risk monitoring on an ongoing basis.
Risk management is carried out as an organization-wide activity.
[Figure: Risk Management Cycle: Risk Framing -> Risk Assessment -> Risk Response -> Risk Monitoring -> back to Risk Framing]
Framework Implementation Guidance Mapping (Project #1)
[Figure: two mappings]
CSF Core (Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER; Categories; Subcategories; Informative References) -> C2M2 Practices (MIL 1, MIL 2, MIL 3)
CSF Tiers (Tier 1: Partial; Tier 2: Risk Informed; Tier 3: Repeatable; Tier 4: Adaptive) -> C2M2 Practices (MIL 1, MIL 2, MIL 3)
C2M2 Comparative Analysis (Project #2)
[Figure: C2M2 Domains (Risk Management; Asset, Change, & Configuration Management; Identity and Access Management; ...; Cyber Program Management), each with its Objectives and Practices, mapped to Industry Standards: Cyber Security Framework, NISTIR 7628, SP 800-53, NRECA Cyber Security Guidelines, others as requested by industry]
C2M2 Comparative Analysis Process
[Figure: C2M2 Domains (Risk Management; Asset, Change, & Configuration Management; Identity and Access Management; ...; Cyber Program Management), with their Objectives and Practices, mapped to the NRECA Cyber Security Guidelines]
Many sector-specific standards, such as the NRECA Cyber Security Guidelines, have already been mapped directly to the C2M2. In these cases, the maps are easily ported into the C2M2 expansion as a module.
C2M2 Comparative Analysis Process
[Figure: the NIST Cybersecurity Framework at the center, mapped to NIST SP 800-53, ISO 2700x, NISTIR 7628, ISA 99 / IEC 62443 and COBIT 5]
With the release of the Framework, even more standards are available. By leveraging the maps that apply to the Framework, as well as industry's map of the C2M2-Framework, the expansion can include other modules with very little effort.
Risk Management in Practice: A Guide for the Electric Sector
EPRI Technical Update: 3002003333
Assessing and Monitoring Risk
Issue: There are many cyber security risk assessment and security requirements documents, tools and methods, making it difficult for a utility to show how it meets all of the specifications.
Project approach: Perform a comparative analysis of the NIST Cybersecurity Framework, DOE ES-C2M2, NISTIR 7628, NESCOR Failure Scenarios, NIST SP 800-53, NEI 08-09 and NRC 5.71; create a database to improve the usability of the mappings.
Value: Straightforward reporting to senior management and regulatory agencies to verify conformance with industry frameworks.
Assessing and Monitoring Risk (2)
Department of Energy Electricity Subsector Cybersecurity Capability Maturity Model (DOE ES-C2M2)
National Institute of Standards and Technology Interagency Report (NISTIR) 7628
National Electric Sector Cybersecurity Organization Resource (NESCOR) Failure Scenarios
NIST Special Publication (NIST SP) 800-53
Nuclear Energy Institute (NEI) 08-09
Nuclear Regulatory Commission (NRC) 5.71
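The mapping database described under "Assessing and Monitoring Risk", and the earlier point that maps routed through the Cybersecurity Framework let other standards be brought in as modules with little effort, can both be shown with a small crosswalk database. The Python/SQLite below is an added example written for this page, not EPRI's or DOE's tool: the framework names are the ones the slides list, but every requirement identifier, mapping row and evidence record is a constructed placeholder and not the published mappings. Coverage is computed transitively, so evidence for a C2M2 practice reaches SP 800-53 and NISTIR 7628 through the Framework mapping, and the gap query gives the outstanding items a utility would report.

```python
"""Added example, not the EPRI project's database: a crosswalk of C2M2
practices to other frameworks with a conformance report over it.
All requirement ids, mapping rows and evidence records are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE requirement (
    id        TEXT PRIMARY KEY,      -- constructed id, e.g. 'C2M2:RM-1'
    framework TEXT NOT NULL,
    text      TEXT NOT NULL
);
CREATE TABLE mapping (                -- src requirement maps to dst requirement
    src TEXT NOT NULL REFERENCES requirement(id),
    dst TEXT NOT NULL REFERENCES requirement(id),
    PRIMARY KEY (src, dst)
);
CREATE TABLE evidence (               -- what the utility can show it has implemented
    req      TEXT NOT NULL REFERENCES requirement(id),
    artifact TEXT NOT NULL
);
"""

# Constructed sample data. Framework names are those the slides list; the
# identifiers and mapping rows are placeholders, not the published maps.
CONSTRUCTED_REQUIREMENTS = [
    ("C2M2:RM-1",   "DOE ES-C2M2",    "risk management strategy established"),
    ("C2M2:ACM-1",  "DOE ES-C2M2",    "asset inventory maintained"),
    ("C2M2:IAM-1",  "DOE ES-C2M2",    "identities provisioned and revoked"),
    ("CSF:ID.RA",   "NIST CSF",       "risk assessment"),
    ("CSF:ID.AM",   "NIST CSF",       "asset management"),
    ("CSF:PR.AC",   "NIST CSF",       "access control"),
    ("SP800-53:RA", "NIST SP 800-53", "risk assessment family"),
    ("SP800-53:CM", "NIST SP 800-53", "configuration management family"),
    ("SP800-53:AC", "NIST SP 800-53", "access control family"),
    ("7628:SG.RA",  "NISTIR 7628",    "risk management and assessment"),
    ("7628:SG.AC",  "NISTIR 7628",    "access control"),
]
# C2M2 is mapped only to the CSF; the CSF's own references carry the rest,
# which is the "port other modules with little effort" idea on the slides.
CONSTRUCTED_MAPPINGS = [
    ("C2M2:RM-1", "CSF:ID.RA"), ("C2M2:ACM-1", "CSF:ID.AM"), ("C2M2:IAM-1", "CSF:PR.AC"),
    ("CSF:ID.RA", "SP800-53:RA"), ("CSF:ID.RA", "7628:SG.RA"),
    ("CSF:ID.AM", "SP800-53:CM"),
    ("CSF:PR.AC", "SP800-53:AC"), ("CSF:PR.AC", "7628:SG.AC"),
]
CONSTRUCTED_EVIDENCE = [
    ("C2M2:RM-1", "risk register, reviewed 2014-Q4"),
    ("C2M2:ACM-1", "asset inventory export"),
]

# Everything reachable from an evidenced practice by following mapping rows,
# transitively, counts as covered.
REACH = """
WITH RECURSIVE reach(req) AS (
    SELECT req FROM evidence
    UNION
    SELECT m.dst FROM mapping m JOIN reach ON reach.req = m.src
)
"""


def build_db(requirements, mappings, evidence):
    """Create an in-memory crosswalk database and load the given rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO requirement VALUES (?, ?, ?)", requirements)
    con.executemany("INSERT INTO mapping VALUES (?, ?)", mappings)
    con.executemany("INSERT INTO evidence VALUES (?, ?)", evidence)
    con.commit()
    return con


def coverage(con):
    """Per target framework: (requirements reached by evidenced practices, total)."""
    rows = con.execute(REACH + """
        SELECT r.framework,
               SUM(r.id IN (SELECT req FROM reach)),
               COUNT(*)
        FROM requirement r
        WHERE r.framework != 'DOE ES-C2M2'
        GROUP BY r.framework""").fetchall()
    return {fw: (covered, total) for fw, covered, total in rows}


def gaps(con, framework):
    """Requirements of one framework that no evidenced practice reaches."""
    rows = con.execute(REACH + """
        SELECT id FROM requirement
        WHERE framework = ? AND id NOT IN (SELECT req FROM reach)
        ORDER BY id""", (framework,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db(CONSTRUCTED_REQUIREMENTS, CONSTRUCTED_MAPPINGS, CONSTRUCTED_EVIDENCE)
    for fw, (covered, total) in sorted(coverage(db).items()):
        print(f"{fw}: {covered}/{total} covered; gaps: {gaps(db, fw)}")
```

Keeping the mappings as rows rather than as columns of one wide table is what makes adding a standard cheap: a new module is a new set of requirement rows plus mapping rows into the Framework, and the recursive query picks it up without changing the report.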
Example from the Document
Moving Forward
Cyber security supports both the reliability and privacy of the Smart Grid.
Address interconnected systems, both IT and control systems.
Cyber security needs to be addressed in all systems, not just critical assets.
Augment existing protection controls, as applicable.
Continuously monitor and assess the security status.
Acknowledge that there will be some security breaches; focus on response and recovery.
Fail secure.
Address both safety and security.
Discussion
alee@epri.com
202.293.6345
Together Shaping the Future of Electricity