NIST Cybersecurity Framework: What It Means for Energy Companies
Daniel E. Frank, J.J. Herbert, Mark Thibodeaux
November 14, 2013
Your Panelists
 - Dan Frank
 - J.J. Herbert
 - Mark Thibodeaux
Overview
 - The Cyber Threat to the Energy Sector
 - Cybersecurity Executive Order
 - NIST Cybersecurity Framework
 - Incentives
 - What It Means for Energy Companies
What Is Cybersecurity?
 - Activities to (a) identify vulnerabilities of computers, computer systems and networks, and (b) protect information, information systems, computer systems and networks, etc. from unauthorized access, use, disclosure, disruption, modification, or destruction
 - Two goals:
   - Data security and privacy protection
   - Critical infrastructure protection
Nature of the Threat
 - Targeting critical infrastructure: cyberterrorists, cyberwarriors, cyberhacktivists
 - Targeting data and information: cyberspies, cyberthieves
 - Not mutually exclusive
The Threat Is Real
 - DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT):
   - Responded to 198 cyber incidents in FY 2012; of these, 41% were in the energy sector
   - In the first half of FY 2013, the highest percentage of reported incidents (53%) occurred in the energy sector
   - Identified in 2012 an active series of cyber intrusions targeting natural gas pipeline companies, dating back to Dec. 2011
 - McAfee Report:
   - Reported incidents of cyber attacks originating in China to collect competitive information about oil and gas fields, dating back to 2009
The Threat Is Real (cont'd)
 - Markey / Waxman Report (May 2013):
   - The electric grid is the target of numerous and daily cyber attacks, ranging from phishing to malware infection to unfriendly probes
   - One utility reported approximately 10,000 attempted cyber attacks each month
 - The Bottom Line:
   - Since 2010, DOE has invested more than $100 million in cybersecurity R&D
   - But utilities are predicted to spend $7.25 billion on security from 2013 until 2020
So what is to be done?
Cybersecurity Executive Order
 - Improving Critical Infrastructure Cybersecurity, issued Feb. 12, 2013
 - Intended to address cybersecurity of owners / operators of critical infrastructure
   - But only governs federal agencies, not private companies
 - Includes all sectors:
   - Utilities: electric, gas, water, telecom
   - Banking and finance
   - Health care industry
   - Any physical or virtual assets or systems the incapacity or destruction of which could have a debilitating impact on national security, the economy, or public health or safety
New Processes Underway
 - DHS-led consultative process among agencies to improve cybersecurity of critical infrastructure
 - NIST-developed Cybersecurity Framework:
   - To identify and mitigate cyber risks to critical infrastructure using voluntary consensus standards and industry best practices
   - Framework must provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach
   - Framework must be technology neutral, allow for use of competitive markets, and offer guidance for measuring performance
 - DHS-led effort to establish a voluntary program to support adoption of the Framework by owners / operators of critical infrastructure
NIST Cybersecurity Framework Timeline
 - Preliminary Framework issued Oct. 22, 2013
 - Final Framework due Feb. 12, 2014
 - Issuance of Preliminary Framework based on rulemakings at NIST: RFIs, comments, workshops
 - Additional workshop underway
 - Comments on Preliminary Framework due Dec. 13, 2013
 - Available at: http://www.nist.gov/itl/cyberframework.cfm
Framework Overview
 - Framework uses risk management processes to enable organizations to inform and prioritize cybersecurity decisions
 - A common language and mechanism for organizations to:
   - Describe their current cybersecurity posture
   - Describe their target state
   - Identify and prioritize ways to improve
   - Assess progress
   - Communicate internally and externally
 - Tools to build or improve cybersecurity risk management processes and activities
 - Not intended to be a checklist
Framework Structure
 - Framework Core: a means of organizing cybersecurity activities across the enterprise
   - Functions: highest level of structure for organizing activities
   - Categories: for organizing activities closely tied to programmatic needs
   - Subcategories: tactical groupings within each Category
   - Informative References: specific standards, guidelines and practices to accomplish cybersecurity activities within each Subcategory
 - Framework Profile
 - Framework Implementation Tiers
Framework: Five Core Functions
 - Identify: activities to develop institutional understanding of what needs to be protected, what the risks are, and what the priorities are
 - Protect: activities to safeguard systems and services
 - Detect: activities to identify a cybersecurity event
 - Respond: activities to address a detected cyber event
 - Recover: activities to restore capabilities and services
Framework Categories
 - Categories and Subcategories within each Function
 - Examples:
   - Category: Asset Management (Function = Identify)
     - Subcategories: Inventory physical devices and systems within the organization; Inventory software platforms and applications within the organization
   - Category: Access Control (Function = Protect)
     - Subcategories: Manage identities and credentials for authorized devices and users; Manage and secure physical access
   - Category: Detection Processes (Function = Detect)
     - Subcategories: Ensure accountability by defining roles and responsibilities; Conduct exercises to ensure readiness
Framework Informative References
 - Informative References: existing standards, guidelines and practices common among critical infrastructure sectors that are linked to Categories and Subcategories
 - For example, ISO standards
 - Not exhaustive; can include additional standards adopted by the organization or industry
Framework Profile
 - The goal of the Framework is to enable an organization to build a cybersecurity profile: how the organization
   - Manages cybersecurity risk
   - Sets its goals and priorities
   - Achieves its goals
 - Basically a "roadmap":
   - What is my current cybersecurity posture?
   - What do I want it to be?
   - How do I get there?
   - How do I assess progress and the end state?
 - Not a one-size-fits-all approach
Framework Implementation Tiers
 - Implementation Tiers demonstrate the implementation of the Core Functions and Categories and indicate how cybersecurity risk is managed
 - Tiers measure level of maturity: the degree of formality and sophistication in the organization's cybersecurity program
   - Tier 1, Partial: not formalized, ad hoc, reactive
   - Tier 2, Risk-Informed: practices approved, no formal policy
   - Tier 3, Repeatable: practices and policy established
   - Tier 4, Adaptive: proactive, adapts to emerging threats
 - Helps the organization determine what its current and target cybersecurity postures are in each Category
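As an added illustration (not part of the presentation or of NIST's own material), the following Python model works the Profile questions above ("where am I, where do I want to be, how do I get there, how do I assess progress") against the deck's three example Categories and four Implementation Tiers. The category set, the sample tier values and the largest-gap-first prioritization rule are constructed assumptions:

```python
# Constructed example (not from the deck): Profile gap analysis, current vs.
# target Implementation Tier per Category. All sample values are assumed.

TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}

# Example Categories from the deck, mapped to their Function.
CATEGORIES = {
    "Asset Management": "Identify",
    "Access Control": "Protect",
    "Detection Processes": "Detect",
}


def validate_profile(profile):
    """A Profile is {category: tier}; reject unknown Categories or Tiers."""
    for cat, tier in profile.items():
        if cat not in CATEGORIES:
            raise ValueError(f"unknown Category: {cat}")
        if tier not in TIERS:
            raise ValueError(f"Tier must be 1-4, got {tier!r} for {cat}")
    return profile


def gap_roadmap(current, target):
    """[(category, function, current_tier, target_tier, gap)] for each Category
    below its target, largest gap first (ties by name). Unassessed = Tier 1."""
    for profile in (current, target):
        validate_profile(profile)
    rows = []
    for cat, tgt in target.items():
        cur = current.get(cat, 1)  # never assessed -> treat as Partial
        if tgt > cur:
            rows.append((cat, CATEGORIES[cat], cur, tgt, tgt - cur))
    return sorted(rows, key=lambda r: (-r[4], r[0]))


def progress(baseline, current, target):
    """Fraction (0.0-1.0) of the baseline-to-target gap closed; overshooting a
    target earns no extra credit, and a Category with no gap is ignored."""
    total = closed = 0
    for cat, tgt in target.items():
        base = baseline.get(cat, 1)
        total += max(tgt - base, 0)
        closed += max(min(current.get(cat, 1), tgt) - base, 0)
    return 1.0 if total == 0 else closed / total


if __name__ == "__main__":
    base = {"Asset Management": 1, "Access Control": 2, "Detection Processes": 1}
    goal = {c: 3 for c in CATEGORIES}  # aim for Tier 3 (Repeatable) everywhere
    print(*gap_roadmap(base, goal), sep="\n")
```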
Framework Privacy Concerns
 - Framework includes an appendix on protecting privacy and civil liberties
 - Identifies activities that can be taken within relevant Categories and Subcategories to protect personally identifiable information (PII)
 - Goes beyond what U.S. law currently requires to protect PII
Incentives to Adopt Framework
 - White House blog post (Aug. 6, 2013) on incentives to adopt NIST Framework being evaluated
 - Recommendations provided by DHS, Commerce, and Treasury pursuant to Executive Order
 - Incentives include:
   - Cybersecurity Insurance: collaboration to develop underwriting practices promoting adoption of cyber risk-reducing measures and risk-based pricing, and fostering a competitive cyber insurance market
   - Grants: adoption of Framework as condition or consideration in awarding grants
   - Process Preference: participation in Framework as a consideration in expediting existing government service delivery
Incentives (cont'd)
 - Incentives include (cont'd):
   - Liability Limitation: reduced tort liability, limited indemnity, higher burdens of proof, and creation of federal legal privilege preempting state disclosure requirements to encourage participation
   - Streamline Regulations: make compliance easier by eliminating overlaps among laws and regulations, enabling equivalent adoption across regulatory structures, and reducing audit burdens
   - Public Recognition: optional public recognition to encourage participation
   - Rate Recovery: for price-regulated industries (utilities and pipelines), allow recovery of cybersecurity investments
   - Cybersecurity Research: R&D to meet needs where commercial solutions are not available
What It Means for Energy Companies
 - On the surface, the Framework looks good
   - Provides a process, conceptual structure, and tools to develop and improve your cybersecurity risk management program
 - And everyone should have such a program, especially energy companies
   - Energy companies are high-risk targets for cyber attacks
   - Energy companies have unique concerns: traditional IT concerns plus operational systems
But Some Concerns
 - How voluntary is the EO-directed program?
   - Some Incentives appear coercive
   - Use of Framework by internal and external auditors: a "check the box" approach effectively makes it mandatory
   - Framework as de facto industry standard: adopt and implement to avoid liability in the event of a cyber attack
 - Compliance vs. security
Some Uncertainties & Unknowns
 - What is "critical infrastructure" covered by the EO and Framework?
 - Duplicative requirements? E.g., electric utilities and compliance with NERC CIP Standards
 - Liability protections:
   - Need legislative fix, so no liability protections provided in Framework or Incentives
   - But, may need to follow to avoid liability in the event of a cyber attack
 - Framework does not identify legal or regulatory requirements that may apply
 - Gaps in supply chain management
Some Final Thoughts
 - Uncertainties in legislative and regulatory developments will continue
   - Framework as guide used by states adopting cybersecurity laws and regulations
 - But still some things that can be done today:
   - Internal self-assessment of cyber vulnerabilities and priorities
   - Develop, test and update incident response and recovery plans
   - Implement cyber training
   - Get management buy-in now
Questions?
 - Dan Frank, 202.383.0838, daniel.frank@sutherland.com
 - J.J. Herbert, 202.383.0822, jj.herbert@sutherland.com
 - Mark Thibodeaux, 713.470.6104, mark.thibodeaux@sutherland.com