DOE Cyber Security Policy Perspectives
Mike Smith, Senior Cyber Policy Advisor to the Assistant Secretary, Department of Energy
Overview of DOE Cybersecurity Priorities
Protecting the DOE Enterprise from Cyber Threats
Bolstering U.S. Government Capabilities to Address Cyber Threats
Improving Cybersecurity in the Energy Sector
Improving Cybersecurity in the Energy Sector
Build a robust information sharing and situational awareness architecture
  Add additional energy sector entities to the Cybersecurity Risk Information Sharing Program (CRISP)
  Conduct threat briefings
Provide tools and technology for owners and operators to strengthen security and resilience
  Expand implementation of the Cybersecurity Capability Maturity Model (C2M2), which encourages adoption of best practices and informs cybersecurity investment decisions
  Develop and demonstrate cutting-edge cybersecurity solutions in the energy sector
Develop a robust incident response capability in the energy sector
  Automate the workflow process for all stakeholders and responders to ensure faster, coordinated incident management
  Exercise incident response capabilities
CRISP Overview
Description: The Cybersecurity Risk Information Sharing Program (CRISP) combines software tools, analytical hardware and software, and analytical expertise, including private sector industry expertise, to understand and mitigate the threats focused on the nation's energy infrastructure.
Vision: An enduring, trusted information sharing partnership between the Department of Energy and its private Energy Sector partners that significantly enhances the security of Energy Sector infrastructure systems while also improving the U.S. Government's critical infrastructure situational awareness.
Cyber Fed Model (CFM)
A near real-time exchange of cyber threat information focused on the reduction and mitigation of cyber security risk across our critical infrastructure
Exchange typically occurs every 5-15 minutes
Tactical: actionable information
Autonomic: machine-to-machine
Participant controls sharing: each participant decides what it shares and with whom
Payload agnostic: the exchange carries the data without depending on its format
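The four properties listed for the CFM (periodic cadence, machine-to-machine, producer-controlled sharing, payload agnostic) are easier to reason about as a small model. The following is hypothetical example code written for this page, not the CFM implementation or its wire format; the participant names, the hub class, the record envelope and the sample records are all constructed for illustration.

```python
"""Hypothetical model of the exchange properties listed above: a hub that
fans out opaque threat records machine-to-machine on a fixed cadence, where
the producing participant, not the hub, decides who may receive each record.
Example code written for this page; it is not the CFM implementation or
its wire format."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, FrozenSet, List, Set
import hashlib
import json


@dataclass(frozen=True)
class SharedRecord:
    producer: str            # participant that submitted the record
    allowed: FrozenSet[str]  # recipients the producer permits; "*" means everyone
    content_type: str        # a hint for consumers only; the hub never parses payload
    payload: bytes           # opaque to the hub: CSV, JSON, a pcap slice, anything

    def digest(self) -> str:
        """Content hash used for de-duplication, computed without decoding the payload."""
        return hashlib.sha256(self.payload).hexdigest()


class ExchangeHub:
    """Queues submissions and delivers them in periodic cycles."""

    def __init__(self, interval_minutes: int = 15):
        # The page gives 5-15 minutes as the typical cadence; enforce that range.
        if not 5 <= interval_minutes <= 15:
            raise ValueError("cadence outside the 5-15 minute range")
        self.interval = timedelta(minutes=interval_minutes)
        self._queue: List[SharedRecord] = []
        self._seen: Set[str] = set()

    def submit(self, record: SharedRecord) -> bool:
        """Accept a record unless an identical payload was already exchanged."""
        d = record.digest()
        if d in self._seen:
            return False
        self._seen.add(d)
        self._queue.append(record)
        return True

    def run_cycle(self, participants: List[str]) -> Dict[str, List[SharedRecord]]:
        """One exchange cycle. A record reaches a participant only if its producer
        listed that participant (or "*"), and it never goes back to the producer."""
        deliveries: Dict[str, List[SharedRecord]] = {p: [] for p in participants}
        for rec in self._queue:
            for p in participants:
                if p == rec.producer:
                    continue
                if "*" in rec.allowed or p in rec.allowed:
                    deliveries[p].append(rec)
        self._queue.clear()
        return deliveries


def demo() -> Dict[str, List[str]]:
    """Run one cycle over constructed sample records and report, per recipient,
    which producers' records it received."""
    hub = ExchangeHub(interval_minutes=5)
    participants = ["utility-a", "utility-b", "utility-c"]
    # Constructed sample data; the address, hash and text are placeholders.
    rec_a = SharedRecord("utility-a", frozenset({"*"}), "text/csv",
                         b"198.51.100.7,scan of substation DMZ,2014-06-01T12:00Z")
    rec_b = SharedRecord("utility-b", frozenset({"utility-a"}), "application/json",
                         json.dumps({"sha256": hashlib.sha256(b"sample").hexdigest(),
                                     "note": "share with utility-a only"}).encode())
    rec_c = SharedRecord("utility-c", frozenset({"*"}), "application/octet-stream",
                         bytes.fromhex("deadbeef"))
    for rec in (rec_a, rec_b, rec_c, rec_a):  # rec_a resubmitted: dropped as duplicate
        hub.submit(rec)
    deliveries = hub.run_cycle(participants)
    return {p: [r.producer for r in recs] for p, recs in deliveries.items()}


if __name__ == "__main__":
    for recipient, producers in demo().items():
        print(f"{recipient} received records from: {producers}")
```

The point of the model is where the decisions sit: the hub hashes and routes bytes it never interprets (payload agnostic), the producer's `allowed` set is the only thing that decides fan-out (participant controls sharing), and nothing in the loop needs a human in the path (autonomic).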
C2M2 Program
ES-C2M2: public-private collaborative effort; sector-specific subject matter expertise; pilot evaluations
ONG-C2M2: tested and refined for oil and natural gas (ONG) through pilot evaluations across upstream, midstream, and downstream ONG companies
C2M2: without sector-specific references or terms of art; refined through the ONG pilots and also via cross-sector outreach
ES-C2M2 Introduction
Challenge: develop capabilities to manage dynamic threats and understand the cybersecurity posture of the grid
Approach: develop a maturity model and self-evaluation survey to build and measure cybersecurity capabilities
Results: a scalable, sector-specific model created in partnership with industry
ES-C2M2 Objectives
Strengthen cybersecurity capabilities
Enable consistent evaluation and benchmarking of cybersecurity capabilities
Share knowledge and best practices
Enable prioritized actions and cybersecurity investments
Framework - Introduction
Goals:
Reduce cyber risks to critical infrastructure
Voluntary and technology-neutral
Improve cyber threat information sharing
Incorporate privacy and civil liberties protections
Leverage existing regulation to promote cybersecurity
Repeatable and cost-effective design
Flexible cross-sector approach
Development process: collaborative cross-sector workshops and public comments
NIST Cybersecurity Framework
Released February 12, 2014
Developed in partnership with asset owners and operators, academia, and the US Government
A risk-based cybersecurity approach composed of three parts:
Core: a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors
Profile: represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories in the Core
Tiers (1-4): provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk
Guidance Development: Summary
DOE is holding bi-weekly conference calls with private sector stakeholders to engage them in the development of the Framework Implementation Guidance document.
A draft outline is being circulated for comments.
DOE is collaborating with sector-specific agencies and other interested government partners to seek their input on the Guidance document.
It is anticipated that the Framework Implementation Guidance document for the Energy sector will be released in October 2014.
Guidance Development: Approach
There are many potential tools for addressing Framework implementation; ES-C2M2 is one of many such tools.
For organizations that prefer an implementation approach other than the C2M2, DOE is working with the Sector Coordinating Councils to develop and incorporate a general process addressing how alternative approaches may satisfy the goals of the Framework.
For organizations that use C2M2, the Implementation Guidance will highlight the interoperability between the NIST Cybersecurity Framework and DOE's C2M2 program.
Guidance Development: Framework and C2M2
C2M2 practices, which cover elements of both the Framework Core and Tiers, address both the sophistication of a cybersecurity program and the culture supporting it.
C2M2 Maturity Indicator Levels (MILs) tie to elements of the Framework Tiers: each domain MIL score in the C2M2 incorporates elements of the risk management characteristics from the Tiers.
C2M2 scorecards, which highlight the level of maturity across C2M2 domains, are almost identical in concept to Framework Profiles, both current and target.
Framework Adoption
The White House established a work plan for ten incentive working groups, one of which is the working group Prudent Cybersecurity Investments and Opportunities for Utilities in the Electric, Natural Gas, Water and Telecom Sectors.
The working group was tasked with incentivizing adoption of the Cybersecurity Framework.
The working group identified three target stakeholder groups:
State and local regulators
State policy makers
Asset owners/operators
State and Local Regulators
The CSF is a voluntary guideline that can be referenced when evaluating a utility's cybersecurity program.
Implementing the practices outlined in the CSF is one way to reduce exposure to risks, which can have significant financial implications for utilities.
Adopting the CSF can assist both regulators and the entities they regulate, as it may reduce risks to the private sector, their customers, and society as a whole.
We want to work with you to create a common lexicon, between regulators and regulated entities and between the public and private sectors, for managing cyber risk.
Using something other than the CSF for a cybersecurity discussion with regulated entities will create an undue burden on those entities.
State Policy Makers
Cybersecurity, as outlined in the CSF, should be considered when developing policies for reducing risks and enhancing the resiliency of critical infrastructure.
We have identified and collaborated with several groups with existing relationships with regulators and policy makers who can assist in developing these policies (NASEO, NARUC, etc.).
Asset Owners/Operators
The CSF can be used as a tool for evaluating cybersecurity programs.
Increased implementation of the activities in the CSF may lead to better informed documentation and consideration of the recovery of costs for cybersecurity-related expenses.
There are several documents and guides which may be used to implement the activities in the CSF; for example, the American Water Works Association Cybersecurity Tool, the ES-C2M2 and the Draft Energy Sector Framework Guidance.
Cybersecurity for Energy Delivery Systems (CEDS) R&D Structure
Projects run from higher-risk, longer-term research along a path to commercialization, with the partner's cost share rising as project risk falls:
Higher risk, longer term: Core NSTB program and Frontier research; academia projects at minimum cost share
Medium risk, mid term: national laboratory-led projects at lower cost share
Lower risk, shorter term: industry-led projects at higher cost share
Core & Frontier (NSTB): Argonne National Laboratory, Idaho National Laboratory, Oak Ridge National Laboratory, Los Alamos National Laboratory, Lawrence Berkeley National Laboratory, Pacific Northwest National Laboratory, Sandia National Laboratories
Academia led: Trustworthy Cyber Infrastructure for the Power Grid (TCIPG): Cornell University, Dartmouth College, UC Davis, University of Illinois, Washington State University; SEI at Carnegie Mellon
Laboratory led: Idaho National Laboratory, Oak Ridge National Laboratory, Pacific Northwest National Laboratory
Industry led: Applied Communication Services, Grid Protection Alliance, Honeywell, Schweitzer Engineering Laboratories, Inc., Siemens Infrastructure & Cities, Energy Automation, Sypris
Cybersecurity for Energy Delivery Systems R&D Structure (next phase)
Guided by the Energy Sector's Roadmap to Achieve Energy Delivery Systems Cybersecurity and by NITRD (Networking and Information Technology Research and Development).
University-led R&D: issue a competitive solicitation for an academic collaboration. This is the second phase of an expanded academic collaboration that combines expertise in power system engineering and the computer science of cybersecurity to innovate and transition capabilities that reduce the risk of power disruption resulting from a cyber incident. It maintains an academic collaboration in CEDS R&D after the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) receives its final year of funding in FY14.
National Lab-led R&D: continue high-risk/high-payoff Frontier and Core research at the National Labs. Research areas could include: analyzing the risk posed to the energy sector if energy delivery control systems were exploited by selected malware; Tailored Trustworthy Spaces that tailor cybersecurity at all levels of the energy delivery system architecture.
Energy Sector-led R&D: issue a competitive solicitation for the Energy Sector. Research areas could include: detecting compromise of supply chain integrity for energy delivery system cyber assets; identifying adversarial cyber activity that attempts to hide by misusing normally allowed operation of power grid components; surviving a cyber incident while sustaining critical energy delivery functions.
Cybersecurity for Energy Delivery Systems Key Success: Lemnos Collaboration Transitions R&D to Practice
CEDS projects engage national labs, vendors, asset owners, and academia throughout the project lifecycle to deliver relevant projects with clear commercialization paths. Lemnos followed that path end to end:
Applied research: the Open Process Control System (PCS) Security Architecture for Interoperable Design, known as OPSAID, provides vendors of supervisory control and data acquisition/energy management systems (SCADA/EMS) with the capability to retrofit secure communications for legacy devices, and to design in interoperable security for future energy delivery control systems (Sandia National Laboratories).
Prototype development: a commercial prototype and an open source configuration profile for interoperable, secure, routable energy sector communications (EnerNex Corporation, Sandia National Laboratories, Schweitzer Engineering Laboratories, Tennessee Valley Authority, and seven network security vendors).
Field demonstration: Lemnos has become a broad industry partnership for secure, interoperable communications; increasing numbers of energy delivery system vendors have demonstrated Lemnos, at least ten today.
Open source solution: a broad energy sector partnership uses Lemnos for interoperable, secure, routable energy sector communications.
Commercial product: the Schweitzer Engineering Laboratories Ethernet Security Gateway SEL-3620 implements Lemnos.
Integrated National Response to a Cyber Incident
In 2012, Deputy Secretary of Energy Daniel Poneman directed senior staff at DOE to develop a Cyber Incident Response Plan for integrated national response for the Energy Community. This kicked off a multi-year effort to organize internally and externally to develop a timely, coordinated, effective, and efficient Cyber Incident Management Capability for integrated national response. The capability will use governmental and non-governmental resources to prevent, protect against, mitigate, respond to, and recover from a high-impact cyber incident.
DOE's Goal: Operational Energy and Resilience
Steady State
Understand and communicate threats: serve as a steady-state operations center that can monitor, receive, and analyze real-time energy threat and operations information and coordinate sharing of that information with all Energy Sector stakeholders.
Emergency Response
Facilitate return to normal and provide immediate assistance: during emergencies, the E-ROC facilitates collaboration with governments and energy sector partners, including owners, operators, and associations, through the analysis and dissemination of actionable information.
Risk Management
Engage with domestic and international partners to ensure the reliability, survivability and resiliency of the Energy Sector.
Enhance resilience: implement energy resilience policies and guidelines for facility owners and States (including territories and tribal) to mitigate, prepare for, prevent, respond to, and recover from disasters and threats that might impact energy infrastructure.
Provide immediate assistance: during emergencies, deploy and coordinate with regional Federal, State (including territories and tribal) and energy infrastructure owners and operators, and serve on the National I-MAT Teams, for faster restoration and recovery of energy systems.
Cutting Edge Solutions
Rapid identification of potential technical solutions and, as appropriate, driving the innovation and introduction of new science and technology to the Energy Sector.
DOE's PICERF Capability Segments
Energy Sector Cybersecurity Incident Management Capability: a framework for people, tools, and processes
Contain; Lessons Learned / Post-mortem / Follow-up
Operations: e.g., requirements, CONOPS, roles, playbook, MOUs, areas, SLAs/metrics, exercises, supply chain, reports
Information: e.g., data standards, adapters, aggregation, cross-domain, variety, velocity, historical data
Technology: e.g., capabilities, analytics, lines of communication, IM system, portal, B2B
2014 goal: finalize an Incident Management roadmap, developed with federal partners and industry, for the incident response capabilities needed over the next five years.
Energy Sector Cybersecurity Incident Management Capability Gap Observations: Executive Summary
Compliance focus: increased focus on response and recovery while sustaining appropriate levels of preparation and compliance
Data protection: protection for any submitted data against regulatory or public use beyond narrowly defined incident management
Customer convenience: mobility, ease of use, portal access, timely access to sensitive information, hours of operation
Personalization of information: based on DOE and stakeholder needs, in the desired form, and using the communications channel they would prefer
Centralized reporting, wide dissemination: elimination of redundant efforts and of confusion about who and where to go for answers and resources
Shared situational awareness: integrated data exchange amongst stakeholders to enable effective decision-making
Asset owners increase data production: increased bi-directional data exchange with asset owners and access to their insights
Building Incident Management Capacity: Playbooks and Capabilities
Electricity Subsector Playbook to address a cyber attack:
  Part of a larger DHS-led effort to identify incident response processes in critical infrastructure sectors
  Collaboration between government and industry to identify responsibilities and activities
  Specific types of attack addressed
Government and Industry Capabilities in the Electricity Subsector:
  Part of a larger DHS-led effort to identify incident response capabilities in critical infrastructure sectors
  Collaboration between government and industry to identify existing capabilities
Executive-level Playbooks:
  ESCC directed a Senior Executive Industry Playbook that addresses all hazards
  Government entities have similar playbooks for executive communications and alert levels
Questions?
Mike Smith, Senior Cyber Policy Advisor to the Assistant Secretary, Department of Energy
Email: Mike.Smith2@hq.doe.gov
Phone: 202-586-8710