Cybersecurity in the Utilities Sector: Best Practices and Implementation. 2014 Canadian Utilities IT & Telecom Conference, September 24, 2014


Cybersecurity in the Utilities Sector: Best Practices and Implementation
2014 Canadian Utilities IT & Telecom Conference, September 24, 2014
Victoria Yan Pillitteri, Advisor for Information Systems Security, victoria.yan@nist.gov

National Institute of Standards and Technology (NIST)
About NIST: NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
- 3,000 employees
- 2,700 guest researchers
- 1,300 field staff in partner organizations
- Two main locations: Gaithersburg, MD and Boulder, CO
NIST priority research areas: Advanced Manufacturing; IT and Cybersecurity; Healthcare; Forensic Science; Disaster Resilience; Cyber-physical Systems; Advanced Communications

Utility Cybersecurity: An International Challenge
(Map slide; image source: http://www.nerc.com/comm/oc/rs%20landing%20page%20DL/Related%20Files/BA_Bubble_Map_20140630.jpg)

NIST Cybersecurity Resources
- Framework for Improving Critical Infrastructure Cybersecurity
- Guidelines for Smart Grid Cybersecurity
- Guide to Industrial Control Systems Security
- Cybersecurity for Cyber-Physical Systems

Executive Order: Improving Critical Infrastructure Cybersecurity
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." President Barack Obama, Executive Order 13636, Feb. 12, 2013
- The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
- Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work

The Cybersecurity Framework Is for Organizations:
- Of any size, in any sector in the critical infrastructure
- That already have a mature cyber risk management and cybersecurity program
- That don't yet have a cyber risk management or cybersecurity program
- With a mission of helping keep up-to-date on managing risk and facing business or societal threats

Framework Components
Framework Core:
- Cybersecurity activities and informative references, organized around particular outcomes
- Enables communication of cyber risk across an organization
Framework Profile:
- Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
- Supports prioritization and measurement while factoring in business needs
Framework Implementation Tiers:
- Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics

Framework Core (diagram slide; no transcribed text)

Framework Profile
- Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization
- Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities
- Can be used to describe the current state or the desired target state of cybersecurity activities

How to Use the Cybersecurity Framework
The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
- Understand security status
- Establish / improve a cybersecurity program
- Communicate cybersecurity requirements with stakeholders, including partners and suppliers
- Identify opportunities for new or revised standards
- Identify tools and technologies to help organizations use the Framework
- Integrate privacy and civil liberties considerations into a cybersecurity program
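As an added illustration of the Profile and "understand security status" uses described in the two slides above (example code, not from the presentation or from NIST), the following compares a Current Profile with a Target Profile and produces a prioritized gap list. It assumes a small excerpt of the Core (the four subcategory ids are real CSF 1.0 identifiers), scores each subcategory on the 1-4 Implementation Tier scale as a simplification (the Framework applies Tiers to the organization as a whole), and uses constructed sample scores.

```python
"""CSF Profile gap analysis: Current Profile vs Target Profile -> roadmap.

Added example, not code from the presentation or from NIST. Subcategory ids
are real CSF 1.0 identifiers; scoring each subcategory on the 1-4 Tier scale
is a simplification (CSF applies Tiers to the organization as a whole), and
all profile scores below are constructed sample values.
"""

# Framework Core excerpt: subcategory id -> (Function, outcome). Real CSF 1.0 ids.
CORE = {
    "ID.AM-1": ("Identify", "Physical devices and systems are inventoried"),
    "PR.AC-1": ("Protect", "Identities and credentials are managed"),
    "DE.CM-1": ("Detect", "The network is monitored to detect events"),
    "RS.RP-1": ("Respond", "Response plan is executed during or after an event"),
}
# Implementation Tier names (CSF 1.0).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


def validate_profile(profile):
    """A Profile may only reference Core subcategories with valid Tier scores."""
    for sub, tier in profile.items():
        if sub not in CORE:
            raise ValueError(f"unknown subcategory {sub}")
        if tier not in TIERS:
            raise ValueError(f"invalid tier {tier} for {sub}")


def gap_analysis(current, target):
    """Return (subcategory, function, have, want) tuples where Target exceeds
    Current, largest gap first; ties keep Core order (Identify, Protect, ...).
    A subcategory missing from the Current Profile counts as Tier 1 (Partial).
    """
    validate_profile(current)
    validate_profile(target)
    order = list(CORE)
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 1)
        if want > have:
            gaps.append((sub, CORE[sub][0], have, want))
    return sorted(gaps, key=lambda g: (-(g[3] - g[2]), order.index(g[0])))


# Constructed sample profiles: where the utility is now vs where it wants to be.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 3}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 2}

if __name__ == "__main__":
    for sub, fn, have, want in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{sub} ({fn}): {TIERS[have]} -> {TIERS[want]}")
```

The sorted output is the roadmap: the largest Current-to-Target gaps come first, and a subcategory the organization has never assessed surfaces as a gap rather than being silently skipped.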


Revised: Guidelines for Smart Grid Cybersecurity
NIST Interagency Report 7628, Rev. 1, Guidelines for Smart Grid Cybersecurity, released September 2014

Overview of Updates to NISTIR 7628
- Updates to reflect feedback from implementations and experience using the guidelines
- Updates to Volume 2, Privacy and the Smart Grid, to reflect changing regulatory requirements
- New use cases: advanced metering and privacy
- New sections addressing: the relationship between EO 13636 and smart grid guidance, cyber-physical attack, and cybersecurity testing and certification
- New informative references: NISTIR 7628 User's Guide, published by the Smart Grid Interoperability Panel


Revised: Guide to Industrial Control Systems (ICS) Security
Draft NIST Special Publication 800-82, Rev. 2, major updates:
- ICS threats and vulnerabilities
- ICS risk management, recommended practices and architectures
- Current activities in ICS security
- Additional alignment with ICS security standards and guidelines
- New tailoring guidance for NIST SP 800-53, Rev. 4 security controls and overlays
- ICS Overlay, providing tailored security control baselines for Low, Moderate, and High impact ICS

ICS Overlay (diagram slide; no transcribed text)


Emerging: Cybersecurity for Cyber-Physical Systems (CPS)
- What are CPS?
- Is a CPS any engineered system with a microprocessor?
- Do all CPS need to be connected to the internet?
- Are there a set of basic functions and architectural elements common to all CPS?
Join the CPS Public Working Group (www.cpspwg.org) to engage with other experts to chart the path to the future of CPS

NIST Cybersecurity Resources
- Cybersecurity Framework: www.nist.gov/cyberframework
- Guidelines for Smart Grid Cybersecurity and Guide to Industrial Control Systems Security: www.csrc.nist.gov
- Cybersecurity for Cyber-Physical Systems: www.nist.gov/cps
- CPS Public Working Group (industry, academia, government): www.cpspwg.org