Cybersecurity Governance for Boards of Directors

This paper discusses the emerging issue of Board of Directors Governance and Cybersecurity. Originally presented to the Boards of Directors of the IRC http://www.isorto.org/Pages/Home in May 2014. The paper is continuously being improved, with the ultimate aim of serving as a resource for Boards of Directors in the energy (electricity and natural gas) industry. Suggested updates and improvements are welcome at PaulFeldman@Gmail.com. The current copy is always at http://www.EnergyCollection.us/456.pdf

Energy Company Boards, Cybersecurity, and Governance
Version 1.1 [1]
http://www.EnergyCollection.us/456.pdf

The purpose of this paper is to provide some thoughts related to Energy Company Boards and the question of Cybersecurity Governance. [2] Board Governance, like Cybersecurity, is a complicated subject. Both abound in Best Practice claims, but agreed-upon Best Practices are scarcer. Both require a thoughtful understanding of the situation, careful consideration of the implications, and then decision making as to how to proceed given unique circumstances. In short, one size does not fit all, for either Board Governance or Cybersecurity, so it should be no surprise that combining the two makes things murkier still. A recent report sums up the situation, however:

"It has long been recognized that directors and officers have a fiduciary duty to protect the assets of their organizations. Today, this duty extends to digital assets, and has been expanded by laws and regulations that impose specific privacy and cyber security obligations on companies. This is the third biennial survey that Carnegie Mellon CyLab has conducted on how boards of directors and senior management are governing the security of their organizations' information, applications, and networks (digital assets). First conducted in 2008 and carried forward in 2010 and 2012, the surveys are intended to measure the extent to which cyber governance is improving. The 2012 survey is the first global governance survey, comparing responses from industry sectors and geographical regions."

"For the third time, the survey revealed that boards are not actively addressing cyber risk management. While placing high importance on risk management generally, there is still a gap in understanding the linkage between information technology (IT) risks and enterprise risk management. Although there have been some measurable improvements since the 2008 and 2010 surveys, boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks. Involvement in these areas would help them manage reputational and financial risks associated with the theft of confidential and proprietary data and security breaches of personal information." [3]

The paper is organized into the following sections (Table of Contents):
1. Board Expertise and Structure
2. Boards, Management, and Cybersecurity
3. Risk Management and Cybersecurity
4. Questions a Director Should Ask
5. Traps Not to Fall Into
6. IT vs. OT (ICS)
7. FERC, NERC and CIP
8. NERC CIP Auditing
9. Best Practices
10. Technology and Other Things to Think About
11. Attachment A - Version History

The body of the paper attempts to address the most important considerations related to Boards and Cybersecurity. Each Board will have to find its own way, but this paper may be useful in teeing up the discussion and decision process. The paper contains many references in the form of footnotes to assist with clarity and/or further research. In addition, a much longer document can be downloaded that is a collection of terms, articles, reports and other references that a Director might want to access to deepen their understanding of the subjects discussed here. It can be downloaded at http://www.EnergyCollection.us/457.pdf

Board Expertise and Structure

At a minimum, Boards should do the following:
1. Discuss and Decide – have a discussion of the subject of cybersecurity. Recognize it as a risk, but a special, pervasive and permanent one. In that discussion (or discussions), evolve the Board's specific policies and procedures for addressing the subject.
2. Assign Board Responsibility – within the Board structure, address the question of who is responsible (more on this below).

[1] June 15, 2014
[2] It is important, when talking with IT people, to make clear the distinction between Board Governance and IT Governance. The term "IT Governance" is in widespread and useful use, but is entirely different from Board Governance. This can get confusing, as no other business function would typically use the term "Substitute-the-Function-Name Governance". The IT Governance Institute, however, mixes the two with its definition of IT Governance: "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives." Finally, "Internet Governance" is also an entirely separate matter from Board Governance.
[3] See Governance of Enterprise Security: CyLab 2012 Report, http://www.EnergyCollection.us/Energy-Security/Governance-Enterprise-Security.pdf
3. Get Regular Reports – normally, a Committee assigned the task of overseeing the Company's activities in the cyber area will receive regular reports (updates) from Management. This may be an integral part of the Company's Risk Management Process.
4. Stay Informed – Cybersecurity is not part of the background of most Board members, but it is now a critical area of business. Most Board members therefore have no experience to rely on in meeting their "duty of care" obligation, and need to purposefully raise their knowledge level in this area.

Boards are typically made up of a collected skill set aligned with the purpose and successful execution of the Corporation's Mission. Knowledge of Financial Matters, Generation, Transmission, Markets, and industry workings is all needed expertise for an Energy Company Board. Duty of Care [4] requires Directors to exercise reasonable care in executing their duties. Directors may rely on the Business Judgment Rule [5] for some protection, and that makes sense to the extent that the Directors are qualified to make judgments in the cybersecurity area. Reliance on Experts is often the route for exercising duty of care: using the opinions of others as a substitute for personal expertise.

An operable description of Reliance on Experts is:

"Unless an officer or director has knowledge that makes reliance unwarranted, an officer or director, in performing his or her duties to the organization, may rely on written or oral information, opinions, reports, or statements prepared or presented by: (i) officers or employees of the association whom the officer or director believes in good faith to be reliable and competent in the matters presented; (ii) legal counsel, public accountants, or other persons as to matters which the officer or director believes in good faith to be within the person's professional or expert competence; or (iii) in the case of reliance by directors, a committee of the board on which the director does not serve if the director believes in good faith that the committee merits confidence." [6]

Reliance on Experts should be closely considered in the case of cybersecurity and Boards for the following reasons:
1. No Director can hope to be a cybersecurity expert; it is more than a full-time job to understand and stay current with cyber risk and technology. Reliance on Experts is therefore inescapable. Experts may include selected Management and/or outside experts.
2. Cybersecurity is a pervasive and permanent risk. It applies to almost all business operations and all people in the business. While some have more responsibility than others, cybersecurity is everyone's business.

Given the importance of cybersecurity, and that Boards have typically been assembled with the traditional business in mind, this brings up the question:

[4] See http://en.wikipedia.org/wiki/Duty_of_care
[5] See http://en.wikipedia.org/wiki/Business_Judgement_Rule
[6] See http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12217
"How much cyber knowledge do we need on the Board to exercise our duty of care, and to appropriately rely on experts?"

Generally, reliance on experts is confirmed by having enough knowledge to evaluate the efficacy of the experts, followed by a Q&A phase when the experts make their conclusions available to the Board. Boards must have enough cyber knowledge to properly rely on experts; otherwise it is blind faith. However, just as no Director can aspire to be a cybersecurity expert, there may be no need to make all Directors cyber-literate, and a Committee designated for the purpose may be the appropriate solution. The candidates are:

4.1. The Audit Committee – a possible home, but concerns about defocusing from the Committee's primary role may arise, as may Committee talent issues. Audit Committee advisors generally include cybersecurity in their product/service offering, but a Board should not assume this is the right place without careful thought.
4.2. The Risk Management Committee – a possible home. Need to ensure Board talent is appropriate. [7]
4.3. The IT or Technology Committee – if the Board has such a Committee, it may be the logical place for executing the Board's responsibilities with respect to cyber risk and for keeping the full Board informed and advised. [8] There is an argument, however, that IT project budgets may stifle proper cyber expenditures in trade-off decisions.
4.4. Cybersecurity Committee – an obvious placement of responsibility, but Committee proliferation and drains on Directors' time have to be considered as well.

A drawback that should be overtly recognized in any Committee assignment is that cybersecurity, as a pervasive risk, cuts across virtually all operations of the Company and therefore all Board Committees. Given the pervasive nature of the cyber risk, it may make sense for every Board Committee to have written into its Charter consideration of the Cyber Risk that specifically applies to its own governance area. To fulfill that obligation they may need assistance from the Committee of the Board that has the cyber responsibility directly assigned. Another policy Boards may want to consider is a periodic meeting of the entire Board to hear about cybersecurity from Management and from the Board Committee on how it is executing its role.

[7] In MISO (www.misoenergy.org), the Corporate Governance Committee has responsibility for the Risk Management Process, but each of the separate Board Committees has responsibility for Risks that fall within its area of responsibility. The Corporate Governance Committee also has the responsibility for ensuring that no risk is left unassigned to a Committee of the Board.
[8] MISO (www.misoenergy.org) has such a Committee and has assigned cyber responsibility to it.
Boards, Management, and Cybersecurity

Like all other issues, there needs to be an understanding of the Board's Role and Management's Role in cybersecurity. A useful analogy may be the Sarbanes-Oxley implementation we have become familiar with over the last decade. SOX not only requires senior officers to certify the validity of the financials, but requires Controls to be in place to support that certification. Cyber can be handled similarly: someone needs to tell the Board that all is well, but the Board also needs insight into why that is so. Each Board deals with this subject in different ways, but it would certainly be a Best Practice to have a discussion of the subject and a resulting understanding of the "rules" that will govern the interaction between Management and the Board with respect to Cybersecurity. Here is an example set [9]; others may have adopted different policies depending on their own circumstances:

1. The Board takes its responsibilities for cybersecurity seriously in combination with the CEO; "tone at the top" in support of appropriate cybersecurity protections is required.
2. Management is responsible for cybersecurity and will be fully responsible for achieving a cyber-secure state at all times.
3. No matter how Management chooses to execute its responsibilities, the CEO is ultimately responsible, and the Board's main task is to hold the CEO accountable.
4. The XYZ Committee of the Board has primary responsibility for Management oversight and duty of care execution related to cybersecurity, including advising the full Board on such matters. The Committee acts only in an advisory capacity to the full Board and the other Committees of the Board.
5. The Board may elect to put certain "Guiding Principles" in place to guide Management actions on cybersecurity:
5.1. Management must assign total cyber responsibility to a single high-level manager with direct access to the CEO. This may be a CISO [10], or another individual who would have CISO responsibilities in addition to other responsibilities. The Board Committee will have full access to this CISO for Q&A.
5.2. Compliance must be accomplished within the context of being cybersecure, not vice versa.
5.2.1. A singular focus on CIP [11] Compliance can be counterproductive. [12]
5.3. Where we have compliance violations, the company policy is to self-report. Failure to self-report is a serious performance shortfall. NERC CIP standard violations must be considered in context by the Board, with care taken not to cause unwarranted action by Management.
5.4. Where an employee observes non-compliance with a Best Practice (non-NERC-CIP), the policy is to report it to the CISO.

[9] This is closer to the MISO (www.misoenergy.org) approach.
[10] CISO = Chief Information Security Officer (a common approach).
[11] See http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
[12] See Patrick Miller comments at http://www.EnergyCollection.us/Companies/FERC/TC-2014-04-29/Anfield-Group-Patrick-Miller.pdf
5.5. Management shall maintain a set of Best Practices with respect to cybersecurity and measure and report against them. These Best Practices must additionally result in full compliance with NERC CIP and other legal requirements. Contradictions between compliance/legal obligations and Best Practices will be surfaced as information to the responsible Board Committee.
5.6. Management will engage, and periodically rotate, an outside entity to perform an assessment of the Company's cybersecurity condition. Such assessment will be made available to the responsible Board Committee, as will the Assessor for Director Q&A.
5.7. All successful cyber intrusions will be reported in a timely manner to the responsible Committee Chair.
5.8. After any Best Practice is adopted, all deviations from it will be reported to the responsible Board Committee, as will all NERC CIP violations and self-reports.
5.9. The Board Committee should consider budgetary responsibility. While typically the Audit and Finance Committee of the Board oversees and advises the Board on the Budget, it may make sense for the cyber-responsible Committee to have a strong hand in approving the cybersecurity budget. In any case, the budget request of the CISO should get scrutiny by the responsible Committee and not be altered arbitrarily without discussion with it.

Of course, there are always temptations [13] to step over the line. Things like ordering the "gluing shut of all USB ports on OT/ICS machines" might be a good idea, but it is Management's call and not for the Board to decide. Excessive Board intervention into how to be cybersecure shifts the burden of responsibility and lessens the probability of actually being cybersecure. That said, there are also legitimate reasons, related to duty of care, to step over an otherwise clear Management/Board demarcation. Such a case might be repeated failure to maintain metrics, repeated breaches, repeated shortfalls in implementing Best Practices, unreasonable schedule slips, etc. Where the required results are not forthcoming, the Board has a deeper responsibility to understand why, and not to stop until it does understand why and is satisfied with the resulting recovery plan.

Finally, the CEO has to play a role in cybersecurity even though it is customary to delegate to a CISO. Because cybersecurity is everyone's business in a Company, the CEO needs to:
1. Choose a CISO wisely and closely monitor performance.
2. Personally approve and support the Company cybersecurity Plan/Policies.
3. Display visible support for the cybersecurity effort.
4. Increase his or her own skills and knowledge about this risk and its mitigation.
5. Be an active part of the bridge between the Board and Management.
6. Ensure proper budget and expenditure prioritization.

[13] Subject matter passion, subject matter expertise, misunderstanding of roles, or showmanship.
Risk Management and Cybersecurity

Certainly cybersecurity is a risk to the Company, and therefore it needs to be considered within the Company's Risk Management Platform. However, cybersecurity does have some special characteristics that make it perhaps deserving of specialized attention:
1. The Bit [14]-to-Electron Ratio is growing exponentially in the electricity business and will continue to do so for the foreseeable future.
2. The emerging interdependencies between customer actions and the Bulk Electric System, all driven by software, will increase in the future as the "Internet of Things" [15], the evolving role of markets, and shrinking capacity margins approach.
3. Cyber-attacks can happen in many ways; it is everyone's job to think about cybersecurity.
4. Cyber-attacks are a permanent phenomenon. The risk will not go away; we can only mitigate it and build resilient [16] systems.
5. Cyber-attacks are unstoppably growing. The elements at risk, the threat actors, and the threat capabilities are all growing, and there is probably nothing we can do about that side of the ledger as individual companies.

Certainly, cybersecurity can be evaluated within the common Risk equation:

Risk = Threat x Vulnerability x Impact

or another similar expression:

Risk = Probability x Impact

But then it needs to be recognized that Threats are on a steep ramp up, Vulnerability is increasing as noted above, and Impact is always high. Of course, Impact needs to be evaluated based on the particular action or project being contemplated, but some useful figures to keep in mind are that electricity bills in the US add up to about $300B, and that outages (95% of which are Distribution related) cause customers $100B in losses. The 2003 Bulk Electric System outage cost $6B. The San Diego outage of 2011 cost over $100M. On the pure fines issue, the Florida 2008 outage resulted in a fine of $25M. These are all big Impacts.

[14] Bits are essentially the raw material of software programs and associated communications.
[15] See Wikipedia at http://en.wikipedia.org/wiki/Internet_of_Things
[16] See "Nexus of Cybersecurity and Public Policy – Some Basic Concepts and Issues" at http://www.EnergyCollection.us/Energy-Security/Nexus-Cybersecurity-Public.pdf, page 61 of 103, for a good discussion of resilient systems.
Questions a Director Should Ask

A Board's responsibilities include "Duty of Care" [17], which is often displayed, informed, and executed in the form of Q&A with Management and Subject Matter Experts. Below is a list of questions (numbered, some followed by sub-numbered comments to assist the question) that a Board or Board Committee might ask in the area of cybersecurity to help carry out its duties:

1. Do we have the skills on the Board to properly execute our duty of care in the area of cybersecurity?
2. What is the entire set of Compliance obligations and laws we have to follow in the IT and Cybersecurity areas?
2.1. Make sure state laws are considered as well as federal.
2.2. Discuss legal liabilities.
3. What is our cyber-risk tolerance?
3.1. Are there parts of the overall system that need to be protected more than others?
4. Are the responsibilities for cybersecurity clearly spelled out, communicated, and being enacted across the entire organization?
4.1. Look for centralization of overall responsibility.
4.2. Do not separate IT from OT/ICS [18] responsibility with respect to cybersecurity.
4.3. Make clear the role of the internal auditor.
4.4. Seriously consider having the CISO report to the CEO rather than the CIO. [19]
5. How are you thinking about Cybersecurity vs. Compliance?
5.1. Hopefully, compliance is being accomplished within the context of being cyber secure, and true cybersecurity is the first line of defense.
5.2. No CIO or CISO should believe that Compliance will make the Company secure.
6. How do we measure cyber risk and our activities to address it?
6.1. Not an easy question to answer. The state of the art is evolving and initial tries will likely improve over time.
6.2. Once Best Practices for the Company are established, the number of deviations from them may be appropriate as one of the metrics.
7. What are our Best Practices, where did you get them from, why did you select them, and how are we keeping them up to date?
7.1. Not an easy question. There are lots of sources for best practices, and NERC CIP is not likely to be one of them due to the severe time lag in its process.
7.2. NIST standards and the new NIST Cyber Security Framework, directed by Executive Order [20], might be acceptable answers; many think it is a de facto standard. [21]

[17] See http://en.wikipedia.org/wiki/Duty_of_care
[18] See the IT vs. OT (ICS) section of this paper.
[19] See http://energy.gov/oe/services/cybersecurity/electricity-subsector-cybersecurity-capability-maturity-model-es-c2m2
[20] See the President's Executive Order directing NIST to develop a voluntary Framework - http://tinyurl.com/b7ag5fr
[21] See Patrick Miller comments at http://www.EnergyCollection.us/Companies/FERC/TC-2014-04-29/Anfield-Group-Patrick-Miller.pdf
8. What is our present status as to implementing our Best Practices, and what is the schedule going forward?
9. When considering the various systems that we control, have you asked and answered the question: "What is the worst thing a person or group could do to a critical asset if they possessed the intent, access, and knowledge to perform a malicious act?"
9.1. This reference [22] is worth reading before engaging Management in the cyber discussion.
10. How are we incorporating the concepts of resilient systems [23] into our operations?
10.1. This is a complicated subject in its own right, but generally refers to our ability to "harden" our capabilities so as to survive, and/or partially function and quickly recover from, a cyber-attack.
11. Do we have a Security Operations Center (SOC [24])?
11.1. Security Operations Center (SOC) [25] – many companies have found this to be a beneficial approach. "A security operations center (SOC) is a centralized unit in an organization that deals with security issues, on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology. Typically, it is equipped for access monitoring, and controlling of lighting, alarms, and vehicle barriers." [26] Note that the second half of that quotation describes a physical security control room; the SOC relevant to this question is the team and tooling that monitor security logs and alerts and handle incident response, typically built around the SIEM of question 12.
12. Do we have a Security Information and Event Management (SIEM [27]) System?
12.1. A SIEM [28] is a widely used and accepted Best Practice. It collects logs and event information from across the Company into a centralized location for analysis and event correlation.
13. Are we testing for Advanced Persistent Threats [29]?
13.1. APT activity is often missed by traditional security monitoring. Specialized firms (e.g. Mandiant) that have done government or military consulting have the expertise to identify fingerprints left by APT attempts or actual APT infestation.
14. Are we training our software developers to build security into their code?
14.1. This is becoming more critical, since security was historically an afterthought or add-on for most software development.
15. How do we stand relative to others that have the same challenges as our Company?
15.1. It is common for like companies to form formal and informal groups to discuss Best Practices and results; however, disclosures are normally opaque within the group.

[22] Quoted from Industrial Control Systems Cyber Threat Research - http://www.EnergyCollection.us/Energy-Security/Industrial-Control-Systems.pdf The question for Management is taken directly from the reference.
[23] See Resilient Control Systems - http://en.wikipedia.org/wiki/Resilient_control_systems
[24] SOC is pronounced with a short "O".
[25] See http://en.wikipedia.org/wiki/Security_operations_center
[26] Quote from Wikipedia.
[27] SIEM is pronounced with a long "I" and silent "E", as in SIM.
[28] Security Information and Event Management - http://en.wikipedia.org/wiki/Siem
[29] Advanced Persistent Threat - http://en.wikipedia.org/wiki/Advanced_persistent_threat
16. Do you have adequate budget, and how are you prioritizing?
17. How do our cybersecurity policies extend into the supply chain, and how are we protected from supply chain vulnerabilities?
17.1. Note – there have been cases of shrink-wrapped USB memory sticks that were already infected.
17.2. Note – we buy and use a lot of third party software; how do we ensure it is free of infection and backdoor [30] vulnerabilities?
18. What special risks are we running by being so interconnected with other parts of the grid and Balancing Authorities, and what risks do we potentially expose them to?
19. What qualifications do our employees have in the cyber area to be able to identify and put in place Best Practices?
20. Do we have a training program for all employees?
20.1. Consider using Social Engineering [31] Testing. Generally, the weakest entry point into our systems is through humans/employees. Awareness programs coupled with specific testing of social engineering approaches tend to improve the security profile.
20.2. CIOs report that it is very difficult to reduce employees' clicking of links in test fraudulent emails to a level even below 10%.
21. What is our recovery plan if we suffer a successful cyber-attack?
22. Do we have Cyber-Insurance? Should we?
23. How is our D&O Insurance connected to the question of being cybersecure?
24. What Organizations (including government) are we working with to lessen our chances of a successful attack?
25. What question haven't we asked that we should have asked?

Some of these questions might trigger further questions when the Cyber-Responsible Committee meets with the external organization hired to assess the state of the Company's cybersecurity posture. The Committee also ought to ask them: "Has anyone tried to influence the content of the report, and is there any information being withheld?" It is also a good idea to ask the outside expert the open-ended trigger: "What question haven't we asked that we should have asked?"

As an additional reference, the National Association of Corporate Directors (NACD) has a report available [32], Cybersecurity: Boardroom Implications, that provides a perspective based on interviewing Board members, Management, and Cyber-Experts. A useful part of the 16-page document is "Ten Questions Directors Can Ask Management Once A Breach Is Found."

[30] See http://en.wikipedia.org/wiki/Backdoor_(computing)
[31] See http://en.wikipedia.org/wiki/Social_engineering_(security)
[32] See http://tinyurl.com/pdcwva7
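As an added illustration of what question 12 means by collecting logs "into a centralized location, for analysis and event correlation", and of why question 4.2 (do not separate IT from OT/ICS responsibility) matters in practice, here is a small Python example. It is not from the paper and is not any vendor's product. The host names, the IT/OT zone map, the log lines in three different native formats, and the thresholds are all constructed for the example.

```python
"""Toy SIEM pass: normalize auth logs from IT and OT sources, then correlate.

Added example, not from the paper. Host names, zone map, log lines and the
thresholds are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    host: str
    zone: str       # "IT" or "OT", looked up from the asset inventory below
    user: str
    src_ip: str
    success: bool


# Constructed asset inventory (hypothetical host names): the SIEM needs to know
# which hosts are OT/ICS so IT and OT events are correlated together, not apart.
ZONE_OF = {"vpn01": "IT", "DC01": "IT", "otjump": "OT"}

# Constructed sample log lines in three native formats (VPN appliance,
# Windows security log, OpenSSH on an OT jump host). Not real data.
SAMPLE_LOGS = [
    "2014-05-12T08:00:05 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-05-12T08:00:41 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-05-12T08:01:13 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-05-12T08:02:30 vpn01 auth OK user=jsmith src=203.0.113.7",
    "2014-05-12 08:03:10 DC01 EventID=4624 TargetUser=jsmith IpAddress=203.0.113.7",
    "May 12 08:09:44 otjump sshd[812]: Accepted password for operator from 203.0.113.7 port 51022",
    "2014-05-12T09:15:00 vpn01 auth OK user=mlee src=198.51.100.20",
    "2014-05-12T09:16:00 vpn01 heartbeat ok",
]

VPN_RE = re.compile(r"^(\S+) (\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")
WIN_RE = re.compile(r"^(\S+ \S+) (\S+) EventID=(\d+) TargetUser=(\S+) IpAddress=(\S+)$")
SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Accepted|Failed) \S+ for (\S+) from (\S+)")


def parse_line(line: str, year: int = 2014) -> Optional[Event]:
    """Normalize one raw line into an Event; return None for non-auth records."""
    m = VPN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        host = m.group(2)
        return Event(ts, host, ZONE_OF.get(host, "IT"), m.group(4), m.group(5), m.group(3) == "OK")
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        host = m.group(2)
        # Windows: 4624 = logon succeeded, 4625 = logon failed
        return Event(ts, host, ZONE_OF.get(host, "IT"), m.group(4), m.group(5), m.group(3) == "4624")
    m = SSH_RE.match(line)
    if m:
        # syslog timestamps carry no year; the collector supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host = m.group(2)
        return Event(ts, host, ZONE_OF.get(host, "IT"), m.group(4), m.group(5), m.group(3) == "Accepted")
    return None


def correlate(events: List[Event], failures: int = 3,
              window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str, str]]:
    """Two correlation rules over the normalized stream, keyed on source IP.

    brute_force_success: at least `failures` failed logons from one source,
        then a successful logon from it within `window` (on any host).
    it_to_ot_pivot: a source already flagged by the first rule later logs on
        to a host in the OT zone. Alerts are (rule, src_ip, user, host).
    """
    by_src = defaultdict(list)
    for e in sorted(events):           # NamedTuple sorts on ts first
        by_src[e.src_ip].append(e)
    alerts = []
    for src, evs in by_src.items():
        fail_times = []
        flagged = False
        for e in evs:
            if not e.success:
                fail_times.append(e.ts)
                continue
            recent = [t for t in fail_times if e.ts - t <= window]
            if not flagged and len(recent) >= failures:
                flagged = True
                alerts.append(("brute_force_success", src, e.user, e.host))
            if flagged and e.zone == "OT":
                alerts.append(("it_to_ot_pivot", src, e.user, e.host))
    return alerts


def run_demo() -> List[Tuple[str, str, str, str]]:
    """Collect, normalize and correlate the constructed sample; return the alerts."""
    events = [e for e in map(parse_line, SAMPLE_LOGS) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as a script it prints two alerts: the VPN brute force that eventually succeeded, and the same source address then reaching the OT jump host. A production SIEM does the same normalization and keyed correlation at scale, with many more rules and sources; the point for a Director is that the second alert is only possible because the OT host's logs land in the same place as the IT logs, which is the practical consequence of not splitting IT and OT/ICS responsibility.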
Traps Not to Fall Into

It is almost impossible not to have violations from a NERC CIP Audit or through a Self-Report regime. It is important to understand the particular violation in context and to react accordingly. The Management team needs to know that the Board is focused on Cybersecurity within its risk context, and not on an all-out effort to ensure compliance no matter what; i.e. do not take your eye off the Cyber-Ball by pretending the real game is Compliance.

"Gotcha" questions involving a drill-down on some specific cyber technology will rarely move the ball along in terms of Management/Board relations or Company Cybersecurity. Cybersecurity is a complicated and wide-ranging subject, and the Board needs to take a holistic, top-down approach that can increase in sophistication over time.

Trust is not a substitute for duty. It may well be that the Company has great cyber resources in terms of people and budget, but Management's claims to being cyber secure need to be tested by the Board via direct Q&A with both Management and outside experts that have done their own evaluation. Insisting on outside experts to look at the cyber posture of the Company is not a lack of trust in Management; it is a Best Practice in Cybersecurity and should not be resisted by Management.

IT vs. OT (ICS)

IT is classic Information Technology: email, billing, Customer Information Systems (CIS), and the normal systems found in any company. OT is Operational Technology: software and hardware systems unique to a class of industries that produce goods and services reliant on those systems. ICS (Industrial Control Systems) is really just another term for OT. At the core of our OT/ICS systems is our SCADA [33] network. The industries that most use OT/ICS systems are also generally the industries defined by DHS as Critical Infrastructure Sectors. [34]

Many OT/ICS systems used in the energy business were not designed with security in mind, for basically two reasons:
1. Many are old and were designed when cybersecurity was not a prevalent risk.
2. Many were designed with the thought that they would be "air gapped" from other systems, i.e. not connected physically (or wirelessly) to other systems (typically IT systems and the Internet) that had a higher exposure to the threat and could be a carrier for an attack.

Today newer systems are being designed with cybersecurity in mind for three reasons:

[33] MISO has 290,000 points on its SCADA network.
[34] See http://www.dhs.gov/critical-infrastructure-sectors
1. Cyber-attacks are now a persistent and permanent threat.
2. OT/ICS systems are becoming more and more linked to IT type systems (i.e. IT/OT Convergence).
3. It is now recognized that air-gapped systems are still vulnerable despite the air gap (the most notable example is Stuxnet [35]).

Despite the fact that air-gapping is now recognized as not sufficient protection for an IT system – it is still considered a good practice. A methodology to bridge IT and OT/ICS systems is the common practice in nuclear plants of using a unidirectional gateway to replicate the Data Historian on the OT/ICS side over to the IT side on a real-time basis. In this configuration it is impossible for the IT side to infect the OT/ICS side as the data can only flow one way. [36]

It also needs to be recognized that a wholesale change-out of legacy systems that do not contain cyber protections as an integral part of the design may not be feasible. In these cases, other cyber protections are needed until newer systems are implemented. A mixed IT environment of legacy and new is likely to exist for several years.

FERC, NERC [37] and CIP

FERC and NERC want the same thing when it comes to cybersecurity – properly protected systems. However, the tools they have at their disposal are almost entirely Compliance related. NERC makes CIP standards based on a long, drawn-out process culminating in an industry vote, followed by NERC Board of Trustees approval, and ultimately FERC approval. While FERC cannot dictate standards, the give-and-take between FERC and NERC has evolved to where FERC can exert enough push-back to get what it desires, albeit with a very long time-lag – but still within the confines of the Federal Power Act.

The fundamental issue with a Compliance based approach to cybersecurity is that it cannot achieve – but only contribute to – cybersecurity. NERC CIP Standards are many years out of date by the time they become effective. During the time between standard development and its taking effect – the fast moving world of Cybersecurity threats and counter-technology has changed considerably.

Recognizing the industry reaction to a purely Compliance based approach, and that it is insufficient to actually achieve the objective of secure systems – there are movements in the direction of new approaches. NERC has established the ES-ISAC [38] which attempts to establish "situational awareness, incident management, coordination, and communication

35 Stuxnet - http://en.wikipedia.org/wiki/Stuxnet and http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet#
36 A LASER transmitter is on the OT/ICS side and transmits over a fiber to the IT side that only contains a photo-receiver. There is no receiver on the Nuclear OT/ICS side.
37 The Nuclear Regulatory Commission sets standards for the nuclear plants rather than NERC.
38 See Electricity Sector Information Sharing and Analysis Center (ES-ISAC) - https://www.esisac.com/SitePages/Home.aspx
capabilities within the electricity sector through timely, reliable and secure information exchange. The ES-ISAC, in collaboration with the Department of Energy and the Electricity Sector Coordinating Council (ESCC), serves as the primary security communications channel for the electricity sector and enhances the ability of the sector to prepare for and respond to cyber and physical threats, vulnerabilities and incidents."

FERC has established the Office of Energy Infrastructure Security [39] (OEIS) which “provides leadership, expertise and assistance to the Commission to identify, communicate and seek comprehensive solutions to potential risks to FERC-jurisdictional facilities from cyber-attacks and such physical threats as electromagnetic pulses.”

Both the ES-ISAC and OEIS are positive NERC and FERC reactions to a Compliance system that will not make us cyber-secure, and that ultimately needs to be changed in Congress. Presidential Policy Directive 21 and the resulting NIST Framework also fit the general theme that we need to do more and probably need comprehensive legislation.

NERC CIP Auditing

NERC auditors audit against the NERC CIP Standards on a regular basis. Auditors typically are confined to discovery and findings within the narrow context of what is written in the standards. Fines can only be rendered against violations of the then-in-effect CIP Standards. In summary, it is a narrowly designed system that is not ideally suited to actually being cybersecure.

When a CIO/CISO/CSO/CTO/CRO [40] is asked the question: “Would you be cybersecure by adopting NERC CIP as Best Practices, and meeting every standard 100%, but not having separate or augmented cybersecurity policies in place?” every CIO/CISO/CSO/CTO/CRO will answer that question: “No.” And yet, we spend hundreds of millions in the industry to make/comply/audit/fine against these CIP Standards.

While there seems to be little alternative under current laws – it leaves a Company and its Board in a quandary: if being Compliant will not make us cybersecure – what Best Practices will? That central question is perhaps the most important for Management to answer and for the responsible Committee of the Board to understand the process.

39 See https://www.ferc.gov/about/offices/oeis.asp
40 CIO = Chief Information Officer; CISO = Chief Information Security Officer; CSO = Chief Security Officer; CTO = Chief Technical Officer; CRO = Chief Risk Officer. These are the most-senior positions often vested with overall cybersecurity responsibility. Given that the Chief Compliance Officer’s (CCO) responsibility is a subset of Cybersecurity – the Board may want to think twice about such an assignment.
Best Practices

(this section still under development)

Although we cannot rely on Standards alone to be cyber-secure, a Best Practice is to participate in Standard development activities where possible. These include:
1. The NIST Framework and Roadmap for Smart Grid Interoperability Standards. [41]
2. NERC Critical Infrastructure Standards [42]
3. GridWise Architecture Council [43]

Contacts and relationships with other involved organizations should also be fostered and considered Best Practice:
1. DHS – see below
2. FBI Cyber Crime [44]
3. FBI InfraGard – a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S. [45]
4. State and Local authorities
5. State Commissions

In addition to evolving Standards to improve the level of protection, companies should be accessing various sources to constantly improve their understanding of the possibilities and to build an appropriate protection system. These include:

Tier I – industry specific efforts
1. CRISP – a pilot program that provides a near-real-time capability for critical infrastructure owners and operators to share and analyze cyber threat data and receive machine-to-machine mitigation measures. A number of power sector companies, in conjunction with the ES-ISAC, DOE, Pacific Northwest National Laboratory, and Argonne National Laboratory, are participating. [46]
2. DHS US-CERT – US-CERT has established several important collaboration groups and programs to foster and facilitate information sharing on cybersecurity issues among government agencies. [47]
3. DHS ICS-CERT – The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works to reduce risks within and across all critical infrastructure sectors

41 See http://nist.gov/smartgrid/framework3.cfm - release 3 available for comments - 2014-06-04
42 See http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
43 See http://www.gridwiseac.org/about/mission.aspx
44 See http://www.fbi.gov/about-us/investigate/cyber
45 See https://www.infragard.org/
46 See http://tinyurl.com/jvn2fcc
47 See http://www.us-cert.gov/government-users
by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. [48]
4. DOE Electricity Subsector Cybersecurity Capability Maturity Model [49]
5. DOE Argonne National Lab [50]
6. DOE Idaho National Lab [51]
7. DOE Pacific Northwest National Laboratory [52]
8. DOE Sandia National Lab [53]
9. DOE Industrial Control Systems Joint Working Group (ICSJWG) [54] – The Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) established the Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing and reduce the risk to the nation’s industrial control systems. The ICSJWG is a collaborative and coordinating body operating under the Critical Infrastructure Partnership Advisory Council (CIPAC) requirements. The ICSJWG provides a vehicle for communicating and partnering across all Critical Infrastructure and Key Resources Sectors (CIKR) between federal agencies and departments, as well as private asset owners/operators of industrial control systems. The goal of the ICSJWG is to continue and enhance the collaborative efforts of the industrial control systems stakeholder community in securing CIKR by accelerating the design, development, and deployment of secure industrial control systems.
10. FERC Cyber and Grid Security [55]
11. FERC Office of Energy Infrastructure Security (OEIS) – The Office of Energy Infrastructure Security (OEIS) provides leadership, expertise and assistance to the Commission to identify, communicate and seek comprehensive solutions to potential risks to FERC-jurisdictional facilities from cyber-attacks and such physical threats as electromagnetic pulses. [56]
12. NERC ES-ISAC

Tier II – Professional Organizations and Recommendations
1. Aberdeen Group – The IT security practice examines technologies used to ensure the confidentiality, integrity, availability, and authenticity of enterprise data and data transactions, from application security, endpoint encryption, master material data

48 See https://ics-cert.us-cert.gov/
49 See http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity
50 See http://www.dis.anl.gov/projects/cybersecurity.html
51 See http://www.inl.gov/nationalsecurity/capabilities/security/
52 See http://cybersecurity.pnnl.gov/
53 See http://www.sandia.gov/missions/defense_systems/cybersecurity.html
54 See https://ics-cert.us-cert.gov/Industrial-Control-Systems-Joint-Working-Group-ICSJWG
55 See http://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity.asp
56 See http://www.ferc.gov/about/offices/oeis.asp
management, Cloud and Web security, data loss prevention, data protection, email security, Web security and others. [57]
2. EnergySec – The Energy Sector Security Consortium, Inc. (EnergySec) supports organizations within the energy sector in securing their critical technology infrastructures, as well as collaborative programs and projects that improve the cyber security posture of these organizations. [58]
3. Forrester, reports and analysis. [59]
4. Frost & Sullivan, Network Security – performing continuous monitoring and evaluating Intrusion Detection & Prevention Systems, Security Event Correlation, Managed Security Services, Web Application Firewalls, SSL VPN, Hardware Authentication Devices, Endpoint Security, Content Filtering, Anti-Virus, WLAN Security, Identity Management, Firewall/VPN, and Biometrics. [60]
5. Gartner, Security & Risk Management – cyber related events, research, and reports. [61]
6. Ponemon Institute – conducts independent research on privacy, data protection and information security policy. [62]
7. SANS Internet Storm Center – gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. [63]

Tier III – Vendor Recommendations
A very long list of vendor declared Best Practices can be compiled – a few are shown below as examples. These claims should be vetted carefully before being added to a company’s approved Best Practices list.

Technology and Other Things to Think About

Cybersecurity is not only complicated, but it is quickly evolving as vendors develop new products and services to counteract the ever increasing attack vectors. Some specific items a Board might want to explore further are discussed below:

57 See http://www.aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx
58 See http://www.energysec.org/
59 See http://www.forrester.com/search?N=10001+40004+200518&sort=3&range=504005&labelText=
60 See http://www.frost.com/prod/servlet/svcg.pag/ITNT
61 See http://www.gartner.com/technology/research/security-risk-management.jsp?fnl=search&srcId=1-3478922254
62 See http://www.ponemon.org/
63 See https://isc.sans.edu/
Communications between Machines – Energy companies are dependent on the accuracy of data to operate properly. One point [64] of exposure is the communication channels (and transmission protocols) between machines – e.g. between SCADA devices and Control Centers or even between Control Centers. CIP5 as approved by FERC does not directly address these vulnerabilities – but the Energy Companies must examine these connections and deploy appropriate safeguards.

Digital Certificates and Keys – these are authentication and encryption software mechanisms to allow and protect access. Typically companies have done a good job on person based access, but machine-to-machine access has not had the same focus. Very few CIOs know how many digital certificates they have in use, or have a quality management system for these certificates or encryption keys. [65] Many of the high profile and more recent attacks take advantage of this lack of focus – e.g. Stuxnet, Snowden and the NSA attack, and others. Many keys in use today have lower key strengths and longer expiration limits than what is written into NIST standards. CIP standards are silent on this subject, and Grid Operators that do not follow NIST, or that follow some other set of Best Practices that does not address this subject, are vulnerable. This is likely to become even more important as a push to more encryption on our communications systems (DNP [66], ICCP [67]) becomes more likely. [68]

Physical and Cybersecurity – should these two responsibilities be housed together? There are arguments on both sides. It is certain that they take somewhat different skill sets – but equally certain that the skills needed on the physical side are increasingly reliant on IT components and the cybersecurity of those components.

IT vs. OT and Air Gaps – Traditionally OT/ICS Utility hardware and software connections have been “air gapped” from the IT side of the business and from the Internet. The air gap represents a lack of physical and wireless connectivity between these two network enclaves. However, there are many ways to bridge this air gap and expose the OT/ICS side to attacks. It is no longer appropriate to rely on air gaps as anything more than part of a strategy. Indeed, some companies are migrating away from an air gap philosophy by replicating OT/ICS data into the IT network using unidirectional gateways. [69] Some are also allowing direct access to the OT/ICS networks, driven by the “Internet of Things” [70], and deploying other security strategies for protection in order to achieve greater functionality and performance.

64 See discussion by Kevin Perry at FERC Technical Conference - http://www.EnergyCollection.us/Companies/FERC/TC-2014-04-29/SPP-Kevin-Perry.pdf
65 See 4 of 34 at http://www.slideshare.net/Prolifics/prolifics-ibm-cybersecurity
66 DNP - http://en.wikipedia.org/wiki/Distributed_Network_Protocol
67 IEC 60870-6 – see ICCP section - http://en.wikipedia.org/wiki/IEC_60870-6
68 An excellent explanation of Certificate Authorities is at "Nexus of Cybersecurity and Public Policy – Some Basic Concepts and Issues" at http://www.EnergyCollection.us/Energy-Security/Nexus-Cybersecurity-Public.pdf at page 58 of 103.
69 See Unidirectional Networks - http://en.wikipedia.org/wiki/Unidirectional_network
70 See Internet of Things - http://en.wikipedia.org/wiki/Internet_of_Things
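The certificate and key hygiene point above (few CIOs know how many certificates are in use; keys with low strengths and overlong validity) is something a company can check mechanically once an inventory exists. The following Go program is an added illustration, not code from this paper or from any organization it names. It constructs a small self-signed inventory in memory (a 1024-bit RSA certificate valid for ten years, a 2048-bit RSA certificate valid for one year, and a P-256 ECDSA certificate valid for one year) and audits each against a policy. The 2048-bit RSA and 224-bit EC floors follow the 112-bit security strength in NIST SP 800-57 Part 1; the 398-day validity cap and the certificate names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy floors. RSA >= 2048 and EC >= 224 bits follow NIST SP 800-57 Part 1
// (112-bit security strength); the validity cap is an assumed organizational limit.
const (
	minRSABits      = 2048
	minECBits       = 224
	maxValidityDays = 398
)

// Finding is one policy violation on one certificate.
type Finding struct {
	Subject string
	Problem string
}

// AuditCertificate checks key strength, validity period and expiry of one certificate.
func AuditCertificate(cert *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	subj := cert.Subject.CommonName
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < minRSABits {
			out = append(out, Finding{subj, fmt.Sprintf("RSA key is %d bits, policy floor is %d", bits, minRSABits)})
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < minECBits {
			out = append(out, Finding{subj, fmt.Sprintf("EC key is %d bits, policy floor is %d", bits, minECBits)})
		}
	default:
		out = append(out, Finding{subj, "unrecognised public key type"})
	}
	days := int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	if days > maxValidityDays {
		out = append(out, Finding{subj, fmt.Sprintf("validity is %d days, policy cap is %d", days, maxValidityDays)})
	}
	if now.After(cert.NotAfter) {
		out = append(out, Finding{subj, "certificate has expired"})
	}
	return out
}

// AuditInventory runs AuditCertificate over a whole inventory, keyed by subject CN.
func AuditInventory(certs []*x509.Certificate, now time.Time) map[string][]Finding {
	report := make(map[string][]Finding)
	for _, c := range certs {
		report[c.Subject.CommonName] = AuditCertificate(c, now)
	}
	return report
}

// selfSigned builds a self-signed certificate so the example runs offline; in
// practice the inventory would be collected from servers, HSMs and field devices.
func selfSigned(cn string, serial int64, priv any, pub any, days int) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSampleInventory constructs three certificates; the names are assumed, not real systems.
func BuildSampleInventory() ([]*x509.Certificate, error) {
	weak, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	strong, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	specs := []struct {
		cn   string
		priv any
		pub  any
		days int
	}{
		{"legacy-rtu-link", weak, &weak.PublicKey, 3650},   // weak key and ten-year validity
		{"iccp-peer-link", strong, &strong.PublicKey, 365}, // compliant
		{"historian-replica", ec, &ec.PublicKey, 365},      // compliant
	}
	var certs []*x509.Certificate
	for i, s := range specs {
		c, err := selfSigned(s.cn, int64(i+1), s.priv, s.pub, s.days)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := BuildSampleInventory()
	if err != nil {
		panic(err)
	}
	for subj, findings := range AuditInventory(certs, time.Now()) {
		fmt.Printf("%s: %d finding(s)\n", subj, len(findings))
		for _, f := range findings {
			fmt.Printf("  - %s\n", f.Problem)
		}
	}
}
```

With real input, the certificates would come from PEM files or TLS endpoints parsed with x509.ParseCertificate rather than from the constructed generator; the audit function itself does not change. A report like this is the kind of artifact a Board committee can ask Management for: how many certificates exist, how many fail the key-strength floor, and how many have validity periods that outlive the people who installed them.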
Joining a Cyber Group and Sharing Information – many energy companies have joined groups (5-10 or more companies) that cooperate in sharing cyber knowledge – what works and what doesn’t, etc. This process is advantageous because it fits with the need to keep up to date and the pursuit of Best Practices. Sharing actual attack information is a subject in flux. Everyone agrees that a system to share real-time attack data would be beneficial – but legal and practical problems persist. These are slowly being worked out and ultimately should be another source of progress. The NERC ES-ISAC [71] may play a larger role in this regard – although many companies remain concerned that it is a part of NERC, with the compliance implications that brings. NERC has taken steps to separate the ES-ISAC from Compliance activities, but full bifurcation may ultimately be needed. The author believes that ES-ISAC membership and cooperation is indeed a Best Practice. Another group that is likely to play a larger role going forward is the Electricity Sub-Sector Coordinating Council. [72] The Federal Government cannot be relied on to share all vulnerabilities they are aware of and so cannot be anything more than another source of data.

Firewalls – Firewalls [73] are typically software solutions that are used to protect an area of higher security from an area of potentially lower security. As software solutions in the very dynamic world of cybersecurity – they require considerable maintenance in the form of configuration and updates. For high security systems, DHS ICS-CERT [74] is recommending that companies explore unidirectional gateways, which are hardware based solutions that offer higher levels of protection. Unidirectional gateways can also handle applications that require data collection/processing/result-communication (two way applications) through the use of multiple gateways.
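The unidirectional gateway described above (and in the IT vs. OT section earlier, where it replicates the Data Historian to the IT side) has a consequence the prose leaves implicit: because nothing can flow back, the IT side can never acknowledge a sample or ask for a retransmission, so the replication stream has to carry its own loss detection. This Go program is an added illustration, not code from this paper or from any gateway vendor. The OT sender holds a send-only channel and the IT receiver a receive-only channel, so the compiler itself rejects any read on the OT side, and the receiver uses sequence numbers to detect samples the link dropped. The Sample fields, the tag name and the loss pattern are constructed for the example.

```go
package main

import "fmt"

// Sample is one Data Historian point as it crosses the gateway. Seq is the only
// loss signal the IT side will ever get, since no acknowledgement can flow back.
type Sample struct {
	Seq   uint64
	Tag   string
	Value float64
}

// otSender models the transmit-only (laser) side. The parameter type chan<- Sample
// means any attempt to receive from the link here is a compile error.
func otSender(link chan<- Sample, samples []Sample, lost func(uint64) bool) {
	for _, s := range samples {
		if lost(s.Seq) {
			continue // dropped in transit; the sender is never told
		}
		link <- s
	}
	close(link)
}

// itReceiver models the receive-only (photo-receiver) side. It can only listen,
// so gaps in the sequence are recorded for alerting rather than re-requested.
func itReceiver(link <-chan Sample) (replica []Sample, gaps []uint64) {
	next := uint64(1)
	for s := range link {
		for next < s.Seq {
			gaps = append(gaps, next)
			next++
		}
		replica = append(replica, s)
		next = s.Seq + 1
	}
	return replica, gaps
}

// ReplicateHistorian pushes samples across a one-way link and returns what the
// IT side received plus the sequence numbers it never saw.
func ReplicateHistorian(samples []Sample, lost func(uint64) bool) ([]Sample, []uint64) {
	link := make(chan Sample)
	go otSender(link, samples, lost)
	return itReceiver(link)
}

// ConstructedSamples builds a ten-sample historian stream (the tag name is invented).
func ConstructedSamples() []Sample {
	out := make([]Sample, 0, 10)
	for i := 1; i <= 10; i++ {
		out = append(out, Sample{Seq: uint64(i), Tag: "SUB1.XFMR2.MW", Value: 41.5 + float64(i)*0.25})
	}
	return out
}

// DropFourAndSeven is the constructed loss pattern: samples 4 and 7 never arrive.
func DropFourAndSeven(seq uint64) bool { return seq == 4 || seq == 7 }

func main() {
	replica, gaps := ReplicateHistorian(ConstructedSamples(), DropFourAndSeven)
	fmt.Printf("IT side holds %d of 10 samples; missing sequence numbers: %v\n", len(replica), gaps)
}
```

Two design points follow from the one-way constraint. First, a gap is only visible when a later sample arrives; if the tail of a stream is lost, the receiver sees nothing, which is why production gateways pair sequence numbers with a heartbeat or an expected-rate check (omitted here). Second, because retransmission is impossible, the sender side compensates by sending each record more than once or by adding forward error correction, and the "two way applications through multiple gateways" the text mentions are simply two such independent one-way links in opposite directions, each with its own loss detection.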
Social Media – Social Media [75] encompasses a wide range of possibilities – but for threat-actors it represents a treasure-trove of information to assist in attack design. While many pages have been written on this subject – it might be instructive to just consider LinkedIn. [76] Thousands of security professionals in the utility business have profiles in LinkedIn – many of those have in excess of 500 connections each. These connections provide access to email addresses for all connections, and most often personal email addresses. This set of information is ideal to construct “Watering Hole Attacks” [77] and other phishing attacks. All an attacker has to do is crack 1 password [78] to gain access to a lot of data – perfect data to

71 The Electricity Sector Information Sharing and Analysis Center (ES-ISAC) - http://www.nerc.com/pa/CI/ESISAC/Pages/default.aspx referenced 2014-05-18
72 See Electricity Sub-Sector Coordinating Council - http://tinyurl.com/mb2zajg - referenced 2014-05-18
73 Firewalls - http://en.wikipedia.org/wiki/Firewall_(computing)
74 DHS Industrial Control Systems Cyber Emergency Response Team - https://ics-cert.us-cert.gov/ - referenced 2014-05-18
75 Social Media - http://en.wikipedia.org/wiki/Social_media
76 Some companies have issued policies to help reduce this exposure.
77 Watering Hole Attacks - http://en.wikipedia.org/wiki/Watering_Hole
78 No Password is safe from new breed of cracking software - http://tinyurl.com/n6qnpkd - referenced 2014-05-18
populate sophisticated Phishing [79] attacks. The common term for using Social Media as a cyber-weapon is “Social Engineering”. [80]

Self-Reports and Compensation – Generally, compliance performance is measured and is an element of pay/bonus consideration. Violations of mandatory compliance standards (NERC CIP) should be Self-Reported to NERC even though there is some chance that they would not be discovered in a NERC Audit. [81] Self-Reports are still violations – and if they are counted in compensation metrics – it sets up a possible conflict of interest dilemma. The two different schools of thought on this include: excluding Self-Reports from the Compensation Metrics; or making a non-Self-Report grounds for employee dismissal.

Paul Feldman
PaulFeldman@Gmail.com
LinkedIn - www.linkedin.com/in/paulfeldman/

Thanks to Michael Gent (ERCOT Director), Daniel Hill (New York ISO Director), and Douglas Chapman (MISO Management) for useful comments on the paper. Any errors in this paper are my own. Any opinions expressed are also my own and should not be attributed to any organization with whom I have an association. Comments on how to improve this resource are welcome at the above address. It is my intent to maintain and improve this resource over time as an assist to Boards of Directors involved in the Electricity and Natural Gas Sector.

79 Phishing – see http://en.wikipedia.org/wiki/Phishing
80 Wikipedia - http://en.wikipedia.org/wiki/Social_engineering_%28security%29 See also: Social Engineering: The Basics - http://www.EnergyCollection.us/Energy-Security/Social-Engineering-Basics.pdf Original referenced 2014-06-01 - http://www.csoonline.com/article/2124681/security-awareness/social-engineering-the-basics.html
81 It lessens the chances of a fine if discovered, it strengthens the Company’s security posture by being able to address the violation immediately, and it builds good-will with the regulators.
Attachment A

Version History
1. Version 1.0
1.1. Prepared originally for a meeting of the IRC [82] Board of Directors in New Orleans 2014-05-21
2. Version 1.1
2.1. Moved from a focus on companies involved in organized markets to a broader field of companies involved in electricity and natural gas – per several requests to broaden the scope.
2.2. Combined References Attachments into a single set of references and separated from this paper – the collected materials are now at http://www.EnergyCollection.us/457.pdf
2.3. Various updates and changes as I thought appropriate were added.
2.4. Some intra-document hyperlinks have been included to move about the document more easily – they are in red. Any link to an external document or website is in blue.
2.5. Added a section on Best Practices – but it is incomplete

82 See http://www.isorto.org/Pages/Home
