SGIP April 24 Cybersecurity Framework Webinar

“Framework for Improving Critical Infrastructure Cybersecurity”

Addresses topics such as:
• The Cybersecurity Framework;
• The Companion Roadmap to the Cybersecurity Framework;
• Current activities in the Energy Sector around Framework Implementation Guidance; and
• Evolution of the Cybersecurity Framework and next steps.

Expert presenters include:
• Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology (NIST)
• Victoria Pillitteri, ICS and Smart Grid Cybersecurity Engineer, NIST
• Akhlesh Kaushiva, P.E., Office of Electricity Delivery and Energy Reliability, Department of Energy
• Mark Ellison, Principal Analyst, Security Infrastructure Group, DTE Energy


Transcript

  • 1. Accelerating Grid Modernization. More information available on SGIP.org. SGIP Webinar Event: Framework for Improving Critical Infrastructure Cybersecurity, April 24, 2014
  • 2. Introduction & Overview. Patrick Gannon, SGIP Executive Director and President. April 24, 2014, Cybersecurity Framework: Improving Critical Infrastructure Cybersecurity
  • 3. Agenda: Welcome, Patrick Gannon; Cybersecurity Framework, Adam Sedgewick and Kevin Stine; Energy Sector Activities, Akhlesh Kaushiva; Panel Q&A, Victoria Pillitteri; Related SGIP Activities, Mark Ellison; Closing Remarks, Patrick Gannon.
  • 4. The Smart Grid Interoperability Panel orchestrates the work behind power grid modernization.
  • 5. SGIP Reduces Risks and Costs: optimizes resources and time; avoids proprietary vendor lock-in; helps build technology roadmaps; simplifies decision making. SGIP is a collaborative, transparent, and trusted forum to share standards information and practical, hands-on knowledge about deployments from industry experts.
  • 6. Introductions. Moderator: Victoria Yan Pillitteri, Information Security Engineer, NIST. Adam Sedgewick, Senior IT Policy Advisor, NIST. Kevin Stine, Manager, Security Outreach & Integration, NIST. Akhlesh Kaushiva, Office of Electricity Delivery and Energy Reliability, DOE.
  • 7. Cybersecurity Framework: Executive Order 13636. Adam Sedgewick and Kevin Stine.
  • 8. Presenters. Adam Sedgewick, Senior IT Policy Advisor, NIST: Adam Sedgewick serves as Senior Information Technology Policy Advisor at the National Institute of Standards and Technology. In this role, Adam represents NIST on the Department of Commerce Internet Policy Task Force and advises NIST leadership on cybersecurity issues. Kevin Stine, Manager, Security Outreach & Integration, NIST: Kevin Stine is the Manager of the Security Outreach and Integration Group in NIST's Computer Security Division. The group focuses on the mission-specific application of security standards, guidelines, and technologies to help organizations manage cybersecurity risk.
  • 9. National Institute of Standards and Technology (NIST). NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. 3,000 employees, 2,700 guest researchers, and 1,300 field staff in partner organizations; two main locations: Gaithersburg, Md., and Boulder, Co.; NIST Laboratories (national measurement standards); Manufacturing Extension Partnership (centers nationwide to help small manufacturers).
  • 10. NIST Priority Research Areas: Advanced Manufacturing; IT and Cybersecurity; Healthcare; Forensic Science; Disaster Resilience; Cyber-Physical Systems; Advanced Communications.
  • 11. Executive Order: Improving Critical Infrastructure Cybersecurity. “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” President Barack Obama, Executive Order 13636, Feb. 12, 2013. NIST was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work.
  • 12. Based on the Executive Order, the Cybersecurity Framework must: include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks; provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk; and identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
  • 13. The Cybersecurity Framework is for organizations of any size, in any sector of the critical infrastructure; organizations that already have a mature cyber risk management and cybersecurity program; organizations that don’t yet have a cyber risk management or cybersecurity program; and organizations with a mission of helping others keep up to date on managing risk and facing business or societal threats.
  • 14. Framework Components. Framework Core: cybersecurity activities and informative references common across critical infrastructure sectors and organized around particular outcomes; enables communication of cyber risk across an organization. Framework Profile: aligns industry standards and best practices to the Framework Core in a particular implementation scenario; supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs, including cost-effectiveness and innovation. Framework Implementation Tiers: describe how cybersecurity risk is managed by an organization, and the degree to which an organization’s cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive).
  • 15. Framework Core (diagram slide).
  • 16. How to Use the Cybersecurity Framework. The Framework is designed to complement existing business and cybersecurity operations, and can be used to: understand security status; establish or improve a cybersecurity program; communicate cybersecurity requirements with stakeholders, including partners and suppliers; identify opportunities for new or revised standards; identify tools and technologies to help organizations use the Framework; integrate privacy and civil liberties considerations into a cybersecurity program.
  • 17. What’s Next: Using the Cybersecurity Framework. Organizations, led by their senior executives, should use the framework now and provide feedback to NIST. Industry groups, associations, and non-profits can play key roles in assisting their members to understand and use the framework by building or mapping their sector’s specific standards, guidelines, and best practices to the framework, and by developing and sharing examples of how organizations are using the framework. NIST is committed to helping organizations understand and use the framework.
  • 18. What’s Next: Areas for Development, Alignment, and Collaboration. The Executive Order calls for the framework to “identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.” High-priority areas for development, alignment, and collaboration were identified based on stakeholder input: Authentication; Automated Indicator Sharing; Conformity Assessment; Cybersecurity Workforce; Data Analytics; Federal Agency Cybersecurity Alignment; International Aspects, Impacts, and Alignment; Supply Chain Risk Management; Technical Privacy Standards.
  • 19. Recapping Key Points about the Framework. It’s a framework, not a prescription: it provides a common language and systematic methodology for managing cyber risk; it does not tell a company how much cyber risk is tolerable, nor does it claim to provide “the one and only” formula for cybersecurity; having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone. The framework is a living document: it is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change; that’s one reason why the framework focuses on questions an organization needs to ask to manage its cyber risk. Practices, technology, and standards will change over time; principles will not.
  • 20. Key Points about the Framework (cont.). Organizations should adopt the framework now, don’t wait: the framework is a flexible, highly adaptable document, and its adoption will be market-driven; its improvement will depend to a great degree on the experiences of those who have used it; we need to improve cyber protections across the broadest set of stakeholders possible to achieve the collective benefit of security for all, and the fastest way to do this is through voluntary adoption. This is a strong public-private partnership: Version 1.0 of the framework strongly reflects the efforts of a broad range of industries that see the value of, and need for, improving cybersecurity and lowering risk.
  • 21. Where to Learn More and Stay Current. The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at http://www.nist.gov/cyberframework
  • 22. Use of the Cybersecurity Framework in the Energy Sector. Akhlesh Kaushiva, P.E., Department of Energy, Office of Electricity Delivery and Energy Reliability.
  • 23. Presenter: Akhlesh Kaushiva, Office of Electricity Delivery and Energy Reliability, DOE. Akhlesh Kaushiva, P.E. is in the Office of Electricity Delivery and Energy Reliability with the Department of Energy. He has been actively involved in the Smart Grid Investment Grant projects sponsored by DOE as part of the American Recovery and Reinvestment Act. He is also involved in the Smart Grid Cybersecurity aspect of the projects. Prior to joining DOE he had a long career in the electric utility industry and served in various capacities in the areas of System Planning, Power Distribution, Outage Management, Mobile Dispatch, and GIS. He has a BSEE with Honors from the University of Maryland and an MS degree in Computer Science from the George Washington University. He is a Senior Member of IEEE and a Registered Professional Engineer in the State of Maryland and the District of Columbia. He is also a member of Tau Beta Pi and the Eta Kappa Nu Association.
  • 24. Framework Implementation Guidance Development.
  • 25. Sector Specific Agency Role. Executive Order 13636, Improving Critical Infrastructure Cybersecurity: “Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.”
  • 26. Guidance Development, Summary. DOE is holding bi-weekly conference calls with private sector stakeholders to engage them in the development of the Framework Implementation Guidance document; a draft outline is being circulated for comments. DOE is collaborating with sector specific agencies and other interested government partners to seek their input on the Guidance document. It is anticipated that the Framework Implementation Guidance document for the Energy sector will be released by August 1, 2014.
  • 27. Coordination With Stakeholders. Electricity Subsector: Electricity Subsector Coordinating Council (ESCC), Senior Executives Work Group (SEWG), Cybersecurity Framework Implementation Sub-Team (CFIST); key POC: Melanie Seader (Edison Electric Institute). Oil & Natural Gas Subsector: Oil & Natural Gas Subsector Coordinating Council (ONG SCC), Cybersecurity Work Group (CSWG), Framework Implementation Guidance Development Team; key POC: Kimberly Denbow (American Gas Association). Government Partners: Sector Specific Agency representatives and interested agencies.
  • 28. Guidance Development, Timeline (draft proposed timeline, for discussion only).
  • 29. Sector Specific Operating Environment. Different models, standards, practices, and guidelines exist, including ES-C2M2 (a public-private collaborative effort with sector specific subject matter expertise and pilot evaluations) and ONG-C2M2 (tested and refined for ONG through ONG pilot evaluations across upstream, midstream, and downstream ONG companies).
  • 30. Guidance Development, Approach. There are many potential tools for addressing Framework implementation; ES-C2M2 is one of many such tools. For organizations that prefer an implementation approach other than the C2M2, DOE is working with the Sector Coordinating Councils to develop and incorporate a general process addressing how alternative approaches may satisfy the goals of the framework. For organizations that use C2M2, the Implementation Guidance will highlight the interoperability between the NIST Cybersecurity Framework and DOE’s C2M2 program.
  • 31. Guidance Development, Framework and C2M2. C2M2 Practices, which cover elements of both the Framework Core and Tiers, address both the sophistication of a cybersecurity program and the culture supporting it. C2M2 Maturity Indicator Levels (MILs) tie to elements of the Framework Tiers; each of the domain MIL scores in the C2M2 incorporates elements of the risk management characteristics from the Tiers. C2M2 Scorecards, which highlight the level of maturity across C2M2 domains, are almost identical to the concept of Framework Profiles, both current and target. DOE is collaborating with public and private stakeholders to collect and address comments on the guidance development approach.
  • 32. Cybersecurity Capability Maturity Model (C2M2).
  • 33. C2M2, Introduction. Goals: strengthen cybersecurity capabilities; enable consistent evaluation and benchmarking of cybersecurity capabilities; share knowledge and best practices; enable prioritized actions and cybersecurity investments. If requested, DOE facilitates voluntary self-evaluations free of cost. DOE is also working with private sector stakeholders to pilot sector benchmarking based on non-attributable data.
  • 34. C2M2, Industry Use and Adoption. DOE also performs facilitated self-evaluations: roughly 40 completed to date, covering nearly 39 million consumers. Requesting entity type and number of organizations: Utility, 128; Non-Utility, 107; International, 29; Total, 264.
  • 35. C2M2, Components. Domains are logical groupings of cybersecurity practices: Risk Management (RM); Asset, Change, and Configuration Management (ACM); Identity and Access Management (IAM); Threat and Vulnerability Management (TVM); Situational Awareness (SA); Information Sharing and Communications (ISC); Event and Incident Response, Continuity of Operations (IR); Supply Chain and External Dependencies Management (EDM); Workforce Management (WM); Cybersecurity Program Management (CPM).
  • 36. C2M2, Components. Maturity Indicator Levels are defined progressions of practices: 3 Managed; 2 Performed; 1 Initiated; 0 Not Performed. The model is a matrix of the 10 domains (RM, ACM, IAM, TVM, SA, ISC, IR, EDM, WM, CPM) against the 4 maturity indicator levels; each cell contains the defining practices for the domain at that maturity indicator level.
  • 37. C2M2, Components. Maturity Indicator Levels (3 Managed, 2 Performed, 1 Initiated, 0 Not Performed): practices at levels 2 and 3 are progressively more complete, advanced, and ingrained; level 1 practices are the starting point for any organization; there are no practices at level 0.
  • 38. C2M2, Components: Scoring.
  • 39. C2M2, Components: Reporting.
  • 40. C2M2, Components: Improvement Planning.
  • 41. C2M2, Components: Improvement Planning (cont.).
  • 42. Questions. For further information please contact ES-C2M2@HQ.DOE.GOV
  • 43. Q & A.
  • 44. SGIP Activities that Support the NIST Cybersecurity Framework. Mark Ellison, DTE Energy.
  • 45. Presenter: Mark Ellison, IT Senior Security Engineer, DTE Energy. Mark Ellison is an IT Senior Security Engineer at DTE Energy and has worked in the critical infrastructure cybersecurity space for over 10 years. Mark was the subgroup lead for the NISTIR 7628 User’s Guide Subgroup. He is currently active in the SGIP, EEI, and EPRI organizations. He also works in the nuclear cybersecurity space. Mark has his CISSP certification and has a degree in Computer Programming.
  • 46. SGIP Activities that Support the Framework: NISTIR 7628 User’s Guide; Mapping the NISTIR 7628 to the Framework; RMP Case Study White Paper; Defense in Depth White Paper; Cloud Computing White Paper; Privacy Awareness Self-Assessment Tool.
  • 47. Benefits to Being a Member of SGIP.
  • 48. (slide without text)
  • 49. (slide without text)
  • 50. Questions?
  • 51. Thank you for your participation. A follow-up email will be sent with a link to the recording and supporting materials.
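As an added illustration, not code from the webinar or from DOE's C2M2 toolkit, the following Python models the component structure described on slides 35 through 37 (ten domains, four Maturity Indicator Levels with no practices at MIL 0) and the scorecard that slide 31 likens to a current Framework Profile compared against a target. The cumulative MIL rule (a level counts only when all practices at it and below are fully implemented), the FI/LI/PI/NI response scale and the sample responses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# The 10 C2M2 domains and the four Maturity Indicator Levels named on the slides.
DOMAINS = ["RM", "ACM", "IAM", "TVM", "SA", "ISC", "IR", "EDM", "WM", "CPM"]
MIL_NAMES = {0: "Not Performed", 1: "Initiated", 2: "Performed", 3: "Managed"}

# Per-practice response scale (constructed for this example; the slides do not
# describe how individual practices are answered).
FULLY, LARGELY, PARTIALLY, NOT = "FI", "LI", "PI", "NI"


@dataclass
class DomainResponses:
    """Responses for one domain: practices[mil] -> answers for practices at that MIL."""
    practices: dict = field(default_factory=dict)


def achieved_mil(resp: DomainResponses) -> int:
    """Highest MIL whose practices, and all lower MILs' practices, are fully implemented.
    Assumption: MIL achievement is cumulative. MIL 0 has no practices (as the
    slides state), so every domain starts at MIL 0."""
    level = 0
    for mil in (1, 2, 3):
        answers = resp.practices.get(mil, [])
        if not answers or any(a != FULLY for a in answers):
            break
        level = mil
    return level


def blocking_practices(resp: DomainResponses) -> list:
    """Practices keeping the domain from the next MIL, as (mil, index, answer);
    this is the input an improvement plan (slides 40 and 41) would prioritize."""
    next_mil = achieved_mil(resp) + 1
    if next_mil > 3:
        return []
    return [(next_mil, i, a)
            for i, a in enumerate(resp.practices.get(next_mil, [])) if a != FULLY]


def scorecard(evaluation: dict) -> dict:
    """Current profile: the achieved MIL per domain."""
    return {d: achieved_mil(evaluation[d]) for d in DOMAINS}


def gap_analysis(current: dict, target: dict) -> dict:
    """Domains whose current MIL is below the target profile: d -> (current, target)."""
    return {d: (current[d], target[d]) for d in DOMAINS if current[d] < target[d]}


# Constructed sample self-evaluation: most domains stall at MIL 1 because one
# MIL 2 practice is only largely implemented; RM is fully at MIL 3; IR has a
# partially implemented MIL 1 practice and therefore stays at MIL 0.
SAMPLE = {d: DomainResponses({1: [FULLY, FULLY], 2: [FULLY, LARGELY], 3: [NOT]})
          for d in DOMAINS}
SAMPLE["RM"] = DomainResponses({1: [FULLY] * 3, 2: [FULLY] * 2, 3: [FULLY, FULLY]})
SAMPLE["IR"] = DomainResponses({1: [FULLY, PARTIALLY], 2: [FULLY], 3: [NOT]})
# Constructed target profile: MIL 2 everywhere, MIL 3 for risk management and incident response.
TARGET = {**{d: 2 for d in DOMAINS}, "RM": 3, "IR": 3}

if __name__ == "__main__":
    current = scorecard(SAMPLE)
    for d, (cur, tgt) in gap_analysis(current, TARGET).items():
        print(f"{d}: MIL {cur} ({MIL_NAMES[cur]}) -> target MIL {tgt}; "
              f"blockers: {blocking_practices(SAMPLE[d])}")
```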