SlideShare a Scribd company logo

SARMA TALLARICO6-11

A
Anita Statman
1 of 26
Download to read offline
Risk-based Security Assessments: A Perspective on How the Energy Industry in Complying with the Critical Infrastructure Protection Reliability Standard Anita Tallarico, Certified Business Resilience Manager June 18, 2009
Outline 1.  The Requirement: NERC’s Reliability Standard CIP 001-009 2.  Research and Findings 3.  My 3 Overall Findings 4.  Recommendations
The Reliability Standard CIP Disaster The Requirement Over 50 million people were left without power on August 14, 2003, when a blackout cascaded across the Mid-West and Northeast U.S. and Canada within a matter of minutes. The Blackout challenged the energy industry and key agencies like DHS and DOE to react in a coordinated manner to the energy emergency. The North American Electric Reliability Corporation (NERC) responded to the event by developing a voluntary standard that the Federal Energy Regulatory Commission (FERC) adopted. Compliance penalties for the Critical Infrastructure Protection (CIP) Reliability Standards for the electric energy industry began July 1, 2008 for parts of the industry, July 1, 2009 for additional segments of the industry, and so on.
Requirements —  CIP-001-1 Sabotage Reporting —  CIP-002-1 Critical Cyber Asset Identification —  CIP-003-1 Security Management Controls —  CIP -004-1 Personnel and Training —  CIP-005-1 Electronic Perimeter(s) —  CIP-006-1 Physical Security —  CIP-006-1a Physical Security —  CIP-007-1 Systems Security Management —  CIP-008-1 Incident Reporting and Response Planning —  CIP-009-1 Recovery Plans for Critical Cyber Assets The Reliability Standard for CIP
Requirement CIP-001 Sabotage Reporting —  R1. Have procedures for the recognition of sabotage on single and multiple facilities affecting the Interconnection. —  R2. Have procedures for the communication of information to parties in the Interconnection. —  R3. Provide emergency contact information and emergency response procedures to operations personnel. —  R4. Develop reporting procedures with FBI or Royal Canadian Mounted Police as appropriate. The Reliability Standard for CIP
Requirement CIP-002 Critical Cyber Asset Identification —  R1. Identify and document a risk-based assessment methodology to use to identify Critical Assets. —  R2. Develop a list of assets through an annual application of the risk-based assessment methodology. —  R3. Develop a list of associated Critical Cyber Assets. —  R4. Approve the list of Critical Assets and Critical Cyber Assets annually by senior management. The Reliability Standard for CIP
Requirement CIP-003 The Reliability Standard CIP Security Management Controls —  R1. Document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. —  R2. Assign a senior manager for leading and managing the entity’s implementation of and adherence to 002-009. —  R4. Implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. —  R5. Document and implement a program for managing access to protected Critical Cyber Asset information. —  R6. Establish a process for document, change control, and configuration management, for Critical cyber Asset hardware or software.
Requirement CIP-004 The Reliability Standard CIP Personnel and Training —  R1. Establish, maintain, and document a security awareness program to ensure personnel having physical access receive on- going training in sound security practices on a quarterly basis. —  R2. Establish, maintain, and document an annual cyber security training program for personnel with access to cyber assets. —  R3. Have a documented personnel risk assessment program in accordance with f/s/l laws, for personnel with access to cyber assets. —  R4. Maintain lists of personnel with access to cyber assets including their electronic and physical access rights to assets.
Requirement CIP-005 Electronic Security Perimeter —  R1. Ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. Identify and document the Perimeter and all its access points. —  R2. Implement and document the organizational processes and mechanisms for control of electronic access at all electronic access points to the Perimeter. —  R3. Implement and document electronic or manual processes for monitoring access points 24/7. The Reliability Standard CIP
Requirement CIP-005 Electronic Security Perimeter (cont’d.) —  R4. Perform a cyber vulnerability assessment of the electronic access points to the Perimeter annually. —  R5. Review, update, and maintain all documentation to support compliance with this standard. The Reliability Standard CIP
Requirement CIP-006 Physical Security —  R1. Create and maintain a physical security plan, approved by a senior manager. —  R2. Document and implement the controls to manage physical access at all access points to the Physical Security perimeter 24/7. —  R3. Document and implement the controls for monitoring physical access at all point to the Perimeter 24/7. Unauthorized access shall be reviewed immediately and handled I/A/W CIP-008. The Reliability Standard for CIP
Requirement CIP-006 Physical Security (cont’d.) —  R4. Record sufficient information to uniquely identify individuals and the time of access 24/7. Log physical entry at all access points. —  R5. Retain physical access logs for at least 90 calendar days or in accordance with CIP-008. —  R6. Implement a maintenance and testing program to ensure that all security systems function properly. The Reliability Standard for CIP
Requirement CIP-007 Systems Security Management —  R1. Ensure that new cyber assets and significant changes to existing assets within the Perimeter do not adversely affect cyber security controls, e.g., patches, service packs, version upgrades. —  R2. Establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled. —  R3. Establish and document a security patch management program for tracking, evaluating, testing, and installing cyber security software patches for all assets within the perimeter. The Reliability Standard for CIP
Requirement CIP-007 Systems Security Management (cont.) —  R4. Use anti-virus software prevention tools to detect, prevent, deter, and mitigate the exposure of malware on all assets within the Perimeter. —  R5. Establish, implement, and document controls that enforce access authentication of and accountability for all user activity. —  R6. Ensure that all assets within the Perimeter have automated controls to monitor system events. The Reliability Standard for CIP
Requirement CIP-008 Incident Reporting and Response Planning —  R1. Develop and maintain a cyber security incident response plan. —  R2. Keep relevant documentation related to cyber security incidents reportable per R.1.1 for 3 calendar years. The Reliability Standard for CIP
Requirement CIP-009 Recovery Plans for Critical Cyber Assets —  R1. Create and annually review recovery plans for critical cyber assets. —  R2. Exercise recovery plans annually. They can range from a paper drill to a full operational exercise, to recovery from an actual incident. —  R3. Update plans to reflect changes or lessons learned and updates communicated to affected personnel within 90 days of change. —  R4. Include procedures for backup and storage of information required to restore cyber assets. —  R5. Store information essential to recovery on backup media. Test it annually. The Reliability Standard for CIP
Research and Findings Small Sample Interviewed —  Two, top twenty utilities —  The Edison Electric Institute (EEI) ◦  The Association of Shareholder-owned Electric Companies —  The Federal Energy Regulatory Commission (staff) The Reliability Standard for CIP
Research and Findings 1.  Industry wrote the CIP Standards, not the North American Electric Reliability Corporation (NERC). The NERC is a facilitating organization. 2.  Big industry says they had already complied with most of the Standard (002-009). 3.  Industry is complying with the letter of the Standard rather than spirit of the Standard or approaching it as a “set of standards,” as required. 4.  Some facilities are using the lack of specificity as a loop hole to not comply. The Reliability Standard for CIP
Research and Findings 5.  When the Federal Energy Regulatory Commission adopted the CIP Standard in January of 2008 it required NERC to revisit certain issues including the lack of a risk-based methodology. Nonetheless, the schedule for compliance marches on. 6.  The Federal Energy Regulatory Commission doesn’t have the authority to write security regulations for the electric industry. 7.  The electric utility industry is very distant from the Department of Homeland Security’s goals and programs. The Reliability Standard for CIP
3 Major Findings 1.  The Standard doesn’t measure up to past preparedness and protection standards because it doesn’t have performance standards. •  Three Mile Island 1979 President creates Radiological Emergency Preparedness Program for off-site preparedness –  Requires industry to fund state and local programs to develop plans and conduct biennial exercises to “ensure public safety and health” as part of the initial and biennial renewal of power plant licenses. •  Bhopal India 1984 (release of methylisocyanate kills thousands) Congress enacted Emergency Planning and Community Right-to-Know Act of 1986 –  Requires industry to report inventories of hazardous chemicals to local government who must make information available to the public. The local government must also develop hazmat emergency response plans for high risk facilities. •  Exxon Valdez 1989 Congress enacted Oil Pollution Act of 1990 (amended Clean Water Act) –  Requires industry to plan for worst-case scenarios for use and storage of oil and to fund and execute full scale exercises.. The Reliability Standard for CIP
3 Major Findings •  The Standard doesn’t measure up to past preparedness and protection standards because it doesn’t have performance standards. (Cont’d.) •  September 11, 2001 Congress enacted the PATRIOT Act that includes the Critical Infrastructure Protection Act of 2001 and subsequently Homeland Security Presidential Directive 7 (HSPD 7) •  HSPD-7 requires the Secretary of DHS to coordinate the overall national effort to enhance the protection of the critical infrastructure and key resources of the United States including coordinating implementation of efforts among Federal departments and agencies and the private sector. •  Further it will establish uniform policies and methodologies for integrating Federal infrastructure protection and risk management activities within and across sectors along with metrics and criteria for related programs and activities. •  Northeast Blackout of 2003 NERC responds with industry standards that are adopted by FERC –  Requires applicable owners/operators to develop risk-based protection program for critical assets. The Reliability Standard for CIP
3 Major Findings 2.  The Standard doesn’t address current emergency management or business continuity best practices. ◦  Business continuity and comprehensive emergency management standards are 20 years old. ◦  A universal tenant is all-hazard. ◦  The industry uses N1 and N2 Standards, but they were not designed to address multiple attacks from terrorists or natural pandemics. The Reliability Standard for CIP
3 Major Findings 3.  The Standard allows a patchwork approach to protecting our nation’s grid. ◦  Each industry owner/operator independently identifies its critical assets and critical cyber assets as if it were a closed system. Whereas the grid operates as a system. ◦  The lack of a risk management methodology in Standard 002 and the closed system concept allows owners to claim that they have no critical assets and thus not comply with Standards 003-009. The Reliability Standard for CIP
Recommendations 1.  A risk-based Standard should address all-hazards. 2.  A Standard similar to the CIP Standard must be complied with as an entire Standard. •  This is best tested through a functional (peer or federal) evaluated exercise. 3.  Congress should give FERC regulatory authority to promulgate nationwide rules that begin to protect the grid from criminals and allow the industry to recover part of the costs of protection. 4.  FERC should continue to work with DHS to implement its role under the National Infrastructure Protection Plan to further the goals of the NIPP through the identification and protection of assets under their control. 5.  Continue to track compliance with the Standard and the evolution of the CIP Standard as required by FERC.
Questions?
SARMA TALLARICO6-11

Recommended

Safety Management System
Safety Management System Safety Management System
Safety Management System Tata Power Delhi Distribution Limited
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...EnergySec
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentationjamesholler
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsEnergySec
 
RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™CPaschal
 
Safety Instrumentation
Safety Instrumentation Safety Instrumentation
Safety Instrumentation Living Online
 
NERC CIP Training - 5 Days Course
NERC CIP Training - 5 Days Course NERC CIP Training - 5 Days Course
NERC CIP Training - 5 Days Course Tonex
 
SSRA engagement theater oct2015
SSRA engagement theater oct2015SSRA engagement theater oct2015
SSRA engagement theater oct2015Brian Farmer
 

Recommended

Safety Management System
Safety Management System Safety Management System
Safety Management System Tata Power Delhi Distribution Limited
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...EnergySec
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentationjamesholler
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsEnergySec
 
RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™CPaschal
 
Safety Instrumentation
Safety Instrumentation Safety Instrumentation
Safety Instrumentation Living Online
 
NERC CIP Training - 5 Days Course
NERC CIP Training - 5 Days Course NERC CIP Training - 5 Days Course
NERC CIP Training - 5 Days Course Tonex
 
SSRA engagement theater oct2015
SSRA engagement theater oct2015SSRA engagement theater oct2015
SSRA engagement theater oct2015Brian Farmer
 
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...Living Online
 
Critical Infrastructure Protection (CIP) NERC Training : Tonex Training
Critical Infrastructure Protection (CIP) NERC Training : Tonex TrainingCritical Infrastructure Protection (CIP) NERC Training : Tonex Training
Critical Infrastructure Protection (CIP) NERC Training : Tonex TrainingBryan Len
 
IEC 61511 introduction
IEC 61511 introduction IEC 61511 introduction
IEC 61511 introduction KoenLeekens
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleEnergySec
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:CoreTrace Corporation
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseIQPC
 
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Mike Boudreaux
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyHoneywell
 
Cybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryCybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryTunde Ogunkoya
 
10. industrial networks safety and security tom hammond
10. industrial networks safety and security tom hammond10. industrial networks safety and security tom hammond
10. industrial networks safety and security tom hammondPROFIBUS and PROFINET InternationaI - PI UK
 
News letter jan.14
News letter jan.14News letter jan.14
News letter jan.14Capt SB Tyagi, COAC'CC*,FISM,CSC,
 
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts Mike Boudreaux
 
Fgs handbook-rev-d
Fgs handbook-rev-dFgs handbook-rev-d
Fgs handbook-rev-dMuneeb Irfan
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Asset Integrity Management approach to achieve excellence in Process Safety
Asset Integrity Management approach to achieve excellence in Process SafetyAsset Integrity Management approach to achieve excellence in Process Safety
Asset Integrity Management approach to achieve excellence in Process SafetyChandrashekhar Kulkarni
 
Audit fieldwork
Audit fieldworkAudit fieldwork
Audit fieldworkShaswat Khatiwada
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...3GDR
 
Evolution of Security Management
Evolution of Security ManagementEvolution of Security Management
Evolution of Security ManagementChristophe Briguet
 
Managing your OnStream Inspection Program and External vs Internal inspections
Managing your OnStream Inspection Program and External vs Internal inspectionsManaging your OnStream Inspection Program and External vs Internal inspections
Managing your OnStream Inspection Program and External vs Internal inspectionsEdwin A Merrick
 
Guidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxGuidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxsrinivascooldude58
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 

More Related Content

What's hot

Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...Living Online
 
Critical Infrastructure Protection (CIP) NERC Training : Tonex Training
Critical Infrastructure Protection (CIP) NERC Training : Tonex TrainingCritical Infrastructure Protection (CIP) NERC Training : Tonex Training
Critical Infrastructure Protection (CIP) NERC Training : Tonex TrainingBryan Len
 
IEC 61511 introduction
IEC 61511 introduction IEC 61511 introduction
IEC 61511 introduction KoenLeekens
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleEnergySec
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:CoreTrace Corporation
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseIQPC
 
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Mike Boudreaux
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyHoneywell
 
Cybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryCybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryTunde Ogunkoya
 
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts Mike Boudreaux
 
Fgs handbook-rev-d
Fgs handbook-rev-dFgs handbook-rev-d
Fgs handbook-rev-dMuneeb Irfan
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Asset Integrity Management approach to achieve excellence in Process Safety
Asset Integrity Management approach to achieve excellence in Process SafetyAsset Integrity Management approach to achieve excellence in Process Safety
Asset Integrity Management approach to achieve excellence in Process SafetyChandrashekhar Kulkarni
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...3GDR
 
Evolution of Security Management
Evolution of Security ManagementEvolution of Security Management
Evolution of Security ManagementChristophe Briguet
 
Managing your OnStream Inspection Program and External vs Internal inspections
Managing your OnStream Inspection Program and External vs Internal inspectionsManaging your OnStream Inspection Program and External vs Internal inspections
Managing your OnStream Inspection Program and External vs Internal inspectionsEdwin A Merrick
 

What's hot (20)

Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...
 
Critical Infrastructure Protection (CIP) NERC Training : Tonex Training
Critical Infrastructure Protection (CIP) NERC Training : Tonex TrainingCritical Infrastructure Protection (CIP) NERC Training : Tonex Training
Critical Infrastructure Protection (CIP) NERC Training : Tonex Training
 
IEC 61511 introduction
IEC 61511 introduction IEC 61511 introduction
IEC 61511 introduction
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety Case
 
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
 
Cybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryCybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas Industry
 
10. industrial networks safety and security tom hammond
10. industrial networks safety and security tom hammond10. industrial networks safety and security tom hammond
10. industrial networks safety and security tom hammond
 
News letter jan.14
News letter jan.14News letter jan.14
News letter jan.14
 
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts
Safety Lifecycle Management - Emerson Exchange 2010 - Meet the Experts
 
Fgs handbook-rev-d
Fgs handbook-rev-dFgs handbook-rev-d
Fgs handbook-rev-d
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Asset Integrity Management approach to achieve excellence in Process Safety
Asset Integrity Management approach to achieve excellence in Process SafetyAsset Integrity Management approach to achieve excellence in Process Safety
Asset Integrity Management approach to achieve excellence in Process Safety
 
Audit fieldwork
Audit fieldworkAudit fieldwork
Audit fieldwork
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...
 
Evolution of Security Management
Evolution of Security ManagementEvolution of Security Management
Evolution of Security Management
 
Managing your OnStream Inspection Program and External vs Internal inspections
Managing your OnStream Inspection Program and External vs Internal inspectionsManaging your OnStream Inspection Program and External vs Internal inspections
Managing your OnStream Inspection Program and External vs Internal inspections
 

Similar to SARMA TALLARICO6-11

Guidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxGuidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxsrinivascooldude58
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™CPaschal
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™CPaschal
 
Business Continuity Awareness Week 2009
Business Continuity Awareness Week 2009Business Continuity Awareness Week 2009
Business Continuity Awareness Week 2009Brigitte Theuma
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)Ivan Carmona
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011dma1965
 
Critical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC TrainingCritical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC TrainingTonex
 
MICHAEL BILHEIMER Resume v3
MICHAEL BILHEIMER Resume v3MICHAEL BILHEIMER Resume v3
MICHAEL BILHEIMER Resume v3Mike Bilheimer
 
MICHAEL BILHEIMER Resume
MICHAEL BILHEIMER ResumeMICHAEL BILHEIMER Resume
MICHAEL BILHEIMER ResumeMike Bilheimer
 
Maritime Cybersecurity Developments maritimeoutlook.wordpress.com
Maritime Cybersecurity Developments maritimeoutlook.wordpress.comMaritime Cybersecurity Developments maritimeoutlook.wordpress.com
Maritime Cybersecurity Developments maritimeoutlook.wordpress.comNihal Peter Moraes
 
Strategy Basecamp - Cybersecurity Introduction
Strategy Basecamp - Cybersecurity IntroductionStrategy Basecamp - Cybersecurity Introduction
Strategy Basecamp - Cybersecurity IntroductionPaul Osterberg
 
Cyber security regulation strictly regulated by nrc feb 2013
Cyber security regulation strictly regulated by nrc feb 2013Cyber security regulation strictly regulated by nrc feb 2013
Cyber security regulation strictly regulated by nrc feb 2013Yury Chemerkin
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...3GDR
 
Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...
Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...
Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...TheAnfieldGroup
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specificationsSsendiSamuel
 
Security Readiness Profile
Security Readiness ProfileSecurity Readiness Profile
Security Readiness Profilepds2k.com
 

Similar to SARMA TALLARICO6-11 (20)

Guidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxGuidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptx
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance Guide
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
 
Business Continuity Awareness Week 2009
Business Continuity Awareness Week 2009Business Continuity Awareness Week 2009
Business Continuity Awareness Week 2009
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011
 
Importance of O&M
Importance of O&MImportance of O&M
Importance of O&M
 
Critical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC TrainingCritical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC Training
 
MICHAEL BILHEIMER Resume v3
MICHAEL BILHEIMER Resume v3MICHAEL BILHEIMER Resume v3
MICHAEL BILHEIMER Resume v3
 
MICHAEL BILHEIMER Resume
MICHAEL BILHEIMER ResumeMICHAEL BILHEIMER Resume
MICHAEL BILHEIMER Resume
 
Maritime Cybersecurity Developments maritimeoutlook.wordpress.com
Maritime Cybersecurity Developments maritimeoutlook.wordpress.comMaritime Cybersecurity Developments maritimeoutlook.wordpress.com
Maritime Cybersecurity Developments maritimeoutlook.wordpress.com
 
Strategy Basecamp - Cybersecurity Introduction
Strategy Basecamp - Cybersecurity IntroductionStrategy Basecamp - Cybersecurity Introduction
Strategy Basecamp - Cybersecurity Introduction
 
Cyber security regulation strictly regulated by nrc feb 2013
Cyber security regulation strictly regulated by nrc feb 2013Cyber security regulation strictly regulated by nrc feb 2013
Cyber security regulation strictly regulated by nrc feb 2013
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...
 
Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...
Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...
Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compl...
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specifications
 
Security Readiness Profile
Security Readiness ProfileSecurity Readiness Profile
Security Readiness Profile
 

SARMA TALLARICO6-11

  • 1. Risk-based Security Assessments: A Perspective on How the Energy Industry in Complying with the Critical Infrastructure Protection Reliability Standard Anita Tallarico, Certified Business Resilience Manager June 18, 2009
  • 2. Outline 1.  The Requirement: NERC’s Reliability Standard CIP 001-009 2.  Research and Findings 3.  My 3 Overall Findings 4.  Recommendations
  • 3. The Reliability Standard CIP Disaster The Requirement Over 50 million people were left without power on August 14, 2003, when a blackout cascaded across the Mid-West and Northeast U.S. and Canada within a matter of minutes. The Blackout challenged the energy industry and key agencies like DHS and DOE to react in a coordinated manner to the energy emergency. The North American Electric Reliability Corporation (NERC) responded to the event by developing a voluntary standard that the Federal Energy Regulatory Commission (FERC) adopted. Compliance penalties for the Critical Infrastructure Protection (CIP) Reliability Standards for the electric energy industry began July 1, 2008 for parts of the industry, July 1, 2009 for additional segments of the industry, and so on.
  • 4. Requirements —  CIP-001-1 Sabotage Reporting —  CIP-002-1 Critical Cyber Asset Identification —  CIP-003-1 Security Management Controls —  CIP -004-1 Personnel and Training —  CIP-005-1 Electronic Perimeter(s) —  CIP-006-1 Physical Security —  CIP-006-1a Physical Security —  CIP-007-1 Systems Security Management —  CIP-008-1 Incident Reporting and Response Planning —  CIP-009-1 Recovery Plans for Critical Cyber Assets The Reliability Standard for CIP
  • 5. Requirement CIP-001 Sabotage Reporting —  R1. Have procedures for the recognition of sabotage on single and multiple facilities affecting the Interconnection. —  R2. Have procedures for the communication of information to parties in the Interconnection. —  R3. Provide emergency contact information and emergency response procedures to operations personnel. —  R4. Develop reporting procedures with FBI or Royal Canadian Mounted Police as appropriate. The Reliability Standard for CIP
  • 6. Requirement CIP-002 Critical Cyber Asset Identification —  R1. Identify and document a risk-based assessment methodology to use to identify Critical Assets. —  R2. Develop a list of assets through an annual application of the risk-based assessment methodology. —  R3. Develop a list of associated Critical Cyber Assets. —  R4. Approve the list of Critical Assets and Critical Cyber Assets annually by senior management. The Reliability Standard for CIP
  • 7. Requirement CIP-003 The Reliability Standard CIP Security Management Controls —  R1. Document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. —  R2. Assign a senior manager for leading and managing the entity’s implementation of and adherence to 002-009. —  R4. Implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. —  R5. Document and implement a program for managing access to protected Critical Cyber Asset information. —  R6. Establish a process for document, change control, and configuration management, for Critical cyber Asset hardware or software.
  • 8. Requirement CIP-004 The Reliability Standard CIP Personnel and Training —  R1. Establish, maintain, and document a security awareness program to ensure personnel having physical access receive on- going training in sound security practices on a quarterly basis. —  R2. Establish, maintain, and document an annual cyber security training program for personnel with access to cyber assets. —  R3. Have a documented personnel risk assessment program in accordance with f/s/l laws, for personnel with access to cyber assets. —  R4. Maintain lists of personnel with access to cyber assets including their electronic and physical access rights to assets.
  • 9. Requirement CIP-005 Electronic Security Perimeter —  R1. Ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. Identify and document the Perimeter and all its access points. —  R2. Implement and document the organizational processes and mechanisms for control of electronic access at all electronic access points to the Perimeter. —  R3. Implement and document electronic or manual processes for monitoring access points 24/7. The Reliability Standard CIP
  • 10. Requirement CIP-005 Electronic Security Perimeter (cont’d.) —  R4. Perform a cyber vulnerability assessment of the electronic access points to the Perimeter annually. —  R5. Review, update, and maintain all documentation to support compliance with this standard. The Reliability Standard CIP
  • 11. Requirement CIP-006 Physical Security —  R1. Create and maintain a physical security plan, approved by a senior manager. —  R2. Document and implement the controls to manage physical access at all access points to the Physical Security perimeter 24/7. —  R3. Document and implement the controls for monitoring physical access at all point to the Perimeter 24/7. Unauthorized access shall be reviewed immediately and handled I/A/W CIP-008. The Reliability Standard for CIP
  • 12. Requirement CIP-006 Physical Security (cont’d.) —  R4. Record sufficient information to uniquely identify individuals and the time of access 24/7. Log physical entry at all access points. —  R5. Retain physical access logs for at least 90 calendar days or in accordance with CIP-008. —  R6. Implement a maintenance and testing program to ensure that all security systems function properly. The Reliability Standard for CIP
  • 13. Requirement CIP-007 Systems Security Management —  R1. Ensure that new cyber assets and significant changes to existing assets within the Perimeter do not adversely affect cyber security controls, e.g., patches, service packs, version upgrades. —  R2. Establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled. —  R3. Establish and document a security patch management program for tracking, evaluating, testing, and installing cyber security software patches for all assets within the perimeter. The Reliability Standard for CIP
  • 14. Requirement CIP-007 Systems Security Management (cont.) —  R4. Use anti-virus software prevention tools to detect, prevent, deter, and mitigate the exposure of malware on all assets within the Perimeter. —  R5. Establish, implement, and document controls that enforce access authentication of and accountability for all user activity. —  R6. Ensure that all assets within the Perimeter have automated controls to monitor system events. The Reliability Standard for CIP
  • 15. Requirement CIP-008 Incident Reporting and Response Planning —  R1. Develop and maintain a cyber security incident response plan. —  R2. Keep relevant documentation related to cyber security incidents reportable per R.1.1 for 3 calendar years. The Reliability Standard for CIP
  • 16. Requirement CIP-009 Recovery Plans for Critical Cyber Assets —  R1. Create and annually review recovery plans for critical cyber assets. —  R2. Exercise recovery plans annually. They can range from a paper drill to a full operational exercise, to recovery from an actual incident. —  R3. Update plans to reflect changes or lessons learned and updates communicated to affected personnel within 90 days of change. —  R4. Include procedures for backup and storage of information required to restore cyber assets. —  R5. Store information essential to recovery on backup media. Test it annually. The Reliability Standard for CIP
  • 17. Research and Findings Small Sample Interviewed —  Two, top twenty utilities —  The Edison Electric Institute (EEI) ◦  The Association of Shareholder-owned Electric Companies —  The Federal Energy Regulatory Commission (staff) The Reliability Standard for CIP
  • 18. Research and Findings 1.  Industry wrote the CIP Standards, not the North American Electric Reliability Corporation (NERC). The NERC is a facilitating organization. 2.  Big industry says they had already complied with most of the Standard (002-009). 3.  Industry is complying with the letter of the Standard rather than spirit of the Standard or approaching it as a “set of standards,” as required. 4.  Some facilities are using the lack of specificity as a loop hole to not comply. The Reliability Standard for CIP
  • 19. Research and Findings 5.  When the Federal Energy Regulatory Commission adopted the CIP Standard in January of 2008 it required NERC to revisit certain issues including the lack of a risk-based methodology. Nonetheless, the schedule for compliance marches on. 6.  The Federal Energy Regulatory Commission doesn’t have the authority to write security regulations for the electric industry. 7.  The electric utility industry is very distant from the Department of Homeland Security’s goals and programs. The Reliability Standard for CIP
  • 20. 3 Major Findings 1.  The Standard doesn’t measure up to past preparedness and protection standards because it doesn’t have performance standards. •  Three Mile Island 1979 President creates Radiological Emergency Preparedness Program for off-site preparedness –  Requires industry to fund state and local programs to develop plans and conduct biennial exercises to “ensure public safety and health” as part of the initial and biennial renewal of power plant licenses. •  Bhopal India 1984 (release of methylisocyanate kills thousands) Congress enacted Emergency Planning and Community Right-to-Know Act of 1986 –  Requires industry to report inventories of hazardous chemicals to local government who must make information available to the public. The local government must also develop hazmat emergency response plans for high risk facilities. •  Exxon Valdez 1989 Congress enacted Oil Pollution Act of 1990 (amended Clean Water Act) –  Requires industry to plan for worst-case scenarios for use and storage of oil and to fund and execute full scale exercises.. The Reliability Standard for CIP
  • 21. 3 Major Findings •  The Standard doesn’t measure up to past preparedness and protection standards because it doesn’t have performance standards. (Cont’d.) •  September 11, 2001 Congress enacted the PATRIOT Act that includes the Critical Infrastructure Protection Act of 2001 and subsequently Homeland Security Presidential Directive 7 (HSPD 7) •  HSPD-7 requires the Secretary of DHS to coordinate the overall national effort to enhance the protection of the critical infrastructure and key resources of the United States including coordinating implementation of efforts among Federal departments and agencies and the private sector. •  Further it will establish uniform policies and methodologies for integrating Federal infrastructure protection and risk management activities within and across sectors along with metrics and criteria for related programs and activities. •  Northeast Blackout of 2003 NERC responds with industry standards that are adopted by FERC –  Requires applicable owners/operators to develop risk-based protection program for critical assets. The Reliability Standard for CIP
  • 22. 3 Major Findings 2.  The Standard doesn’t address current emergency management or business continuity best practices. ◦  Business continuity and comprehensive emergency management standards are 20 years old. ◦  A universal tenant is all-hazard. ◦  The industry uses N1 and N2 Standards, but they were not designed to address multiple attacks from terrorists or natural pandemics. The Reliability Standard for CIP
  • 23. 3 Major Findings 3.  The Standard allows a patchwork approach to protecting our nation’s grid. ◦  Each industry owner/operator independently identifies its critical assets and critical cyber assets as if it were a closed system. Whereas the grid operates as a system. ◦  The lack of a risk management methodology in Standard 002 and the closed system concept allows owners to claim that they have no critical assets and thus not comply with Standards 003-009. The Reliability Standard for CIP
  • 24. Recommendations 1.  A risk-based Standard should address all-hazards. 2.  A Standard similar to the CIP Standard must be complied with as an entire Standard. •  This is best tested through a functional (peer or federal) evaluated exercise. 3.  Congress should give FERC regulatory authority to promulgate nationwide rules that begin to protect the grid from criminals and allow the industry to recover part of the costs of protection. 4.  FERC should continue to work with DHS to implement its role under the National Infrastructure Protection Plan to further the goals of the NIPP through the identification and protection of assets under their control. 5.  Continue to track compliance with the Standard and the evolution of the CIP Standard as required by FERC.