
Integration of Technology & Compliance Presented by John Heintz, CPS Energy

Published August 02, 2012, at the 2012 Technologies for Security & Compliance Summit, Austin, Texas.


  1. Integration of Technology & Compliance. August 02, 2012, 2012 Technologies for Security & Compliance Summit, Austin, Texas.
  2. John Heintz, CISSP, CISM, CRISC, Senior Manager, Enterprise IT Security.
  3. CPS Energy History (the early days)
  • Oldest utility in Texas; the gas light system started in the 1860s.
  • In 1917, the San Antonio Public Service Company (SAPS Co), under the ownership of the American Light and Traction Company, ran the city's power plants, gas network and street car lines.
  • In 1942, anti-trust laws required the American Light and Traction Company to sell some of its assets.
  • The City of San Antonio outbid other entities to purchase SAPS Co for $34 million.
  • The city sold off the street car business and retained the power generation, distribution and gas network.
  • The name was changed to City Public Service and, over the years, to CPS Energy.
  4. CPS Energy (current)
  • Based in San Antonio (7th largest city in the nation)
  • Largest municipally owned energy utility that provides both natural gas and electric service
  • Serves over 717,000 electric customers
  • Over 325,000 gas customers
  • 1,514 square mile service area
  • Over 3,600 employees
  • $2 billion in annual revenues
  • $9.7 billion in assets
  • Provides roughly $250 - $280 million in annual revenue to the City of San Antonio
  5. Generation
  • Generation assets
    – Owns and operates 4 major generation facilities in the San Antonio area (gas and coal)
    – Generates approximately 7,000 megawatts of power
    – Owns 40% of South Texas Project (STP) units 1 and 2, which provides 1,088 megawatts of power for CPS Energy customers
    – Has invested an additional 7.625% in additional units at STP, which would generate an additional 200 megawatts of power for CPS Energy customers
  • Fuel mix
    – Coal: 32%
    – Nuclear: 16%
    – Natural gas and purchased power: 39%
    – Renewable (wind, solar and landfill methane gas): 13%, to increase to 20% by 2020
  6. Transmission & Distribution
  • Transmission & distribution assets
    – Owns and maintains 1,400 miles of transmission lines
    – Owns and maintains 7,600 miles of overhead distribution lines, on over 408,000 poles
    – Owns and maintains an additional 4,300 miles of underground distribution lines
  7. Enterprise IT Security Organization
  • Enterprise IT Security Organization (EITS)
    – Formed in May of 2007
    – John Heintz began with CPS Energy almost 2 years ago
  • EITS moved to the Legal Department under the General Counsel in 2009
    – Provides true segregation of duties
    – Reports to Senior Counsel and the Director of Compliance
  • The EITS security program was baselined using the Forrester Information Security Maturity Model
    – A benchmarking tool to assess the information security program
    – Provides a framework that describes all of the required functions and components of a comprehensive information security program
    – The Forrester model is objective, prescriptive, process oriented, modular and uncomplicated
  8. Forrester Information Security Maturity Model
  • Oversight: Strategy; Governance; Risk Management; Compliance Management; Audit and Assurance
  • People: Security Services; Communication; Security Organization; Business Relationship; Roles/Responsibilities
  • Technology: Network; Databases; Systems; Endpoints; Application Infrastructure; Messaging and Content; Data
  • Process: Identity and Access Management; Threat and Vulnerability Management; Investigations and Records Management; Incident Management; Sourcing and Vendor Management; Information Asset Management; Application/Systems Development; Business Continuity and Disaster Recovery
  9. Maturity Model Self Assessment
  • 0 - Nonexistent: not understood; not formalized; need is not recognized
  • 1 - Ad Hoc: occasional; not consistent; not planned; disorganized
  • 2 - Repeatable: intuitive; not documented; occurs only when necessary
  • 3 - Defined: documented; predictable; evaluated occasionally; understood
  • 4 - Measured: well managed; formal; often automated; evaluated frequently
  • 5 - Optimized: continuous and effective; integrated; proactive; usually automated
  Chart callouts on this slide (their position on the scale is not preserved in the text): "Most mature companies are at this stage"; "Our corporate network results".
  10. Doing Well and What Has Already Improved
  • EITS - what we are doing well
    – Endpoint anti-malware
    – Network intrusion detection
    – Anti-spam
    – Policy creation
    – Security event management
  • Other improvements already made
    – Security metrics
    – Endpoint protection
    – Network vulnerability
    – Application developer security awareness
    – Vulnerability management
    – Security testing
    – Forensics and e-discovery
    – Threat modeling
    – Threat research
    – Client encryption
    – Project integration
  11. Key Security / Compliance Challenges
  • Technology
    – Databases: encryption is ad hoc
    – Systems: host-based firewalls and IPS
    – Application infrastructure: XML gateway; application firewall
    – Messaging and content: message encryption; instant message filtering; anti-malware
    – Data: digital rights management
  • Process
    – Identity and access management: web SSO; access control; enterprise SSO
  • People
    – Security organization: staffing
  12. Corporate Information Security Goal (the same 0 - 5 scale as the self assessment)
  • 0 - Nonexistent: not understood; not formalized; need is not recognized
  • 1 - Ad Hoc: occasional; not consistent; not planned; disorganized
  • 2 - Repeatable: intuitive; not documented; occurs only when necessary
  • 3 - Defined: documented; predictable; evaluated occasionally; understood
  • 4 - Measured: well managed; formal; often automated; evaluated frequently
  • 5 - Optimized: continuous and effective; integrated; proactive; usually automated
  Chart callout on this slide (position on the scale not preserved in the text): "Key security issues are addressed, could move here…"
  13. James Grimshaw, Critical Cyber Infrastructure Manager, Transmission Compliance.
  14. Control Systems Cyber Security (or Compliance?)
  • NERC compliance events
    – January 2009 – one year to be fully compliant
    – January 2010 – fully compliant date
    – October 2010 – TOP CFR Certification
    – November 2011 – first full TO/TOP/LSE (Transmission Owner / Transmission Operator / Load-Serving Entity) CIP audit
    – 2012 – document lessons learned (LL) and begin to implement them during annual updates
  • Topics covered in the following slides:
    1. Manage and Communicate Compliance Activities
    2. CIP-004-3, R4 – Access Program
    3. Management Dashboard
  15. Manage and Communicate Compliance Activities
  • Annual reviews (policies, programs, procedures, etc.)
  • Create periodic compliance reports
  • Where to file (sensitive) associated reports and evidence
  • Complete Reliability Standards Audit Worksheets (RSAWs)
  • Create workflows for accountability, accuracy and oversight
  • Risk management – escalation of non-completed workflows, security trends
  • Manage Technical Feasibility Exceptions, mitigation plans, etc.
  • Decrease interruption to subject matter experts' daily work schedules
  16. Physical & Cyber Access Program
  • Automate performance reviews and system-generated reports
  • Integrate systems to decrease risk and increase efficiency
  • Physical Security Perimeter (PSP) and Electronic Security Perimeter (ESP)
  • PSP area owners and cyber system owners
  • Corporate Enterprise Resource Planning (ERP) program for Personnel Risk Assessments (PRAs)
  • Corporate learning management system for NERC training records
  • Weekly access report fed into the management dashboard
  • Automate position/organizational changes, terminations and new hires
  • CIP Version 5 – role-based access (and other changes)
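The integration this slide describes (HR/ERP feed for terminations and PRAs, learning management system for training records, badge and cyber access lists, weekly report into the dashboard) comes down to a reconciliation job that joins the access list against the people data and flags exceptions. The script below is an added example, not code from the presentation or from CPS Energy, and runs over constructed sample feeds with hypothetical employee and perimeter IDs. The thresholds are assumptions taken from CIP-004-3 as commonly read (revoke within 24 hours of termination, training refreshed annually, PRA refreshed every seven years) and should be checked against the standard version in force before use.

```python
"""Weekly NERC CIP access reconciliation (added example, not CPS Energy code).

Joins the access list for each Physical/Electronic Security Perimeter against
the HR feed, Personnel Risk Assessment (PRA) records and training records, and
emits findings suitable for a management dashboard roll-up.
"""
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Assumed thresholds (check against the CIP-004 version in force).
REVOCATION_WINDOW = timedelta(hours=24)   # revoke within 24h of termination
TRAINING_MAX_AGE = timedelta(days=365)    # training refreshed annually
PRA_MAX_AGE = timedelta(days=7 * 365)     # PRA refreshed every seven years

Finding = namedtuple("Finding", "employee perimeter issue")

# Constructed sample feeds with hypothetical IDs (not real CPS Energy data).
HR_FEED = {  # employee -> status and the effective date of that status
    "e100": {"status": "active", "effective": datetime(2010, 1, 4, 8, 0)},
    "e101": {"status": "terminated", "effective": datetime(2012, 7, 31, 17, 0)},
    "e102": {"status": "active", "effective": datetime(2004, 5, 1, 8, 0)},
    "e103": {"status": "active", "effective": datetime(2009, 3, 2, 8, 0)},
    "e105": {"status": "terminated", "effective": datetime(2012, 8, 2, 6, 0)},
}
PRA_FEED = {  # employee -> date of most recent Personnel Risk Assessment
    "e100": datetime(2008, 1, 15), "e101": datetime(2011, 2, 1),
    "e102": datetime(2004, 6, 1), "e103": datetime(2010, 9, 9),
    "e105": datetime(2012, 1, 1),
}
TRAINING_FEED = {  # employee -> date of most recent CIP training completion
    "e100": datetime(2012, 2, 1), "e101": datetime(2012, 3, 1),
    "e102": datetime(2012, 1, 10), "e103": datetime(2011, 5, 1),
    "e105": datetime(2012, 5, 1),
}
ACCESS_FEED = [  # (employee, perimeter) as exported from badge and ACL systems
    ("e100", "ESP-EMS"), ("e100", "PSP-CONTROL-CENTER"),
    ("e101", "PSP-CONTROL-CENTER"), ("e102", "ESP-EMS"),
    ("e103", "PSP-SUBSTATION-7"), ("e104", "ESP-EMS"), ("e105", "ESP-EMS"),
]
AS_OF = datetime(2012, 8, 2, 12, 0)  # report run time for the sample data


def reconcile(access, hr, pra, training, as_of):
    """Return one Finding per access entry that fails a check as of `as_of`."""
    findings = []
    for employee, perimeter in access:
        record = hr.get(employee)
        if record is None:
            # Access with no HR identity: orphaned account or contractor not in feed.
            findings.append(Finding(employee, perimeter, "no_hr_record"))
            continue
        if record["status"] == "terminated":
            overdue = as_of - record["effective"] > REVOCATION_WINDOW
            issue = "revocation_overdue" if overdue else "revocation_pending"
            findings.append(Finding(employee, perimeter, issue))
            continue  # PRA and training checks are moot once access must go
        pra_date = pra.get(employee)
        if pra_date is None:
            findings.append(Finding(employee, perimeter, "pra_missing"))
        elif as_of - pra_date > PRA_MAX_AGE:
            findings.append(Finding(employee, perimeter, "pra_expired"))
        trained = training.get(employee)
        if trained is None:
            findings.append(Finding(employee, perimeter, "training_missing"))
        elif as_of - trained > TRAINING_MAX_AGE:
            findings.append(Finding(employee, perimeter, "training_expired"))
    return findings


def dashboard_summary(findings):
    """Count findings by issue type for the management dashboard roll-up."""
    return dict(Counter(f.issue for f in findings))


if __name__ == "__main__":
    report = reconcile(ACCESS_FEED, HR_FEED, PRA_FEED, TRAINING_FEED, AS_OF)
    for f in report:
        print(f"{f.employee:6} {f.perimeter:20} {f.issue}")
    print(dashboard_summary(report))
```

On the sample data the job flags one overdue revocation (e101, terminated more than 24 hours ago), one pending revocation (e105, terminated 6 hours ago), one expired PRA, one expired training record and one access entry with no HR record, while e100's two perimeter entries pass cleanly. Each finding carries the perimeter, so the weekly report can be routed to the PSP area owner or cyber system owner responsible, and the summary counts are what the dashboard would trend week over week.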
  17. Management Compliance Dashboard
  • One of the top-ranked challenges is getting management support
    – NERC Committee (steering group)
    – Provide senior management with high-level insight (with drill-down)
  • Properly prioritize projects vs. compliance
  • Properly prioritize funding
  • Corporate-level risk mitigation
  18. The Future for Control Systems Environments
  • Working together with other utilities
    – CIP Working Group
  • Continuous process improvement
    – Invest to automate processes
    – Integrate systems to decrease risk
  • Stay informed and utilize resources
    – NERC and ICSJWG (Industrial Control Systems Joint Working Group) workshops
    – Keep up with NERC and TxRE (Texas Reliability Entity) communications
    – DOE/DHS
  19. Questions
