This paper discusses the emerging issue of Board of Directors governance and cybersecurity. It was originally presented to the Boards of Directors of the IRC (http://www.isorto.org/Pages/Home) in May 2014. The paper is continuously being improved, with the goal of becoming a resource for Boards of Directors in the energy (electricity and natural gas) industry. Suggested updates and improvements are welcome at PaulFeldman@Gmail.com. The current copy is always at http://www.EnergyCollection.us/456.pdf
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how organizations use a cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with their organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
How To Present Cyber Security To Senior Management Complete Deck (SlideTeam)
This template is useful for presenting a cybersecurity plan to higher authority. The cybersecurity officer will present it to top-level management. It will help in determining the roles and responsibilities of the senior managers and executives who are responsible for handling risks. The firm will also optimize its cybersecurity risk framework. The firm will assess the current concerns that are impeding cybersecurity, in terms of the increase in cybercrimes, data breaches and exposure, and the amount spent on settlements. It will also analyze the firm's current cybersecurity framework. The firm will categorize various risks and assess them on parameters such as risk likelihood and severity. The IT department will also improve its incident handling mechanism. A cybersecurity contingency plan will be initiated by the firm. In this plan, the firm will build an alternate site for backup maintenance. Backup site selection will be done taking certain parameters into consideration, such as implementation cost, duration, location, etc. The other plan essentials include business impact assessment, vital record maintenance, recovery task list maintenance, etc. The template also includes information regarding the roles and responsibilities of line managers, senior managers and executives in risk management. It also includes information on the role of top management in ensuring effective information security governance. The budget required for the cybersecurity plan implementation is also provided, together with the staff training cost. https://bit.ly/3iSww5L
The cyber security job is everyone's business, including the Board of Directors, even without a cyber security degree. Recent cyber security news proves that. According to several studies, Boards are getting it wrong and are leaving cyber awareness and risk management in the hands of the CEO, CISO, CTOs and cyber security companies. In a sense they are abdicating their responsibility to the shareholders. This slideshare proposes 7 questions every board should be asking their company executives about IT security. They're not necessarily all-encompassing and don't take the place of real cybersecurity training, but will drive the discussion to a better and more complete understanding of strategic risk. Questions cover the basics of cyber security training, cyber policies, and who briefs and when at board meetings. Thanks.
Enterprise Security Architecture was initially targeted at addressing two problems:
1- System complexity
2- Inadequate business alignment
Together these result in more cost and less value.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Building an effective Information Security Roadmap (Elliott Franklin)
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy-in for multiple enterprise-wide security projects.
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (Shawn Tuma)
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel (formerly the Texas Association of Bank Counsel) 42nd Annual Convention on September 20, 2018.
Talking about the Next-Gen Security Operation Center for IDNIC+APJII as a representative of IDSECCONF. A people-centric SOC requires a lot of investment in people, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology: as in Industry 4.0, machines are getting more advanced at supporting humans in continuous and repetitive tasks.
Moving from a “traditional” to a next-gen SOC requires a proper plan; that's what this talk was about.
An in-depth look at:
1. Disruptive Technology and its impact on organizations.
2. Need for a Security Operations Center (SOC) for the 21st century businesses
3. Designing and operating an effective SOC - what it takes to run a successful SOC starting from how we should prepare our minds in terms of approach to the actual implementation and operation.
4. Qualities any SOC Analyst should possess
5. Measuring the success of a SOC - We discuss critical factors to consider when determining the success of a SOC.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center requirements
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously for SOC.
A network operations center (NOC) is not a SOC: a NOC focuses on network device management rather than on detecting and responding to cybersecurity incidents. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same whether delivered from a SOC or not. The SOC is a meta-topic, involving many security domains and disciplines, depending on the services and functions that the SOC delivers.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security operations center (Persian: مرکز عملیات امنیت)
SOC presentation - Building a Security Operations Center (Michael Nickle)
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Understanding the Cyber Security Vendor Landscape (Sounil Yu)
We are often inundated with vendors offering their products and services to solve our various information security problems. How can you make sense of the wide range of technologies and ensure that your control gaps are being covered? Where are opportunities for technology disruption? Where are you overly reliant on technology? This is a framework for understanding security technologies so that you can align vendors in the right bucket to ensure that you have the suite of technologies that you need to execute your information security mission.
Cyber threat intelligence: maturity and metrics (Mark Arena)
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision support to executives, whilst the field of cyber threat intelligence supports this customer and network defenders, who have different requirements. By using the intelligence cycle, this talk will seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
SOC Architecture - Building the NextGen SOC (Priyanka Aash)
Why are APTs difficult to detect
Revisit the cyber kill chain
Process-oriented detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW
BEFORE, DURING AND AFTER AN ATTACK
View the webinar:
https://www2.fireeye.com/The_Board_and_CyberSecurity_webinar_EMEA.html?utm_source=SS
Download the full report:
https://www2.fireeye.com/WEB-2015-The-Cyber-Security-Playbook.html?utm_source=SS
What CIOs Need To Tell Their Boards About Cyber Security (Karyl Scott)
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
Most boards of directors don't have someone who understands cyber security issues. As a consequence, they can't provide proper oversight of the companies they are responsible for. This presentation will cover the issues boards of directors need to understand, the questions board members need to ask, and how to communicate with them.
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ... (Shawn Tuma)
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, at the January 27, 2017 meeting of (ISC)² Dallas Fort Worth Chapter.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, it addresses the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Cybersecurity Risk Management for Financial Institutions, by Sarah Cirelli
The New York State Department of Financial Services has been closely monitoring this ever-growing threat and has proposed regulations that would require financial services companies to adopt a cybersecurity program to protect their customers, employees, data and operations. Its proposed changes are expected to take effect on March 1, 2017. Financial services companies would have until Feb. 15, 2018, to submit a certificate of compliance with the program. Components of New York's proposed cybersecurity program are outlined in this article.
Cyber Risk Management in 2017: Challenges & Recommendations, by Ulf Mattsson
https://www.brighttalk.com/webcast/14723/234829?utm_source=Compliance+Engineering&utm_medium=brighttalk&utm_campaign=234829 :
With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk.
Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines.
Viewers will learn:
- The latest cybercrime trends and targets
- Trends in board involvement in cybersecurity
- How to effectively manage the full range of enterprise risks
- How to protect against ransomware
- Visibility into third party risk
- Data security metrics
The National Security Agency offers up free cyber security tips on their website www.nsa.gov/ia. This slideshare is a consolidation of those tips for easy reading and understanding.
A Russell Reynolds Associates study on cybersecurity that explores the importance of the relationship between the Chief Information Security Officer and the Board of Directors.
Apparently, bank directors are a very worried bunch. Nearly 20 members of Bank Director’s membership program responded to the question posed in last month’s newsletter: “What worries you most about the future?”
Cyber risk tips for boards and executive teams, by Wynyard Group
Craig Richardson, CEO of crime fighting software company Wynyard Group shares his recommendations for boards and executives on addressing cyber risks for their organisations.
Here are my slides on "Board and Cyber Security" that I presented at the Just People Information Security breakfast this morning. Thanks Adam for arranging the session and those who attended.
Discussion held at RSA on the five steps CISOs can use to assess their enterprise security program and architect one that meets the organization’s objectives and reduces its exposure to risk.
Current enterprise information security measures continue to fail us. Why is ..., by Livingstone Advisory
Conventional information security measures continue to fail our businesses in today’s rapidly changing world of cyber-risk. Adverse cyber-events manifest themselves as the usual suspects including data breaches, information theft, ransom- and malware, viruses, payment card fraud, DDOS attacks or physical loss – to name but a few.
Problem is, the tally of adverse events keeps mounting up. While headline adverse cyber incidents are now reported in the media with regularity, this represents the tip of the cyber-risk iceberg. Most known events are either unreported or hidden from public disclosure. Not helping, is the industry analysis suggesting that, on average, nearly half of all adverse cyber-risk events impacting organisations are self-inflicted and avoidable. No industry is untouched.
Delivered at the CIO Summit in Melbourne, Australia in November 2016, in this presentation, Rob offers valuable strategic insights into the problem and why it continues to be a problem.
He outlines some practical steps that will be helpful for CIOs and CISOs in reshaping their own organisation’s approach in building a more effective and resilient information security capability.
Information Security Governance at Board and Executive Level, by Koen Maris
Information security governance is a relatively new area, and it doesn't always receive the attention it requires, such as business support, management support and eventually the budgets necessary to keep Mr Evil out. The reasons why information security is not receiving the required attention are many, but a main issue in its failure to get onto the agenda could be that the upper levels of an organisational structure do not receive the information needed to get their attention, that companies are risk-taking rather than risk-averse, or that it seems impossible to identify value for the business. Security is about avoiding something, whereas a new application is about adding functionality in order to increase efficiency, production, etc. Unfortunately, security is still seen as a business disabler.
Transforming Information Security: Designing a State-of-the-Art Extended Team, by EMC
This paper from the Security for Business Innovation Council (SBIC), sponsored by RSA, can help your organization build a state-of-the-art extended security team through seven actionable recommendations.
For Corporate Boards, a Cyber Security Top 10, by David X Martin
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good management-practices perspective rather than a technical perspective.
At the Smart Technology Privacy Summit 2018, hosted by Feroot and the Privacy & Access Council of Canada, John Beardwood, Partner at Fasken Martineau LLP, explains the four reasons why boards of directors should care about privacy and security measures.
This presentation provides key legal information for any CEO or company leader seeking to fulfill GDPR Access Requests, also known as GDPR DSAR, GDPR DSR, and GDPR SAR.
About Feroot:
The Feroot GDPR DSAR Framework helps organizations understand, prepare for handling, and manage fulfillment of access requests using a self-serve approach from within their mobile apps, web apps, and portals.
Discussion 1: Recommend three countermeasures that could enhance.docx, by elinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of the existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach to information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of the chain of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them are increased transparency and accountability, which lead to an “improved transparency of IT costs, IT process, [and] IT portfolio” (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases”, which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability, and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
IT Risk Management & Leadership, 23 - 26 June 2013, Dubai, by 360 BSI
WHY IS THIS IT RISK ASSESSMENT WORKSHOP IMPORTANT?
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operations managers
Contact Kris at kris@360bsi.com to register.
Cyber presentation Sept 2019 v8 sent for upload, by savassociates1
An accountant is a valuable asset to any organization. He or she is a professional who performs accounting functions. Accounting is not confined only to tax and financial matters, as people generally think.
What is Cyber Security
What is Cyber Threat and Threat Landscape
Is Cybersecurity an IT Problem? It’s a human Problem
Role of a CFO
Well accepted Cybersecurity Frameworks and common Themes
SOC (Service Organization Control) and SOC for Cybersecurity
Recommended risk mitigation strategies for the weakest links of the Cybersecurity chain
Key Takeaways
Best Practices
It is never possible to guarantee that a company is totally secure or that a breach will not occur; however, implementing the latest tools and providing ongoing end-user education will minimize those risks and allow companies to focus more on growing their business rather than repairing it.
Who is responsible for security in the enterprise? Every company takes a different approach, but in many cases, accountability and authority do not reside in the same role. When this happens, it’s hard to tell who is responsible for securing digital assets. No wonder executives are worried.
A to Z of Information Security Management, by Mark Conway
The purpose of information security is to protect an organisation’s valuable assets, such as information, Intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance to the ISO27001 Information Security standard.
The Significance of IT Security Management & Risk Assessment, by Bradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
Learn how an integrated approach, strategic reach and measurement systems of Influencers point to a new kind of security organization and a new breed of leader. For more information on IBM Systems, visit http://ibm.co/RKEeMO.
Visit the official Scribd Channel of IBM India Smarter Computing at http://bit.ly/VwO86R to get access to more documents.
2. 2 | P a g e
Energy Company Boards, Cybersecurity,
and Governance 1.11
http://www.EnergyCollection.us/456.pdf
The purpose of this paper is to provide some thoughts related to Energy Company Boards and the question of Cybersecurity Governance. [2] Board Governance, like Cybersecurity, is a complicated subject. Both abound in Best Practice claims, but agreed-upon Best Practices are scarcer. Both require a thoughtful understanding of the situation, careful consideration of the implications, and then decision making as to how to proceed given unique circumstances. In short, one size does not fit all – for either Board Governance or Cybersecurity – so it should be no surprise that when the two concepts are combined it becomes even murkier.
A recent report, however, sums up the situation:
“It has long been recognized that directors and officers have a fiduciary duty
to protect the assets of their organizations. Today, this duty extends to digital
assets, and has been expanded by laws and regulations that impose specific
privacy and cyber security obligations on companies. This is the third biennial
survey that Carnegie Mellon CyLab has conducted on how boards of directors
and senior management are governing the security of their organizations’
information, applications, and networks (digital assets). First conducted in
2008 and carried forward in 2010 and 2012, the surveys are intended to
measure the extent to which cyber governance is improving. The 2012 survey
is the first global governance survey, comparing responses from industry
sectors and geographical regions.”
“For the third time, the survey revealed that boards are not actively
addressing cyber risk management. While placing high importance on risk
management generally, there is still a gap in understanding the linkage
between information technology (IT) risks and enterprise risk management.
[1] June 15, 2014
[2] It is important to make clear, when talking with IT people, the distinction between Board Governance and IT Governance. The term “IT Governance” is in widespread and useful use but is entirely different from Board Governance. This can get confusing, as no other business function would typically use the term “Substitute-the-Function-Name Governance”. The IT Governance Institute, however, tries to mix the two with their definition of IT Governance: “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.” Finally, “Internet Governance” is also an entirely separate matter from Board Governance.
Although there have been some measureable improvements since the 2008
and 2010 surveys, boards still are not undertaking key oversight activities
related to cyber risks, such as reviewing budgets, security program
assessments, and top-level policies; assigning roles and responsibilities for
privacy and security; and receiving regular reports on breaches and IT risks.
Involvement in these areas would help them manage reputational and
financial risks associated with the theft of confidential and proprietary data
and security breaches of personal information.” [3]
Organization of the paper includes the following sections (Table of Contents):
1. Board Expertise and Structure
2. Boards, Management, and Cybersecurity
3. Risk Management and Cybersecurity
4. Questions a Director Should Ask
5. Traps Not to Fall Into
6. IT vs. OT (ICS)
7. FERC NERC and CIP
8. NERC CIP Auditing
9. Best Practices
10. Technology and Other Things to Think About
11. Attachment A - Version History
The body of the paper attempts to address the most important considerations related to
Boards and Cybersecurity. Each Board will have to find their own way – but this paper may
be useful in teeing-up the discussion and decision process.
The paper contains many references in the form of page footnotes to assist with clarity and/or further research. In addition, a much longer document can be downloaded that is a collection of terms, articles, reports and other references that a Director might want to access to deepen their understanding of the subjects discussed here. It can be downloaded at http://www.EnergyCollection.us/457.pdf
Board Expertise and Structure
At a minimum, Boards should do the following:
1. Discuss and Decide – have a discussion of the subject of cybersecurity. Recognize it as a risk – but a special, pervasive and permanent risk. In that discussion (or discussions), evolve the Board’s specific policies and procedures for addressing the subject.
2. Assign Board Responsibility – within the Board structure – address the question of
who is responsible (more on this below).
[3] See Governance of Enterprise Security: CyLab 2012 Report, http://www.EnergyCollection.us/Energy-Security/Governance-Enterprise-Security.pdf
3. Get Regular Reports – normally, a Committee assigned the task of overseeing the
Company’s activities in the cyber area will receive regular reports (updates) from
Management. This may be an integral part of the Company’s Risk Management Process.
4. Stay Informed – Cybersecurity is not part of the background of most Board members
but it is now a critical area of business. Therefore, most Board members do not have
experience to rely on to assist in their “duty of care” obligation and so need to
purposefully bring up their knowledge level in this area.
Boards are typically made up of a collected skill set that is aligned with the purpose and successful execution of the Corporation’s Mission. Knowledge in Financial Matters, Generation, Transmission, Markets, and industry workings is all needed expertise for an Energy Company Board. Duty of Care [4] requires Directors to exercise reasonable care in executing their duties. Directors may rely on the Business Judgment Rule [5] for some protection – and that makes sense to the extent that the Directors are qualified to make judgments in the cybersecurity area. Reliance on Experts is often the route for exercising duty of care – using the opinions of others as a substitute for personal expertise.
An operable description of Reliance on Experts is:
“Unless an officer or director has knowledge that makes reliance
unwarranted, an officer or director, in performing his or her duties to the
organization, may rely on written or oral information, opinions, reports, or
statements prepared or presented by: (i) officers or employees of the
association whom the officer or director believes in good faith to be reliable
and competent in the matters presented; (ii) legal counsel, public
accountants, or other persons as to matters which the officer or director
believes in good faith to be within the person's professional or expert
competence; or (iii) in the case of reliance by directors, a committee of the
board on which the director does not serve if the director believes in good
faith that the committee merits confidence.” [6]
Reliance on Experts should be closely considered in the case of cybersecurity and Boards for
the following reasons:
1. No Director can hope to be a cybersecurity expert – it is beyond a full time job to
understand and stay current with Cyber risk and technology. Therefore, Reliance on
Experts is inescapable. Experts may include selected Management and/or outside
experts.
2. Cybersecurity is a pervasive and permanent risk. It applies to almost all business
operations and all people in the business. While some might have more responsibility
than others – cybersecurity is everyone’s business.
Given the importance of cyber security, and that Boards have typically been compiled with
the traditional business in mind – it brings up the question:
[4] See http://en.wikipedia.org/wiki/Duty_of_care
[5] See http://en.wikipedia.org/wiki/Business_Judgement_Rule
[6] See http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12217
“How much cyber knowledge do we need on the Board to exercise our duty of care, and to appropriately rely on experts?”
Generally, reliance on experts is confirmed via enough knowledge to evaluate the efficacy of
experts, and then execution of a Q&A phase when the experts make conclusions available to
the Board. Boards must have enough cyber knowledge to properly rely on experts –
otherwise it is blind faith.
However, just as no Director can aspire to be a cybersecurity expert, there may be no need
to make all Directors cyber-literate – and a Committee designated to the purpose may be
the appropriate solution.
4.1. The Audit Committee – a possible home, but concerns with defocusing from the
primary Committee role may arise. Committee talent issues may arise. Generally,
Audit Committee advisors include cybersecurity in their product/service offering –
but a Board should not assume this is the right place without careful thought.
4.2. The Risk Management Committee – a possible home. Need to ensure Board talent is appropriate. [7]
4.3. The IT or Technology Committee – if the Board has such a Committee, it may be the logical place for executing the Board’s responsibilities with respect to cyber risk and to keep the full Board informed and advised. [8] There is an argument, however, that IT project budgets may stifle proper cyber expenditures in trade-off decisions.
4.4. Cybersecurity Committee – an obvious placement of responsibility, but Committee proliferation and drains on Directors’ time have to be considered as well.
A drawback that should be overtly recognized to any Committee assignment is that
cybersecurity – as a pervasive risk – virtually cuts across all operations of the Company and
therefore all Board Committees.
Given the pervasive nature of the cyber risk – it may make sense for all the Board
Committees to at least have written into their Charter – consideration for the Cyber Risk
that specifically applies to their own governance area (Committee). To fulfill that obligation
they may need assistance from the Committee of the Board that has the cyber responsibility
directly assigned.
Another policy Boards may want to consider is a periodic meeting of the entire Board to
hear about cybersecurity from Management and from the Board Committee on how it is
executing its role.
[7] In MISO (www.misoenergy.org), the Corporate Governance Committee has responsibility for the Risk Management Process – but each of the separate Board Committees has responsibility for Risks that fall within their areas of responsibility. The Corporate Governance Committee also has the responsibility for ensuring no risk is unassigned to a Committee of the Board.
[8] MISO (www.misoenergy.org) has such a Committee and has assigned cyber responsibility to that Committee.
Boards, Management, and Cybersecurity
Like all other issues – there needs to be an understanding of the Board’s Role and
Management’s Role in cybersecurity. Perhaps a useful analogy is with the Sarbanes-Oxley
implementation we are familiar with over the last decade. SOX not only requires that the
Board attest to the validity of the financials, but to have Controls in place to inform that
attestation. Cyber can be handled similarly – we need someone to tell the Board all is well,
but we need to have additional insight into why that is so.
Each Board deals with this subject in different ways, but certainly it would be a Best Practice
to have a discussion of the subject and a resulting understanding of the “rules” that will
govern the interaction between Management and the Board with respect to Cybersecurity.
Here is an example set [9], but others may have adopted different policies depending on their own circumstances:
1. The Board takes its responsibilities for cybersecurity seriously in combination with the
CEO – “tone at the top” to support appropriate cybersecurity protections is required.
2. Management is responsible for cybersecurity – and will be fully responsible for achieving
a cyber-secure state at all times.
3. No matter how Management chooses to execute its responsibilities – the CEO is
ultimately responsible and the Board’s main task is to hold the CEO accountable.
4. The XYZ Committee of the Board has primary responsibility for Management oversight
and duty of care execution related to cybersecurity, including advising the full Board on
such matters. The Committee only acts in an advisory capacity to the full board and
Committees of the Board.
5. The Board may elect to put certain “Guiding Principles” in place to guide Management
actions on cybersecurity:
5.1. Management must assign total cyber responsibility to a single high level manager with direct access to the CEO. This may be a CISO [10], or another individual that would have CISO responsibilities in addition to other responsibilities. The Board Committee will have full access to this CISO for Q&A.
5.2. Compliance must be accomplished within the context of being cybersecure – not vice versa.
5.2.1. A singular focus on CIP [11] Compliance can be counterproductive. [12]
5.3. Where we have compliance violations – the company policy is to self-report. Failure
to self-report is a serious performance shortfall. NERC CIP standard violations must
be considered in context by the Board – with care taken not to cause unwarranted
action by Management.
5.4. Where an employee observes non-compliance with a Best Practice (non-NERC-CIP)
– the policy is to report it to the CISO.
[9] This is more attuned to the MISO (www.misoenergy.org) approach.
[10] CISO = Chief Information Security Officer (a common approach).
[11] See http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
[12] See Patrick Miller comments at http://www.EnergyCollection.us/Companies/FERC/TC-2014-04-29/Anfield-Group-Patrick-Miller.pdf
5.5. Management shall maintain a set of Best Practices with respect to cybersecurity and
measure and report against these Best Practices. These Best Practices must
additionally result in full compliance with NERC CIP and other legal requirements.
Contradictions between compliance/legal obligations and Best Practices will be
surfaced as information to the responsible Board Committee.
5.6. Management will secure and periodically rotate an outside entity to perform a cyber-
assessment of the Company’s cybersecurity condition. Such assessment will be
made available to the responsible Board Committee as will the Assessor for Director
Q&A.
5.7. All successful cyber intrusions will be timely reported to the responsible Committee
Chair.
5.8. After adopting any Best Practice – all deviations from this Best Practice will be
reported to the responsible Board Committee, as will all NERC CIP violations and
self-reports.
5.9. The Board Committee should consider budgetary responsibility. While typically the
Audit and Finance Committee of the Board oversees and advises the Board on the
Budget – it may make sense to have the cyber-responsible Committee have a
strong hand in approving the cybersecurity budget. In any case, the budget
request of the CISO should get scrutiny by the responsible Committee and not be
altered arbitrarily without discussion with the responsible Committee.
Of course, there are always temptations [13] to step over the line – things like ordering the “gluing shut of all USB ports on OT/ICS machines” might be a good idea – but it is Management’s call and not for the Board to decide. Excessive Board intervention into how to be cybersecure shifts the burden of responsibility and lessens the probability of actually being cybersecure.
That said, there are also legitimate reasons – related to duty of care – to step over an
otherwise clear demarcation of Management/Board. Such a case might be repeated failure
to maintain metrics, repeated breaches, repeated shortfalls in implementing Best Practices,
unreasonable schedule slips, etc. Where the required results are not forthcoming, the
Board has a deeper responsibility to understand why and not to stop until they do
understand why and are satisfied with the resulting recovery plan.
Finally, the CEO has to play a role in cybersecurity even though it is customary to delegate
to a CISO. Because cybersecurity is everyone’s business in a Company – the CEO needs to:
1. Choose a CISO wisely and closely monitor performance.
2. Personally approve and support the Company cybersecurity Plan/Policies.
3. Display visible support for the cybersecurity effort.
4. Increase his or her own skills and knowledge about this risk and mitigation.
5. Be an active part of the bridge between the Board and Management.
6. Ensure proper budget and expenditure prioritization.
[13] Subject matter passion, subject matter expertise, misunderstanding of roles, or showmanship.
Risk Management and Cybersecurity
Certainly cybersecurity is a risk to the Company, and therefore it needs to be considered within the Company’s Risk Management Platform. However, cybersecurity does have some special characteristics that make it perhaps deserving of specialized attention:
1. The Bit[14]-To-Electron Ratio is growing exponentially in the electricity business – and will continue to do so into the foreseeable future.
2. The emerging interdependencies between customer actions and the Bulk Electric System – all driven by software – will increase in the future as the “Internet of Things”[15], the evolving role of markets, and shrinking capacity margins approach.
3. Cyber-attacks can happen in many ways – it is everyone’s job to think about cybersecurity.
4. Cyber-attacks are a permanent phenomenon – the risk will not go away – we can only offer mitigation and build resilient[16] systems.
5. Cyber-attacks are unstoppably growing – the elements at risk, the threat actors, and the threat capabilities are growing, and there is probably nothing we can do about that side of the ledger as individual companies.
Certainly, cybersecurity can be evaluated within the common Risk equation:
Risk = Threat X Vulnerability X Impact
or another similar expression:
Risk = Probability X Impact
But then, it needs to be recognized that Threats are on a steep ramp up, Vulnerability is increasing as noted above, and Impact is always high. Of course, Impact needs to be evaluated based on the particular action or project being contemplated – but some useful thoughts to keep in mind are that the electricity bills in the US add up to about $300B, and that outages (95% of which are Distribution related) cause customers $100B in losses. The 2003 Bulk Electric System outage cost $6B. The San Diego outage of 2011 cost over $100M. On the pure fines issue – the Florida 2008 outage resulted in a fine of $25M. These are all big Impacts.
[14] Bits are essentially the raw material of software programs and associated communications.
[15] See Wikipedia at http://en.wikipedia.org/wiki/Internet_of_Things
[16] See "Nexus of Cybersecurity and Public Policy – Some Basic Concepts and Issues" at http://www.EnergyCollection.us/Energy-Security/Nexus-Cybersecurity-Public.pdf at 61 of 103 for a good discussion of resilient systems.
Questions a Director Should Ask
A Board’s responsibilities include “Duty of Care”[17], which is often displayed, informed, and executed in the form of Q&A to Management and Subject Matter Experts. Below is a list of questions (bolded, and some containing non-bolded comment to assist the question) that a Board or Board Committee might ask in the area of cybersecurity to help carry out their duties in the cyber area:
1. Do we have the skills on the Board to properly execute our duty of care in the area of cybersecurity?
2. What is the entire set of Compliance obligations and laws we have to follow in the IT and Cybersecurity areas?
2.1. Make sure state laws are considered as well as federal.
2.2. Discuss legal liabilities.
3. What is our cyber-risk tolerance?
3.1. Are there parts of the overall system that need to be protected more than others?
4. Are the responsibilities for cybersecurity clearly spelled out, communicated, and being enacted across the entire organization?
4.1. Look for centralization of overall responsibility.
4.2. Do not separate IT from OT/ICS[18] responsibility with respect to cybersecurity.
4.3. Make clear the role of the internal auditor.
4.4. Heavily consider a CISO reporting to the CEO rather than the CIO.[19]
5. How are you thinking about Cybersecurity vs. Compliance?
5.1. Hopefully, compliance is being accomplished within the context of being cyber secure, and true cybersecurity is the first line of defense.
5.2. No CIO or CISO should believe that Compliance will make the Company secure.
6. How do we measure cyber risk and our activities to address it?
6.1. Not an easy question to answer. The state of the art is evolving and initial tries will likely improve over time.
6.2. Once Best Practices for the Company are established – the number of deviations may be appropriate as one of the metrics.
7. What are our Best Practices, where did you get them from, why did you select them, and how are we keeping them up to date?
7.1. Not an easy question. There are lots of sources for best practices and NERC CIP is not likely to be one of them due to the severe time lag in the process.
7.2. NIST standards and the new NIST Cyber Security Framework, directed by Executive Order[20], might be acceptable answers – many think it is a de facto standard.[21]
[17] See http://en.wikipedia.org/wiki/Duty_of_care
[18] See the IT vs. OT (ICS) section of this paper starting on page 10
[19] See http://energy.gov/oe/services/cybersecurity/electricity-subsector-cybersecurity-capability-maturity-model-es-c2m2
[20] See the President's Executive Order directing NIST to develop a voluntary Framework - http://tinyurl.com/b7ag5fr
[21] See Patrick Miller comments at http://www.EnergyCollection.us/Companies/FERC/TC-2014-04-29/Anfield-Group-Patrick-Miller.pdf
8. What is our present status as to implementing our Best Practices and schedule going forward?
9. When considering the various systems that we control – have you asked and answered the question: “What is the worst thing a person or group could do to a critical asset if they possessed the intent, access, and knowledge to perform a malicious act?”
9.1. This reference[22] is worth reading before engaging Management in the cyber discussion.
10. How are we incorporating the concepts of resilient systems[23] into our operations?
10.1. This is a complicated subject in its own right, but generally refers to our ability to “harden” our capabilities to survive, and/or partially function and quickly recover from a cyber-attack.
11. Do we have a Security Operations Center (SOC[24])?
11.1. Security Operations Center (SOC)[25] – many companies have found this to be a beneficial approach. “A security operations center (SOC) is a centralized unit in an organization that deals with security issues, on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology. Typically, it is equipped for access monitoring, and controlling of lighting, alarms, and vehicle barriers.”[26]
12. Do we have a Security Information and Event Management (SIEM[27]) System?
12.1. A SIEM[28] is a widely used and accepted Best Practice – it collects logs and event information into a centralized location, for analysis and event correlation.
13. Are we testing for Advanced Persistent Threats[29]?
13.1. APT activity is not detected by traditional security monitoring. Specialized firms (e.g. Mandiant) that have done government or military consulting have the expertise to identify fingerprints left by APT attempts or actual APT infestation.
14. Are we training our software developers to build security into their code?
14.1. This is becoming more critical since security was historically an afterthought or add-on for most software development.
15. How do we stand relative to others that have the same challenges as our Company?
15.1. It is common for like companies to form formal and informal groups to discuss Best Practices and results – however, disclosures are normally opaque within the group.
[22] Quoted from Industrial Control Systems Cyber Threat Research - http://www.EnergyCollection.us/Energy-Security/Industrial-Control-Systems.pdf The Question for Management is taken directly from the reference.
[23] See Resilient Control Systems - http://en.wikipedia.org/wiki/Resilient_control_systems
[24] SOC is pronounced with a short “O”.
[25] See http://en.wikipedia.org/wiki/Security_operations_center
[26] Quote from Wikipedia
[27] SIEM is pronounced with a long “I” and silent “E” as in SIM.
[28] Security Information and Event Management - http://en.wikipedia.org/wiki/Siem
[29] Advanced Persistent Threat - http://en.wikipedia.org/wiki/Advanced_persistent_threat
16. Do you have adequate budget, and how are you prioritizing?
17. How do our cybersecurity policies extend into the supply chain, and how are we protected from supply chain vulnerabilities?
17.1. Note – e.g. there have been cases of shrink-wrapped USB memory sticks that were already infected.
17.2. Note – we buy and use a lot of third party software – how do we ensure it is free of infection and backdoor[30] vulnerabilities?
18. What special risks are we running by being so interconnected with other parts of the grid and Balancing Authorities; and what risks do we potentially expose them to?
19. What qualifications do our employees have in the cyber area to be able to identify and put in place Best Practices?
20. Do we have a training program for all employees?
20.1. Consider using Social Engineering[31] Testing - Generally, the weakest entry point into our systems is through humans/employees. Awareness programs coupled with specific testing of social engineering approaches tend to improve the security profile.
20.2. CIOs report that it is very difficult to reduce employees’ clicking of links in test fraudulent emails to a level even below 10%.
21. What is our recovery plan if we suffer a successful cyber-attack?
22. Do we have Cyber-Insurance? Should we?
23. How is our D&O Insurance connected to the question of being cybersecure?
24. What Organizations (including government) are we working with to lessen our chances of a successful attack?
25. What question haven’t we asked that we should have asked?
Some of these questions might trigger further questions when the Cyber-Responsible Committee meets with the external organization hired to assess the state of the Company’s cyber security posture. The Committee also ought to ask them: “Has anyone tried to influence the content of the report and is there any information being withheld?” It is also a good idea to ask the outside expert the open-ended trigger: “What question haven’t we asked that we should have asked?”
As an additional reference - the National Association Of Corporate Directors (NACD) has a report available[32] – Cybersecurity: Boardroom Implications – that provides a perspective based on interviewing Board members, Management, and Cyber-Experts. A useful part of the 16 page document is “Ten Questions Directors Can Ask Management Once A Breach Is Found.”
[30] See http://en.wikipedia.org/wiki/Backdoor_(computing)
[31] See http://en.wikipedia.org/wiki/Social_engineering_(security)
[32] See http://tinyurl.com/pdcwva7
Traps not to Fall Into
It is almost impossible not to have violations from a NERC CIP Audit, or through a Self-Report regime. It is important to understand the particular violation in context and to react accordingly. The Management team needs to know that the Board is focused on Cybersecurity within its risk context – and not on an all-out effort to ensure compliance no matter what – i.e. do not take your eye off the Cyber-Ball by pretending the real game is Compliance.
“Gotcha” questions related to a drill-down on some specific cyber technology will rarely move the ball along in terms of Management/Board relations or Company Cybersecurity. Cybersecurity is a complicated and wide-ranging subject and the Board needs to take a holistic top-down approach that can increase in sophistication over time.
Trust is not a substitute for duty. It may well be that the Company has great cyber resources in terms of people and budget, but Management’s claims to being cyber secure need to be tested by the Board via direct Q&A with both Management and outside experts that have done their own evaluation. Insisting on outside experts to look at the cyber posture of the Company is not a lack of trust in Management – it is a Best Practice in Cybersecurity and should not be resisted by Management.
IT vs. OT (ICS)
IT is classic Information Technology – email, billing, Customer Information Systems (CIS), and the normal systems found in any company. OT is Operational Technology – software and hardware systems that are unique to a class of industries that produce goods and services reliant on these OT systems. ICS – Industrial Control Systems – is really just another term for OT. At the core of our OT/ICS systems is our SCADA[33] network. The Industries that most use OT/ICS systems are also generally the Industries defined by DHS as Critical Infrastructure Sectors.[34]
Many OT/ICS systems used in the energy business were not designed with security in mind – for basically two reasons:
1. Many are old and were designed when cybersecurity was not a prevalent risk.
2. Many were designed with the thought that they would be “air gapped” from other systems – i.e. not connected physically (or wirelessly) to other systems (typically IT systems and the Internet) that had a higher exposure to the threat and might be a carrier for an attack.
Today newer systems are being designed with cybersecurity in mind for 3 reasons:
[33] MISO has 290,000 points on its SCADA network.
[34] See http://www.dhs.gov/critical-infrastructure-sectors
1. Cyber-attacks are now a persistent and permanent threat.
2. OT/ICS systems are becoming more and more linked to IT type systems (i.e. IT/OT Convergence).
3. It is now recognized that air-gapped systems are still vulnerable despite the air gap (the most notable example is Stuxnet[35]).
Despite the fact that air-gapping is now recognized as not sufficient protection for an IT system – it is still considered a good practice. A methodology to bridge IT and OT/ICS systems is the common practice in nuclear plants of using a unidirectional gateway to replicate the Data Historian on the OT/ICS side over to the IT side on a real-time basis. In this configuration it is impossible for the IT side to infect the OT/ICS side as the data can only flow one way.[36]
It also needs to be recognized that wholesale change-out of legacy systems that do not contain cyber protections as an integral part of the design may not be feasible. In these cases, other cyber protections are needed until newer systems are implemented. A mixed IT environment of legacy and new is likely to exist for several years.
FERC, NERC[37] and CIP
FERC and NERC want the same thing when it comes to cybersecurity – properly protected systems. However, the tools they have at their disposal are almost entirely Compliance related. NERC makes CIP standards based on a long, drawn-out process culminating in an industry vote, followed by NERC Board of Trustees approval, and ultimately FERC approval. While FERC cannot dictate standards, the give-and-take between FERC and NERC has evolved to where FERC can exert enough push-back to get what it desires, albeit with a very long time-lag – but still within the confines of the Federal Power Act.
The fundamental issue with a Compliance based approach to cybersecurity is that it cannot achieve – but only contribute to – cybersecurity. NERC CIP Standards are many years out of date by the time they become effective. During the time between standard development and it taking effect – the fast moving world of Cybersecurity threats and counter-technology has changed considerably.
Recognizing the industry reaction to a purely Compliance based approach, and that it is insufficient to actually achieve the objective of secure systems – there are movements in the direction of new approaches. NERC has established the ES-ISAC[38] which attempts to establish "situational awareness, incident management, coordination, and communication capabilities within the electricity sector through timely, reliable and secure information exchange. The ES-ISAC, in collaboration with the Department of Energy and the Electricity Sector Coordinating Council (ESCC), serves as the primary security communications channel for the electricity sector and enhances the ability of the sector to prepare for and respond to cyber and physical threats, vulnerabilities and incidents."
[35] Stuxnet - http://en.wikipedia.org/wiki/Stuxnet and http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet#
[36] A LASER transmitter is on the OT/ICS side and transmits over a fiber to the IT side that only contains a photo-receiver. There is no receiver on the Nuclear OT/ICS side.
[37] The Nuclear Regulatory Commission sets standards for the nuclear plants rather than NERC.
[38] See Electricity Sector Information Sharing and Analysis Center (ES-ISAC) - https://www.esisac.com/SitePages/Home.aspx
FERC has established the Office of Energy Infrastructure Security[39] (OEIS) which “provides leadership, expertise and assistance to the Commission to identify, communicate and seek comprehensive solutions to potential risks to FERC-jurisdictional facilities from cyber-attacks and such physical threats as electromagnetic pulses.”
Both the ES-ISAC and OEIS are positive NERC and FERC reactions to a Compliance system that will not make us cyber-secure, and that ultimately needs to be changed in Congress. Presidential Policy Directive 21 and the resulting NIST Framework also fit the general theme that we need to do more and probably need comprehensive legislation.
NERC CIP Auditing
NERC auditors audit against the NERC CIP Standards on a regular basis. Auditors typically are confined to discovery and findings within the narrow context of what is written in the standards. Fines can only be rendered against violations of the then-in-effect CIP Standards. In summary, it is a narrowly designed system that is not ideally suited to actually being cybersecure.
When a CIO/CISO/CSO/CTO/CRO[40] is asked the question “Would you be cybersecure by adopting NERC CIP as Best Practices, and meeting every standard 100%, but not having separate or augmented cybersecurity policies in place?”, every CIO/CISO/CSO/CTO/CRO will answer: “No.” And yet, we spend hundreds of millions in the industry to make/comply/audit/fine against these CIP Standards. While there seems to be little alternative under current laws – it leaves a Company and its Board in a quandary:
If being Compliant will not make us cybersecure – what Best Practices will?
That central question is perhaps the most important for Management to answer, and the process of answering it is what the responsible Committee of the Board needs to understand.
[39] See https://www.ferc.gov/about/offices/oeis.asp
[40] CIO = Chief Information Officer; CISO = Chief Information Security Officer; CSO = Chief Security Officer; CTO = Chief Technical Officer; CRO = Chief Risk Officer. These are the most-senior positions often vested with overall cybersecurity responsibility. Given that the Chief Compliance Officer (CCO) responsibility is a subset of Cybersecurity – the Board may want to think twice about such an assignment.
Best Practices
(this section still under development)
Although we cannot rely on Standards alone to be cyber-secure, a Best Practice is to participate in Standard development activities where possible. These include:
1. The NIST Framework and Roadmap for Smart Grid Interoperability Standards.[41]
2. NERC Critical Infrastructure Standards[42]
3. GridWise Architecture Council[43]
Contacts and relationships with other involved organizations should also be fostered and considered Best Practice:
1. DHS – see below
2. FBI Cyber Crime[44]
3. FBI InfraGard - is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.[45]
4. State and Local authorities
5. State Commissions
In addition to evolving Standards to improve the level of protection, companies should be accessing various sources to constantly improve their level of understanding of the possibilities and building an appropriate protection system. These include:
Tier I – industry specific efforts
1. CRISP - is a pilot program that provides a near-real-time capability for critical infrastructure owners and operators to share and analyze cyber threat data and receive machine-to-machine mitigation measures. A number of power sector companies, in conjunction with the ES-ISAC, DOE, Pacific Northwest National Laboratory, and Argonne National Laboratory, are participating.[46]
2. DHS US-CERT - US-CERT has established several important collaboration groups and programs to foster and facilitate information sharing on cybersecurity issues among government agencies.[47]
3. DHS ICS-CERT - The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.[48]
[41] See http://nist.gov/smartgrid/framework3.cfm - release 3 available for comments - 2014-06-04
[42] See http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
[43] See http://www.gridwiseac.org/about/mission.aspx
[44] See http://www.fbi.gov/about-us/investigate/cyber
[45] See https://www.infragard.org/
[46] See http://tinyurl.com/jvn2fcc
[47] See http://www.us-cert.gov/government-users
4. DOE Electricity Subsector Cybersecurity Capability Maturity Model.[49]
5. DOE Argonne National Lab[50]
6. DOE Idaho National Lab[51]
7. DOE Pacific Northwest National Laboratory[52]
8. DOE Sandia National Lab[53]
9. DOE Industrial Control Systems Joint Working Group (ICSJWG)[54] - The Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) established the Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing and reduce the risk to the nation’s industrial control systems. The ICSJWG is a collaborative and coordinating body operating under the Critical Infrastructure Partnership Advisory Council (CIPAC) requirements. The ICSJWG provides a vehicle for communicating and partnering across all Critical Infrastructure and Key Resources Sectors (CIKR) between federal agencies and departments, as well as private asset owners/operators of industrial control systems. The goal of the ICSJWG is to continue and enhance the collaborative efforts of the industrial control systems stakeholder community in securing CIKR by accelerating the design, development, and deployment of secure industrial control systems.
10. FERC Cyber and Grid Security[55]
11. FERC Office of Energy Infrastructure Security (OEIS) - The Office of Energy Infrastructure Security (OEIS) provides leadership, expertise and assistance to the Commission to identify, communicate and seek comprehensive solutions to potential risks to FERC-jurisdictional facilities from cyber-attacks and such physical threats as electromagnetic pulses.[56]
12. NERC ES-ISAC
Tier II – Professional Organizations and Recommendations
1. Aberdeen Group - The IT security practice examines technologies used to ensure the confidentiality, integrity, availability, and authenticity of enterprise data and data transactions, from application security, endpoint encryption, master material data management, Cloud and Web security, data loss prevention, data protection, email security, Web security and others.[57]
[48] See https://ics-cert.us-cert.gov/
[49] See http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity
[50] See http://www.dis.anl.gov/projects/cybersecurity.html
[51] See http://www.inl.gov/nationalsecurity/capabilities/security/
[52] See http://cybersecurity.pnnl.gov/
[53] See http://www.sandia.gov/missions/defense_systems/cybersecurity.html
[54] See https://ics-cert.us-cert.gov/Industrial-Control-Systems-Joint-Working-Group-ICSJWG
[55] See http://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity.asp
[56] See http://www.ferc.gov/about/offices/oeis.asp
2. EnergySec - The Energy Sector Security Consortium, Inc. (EnergySec) supports organizations within the energy sector in securing their critical technology infrastructures, as well as collaborative programs and projects that improve the cyber security posture of these organizations.[58]
3. Forrester, reports and analysis.[59]
4. Frost & Sullivan, Network Security – performing continuous monitoring and evaluation of Intrusion Detection & Prevention Systems, Security Event Correlation, Managed Security Services, Web Application Firewalls, SSL VPN, Hardware Authentication Devices, Endpoint Security, Content Filtering, Anti-Virus, WLAN Security, Identity Management, Firewall/VPN, and Biometrics.[60]
5. Gartner, Security & Risk Management – cyber related events, research, and reports.[61]
6. Ponemon Institute - conducts independent research on privacy, data protection and information security policy.[62]
7. SANS Internet Storm Center - gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe.[63]
Tier III – Vendor Recommendations
A very long list of vendor declared Best Practices can be compiled – a few are shown below as examples. These claims should be vetted carefully before being added to a company’s approved Best Practices list.
Technology and Other Things to Think About
Cybersecurity is not only complicated, but it is quickly evolving as vendors develop new products and services to counteract the ever increasing attack vectors. Some specific items a Board might want to explore further are discussed below:
[57] See http://www.aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx
[58] See http://www.energysec.org/
[59] See http://www.forrester.com/search?N=10001+40004+200518&sort=3&range=504005&labelText=
[60] See http://www.frost.com/prod/servlet/svcg.pag/ITNT
[61] See http://www.gartner.com/technology/research/security-risk-management.jsp?fnl=search&srcId=1-3478922254
[62] See http://www.ponemon.org/
[63] See https://isc.sans.edu/
Communications between Machines
Energy companies are dependent on the accuracy of data to operate properly. One point[64] of exposure is the communication channels (and transmission protocols) between machines – e.g. between SCADA devices and Control Centers or even between Control Centers. CIP5 as approved by FERC does not directly address these vulnerabilities – but the Energy Companies must examine these connections and deploy appropriate safeguards.
Digital Certificates and Keys – these are authentication and encryption software mechanisms to allow and protect access. Typically companies have done a good job on person based access, but machine-to-machine access has not had the same focus. Very few CIOs know how many digital certificates they have in use, or have a quality management system for these certificates or encryption keys.[65] Many of the high profile and more recent attacks take advantage of this lack of focus – e.g. Stuxnet, Snowden and the NSA attack, and others. Many keys in use today have lower key strengths and longer expiration limits than are written into NIST standards. CIP standards are silent on this subject, and Grid Operators not following NIST or some other set of Best Practices that addresses this subject are vulnerable. This is likely to become even more important as a push to more encryption on our communications systems (DNP[66], ICCP[67]) becomes more likely.[68]
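As an added illustration (not from the paper or any vendor) of the point that few CIOs know what machine certificates and keys they hold or how strong they are, the following Go program audits an inventory of DER certificates against key-size floors and a validity-period limit. The RSA 2048 and ECC 224 minimums follow NIST SP 800-131A; the 397-day maximum validity, the 30-day expiry warning and the three sample certificates (substation RTU gateway, ICCP link, historian replica) are constructed values standing in for a company's own Best Practice and its real inventory.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy thresholds: the key size floors are the NIST SP 800-131A minimums; MaxValidity
// and ExpiryWarn are constructed example values standing in for a company's Best Practice.
type Policy struct {
	MinRSABits, MinECBits   int
	MaxValidity, ExpiryWarn time.Duration
}

var DefaultPolicy = Policy{2048, 224, 397 * 24 * time.Hour, 30 * 24 * time.Hour}

// Finding is one policy deviation on one certificate.
type Finding struct{ Subject, Issue string }

// Audit parses one DER certificate (as exported from a device or key store) and checks
// its key strength and validity window against the policy as of time now.
func Audit(der []byte, now time.Time, p Policy) ([]Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var out []Finding
	add := func(issue string) { out = append(out, Finding{cert.Subject.CommonName, issue}) }
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < p.MinRSABits {
			add(fmt.Sprintf("RSA key is %d bits, policy minimum is %d", bits, p.MinRSABits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < p.MinECBits {
			add(fmt.Sprintf("EC key is %d bits, policy minimum is %d", bits, p.MinECBits))
		}
	default:
		add("unrecognised public key type, review manually")
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > p.MaxValidity {
		add(fmt.Sprintf("validity period of %.0f days exceeds policy maximum", v.Hours()/24))
	}
	if now.After(cert.NotAfter) {
		add("certificate has expired")
	} else if cert.NotAfter.Sub(now) < p.ExpiryWarn {
		add("certificate expires within the warning window")
	}
	return out, nil
}

// must panics on error; used only while building the constructed sample data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned issues a self-signed certificate for the constructed inventory.
func selfSigned(cn string, key crypto.Signer, notBefore time.Time, days int) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
}

// SampleInventory builds three constructed machine certificates keyed by name: a legacy RTU
// gateway (1024-bit RSA, five-year lifetime), an ICCP link on P-256, and a historian
// replica with a 2048-bit key that expired 35 days before now.
func SampleInventory(now time.Time) map[string][]byte {
	day := 24 * time.Hour
	inv := map[string][]byte{}
	for _, s := range []struct {
		name string
		key  crypto.Signer
		age  time.Duration
		days int
	}{
		{"rtu-gateway-01", must(rsa.GenerateKey(rand.Reader, 1024)), day, 5 * 365},
		{"iccp-link-cc1", must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), day, 365},
		{"historian-replica", must(rsa.GenerateKey(rand.Reader, 2048)), 400 * day, 365},
	} {
		inv[s.name] = must(selfSigned(s.name, s.key, now.Add(-s.age), s.days))
	}
	return inv
}
```

Call SampleInventory and Audit from a main or a test: the RTU certificate yields two findings (weak key, five-year lifetime), the expired replica one, and the ICCP link none.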
Physical and Cybersecurity – should these two responsibilities be housed together in terms of responsibility? There are arguments on both sides. It is certain that they take somewhat different skill sets – but equally certain that the skills needed on the physical side are increasingly reliant on IT components and the cybersecurity of those components.
IT Vs. OT and Air Gaps - Traditionally OT/ICS Utility hardware and software connections have been “air gapped” from the IT side of the business and from the Internet. The air gap represents a lack of physical and wireless connectivity between these two network enclaves. However, there are many ways to bridge this air gap and expose the OT/ICS side to attacks. It is no longer appropriate to rely on air gaps as anything more than part of a strategy. Indeed, some companies are migrating away from an air gap philosophy by replicating OT/ICS data into the IT network using unidirectional gateways[69]. Some are also allowing direct access to the OT/ICS networks driven by the “Internet of Things”[70] and deploying other security strategies for protection in order to achieve greater functionality and performance.
[64] See discussion by Kevin Perry at FERC Technical Conference - http://www.EnergyCollection.us/Companies/FERC/TC-2014-04-29/SPP-Kevin-Perry.pdf
[65] See 4 of 34 at http://www.slideshare.net/Prolifics/prolifics-ibm-cybersecurity
[66] DNP - http://en.wikipedia.org/wiki/Distributed_Network_Protocol
[67] IEC 60870-6 – see ICCP section - http://en.wikipedia.org/wiki/IEC_60870-6
[68] A very excellent explanation of Certificate Authorities is at "Nexus of Cybersecurity and Public Policy – Some Basic Concepts and Issues" at http://www.EnergyCollection.us/Energy-Security/Nexus-Cybersecurity-Public.pdf at page 58 of 103.
[69] See Unidirectional Networks - http://en.wikipedia.org/wiki/Unidirectional_network
[70] See Internet of Things - http://en.wikipedia.org/wiki/Internet_of_Things
Joining a Cyber Group and Sharing Information – many energy companies have joined groups (5-10 or more companies) that cooperate in terms of sharing cyber knowledge – what works and what doesn’t, etc. This process is advantageous because it fits with the need to keep up to date and the pursuit of Best Practices. Sharing actual attack information is a subject in flux. Everyone agrees that a system to share real-time attack data would be beneficial – but legal and practical problems persist. These are slowly being worked out and ultimately should be another source of progress. The NERC ES-ISAC[71] may play a larger role in this regard – although many companies remain concerned that it is a part of NERC and about the compliance implications. NERC has taken steps to separate the ES-ISAC from Compliance activities, but full bifurcation may ultimately be needed. The author believes that ES-ISAC membership and cooperation is indeed a Best Practice. Another group that is likely to play a larger role going forward is the Electricity Sub-Sector Coordinating Council[72].
The Federal Government cannot be relied on to share all vulnerabilities they are aware of and so cannot be anything more than another source of data.
Firewalls – Firewalls[73] are typically software solutions used to protect an area of higher security from an area of potentially lower security. As software solutions in the very dynamic world of cybersecurity, they require considerable maintenance in the form of configuration and updates. For high security systems, DHS ICS-CERT[74] is recommending that companies explore unidirectional gateways, which are hardware-based solutions that offer higher levels of protection. Unidirectional gateways can also handle applications that require data collection/processing/result-communication (two-way applications) through the use of multiple gateways.
Social Media – Social Media[75] encompasses a wide range of possibilities – but for threat actors it represents a treasure-trove of information to assist in attack design. While many pages have been written on this subject – it might be instructive to just consider LinkedIn[76]. Thousands of security professionals in the utility business have profiles on LinkedIn – many of those have in excess of 500 connections each. These connections provide access to email addresses for all connections, and most often personal email addresses. This set of information is ideal to construct “Watering Hole Attacks”[77] and other phishing attacks. All an attacker has to do is crack one password[78] to gain access to a lot of data – perfect data to populate sophisticated Phishing[79] attacks. The common term for using Social Media as a cyber-weapon is “Social Engineering”[80].
[71] The Electricity Sector Information Sharing and Analysis Center (ES-ISAC) - http://www.nerc.com/pa/CI/ESISAC/Pages/default.aspx referenced 2014-05-18
[72] See Electricity Sub-Sector Coordinating Council - http://tinyurl.com/mb2zajg - referenced 2014-05-18
[73] Firewalls - http://en.wikipedia.org/wiki/Firewall_(computing)
[74] DHS Industrial Control Systems Cyber Emergency Response Team - https://ics-cert.us-cert.gov/ - referenced 2014-05-18
[75] Social Media - http://en.wikipedia.org/wiki/Social_media
[76] Some companies have issued policies to help reduce this exposure.
[77] Watering Hole Attacks - http://en.wikipedia.org/wiki/Watering_Hole
[78] No Password is safe from new breed of cracking software - http://tinyurl.com/n6qnpkd - referenced 2014-05-18
Self-Reports and Compensation - Generally, compliance performance is measured and is an element of pay/bonus consideration. Violations of mandatory compliance standards (NERC CIP) should be Self-Reported to NERC even though there is some chance that they would not be discovered in a NERC Audit.[81] Self-Reports are still violations – and if they are counted in compensation metrics – this sets up a possible conflict of interest. There are two schools of thought on this: excluding Self-Reports from the Compensation Metrics; or making a failure to Self-Report grounds for employee dismissal.
Paul Feldman
PaulFeldman@Gmail.com
LinkedIn - www.linkedin.com/in/paulfeldman/
Thanks to Michael Gent (ERCOT Director), Daniel Hill (New York ISO Director), and Douglas Chapman (MISO Management) for useful comments on the paper.
Any errors in this paper are my own. Any opinions expressed are also my own and should not be attributed to any organization with whom I have an association.
Comments on how to improve this resource are welcome at the above address.
It is my intent to maintain and improve this resource over time as an assist to Boards of Directors involved in the Electricity and Natural Gas Sector.
[79] Phishing – see http://en.wikipedia.org/wiki/Phishing
[80] Wikipedia - http://en.wikipedia.org/wiki/Social_engineering_%28security%29 See also: Social Engineering: The Basics - http://www.EnergyCollection.us/Energy-Security/Social-Engineering-Basics.pdf Original referenced 2014-06-01 - http://www.csoonline.com/article/2124681/security-awareness/social-engineering-the-basics.html
[81] It lessens the chances of a fine if discovered, it strengthens the Company’s security posture by being able to address the violation immediately, and it builds good-will with the regulators.
Attachment A
Version History
1. Version 1.0
1.1. Prepared originally for a meeting of the IRC[82] Board of Directors in New Orleans 2014-05-21
2. Version 1.1
2.1. Moved from a focus on companies involved in organized markets to a broader field of companies involved in electricity and natural gas – per several requests to broaden the scope.
2.2. Combined References Attachments into a single set of references and separated from this paper – the collected materials are now at http://www.EnergyCollection.us/457.pdf
2.3. Various updates and changes as I thought appropriate were added.
2.4. Some intra-document hyperlinks have been included to move about the document more easily – they are in red. Any link to an external document or website is in blue.
2.5. Added a section on Best Practices – but it is incomplete
[82] See http://www.isorto.org/Pages/Home