EnergySec, profile picture
Uploaded byEnergySec
PPT, PDF683 views

Industry Reliability and Security Standards Working Together

The document discusses the evolving landscape of cybersecurity and compliance standards within the power and utility industry, focusing on the integration of various frameworks like NIST and ISO. It highlights the importance of developing internal compliance programs and risk management practices tailored to organizational needs, while encouraging proactive monitoring of trends for continuous improvement. The presentation is led by experts from Ernst & Young LLP, emphasizing the need for strategic alignment with regulatory changes and effective control measures.

Embed presentation

Downloaded 15 times
Industry Reliability and Security Standards Working Together Where the standards are going and where your program should be heading 21 August 2014
Page 2 About your presenters Josh Axelrod ► Ernst & Young LLP Cybersecurity, Power & Utility lead ► Former NERC CIP auditor ► Former Navy nuclear engineer ► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CGEIT Matt Davis ► Ernst & Young LLP Cybersecurity, Power & Utility team ► Former NERC CIP auditor ► Former ISP/telecom engineer ► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CIPP/IT
Page 3 Overview ► Version Control ► Taking Control ► Framework Alignment ► Reliability Assurance Initiative ► Take a Risk ► Predictions 21 August 2014 Industry Reliability and Security Standards Working Together
Page 4 Version (out of) Control
Page 5 Which version? ► CIP standards are rapidly evolving and fragmenting. ► Current list of draft RSAWs: ► CIP-002-5.1 ► CIP-003-6 ► CIP-004-6 ► CIP-005-5 ► CIP-006-6 ► CIP-007-6 ► CIP-008-5 ► CIP-009-6 ► CIP-010-2 ► CIP-011-2 21 August 2014 Industry Reliability and Security Standards Working Together
Page 6 Not much to see here, keep moving … ► Overview of V6 changes ► Removal of Identify, Assess, Correct (IAC) ► “Cabling” is back with mitigating controls … again ► Physical ports control for PCA ► Transient devices – prior to use ► CIP-014-1 ► Third-party assessments ► Who is qualified? Who is willing? 21 August 2014 Industry Reliability and Security Standards Working Together
Page 7 Take Controls
Page 8 Let It Go ► Moving away from regulatory requirements ► Right-size for your organization based on risk and budget ► Create your own story ► Leverage other frameworks ► Review all controls for need ► Similar to ISO 27000 approach 21 August 2014 Industry Reliability and Security Standards Working Together
Page 9 Keys to Control Success ► Development ► Program – design ► Controls – effectiveness ► Maintain – change control ► Mapping ► Get granular ► Risk management process ► Drive selection 21 August 2014 Industry Reliability and Security Standards Working Together
Page 10 Framework Alignment
Page 11 Why NIST? ► 800-53 is comprehensive and free ► What NERC CIP was supposed to use and will continue to evolve toward ► Strong guidance ► Guidance from other 800 series ► Alignment to federal (EO 13636) ► Alignment to 800-82 (ICS) ► Detonation chambers 21 August 2014 Industry Reliability and Security Standards Working Together
Page 12 Other Options ► ISO 27001 – international and corporate ► Not free ► BITS – third-party assessments ► Not free ► PCI – encryption, virtualization ► Free 21 August 2014 Industry Reliability and Security Standards Working Together
Page 13 Reliability Assurance Initiative
Page 14 Reliability Assurance Initiative (RAI) ► Risk Assessment ► Region will develop a transparent but customized compliance profile based on the Registered Entity’s impact to the grid. ► Assessment will be shared with the Entity so that it understands how it will be monitored as part of the compliance profile. ► Internal Controls Reliance ► Entity’s internal control practices will be provided and reviewed by the Region. ► Region will evaluate the level of the entities internal control program to tailor compliance activities in conjunction with the assessment. 21 August 2014 Industry Reliability and Security Standards Working Together
Page 15 A New Hope ► Aggregation of Non-compliance ► Based on the level of controls reliance and the Risk Assessment ► May be able to log minimal risk non- compliance ► Trade-off in internal controls vs. minor deficiencies ► “Extra credit” 21 August 2014 Industry Reliability and Security Standards Working Together
Page 16 Internal Compliance Program ► What is an internal compliance program (ICP)? ► A formal process to achieve and mature compliance objectives through risk management practice enabled by controls ► What are the regulatory benefits? ► Culture of excellence, not compliance ► Reduction in compliance and reliability risks ► Potential for reduced auditing and penalties ► Components of an ICP Objectives  Quality improvement  Assurance  Proactive  Prompt  Preventative Risk Management  Risk management model  Enterprise risk strategy  Governance structure  Compliance management functions  Internal controls assessment  Evaluation with independence Controls  Controls environment  Programmatic processes  SME training program  Communication plans  Industry participation  Metrics reporting Controls Risk Management ICP Industry Reliability and Security Standards Working Together
Page 17 Take a Risk
Page 18 Risk Management ► Executive involvement ► Board-integrated ► Insight-driven and performance- oriented ► Intrinsic to the business and is embedded in key business processes 21 August 2014 Industry Reliability and Security Standards Working Together
Page 19 Maturity ► Defines the appropriate activities ► Helps identify best places for budget ► Builds a road map for the program ► Source: DOE ES-C2M2 Model 21 August 2014 Industry Reliability and Security Standards Working Together
Page 20 Summary
Page 21 V7 Predictions ► Third-party compliance ► Threat management ► Baselines for monitoring ► HIPS or white-listing ► Application security ► Honeypots … just kidding 21 August 2014 Industry Reliability and Security Standards Working Together
Page 22 Summary ► Manage security through risk ► Keep maturing to keep ahead ► Monitor trends to anticipate change ► Let the standards follow you 21 August 2014 Industry Reliability and Security Standards Working Together
Page 23 Q&A ► Thank you! joshua.axelrod@ey.com matt.davis@ey.com

More Related Content

PDF
Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
byEnergySec
 
PPT
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
byEnergySec
 
PPTX
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
byEnergySec
 
PPTX
CIP-014-1: Next Steps from an Auditor’s Perspective
byEnergySec
 
PPTX
Top 20 Security Controls for a More Secure Infrastructure
byInfosec
 
PPTX
Information Assurance Metrics: Practical Steps to Measurement
byEnclaveSecurity
 
PDF
Kevin Watkins, Enterprise Security Architect at BAT - BAT’s Managed Security ...
byGlobal Business Events
 
PPTX
Managed Security Services from Symantec
byArrow ECS UK
 
Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
byEnergySec
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
byEnergySec
 
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
byEnergySec
 
CIP-014-1: Next Steps from an Auditor’s Perspective
byEnergySec
 
Top 20 Security Controls for a More Secure Infrastructure
byInfosec
 
Information Assurance Metrics: Practical Steps to Measurement
byEnclaveSecurity
 
Kevin Watkins, Enterprise Security Architect at BAT - BAT’s Managed Security ...
byGlobal Business Events
 
Managed Security Services from Symantec
byArrow ECS UK
 

What's hot

PPSX
Does audit make us more secure
byEnterpriseGRC Solutions, Inc.
 
PPTX
Data Consult - Managed Security Services
byJad Bejjani
 
PDF
Cybersecurity Application Installation with no Shutdown Required webinar Slides
byYokogawa1
 
PDF
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
byLisa Niles
 
PDF
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
PDF
Governance of security operation centers
byBrencil Kaimba
 
PPT
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
byEnergySec
 
PPSX
Next-Gen security operation center
byMuhammad Sahputra
 
PPTX
How to Use the NIST CSF to Recover from a Healthcare Breach
bySymantec
 
PPTX
Security and Compliance Initial Roadmap
byAnshu Gupta
 
PPTX
Web Application Security Strategy
byNetwork Intelligence India
 
PDF
Nist cybersecurity framework isc2 quantico
byTuan Phan
 
PPTX
Soc
byMukesh Chaudhari
 
PDF
TrustedAgent GRC for Vulnerability Management
byTuan Phan
 
PDF
The Real Costs of SIEM vs. Managed Security Service
byF-Secure Corporation
 
PDF
Rapid7 NERC-CIP Compliance Guide
byRapid7
 
PDF
Overview
byNathan Burke
 
PDF
Rothke secure360 building a security operations center (soc)
byBen Rothke
 
PDF
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
byVijilan IT Security solutions
 
PDF
Gpc case study_eng_0221
bySALIH AHMED ISLAM
 
Does audit make us more secure
byEnterpriseGRC Solutions, Inc.
 
Data Consult - Managed Security Services
byJad Bejjani
 
Cybersecurity Application Installation with no Shutdown Required webinar Slides
byYokogawa1
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
byLisa Niles
 
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
Governance of security operation centers
byBrencil Kaimba
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
byEnergySec
 
Next-Gen security operation center
byMuhammad Sahputra
 
How to Use the NIST CSF to Recover from a Healthcare Breach
bySymantec
 
Security and Compliance Initial Roadmap
byAnshu Gupta
 
Web Application Security Strategy
byNetwork Intelligence India
 
Nist cybersecurity framework isc2 quantico
byTuan Phan
 
Soc
byMukesh Chaudhari
 
TrustedAgent GRC for Vulnerability Management
byTuan Phan
 
The Real Costs of SIEM vs. Managed Security Service
byF-Secure Corporation
 
Rapid7 NERC-CIP Compliance Guide
byRapid7
 
Overview
byNathan Burke
 
Rothke secure360 building a security operations center (soc)
byBen Rothke
 
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
byVijilan IT Security solutions
 
Gpc case study_eng_0221
bySALIH AHMED ISLAM
 

Viewers also liked

PPT
What the Department of Defense and Energy Sector Can Learn from Each Other
byEnergySec
 
PPTX
Legacy of Void*
byAdam Crain
 
PDF
Come See What’s Cooking in My Lab
byEnergySec
 
PPTX
RAMS 2013 Establishing product reliability goals
byAccendo Reliability
 
PDF
Mac Klingler: 2013 Sandia National Laboratoies Wind Plant Reliability Workshop
bySandia National Laboratories: Energy & Climate: Renewables
 
PDF
Service Tools and Social Media Data Sharing Use Case
byGe Peng
 
PDF
Peng etal UPQ_AMS2014_P332
byGe Peng
 
PDF
New Paradigm for Ensuring and Improving Data Quality and Usability
byGe Peng
 
PDF
Stewards - Knowledge and Communication Hub
byGe Peng
 
PDF
Peng Privette SMM_AMS2014_P695
byGe Peng
 
PDF
Scientific Data Stewardship Maturity Matrix
byGe Peng
 
PPT
Profeo PRINCE2 MSP MoP P3O and P3M3
byProfeo
 
DOCX
Return on Investment for a Design for Reliability Program
byAccendo Reliability
 
PPT
P3M3 - Discovery Assessment
byProfeo
 
PDF
Non Functional Requirements for Climate Data Records
byGe Peng
 
PDF
Building Human Intelligence – Pun Intended
byEnergySec
 
PPTX
RAMS 2013 Tutorial Introduction to R & M Management
byAccendo Reliability
 
PDF
Turabo School of Engineering
bySandia National Laboratories: Energy & Climate: Renewables
 
PPTX
RAMS 2013 Tutorial Effective Reliability Traits and Management
byAccendo Reliability
 
DOCX
Reliability maturity matrix
byAccendo Reliability
 
What the Department of Defense and Energy Sector Can Learn from Each Other
byEnergySec
 
Legacy of Void*
byAdam Crain
 
Come See What’s Cooking in My Lab
byEnergySec
 
RAMS 2013 Establishing product reliability goals
byAccendo Reliability
 
Mac Klingler: 2013 Sandia National Laboratoies Wind Plant Reliability Workshop
bySandia National Laboratories: Energy & Climate: Renewables
 
Service Tools and Social Media Data Sharing Use Case
byGe Peng
 
Peng etal UPQ_AMS2014_P332
byGe Peng
 
New Paradigm for Ensuring and Improving Data Quality and Usability
byGe Peng
 
Stewards - Knowledge and Communication Hub
byGe Peng
 
Peng Privette SMM_AMS2014_P695
byGe Peng
 
Scientific Data Stewardship Maturity Matrix
byGe Peng
 
Profeo PRINCE2 MSP MoP P3O and P3M3
byProfeo
 
Return on Investment for a Design for Reliability Program
byAccendo Reliability
 
P3M3 - Discovery Assessment
byProfeo
 
Non Functional Requirements for Climate Data Records
byGe Peng
 
Building Human Intelligence – Pun Intended
byEnergySec
 
RAMS 2013 Tutorial Introduction to R & M Management
byAccendo Reliability
 
Turabo School of Engineering
bySandia National Laboratories: Energy & Climate: Renewables
 
RAMS 2013 Tutorial Effective Reliability Traits and Management
byAccendo Reliability
 
Reliability maturity matrix
byAccendo Reliability
 

Similar to Industry Reliability and Security Standards Working Together

PPTX
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
byTripwire
 
PDF
A Major Revision of the CISRCP Program
byGoogleNewsSubmit
 
PPTX
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
bypromediakw
 
PPTX
Bryan Singer S4 Presentation
bybsinger74
 
PPT
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...
byAlgoSec
 
PPTX
Leveraging compliance to raise the bar on security
byMike Lemire
 
PDF
IoT Security Assessment - IEEE PAR Proposal
bySyam Madanapalli
 
PPTX
Institute of Internal Auditors Presentation 2014
byBrian T. O'Hara CISA, CISM, CRISC, CCSP, CISSP
 
PDF
NIST Framework for Information System
bynewbie2019
 
PDF
CISSP - Certified Information Systems Security Professional
byCjAce1
 
PDF
Evident io Continuous Compliance - Mar 2017
bySebastian Taphanel CISSP-ISSEP
 
PDF
Treating Security Like a Product
byVMware Tanzu
 
PDF
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
byCohesive Networks
 
PPTX
Aligning Application Security to Compliance
bySecurity Innovation
 
PDF
Cyber Security Program Realization in the Mid Market - Executive Summary
bySteve Leventhal
 
PDF
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
byCohesive Networks
 
PDF
Snyk provides Compliance-Cheat-Sheet.pdf
byStellaNguyen22
 
PPSX
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
byNetLockSmith
 
PPTX
vCISO Overview Virtual CISO Chief Information Security Officer
byabstmsecure
 
PPTX
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
byTripwire
 
A Major Revision of the CISRCP Program
byGoogleNewsSubmit
 
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
bypromediakw
 
Bryan Singer S4 Presentation
bybsinger74
 
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...
byAlgoSec
 
Leveraging compliance to raise the bar on security
byMike Lemire
 
IoT Security Assessment - IEEE PAR Proposal
bySyam Madanapalli
 
Institute of Internal Auditors Presentation 2014
byBrian T. O'Hara CISA, CISM, CRISC, CCSP, CISSP
 
NIST Framework for Information System
bynewbie2019
 
CISSP - Certified Information Systems Security Professional
byCjAce1
 
Evident io Continuous Compliance - Mar 2017
bySebastian Taphanel CISSP-ISSEP
 
Treating Security Like a Product
byVMware Tanzu
 
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
byCohesive Networks
 
Aligning Application Security to Compliance
bySecurity Innovation
 
Cyber Security Program Realization in the Mid Market - Executive Summary
bySteve Leventhal
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
byCohesive Networks
 
Snyk provides Compliance-Cheat-Sheet.pdf
byStellaNguyen22
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
byNetLockSmith
 
vCISO Overview Virtual CISO Chief Information Security Officer
byabstmsecure
 
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 

More from EnergySec

PDF
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
byEnergySec
 
PDF
Slide Griffin - Practical Attacks and Mitigations
byEnergySec
 
PDF
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
byEnergySec
 
PPTX
Jack Whitsitt - Yours, Anecdotally
byEnergySec
 
PPTX
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
byEnergySec
 
PDF
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
PPTX
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
byEnergySec
 
PPTX
Explore the Implicit Requirements of the NERC CIP RSAWs
byEnergySec
 
PDF
Wireless Sensor Networks: Nothing is Out of Reach
byEnergySec
 
PDF
Please, Come and Hack my SCADA System!
byEnergySec
 
PDF
Unidirectional Network Architectures
byEnergySec
 
PPTX
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
byEnergySec
 
PDF
Industrial Technology Trajectory: Running With Scissors
byEnergySec
 
PPTX
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
byEnergySec
 
PDF
Where Cyber Security Meets Operational Value
byEnergySec
 
PPTX
Where Are All The ICS Attacks?
byEnergySec
 
PPTX
Third Party Security Testing for Advanced Metering Infrastructure Program
byEnergySec
 
PPTX
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...
byEnergySec
 
PPTX
Sea Changes, Strategic Implications, Board Cyber Perspectives
byEnergySec
 
PPTX
Red Teaming and Energy Grid Security
byEnergySec
 
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
byEnergySec
 
Slide Griffin - Practical Attacks and Mitigations
byEnergySec
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
byEnergySec
 
Jack Whitsitt - Yours, Anecdotally
byEnergySec
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
byEnergySec
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
byEnergySec
 
Explore the Implicit Requirements of the NERC CIP RSAWs
byEnergySec
 
Wireless Sensor Networks: Nothing is Out of Reach
byEnergySec
 
Please, Come and Hack my SCADA System!
byEnergySec
 
Unidirectional Network Architectures
byEnergySec
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
byEnergySec
 
Industrial Technology Trajectory: Running With Scissors
byEnergySec
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
byEnergySec
 
Where Cyber Security Meets Operational Value
byEnergySec
 
Where Are All The ICS Attacks?
byEnergySec
 
Third Party Security Testing for Advanced Metering Infrastructure Program
byEnergySec
 
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...
byEnergySec
 
Sea Changes, Strategic Implications, Board Cyber Perspectives
byEnergySec
 
Red Teaming and Energy Grid Security
byEnergySec
 

Recently uploaded

PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 

Industry Reliability and Security Standards Working Together

  • 1.
    Industry Reliability andSecurity Standards Working Together Where the standards are going and where your program should be heading 21 August 2014
  • 2.
    Page 2 About yourpresenters Josh Axelrod ► Ernst & Young LLP Cybersecurity, Power & Utility lead ► Former NERC CIP auditor ► Former Navy nuclear engineer ► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CGEIT Matt Davis ► Ernst & Young LLP Cybersecurity, Power & Utility team ► Former NERC CIP auditor ► Former ISP/telecom engineer ► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CIPP/IT
  • 3.
    Page 3 Overview ► VersionControl ► Taking Control ► Framework Alignment ► Reliability Assurance Initiative ► Take a Risk ► Predictions 21 August 2014 Industry Reliability and Security Standards Working Together
  • 4.
  • 5.
    Page 5 Which version? ►CIP standards are rapidly evolving and fragmenting. ► Current list of draft RSAWs: ► CIP-002-5.1 ► CIP-003-6 ► CIP-004-6 ► CIP-005-5 ► CIP-006-6 ► CIP-007-6 ► CIP-008-5 ► CIP-009-6 ► CIP-010-2 ► CIP-011-2 21 August 2014 Industry Reliability and Security Standards Working Together
  • 6.
    Page 6 Not muchto see here, keep moving … ► Overview of V6 changes ► Removal of Identify, Assess, Correct (IAC) ► “Cabling” is back with mitigating controls … again ► Physical ports control for PCA ► Transient devices – prior to use ► CIP-014-1 ► Third-party assessments ► Who is qualified? Who is willing? 21 August 2014 Industry Reliability and Security Standards Working Together
  • 7.
  • 8.
    Page 8 Let ItGo ► Moving away from regulatory requirements ► Right-size for your organization based on risk and budget ► Create your own story ► Leverage other frameworks ► Review all controls for need ► Similar to ISO 27000 approach 21 August 2014 Industry Reliability and Security Standards Working Together
  • 9.
    Page 9 Keys toControl Success ► Development ► Program – design ► Controls – effectiveness ► Maintain – change control ► Mapping ► Get granular ► Risk management process ► Drive selection 21 August 2014 Industry Reliability and Security Standards Working Together
  • 10.
  • 11.
    Page 11 Why NIST? ►800-53 is comprehensive and free ► What NERC CIP was supposed to use and will continue to evolve toward ► Strong guidance ► Guidance from other 800 series ► Alignment to federal (EO 13636) ► Alignment to 800-82 (ICS) ► Detonation chambers 21 August 2014 Industry Reliability and Security Standards Working Together
  • 12.
    Page 12 Other Options ►ISO 27001 – international and corporate ► Not free ► BITS – third-party assessments ► Not free ► PCI – encryption, virtualization ► Free 21 August 2014 Industry Reliability and Security Standards Working Together
  • 13.
  • 14.
    Page 14 Reliability AssuranceInitiative (RAI) ► Risk Assessment ► Region will develop a transparent but customized compliance profile based on the Registered Entity’s impact to the grid. ► Assessment will be shared with the Entity so that it understands how it will be monitored as part of the compliance profile. ► Internal Controls Reliance ► Entity’s internal control practices will be provided and reviewed by the Region. ► Region will evaluate the level of the entities internal control program to tailor compliance activities in conjunction with the assessment. 21 August 2014 Industry Reliability and Security Standards Working Together
  • 15.
    Page 15 A NewHope ► Aggregation of Non-compliance ► Based on the level of controls reliance and the Risk Assessment ► May be able to log minimal risk non- compliance ► Trade-off in internal controls vs. minor deficiencies ► “Extra credit” 21 August 2014 Industry Reliability and Security Standards Working Together
  • 16.
    Page 16 Internal ComplianceProgram ► What is an internal compliance program (ICP)? ► A formal process to achieve and mature compliance objectives through risk management practice enabled by controls ► What are the regulatory benefits? ► Culture of excellence, not compliance ► Reduction in compliance and reliability risks ► Potential for reduced auditing and penalties ► Components of an ICP Objectives  Quality improvement  Assurance  Proactive  Prompt  Preventative Risk Management  Risk management model  Enterprise risk strategy  Governance structure  Compliance management functions  Internal controls assessment  Evaluation with independence Controls  Controls environment  Programmatic processes  SME training program  Communication plans  Industry participation  Metrics reporting Controls Risk Management ICP Industry Reliability and Security Standards Working Together
  • 17.
  • 18.
    Page 18 Risk Management ►Executive involvement ► Board-integrated ► Insight-driven and performance- oriented ► Intrinsic to the business and is embedded in key business processes 21 August 2014 Industry Reliability and Security Standards Working Together
  • 19.
    Page 19 Maturity ► Definesthe appropriate activities ► Helps identify best places for budget ► Builds a road map for the program ► Source: DOE ES-C2M2 Model 21 August 2014 Industry Reliability and Security Standards Working Together
  • 20.
  • 21.
    Page 21 V7 Predictions ►Third-party compliance ► Threat management ► Baselines for monitoring ► HIPS or white-listing ► Application security ► Honeypots … just kidding 21 August 2014 Industry Reliability and Security Standards Working Together
  • 22.
    Page 22 Summary ► Managesecurity through risk ► Keep maturing to keep ahead ► Monitor trends to anticipate change ► Let the standards follow you 21 August 2014 Industry Reliability and Security Standards Working Together
  • 23.
    Page 23 Q&A ► Thankyou! joshua.axelrod@ey.com matt.davis@ey.com

Editor's Notes

  • #6 Time to left go of versions <number>
  • #17 <number>