Security Metrics. February 25, Annabelle Lee Senior Technical Executive

Transcription

1 Security Metrics February 25, 2015 Annabelle Lee Senior Technical Executive

2 Cybersecurity Capability Maturity Model (C2M2) Overview Expansion Project and Comparative Analysis

3 Framework Implementation Guidance Mapping (Project #1) CSF Core C2M2 CSF Tiers C2M2 Functions Categories Subcategories Informative References MIL 1 ES-C2M2 Practices MIL 2 MIL 3 CSF Tiers MIL 1 C2M2 Practices MIL 2 MIL 3 IDENTIFY Tier 1: Partial PROTECT Tier 2: Risk Informed DETECT RESPOND Tier 3: Repeatable RECOVER Tier 4: Adaptive

4 C2M2 Comparative Analysis (Project #2) C2M2 Industry Standards Domains Objectives Practices Cyber Security Framework NISTIR 7628 SP NRECA Cyber Security Guidelines Others as requested by industry Risk Management Asset, Change, & Configuration Management Identity and Access Management Cyber Program Management

5 Next Steps Harmonize Converge the various disparate maps Align controls where applicable Vet Vet harmonization with subject matter experts across industry and government Reconfigure map as appropriate based on feedback Map to C2M2 Add as modules to C2M2 expansion project, with the sectorspecific standards Release as v1.0, acknowledging future releases will be needed as industry uses the modules and maps provided.

6 Practical Risk Management Getting Started.. 6

7 7

8 Risk Management in Practice A Guide for the Electric Sector EPRI Technical Update:

9 Background. DOE ES-C2M2 Toolkit Risk Management Process Energy Sector Cybersecurity Framework Implementation Guidance NIST Framework for Improving Critical Infrastructure Cybersecurity, v1.0, Feb 2014 NISTIR 7628, Guidelines for Smart Grid Cyber Security, v1.0, August 2010 EPRI NESCOR Failure Scenarios and Impact Analyses 9

10 Example from the Document

11 Security Posture using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2): EPRI Technical Update

12 Background. Companion document to: Risk Management in Practice A Guide for the Electric Sector EPRI Technical Update: Traces NISTIR 7628 security requirements to ES-C2M2 security practices Identifies assessment methods based on Guide for Assessing the High-Level Security Requirements in NISTIR 7628, Guidelines for Smart Grid Cyber Security, SGIP CSWG, _1, Version 1.0, August 24, 2012 Includes application guidance for ES-C2M2 assessments against systems 12

13 Security Posture Assessment NISTIR 7628 assessment methods Examine - review, inspect, observe, study, or analyze one or more assessment objects e.g., specifications, mechanisms, or activities). Interview - conduct discussions with individuals or groups of individuals Test - exercise one or more assessment objects under specified conditions to compare actual with expected behavior ES-C2M2 Determination Not Implemented Partially Implemented Largely Implemented Fully Implemented 13

14 Application Guidance Example Manage Asset Configuration MIL3 Configuration Management: The organization should develop and maintain baseline configurations for the groups of control systems. The ES-C2M2 process should include an assessment to ensure the baselines are reviewed and updated and that the configurations are monitored. The GRC requirements should be developed and applied at the system level, and not at the organization level. SG.CM-2: Baseline Configuration 14

15 Logical Interface Category 6: Interface Between Control Systems in Different Organizations 15 Unique Technical Requirements: SG.AC-14: Permitted Actions with Identification or Authentication The associated ES-C2M2 practice is IAM-2a SG.IA-4: User Identification and Authentication The associated ES-C2M2 practices are IAM-1a and IAM-1b SG.SI-7: Software and Information Integrity The associated ES-C2M2 practices are SA-2e and SA-2i

16 Cyber Security Risk Management in Practice Comparative Analyses Tables EPRI Technical Update

17 Comparative Analyses Content Companion document to the Risk Management and Security Posture documents Includes additional crosswalk tables NISTIR 7628, NIST SP , and NIST Cybersecurity Framework NEI 08-09, NRC RG 5.71 and NISTIR 7628 NESCOR Failure Scenarios, Common Mitigations, Common Vulnerabilities and ES-C2M2 NISTIR 7628 Gap Analysis related to the ES-C2M2 and the NIST Cybersecurity Framework 17

18 Discussion 18

19 Together Shaping the Future of Electricity 19