Tech Advantage Benchmarking Your Cyber Security Program. March 5, 2014

Transcription

1 Tech Advantage Benchmarking Your Cyber Security Program March 5, 2014

2 Elements of Cyber Security Confidentiality Integrity C Security Availability I A Perfect security is unattainable

3 Overview What is the current state of Cyber Security at electric coops? - NARUC Report for the Kentucky PSC - How are decisions made about Cyber Security? - What should you be doing for Cyber Security? Cooperative perspective on audits and reviews - Chuck Gill Owen Electric Cooperative Q&A - Panel Discussion - David Baldwin - Clark Energy Cooperative - David Cox Nolin Rural Electric Cooperative - Chuck Gill Owen Electric Cooperative

4 NARUC Report Goals Review of the cyber security programs at six Kentucky electric distribution cooperatives Comparative view of the condition of the participating cooperatives cyber security programs Identification of control areas that have been effectively implemented and areas that need improvement Identification of areas of competency by some participants that may be leveraged at other cooperatives planning to implement similar controls Identification of areas that the PSC may be able to provide assistance to the cooperative community related to cyber security

5 Participant Profile Profile of participating Coops: Distribution Cooperatives None had NERC-CIP requirments Some did not own SCADA systems others did Main business processes: Billing and collections, Electric system maintenance, HR

6 Defining a Benchmark Realistic expectations for distribution cooperatives Frameworks Maturity Models ISO Standard areas

7 Areas of Focus User Account Management Outsourced Information Processing Password Parameters Documentation of Procedures IT Risk Management Cyber Security Policy Network Management System Acceptance and Configuration Third Party Access Personnel Security Remote Access Physical and Environmental Security Wireless Access System Patching Accountability of Assets System Logging and Monitoring Incident Management Malware Prevention DR & BCP Compliance Requirements Backup and Recovery

8 Methodology Each of the cooperatives participating in the review were asked to discuss their security programs in 21 areas of focus. Score of 1 through 5 for: Development of controls Relative priority of control area

9 Methodology Control Priority - relative priority of the control within the context of a total cyber security program. Average Development of Controls - provides an indication of the progress the cooperatives as a group have made in a particular control area Difference - provides an indication of which for improvement should be given the highest priority

10

11

12

13

14

15

16 Design vs. Effectiveness Areas where security is controlled by manual processes may have scored higher in this review due to the design of controls, however the effectiveness of the controls were not evaluated. Examples of focus areas that are often found to not operate as designed when examined for effectiveness: System patching Backups Accountability of Assets System acceptance and configuration

17

18

19 How Cyber Decisions are Made How are decisions made about what to do and how much to spend on Cyber Security?

20 Sources for Guidance IT managers base decisions on: Past experiences Availability needs Experiences of trusted colleagues Trade magazines Web research Consultants

21 External Drivers State breach disclosure laws State/Federal regulations Industry regulation Self regulation Lawsuits Best practices Contracts Insurance

22 Determining Spend Marginal increase of costs for additional cyber security Marginal Decrease in Costs associated with breaches Likelihood and impact of cyber threats Operating costs for cyber security = Cost savings due to prevention of events such as virus attacks, hacking, break-ins, regulatory fines etc.

23 Summary Every company has some form of cyber security, it is often devices and software, not processes and procedures Decisions come from many sources Increases in security measures are often driven by outside factors Costs associated with cyber security are not always known

24 Measuring Cyber Security How should a cooperative measure and implement Cyber Security?

25 Risk Assessment Continuous risk based approach Compliance requirements Re-assess for environmental and technology changes Likelihood and Impact

26 Program Design Gap analysis Program improvement prioritization Policies and procedures

27 Program Management Management of program improvements Task tracking Audit and assurance practices

28 Thank you Timothy Fawcett, CISSP, CISA, CSSA Sr. Information Security Consultant

29 Cooperative Perspective Chuck Gill Owen Electric Cooperative 57,000 Members in 9 Northern Kentucky Counties HQ, Northern SC, Three Bill Pay Offices Backbone consists of Microwave, Fiber, Radio and Telco Services VM Server Environment with about 150 client PCs

30 Cooperative Perspective Staff has been doing ISO/NIST Checklists since 2009, Scores have been 65, 80 and 95 out of 128 Two IT Audits in 2013, MCM and Guernsey Both Audits requested similar information MCM background was in financial audits PSC/Guernsey more familiar with utilities

31 Cooperative Perspective Approached the Audits as a win-win Open discussions with both audit groups Interaction between staff and audit groups was extremely beneficial Audits reaffirmed what the checklists already exposed Documentation (policies & procedures) to backup the strength the staff has in knowledge and experience

32 Q&A Panel Discussion Tim Fawcett Guernsey David Baldwin - Clark Energy Cooperative David Cox Nolin Rural Electric Cooperative Chuck Gill Owen Electric Cooperative