Security Management Seminar

Transcription

1 SSID PSAV_Event_Solutions Passcode NERC0001 Security Management Seminar Ross Johnson, CPP Capital Power Edmonton, Alberta

2 Security Management Programs Agenda Security Risk Management Design Basis Threat Security Measures Selection Threat Response Planning

3 Security Management Programs 3

4 Security Management Program Sets organization-wide policies and procedures that define how the program integrates into the company s overall management system Includes management commitment and accountability Includes: Accountability Implementation Competence External Practices Internal Practices 4

5 Advantages Ensures that all aspects of security are considered Provides 'best practice' guidance Developed by a large group of security practitioners, ensuring that it is based on a broad base of experience Provides guidance on requirements, objectives, and metrics Demonstrates professionalism to senior management and external stakeholders Tells you what to do, not how to do it 5

6 Security Management Program Elements 1. Security Management Program 2. Security Risk Management 3. Information Security Management 4. Information Technology/Control Systems Security 5. Personnel Security 6. Physical Security Measures 7. Security Incident Management 8. Contingency Planning 9. Threat Response Planning 10. Change Management Process 11. Evaluation & Review 12. Continuous Improvement Based on the Canadian Standard Association s Z Security Management for Petroleum and Natural Gas Industry Systems 6

7 Security Risk Management Identify and classify security risks Develop and implement strategies and security controls to eliminate or mitigate risks Security risk management activities must consider asset: Type Size Location Criticality Risk should be continually assessed across the organization by determining the likelihood and impact of potential threats 7

8 Information Security Management Policies and procedures for protecting both hard-copy and digital information from the time of conception through to its final disposition Should include documented policies and procedures Areas to consider include classification and labelling, handling, destruction, training, incident reporting and investigation, and audit, compliance, and disaster recovery Determination of what to protect is done by risk assessment: what information could hurt the company if it got into the wrong hands, either accidently or on purpose? 8

9 Information Technology Security Information technology is protected by a combination of controls, processes, procedures, organizational structures, software, and hardware The aim is to protect data confidentiality, integrity, and availability ISO provides best practice recommendations on information security management 9

10 Industrial Control Systems Security Control systems run industrial production equipment, and are heavily used in the energy industry Often targeted by hackers or other threat actors NIST SP Guide to Industrial Control Systems (ICS) Security is an excellent resource on this subject NERC CIP standards might have a thing or two to say on this 10

11 Personnel Security Protection of personnel Workplace Violence Assessment & Prevention Security Training and Awareness Personnel Screening Personnel Termination Employee Travel 11

12 Physical Security Measures Minimum physical security guidelines Vehicle searches Signage standards Chain-link fencing standards CCTV cameras Copper/metal theft prevention Guard force management 12

13 Access Control Facility Type Fence with Top Guard Fenceline Intrusion Detection CCTV/Lighting Electronic Card Access Interior Intrusion Detection Locked Fence Gates with CCTV Locked Exterior Access Doors Visitor Management Background Checks for all Unescorted Personnel Signage Critical Asset Manned Power Plant During Silent Hours Unmanned Power Plant Control Room PEECC Switchyard Non-Critical Asset Thermal Power Plant See Note 1. During Silent Hours Wind Facility Solar Facility Control Room PEECC Optional Switchyard 13 Office Building/Data Centre Construction Site

14 Construction Site Facility Type Fixed Post Mobile Patrols Guards SafeWalk Program Security Shuttle Regulatory Requirements NERC EOP 004/ARS CIP-001 NERC/ARS CIP- 002 to CIP-014 Critical Asset Manned Power Plant Unmanned Power Plant Control Room PEECC Switchyard Non-Critical Asset Control Room PEECC Thermal Power Plant Switchyard Wind Facility Solar Facility Office Building/Data Centre Guards may be used if deemed necessary because of local security conditions 14

15 Security Incident Management Incident reporting Investigations Workplace violence incident management Lessons Learned Security Management Program upgrades 15

16 Investigations 5 Oct :27

17 Investigations 6 Oct :27

18 Investigations 7 Oct :28

19 Contingency Planning Business Continuity Management Emergency Response Program Crisis Management Planning 19

20 Contingency Planning Business Continuity Management Emergency Response Program Includes loss of: People Office space Critical IT systems Crisis Management Planning 20

21 Contingency Planning Business Continuity Management Emergency Response Program Crisis Management Planning o Used at the production facility level o Includes communications, equipment, and tactical response plans for all the scenarios deemed of concern during a Hazard Risk Vulnerability Assessment 21

22 Contingency Planning Business Continuity Management Emergency Response Program Ø Crisis Management Planning o Used at the corporate level to marshal resources and senior executive leadership to solve problems that threaten the company's people, assets, or reputation o Part of the emergency response program 22

23 Threat Response Planning Threat and vulnerability assessment Security measures Observation plan Random security measures TRPs bring together a number of elements of the security management program: they are not part of the CSA standard Response plan Communications Training and review 23

24 Conclusion Use of a standardized security managementprogram template can help you to ensure that all elements of security are considered in your security plan They add dignity to what would otherwise be a vulgar brawl We are trying to develop an security management program template in the electricity sector, and we could use your help 24

25 Questions? 25