VALUE OF A CYBERSECURITY SELF-ASSESSMENT

Transcription

1 VALUE OF A CYBERSECURITY SELF-ASSESSMENT

2

3 RC3 Self-Assessment Research Program

4 RC3 Self-Assessment Research Program

5 Directors Cybersecurity Ecosystem CEO/GM E&O Member Services Marketing Information Technology (IT) Accounting Finance HR

6 RC3 Self-Assessment Research Program

7 RC3 Self-Assessment Research Program

8 RC3 Self-Assessment Research Program

9 RC3 Self-Assessment Research Program Initial findings

10 RC3 Self-Assessment Panel Bobby Smith, Vice President, Information Systems, Laurens Electric Cooperative, Inc., SC Justin Luebbert, Information Security and Business Technology Manager, Central Electric Power Cooperative, MO Sherry Fix, Manager of Information Technology, Grand Valley Power, CO Jim Haler, Member Services Manager, South Central Electric Association & Redwood Electric Cooperative, MN

11 RC3 and Cybersecurity Awareness Bobby Smith VP of Information Technology

12 Board Awareness This is two hours of my life that I will never get back. IDENTIFY PROTECT DETECT RESPOND RECOVER

13 Management Awareness Cybersecurity is not limited to IT Importance of Cyber-specific Policies

14 IT Awareness Inventory of Assets Importance of Documentation Trace every cable

15 Contact Information Bobby Smith VP of Information Technology

16 Justin Luebbert Manager of Information Security & Business Technology Central Electric Power Cooperative (G&T) Jefferson City, Missouri

17 CENTRAL ELECTRIC POWER COOPERATIVE TRANSMISSION COOPERATIVE 8 Distribution Cooperatives Collectively we deliver power to a 22,000 square mile area in central Missouri. 1. Boone Electric 2. Callaway Electric 3. Central Missouri Electric 4. Co-Mo Electric 5. Consolidated Electric 6. Cuivre River Electric 7. Howard Electric 8. Three Rivers Electric

18 What is the value of a cybersecurity self-assessment? What are some of our key takeaways from participating in the NRECA RC3 program?

19 PROVIDES A COMMON LANGUAGE NRECA RC3 Self Assessment \ NIST IDENTIFY PROTECT DETECT RESPOND RECOVER CEO to CSR Communicate risk in ways everyone can understand, from Server Room to the Board Room.

20 ABILITY TO EVALUATE CYBERSECURITY POSTURE BENCHMARKING Creates a benchmark to evaluate your current cybersecurity state. Helps you understand your cyber posture and what your biggest vulnerabilities and risk are related to your cooperative. BENCHMARKING MEASURE PLAN ANALYZE PRIORITIZATION Allows you to set security priorities based on risks, resources and investment. Enables you to have a better understanding how you can merge: cybersecurity priorities and initiatives with business priorities and initiatives. COLLECT IMPLEMENT

21 ABILITY TO EVALUATE CYBERSECURITY POSTURE EFFICIENCY Less chance of duplication of efforts within your organization. Allow different departments to work together toward common goals and set of standards. SECURITY SECURITY SECURITY Decreases the chance of shadow IT. SECURITY SECURITY GOALS Allows your cooperative to set realistic goals and to measure success of current initiatives and future initiatives. SECURITY SECURITY IS A NEVER ENDING GOAL

22 IT IS NOT JUST AN IT DEPARTMENT PROBLEM Cybersecurity is no longer just a technology issue, it is also a business issue. Understanding of the different roles and needs within an organization related to cybersecurity We must embrace cyber security as a business risk, not merely a technology risk. Staff and General Manager need to be discussing risk management. Review Cooperative Policies: Cybersecurity Integration Cyber Insurance & Data Ownership Legal Team: Regulatory or Compliance issues, State Laws Information Technology & Operational Technology Convergence Cyber Incident Response Planning: Table Top Exercises Cyber Communications Planning and Media Communications

23 YOUR VENDORS ROLE IN CYBERSECURITY Self-Assessment highlights importance of choosing your vendors & cloud providers Not all vendors are taking the required steps when it comes to cybersecurity and can pose huge risk for a cooperative. You must manage your cybersecurity risk when making purchasing decisions. Get vendor security practices in writing before you sign the contract. Create minimum vendor security requirements that all vendors must follow: How they connect? When they connect? What security practices does the vendor have in place? Don t make assumptions in regards to security responsibilities. Follow Up.

24 IMPORTANCE OF PHYSICAL SECURITY THE HUMAN FIREWALL Know what visitors and contractors are coming in and out of your organizations. Controlling access into facilities entry and exist points, exterior building doors and critical server or data room doors. if you SEE something SAY something EDUCATION - EDUCATION - EDUCATION The importance in educating your employees on their role in: DEFENDING THEIR COOPERATIVE AGAINST CYBER THREATES You must empower your employees. Let them know what you are doing and what they can do. Employees are the first line of defense and the biggest asset.

25 EDUCATION - EDUCATION - EDUCATION THE HUMAN FIREWALL Educate employees on cyber crime and who is carrying it out. Cybercrime is a business Nations State actors are a real threat (US CERTS) What are my cooperatives risk associated with a cybersecurity breach? Financial, Reputational, Regulatory How can it negatively affect the cooperative? Create Cybersecurity Program similar to cooperative Safety Programs. Keeps everyone on the same page, focused toward the same goals.

26 FINAL POINTS: THE VALUE OF SELF-ASSESMENT THE BIG PICTURE An effective cyber security self-assessment will: Define clear strategic goals within your organization. Establish security standards to ensure that your cooperative has the best chance to defend itself in the event of a breach. Empower your employees and departments to take charge of their own role related to security. Identify cybersecurity initiatives and how to merge those with the overall business strategy. Helps define the role cybersecurity plays in the delivery of the cooperatives critical services. KEEPING THE LIGHTS ON

27 Grand Valley Power Changes & Challenges Sherry Fix, IT Manager

28 Grand Valley Power 18,000 meter coop in Western Colorado Founded in 1936 Employed for 36 years 43 Employees

29 Changes & Challenges Increased cyber security training with KnowBe4 Replaced Access Control system/added 7 new cameras Locked ports to known mac addresses Insured unused ports not patched Beginning work on Policy creation Enhancing our asset management application

30 Cyber Security Self-Assessment Southwestern Minnesota Co-ops Jim Haler South Central Electric Association Redwood Electric Cooperative

31 Southwest Minnesota Co-ops 5 Cooperatives with no IT staff. Each with a different IT vendor. South Central Electric Association Redwood Electric Cooperative Brown County REA Federated REA Nobles Cooperative Electric

32 What we learned We need a plan. We need to educate our employees and board.

33 Why the self-assessment is important. You need a place to start! 155 Questions 36 Not applicable 78 No or partial

34 RC3 Self-Assessment Panel Bobby Smith, Vice President, Information Systems, Laurens Electric Cooperative, Inc., SC Justin Luebbert, Information Security and Business Technology Manager, Central Electric Power Cooperative, MO Sherry Fix, Manager of Information Technology, Grand Valley Power, CO Jim Haler, Member Services Manager, South Central Electric Association & Redwood Electric Cooperative, MN

35 2018 Self-Assessment Research Program Training!! SANS Voucher Program (Andre Joseph) EnergySec s Security Education Week, April (from $3,495 to $2,500 with NRECA/APPA discount) Cybersecurity Summits 5 planned in 2018

36 TechUpdate Twice-monthly newsletter containing the latest information on RC3 Program opportunities and technical publications, articles, reports, webinars, and conferences. Sign-up at:

37

38 Accessible

39 Accessible Affordable

40 Accessible Affordable Appropriate

41 Robin Christianson Senior Manager, Engagement & Strategy, NRECA Maureen Gatti Consultant Andre Joseph Cybersecurity Principal, NRECA Dr. Craig Miller Chief Scientist, NRECA Dr. Cynthia Hsu Cybersecurity Program Manager Office: Mobile: Bob Gibson Consultant Dr. Tim Heidel Deputy Chief Scientist, NRECA Adaora Ifebigh Project Manager, NRECA Lauren Khair Regional Economic Analyst, NRECA Sarah Kiely Principal, IT Community Support, NRECA Jona Okoth Senior Consultant, Synopsys Alvin Razon Senior Director, Distribution Optimization, NRECA