Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Similar documents
Cyber Hygiene: A Baseline Set of Practices

Information Security Is a Business

Implementing Executive Order and Presidential Policy Directive 21

The Need for Operational and Cyber Resilience in Transportation Systems

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Defining Computer Security Incident Response Teams

Cyber Security & Homeland Security:

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Researching New Ways to Build a Cybersecurity Workforce

Smart Grid Maturity Model

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

The CERT Top 10 List for Winning the Battle Against Insider Threats

Designing and Building a Cybersecurity Program

Julia Allen Principal Researcher, CERT Division

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

NCSF Foundation Certification

Cyber Threat Prioritization

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

NW NATURAL CYBER SECURITY 2016.JUNE.16

Why you should adopt the NIST Cybersecurity Framework

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Software Assurance Education Overview

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

Framework for Improving Critical Infrastructure Cybersecurity

10 Things Every Auditor Should Do Before Performing a Security Audit

Information Security Continuous Monitoring (ISCM) Program Evaluation

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Roles and Responsibilities on DevOps Adoption

PIPELINE SECURITY An Overview of TSA Programs

The NIST Cybersecurity Framework

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Industry role moving forward

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Australian Energy Sector Cyber Security Framework. Frequently Asked Questions FINAL V1-0

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Components and Considerations in Building an Insider Threat Program

Updates to the NIST Cybersecurity Framework

DHS Cybersecurity Services and Resources

CYBERSECURITY MATURITY ASSESSMENT

Information Technology Branch Organization of Cyber Security Technical Standard

Improving Cybersecurity through the use of the Cybersecurity Framework

The Confluence of Physical and Cyber Security Management

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Using CERT-RMM in a Software and System Assurance Context

Long-Term Power Outage Response and Recovery Tabletop Exercise

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Cyber Resilience. Think18. Felicity March IBM Corporation

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

NCSF Foundation Certification

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

The Office of Infrastructure Protection

Situational Awareness Metrics from Flow and Other Data Sources

The Insider Threat Center: Thwarting the Evil Insider

Cybersecurity for Health Care Providers

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Overview of the Cybersecurity Framework

Rethinking Cybersecurity from the Inside Out

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Framework for Improving Critical Infrastructure Cybersecurity

THE POWER OF TECH-SAVVY BOARDS:

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS

Framework for Improving Critical Infrastructure Cybersecurity

ISAO SO Product Outline

Kent Landfield, Director Standards and Technology Policy

Analyzing 24 Years of CVD

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

The Perfect Storm Cyber RDT&E

Framework for Improving Critical Infrastructure Cybersecurity

FEMA Update. Tim Greten Technological Hazards Division Deputy Director. NREP April 2017

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Medical Device Cybersecurity: FDA Perspective

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Securing an IT. Governance, Risk. Management, and Audit

Control Systems Cyber Security Awareness

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Cybersecurity Risk Management:

Statement for the Record

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

Engineering Improvement in Software Assurance: A Landscape Framework

The Office of Infrastructure Protection

IoT & SCADA Cyber Security Services

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Cyber Security Program

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

RSA Cybersecurity Poverty Index

Ontario Energy Board Cyber Security Framework

FISMA Cybersecurity Performance Metrics and Scoring

Transcription:

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie Mellon University http://www.cert.org/resilience/ 2014 Carnegie Mellon University

Notices Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by Department of Energy under Contract No. FA8721-05- C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon and CERT are registered marks of Carnegie Mellon University. DM-0002207 2

Outline Electric Grid: Yesterday vs. Today Development Approach A Family of Cybersecurity Maturity Models Model Architecture Domains Scaling Diagnostic Methodology Using the Model Relationship to NIST Cybersecurity Framework 3

CMU SEI CERT Division Software Engineering Institute (SEI) Federally funded research and development center based at Carnegie Mellon University Basic and applied research in partnership with government and private organizations Helps organizations improve development, operation, and management of software-intensive and networked systems CERT Division Anticipating and solving our nation s cybersecurity challenges Largest technical program at SEI Focused on internet security, digital investigation, secure systems, insider threat, operational resilience, vulnerability analysis, network situational awareness, and coordinated response 4

Cyber Risk and Resilience Management Team Engaged in Applied research Education & training Putting into practice Enabling our federal, state, and commercial partners In areas dealing with Maturity models Operational resilience Resilience management Operation risk management Cybersecurity maturity models Integration of cybersecurity, business continuity, & disaster recovery 5

YESTERDAY: Legacy Electric Grid 6

TODAY: Smart Grid Legacy Electrical Grid Modern Smart Grid I N C R E A S E D F U N C T I O N A L I T Y & E F F I C I E N C Y I N C R E A S E D O P E R A T I O N A L R I S K 7

Challenge from the White House Challenge: Develop capabilities to manage dynamic threats and understand cybersecurity posture of the grid 8 8

Strong Sponsorship & Collaboration White House initiative Led by Department of Energy In partnership with DHS In collaboration with energy sector asset owners and operators SEI model architect 9 9

Development Approach Public-Private Partnership Best Practices and existing cybersecurity resources Review of cyber threats to the subsectors Descriptive, Not Prescriptive Fast-Paced Development Pilot to Test, Validate, and Improve 10

The Approach: Maturity Model An organized way to convey a path of experience, wisdom, perfection, or acculturation. A Maturity Progression for Authentication Three-factor authentication Two-factor authentication Addition of changing every 60 days Use of strong passwords Use of simple passwords` 11

A Family of Cybersecurity Maturity Models ES-C2M2 ONG-C2M2 C2M2 for IT Services Electricity Subsector Version C2M2 Facilitator Guide Toolkits FAQs (Core Model) Enabling Consistent Applicability to Complex Organizations 12

Electricity Subsector Electricity portion of the energy sector Includes Generation Transmission Distribution Marketing 13

Model Architecture A Maturity Model Domains (a.k.a. Process Areas) Scaling Diagnostic Methodology 14

WM CPM SA ISC IR EDM RM ACM IAM TVM Domains that C2M2 Examines Risk Management Asset, Change, and Configuration Management Identity and Access Management Threat and Vulnerability Management Situational Awareness Information Sharing and Communications Event and Incident Response, Continuity of Operations Supply Chain and External Dependencies Management Workforce Management Cybersecurity Program Management Domains are logical groupings of cybersecurity practices 15

Model Architecture A Maturity Model Domains (a.k.a. Process Areas) Scaling Diagnostic Methodology 16

RISK ASSET ACCESS THREAT SITUATION SHARING RESPONSE DEPENDENCIES WORKFORCE CYBER Maturity Indicator Levels C2M2 Structure 3 Managed 4 Maturity Indicator Levels: Defined progressions of practices 2 Performed 1 Initiated 0 Not Performed 10 Model Domains: Logical groupings of cybersecurity practices 17 17

RM ACM IAM TVM SA ISC IR EDM WM CPM Maturity Indicator Levels C2M2 Structure 3 Managed 2 Performed 1 Initiated 4 Maturity Indicator Levels: Defined progressions of practices Each cell contains the defining practices for the domain at that maturity indicator level 0 Not Performed 10 Model Domains: Logical groupings of cybersecurity practices 18

C2M2 Maturity Indicator Levels Level Name Description MIL0 Not Performed MIL1 has not been achieved in the domain MIL1 Initiated Initial practices are performed, but may be ad hoc MIL2 Performed Practices are documented Stakeholders are involved Adequate resources are provided for the practices Standards or guidelines are used to guide practice implementation Practices are more complete or advanced than at MIL1 MIL3 Managed Domain activities are guided by policy (or other directives) Activities are periodically reviewed for conformance to policy Responsibility and authority for practices are clearly assigned to personnel with adequate skills and knowledge Practices are more complete or advanced than at MIL2 19

Domain Structure Model Domain Model contains 10 domains Purpose Statement Introductory Notes Approach Objectives Summarizes the overall intent of the domain Provide an overview of the domain objectives One or more per domain; unique to each domain Specific Practices at MIL1 Specific Practices at MIL2 Specific Practices at MIL3 Each specific objective is supported by a progression of practices that are unique to the domain and are ordered by maturity indicator level (MIL) Management Objective One per domain; similar across domains Common Practices at MIL2 Common Practices at MIL3 The Management Objective is supported by a progression of practices at MIL2 and MIL3 that are similar in each domain. 20

Model Architecture A Maturity Model Domains (a.k.a. Process Areas) Scaling Diagnostic Methodology 21

C2M2 Self-Evaluation The C2M2 models are supported by a survey-based self-evaluation An organization can use the survey (and associated scoring tool) to evaluate its implementation of the model practices To complete the survey, an organization selects its level of implementation for the model practice from a 4-point answer scale 22

4-Point Answer Scale 4-point answer scale The organization s performance of the practice described in the model is Fully implemented Complete Largely implemented Complete, but with a recognized opportunity for improvement Partially implemented Incomplete; there are multiple opportunities for improvement Not implemented Absent; the practice is not performed in the organization 23

C2M2 Sample Summary Score There are 2 practices at MIL1 for the Risk Domain Outer ring and number(s) summarize implementation state of those practices; in this case, both practices are fully implemented 24

C2M2 Sample Summary Score 2 practices are not implemented To achieve MIL2, requires 13 practices in total, including the 2 from MIL1 11 practices are fully implemented 25

C2M2 Sample Summary Score 26

C2M2 Sample Summary Score MIL 1 0 2 3 3 3 3 1 2 0 Rating 27

C2M2 Sample Summary Score 28

C2M2 Sample Summary Score Risk Management 1 1 5 1 2 4 2 1 10 9 4 3 2 3 Fully implemented Largely implemented Partially implemented Not implemented Establish Cybersecurity Risk Management Strategy Manage Cybersecurity Risk Management Activities 29

Model Architecture A Maturity Model Domains (a.k.a. Process Areas) Scaling Diagnostic Methodology 30

Using the C2M2 Models Perform Evaluation Implement Plans Analyze Identified Gaps Prioritize and Plan 31

Recommended Process for Using Results Perform Evaluation Analyze Identified Gaps Prioritize and Plan Inputs Activities Outputs 1. C2M2 Self-Evaluation 2. Policies and procedures 3. Understanding of cybersecurity program 1. C2M2 Self-Evaluation Report 2. Organizational objectives 3. Impact to critical infrastructure 1. List of gaps and potential consequences 2. Organizational constraints 1. Conduct C2M2 Self-Evaluation Workshop with appropriate attendees 1. Analyze gaps in organization s context 2. Evaluate potential consequences from gaps 3. Determine which gaps need attention 1. Identify actions to address gaps 2. Cost benefit analysis (CBA) on actions 3. Prioritize actions (CBA and consequences) 4. Plan to implement prioritize actions C2M2 Self- Evaluation Report List of gaps and potential consequences Prioritized implementation plan Implement Plans Prioritized implementation plan 1. Track progress to plan 2. Re-evaluate periodically or in response to major change Project tracking data 32

Relationship to NIST Cybersecurity Framework The U.S. Department of Energy (DOE) has developed guidance on using the NIST Cybersecurity Framework for the Energy Sector DOE guidance highlights C2M2 models as an approach to using the NIST Cybersecurity Framework 33

http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program 34 34

For More Information DOE Cybersecurity Capability Maturity Model Program http://energy.gov/oe/services/cybersecurity/cybersecurity-capabilitymaturity-model-c2m2-program ONG-C2M2 http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2- program/oil-and-natural-gas-subsector-cybersecurity ES-C2M2 http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2- program/electricity-subsector-cybersecurity Core C2M2 http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2- program/cybersecurity-capability-maturity-model-c2m2 SEI Resilience Management Program http://www.cert.org/resilience/ 35

Thank you for your attention 36

Additional Material 37

Model Domains (1-2 of 10) Domain Asset, Change, and Configuration Management (ACM) Workforce Management (WM) Description Manage the organization s operational technology (OT) and information technology (IT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives, including activities to: Identify, inventory, and prioritize assets, Manage asset configurations, and Manage changes to assets and to the asset inventory. Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives. Responsibilities Workforce controls Knowledge, skills, and abilities Awareness 38

Model Domains (3-4 of 10) Domain Identity and Access Management (IAM) Risk Management (RM) Description Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets, commensurate with the risk to critical infrastructure and organizational objectives. Identity management Access management Establish, operate, and maintain a cybersecurity risk management and mitigation program to identify and manage cybersecurity risk to the organization and its related interconnected infrastructure and stakeholders. Strategy Sponsorship Program 39

Model Domains (5-6 of 10) Domain Supply Chain and External Dependencies Management (EDM) Threat and Vulnerability Management (TVM) Description Establish and maintain controls to manage the cybersecurity risk associated with services and assets that are dependent on external entities, commensurate with the organization's business and security objectives. Dependency identification Risk management Cybersecurity requirements Establish and maintain plans, procedures, and technologies to identify, analyze, and manage cybersecurity threats and vulnerabilities, commensurate with the risk to critical infrastructure and organizational objectives. Threat management Vulnerability management Cybersecurity patch management Assessments 40

Model Domains (7-8 of 10) Domain Event and Incident Response, Continuity of Operations (IR) Situational Awareness (SA) Description Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity incidents and to sustain critical functions throughout a cyber event, commensurate with the risk to critical infrastructure and organizational objectives. Detect events Declare incidents Respond to incidents Manage continuity Establish and maintain activities and technologies to collect, analyze, alarm, present, and use power system and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture, commensurate with the risk to critical infrastructure and organizational objectives. Logging Monitoring Awareness 41

Model Domains (9-10 of 10) Domain Information Sharing and Communications (ISC) Cybersecurity Program Management (CPM) Description Establish and maintain relationships with internal and external entities to share information, including threats and vulnerabilities, in order to reduce risks and increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives. Communication Analysis Coordination Establish and maintain a cybersecurity program that provides governance, strategic planning, and sponsorship for the organization s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization s strategic objectives and the risk to critical infrastructure. Strategy Sponsorship Program Architecture 42

C2M2 Maturity Indicator Levels Example MIL0 MIL1 MIL2 MIL3 Specific Characteristics for the ASSET domain 1. Asset inventory a. There is an inventory of OT (operational technology) and IT (information technology) assets that are important to the delivery of the function 1. Asset inventory a. The asset inventory is current and complete for assets of defined categories that are selected based on risk analysis b. Asset prioritization is informed by risk analysis Progress from one MIL to the next involves more complete or more advanced implementations of the core activities in the domain. The organization is also expected to be performing additional activities at higher levels consistent with their risk strategy. 43

A Dual-Progression Model The C2M2 is a dual progression model Two things are progressing across the maturity indicator levels: 1. Approach the completeness, thoroughness, or level of development/sophistication of the activity 2. Management the extent to which the practices are ingrained/institutionalized in the organization s operations 44

Example of Dual Progression MIL1 MIL2 MIL3 Manage Cybersecurity Risk a. Cybersecurity risks are identified b. Identified risks are mitigated, accepted, tolerated, or transferred c. Risk assessments are performed to identify risks in accordance with the risk management strategy d. Identified risks are documented e. Identified risks are analyzed to prioritize response activities in accordance with the risk management strategy f. Identified risks are monitored in accordance with the risk management strategy g. A network (IT and/or OT) architecture is used to support risk analysis a. The risk management program defines and operates risk management policies and procedures that implement the risk management strategy b. A current cybersecurity architecture is used to support risk analysis c. A risk register (a structured repository of identified risks) is used to support risk management Management Practices 1. Initial practices are performed but may be ad hoc 1. Practices are documented 2. Stakeholders of the practice are identified and involved 3. Adequate resources are provided to support the process (people, funding, and tools) 4. Standards and/or guidelines have been identified to guide the implementation of the practices 1. Activities are guided by policies (or other organizational directives) and governance 2. Activities are periodically reviewed to ensure they conform to policy 3. Responsibility and authority for performing the practice is clearly assigned to personnel 4. Personnel performing the practice have adequate skills and knowledge 45

4-Point Answer Scale Fully Implemented 4-point answer scale The organization s performance of the practice described in the model is Fully implemented Complete Largely implemented Partially implemented Complete, but with a recognized opportunity for improvement The practice is performed as described in the model Incomplete; there are multiple opportunities for improvement Not implemented Absent; the practice is not performed in the organization 46

4-Point Answer Scale Largely Implemented 4-point answer scale The organization s performance of the practice described in the model is Fully implemented Complete Largely implemented Complete, but with a recognized opportunity for improvement Partially implemented Not implemented Incomplete; there are multiple opportunities for improvement The practice is performed substantially as described in the model, but there is some recognized opportunity for improvement that is not material with respect to achieving model, organizational, or critical infrastructure objectives Absent; the practice is not performed in the organization 47

4-Point Answer Scale Partially Implemented 4-point answer scale The organization s performance of the practice described in the model is Fully implemented Largely implemented Partially implemented The practice is performed substantially as described in the model, but there is some recognized opportunity for improvement that is not material with respect to achieving model, organizational, or critical infrastructure objectives Complete Complete, but with a recognized opportunity for improvement Incomplete; there are multiple opportunities for improvement Not implemented Absent; the practice is not performed in the organization 48

4-Point Answer Scale Not Implemented 4-point answer scale The organization s performance of the practice described in the model is Fully implemented Complete Largely implemented Partially implemented Complete, but with a recognized opportunity for improvement The practice is not performed in the organization Incomplete; there are multiple opportunities for improvement Not implemented Absent; the practice is not performed in the organization 49

NIST Cybersecurity Framework The National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity (Framework) in February 2014 The Framework enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. 50

Elements of the Framework The three main elements of the Framework are the Core, the Implementation Tiers, and the Profile. The Core is a set of cybersecurity activities, desired outcomes, and applicable informative references that are common across critical infrastructure sectors within five functions: Identify, Protect, Detect, Respond, and Recover. Tiers describe an organization s approach to cybersecurity risk and the processes in place to manage that risk, ranging from Tier 1 (Partial) to Tier 4 (Adaptive). Profiles align the Framework core elements with business requirements, risk tolerance, and organizational resources. 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback