Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI

Agenda
- Executive Order 13636
- Presidential Policy Directive 21
- National Infrastructure Protection Plan
- Cybersecurity Framework
- EEI Member consensus input

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directs the Executive Branch to:
- Develop a technology-neutral cybersecurity framework (NIST)
- Promote and incentivize the adoption of cybersecurity practices
- Increase the volume, timeliness, and quality of cyber threat information sharing
- Incorporate strong privacy and civil liberties protections
- Explore the use of existing regulation to promote cybersecurity

Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, directs the Executive Branch to:
- Develop a near-real-time cyber and physical critical infrastructure situational awareness capability
- Evaluate and mature the public-private partnership
- Update the National Infrastructure Protection Plan
- Develop a comprehensive research and development plan

DHS Integrated Task Force, 8 Working Groups:
1. Stakeholder Engagement
2. Cyber-Dependent Infrastructure Identification
3. Planning and Evaluation (NIPP Update)
4. Situational Awareness and Information Exchange
5. Incentives
6. Cybersecurity Framework (CSF) Collaboration with NIST
7. Assessments: Privacy and Civil Rights and Civil Liberties
8. Research and Development

National Infrastructure Protection Plan (NIPP) Update
Working Draft of the National Infrastructure Protection Plan:
- Focuses on critical infrastructure partnership to improve security and resilience
- Encourages partnership to improve information sharing and risk-based decision making
- Provides a risk management process
- Final comments due September 20
Concern: Too detailed for a plan at this level. Overlapping concepts with the Sector-Specific Plan and the new Cybersecurity Framework.

Cybersecurity Framework
NIST must publish a preliminary version of the Cybersecurity Framework within 240 days (i.e., by October 10, 2013); the final version is to be published by February 12, 2014.
4 Workshops:
1. April 3, Washington, D.C.
2. May 29-31, Pittsburgh, PA
3. July 10-12, San Diego, CA
4. September 11-13, Dallas, TX

How will the CSF be developed?

Cybersecurity Framework Discussion Draft, posted August 28, 2013
3 Parts of the Framework:
- Core
- Implementation Tiers
- Profiles (Current and Target)
Incorporates risk management, but does not define a process. Identifies areas for improvement.
Concern: Too prescriptive for a Framework that is to apply to all sectors. The ES-C2M2 is thought to meet the intent of the CSF, but this is not clear in the latest draft.

How to Use the Framework
Establish or Improve a Cybersecurity Program:
1. Make Organization-Wide Decisions
2. Establish a Target Profile
3. Establish a Current Profile
4. Compare Target and Current Profiles
5. Implement Target Profile
Communicate Cybersecurity Requirements with Stakeholders
Identify Gaps

Framework Profile
- Selection of the Functions, Categories, and Subcategories aligned with business requirements, risk tolerance, and organizational resources
- Does not provide Target Profile templates, nor does it identify Tier requirements
- Gaps between the Current and Target Profiles allow creation of a roadmap to reduce cybersecurity risk
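To make the Current/Target Profile comparison (steps 2 through 5 above) concrete, here is a small added example, not code from the slides or from NIST: it represents each Profile as a selection of Subcategories, computes the gaps, and orders them into a roadmap. The Subcategory ids follow the Framework's Function.Category-number naming style, but the specific ids, the 0-3 per-Subcategory implementation scale, and the sample profiles are constructed assumptions; the Discussion Draft defines none of them.

```python
from dataclasses import dataclass

# Constructed 0-3 implementation scale per Subcategory (not defined by the Framework).
LEVELS = ("not implemented", "partial", "implemented", "managed")


@dataclass(frozen=True)
class Gap:
    subcategory: str   # Framework-style id, e.g. "PR.AC-1" (illustrative)
    current: int       # index into LEVELS from the Current Profile
    target: int        # index into LEVELS from the Target Profile
    priority: str      # business priority recorded in the Target Profile


def compare_profiles(current: dict, target: dict) -> list:
    """Step 4: compare the Target and Current Profiles.

    current: {subcategory: level}; target: {subcategory: (level, priority)}.
    A Profile is a *selection* of Subcategories, so anything outside the Target
    Profile is out of scope and ignored. A Subcategory in the Target Profile but
    absent from the Current Profile counts as level 0 (not implemented).
    """
    gaps = []
    for sub, (want, prio) in target.items():
        have = current.get(sub, 0)
        if have < want:
            gaps.append(Gap(sub, have, want, prio))
    return gaps


def roadmap(gaps: list) -> list:
    """Order gaps for step 5: highest business priority first, then the largest
    level gap; ties broken by id so the listing is stable."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(gaps, key=lambda g: (rank[g.priority], g.current - g.target, g.subcategory))


# Constructed sample profiles for a fictional utility.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 1, "RS.CO-2": 3}
TARGET_PROFILE = {
    "ID.AM-1": (2, "high"),    # already met: no gap
    "PR.AC-1": (3, "high"),    # two levels short, high priority
    "DE.CM-1": (2, "medium"),  # one level short
    "RC.RP-1": (2, "low"),     # missing from Current Profile: treated as level 0
}

if __name__ == "__main__":
    for g in roadmap(compare_profiles(CURRENT_PROFILE, TARGET_PROFILE)):
        print(f"{g.subcategory}: {LEVELS[g.current]} -> {LEVELS[g.target]} [{g.priority}]")
```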

Framework Core Subcategories: Informative References
- ISA 99.02.01
- COBIT
- ISO/IEC 27001
- NIST SP 800-53
- CCS Top 20 Critical Security Controls
For an ES (electricity subsector) profile: ES-C2M2, RMP, NERC CIP

Implementation Tiers
- Tier 0, Partial: no formal, threat-aware risk management process; implementing portions of the Framework
- Tier 1, Risk-Informed: formal, threat-aware risk management process; staff has adequate cybersecurity resources
- Tier 2, Repeatable: regularly updates profile to respond to the changing cybersecurity landscape; understands dependencies and partners
- Tier 3, Adaptive: updates profile based on predictive indicators to actively adapt to the changing cybersecurity landscape; actively shares information with partners

Areas for Improvement
EO 13636 directs NIST to "identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations." Based on stakeholder input, NIST identified the following areas for improvement:
- Supply chains and interdependencies
- Privacy
- Conformity assessment
- International aspects, impacts, and alignment
- Data analytics
- Automated indicator sharing

EEI Member Consensus Input
- EEI encourages NIST to develop a high-level framework focused on cybersecurity practices that can be applied across all 16 critical infrastructure sectors.
- EEI encourages NIST to keep the framework flexible enough to allow entities to use existing processes, standards, and guidance, to avoid time-consuming and unnecessary duplication of cybersecurity efforts.
- EEI encourages NIST to incorporate a flexible risk management process to keep the framework's cybersecurity practices at a high level and engage executive leadership.
- EEI encourages NIST to consider who is providing input to the Framework process when developing the framework.

Questions from NIST
How can the Preliminary Framework:
- Adequately define outcomes that strengthen cybersecurity and support business objectives?
- Enable cost-effective implementation?
- Appropriately integrate cybersecurity risk into business risk?
- Provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?
- Provide sufficient guidance and resources to aid businesses of all sizes while maintaining flexibility?

Questions from NIST
Will the Discussion Draft:
- Be inclusive of, and not disruptive to, effective cybersecurity practices in use today?
- Enable organizations to incorporate threat information?
Is the Discussion Draft:
- Presented at the right level of specificity?
- Sufficiently addressing unique privacy and civil liberties needs for critical infrastructure?

References
- Executive Order 13636: http://www.whitehouse.gov/the-pressoffice/2013/02/12/executive-order-improving-criticalinfrastructure-cybersecurity
- PPD-21: http://www.whitehouse.gov/the-pressoffice/2013/02/12/presidential-policy-directive-criticalinfrastructure-security-and-resil
- NIST Cybersecurity Framework: http://www.nist.gov/itl/cyberframework.cfm