Cyber Security Requirements for Supply Chain. June 17, 2015

Similar documents
PSEG Nuclear Cyber Security Supply Chain Guidance

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Why you should adopt the NIST Cybersecurity Framework

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

NW NATURAL CYBER SECURITY 2016.JUNE.16

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Medical Device Cybersecurity: FDA Perspective

External Supplier Control Obligations. Cyber Security

Standard Development Timeline

Cybersecurity & Privacy Enhancements

COMPUTER SECURITY DESIGN METHODOLOGY FOR NUCLEAR FACILITY & PHYSICAL PROTECTION SYSTEMS

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Carbon Black PCI Compliance Mapping Checklist

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Continuous protection to reduce risk and maintain production availability

Critical Information Infrastructure Protection Law

INFORMATION ASSURANCE DIRECTORATE

Ongoing EPRI Plant Modernization and Configuration Management Initiatives

INFORMATION ASSURANCE DIRECTORATE

Smart Grid Standards and Certification

TEL2813/IS2621 Security Management

Cyber Security of Industrial Control Systems and Potential Impacts on Nuclear Power Plants

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

NEI [Revision 5] Cyber Security Control Assessments

Securing Industrial Control Systems

Vulnerability Management Policy

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

locuz.com SOC Services

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

The NIS Directive and Cybersecurity in

INFORMATION ASSURANCE DIRECTORATE

Technical Guidance and Examples

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Chapter 1. Chapter 2. Chapter 3

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

NEN The Education Network

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Just How Vulnerable is Your Safety System?

AUTHORITY FOR ELECTRICITY REGULATION

Department of Public Health O F S A N F R A N C I S C O

Status of Cyber Security Implementation at Canadian NPPs

HIPAA Security and Privacy Policies & Procedures

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

Critical Cyber Asset Identification Security Management Controls

CIP Cyber Security Security Management Controls. A. Introduction

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

EVALUATING HOW AN OPERATOR HAS EFFECTIVELY IMPLEMENTED CYBER- SECURITY POLICIES TO MANAGE AND ADMINISTER THE SYSTEM. Wurldtech Security Technologies

Statement for the Record

CYBERSECURITY MATURITY ASSESSMENT

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

Standard Development Timeline

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CIP Cyber Security Systems Security Management

Systems Engineering and System Security Engineering Requirements Analysis and Trade-Off Roles and Responsibilities

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Best Practices in ICS Security for System Operators

CYBER SECURITY POLICY REVISION: 12

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Seagate Supply Chain Standards and Operational Systems

CIP Cyber Security Personnel & Training

Port Facility Cyber Security

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cybersecurity Risk and Options Considered by IMO

Security Standards for Electric Market Participants

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Cybersecurity Auditing in an Unsecure World

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

CCISO Blueprint v1. EC-Council

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

White Paper. View cyber and mission-critical data in one dashboard

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

ISO27001 Preparing your business with Snare

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

New Guidance on Privacy Controls for the Federal Government

CIP Cyber Security Personnel & Training

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Cyber Resilience. Think18. Felicity March IBM Corporation

Standard CIP Cyber Security Critical Cyber Asset Identification

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

DHS Cybersecurity: Services for State and Local Officials. February 2017

Education Network Security

Ensuring System Protection throughout the Operational Lifecycle

NCSF Foundation Certification

University of Pittsburgh Security Assessment Questionnaire (v1.7)

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Transcription:

Cyber Security Requirements for Supply Chain June 17, 2015

Topics Cyber Threat Legislation and Regulation Nuts and Bolts of NEI 08-09 Nuclear Procurement EPRI Methodology for Procurement Something to think about Wrap it up!

????? Is my company s cyber security posture creating a vulnerability for my customer? https://www.youtube.com/watch?v=mp4lwipzcvu 3

Cyber Threat to the critical infrastructure? Premature system failures during usage. Access to otherwise secure systems. By-passes of encryption systems. Intimate access to target systems to inflict damage with malicious intent. 4

Cyber Threat what s reality? manufacturing most targeted sector in 2012, accounting for 24% of all targeted attacks. 1(Symantec) The Energy Sector was the target of 40% of cyber attacks in 2013, according to the Department of Homeland Security. largely from sophisticated, wellheeled nation-states looking to inflict damage. 4 Attackers tend to go after systems that can be successfully compromised, and ICS [industrial control systems] have shown themselves to be a target-rich environment. 2(McAfee) State-sponsored data breaches became the second most common variety of data breaches in 2012, following only organized crime 3(Verizon) https://www.youtube.com/watch?v=7g0pi4j8auq 5

Legislation and Nuclear Regulation Critical Infrastructure Protection (CIP) preparedness and response to serious incidents that involve the critical infrastructure of a region or nation. (Presidential Directive PDD-63 of May 1998) National Institute of Standards and Technology (NIST) Government provided Cyber Security Framework (CSF) to help private industries to voluntarily comply with Presidential Executive Order (EO13636) 10 CFR 73.54 Protection of digital computer and communication systems and networks Provides high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat (DBT) as described in 10CFR73.1. NRC RG 5.71 Cyber Security Programs for Nuclear Facilities provides NRC s approach for how to meet the regulation. NEI 08-09 Cyber Security Plan for Nuclear Power Reactors provides a nuclear industry designed approach to meet the regulation. 6

Integrating Cyber Security into Nuclear RG 5.71/NEI 08-09 establishes part of Cyber Security that will be performance based. Part 73 Part 50 RG 1.152 R3 and Design Basis Defense establishes part of Cyber Security subject to prior NRC approval or 50.59 evaluation. RG 5.71 NEI 08-09 Plan and Controls NEI 08-09 E-11 RG 5.71 C-12 RG 1152R3 2.1-2.5 RG1.152 R3, GDC, DB etc. Section E-11 of the NEI 08-09 and C-12 of the RG 5.71 templates provide procurement criteria to address Intelligent malicious adversaries. Functional Handoff Regulatory Positions 2.1-2.5 of RG 1.152 Revision 3 provide protection from unintentional and undesirable non-malicious events

Nuts and Bolts of NEI 08-09 Cyber Security Plan for Nuclear Power Reactors Protect Detect Respond Mitigate Recover SSEP Safety Important to Safety Security Emergency preparedness, including off-site communications Support systems and equipment that if compromised would adversely impact the SSEP functions. 8

Nuts and Bolts of NEI 08-09 Cyber Security Plan for Nuclear Power Reactors Defensive Architecture Model Layer 0 Internet Layer 1 Intranet Layer 2 Nuclear Business Network Layer 3 Nuclear Plant Network Layers segregated by combinations of firewalls and one-directional diodes. Provides layers of network defense. Layer s 3 and 4 acquire physical security by placing these networks into the Protected Area. Layer 4 Nuclear Critical Networks Design criteria must ensure by-pass configurations are not introduced to the architecture. 9

Nuts and Bolts of NEI 08-09 Cyber Security Plan for Nuclear Power Reactors Risk Vector Identification NEI 08-09 recognized risk vectors presenting a vulnerability to the plant critical systems and critical digital assets (CDAs). All except Supply Chain can be managed and controlled independently by the utility. Supply Chain requires a trustworthy relationship based on shared responsibility for cyber security. 10

Nuclear Procurement Component Procurement COTS transactions Shrink-wrapped products Limited/no after sales support Limited/no direct knowledge of the design criteria. Relationship is with a distributor of varying credibility rather than the manufacturer. Distribution Reliability Procurement Contract Specifications Acceptance Criteria Access to service and support Relationship is with the manufacturer or authorized distributor Rogue Trusted Trustworthy

Nuclear Procurement NEI 08-09 Cyber Security Plan for Nuclear Power Reactors Black Box procurement has been replaced... with New Expectations for Nuclear Plants Trusted Distribution paths Vendor Validation Acceptance testing to ensure cyber integrity Controls based on vendor supply chain credibility Audits to ensure cyber controls remain in place Awareness of relevant developing threats Rigorous change management and Vendors & Distributors Trusted distribution paths Tamper proof products or tamper evident seals Sub-contractor and distributor audit validation and Manufacturers & Software Developers Trustworthiness of software developers Security controls integrated at design and development Testing of security controls performed by developers and integrators 12 12

Nuclear Procurement A Path for Component Procurements Plant Procedures and Processes Procurement Orders Baseline Configuration Data Assurance of cyber security integrity Audit records of supply chain integrity Baseline documentation Software version and patch numbers. Check and hash tag data Results of virus scanning performed prior to shipping Configurations describing switch settings, board drawings, internal component serial numbers, parts manufacturer, etc. Description and results of any validation processes applied that confirms component is not counterfeit or compromised. Utilization of a serialized, tamper evident shipping method. Deny receipt of components that appear to be compromised or data is not provided to support the receipt inspection and testing requirements. Plant conduct rigorous receipt inspection and component testing against the technical data provided and any US-Cert notifications identified. 13

Nuclear Procurement A Path for Future Contracts Plant Procedures and Processes Procurement Contracts Implement Safety and Security Procurement Requirements within contracts Conduct cyber aware regulatory reviews and evaluations Follow ISG-06 processes where applicable Contractor Procedures and Processes Vendor established Development Environment including Protected Enclaves meet contract requirements for a Secure Development and Operational Environment (SDOE) Vendor assessments of their Development Environment including audit results available for review 14

UP NEXT EPRI Procurement Methodology 15

Cyber Security Procurement Portfolio Cyber Security Procurement Methodology, Rev. 1-3002001824 Cyber Security Procurement, First Example: Digital Valve Controller -3002003257 Cyber Security Procurement, Second Example: Feedpump TCS - 3002001823 Cyber Security Procurement, Third Example: Digital Feedwater Control -3002002069 Cyber Security Procurement CBT Rev 14.00-3002002499 16

EPRI Procurement Methodology Four Step Method guides the development of Cyber Procurement Specification. Specification results intersect with Utility design and procurement processes Allocates requirements between Utilities and vendors Inventory of controls applied to procurement reduced. 17

EPRI Procurement Methodology Use Case STEP 2 SPECIFICATION DEVELOPMENT 2.1 Determine the Type of Purchase 2.2 2.3 2.4 2.5 Develop/Clarify the Use Case, Data Flow, and Access Points Determine the Security Controls for the Use Case Establish Owner/Operator and Supplier Responsibilities Develop System/Component Specification 18

EPRI Procurement Methodology Purchase Type 19

EPRI Procurement Methodology Controls Allocation STEP 2 SPECIFICATION DEVELOPMENT 2.1 Determine the Type of Purchase 2.2 2.3 2.4 2.5 Develop/Clarify the Use Case, Data Flow, and Access Points Determine the Security Controls for the Use Case Establish Owner/Operator and Supplier Responsibilities Develop System/Component Specification Eliminate: Common Security Controls. Not Applicable (NA) to Use Case and Data Flow Implemented by the Owner Determine: Shared security controls Supplier responsibility 20

EPRI Procurement Methodology Create Specification STEP 2 SPECIFICATION DEVELOPMENT 2.1 Determine the Type of Purchase 2.2 2.3 2.4 2.5 Develop/Clarify the Use Case, Data Flow, and Access Points Determine the Security Controls for the Use Case Establish Owner/Operator and Supplier Responsibilities Develop System/Component Specification 21

EPRI Procurement Methodology Requirement Reduction Example Total # of Security Controls Component Subset of Security Controls that Apply Example 1 Digital Valve Controller 145 Controller 35 Configuration Software 65 Example 2 Feedpump Turbine Speed Control Upgrade 135 Governor Positioner Governor Software Positioner Software 46 46 Hardware Components 72 Example 3 Digital Feedwater Upgrade 145 Engineering & Maintenance Workstation with Software 85 HSI Configuration Data 40 22

EPRI Procurement Methodology Example 1: Digital Valve Controller Guidance for a low complexity component Introduces the interplay between internal architecture functions of the component Introduces external dependencies such as the programming devices and portable media. Justifies the smallest subset of controls (~70 100) 3002003257 23

EPRI Procurement Methodology Example 2: Feedpump Turbine Speed Control Guidance for a medium complexity subsystem Introduces networks and multi-device interfaces. Reinforces the need to address external dependencies such as the engineering workstations and portable media. Justifies the smallest subset of controls (~140) 3002001823 24

EPRI Procurement Methodology Example 3: Digital Feedwater Control Guidance for high complexity system Expands on network and interface management Introduces server and operator workstation requirements. Covers communications to the Business network and higher Enterprise functions such as historians. Illustrates the most comprehensive inventory of controls (>200) 3002002069 25

Cyber Security Procurement Pilots- 2014 The project results include five (5) low to high complexity pilots. A total of 31 lessons learned are documented in the report Insights will be used to revise Cyber Security Procurement Methodology, Revision 1 CBT training was leveraged for the Pilots Information on Secure Development and Operations Environments(SDOE) was identified for addition. 3002003255 26

Something to think about Cyber is not just nuclear All critical infrastructure has the same requirements Only the method for meet the requirements may look different. Are you confident that the products carrying your company s name are of the quality advertised? How is your company vetting the products you provide? How can you prove it to me every time we perform a business interaction? 27

Wrap it up Questions Comments????? 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback