
Page 1

AGA Cybersecurity Leadership
• Jim Linn, Managing Director, Information Technology
• Rebecca Massello, Security and Operations Manager
• John Bryk, (contractor) DNG ISAC

Cybersecurity Issues and Impact on Utilities

AGA Cybersecurity Leadership

SEPTEMBER 24, 2015

Page 2

• AGA Cybersecurity Leadership
• AGA Cybersecurity Ramp-Up
• AGA Cybersecurity Strategy Task Force
• AGA Cybersecurity Initiatives
• ONG-C2M2 Reviews and Workshops
• DNG-ISAC Update and Status
• AGA Cybersecurity Legislative and Regulatory Update

Page 3

Cybersecurity

Cyber threats are real and unrelenting for all critical infrastructure. The natural gas industry must continue to employ prudent policies and practices to help ensure the resiliency and safety of natural gas systems.

Protecting Natural Gas Systems: The Oil & Natural Gas Sector Coordinating Council Cybersecurity Working Group, chaired by AGA, is an operators’ forum supported by DOE, in coordination with DHS, to promote effective cybersecurity strategies and activities, policy and communication across the oil and natural gas sector to achieve the nation’s homeland security mission.

Page 4

AGA Cybersecurity Ramp-Up
• Status prior to 2012
• And then the world changed

Page 5

AGA Cybersecurity Ramp-Up (continued)
• AGA Board briefed by Eric Cornelius, then of US-CERT
• AGA Leadership commissions AGA Cyber Team
  • Brian Caudill, Senior Director, Federal Affairs
  • Kimberly Denbow, Engineering Services Director
  • Jim Linn, Managing Director, Information Technology
  • Rebecca Massello, Security and Operations Manager
  • John Bryk, (contractor) DNG ISAC Threat Analyst
• AGA Board Cybersecurity Plan of Action
  • Review and provide guidance on cybersecurity assessments
  • Educate members and facilitate best practices sharing
  • Educate stakeholders and advocate

Page 6

AGA Cybersecurity Strategy Task Force
• AGA Board prescribes initiation of Cybersecurity Strategy Task Force
• AGA Cybersecurity Strategy Task Force (CSTF)
  • Information Technology – CIOs
  • Information Security – CISOs
  • Physical Security – CSOs
  • Natural Gas Security – SCADA
  • Natural Gas Operations – Gas Control
• CSTF to date
  • Directs AGA Cybersecurity efforts
  • Supply Chain Workshop
  • Cyber Threat Workshop

Page 7

AGA Cybersecurity Initiatives
• AGA leads Cybersecurity Working Group of Oil & Natural Gas Sector Coordinating Council
• AGA participates on DHS Industrial Control Systems Joint Working Group Steering Team
• AGA Cybersecurity Strategy Task Force Initiatives
  • Cybersecurity Threat Analysis Project
  • Procurement Language Project
  • Insider Threat Workshop
• Department of Energy ONG-C2M2 Reviews and Workshops
• Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) Development

Page 8

ONG-C2M2 Reviews and Workshops
• Initiative began with desire to understand cybersecurity preparedness at AGA small member companies
• Considered building our own tool
• Success of Electric Sector – Cybersecurity Capability Maturity Model
• Release of Department of Energy Oil and Natural Gas Sector – Cybersecurity Capability Maturity Model
• Reviews at four AGA member companies
• Regional reviews
  • Mid-Atlantic at LG&E
  • West at Questar
  • North-East at Central Hudson
  • Mid-West at We Energies
• AGA recommends members use the ONG-C2M2 and evaluate and act on its findings

Page 9

What is the ONG-C2M2?

A model and evaluation method that supports ongoing evaluation and improvement of cybersecurity capabilities within the ONG subsector.

Objectives
• Strengthen cybersecurity capabilities in the ONG subsector.
• Enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities.
• Share knowledge, best practices, and relevant references within the subsector as a means to improve cybersecurity capabilities.
• Enable ONG organizations to prioritize actions and investments to improve cybersecurity.

Page 10

ONG-C2M2 Model Overview

10 Model Domains: logical groupings of cyber security practices — activities that protect operations from cyber-related disruptions
• RM – Risk Management
• ACM – Asset, Change, and Configuration Management
• IAM – Identity and Access Management
• TVM – Threat and Vulnerability Management
• SA – Situational Awareness
• ISC – Information Sharing and Communications
• IR – Event and Incident Response, Continuity of Operations
• EDM – Supply Chain and External Dependencies Management
• WM – Workforce Management
• CPM – Cybersecurity Program Management

4 Maturity Indicator Levels
• MIL0 – No practices
• MIL1 (beginning) – MIL 1 practices
• MIL2 (intermediate) – MIL 2 practices
• MIL3 (advanced) – MIL 3 practices

Each domain includes a progression of practices from MIL1 to MIL3.

MIL1 practices are basic activities that any organization should perform; these are the starting blocks.

MIL2 & MIL3 practices are progressively more complete, advanced, and ingrained; target levels should be set for each domain based on risk tolerance and threat environment.

Page 11

Domain: TVM: Threat and Vulnerability Management
Objective: 2. Reduce Cybersecurity Vulnerabilities
Practice: TVM-2g. Cybersecurity vulnerabilities are addressed according to the assigned priority
Notes: (blank)

Page 12

Observations
• The ONG-C2M2 helped each participant company better understand its cybersecurity capability maturity level, both validating many cybersecurity practices and identifying areas for improvement
• Generally the strongest domains were Asset, Change and Configuration Management and Identity and Access Management
• Generally the weakest domain was Supply Chain and External Dependencies Management
• Participating companies received a range of overall scores
• The review process brings together information technology professionals and operational technology professionals in an environment to discuss and review cybersecurity

Page 13

Recommendations for Participants
• Close maturity level one gaps
• Evaluate maturity level two and maturity level three gaps for closure
• Institutionalize the cybersecurity program
  • Ensure cybersecurity is governed by policy
  • Ensure company leadership guides cybersecurity governance
• Supply chain management has been identified as the culprit for a number of successful cybersecurity compromises in other industries
• Prioritize separation of Information Technology networks from Operational Technology networks
• Repeat the ONG-C2M2 review
  • Review / Identify Gaps / Prioritize and Plan / Close Gaps / Repeat

Page 14

The DNG ISAC is an online platform that will help natural gas utilities share and access timely, accurate and relevant threat information and further enhance the security of natural gas utilities.

In 2014, AGA launched the Downstream Natural Gas Information Sharing and Analysis Center.

“Information sharing is a fundamental pillar of a robust cyber and physical defense effort. The DNG ISAC is tailored to address the distinct operational needs of the downstream natural gas sector and provides the technological sophistication and coordination necessary to meet the ever-changing threats of the 21st century.”

Dave McCurdy, AGA President and CEO

Page 15

Update and Status
• The DNG ISAC, Downstream Natural Gas Information Sharing and Analysis Center, is the downstream natural gas industry’s resource for cyber and physical threat intelligence analysis and sharing
• It was created for the natural gas industry and operates as a nonprofit entity
• The DNG ISAC speeds security alerts to multiple recipients near-simultaneously while providing for user authentication and secure information sharing
• The DNG ISAC employs one full-time threat analyst
• The DNG-ISAC coordinates very closely with the Electric Sector Information Sharing and Analysis Center (ES-ISAC) and shares information back and forth between electric, combination (natural gas and electric) and natural gas utilities
• The DNG ISAC is a member of the National Council of ISACs, which facilitates information sharing among other critical infrastructure sectors

Page 16

Legislative Update
• AGA considers cybersecurity a top public policy priority. For the past 5-6 years we have worked individually and as part of broader utility and multi-industry coalitions to draft and pass cybersecurity information sharing legislation that matches our goals:
  • Participation is voluntary. Companies must not be forced to participate.
  • No top-down regulatory mandates. A prescriptive information sharing program will morph into a compliance program as opposed to a true cybersecurity program.
  • Industry receives liability protections for participating in an information sharing program.
• AGA maintains its security partnership with DHS. AGA has worked hand-in-glove with DHS since 9/11 to ensure our systems and infrastructure are safe from attack. We oppose any cyber program that would impede or replace that relationship with another agency.

Page 17

Legislative Update – House and Senate
• In the current Congress the House has passed cybersecurity information sharing legislation, the National Cybersecurity Prevention Advancement Act. Companion legislation in the Senate, the Cybersecurity Information Sharing Act, passed the Senate Intelligence Committee by a 14-1 vote and awaits Floor time. Both bills feature similar elements:
  • Voluntary participation in cyber information sharing program
  • Liability, regulatory, and information security protections for companies that participate in the program
  • DHS will act as the public-private information sharing conduit
  • Privacy of data – particularly personally identifiable information – is protected

Page 18

Legislative Update – Status
• The Senate remains a frustration. The online privacy community has had some success in convincing a few Senators that CISA is less a cyber information sharing bill than it is a domestic surveillance bill. This is wrong-headed, but the tactic has had some political effect. AGA and all other critical infrastructure entities are continuing to push hard for CISA to get Floor time.
• AGA is cautiously optimistic that if CISA sees Floor time in the Senate, it has the votes to pass. Should that happen, CISA will move to conference with the House-passed bill and a joint House-Senate “conference committee” will hammer out a final product to pass and present to the President. The Administration has - thus far - voiced quiet support for information sharing legislation. We are hopeful he would sign a final product into law.
• Questions: Brian Caudill, AGA Federal Affairs ([email protected])

Page 19

Jim Linn, Managing Director, Information Technology
[email protected]

Find Us Online

www.aga.org

www.truebluenaturalgas.org

http://twitter.com/naturalgasflk

www.facebook.com/naturalgas

www.linkedin.com/company/50905?trk=tyah