Cybersecurity Special Public Meeting/Commission Workshop ...
Transcript of Cybersecurity Special Public Meeting/Commission Workshop ...
![Page 1: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/1.jpg)
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities
September 12, 2019
![Page 2: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/2.jpg)
Planning - Governance
Governance structure (organization chart):
o Board of Directors
o CIO / CSO
o Director of Infrastructure and Security
o Sr. Security Manager
o Enterprise Security Committee
o Security Workgroups
Also shown on the chart: Guest Speakers, Regular Reporting, Conferences
![Page 3: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/3.jpg)
Planning - Governance
Enterprise Security Committee
Members
o Dir. of Transmission Ops
o Dir. of IT and Security
o Dir. of Generation & Production
o Mgr. of Reliability Compliance
o Dir. of Corporate Communications
o Dir. of Electrical Engineering
o Sr. Legal Counsel
o Dir. Human Resources
o Dir. Environmental Affairs
o Dir. of Planning & Asset Management
o Dir. of Natural Gas
Structure shown: Enterprise Security Committee, with its Work Groups beneath it.
![Page 4: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/4.jpg)
Planning - Security Staff
Sr. Security Manager, with the following positions (count of positions shown on the chart in parentheses):
o Physical Security (2)
o Business Continuity / Emergency Management (2)
o Security Architect (1)
o Security Engineer (8)
o Security Engineer - SCADA (1)
o Security Engineer - Compliance (1)
o Security Team Lead (1)
o Access Administration (3)
o Security Analyst (4)
Legend: 2019 - New Staff / Existing Staff
![Page 5: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/5.jpg)
Planning – Policy
o Introduction and Scope
  o Introduction
  o Scope
  o Exceptions to the Cyber Security Policy
  o Security Risk Management
  o Security Awareness
  o Incident Response Management
  o Information Management
o 100 - Physical Security Policy
  o 100 - Policy Objective
  o 100 - Policy Statements
  o 100.1 Physical Security
o 200 - Exception Request Policy
  o 200 - Policy Objective
  o 200 - Policy Statements
  o 200.1 Exception Request Policy
o 300 - Access Control Policy
  o 300 - Policy Objective
  o 300 - Policy Statements
  o 300.1 Access Control
  o 300.2 Separation of Duties
  o 300.3 Account Management
  o 300.4 Password Management
  o 300.5 Account Time-outs
o 400 - Configuration Management Policy
  o 400 - Policy Objective
  o 400 - Policy Statements
  o 400.1 Change Management
  o 400.2 Patch Management
o 500 - System Acquisition, Development & Maintenance Policy
  o 500 - Policy Objective
  o 500 - Policy Statements
  o 500.1 System Assessments
  o 500.2 System Acquisition
  o 500.3 System Development
  o 500.4 System Maintenance
o 600 - System and Information Protection Policy
  o 600 - Policy Objective
  o 600 - Policy Statements
  o 600.1 Anti-Virus Software
  o 600.2 Network Protection
  o 600.3 Encryption
  o 600.4 File Integrity Monitoring (FIM)
  o 600.5 Authorized and Unauthorized Devices
  o 600.6 Secure Configurations for Avista Systems
  o 600.7 Wireless Device Control
  o 600.8 Secure Communications
  o 600.9 Audit Logs
  o 600.10 Audit Log Storage
  o 600.11 Time Synchronization
  o 600.12 Logon Banner
  o 600.13 Media Protection
![Page 6: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/6.jpg)
Standards - Cyber Security Framework
People, Process, Technology
The five framework functions and their categories (the NIST Cybersecurity Framework core):
o Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
o Protect: Access Control; Awareness & Training; Data Security; Information Protection & Procedures; Maintenance; Protective Technology
o Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
o Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
o Recover: Recovery Planning; Improvements; Communications
![Page 7: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/7.jpg)
Standards – Effectiveness
Maturity Analysis
Chart: each cybersecurity domain (grouped by framework function: Identify, Protect, Detect, Respond, Recover) is rated on a five-level maturity scale: Initial, Managed, Defined, Predictable, Optimized. Each row marks a Current State and a Desired/Target State; the ratings themselves are only shown graphically.
Domain rows shown:
o Protect: Access Control; Awareness & Training; Data Security; Information Protection & Procedures; Maintenance; Protective Technology
o Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
o Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
o Recover: Recovery Planning; Improvements; Communications
Legend: Current State / Desired/Target State
![Page 8: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/8.jpg)
Reporting
o Cybersecurity reporting
![Page 9: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/9.jpg)
Partnerships
![Page 10: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/10.jpg)
Procurement
• Vendor and device selection
• RFP, contract and procurement language
• Security reviews
• Background checks
  • Employees
  • Vendors
![Page 11: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/11.jpg)
Risk Management
• Maturity models / best practices
• Vulnerability assessments
  • Internal
  • External
• Risk prioritization (future)
  • What is my exposure in financial terms?
  • How should I manage my cyber program?
  • Do I have the financial ability to recover from an event?
  • Where should I invest?
![Page 12: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/12.jpg)
Response & Recovery
• Response and recovery plans
• Responsibility
• Exercises
• Sharing & mutual defense
• Communication plan to address customer perceptions
![Page 13: Cybersecurity Special Public Meeting/Commission Workshop ...](https://reader031.fdocuments.us/reader031/viewer/2022020917/61bd236161276e740b0fbf80/html5/thumbnails/13.jpg)
Questions?