Helping Utilities with Cybersecurity Preparedness: The C2M2
Transcript of Helping Utilities with Cybersecurity Preparedness: The C2M2
Accelerating Grid Modernization. More information available on SGIP.org
Helping Utilities with Cybersecurity Preparedness: The C2M2
April 23, 2015
WELCOME
Victoria Yan Pillitteri, National Institute of Standards & Technology (NIST), Smart Grid Cybersecurity Committee Chair
April 23, 2015 Helping Utilities with Cybersecurity Preparedness
Accelerating Smart Grid Interoperability
• Advancing grid modernization through standards innovation, gap filling, interface definitions, and the creation of test frameworks.
• Multi-stakeholder community with tight coupling to Standards Setting Organizations (SSOs).
• Disciplined, time-tested processes.
The Smart Grid Interoperability Panel (SGIP) is a consortium that securely accelerates and advances Grid Modernization through interoperability and the leadership talents of its members. SGIP prioritizes the topics and issues set by utilities, independent power producers and industry members, works them through to a solution, and drives innovation in Grid Modernization.
Agenda
• Welcome – Vicky Pillitteri, SGIP
• Main Presentation – Jason D. Christopher, DOE
• Questions & Answers
• SGIP Cybersecurity Update – Vicky Pillitteri
• Closing Reminders – Vicky Pillitteri
This meeting, and all SGIP activities, are governed by SGIP By-laws and policies - Intellectual Property Rights Policy and Antitrust Policy.
CYBERSECURITY CAPABILITY MATURITY MODEL UPDATE
Jason D. Christopher, US Department of Energy
Defining Security
Aligning DOE Activities
• Build a Culture of Security: Training; Education; Improved communication within industry
• Assess and Monitor Risk: Electricity Subsector Cybersecurity Capability Maturity Model; Situational Awareness Tools; Common Vulnerability Analysis; Threat Assessments; Consequence Assessments
• Develop and Implement New Protective Measures to Reduce Risk: Support Cybersecurity Standards Development; Near-term industry-led R&D projects; Mid-term laboratory/academia R&D projects; Long-term laboratory/academia R&D projects
• Manage Incidents: NSTB (National SCADA Test Bed); Outreach; Cyber Exercises
• Sustain Security Improvements: Product upgrades to address evolving threats; Collaboration among all stakeholders to identify needs and implement solutions
Introduction to the C2M2 Program
• Since June 2012, hundreds of organizations have used the C2M2.
• DOE has facilitated self-evaluations for utilities servicing an estimated 39 million US consumers.
• Recently expanded to include oil & natural gas organizations, as well as stakeholders beyond the energy sector.
C2M2 Program
• ES-C2M2: Public-private collaborative effort; sector-specific subject matter expertise; pilot evaluations
• ONG-C2M2: Tested and refined for ONG through ONG pilot evaluations across upstream, midstream, and downstream ONG companies
• C2M2: Without sector-specific references or terms of art; refined through the ONG pilots, and also via cross-sector outreach
The Approach: Maturity Model
Maturity Model Definition:
• An organized way to convey a path of experience, wisdom, perfection, or acculturation.
• The subject of a maturity model can be an object or things, ways of doing something, characteristics of something, practices, or processes.
Progression Model Examples (each listed from lowest to highest)
• Progression for Counting: Fingers → Pencil and paper → Abacus → Slide rule → Adding machine → Calculator → Computer
• Progression for Authentication: Passwords → Strong passwords → Passwords change every 60 days → Two-factor authentication → Three-factor authentication
• Progression for Human Mobility: Crawl → Walk → Jog → Run → Sprint → Fly
Capability Model Examples (each listed from lowest to highest)
• Example 1: Practices are ad hoc → Practices are managed → Practices are defined → Practices are quantitatively managed → Practices are optimized
• Example 2: Practices are initiated → Practices are performed → Practices are managed → Practices are internally integrated → Practices are externally integrated
• Example 3: Practices are incomplete → Practices are performed but ad hoc → Practices are planned → Practices are managed → Practices are measured → Practices are defined → Practices are shared
C2M2 Domain Descriptions
• RM: Risk Management – Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk
• ACM: Asset, Change, and Configuration Management – Inventory, manage changes to, and manage configuration of technology assets, including OT (operations technology), IT (information technology), hardware, and software
• IAM: Identity and Access Management – Create and manage identities for entities that may be granted logical or physical access to assets and control such access
• TVM: Threat and Vulnerability Management – Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities
• SA: Situational Awareness – Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information to form a common operating picture (COP)
• ISC: Information Sharing and Communications – Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience
• IR: Event and Incident Response, Continuity of Operations – Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout such events
• EDM: Supply Chain and External Dependencies Management – Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities
• WM: Workforce Management – Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel
• CPM: Cybersecurity Program Management – Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for cybersecurity activities
C2M2 Model Architecture
10 Model Domains: logical groupings of cyber security practices — activities that protect operations from cyber-related disruptions
• RM: Risk Management
• ACM: Asset, Change, and Configuration Management
• IAM: Identity and Access Management
• TVM: Threat and Vulnerability Management
• SA: Situational Awareness
• ISC: Information Sharing and Communications
• IR: Event and Incident Response, Continuity of Operations
• EDM: Supply Chain and External Dependencies Management
• WM: Workforce Management
• CPM: Cybersecurity Program Management
4 Maturity Indicator Levels:
• MIL 0: no practices
• MIL 1 (beginning): MIL 1 practices
• MIL 2 (intermediate): MIL 2 practices
• MIL 3 (advanced): MIL 3 practices
Each domain includes a progression of practices from MIL 1 to MIL 3.
MIL 1 practices are basic activities that any organization may perform; these are the starting blocks.
MIL 2 & 3 practices are progressively more complete, advanced, and ingrained; target levels should be set for each domain based on risk tolerance and threat environment.
Organization of a Domain
The model contains 10 domains. Each domain has:
• Approach Objectives: one or more per domain, unique to each domain. Approach objectives are supported by a progression of practices that are unique to the domain: practices at MIL1, MIL2, and MIL3.
• Management Objective: one per domain, similar in each domain. Each management objective is supported by a progression of practices that are similar in each domain and describe institutionalization activities: practices at MIL2 and MIL3.
C2M2 Evaluation Tool & Method
• Since the program’s inception, DOE has maintained a free tool for organizations to perform a C2M2 self-evaluation
• C2M2 self-evaluation workshops can be completed in a single day with appropriately limited scope
• Output graphically summarizes implementation status for each of the 312 practices in the model
Summary Results — example. Donut chart key:
• Total number of practices represented by the donut
• Number of Fully Implemented practices
• Number of Largely Implemented practices
• Number of Partially Implemented practices
• Number of Not-Implemented practices
NIST Cybersecurity Framework & C2M2
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, Section 8(b): “Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.”
• Working with stakeholders from the sector, DOE collaborated to develop an implementation guidance document addressing how C2M2 supports framework implementation.
• Available for download at: http://energy.gov/oe/downloads/energy-sector-cybersecurity-framework-implementation-guidance
NIST Cybersecurity Framework
Core
• Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
• Categories
• Subcategories
• Informative References
Tiers
• Tier 1: Partial – Ad hoc risk management; limited cybersecurity risk awareness; low external participation
• Tier 2: Risk Informed – Some risk management practices; increased awareness, no program; informal external participation
• Tier 3: Repeatable – Formalized risk management; organization-wide program; receives external partner info
• Tier 4: Adaptive – Adaptive risk management practices; cultural, risk-informed program; actively shares information
Profile
• Current Profile: Current state of alignment between Core elements and organizational requirements, risk tolerance, & resources. Where am I today relative to the Framework?
• Target Profile: Desired state of alignment between Core elements and organizational requirements, risk tolerance, & resources. Where do I aspire to be relative to the Framework?
• Roadmap
Framework Process
• Step 1: Prioritize and Scope
• Step 2: Orient
• Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
• Step 6: Determine, Analyze, and Prioritize Gaps
• Step 7: Implement Action Plan
C2M2 as a Framework Enabler
Framework step → C2M2 output
• Step 1: Prioritize and Scope; Step 2: Orient → Select in-scope assets and requirements
• Step 3: Create a Current Profile → Perform C2M2 self-evaluation using C2M2 tool
• Step 4: Conduct a Risk Assessment → Evaluate risk based on C2M2 output
• Step 5: Create a Target Profile → Create target profile based on C2M2
• Step 6: Determine, Analyze, and Prioritize Gaps → Prioritize action plan to achieve target profile
• Step 7: Implement Action Plan → Implement the plan, use CSF & C2M2 guidance
Source: Axio Global
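As an added example (not code from the deck, DOE, or the C2M2 toolkit), the Python below scores a constructed self-evaluation the way the donut-chart summary and Framework Step 6 (prioritizing gaps against the target profile) consume it. The MIL-achievement rule, the sample records, the practice ids and the per-domain target levels are all assumptions.

```python
"""Added example (not the deck's or DOE's code): score a constructed C2M2 self-evaluation.
Assumption (C2M2 toolkit convention): a domain reaches a MIL only when every practice
at that MIL and at all lower MILs is Fully or Largely Implemented."""
from collections import Counter

STATUSES = ("Fully Implemented", "Largely Implemented",
            "Partially Implemented", "Not Implemented")
ACHIEVED = {"Fully Implemented", "Largely Implemented"}
# Constructed sample records: (domain, MIL, practice id, status).
# Practice ids are illustrative placeholders, not the model's own numbering.
SAMPLE = [
    ("RM", 1, "RM-1a", "Fully Implemented"),
    ("RM", 1, "RM-1b", "Largely Implemented"),
    ("RM", 2, "RM-2a", "Fully Implemented"),
    ("RM", 2, "RM-2b", "Not Implemented"),
    ("IR", 1, "IR-1a", "Fully Implemented"),
    ("IR", 2, "IR-2a", "Fully Implemented"),
    ("IR", 2, "IR-2b", "Largely Implemented"),
    ("IR", 3, "IR-3b", "Partially Implemented"),
]
# Constructed target MILs, set per domain from risk tolerance and threat environment.
TARGETS = {"RM": 2, "IR": 3}

def donut_summary(records, domain):
    """The counts behind one domain's donut: each status plus the total."""
    counts = Counter(s for d, _, _, s in records if d == domain)
    summary = {s: counts.get(s, 0) for s in STATUSES}
    summary["total"] = sum(counts.values())
    return summary

def achieved_mil(records, domain):
    """Highest MIL at which this MIL's and every lower MIL's practices are achieved."""
    level = 0
    for mil in (1, 2, 3):
        practices = [s for d, m, _, s in records if d == domain and m == mil]
        # A level with no evaluated practices, or any unachieved one, stops the climb.
        if not practices or any(s not in ACHIEVED for s in practices):
            break
        level = mil
    return level

def gap_report(records, targets):
    """Step 6 input: achieved vs target MIL per domain and the practices blocking it."""
    report = {}
    for domain, target in targets.items():
        achieved = achieved_mil(records, domain)
        blocking = [p for d, m, p, s in records
                    if d == domain and achieved < m <= target and s not in ACHIEVED]
        report[domain] = {"achieved": achieved, "target": target, "blocking": blocking}
    return report
```

The blocking list is what gets prioritized into the action plan: each entry is a practice at or below the target MIL that is not yet Fully or Largely Implemented.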
C2M2 Mapping to CSF
• CSF Core (Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER; Categories; Subcategories; Informative References) ↔ C2M2 Practices at MIL 1, MIL 2, and MIL 3
• CSF Tiers (Tier 1: Partial; Tier 2: Risk Informed; Tier 3: Repeatable; Tier 4: Adaptive) ↔ C2M2 Practices at MIL 1, MIL 2, and MIL 3
Defining Security
Resources
• Cybersecurity Framework and supporting materials: http://www.nist.gov/itl/cyberframework.cfm
• NIST Computer Security Resource Center: http://csrc.nist.gov/
• C3 Voluntary Program: www.dhs.gov/ccubedvp
• C2M2 Program: http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program
QUESTIONS?
Jason D. Christopher, [email protected]
Resource emails: [email protected]; [email protected]
SGCC UPDATE
Victoria Yan Pillitteri, National Institute of Standards & Technology (NIST), Smart Grid Cybersecurity Committee Chair
Cybersecurity Committee
The SGIP Cybersecurity Committee is a collaborative forum that develops resources that smart grid stakeholders can leverage to help understand and manage cybersecurity risk.
Cybersecurity is a critical, cross-cutting issue for the Smart Grid.
2015 Progress
• Cybersecurity Frameworks Case Study
• Privacy Awareness Self-Assessment
• Published:
  – Risk Management Process Case Study
• Continue:
  – Collaboration with other smart grid and energy sector communities/groups
  – Cybersecurity reviews for SGIP Catalog of Standards
To learn more contact: [email protected]
SGIP Reminders
• May 12: Engaged in Conversation: Grid 3.0
  – Register at SGIP.org/Webinars
• Past webinars and publications available on SGIP.org under “Information Knowledge Base”
• Stay in Touch
  – Twitter: @SGIPNews
  – Join our LinkedIn Group
  – Sign up for SGIP Newsletter, The Conductor
THANK YOU FOR YOUR PARTICIPATION
A FOLLOW-UP EMAIL WILL BE SENT WITH LINK TO RECORDING AND SUPPORTING MATERIALS