MRO SAC and CMEPAC Webinar Webinar - Industr… · Valerie Agnew, Program Manager, Compliance,...

MRO SAC and CMEPAC Webinar “Industry Organizations' Aligned Approach for Supply Chain Cyber Security” Valerie Agnew, Program Manager, Compliance, North American Transmission Forum (NATF) Tony Eddleman, NERC Compliance Manager, Nebraska Public Power District/MRO SAC Member Mahmood Safi, NERC Compliance Manager, Omaha Public Power District/MRO CMEPAC Member Michael Spangenberg, MRO CIP Risk Assessment & Mitigation Engineer April 8, 2020


MRO SAC and CMEPAC Webinar

“Industry Organizations' Aligned Approach for Supply Chain Cyber Security”

Valerie Agnew, Program Manager, Compliance, North American Transmission Forum (NATF)

Tony Eddleman, NERC Compliance Manager, Nebraska Public Power District/MRO SAC Member

Mahmood Safi, NERC Compliance Manager, Omaha Public Power District/MRO CMEPAC Member

Michael Spangenberg, MRO CIP Risk Assessment & Mitigation Engineer

April 8, 2020

MRO SAC Update

• MRO SAC Quarter 2 Meeting on June 24, 2020 (In Person or Via WebEx) REGISTRATION IS NOW OPEN!
• MRO Regional Security Risk Assessment will be in place of the MRO SAC Quarter 3 Meeting on October 8, 2020 (In Person Only and Registration is not open)
• MRO SAC Quarter 4 Meeting on November 5, 2020 (Via WebEx) REGISTRATION IS NOW OPEN!
• MRO Security Conference October 7, 2020

Industry Organizations' Aligned Approach for Supply Chain Cyber Security
MRO SAC Webinar NERC Supply Chain
April 8, 2020

Valerie Agnew
Program Manager, Compliance
North American Transmission Forum

Tony Eddleman
NERC Compliance Manager
Nebraska Public Power District

Supply Chain Risk Management Regulatory Requirements

• The Federal Energy Regulatory Commission (FERC) approved new Supply Chain Risk Management requirements and these will be effective on July 1, 2020
▫ CIP-013-1 (new); CIP-005-6 (updated); CIP-010-3 (updated)
▫ Initial scope is limited to Control Centers and more impactful substations and generators

Overview

• MRO SAC and CMEPAC Webinar (March 18, 2020)
▫ New and Updated NERC Reliability Standards
▫ NERC Website Resources
▫ NERC Supply Chain Working Group (SCWG) Security Guidelines
▫ North American Transmission Forum (NATF)
▫ Future Directions
• Today
▫ Deeper Dive into Industry Organizations' Aligned Approach

Industry Coordinated Supply Chain Activities

Open Distribution
Copyright © 2020 North American Transmission Forum. Not for sale or commercial use. All rights reserved.

Community Confidentiality Candor Commitment

Objectives for Today’s Webinar

Provide an overview of the Supplier Cyber Security Assessment Model

• Convergence on use of the Model
• How the Model Works
• Contributing Organizations
• Where to find information

Overview - Objectives of Supply Chain Activities

Industry Convergence
• Achieve industry convergence on the approach (Model) to facilitate addressing the following objectives

Security
• Identifying and addressing cyber security risks introduced via supply chain

Efficiency and Effectiveness
• Convergence on common approaches to achieve reasonable assurance of suppliers’ security practices

Compliance
• Implementation guidance to meet supply chain related CIP standards (CIP-013-1; CIP-005-6 R2.4; CIP-010-3 R1.6)

Overview – Build on existing Supply Chain Work

Overview - Supply Chain Activities to Date

• June 2019: NATF Criteria Version 0
• July 2019: NATF Criteria Application Guide
• October 2019: NATF Proof of Concept Team Strawman
• December 2019: Industry Organizations’ Team alignment on Supplier Assessment Model
• January 30: NATF Criteria Refinement, EEI Procurement Language Refinement
• In Progress: Questionnaire, Additional Projects

NATF Supply Chain Criteria Team
NATF Proof of Concept Team
NATF-led Industry Organizations Team
NATF Supply Chain Steering Team

Alignment of Organizations

A list of participating organizations is available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination

Value Proposition

• Broader than Industry Organizations
• The Supplier Cyber Security Assessment Model and complementary products provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices, which, if applied widely, will
▫ reduce the burden on suppliers,
▫ provide entities with more and better information and
▫ improve cyber security.

Industry Organization Team Members

Organizations, Forums and Working Groups
• EEI
• LPPC
• APPA
• TAPS
• NAGF
• NAESB
• ConEd Working Group
• SCWG/CIPC
• NERC CCC
• NRECA

Suppliers
• ABB
• GE Grid Software Solutions
• OSI
• Siemens Industry, Inc.
• Schneider Electric
• Schweitzer Engineering

Third-Party Assessors
• Ernst & Young
• KPMG LLP
• PWC
• Deloitte

Vendor Organizations for support products or services
• EPRI
• Fortress/A2V

How is a supplier’s adherence to criteria verified and reported?

Proof of Concept

October 2019

The Industry Coordination Web Page

Available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination

NATF-hosted web page for Industry Coordination

The NATF Criteria

Available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination

Establishing Criteria for Evaluations: The NATF Criteria

• Version 1 posted on the NATF Public Website
• 60 criteria for supplier supply chain cyber security practices
• 26 organizational information considerations
• Maps to existing frameworks

What is the criteria or security framework?

The NATF Criteria

July 2019

NATF Criteria Spreadsheet

The Supplier Cyber Security Assessment Model

For further explanation, see the “Industry Organizations’ Supplier Cyber Security Assessment Model” document, available on the Industry Coordination page of the NATF Public Website

Supplier Cyber Security Assessment: Evaluations

• Adherence to the NATF Criteria
▫ What is the Supplier’s level of adherence to the NATF Criteria for the product or service to be purchased
• Assurance for information provided
▫ What level of assurance is provided for supplier’s information/responses and is the level of confidence appropriate for the product or service to be purchased
• Address identified risks
▫ Mitigate (either the entity or supplier) or
▫ Determine if risk can or must be accepted; document rationale

Supplier Evaluation

How is a supplier’s adherence to criteria verified and reported?

Supplier Cyber Security Assessment: Steps

• Obtain information
• Evaluate Information
• Conduct Risk Assessment
• Make Purchase Decision

Supplier Evaluation

How is a supplier’s adherence to criteria verified and reported?

The Model

Identify possible suppliers for needed product or service

Use existing means to obtain information regarding supplier’s adherence to the NATF Criteria
• Certification to Existing Framework/Standard (e.g. IEC 62443, ISO 27001)
• Independent Assessment/Audit (e.g. SOC 2 Type II)
• Questionnaire/Supplier Attestation
• Shared Entity Assessments or other data sources
• Combination of means

Evaluate Information
• Is Supplier’s level of adherence to the NATF Criteria appropriate for product or service?
• What level of assurance is provided for Supplier’s information/responses and is the level of confidence appropriate for the product or service?
• Were any cyber security risks identified? Can risks be mitigated, addressed via contract, or accepted?

Document

Conduct Risk Assessment
• The purchasing entity’s inherent risk and risk appetite
• Other factors identified by the purchasing entity (financial, operational, reputational, regulatory, etc.)

Purchase Decision

Obtain Information on Supplier’s Adherence

Identify possible suppliers for needed product or service

Use existing means to obtain information regarding supplier’s adherence to the NATF Criteria
• Certification to Existing Framework/Standard (e.g. IEC 62443, ISO 27001)
• Qualified Independent Assessment/Audit (e.g. SOC 2 Type II)
• Questionnaire/Supplier Attestation
• Shared Entity Assessments or other data sources
• Combination of means

Evaluate the Information Obtained

Evaluate Information
• Is Supplier’s level of adherence to the NATF Criteria appropriate for product or service?
• What level of assurance is provided for Supplier’s information/responses and is the level of confidence appropriate for the product or service?
• Were any cyber security risks identified? Can risks be mitigated, addressed via contract, or accepted?


Document!

Document

Conduct Risk Assessment

• Use existing means to obtain information regarding supplier’s adherence to the NATF Criteria
• Other factors identified by the purchasing entity (financial, operational, reputational, regulatory, etc.)
• The purchasing entity’s inherent risk and risk appetite


Make Purchase Decision

Purchase Decision


Implementation of the Model

• Tools are being developed that can assist entities and suppliers in sharing supplier information
• Locating supplier data
• Adherence to NATF Criteria (at various levels of assurance)
• Responses to the Questionnaire
• Shared Assessments
• Streamlining Risk Assessments
• Organization of Data

Next Steps

• Continued collaboration across industry
• Socializing Model with suppliers and third-party assessor industries
• Completing current projects
• Addressing implementation issues that arise and creating projects where needed
• Continue on our Journey!

Questions?

Please email questions to [email protected]