MRO SAC and CMEPAC Webinar
“Industry Organizations' Aligned Approach for Supply Chain Cyber Security”
Valerie Agnew, Program Manager, Compliance, North American Transmission Forum (NATF)
Tony Eddleman, NERC Compliance Manager, Nebraska Public Power District/MRO SAC Member
Mahmood Safi, NERC Compliance Manager, Omaha Public Power District/MRO CMEPAC Member
Michael Spangenberg, MRO CIP Risk Assessment & Mitigation Engineer
April 8, 2020
MRO SAC Update
• MRO SAC Quarter 2 Meeting on June 24, 2020 (In Person or Via WebEx) REGISTRATION IS NOW OPEN!
• MRO Regional Security Risk Assessment will be in place of the MRO SAC Quarter 3 Meeting on October 8, 2020 (In Person Only and Registration is not open)
• MRO SAC Quarter 4 Meeting on November 5, 2020 (Via WebEx) REGISTRATION IS NOW OPEN!
• MRO Security Conference October 7, 2020
Industry Organizations' Aligned Approach for Supply Chain Cyber Security
MRO SAC Webinar: NERC Supply Chain
April 8, 2020
Valerie Agnew, Program Manager, Compliance, North American Transmission Forum
Tony Eddleman, NERC Compliance Manager, Nebraska Public Power District
Supply Chain Risk Management Regulatory Requirements
• The Federal Energy Regulatory Commission (FERC) approved new Supply Chain Risk Management requirements, effective July 1, 2020
▫ CIP-013-1 (new); CIP-005-6 (updated); CIP-010-3 (updated)
▫ Initial scope is limited to Control Centers and more impactful substations and generators
Overview
• MRO SAC and CMEPAC Webinar (March 18, 2020)
▫ New and Updated NERC Reliability Standards
▫ NERC Website Resources
▫ NERC Supply Chain Working Group (SCWG) Security Guidelines
▫ North American Transmission Forum (NATF)
▫ Future Directions
• Today
▫ Deeper Dive into Industry Organizations' Aligned Approach
Industry Coordinated Supply Chain Activities
Open Distribution. Copyright © 2020 North American Transmission Forum. Not for sale or commercial use. All rights reserved.
Community Confidentiality Candor Commitment
Objectives for Today’s Webinar
Provide an overview of the Supplier Cyber Security Assessment Model
• Convergence on use of the Model
• How the Model Works
• Contributing Organizations
• Where to find information
Overview - Objectives of Supply Chain Activities
Industry Convergence
• Achieve industry convergence on the approach (Model) to facilitate addressing the following objectives
Security
• Identifying and addressing cyber security risks introduced via the supply chain
Efficiency and Effectiveness
• Convergence on common approaches to achieve reasonable assurance of suppliers’ security practices
Compliance
• Implementation guidance to meet supply chain related CIP standards (CIP-013-1; CIP-005-6 R2.4; CIP-010-3 R1.6)
Overview – Build on existing Supply Chain Work
Overview - Supply Chain Activities to Date
• June 2019: NATF Criteria Version 0
• July 2019: NATF Criteria Application Guide
• October 2019: NATF Proof of Concept Team Strawman
• December 2019: Industry Organizations’ Team alignment on Supplier Assessment Model
• January 30: NATF Criteria Refinement, EEI Procurement Language Refinement
• In Progress: Questionnaire, Additional Projects
Teams shown in the organization chart:
• NATF Supply Chain Criteria Team
• NATF Proof of Concept Team
• NATF-led Industry Organizations Team
• NATF Supply Chain Steering Team
Alignment of Organizations
A list of participating organizations is available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination
Value Proposition
• Broader than Industry Organizations
• The Supplier Cyber Security Assessment Model and complementary products provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices, which, if applied widely, will
▫ reduce the burden on suppliers,
▫ provide entities with more and better information, and
▫ improve cyber security.
Industry Organization Team Members
Organizations, Forums and Working Groups
• EEI
• LPPC
• APPA
• TAPS
• NAGF
• NAESB
• ConEd Working Group
• SCWG/CIPC
• NERC CCC
• NRECA
How is a supplier’s adherence to criteria verified and reported?
Proof of Concept (October 2019)
Suppliers
• ABB
• GE Grid Software Solutions
• OSI
• Siemens Industry, Inc.
• Schneider Electric
• Schweitzer Engineering
Third-Party Assessors
• Ernst & Young
• KPMG LLP
• PWC
• Deloitte
Vendor Organizations for support products or services
• EPRI
• Fortress/A2V
The Industry Coordination Web Page
NATF-hosted web page for Industry Coordination, available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination
The NATF Criteria
Available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination
• Version 1 posted on the NATF Public Website
• 60 criteria for supplier supply chain cyber security practices
• 26 organizational information considerations
• Maps to existing frameworks
What is the criteria or security framework?
The NATF Criteria (July 2019)
Establishing Criteria for Evaluations: The NATF Criteria
[Figure: NATF Criteria Spreadsheet]
The Supplier Cyber Security Assessment Model
For further explanation, see the “Industry Organizations’ Supplier Cyber Security Assessment Model” document, available on the Industry Coordination page of the NATF Public Website.
• Adherence to the NATF Criteria
▫ What is the Supplier’s level of adherence to the NATF Criteria for the product or service to be purchased?
• Assurance for information provided
▫ What level of assurance is provided for the supplier’s information/responses, and is the level of confidence appropriate for the product or service to be purchased?
• Address identified risks
▫ Mitigate (either the entity or supplier), or
▫ Determine if risk can or must be accepted; document rationale
Supplier Cyber Security Assessment: Evaluations
Supplier Evaluation: How is a supplier’s adherence to criteria verified and reported?
• Obtain information
• Evaluate Information
• Conduct Risk Assessment
• Make Purchase Decision
Supplier Cyber Security Assessment: Steps
Supplier Evaluation: How is a supplier’s adherence to criteria verified and reported?
The Model
• Identify possible suppliers for needed product or service
• Use existing means to obtain information regarding the supplier’s adherence to the NATF Criteria
▫ Certification to Existing Framework/Standard (e.g. IEC 62443, ISO 27001)
▫ Independent Assessment/Audit (e.g. SOC 2 Type II)
▫ Questionnaire/Supplier Attestation
▫ Shared Entity Assessments or other data sources
▫ Combination of means
• Evaluate Information
▫ Is the Supplier’s level of adherence to the NATF Criteria appropriate for the product or service?
▫ What level of assurance is provided for the Supplier’s information/responses, and is the level of confidence appropriate for the product or service?
▫ Were any cyber security risks identified? Can risks be mitigated, addressed via contract, or accepted?
• Conduct Risk Assessment, taking into account
▫ The purchasing entity’s inherent risk and risk appetite
▫ Other factors identified by the purchasing entity (financial, operational, reputational, regulatory, etc.)
• Purchase Decision
• Document
Obtain Information on Supplier’s Adherence
Identify possible suppliers for needed product or service
Use existing means to obtain information regarding the supplier’s adherence to the NATF Criteria:
• Certification to Existing Framework/Standard (e.g. IEC 62443, ISO 27001)
• Qualified Independent Assessment/Audit (e.g. SOC 2 Type II)
• Questionnaire/Supplier Attestation
• Shared Entity Assessments or other data sources
• Combination of means
Evaluate the Information Obtained
Evaluate Information
• Is the Supplier’s level of adherence to the NATF Criteria appropriate for the product or service?
• What level of assurance is provided for the Supplier’s information/responses, and is the level of confidence appropriate for the product or service?
• Were any cyber security risks identified? Can risks be mitigated, addressed via contract, or accepted?
Document!
Conduct Risk Assessment
Inputs to the risk assessment:
• Information obtained regarding the supplier’s adherence to the NATF Criteria
• The purchasing entity’s inherent risk and risk appetite
• Other factors identified by the purchasing entity (financial, operational, reputational, regulatory, etc.)
Make Purchase Decision
Implementation of the Model
• Tools are being developed that can assist entities and suppliers in sharing supplier information
▫ Locating supplier data: adherence to NATF Criteria (at various levels of assurance), responses to the Questionnaire, Shared Assessments
▫ Streamlining Risk Assessments
▫ Organization of Data
Next Steps
• Continued collaboration across industry
• Socializing the Model with suppliers and third-party assessor industries
• Completing current projects
• Addressing implementation issues that arise and creating projects where needed
• Continue on our Journey!