PROPOSED AGENDA

JOINT NYPA & CANAL CYBER & PHYSICAL SECURITY COMMITTEE MEETING

January 30, 2018 – 8:45 a.m.

Clarence D. Rappleyea Building, White Plains, NY

1. Adoption of the January 30, 2018 Proposed Meeting Agenda

2. Motion to Conduct an Executive Session

3. Motion to Resume Meeting in Open Session

4. Cyber Risk Overview (Thomas Spencer)

5. Industry Cyber Security Initiatives and Programs (Randy Crissman)

6. Security Program Overview (Kenneth Carnes)

7. Next Meeting

January 30, 2018 Motion to Conduct an Executive Session

I move that the Board conduct an executive session pursuant to the Public Officers Law

of the State of New York §105 to discuss matters regarding public safety and security.

January 30, 2018

Motion to Resume Meeting in Open Session

Mr. Chairman, I move to resume the meeting in Open Session.

Cyber Risk OverviewTom SpencerSenior Director – Risk Management

January 30, 2018

2

Risk Management in a Digital WorldIdentify

AssessMonitor

Respond

• Cyber Security is a Top Enterprise Risk

• Annual Risk Assessment• Vendor Reviews

• Chances in Cyber Risk Profile• Appropriate resource and

capital allocation• Cyber Security Capability

Maturity Model (C2M2)

• NYPA Secure committee

• Active threat and vulnerability management

• Business Resiliency Implemented• Reputation Management Program• Cyber Insurance• Training and Awareness

What we are protecting:• Physical Assets and Systems• Business Operations• Reputation• People• Data

• Security is IT/OT/Physical and Cyber partnering with Risk Management to actively manage and escalate risk

• The core principles of Risk Management apply as with digitize NYPA

• Leveraging the Cyber Security work in place today to appropriately positions for future Cyber challenges

• Enhanced 3rd Party Vendor Management

• Insider Threat Evaluation and Analysis

• Business Resiliency Stress Testing of alternative future scenarios

Industry Cyber Security Initiatives and ProgramsRandy CrissmanSenior Consultant – Utility Operations

January 30, 2018

2

Organizations with Cyber Security Initiatives and Programs

3

Examples of Cyber Security Initiatives and ProgramsElectricity Subsector Coordinating Council (ESCC)

• SICC – Electricity Subsector, Telecom, and Finance Coordination• Cyber Mutual Assistance Program

Large Public Power Council (LPPC)• Established a Cyber Security Task Force in 2016• Sharing of Cyber Security Program Practices

American Public Power Association (APPA)• Multi-Year DOE Grant to Elevate Cyber Security Programs of its Members• Cyber Security Insurance Program for its Members (via 3rd party)

North American Electric Reliability Corporation (NERC)• Mandatory Cyber Security Standards (10 with 28 requirements)

Electricity Information Sharing and Analysis Center (E-ISAC)• E-ISAC Industry Augmentation Program (pilot with LPPC)

North American Transmission Forum (NATF)• “Spare Tire” Initiative – Operation With Loss of EMS or SCADA Control

4

Products of LPPC Cyber

Security Task Force

Security Program OverviewKenneth CarnesVP & Chief Information Security Officer

January 30, 2018

2

•Awareness•Phishing / Training

•Threats•Background Checks / Insider Threat

•Intelligence•Gathering & Sharing

People

•Monitoring• Integrated Visibility

•Threats & Vulnerabilities•Active Management in iSOC

•Regular Assessments•Risk

Process•Protect•Defense in Depth

•Detect•Leading capabilities

•Compliant•NERC /PCI / State

Technology

Coordinated Response Overall Resiliency

Secure Committee

iSOCProcess

CYBER/ PHYSICAL

OPERATIONS / EM

RISK

NYPA Secure

Holistic Focus

Security Program Overview

January 30, 2018 Next Meeting

The next regular meeting of the Cyber & Physical Security Committee is to be held at a date to be determined.