TRANSCRIPT
Tech Advantage
Benchmarking Your Cyber Security Program
March 5, 2014
Elements of Cyber Security
Confidentiality
Integrity
Availability
[Diagram: the CIA triangle, with Confidentiality, Integrity and Availability at the corners and Security in the centre]
Perfect security is unattainable
Overview
What is the current state of Cyber Security at electric coops?
- NARUC Report for the Kentucky PSC
- How are decisions made about Cyber Security?
- What should you be doing for Cyber Security?
Cooperative perspective on audits and reviews
- Chuck Gill – Owen Electric Cooperative
Q&A - Panel Discussion
- David Baldwin – Clark Energy Cooperative
- David Cox – Nolin Rural Electric Cooperative
- Chuck Gill – Owen Electric Cooperative
NARUC Report Goals
• Review of the cyber security programs at six Kentucky electric distribution cooperatives
• Comparative view of the condition of the participating cooperatives' cyber security programs
• Identification of control areas that have been effectively implemented and areas that need improvement
• Identification of areas of competency by some participants that may be leveraged at other cooperatives planning to implement similar controls
• Identification of areas that the PSC may be able to provide assistance to the cooperative community related to cyber security
Participant Profile
Profile of participating Coops:
– Distribution Cooperatives
– None had NERC-CIP requirements
– Some did not own SCADA systems, others did
– Main business processes: Billing and collections, Electric system maintenance, HR
Defining a Benchmark
• Realistic expectations for distribution cooperatives
• Frameworks
• Maturity Models
• ISO 27002 Standard areas
Areas of Focus
• User Account Management
• Outsourced Information Processing
• Password Parameters
• Documentation of Procedures
• IT Risk Management
• Cyber Security Policy
• Network Management
• System Acceptance and Configuration
• Third Party Access
• Personnel Security
• Remote Access
• Physical and Environmental Security
• Wireless Access
• System Patching
• Accountability of Assets
• System Logging and Monitoring
• Incident Management
• Malware Prevention
• DR & BCP
• Compliance Requirements
• Backup and Recovery
Methodology
• Each of the cooperatives participating in the review was asked to discuss its security program in the 21 areas of focus.
• Score of 1 through 5 for:
– Development of controls
– Relative priority of control area
Methodology
• Control Priority - relative priority of the control within the context of a total cyber security program.
• Average Development of Controls - provides an indication of the progress the cooperatives as a group have made in a particular control area
• Difference - the gap between control priority and average development; indicates which areas for improvement should be given the highest priority
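As an added illustration of the scoring methodology just described (example code, not from the NARUC report or the presentation), the following Python takes constructed 1-to-5 development scores from six cooperatives for a handful of the focus areas, computes the group average per area, and ranks areas by the difference between control priority and average development:

```python
from statistics import mean

# Constructed sample scores (not from the NARUC report): for each focus area,
# the development-of-controls score (1-5) reported by each of six
# cooperatives, and the relative priority (1-5) of that control area
# within a total cyber security program.
DEVELOPMENT_SCORES = {
    "User Account Management": [4, 3, 4, 3, 4, 3],
    "Password Parameters": [3, 3, 2, 3, 2, 3],
    "System Patching": [2, 3, 2, 2, 1, 2],
    "Backup and Recovery": [4, 4, 3, 4, 4, 3],
    "Incident Management": [1, 2, 1, 1, 2, 1],
    "Physical and Environmental Security": [4, 4, 4, 3, 4, 4],
}
CONTROL_PRIORITY = {
    "User Account Management": 4,
    "Password Parameters": 3,
    "System Patching": 5,
    "Backup and Recovery": 4,
    "Incident Management": 4,
    "Physical and Environmental Security": 3,
}


def benchmark(dev_scores, priority):
    """Return rows of (area, priority, avg_development, difference),
    sorted so the largest gap between priority and group development
    comes first.  Difference = priority - average development."""
    rows = []
    for area, scores in dev_scores.items():
        if not 1 <= priority[area] <= 5 or any(not 1 <= s <= 5 for s in scores):
            raise ValueError(f"scores for {area!r} must be in the range 1..5")
        avg = round(mean(scores), 2)
        rows.append((area, priority[area], avg, round(priority[area] - avg, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def top_gaps(dev_scores, priority, n=3):
    """Names of the n areas the Difference metric ranks highest for improvement."""
    return [row[0] for row in benchmark(dev_scores, priority)[:n]]


if __name__ == "__main__":
    for area, prio, avg, diff in benchmark(DEVELOPMENT_SCORES, CONTROL_PRIORITY):
        print(f"{area:38} priority={prio} avg_dev={avg:.2f} diff={diff:+.2f}")
```

A negative difference (here, Physical and Environmental Security) marks an area where the group's control development already exceeds its relative priority, so it falls to the bottom of the improvement list.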
Design vs. Effectiveness
Areas where security is controlled by manual processes may have scored higher in this review because of the design of the controls; however, the effectiveness of the controls was not evaluated. Examples of focus areas that are often found not to operate as designed when examined for effectiveness:
• System patching
• Backups
• Accountability of Assets
• System acceptance and configuration
How Cyber Decisions are Made
How are decisions made about what to do and how much to spend on Cyber Security?
Sources for Guidance
IT managers base decisions on:
– Past experiences
– Availability needs
– Experiences of trusted colleagues
– Trade magazines
– Web research
– Consultants
External Drivers
• State breach disclosure laws
• State/Federal regulations
• Industry regulation
• Self regulation
• Lawsuits
• Best practices
• Contracts
• Insurance
Determining Spend
• Marginal increase of costs for additional cyber security
• Marginal decrease in costs associated with breaches
• Likelihood and impact of cyber threats
Operating costs for cyber security = Cost savings due to prevention of events such as virus attacks, hacking, break-ins, regulatory fines, etc.
Summary
• Every company has some form of cyber security; it is often devices and software, not processes and procedures
• Decisions come from many sources
• Increases in security measures are often driven by outside factors
• Costs associated with cyber security are not always known
Measuring Cyber Security
How should a cooperative measure and implement Cyber Security?
Risk Assessment
• Continuous risk based approach
• Compliance requirements
• Re-assess for environmental and technology changes
• Likelihood and Impact
Program Design
• Gap analysis
• Program improvement prioritization
• Policies and procedures
Program Management
• Management of program improvements
• Task tracking
• Audit and assurance practices
Thank you
Timothy Fawcett, CISSP, CISA, CSSA
Sr. Information Security
[email protected]
Cooperative Perspective
Chuck Gill – Owen Electric Cooperative
• 57,000 Members in 9 Northern Kentucky Counties
• HQ, Northern SC, Three Bill Pay Offices
• Backbone consists of Microwave, Fiber, Radio and Telco Services
• VM Server Environment with about 150 client PCs
Cooperative Perspective
• Staff has been doing ISO/NIST Checklists since 2009; scores have been 65, 80 and 95 out of 128
• Two IT Audits in 2013, MCM and Guernsey
• Both Audits requested similar information
• MCM background was in financial audits
• PSC/Guernsey more familiar with utilities
Cooperative Perspective
• Approached the Audits as a win-win
• Open discussions with both audit groups
• Interaction between staff and audit groups was extremely beneficial
• Audits reaffirmed what the checklists already exposed
• Documentation (policies & procedures) to back up the strength the staff has in knowledge and experience
Q&A – Panel Discussion
• Tim Fawcett – Guernsey
• David Baldwin – Clark Energy Cooperative
• David Cox – Nolin Rural Electric Cooperative
• Chuck Gill – Owen Electric Cooperative