
Page 1

Tech Advantage
Benchmarking Your Cyber Security Program

March 5, 2014

Page 2

Elements of Cyber Security

• Confidentiality
• Integrity
• Availability

[Diagram: C-I-A triangle with "Security" at the center]

Perfect security is unattainable

Page 3

Overview

What is the current state of Cyber Security at electric coops?
- NARUC Report for the Kentucky PSC
- How are decisions made about Cyber Security?
- What should you be doing for Cyber Security?

Cooperative perspective on audits and reviews
- Chuck Gill – Owen Electric Cooperative

Q&A - Panel Discussion
- David Baldwin - Clark Energy Cooperative
- David Cox – Nolin Rural Electric Cooperative
- Chuck Gill – Owen Electric Cooperative

Page 4

NARUC Report Goals

• Review of the cyber security programs at six Kentucky electric distribution cooperatives
• Comparative view of the condition of the participating cooperatives' cyber security programs
• Identification of control areas that have been effectively implemented and areas that need improvement
• Identification of areas of competency at some participants that may be leveraged by other cooperatives planning to implement similar controls
• Identification of areas in which the PSC may be able to provide assistance to the cooperative community related to cyber security

Page 5

Participant Profile

Profile of participating Coops:
– Distribution Cooperatives
– None had NERC-CIP requirements
– Some did not own SCADA systems; others did
– Main business processes: Billing and collections, Electric system maintenance, HR

Page 6

Defining a Benchmark

• Realistic expectations for distribution cooperatives
• Frameworks
• Maturity Models
• ISO 27002 Standard areas

Page 7

Areas of Focus

• User Account Management
• Outsourced Information Processing
• Password Parameters
• Documentation of Procedures
• IT Risk Management
• Cyber Security Policy
• Network Management
• System Acceptance and Configuration
• Third Party Access
• Personnel Security
• Remote Access
• Physical and Environmental Security
• Wireless Access
• System Patching
• Accountability of Assets
• System Logging and Monitoring
• Incident Management
• Malware Prevention
• DR & BCP
• Compliance Requirements
• Backup and Recovery

Page 8

Methodology

• Each of the cooperatives participating in the review was asked to discuss its security program in the 21 areas of focus.

• Score of 1 through 5 for:
  – Development of controls
  – Relative priority of control area

Page 9

Methodology

• Control Priority - relative priority of the control within the context of a total cyber security program.

• Average Development of Controls - provides an indication of the progress the cooperatives as a group have made in a particular control area.

• Difference - the gap between control priority and average development; provides an indication of which areas for improvement should be given the highest priority.
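The scoring below is an added worked example, not code from the NARUC report or the presentation. It implements the three metrics the methodology slides describe on constructed sample data: the six control areas are taken from the deck's list, but every priority and development score, and the three cooperative names, are assumed values rather than the six cooperatives' actual results. Both metrics use the 1-to-5 scale the review used; difference is priority minus average development, and the ranking puts the largest gap first. Like the review's own scores, these describe how controls are designed, not how effectively they operate.

```python
"""Benchmark scoring in the style of the Kentucky cooperative review.

Added illustration with constructed data. Priority and development scores
are assumed sample values, not findings from the report.
"""
from statistics import mean

# Scale used in the review: 1 (low) through 5 (high) for both metrics.
SCORE_MIN, SCORE_MAX = 1, 5

# Constructed sample: relative priority of each control area within a total
# cyber security program (assumed values).
PRIORITY = {
    "User Account Management": 5,
    "Password Parameters": 4,
    "System Patching": 5,
    "Backup and Recovery": 5,
    "Wireless Access": 3,
    "Physical and Environmental Security": 4,
}

# Constructed sample: development of controls as reported by each
# hypothetical cooperative (assumed values).
DEVELOPMENT = {
    "Coop A": {"User Account Management": 4, "Password Parameters": 5, "System Patching": 2,
               "Backup and Recovery": 3, "Wireless Access": 3, "Physical and Environmental Security": 4},
    "Coop B": {"User Account Management": 3, "Password Parameters": 4, "System Patching": 3,
               "Backup and Recovery": 2, "Wireless Access": 2, "Physical and Environmental Security": 5},
    "Coop C": {"User Account Management": 5, "Password Parameters": 3, "System Patching": 1,
               "Backup and Recovery": 4, "Wireless Access": 4, "Physical and Environmental Security": 4},
}


def validate(priority, development):
    """Reject scores outside the 1-5 scale, unknown areas, and cooperatives that skipped an area."""
    for area, p in priority.items():
        if not SCORE_MIN <= p <= SCORE_MAX:
            raise ValueError(f"priority out of range for {area}: {p}")
    for coop, scores in development.items():
        missing = set(priority) - set(scores)
        if missing:
            raise ValueError(f"{coop} has no score for: {sorted(missing)}")
        for area, s in scores.items():
            if area not in priority:
                raise ValueError(f"{coop} scored an unknown area: {area}")
            if not SCORE_MIN <= s <= SCORE_MAX:
                raise ValueError(f"development out of range for {coop}/{area}: {s}")


def benchmark(priority, development):
    """Return one row per control area: (area, priority, average development, difference).

    Difference = priority - average development. Rows are sorted so the area
    with the largest gap (highest improvement priority) comes first; ties are
    broken by priority, then by name, so the ordering is deterministic.
    """
    validate(priority, development)
    rows = []
    for area, p in priority.items():
        avg = mean(scores[area] for scores in development.values())
        rows.append((area, p, round(avg, 2), round(p - avg, 2)))
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return rows


def improvement_priorities(priority, development, top=3):
    """Names of the `top` control areas with the largest gap between priority and development."""
    return [row[0] for row in benchmark(priority, development)[:top]]


def print_report(rows):
    """Tabulate the benchmark the way the review's comparison would be read."""
    print(f"{'Control area':36} {'Pri':>3} {'AvgDev':>6} {'Diff':>5}")
    for area, p, avg, diff in rows:
        print(f"{area:36} {p:>3} {avg:>6.2f} {diff:>5.2f}")


if __name__ == "__main__":
    print_report(benchmark(PRIORITY, DEVELOPMENT))
```

With these sample scores, System Patching (priority 5, average development 2.0) tops the list with a gap of 3.0, followed by Backup and Recovery and User Account Management; Physical and Environmental Security comes out negative because the group's development already exceeds its relative priority. The tie-break by priority keeps two areas with the same gap in a stable order, and the validation step catches a cooperative that skipped an area, which would otherwise silently skew the group average.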

Page 16

Design vs. Effectiveness

Areas where security is controlled by manual processes may have scored higher in this review because of the design of the controls; the effectiveness of the controls was not evaluated. Examples of focus areas that are often found not to operate as designed when examined for effectiveness:

• System patching
• Backups
• Accountability of Assets
• System acceptance and configuration

Page 19

How Cyber Decisions are Made

How are decisions made about what to do and how much to spend on Cyber Security?

Page 20

Sources for Guidance

IT managers base decisions on:
– Past experiences
– Availability needs
– Experiences of trusted colleagues
– Trade magazines
– Web research
– Consultants

Page 21

External Drivers

• State breach disclosure laws
• State/Federal regulations
• Industry regulation
• Self regulation
• Lawsuits
• Best practices
• Contracts
• Insurance

Page 22

Determining Spend

• Marginal increase of costs for additional cyber security
• Marginal decrease in costs associated with breaches
• Likelihood and impact of cyber threats

Operating costs for cyber security = Cost savings due to prevention of events such as virus attacks, hacking, break-ins, regulatory fines, etc.

Page 23

Summary

• Every company has some form of cyber security; it is often devices and software, not processes and procedures
• Decisions come from many sources
• Increases in security measures are often driven by outside factors
• Costs associated with cyber security are not always known

Page 24

Measuring Cyber Security

How should a cooperative measure and implement Cyber Security?

Page 25

Risk Assessment

• Continuous risk based approach
• Compliance requirements
• Re-assess for environmental and technology changes
• Likelihood and Impact

Page 26

Program Design

• Gap analysis
• Program improvement prioritization
• Policies and procedures

Page 27

Program Management

• Management of program improvements
• Task tracking
• Audit and assurance practices

Page 28

Thank you

Timothy Fawcett, CISSP, CISA, CSSA
Sr. Information Security [email protected]

Page 29

Cooperative Perspective

Chuck Gill – Owen Electric Cooperative
• 57,000 Members in 9 Northern Kentucky Counties
• HQ, Northern SC, Three Bill Pay Offices
• Backbone consists of Microwave, Fiber, Radio and Telco Services
• VM Server Environment with about 150 client PCs

Page 30

Cooperative Perspective

• Staff has been doing ISO/NIST Checklists since 2009; scores have been 65, 80 and 95 out of 128
• Two IT Audits in 2013, MCM and Guernsey
• Both Audits requested similar information
• MCM background was in financial audits
• PSC/Guernsey more familiar with utilities

Page 31

Cooperative Perspective

• Approached the Audits as a win-win
• Open discussions with both audit groups
• Interaction between staff and audit groups was extremely beneficial
• Audits reaffirmed what the checklists already exposed
• Documentation (policies & procedures) to back up the strength the staff has in knowledge and experience

Page 32

Q&A – Panel Discussion

• Tim Fawcett – Guernsey
• David Baldwin - Clark Energy Cooperative
• David Cox – Nolin Rural Electric Cooperative
• Chuck Gill – Owen Electric Cooperative