Cybersecurity Special Public
Meeting/Commission Workshop for Natural
Gas Utilities
September 12, 2019
Planning - Governance (organization chart)
Director of Infrastructure and Security
Enterprise Security Committee
CIO / CSO
Guest Speakers
Regular Reporting
Conferences
Board of Directors
Sr. Security Manager
Security Workgroups
Planning - Governance
Enterprise Security Committee
Members
o Dir. of Transmission Ops
o Dir. of IT and Security
o Dir. of Generation & Production
o Mgr. of Reliability Compliance
o Dir. of Corporate Communications
o Dir. of Electrical Engineering
o Sr. Legal Counsel
o Dir. Human Resources
o Dir. Environmental Affairs
o Dir. of Planning & Asset Management
o Dir. of Natural Gas
Enterprise Security Committee Work Groups
Planning - Security Staff (organization chart; counts in parentheses are the number of positions shown)
Sr. Security Manager
Physical Security (2)
Business Continuity / Emergency Management (2)
Security Architect
Security Engineer (8)
Security Engineer - SCADA
Security Engineer - Compliance
Security Team Lead
Access Administration (3)
Security Analyst (4)
Legend: 2019 - New Staff / Existing Staff
Planning - Policy
o Introduction and Scope
o Introduction
o Scope
o Exceptions to the Cyber Security Policy
o Security Risk Management
o Security Awareness
o Incident Response Management
o Information Management
o 100 - Physical Security Policy
o 100 - Policy Objective
o 100 - Policy Statements
o 100.1 Physical Security
o 200 - Exception Request Policy
o 200 - Policy Objective
o 200 - Policy Statements
o 200.1 Exception Request Policy
o 300 - Access Control Policy
o 300 - Policy Objective
o 300 - Policy Statements
o 300.1 Access Control
o 300.2 Separation of Duties
o 300.3 Account Management
o 300.4 Password Management
o 300.5 Account Time-outs
o 400 - Configuration Management Policy
o 400 - Policy Objective
o 400 - Policy Statements
o 400.1 Change Management
o 400.2 Patch Management
o 500 - System Acquisition, Development & Maintenance Policy
o 500 - Policy Objective
o 500 - Policy Statements
o 500.1 System Assessments
o 500.2 System Acquisition
o 500.3 System Development
o 500.4 System Maintenance
o 600 - System and Information Protection Policy
o 600 - Policy Objective
o 600 - Policy Statements
o 600.1 Anti-Virus software
o 600.2 Network Protection
o 600.3 Encryption
o 600.4 File Integrity Monitoring (FIM)
o 600.5 Authorized and Unauthorized Devices
o 600.6 Secure Configurations for Avista Systems
o 600.7 Wireless Device Control
o 600.8 Secure Communications
o 600.9 Audit Logs
o 600.10 Audit Log Storage
o 600.11 Time Synchronization
o 600.12 Logon Banner
o 600.13 Media Protection
Standards - Cyber Security Framework
People, Process, Technology
Framework functions and their categories:
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness & Training; Data Security; Information Protection & Procedures; Maintenance; Protective Technology
Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications
Standards - Effectiveness
Maturity Analysis (chart: each Cybersecurity Domain category is plotted against the maturity levels Initial, Managed, Defined, Predictable, Optimized; legend: Current State vs. Desired/Target State)
Categories shown, by function:
Protect: Access Control; Awareness & Training; Data Security; Information Protection & Procedures; Maintenance; Protective Technology
Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications
Reporting
o Cybersecurity reporting
Partnerships
Procurement
• Vendor and device selection
• RFP, Contract and Procurement Language
• Security Reviews
• Background checks
  • Employees
  • Vendors
Risk Management
• Maturity Models / Best Practices
• Vulnerability assessments
  • Internal
  • External
• Risk prioritization (Future)
  • What’s my exposure in financial terms?
  • How should I manage my cyber program?
  • Do I have the financial ability to recover from an event?
  • Where should I invest?
Response & Recovery
• Response and recovery plans
• Responsibility
• Exercises
• Sharing & mutual defense
• Communication plan to address customer perceptions
Questions?