© 2015 Electric Power Research Institute, Inc. All rights reserved.
Risk Management in Practice – A Guide for the Electric Sector
Annabelle Lee
Senior Technical Executive
ICCS – European Engagement Summit
April 28, 2015
Before we continue, let’s get over our fears and myths with some much needed levity …
The following three slides are based on a briefing given by Daniel Thanos of Telos
Sum of All Myths: The Einstein Defense
Myth: Our systems are so proprietary and esoteric that Einstein himself couldn’t figure them out, so “hackers” have no chance
Reality: Whatever can be engineered can be reverse-engineered, and Stuxnet is the proof
Sum of All Myths: Wishful Immunity
Myth: There are no problems here, just happy and trusted people working on reliable and isolated systems
Fact: Sophisticated attackers use trusted people and privileged access without the target’s knowledge
• Attackers usually succeed when security is exclusively perimeter and “trust” based
Sum of All Myths: Mordac Syndrome
Myth: Security reduces reliability, degrades capabilities and prices us out of existence
Fact: Correctly engineered security increases reliability and reduces the costs and risks due to poor design and systemic failures
General Risk Assessment Approach
Risk Assessment Methodology (flowchart):
• Asset / System Characterization → Impact Analysis
• Vulnerability Assessment and Threat Agent Characterization → Threat Likelihood Assessment
• Impact Analysis and Threat Likelihood Assessment → Risk Determination
• Risk Acceptable? NO → select Security Requirements / Controls and repeat the assessment; YES → proceed to implementation
Risk Assessment Methodology (2)
Implementation and Assessment Phases (flowchart):
• Risk Assessment → Risk Acceptable? NO → Security Controls (back to Risk Assessment); YES → System Implementation
• System Implementation → Successful Risk Mitigation? YES → Ongoing Monitoring, Testing and Exercising; NO → return to the risk assessment and security controls
Risk Management Cycle
Department of Energy Risk Management Process: Risk Framing → Risk Assessment → Risk Response → Risk Monitoring (a continuous cycle)
The risk management cycle:
(i) Risk framing (i.e., establish the context for risk-based decisions)
(ii) Risk assessment
(iii) Risk response once determined, and
(iv) Risk monitoring on an ongoing basis.
Risk management is carried out as an organization-wide activity
Framework Implementation Guidance Mapping (Project #1)
CSF Core: Functions → Categories → Subcategories → Informative References
Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
CSF Tiers: Tier 1: Partial; Tier 2: Risk Informed; Tier 3: Repeatable; Tier 4: Adaptive
C2M2 Practices (MIL 1, MIL 2, MIL 3) are mapped against both the CSF Core and the CSF Tiers
C2M2 Comparative Analysis (Project #2)
C2M2 structure: Domains → Objectives → Practices
Domains: Risk Management; Asset, Change, & Configuration Management; Identity and Access Management; …; Cyber Program Management
Industry Standards compared: Cybersecurity Framework, C2M2, NISTIR 7628, SP 800-53, NRECA Cyber Security Guidelines, others as requested by industry, …
C2M2 Comparative Analysis Process
C2M2 (Domains → Objectives → Practices: Risk Management; Asset, Change, & Configuration Management; Identity and Access Management; …; Cyber Program Management) ↔ NRECA Cyber Security Guidelines
Many sector-specific standards, such as the NRECA Cyber Security Guidelines, have already been mapped directly to the C2M2.
In these cases, the maps are easily ported into the C2M2 expansion as a module.
C2M2 Comparative Analysis Process
Standards reachable through the Framework: NIST Cybersecurity Framework, NIST SP 800-53, NISTIR 7628, COBIT 5, ISA 99 / IEC 62443, ISO 2700x
With the release of the Framework, even more standards are available.
By leveraging the maps that apply to the Framework, as well as industry’s map of the C2M2-Framework, the expansion can include other modules with very little effort.
Risk Management in Practice – A Guide for the Electric Sector
EPRI Technical Update: 3002003333
Assessing and Monitoring Risk
Issue
There are many cyber security risk assessment and security requirements documents, tools and methods, making it difficult for a utility to show how it meets all of the specifications.
Project approach
Perform a comparative analysis of the NIST Cybersecurity Framework, DOE ES-C2M2, NISTIR 7628, NESCOR Failure Scenarios, NIST SP 800-53, NEI 08-09, NRC 5.71
Create a database to improve the usability of the mappings
Value
Straightforward reporting to senior management and regulatory agencies to verify conformance with industry frameworks
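To make the mapping database and the conformance reporting described above concrete (and the CSF-to-C2M2 mapping of Project #1), here is an added Python example; it is not EPRI's or DOE's code and not the published cross-walk. The table rows are constructed placeholders that only borrow the real CSF subcategory and C2M2 practice ID formats, and the MIL computation assumes the C2M2 rule that maturity indicator levels are cumulative.

```python
"""Added example: constructed CSF-to-C2M2 cross-walk with conformance reporting (placeholder rows)."""
from collections import defaultdict

# (CSF function, CSF subcategory, C2M2 domain, C2M2 practice, MIL) -- constructed sample rows
CROSSWALK = [
    ("IDENTIFY", "ID.AM-1", "ACM", "ACM-1a", 1),
    ("IDENTIFY", "ID.AM-1", "ACM", "ACM-1c", 2),
    ("IDENTIFY", "ID.RA-1", "RM",  "RM-1a",  1),
    ("IDENTIFY", "ID.RA-1", "TVM", "TVM-2b", 2),
    ("PROTECT",  "PR.AC-1", "IAM", "IAM-1a", 1),
    ("PROTECT",  "PR.AC-1", "IAM", "IAM-1d", 2),
    ("DETECT",   "DE.CM-1", "SA",  "SA-2a",  1),
    ("DETECT",   "DE.CM-1", "SA",  "SA-2c",  3),
]

def domain_mil(implemented):
    """MIL reached per C2M2 domain. Assumes the C2M2 rule that MILs are
    cumulative: MIL n counts only if every practice at MIL 1..n is in place."""
    by_domain = defaultdict(lambda: defaultdict(list))
    for _, _, domain, practice, mil in CROSSWALK:
        by_domain[domain][mil].append(practice)
    result = {}
    for domain, mils in by_domain.items():
        achieved = 0
        for mil in sorted(mils):
            if not all(p in implemented for p in mils[mil]):
                break  # a gap at this MIL blocks every higher MIL
            achieved = mil
        result[domain] = achieved
    return result

def csf_coverage(implemented):
    """Per CSF function: (subcategories whose mapped practices are all implemented, subcategories mapped)."""
    needed, function_of = defaultdict(set), {}
    for function, subcat, _, practice, _ in CROSSWALK:
        needed[subcat].add(practice)
        function_of[subcat] = function
    covered, total = defaultdict(int), defaultdict(int)
    for subcat, practices in needed.items():
        total[function_of[subcat]] += 1
        covered[function_of[subcat]] += practices.issubset(implemented)
    return {f: (covered[f], total[f]) for f in total}

def gaps(implemented):
    """Unimplemented practices per CSF subcategory: the list handed back to the utility."""
    missing = defaultdict(list)
    for _, subcat, _, practice, _ in CROSSWALK:
        if practice not in implemented:
            missing[subcat].append(practice)
    return dict(missing)
```

Feed `domain_mil`, `csf_coverage` and `gaps` the set of practice IDs a utility has evidenced, and the three results are the management report, the per-domain MIL and the remediation list respectively.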
Assessing and Monitoring Risk (2)
Department of Energy Electricity Subsector Cybersecurity
Capability Maturity Model (DOE ES-C2M2)
National Institute of Standards and Technology Interagency
Report (NISTIR) 7628
National Electric Sector Cybersecurity Organization
Resource (NESCOR) Failure Scenarios
NIST Special Publication (NIST SP) 800-53
Nuclear Energy Institute (NEI) 08-09
Nuclear Regulatory Commission (NRC) 5.71
Moving Forward…
Cyber security supports both the reliability and privacy of the Smart Grid
Address interconnected systems – both IT and control systems
– Cyber security needs to be addressed in all systems, not just critical assets
– Augment existing protection controls, as applicable
Continuously monitor and assess the security status
Acknowledge that there will be some security breaches
– Focus on response and recovery
– Fail secure
Address both safety and security
Discussion
202.293.6345