Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Date posted: 15-Dec-2014
Uploaded by: energysec

Description:
The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) allows electric utilities and grid operators to assess their cybersecurity capabilities and to prioritize the actions and investments that improve them. It combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry. The ES-C2M2 was developed as part of a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS) and involved close collaboration with industry, other Federal agencies, and other stakeholders. This presentation covers a real-world "case study" of how this ES-C2M2 work can easily be adapted to improve cyber security at your organization.
Transcript
Page 1: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

Case Study: Snohomish County PUD Initial Facilitated Assessment, August 2012

Benjamin Beberness, Snohomish County PUD
John Fry, ICF International

Page 2: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 Background & Overview

• Challenge: Develop capabilities to manage dynamic threats and understand the cybersecurity posture of the grid
• Approach: Develop a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities
• Results: A scalable, sector-specific model created in partnership with industry

ES-C2M2 Objectives

• Strengthen cybersecurity capabilities
• Enable consistent evaluation and benchmarking of cybersecurity capabilities
• Share knowledge and best practices
• Enable prioritized actions and cybersecurity investments

ES-C2M2 Case Study 2

Page 3: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Why Create a Maturity Model?

"If you want to build a ship, don't herd people together to collect wood and don't assign tasks and work, but rather, teach them to long for the endless immensity of the sea."

– Antoine de Saint-Exupéry

Page 4: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Why Create a Maturity Model?

• A tool for utilities (as opposed to regulation from Government)
• Helps answer the questions:
  – Where are we?
  – Where do we go?
  – How do we get there?

Page 5: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 Domains

[Figure: the ten domains arranged in a ring, each with its short name]

– RISK: Risk Management
– ASSET: Asset, Change, and Configuration Management
– ACCESS: Identity and Access Management
– THREAT: Threat and Vulnerability Management
– SITUATION: Situational Awareness
– SHARING: Information Sharing and Communications
– RESPONSE: Event and Incident Response, Continuity of Operations
– DEPENDENCIES: Supply Chain and External Dependencies Management
– WORKFORCE: Workforce Management
– CYBER: Cybersecurity Program Management

• Domains are logical groupings of cybersecurity practices
• Each domain has a short name for easy reference

Page 6: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Model Architecture

[Figure: a Domain contains Objectives (Objective 1, Objective 2); an Objective contains Practices (Practice 1, Practice 2); each Practice is assigned to a Maturity Indicator Level (MIL 1, MIL 2)]

Page 7: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Example: Objectives

Situational Awareness: 4 Objectives
1. Perform Logging – MIL1, MIL2, MIL3
2. Monitor the Function – MIL1, MIL2, MIL3
3. Establish and Maintain a Common Operating Picture – MIL1, MIL2, MIL3
4. Manage SITUATION Activities (common objective) – MIL1, MIL2, MIL3

Page 8: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Example: Practice Maturity Progression

Page 9: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Example: Practice Maturity Progression

Page 10: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Example: Practice Maturity Progression

Situational Awareness "Monitor the Function"

• MIL1 – Cybersecurity monitoring activities are performed (e.g., periodic reviews of log data)
• MIL2 – Alarms and alerts are configured to aid the identification of cybersecurity events
• MIL3 – Continuous monitoring is performed across the operational environment to identify anomalous activity
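The three MILs above describe a progression in how log data is used. As an added illustration (not code from the slides, the DOE model, or Snohomish County PUD), the Python below runs that same progression over a constructed set of SSH authentication events from a substation HMI and an engineering workstation: a MIL1 periodic summary for a person to review, a MIL2 alert rule (three failed logins from one source within five minutes), and a MIL3 continuous check that compares each host's hourly login volume against a baseline learned from its earlier hours. The hostnames, addresses, log format and thresholds are all assumptions chosen for the example.

```python
"""Added example (not from the slides, the DOE model, or SnoPUD): the three
MILs of SITUATION "Monitor the Function" as detection logic over a
constructed set of SSH authentication events. Hostnames, addresses, the log
format and all thresholds are assumptions chosen for the example."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a substation HMI and an engineering workstation.
# The burst at 05:01 from 10.1.9.77 is what the MIL2 and MIL3 checks should surface.
SAMPLE_LOG = """\
2012-08-06T01:00:12 hmi-sub1 sshd: Accepted password for operator from 10.1.1.20
2012-08-06T01:35:02 hmi-sub1 sshd: Accepted password for operator from 10.1.1.20
2012-08-06T02:10:45 hmi-sub1 sshd: Accepted password for operator from 10.1.1.21
2012-08-06T02:50:09 hmi-sub1 sshd: Failed password for operator from 10.1.1.21
2012-08-06T03:05:33 hmi-sub1 sshd: Accepted password for operator from 10.1.1.20
2012-08-06T03:44:18 hmi-sub1 sshd: Accepted password for operator from 10.1.1.20
2012-08-06T04:12:00 hmi-sub1 sshd: Accepted password for operator from 10.1.1.21
2012-08-06T04:59:47 hmi-sub1 sshd: Accepted password for operator from 10.1.1.20
2012-08-06T05:01:10 hmi-sub1 sshd: Failed password for root from 10.1.9.77
2012-08-06T05:01:15 hmi-sub1 sshd: Failed password for admin from 10.1.9.77
2012-08-06T05:01:21 hmi-sub1 sshd: Failed password for operator from 10.1.9.77
2012-08-06T05:01:30 hmi-sub1 sshd: Failed password for operator from 10.1.9.77
2012-08-06T05:02:02 hmi-sub1 sshd: Accepted password for operator from 10.1.9.77
2012-08-06T05:30:44 hmi-sub1 sshd: Accepted password for operator from 10.1.1.20
2012-08-06T02:20:00 eng-ws1 sshd: Accepted password for engineer from 10.1.2.5
2012-08-06T03:21:00 eng-ws1 sshd: Failed password for engineer from 10.1.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
                     r"password for (?P<user>\S+) from (?P<src>[\d.]+)$")


def parse(log):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def mil1_summary(events):
    """MIL1: periodic review - per-host counts of accepted/failed logins a person reads each shift."""
    return dict(Counter((e["host"], e["result"]) for e in events))


def mil2_alerts(events, threshold=3, window_s=300):
    """MIL2: a configured alert - `threshold` failed logins from one source within `window_s` seconds.
    Returns (source, host, time) per firing; the window is cleared after a firing so one burst alerts once."""
    alerts = []
    recent = defaultdict(list)   # source address -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "Failed":
            continue
        ts_list = recent[e["src"]]
        ts_list.append(e["ts"])
        while (ts_list[-1] - ts_list[0]).total_seconds() > window_s:
            ts_list.pop(0)            # drop failures that fell out of the window
        if len(ts_list) >= threshold:
            alerts.append((e["src"], e["host"], e["ts"]))
            ts_list.clear()
    return alerts


def mil3_anomalies(events, baseline_hours=4, z=2.0):
    """MIL3: continuous monitoring - flag any host-hour whose login volume exceeds
    mean + z*stdev of that host's first `baseline_hours` hours. The spread is floored at
    1 event/hour so a perfectly flat baseline does not flag every small change.
    Hours with no events are absent from the buckets, so a quiet host is never flagged."""
    per_host = defaultdict(Counter)
    for e in events:
        per_host[e["host"]][e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    findings = []
    for host, buckets in per_host.items():
        ordered = sorted(buckets.items())
        if len(ordered) <= baseline_hours:
            continue                  # not enough history to baseline this host yet
        base = [n for _, n in ordered[:baseline_hours]]
        limit = mean(base) + z * max(pstdev(base), 1.0)
        for hour, n in ordered[baseline_hours:]:
            if n > limit:
                findings.append((host, hour.isoformat(), n, limit))
    return findings


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("MIL1 summary:", mil1_summary(events))
    print("MIL2 alerts:", mil2_alerts(events))
    print("MIL3 anomalies:", mil3_anomalies(events))
```

Note how the lone failure at 02:50 never reaches the MIL2 threshold and the MIL3 check only fires on the 05:00 hour, whose six events exceed the limit of four derived from the earlier hours; with only a MIL1 summary, the burst is visible solely as a failed-login count someone would have to notice on review.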

Page 11: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

The Model at a Glance

[Figure: a grid of the 10 domains (columns) against the Maturity Indicator Levels (rows)]

Maturity Indicator Levels (rows):
– X  Reserved
– 3  Managed
– 2  Performed
– 1  Initiated
– 0  Not Performed

Model Domains (columns): RISK, ASSET, ACCESS, THREAT, SITUATION, SHARING, RESPONSE, DEPENDENCIES, WORKFORCE, CYBER

• 10 Model Domains: Logical groupings of cybersecurity practices
• 4 Maturity Indicator Levels: Defined progressions of practices
• Each cell contains the defining practices for the domain at that maturity indicator level
• 1 Maturity Indicator Level that is reserved for future use

Page 12: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Using the Evaluation Results

Page 13: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Using the Evaluation Results

Page 14: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Assessed Domains

• Enterprise versus functional area
• Assessed Domains
  – Risk Management (RISK)
  – Asset, Change, and Configuration Management (ASSET)
  – Identity and Access Management (ACCESS)
  – Threat and Vulnerability Management (THREAT)
  – Situational Awareness (SITUATION)
  – Information Sharing and Communications (SHARING)
  – Event and Incident Response, Continuity of Operations (RESPONSE)
  – Supply Chain and External Dependencies Management (DEPENDENCIES)
  – Workforce Management (WORKFORCE)
  – Cybersecurity Program Management (CYBER)

Page 15: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

SNOPUD Relative Scoring

[Figure: stacked bar chart of practice responses per domain (Risk, Asset, Access, Threat, Situation, Sharing, Response, Dependencies, Workforce, Cyber), one bar each for MIL1, MIL2 and MIL3. Legend: Fully implemented, Largely implemented, Partially implemented, Not implemented]

Maturity Indicator Level (MIL) 1 through 3 indicate the stage of implementation of the domain, with 1 indicating there is room for improvement and 3 indicating it is fully implemented with very little room for improvement. Not all domains for every organization need to be at MIL 3. Many organizations, based on the risk profile, may have an adequate program at MIL 1.

Page 16: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Assessment Results

• No surprises – areas needing improvement were known
• Facilitators were very objective
• Areas for improvement include risk management and log management, and areas of asset management
• Areas where program elements are in place include areas of asset management, access control (policy), threat/vulnerability management, sharing and managing information, threat response, dependencies, workforce management, and cyber program management
• The assessment provided quantitative guidance for program improvement
  – Review individual function areas (Generation, Water, T&D)
  – Determine the individual as well as the functional domain target maturity goals
  – Prioritize objectives in the overall cyber security program
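Slide 15 scores each domain by how its practices were answered (Fully, Largely, Partially or Not Implemented) and slide 16 turns that into target maturity goals and a prioritized list of objectives. The Python below is an added example, not the DOE self-evaluation tool and not SnoPUD's results: it holds practice responses for two domains and computes the MIL each domain achieves, the per-MIL response tally behind a chart like slide 15's, and the practices that block a chosen target MIL, which is the prioritization list slide 16 calls for. The practice wording, responses and targets are constructed (only the domain and objective names come from the model), and the counting rule is an assumption stated in the code: a domain reaches MIL n only when every practice at MIL n and below is Fully or Largely Implemented.

```python
"""Added example (not from the slides, the DOE self-evaluation tool, or
SnoPUD): turn practice-level responses into an achieved MIL per domain,
a per-MIL response tally, and a gap list toward a target MIL.

Assumed scoring rule: a domain reaches MIL n only when every practice at
MIL n and at every lower MIL is Fully or Largely Implemented. Practice text,
responses and targets below are constructed; only the domain and objective
names are the model's."""
from collections import Counter, defaultdict
from dataclasses import dataclass

RESPONSES = ("Not Implemented", "Partially Implemented",
             "Largely Implemented", "Fully Implemented")
CREDIT = {"Largely Implemented", "Fully Implemented"}   # responses that count toward a MIL


@dataclass(frozen=True)
class Practice:
    domain: str
    objective: str
    mil: int        # 1, 2 or 3
    text: str       # constructed paraphrase, not the model's wording
    response: str   # one of RESPONSES


PRACTICES = [
    Practice("SITUATION", "Perform Logging", 1, "logging is performed for important assets", "Fully Implemented"),
    Practice("SITUATION", "Perform Logging", 2, "logging requirements are defined", "Largely Implemented"),
    Practice("SITUATION", "Perform Logging", 3, "log data is aggregated and retained", "Partially Implemented"),
    Practice("SITUATION", "Monitor the Function", 1, "monitoring activities are performed", "Fully Implemented"),
    Practice("SITUATION", "Monitor the Function", 2, "alarms and alerts are configured", "Partially Implemented"),
    Practice("SITUATION", "Monitor the Function", 3, "continuous monitoring for anomalous activity", "Not Implemented"),
    Practice("SITUATION", "Common Operating Picture", 1, "status is reported to decision makers", "Largely Implemented"),
    Practice("SITUATION", "Common Operating Picture", 2, "a COP is established", "Fully Implemented"),
    Practice("SITUATION", "Common Operating Picture", 3, "COP integrates other domains' status", "Not Implemented"),
    Practice("SITUATION", "Manage SITUATION Activities", 1, "activities are performed ad hoc", "Fully Implemented"),
    Practice("SITUATION", "Manage SITUATION Activities", 2, "activities are documented and resourced", "Largely Implemented"),
    Practice("SITUATION", "Manage SITUATION Activities", 3, "activities are reviewed for effectiveness", "Partially Implemented"),
    Practice("RISK", "Establish Cybersecurity Risk Management Strategy", 1, "a risk strategy exists informally", "Partially Implemented"),
    Practice("RISK", "Establish Cybersecurity Risk Management Strategy", 2, "the strategy is documented and approved", "Not Implemented"),
    Practice("RISK", "Manage Cybersecurity Risk", 1, "risks are identified", "Largely Implemented"),
    Practice("RISK", "Manage Cybersecurity Risk", 2, "risks are analyzed and tracked", "Partially Implemented"),
    Practice("RISK", "Manage RISK Activities", 2, "activities are documented and resourced", "Not Implemented"),
]

TARGETS = {"SITUATION": 2, "RISK": 1}   # constructed target MILs per domain


def validate(practices):
    bad = [p for p in practices if p.response not in RESPONSES or p.mil not in (1, 2, 3)]
    if bad:
        raise ValueError(f"invalid practice records: {bad}")


def achieved_mil(practices):
    """Highest n such that every practice at MIL 1..n has credit; 0 if MIL1 is incomplete."""
    level = 0
    for n in (1, 2, 3):
        at_n = [p for p in practices if p.mil == n]
        if not at_n:
            break   # no practices defined at this level: it cannot be claimed
        if all(p.response in CREDIT for p in at_n):
            level = n
        else:
            break   # an unearned lower MIL blocks every higher one
    return level


def tally(practices):
    """Response counts per MIL: the data behind a stacked bar like slide 15's."""
    out = defaultdict(Counter)
    for p in practices:
        out[p.mil][p.response] += 1
    return dict(out)


def gaps_to_target(practices, target):
    """Practices at or below the target MIL that still lack credit, lowest MIL first."""
    return sorted((p for p in practices if p.mil <= target and p.response not in CREDIT),
                  key=lambda p: (p.mil, p.objective))


def score_by_domain(practices, targets):
    validate(practices)
    by_domain = defaultdict(list)
    for p in practices:
        by_domain[p.domain].append(p)
    return {
        d: {"achieved": achieved_mil(ps),
            "target": targets[d],
            "gaps": [(p.mil, p.objective, p.text) for p in gaps_to_target(ps, targets[d])]}
        for d, ps in by_domain.items()
    }


if __name__ == "__main__":
    for d, r in score_by_domain(PRACTICES, TARGETS).items():
        print(f"{d}: achieved MIL{r['achieved']}, target MIL{r['target']}")
        for mil, objective, text in r["gaps"]:
            print(f"  MIL{mil} {objective}: {text}")
```

With these constructed responses SITUATION reaches MIL1 but not its MIL2 target, blocked by a single MIL2 practice, while RISK stays at MIL0 because one MIL1 practice is only partially implemented; the gap list is ordered by MIL so the cheapest step toward the target appears first, which is what the slide 16 prioritization needs.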

Page 17: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Notional Sample Report: Actual vs. Desired Score

Page 18: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 - Next Steps

• Share best practices within the sector
• Identify approaches for capability development
• Discussion opportunities created
• Develop anonymous aggregated benchmarking data
• R&D investment needs identified by result data
• Access to online training tools

Page 19: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Next Steps

• Data collection
  – ES-C2M2 compartment within US-CERT Portal
  – PCII protections
  – Projected timeline
• Data analytics
• Benchmark data

Page 20: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Notional Sample Comparison Report

Page 21: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Links

ES-C2M2 Model: http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-may-2012

ES-C2M2 Self-Evaluation Tool requests, questions, or requests for facilitation: [email protected]

Page 22: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

THANK YOU. For questions or feedback please contact ES-[email protected]

Page 23: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

Background  Slides  

Page 24: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 Domain Descriptions

Risk Management (RISK)
Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders. RISK comprises three objectives:
1. Establish Cybersecurity Risk Management Strategy
2. Manage Cybersecurity Risk
3. Manage RISK Activities

Asset, Change, and Configuration Management (ASSET)
Manage the organization's operations technology (OT) and information technology (IT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives. ASSET comprises four objectives:
1. Manage Asset Inventory
2. Manage Asset Configuration
3. Manage Changes to Assets
4. Manage ASSET Activities

Page 25: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 Domain Descriptions

Identity and Access Management (ACCESS)
Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets, commensurate with the risk to critical infrastructure and organizational objectives. ACCESS comprises three objectives:
1. Establish and Maintain Identities
2. Control Access
3. Manage ACCESS Activities

Threat and Vulnerability Management (THREAT)
Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization's infrastructure (e.g., critical, IT, operational) and organizational objectives. THREAT comprises three objectives:
1. Identify and Respond to Threats
2. Reduce Cybersecurity Vulnerabilities
3. Manage THREAT Activities

Page 26: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 Domain Descriptions

Situational Awareness (SITUATION)
Establish and maintain activities and technologies to collect, analyze, alarm, present, and use power system and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP), commensurate with the risk to critical infrastructure and organizational objectives. SITUATION comprises four objectives:
1. Perform Logging
2. Monitor the Function
3. Establish and Maintain a Common Operating Picture
4. Manage SITUATION Activities

Information Sharing and Communications (SHARING)
Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives. SHARING comprises two objectives:
1. Share Cybersecurity Information
2. Manage SHARING Activities

Page 27: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 Domain Descriptions

Event and Incident Response, Continuity of Operations (RESPONSE)
Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives. RESPONSE comprises five objectives:
1. Detect Cybersecurity Events
2. Escalate Cybersecurity Events
3. Respond to Escalated Cybersecurity Events
4. Plan for Continuity
5. Manage RESPONSE Activities

Supply Chain and External Dependencies Management (DEPENDENCIES)
Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives. DEPENDENCIES comprises three objectives:
1. Identify Dependencies
2. Manage Dependency Risk
3. Manage DEPENDENCIES Activities

Page 28: Electricity Subsector Cybersecurity Capability Maturity Model Case Study

ES-C2M2 Domain Descriptions

Workforce Management (WORKFORCE)
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives. WORKFORCE comprises five objectives:
1. Assign Cybersecurity Responsibilities
2. Control the Workforce Lifecycle
3. Develop Cybersecurity Workforce
4. Increase Cybersecurity Awareness
5. Manage WORKFORCE Activities

Cybersecurity Program Management (CYBER)
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities in a manner that aligns cybersecurity objectives with the organization's strategic objectives and the risk to critical infrastructure. CYBER comprises five objectives:
1. Establish Cybersecurity Program Strategy
2. Sponsor Cybersecurity Program
3. Establish and Maintain Cybersecurity Architecture
4. Perform Secure Software Development
5. Manage CYBER Activities

