Date posted: 18-Nov-2014
Page 1
Integration of Technology & Compliance
August 02, 2012
2012 Technologies for Security & Compliance Summit
Austin, Texas
Page 2
John Heintz, CISSP, CISM, CRISC
Senior Manager, Enterprise IT Security
Page 3
CPS Energy History (The early days)
• Oldest utility in Texas. Gas light system started in the 1860s.
• In 1917, San Antonio Public Service Company (SAPs Co), under the ownership of American Light and Traction Company, ran the city's power plants, gas network and street car lines.
• In 1942, anti-trust laws required American Light and Traction Company to sell some of its assets.
• The city of San Antonio outbid other entities to purchase SAPs Co for $34 million.
• The city sold off the street car business and retained the power generation, distribution and gas network.
• Changed the name to City Public Service, which changed through the years to CPS Energy.
Page 4
CPS Energy (Current)
• Based in San Antonio (7th largest city in the nation)
• Largest Municipally owned energy utility that provides both natural gas and electric service
• Serve over 717,000 electric customers
• Over 325,000 gas customers
• 1,514 square mile service area.
• Over 3,600 employees
• $2 Billion in annual revenues
• $9.7 Billion in assets
• Provide roughly $250 - $280 million annual revenue to the City of San Antonio.
Page 5
Generation
• Generation Assets
– Own and operate 4 major generation facilities in the San Antonio area (gas and coal), generating approximately 7,000 megawatts of power
– Own 40% of South Texas Project (STP) units 1 and 2, providing 1,088 megawatts of power for CPS Energy customers
– Have invested an additional 7.625% in additional units at STP, which would generate an additional 200 megawatts of power for our customers
• Fuel Mix
– Coal - 32%
– Nuclear - 16%
– Natural gas and purchased power - 39%
– Renewable (wind, solar and landfill methane gas) - 13%, to increase to 20% by 2020
Page 6
Transmission & Distribution
• Transmission & Distribution Assets
– Own and maintain 1,400 miles of transmission lines
– Own and maintain 7,600 miles of overhead distribution lines (over 408,000 poles)
– Own and maintain an additional 4,300 miles of underground distribution lines
Page 7
Enterprise IT Security Organization
• Enterprise IT Security Organization (EITS) formed in May of 2007
– John Heintz began with CPS Energy almost 2 years ago
• EITS moved to the Legal Department under the General Counsel in 2009
– Provides true segregation of duties
– Reports to Senior Counsel and the Director of Compliance
• Baselined the EITS security program using the Forrester Information Security Maturity Model
– Benchmarking tool to assess the information security program
– Provides a framework that describes all of the required functions and components of a comprehensive information security program
– The Forrester model is objective, prescriptive, process oriented, modular and uncomplicated
Page 8
Forrester Information Security Maturity Model
• Oversight
– Strategy
– Governance
– Risk Management
– Compliance Management
– Audit and Assurance
• People
– Security Services
– Communication
– Security Organization
– Business Relationship
– Roles/Responsibilities
• Technology
– Network
– Databases
– Systems
– Endpoints
– Application Infrastructure
– Messaging and Content
– Data
• Process
– Identity and Access Management
– Threat and Vulnerability Management
– Investigations and Records Management
– Incident Management
– Sourcing and Vendor Management
– Information Asset Management
– Application/Systems Development
– Business Continuity and Disaster Recovery
Page 9
Maturity Model Self Assessment
• 0 - Nonexistent: not understood, not formalized, need is not recognized
• 1 - Ad Hoc: occasional, not consistent, not planned, disorganized
• 2 - Repeatable: intuitive, not documented, occurs only when necessary
• 3 - Defined: documented, predictable, evaluated occasionally, understood
• 4 - Measured: well managed, formal, often automated, evaluated frequently
• 5 - Optimized: continuous and effective, integrated, proactive, usually automated
(Chart: our corporate network results plotted against this scale. Chart annotation: "Most mature companies are at this stage.")
Page 10
Doing Well and What Has Already Improved
• EITS - What are we doing well
– Endpoint Anti-Malware
– Network Intrusion Detection
– Anti-spam
– Policy Creation
– Security Event Management
• Other improvements already made
– Security Metrics
– Endpoint Protection
– Network Vulnerability
– Application Developer Security Awareness
– Vulnerability Management
– Security Testing
– Forensics and e-Discovery
– Threat Modeling
– Threat Research
– Client Encryption
– Project Integration
Page 11
Key Security / Compliance Challenges
• Technology
– Databases: encryption is ad hoc
– Systems: host based firewalls and IPS
– Application Infrastructure: XML gateway, application firewall
– Messaging and Content: message encryption, instant message filtering, anti-malware
– Data: digital rights management
• Process
– Identity and Access Management: web SSO, access control, enterprise SSO
• People
– Security Organization: staffing
Page 12
Corporate Information Security Goal
• 0 - Nonexistent: not understood, not formalized, need is not recognized
• 1 - Ad Hoc: occasional, not consistent, not planned, disorganized
• 2 - Repeatable: intuitive, not documented, occurs only when necessary
• 3 - Defined: documented, predictable, evaluated occasionally, understood
• 4 - Measured: well managed, formal, often automated, evaluated frequently
• 5 - Optimized: continuous and effective, integrated, proactive, usually automated
(Chart: target position on this scale. Chart annotation: "Key security issues are addressed, could move here…")
Page 13
James Grimshaw
Critical Cyber Infrastructure Manager, Transmission Compliance
Page 14
Control Systems Cyber Security (or Compliance?)
• NERC Compliance Events
– January 2009 – One year to be fully compliant
– January 2010 – Fully compliant date
– October 2010 – TOP CFR Certification
– November 2011 – 1st full TO/TOP/LSE CIP audit
– 2012 – Documented lessons learned (LL) and began to implement LL during annual updates
1. Manage and Communicate Compliance Activities
2. CIP-004-3, R4 – Access Program
3. Management Dashboard
Page 15
Manage and Communicate Compliance Activities
• Annual reviews (Policies, Programs, Procedures etc…)
• Create compliance periodic reports
• Where to file (sensitive) associated reports and evidence
• Complete Reliability Standards Audit Worksheets (RSAWs)
• Create workflows for accountability, accuracy, & oversight
• Risk management – escalation of non-completed workflows, security trends
• Manage Technical Feasibility Exceptions, Mitigation Plans etc.
• Decrease interruption to Subject Matter Expert daily work schedule
Page 16
Physical & Cyber Access Program
• Automate performance reviews and system generated reports
• Integrate systems to decrease risk & increase efficiency
• Physical Security Perimeter & Electronic Security Perimeter
• PSP Area Owners & Cyber System Owners
• Corporate Enterprise Resource Planning program for PRAs (personnel risk assessments)
• Corporate learning management system for NERC training records
• Weekly access report fed into management dashboard
• Automate position organizational changes, terminations and new hires
• CIP Version 5 – Role based access (and other changes)
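The access-program automation sketched above (HR changes, PRA and training records reconciled against PSP and ESP access, with a weekly report feeding the management dashboard and non-completed items escalated) as an added worked example. This is illustrative code, not CPS Energy's or the presenters' tooling. The record layouts, the 24-hour revocation window, the seven-year PRA validity and the annual training interval are assumptions chosen for the example; check them against the CIP version you are audited on. All records are constructed sample data.

```python
"""Weekly PSP/ESP access reconciliation (added example; not CPS Energy code).

Cross-checks the current access roster against the HR feed, the personnel
risk assessment (PRA) records and the NERC training records, and returns the
findings a weekly access report would push to a management dashboard, with
overdue items marked for escalation. All records are constructed sample data;
the record layouts and the time windows below are assumptions for this
example and must be checked against the CIP version in force.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Illustrative program settings (assumptions, not quoted from the standard).
REVOKE_WITHIN = timedelta(hours=24)      # access must be gone this soon after termination
PRA_VALID = timedelta(days=7 * 365)      # PRA must be redone within this interval
TRAINING_VALID = timedelta(days=365)     # annual NERC training

# Constructed HR feed: employee id -> (status, termination timestamp or None).
HR = {
    "e100": ("active", None),
    "e101": ("terminated", datetime(2012, 7, 30, 9, 0)),
    "e102": ("active", None),
    "e103": ("terminated", datetime(2012, 8, 1, 17, 0)),
}

# Constructed access roster: (employee id, perimeter type, PSP area / cyber system).
ACCESS = [
    ("e100", "ESP", "EMS SCADA"),
    ("e101", "PSP", "Control Center"),
    ("e101", "ESP", "EMS SCADA"),
    ("e102", "PSP", "Substation A"),
    ("e103", "ESP", "Historian"),
]

# Constructed completion dates from the ERP (PRA) and LMS (training) systems.
PRA_DONE = {"e100": date(2006, 1, 15), "e102": date(2011, 3, 1)}
TRAINING_DONE = {"e100": date(2012, 2, 1), "e102": date(2011, 6, 1)}

REPORT_TIME = datetime(2012, 8, 2, 8, 0)  # constructed "now" for the weekly run


@dataclass(frozen=True)
class Finding:
    employee: str
    perimeter: str   # "PSP" or "ESP"
    area: str
    issue: str
    action: str      # "revoke" = owner workflow; "escalate" = dashboard escalation queue


def reconcile(access, hr, pra_done, training_done, now):
    """Return one Finding per access grant the program would not allow to stand."""
    findings = []
    for emp, perimeter, area in access:
        status, term_at = hr.get(emp, ("unknown", None))
        if status == "terminated":
            # Still on the roster after termination: always a finding, and
            # anything past the revocation window goes to escalation.
            hours = (now - term_at).total_seconds() / 3600
            action = "escalate" if now - term_at > REVOKE_WITHIN else "revoke"
            findings.append(Finding(emp, perimeter, area,
                                    f"access active {hours:.0f} h after termination", action))
            continue
        if status != "active":
            # A grant with no HR record behind it cannot be explained to an auditor.
            findings.append(Finding(emp, perimeter, area, "no HR record for grant", "escalate"))
            continue
        pra = pra_done.get(emp)
        if pra is None or now.date() - pra > PRA_VALID:
            findings.append(Finding(emp, perimeter, area, "PRA missing or expired", "escalate"))
        trained = training_done.get(emp)
        if trained is None or now.date() - trained > TRAINING_VALID:
            findings.append(Finding(emp, perimeter, area,
                                    "NERC training missing or expired", "revoke"))
    return findings


def dashboard_counts(findings):
    """Roll findings up to (perimeter, action) counts for the management view."""
    counts = {}
    for f in findings:
        key = (f.perimeter, f.action)
        counts[key] = counts.get(key, 0) + 1
    return counts


def weekly_report(now=REPORT_TIME):
    """The weekly run: full findings list plus the dashboard roll-up."""
    findings = reconcile(ACCESS, HR, PRA_DONE, TRAINING_DONE, now)
    return findings, dashboard_counts(findings)


if __name__ == "__main__":
    findings, counts = weekly_report()
    for f in findings:
        print(f"{f.action:8} {f.employee} {f.perimeter} {f.area}: {f.issue}")
    print(counts)
```

On the constructed data the run flags e101's two grants (71 hours after termination, escalated), e103's Historian access (15 hours, inside the window, routed to the owner workflow) and e102's expired training. The point of the roll-up is that the dashboard sees counts per perimeter and action, while the full findings list goes to the PSP area owners and cyber system owners who have to act on it.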
Page 17
Management Compliance Dashboard
• One of the top ranked challenges is getting management support
– NERC Committee (Steering Group)
– Provide senior management with high level insight (drill down)
• Properly prioritize projects vs. compliance
• Properly prioritize funding
• Corporate level risk mitigation
Page 18
The Future for Control Systems Environments
• Working together with other utilities
– CIP Working Group
• Continuous process improvement
– Invest to automate processes
– Integrate systems to decrease risk
• Stay informed and utilize resources
– NERC and ICSJWG workshops
– Keep up with NERC & TxRE communications
– DOE/DHS
Page 19
Questions