
VALUE OF A CYBERSECURITY SELF-ASSESSMENT - RC3 Self-Assessment Panel • Bobby Smith, Vice President,...

Date post: 16-Mar-2020
VALUE OF A CYBERSECURITY SELF-ASSESSMENT
Transcript
Page 1: VALUE OF A CYBERSECURITY SELF-ASSESSMENT - RC3 Self-Assessment Panel • Bobby Smith, Vice President, Information Systems, Laurens Electric Cooperative, Inc., SC • Justin Luebbert, Information

VALUE OF A CYBERSECURITY SELF-ASSESSMENT

Page 2:
Page 3:

RC3 Self-Assessment Research Program

Page 4:

RC3 Self-Assessment Research Program

Page 5:

[Diagram: Cybersecurity Ecosystem. Labels: E&O; Information Technology (IT); CEO/GM; Accounting Finance; Directors; Member Services Marketing; HR]

Page 6:

RC3 Self-Assessment Research Program

Page 7:

RC3 Self-Assessment Research Program

Page 8:

RC3 Self-Assessment Research Program

Page 9:

RC3 Self-Assessment Research Program

Initial findings…

Page 10:

RC3 Self-Assessment Panel

• Bobby Smith, Vice President, Information Systems, Laurens Electric Cooperative, Inc., SC

• Justin Luebbert, Information Security and Business Technology Manager, Central Electric Power Cooperative, MO

• Sherry Fix, Manager of Information Technology, Grand Valley Power, CO

• Jim Haler, Member Services Manager, South Central Electric Association & Redwood Electric Cooperative, MN

Page 11:

RC3 and Cybersecurity Awareness

Bobby Smith, VP of Information Technology

Page 12:

Board Awareness

“This is two hours of my life that I will never get back.”

IDENTIFY PROTECT DETECT RESPOND RECOVER

Page 13:

Management Awareness

Cybersecurity is not limited to IT

Importance of Cyber-specific Policies

Page 14:

IT Awareness

Inventory of Assets

Importance of Documentation

“Trace every cable”

Page 15:

Contact Information

Bobby Smith, VP of Information [email protected]

Page 16:

Justin Luebbert, Manager of Information Security & Business Technology

Central Electric Power Cooperative (G&T), Jefferson City, Missouri

Page 17:

CENTRAL ELECTRIC POWER COOPERATIVE

Collectively we deliver power to a 22,000 square mile area in central Missouri.

1. Boone Electric

2. Callaway Electric

3. Central Missouri Electric

4. Co-Mo Electric

5. Consolidated Electric

6. Cuivre River Electric

7. Howard Electric

8. Three Rivers Electric

8 Distribution Cooperatives

TRANSMISSION COOPERATIVE

Page 18:

• What is the value of a cybersecurity self-assessment?

• What are some of our key takeaways from participating in the NRECA RC3 program?

Page 19:

• NRECA RC3 Self Assessment \ NIST

• IDENTIFY

• PROTECT

• DETECT

• RESPOND

• RECOVER

Communicate risk in ways everyone can understand, from Server Room to the Board Room.

PROVIDES A COMMON LANGUAGE

CEO to CSR

Page 20:

BENCHMARKING

• Creates a benchmark to evaluate your current cybersecurity state.

• Helps you understand your cyber posture and what your biggest vulnerabilities and risk are related to your cooperative.

ABILITY TO EVALUATE CYBERSECURITY POSTURE

[Diagram labels: PLAN, ANALYZE, IMPLEMENT, COLLECT, MEASURE; title: BENCHMARKING]

PRIORITIZATION

• Allows you to set security priorities based on risks, resources and investment.

• Enables you to have a better understanding of how you can merge:

  • cybersecurity priorities and initiatives with business priorities and initiatives.

Page 21:

GOALS

• Allows your cooperative to set realistic goals and to measure success of current initiatives and future initiatives.

SECURITY IS A NEVER ENDING GOAL

ABILITY TO EVALUATE CYBERSECURITY POSTURE

SECURITY

EFFICIENCY

• Less chance of duplication of efforts within your organization.

• Allow different departments to work together toward common goals and set of standards.

• Decreases the chance of shadow IT.

Page 22:

Cybersecurity is no longer just a technology issue, it is also a business issue.

• Understanding of the different roles and needs within an organization related to cybersecurity

• We must embrace cyber security as a business risk, not merely a technology risk.

• Staff and General Manager need to be discussing risk management.

• Review Cooperative Policies: Cybersecurity Integration

• Cyber Insurance & Data Ownership

• Legal Team: Regulatory or Compliance issues, State Laws

• Information Technology & Operational Technology Convergence

• Cyber Incident Response Planning: Table Top Exercises

• Cyber Communications Planning and Media Communications

IT IS NOT JUST AN IT DEPARTMENT PROBLEM

Page 23:

Self-Assessment highlights importance of choosing your vendors & cloud providers

• Not all vendors are taking the required steps when it comes to cybersecurity and can pose huge risk for a cooperative.

• You must manage your cybersecurity risk when making purchasing decisions.

• Get vendor security practices in writing before you sign the contract.

• Create minimum vendor security requirements that all vendors must follow:

• How they connect? When they connect?

• What security practices does the vendor have in place?

• Don’t make assumptions in regards to security responsibilities. Follow Up.

YOUR VENDORS' ROLE IN CYBERSECURITY

Page 24:

“THE HUMAN FIREWALL”

• Know what visitors and contractors are coming in and out of your organizations.

• Controlling access into facilities entry and exit points, exterior building doors and critical server or data room doors.

• If you SEE something SAY something

IMPORTANCE OF PHYSICAL SECURITY

EDUCATION - EDUCATION - EDUCATION

• The importance in educating your employees on their role in:

  • “DEFENDING THEIR COOPERATIVE AGAINST CYBER THREATS”

• You must empower your employees. Let them know what you are doing and what they can do.

• Employees are the first line of defense and the biggest asset.

Page 25:

“THE HUMAN FIREWALL” EDUCATION - EDUCATION - EDUCATION

• Educate employees on cyber crime and who is carrying it out.

  • Cybercrime is a business

  • Nation-state actors are a real threat (US CERTS)

• What are my cooperative's risks associated with a cybersecurity breach?

  • Financial, Reputational, Regulatory

  • How can it negatively affect the cooperative?

• Create Cybersecurity Program similar to cooperative Safety Programs.

  • Keeps everyone on the same page, focused toward the same goals.

Page 26:

“THE BIG PICTURE”

FINAL POINTS: THE VALUE OF SELF-ASSESSMENT

An effective cyber security self-assessment will:

• Define clear strategic goals within your organization.

• Establish security standards to ensure that your cooperative has the best chance to defend itself in the event of a breach.

• Empower your employees and departments to take charge of their own role related to security.

• Identify cybersecurity initiatives and how to merge those with the overall business strategy.

• Helps define the role cybersecurity plays in the delivery of the cooperative's critical services.

“KEEPING THE LIGHTS ON”

Page 27:

Grand Valley Power

Changes & Challenges

Sherry Fix, IT Manager

Page 28:

Grand Valley Power

• 18,000 meter coop in Western Colorado

• Founded in 1936

• Employed for 36 years

• 43 Employees

Page 29:

Changes & Challenges

• Increased cyber security training with KnowBe4

• Replaced Access Control system/added 7 new cameras

• Locked ports to known MAC addresses

• Ensured unused ports not patched

• Beginning work on Policy creation

• Enhancing our asset management application

Page 30:

Cyber Security Self-Assessment

Southwestern Minnesota Co-ops

Jim Haler

South Central Electric Association

Redwood Electric Cooperative

Page 31:

Southwest Minnesota Co-ops

South Central Electric Association

Redwood Electric Cooperative

Brown County REA

Federated REA

Nobles Cooperative Electric

5 Cooperatives with no IT staff. Each with a different IT vendor.

Page 32:

What we learned……

• We need a plan.

• We need to educate our employees and board.

Page 33:

Why the self-assessment is important.

You need a place to start!

• 155 Questions

• 36 Not applicable

• 78 No or partial

Page 34:

RC3 Self-Assessment Panel

• Bobby Smith, Vice President, Information Systems, Laurens Electric Cooperative, Inc., SC

• Justin Luebbert, Information Security and Business Technology Manager, Central Electric Power Cooperative, MO

• Sherry Fix, Manager of Information Technology, Grand Valley Power, CO

• Jim Haler, Member Services Manager, South Central Electric Association & Redwood Electric Cooperative, MN

Page 35:

• 2018 Self-Assessment Research Program

• Training!!

  • SANS Voucher Program (Andre Joseph)

  • EnergySec’s Security Education Week, April 23-27 (from $3,495 to $2,500 with NRECA/APPA discount)

• Cybersecurity Summits – 5 planned in 2018

Page 36:

TechUpdate

Twice-monthly email newsletter containing the latest information on RC3 Program opportunities and technical publications, articles, reports, webinars, and conferences.

Sign-up at: [email protected]

Page 37:
Page 38:

Accessible

Page 39:

Accessible Affordable

Page 40:

Accessible Affordable Appropriate

Page 41:

Dr. Tim Heidel, Deputy Chief Scientist, NRECA

Lauren Khair, Regional Economic Analyst, NRECA

Sarah Kiely, Principal, IT Community Support, NRECA

Dr. Craig Miller, Chief Scientist, NRECA

Jona Okoth, Senior Consultant, Synopsys

Andre Joseph, Cybersecurity Principal, NRECA

Dr. Cynthia Hsu, Cybersecurity Program Manager
Office: 703-907-5500
Mobile: 703-403-8698
Email: [email protected]

Bob Gibson, Consultant

Robin Christianson, Senior Manager, Engagement & Strategy, NRECA

Adaora Ifebigh, Project Manager, NRECA

Maureen Gatti, Consultant

Alvin Razon, Senior Director, Distribution Optimization, NRECA

