Who’s there?
Keep the cyber wolf away from your information, your systems, your business…
Systrends 1001 E. Warner Road, Suite 102
Tempe, Arizona 85284
480-756-6777
https://www.linkedin.com/dave-darnell-53110
www.systrends.com
How Safe is Your Information?
“Electricity is what keeps our society tethered to modern times.” Lights Out, Ted Koppel
With changes in the recent history of the energy industry, energy and utility system infrastructure has
evolved to open network architecture. This means:
Internal users send information out of the secure environment (and receive information back into the secure environment).
Users outside the network have access to data and internal applications.
Smart meters allow access to meter data across a wide range via smart grid technology.
These changes to the power infrastructure have made cyber security threats more likely and more
dangerous. Energy industry entities must make sure the right physical, administrative, and technological
security safeguards are in place.
Because of required open network architecture and communication throughout the energy sector,
energy companies have special vulnerability to cyber security breaches, and to the possible implications
and severity of a cyber attack on any level of the energy infrastructure.
In his book about the energy industry and cyber security, Lights Out, Ted Koppel states “Because the
system’s maintenance and protection reside in so many different hands, though, and because its
complexity has made each player more dependent on computerized control systems, the grid is also
more vulnerable than it used to be. New forms of interconnection between and among firms create new
pathways through which malicious cyber attacks may travel. Security and day-to-day reliability become a
shared responsibility, and as with any other chain, the electric power grid may only be as strong as its
weakest link.” He continues, “Breaking up the industry into a marketplace of interconnected parts
introduced competition, which lowered prices. It also increased the system’s vulnerability to cyber
intrusion.”
A survey conducted at the end of last year by Tripwire (a leading, respected cyber security software company) brought out some disturbing answers. Respondents to Tripwire’s energy study included over 150 information technology professionals in the energy, utility, oil, and gas industries.
75% of the respondents said that the number of successful cyber attacks had increased over the last 12 months.
Over 75% of the respondents said that the cyber attacks they experienced were from an external source.
Over 80% believed that a cyber attack would cause physical damage to their critical infrastructure over the next year.
Tim Erlin, Tripwire’s director of IT security and risk, comments: “It’s tempting to believe that this increase in attacks is horizontal across industries, but the data shows that energy organizations are experiencing a disproportionately large increase when compared to other industries.”
We’ve included additional studies and statistics in this white paper. The respondents and commentators
are information technology and cyber security professionals—people on the front lines of this cyber
security battle.
FERC/NERC and DOE Responses to Cyber Security
In 2008, the Federal Energy Regulatory Commission (FERC) approved the North American Electric Reliability Corporation’s (NERC’s) eight mandatory Critical Infrastructure Protection (CIP) reliability standards—to protect critical assets in the greater power system from cyber security violations. FERC designated NERC as the ERO (Electric Reliability Organization) to execute and enforce compliance to the CIP standards; auditable compliance was mandated for all energy entities in 2010. The eight Critical Infrastructure Protection (CIP) standards cover:
1. Critical cyber asset identification.
2. Security management controls.
3. Personnel and training.
4. Electronic security perimeters.
5. Physical security of critical cyber assets.
6. Systems security management.
7. Incident reporting and response planning.
8. Recovery plans for critical cyber assets.
Steps 7 and 8 are considered “post-event” responses which can hopefully be mitigated or eliminated by
comprehensive cyber security auditing and planning.
FERC issued additional clarification and upgrades in January 2016 (Order No. 822); these upgrades include requiring large utilities to conduct cyber security training at least once a quarter, and to deploy two or more physical access controls outside their security perimeters.
In 2015, the Department of Energy (DOE) published its Cybersecurity Framework Implementation Guidance recommendations as a tool to help energy organizations. This Framework provides a structure for adherence to the CIP standards. The three main components of the DOE Framework are the Core, the Tiers, and the Profile.
1. Core—a set of cyber security activities, desired outcomes, and applicable information that are common to organizations in the energy sector.
2. Tiers—describe an organization’s cyber security risk and readiness, and the processes in place to manage that risk. Tiers range from 1 (Partial: incomplete) to 4 (Adaptive: ready to implement, in place).
3. Profile—coordinates the Core with business requirements, risk tolerance, and organizational resources. Profiles can include a current Profile and a desired target Profile.
Your Organization’s Cyber Security Profile
The FERC/NERC and DOE information gives you considerable detail on what’s required but not much instruction on how to meet these auditable expectations. Your IT security staff may already have trouble keeping up with cyber security advances and information because of: 1) other ongoing priorities and responsibilities, such as managing internal compliance and risk, and 2) a lack of experienced staff and budget allocation. The people on your front lines of cyber security are worried.
Your energy organization may be confident that your current cyber security profile/baseline is secure. At
the very least, your IT security staff, and your senior management, should be able to answer these
questions:
What is the security risk category of each system in your infrastructure—High, Medium, Low?
What are the current security controls for these systems?
Who are the people managing and operating these systems?
Who uses these systems (internal/external) and how do they use them?
What information does each group/subgroup have?
Are your system controls documented?
Are your controls and procedures current and able to be clearly understood and implemented?
Overview of this White Paper
We hope this white paper report gives you, the energy organization IT manager, information security
manager, compliance and risk manager, etc., some interesting information on cyber security—surveys,
statistics, standards, certifications, and project processes—and that it becomes a starting point for your
own research into how best to prepare your department, your people, and your organization for this very
real challenge. This report can also be used as a reference, as we have combined and condensed cyber
security information that you—the information security professional—may have documented or saved in
other formats, files, or documents.
This report also includes information on our company, Systrends. Some of you may be customers, and/or
may already know us from our EDI/B2B, CIS, and tariff management consulting and software. Systrends
has provided consulting, project management, and software to the energy industry for 18 years.
Over the last few years, we’ve acquired certifications and expertise in cyber security projects and
consulting; we’ve included details on that part of our business and hope we have an opportunity to
discuss that further with you soon.
This white paper includes:
Survey of Current Global Cyber Security.
Cyber Security Concerns in the Energy Industry.
Cyber Security Standards in the Energy Industry.
Cyber Security Expertise and Certification.
Components of a Cyber Security Project.
Systrends Cyber Security Credentials:
Systrends Cyber Security Certification.
Systrends Cyber Security Project Methodology.
Systrends Cyber Security Software Partners.
Systrends Background.
Cyber security for Your Organization—Next Steps.
Acronym Glossary.
Bibliography/Sources.
Survey of Current Global Cyber Security
ISACA/RSA Survey
In November and December of 2015, ISACA (the Information Systems Audit and Control Association) and
RSA Data Security, Inc. (a leading computer and network security company) conducted a global survey of
over 800 cross-industry cyber security managers and practitioners on the current global state of cyber
security. Survey participants agreed on the following general conclusions:
The number of breaches targeting organizational and individual data continues to go unchecked.
The sophistication of attack methodologies is evolving.
Attacks are not expected to slow down, and 75% of respondents anticipated a cyber attack within the next year.
Cyber criminals continue to use social engineering as the primary initial attack point.
60% of all respondents do not believe that their in-house information security staff could handle anything more than simple cyber security incidents.
The detailed survey covered three areas:
1. Organizational cyber security. 2. Threats, attacks, and crime. 3. Emerging trends.
Organizational cyber security
The respondents were asked about malicious activity occurrences in their organizations:
33% said their organization experienced a cyber crime-related incident in 2015.
42% said that their organization was very likely to experience a cyber attack in the next year.
36% said their board of directors was very concerned about cyber security.
71% said that it took two to six months to fill cyber security positions (9% said they could not adequately fill cyber security positions at all).
33% said that new cyber security hires were not adequately qualified and required extensive training; 75% said that these applicants had a significant skills gap.
Threats, attacks, and crime
The respondents were asked about the type and frequency of malicious activity:
52% had issues with malware.
41% had problems with social engineering.
36% experienced hacking.
34% had loss of mobile devices.
21% had online identity theft.
20% experienced loss of intellectual property.
18% had intentional damage to computer systems.
Emerging trends
The respondents were asked about the future of cyber security—62% thought cyber crime would be
increasing in both short- and long-term scenarios.
Black Hat Attendee 2016 Survey
Black Hat is one of the top cross-industry organizations for information security conferences and training. At their June 2016 conference, 250 attendees (all information security professionals) were queried regarding information security concerns:
74% said that their departments do not have enough staff to defend against current threats.
63% said their departments do not have the budget to defend against current threats.
72% said that it was highly probable they would deal with a major security breach within the next year.
When asked what they considered to be the major threats that they face:
46% cited social engineering attacks, such as phishing.
43% said sophisticated attacks targeted directly and deliberately at their organization.
However, when asked how top management directed their time, they said that their time was allocated
as follows:
35% to measuring risk.
32% to managing industry and regulatory compliance.
33% to troubleshooting in internally-developed applications.
Cyber Security Concerns in the Energy Industry
The energy sector has unique infrastructure and unique vulnerability in regards to cyber security and
cyber attack. Wide area networks, open architecture, and smart meter/smart grid technology increase
efficiency and output, but also leave energy entities in a unique position of exposure and susceptibility to
cyber crime. Industry leaders and commentators express growing apprehension regarding cyber security
and a potential lack of preparedness:
Alan Neuhauser of U.S. News commented on the growing concerns of the energy industry: “Cyber security leapt onto the list of the top five concerns for U.S. electric utilities this year, yet fewer than a third say they’re prepared to meet the growing threat of an attack.” Neuhauser continued that “a federal analysis reported by the Wall Street Journal in March showed that if only nine of the country’s 55,000 electrical substations were to go down—whether from mechanical issues or malicious attack—the nation would be plunged into a coast-to-coast blackout.”
Rochelle Nadhiri of Breaking Energy reported on similar concerns regarding natural gas companies. Nadhiri quotes Cathy Ranson, Senior Consultant for Black & Veatch: “The dependence on key operational and informational technology for natural gas transportation and storage is a key part of the U.S. critical infrastructure supporting both residential and commercial customers. Therefore, it is important that gas technology infrastructure be protected from cyber attacks that could disrupt or damage operations.”
Energy companies and electric utilities have experienced a spike in cyber attacks in the past year, according to a survey by Tripwire, a digital security firm. 150 Information Technology workers in the electricity, oil, and natural gas sectors were surveyed.
More than 75% of respondents reported that their organizations had experienced at least one successful cyberattack in the past 12 months, meaning intruders were able to breach one or more firewalls, antivirus programs, or other protections.
More than 75% of respondents said that the cyber attacks were from an external source.
Tim Erlin, Director of IT Security and Risk Strategy for Tripwire software, states “Detecting assets successfully is the midpoint of the overall process. Energy organizations need to invest in greater prevention and forensic tools to decrease the rate of successful attacks and fully investigate those they can’t prevent.”
Michael Krancer (partner with Blank Rome L.L.P., former Secretary of Pennsylvania’s Department of Environmental Protection), as a commentator to Forbes, states “Cyber security has been at the forefront of the news for several years. Coverage of the space usually focuses on a breach at a consumer-facing company, resulting in people’s credit cards, bank and personal records being stolen. As bad as these kinds of incidents are, however, we have thus far avoided cyber security threats that pose far larger and scarier problems. It’s cyber attacks on the energy space, not the consumer credit space, that could cripple the United States – or any country – as well as bring about a collapse of order and society that most of us associate with apocalyptical scenarios.”
He continues in his commentary, “according to a Wall Street Journal report, a survey of 625 IT
executives in the U.S., U.K., France, and Germany found that 48 percent said they think it is likely
there will be a cyber-attack on critical infrastructure, including energy infrastructure, in the next
three years that will result in the loss of life. The costs of cyber security are also increasing at an
alarming rate. For example, JPMorgan Chase’s annual cyber security expenditures are expected to
double to $500 million within the next five years.”
In Lights Out, his best-selling book on potential cyber attacks on the U.S. energy industry, Ted Koppel researches, analyzes, and describes what he believes to be the extreme vulnerability of our energy grid system. His observations include:
“Deregulation of the power industry has created a system with more vulnerable points of entry than ever existed previously, and a lot of the equipment is controlled by aging, standardized computer systems used around the world and familiar to many of America’s enemies…Breaking up the industry into a marketplace of interconnected parts introduced competition and lowered prices. It also increased the system’s vulnerability to cyber intrusion.”
“Because the system’s maintenance and protection reside in so many different hands…and because its complexity has made each player more dependent on computerized control systems, the grid is also more vulnerable than it used to be. New forms of interconnections between and among firms create new pathways through which malicious cyberattacks may travel. Security and day-to-day reliability become a shared responsibility, as with any other chain, the electric power grid may only be as strong as its weakest link.”
“Local distributors on electricity, even those in major urban areas, are not governed by any national regulatory standards…those local companies tend to be more vulnerable. If enemies wanted to launch a truly devastating cyber attack, couldn’t they go after the local distribution system?”
Cyber Security Standards in the Energy Industry
FERC/NERC CIP System Security Standards
Over the last eight years, in response to open architecture and increased risks and incidents, the Federal Energy Regulatory Commission (FERC) has approved infrastructure rules for the industry. In 2008, FERC approved eight mandatory Critical Infrastructure Protection (CIP) reliability standards
to protect critical assets in the greater power system from cyber security violations. FERC designated the North American Electric Reliability Corporation (NERC) as the ERO (Electric Reliability Organization) to execute and enforce compliance to the CIP standards.
Congress has mandated that the FERC/NERC CIP standards are to be reviewed and measured against the current National Institute of Standards and Technology (NIST) cyber security standards. This subjects the current standards to stringent review and revisions.
Auditable compliance was mandated for all energy entities in 2010. All energy systems are categorized for security purposes with a CIP level of security exposure of High, Medium, or Low. All such systems are subject to CIP standards.
The eight Critical Infrastructure Protection (CIP) standards cover:
1. Critical cyber asset identification.
2. Security management controls.
3. Personnel and training.
4. Electronic security perimeters.
5. Physical security of critical cyber assets.
6. Systems security management.
7. Incident reporting and response planning.
8. Recovery plans for critical cyber assets.
Steps 7 and 8 are considered “post-event” responses which can hopefully be mitigated or eliminated by
comprehensive cyber security auditing and planning.
Figure: the eight CIP standards, with standards 1–6 as pre-event measures and standards 7–8 as post-event responses to a cyber event.
In 2016, FERC directed NERC to develop and support modifications to address the cyber security of the
bulk electric system, and to improve upon the current CIP standards. These modifications apply to the
first six “pre-event” standards. These upgrades include: requiring large utilities to conduct cyber security
training at least once a quarter; and to deploy two or more physical access controls outside their security
perimeters. The updated standards are designed to reduce the risks to bulk electric systems and
equipment. The updated standards require utilities to close unused networking ports, and to develop
policy for information storage and clearing out old information. Additional clarification includes:
Protection of transient electronic devices used at low-impact bulk electric system cyber systems.
Protection for communication network components between control centers.
Refinement of the definition for low-impact external routable connectivity.
Study of the effectiveness of the CIP remote access controls, the risks posed by remote access-related threats and vulnerabilities, and appropriate mitigating controls.
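The updated standards above require utilities to close unused networking ports. The following is an added example, not Systrends code and not text from any CIP standard, showing one way a defender can verify that requirement on a host: parse the live listening sockets and compare them against a documented per-asset baseline. The socket listing is constructed in the shape of `ss -Hltnp` output (an assumed format), and the baseline allowlist is hypothetical.

```python
"""
Listening-port baseline check (added illustration, not Systrends code).

Compares what is actually listening on a host against a documented
per-asset baseline, so that undocumented or unused services can be closed
and documented services that have gone missing can be investigated.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -Hltnp` output for one asset.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1040,fd=5))
LISTEN 0 50 0.0.0.0:502 0.0.0.0:* users:(("modbus-gw",pid=1301,fd=7))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=600,fd=4))
LISTEN 0 128 [::]:8080 [::]:* users:(("java",pid=2210,fd=12))
"""

# Hypothetical documented baseline for this asset: port -> expected process.
BASELINE = {22: "sshd", 502: "modbus-gw"}

# Loopback-only listeners are not reachable across the electronic security
# perimeter, so they are reported at a lower severity than externally bound ones.
LOOPBACK = {"127.0.0.1", "::1"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> list[Listener]:
    """Parse ss-style LISTEN lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # local address:port
        match = PROC_RE.search(line)
        listeners.append(Listener(addr.strip("[]"), int(port),
                                  match.group(1) if match else "unknown"))
    return listeners


def audit(listeners: list[Listener], baseline: dict[int, str]) -> list[tuple]:
    """Return (severity, port, message) findings, most severe first.

    Three conditions are reported: a port not in the baseline (an unused or
    undocumented service), a baseline port served by an unexpected process,
    and a baseline service that is not listening at all.
    """
    findings = []
    for l in listeners:
        expected = baseline.get(l.port)
        if expected is None:
            sev = "info" if l.addr in LOOPBACK else "high"
            findings.append((sev, l.port, f"unexpected listener: {l.process}"))
        elif expected != l.process:
            findings.append(("high", l.port, f"expected {expected}, found {l.process}"))
    seen = {l.port for l in listeners}
    for port in sorted(set(baseline) - seen):
        findings.append(("medium", port, f"baseline service {baseline[port]} not listening"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for sev, port, msg in audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE):
        print(f"[{sev:6}] port {port}: {msg}")
```

On the constructed sample the check flags telnet (port 23) and the web listener on 8080 as high-severity deviations from the baseline, and the loopback-only database as informational. Feeding it the real `ss` output of each categorized asset, with a baseline per asset, turns the "close unused ports" requirement into a repeatable, auditable control.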
FERC expressed concerns that changes in the bulk electric system cyber threat landscape, identified
through recent malware targeting supply chain vendors, have highlighted a gap in the protections
covered by the standards. FERC comments that the updated standards are designed to mitigate the cyber
security risks to bulk electric system facilities and equipment which—if destroyed, degraded, or
otherwise rendered unavailable as a result of a cyber security incident—would affect the reliable
operation of the U.S. power grid.
Department of Energy Cybersecurity Framework Implementation Guidance
The U.S. Department of Energy (DOE) worked with the Electricity Subsector and Oil & Natural Gas Subsector Coordinating Councils to develop cyber security implementation guidelines. The DOE Cybersecurity Framework Implementation Guidance recommendations were published in 2015 as a tool to help energy sector organizations:
Characterize their current cyber security profile.
Identify gaps in their current cyber security program.
Recognize the tools, standards, and guidelines needed to support the Framework.
Demonstrate and communicate their approach and use of the Framework to internal and external stakeholders.
The Framework recommends FERC/NERC Critical Infrastructure Protection (CIP) Standards as a cyber
security approach that aligns with and should be used with the Framework.
The three main components of the DOE Framework are the Core, the Tiers, and the Profile.
1. Core—a set of cyber security activities, desired outcomes, and applicable information that are common to organizations in the energy sector.
2. Tiers—describe an organization’s cyber security risk and readiness, and the processes in place to manage that risk. Tiers range from 1 (Partial: incomplete) to 4 (Adaptive: ready to implement, in place).
3. Profile—coordinates the Core with business requirements, risk tolerance, and organizational resources. Profiles can include a current Profile and a desired target Profile.
Ideally, the Framework components provide a way for energy organizations to map their existing cyber security and risk management approaches. This mapping process should:
Identify gaps between the outcomes achieved by the organization’s approach and the outcomes defined in the Framework Core and the organization’s desired Tier and Profile.
Identify areas where the organization’s approach is equal to or greater than Framework recommendations.
The DOE recommends that a standard project planning and management approach be used to implement the Framework, such as the seven steps illustrated here.
Figure: DOE Cyber Security Framework Implementation Project Guidelines (seven-step project plan).
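The two mapping steps just listed can be carried out mechanically once the current and target Profiles are written down per Core category with a Tier rating. The following is an added example, not DOE or Systrends code: it models the Core, Tiers (1 = Partial to 4 = Adaptive, as above) and Profiles, reports the gaps with the largest tier shortfall first, and separately lists the categories already at or above target. The category names (the five NIST Cybersecurity Framework functions, assumed here as the Core) and the tier ratings are constructed sample data.

```python
"""
Current-vs-target Profile gap analysis (added illustration, not DOE or
Systrends code). Implements the two mapping steps: find gaps between the
current and target Profile per Core category, and find categories where the
organization already meets or exceeds the target.
"""
from dataclasses import dataclass

TIER_MIN, TIER_MAX = 1, 4   # 1 = Partial, 4 = Adaptive


@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int

    @property
    def shortfall(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> str:
        # Two or more tiers short is treated as high priority (a constructed rule).
        return "high" if self.shortfall >= 2 else "medium"


def _check_tier(tier: int, category: str) -> None:
    if not TIER_MIN <= tier <= TIER_MAX:
        raise ValueError(f"{category}: tier {tier} outside {TIER_MIN}..{TIER_MAX}")


def gap_analysis(current: dict[str, int], target: dict[str, int]):
    """Map a current Profile onto a target Profile.

    Returns (gaps, at_or_above): categories where the current tier is below
    the target, largest shortfall first, and categories already at or above it.
    A Core category missing from the current Profile is treated as Tier 1
    (Partial), since an undocumented outcome cannot be claimed at a higher tier.
    """
    gaps, at_or_above = [], []
    for category, tgt in target.items():
        cur = current.get(category, TIER_MIN)
        _check_tier(cur, category)
        _check_tier(tgt, category)
        if cur >= tgt:
            at_or_above.append(category)
        else:
            gaps.append(Gap(category, cur, tgt))
    gaps.sort(key=lambda g: (-g.shortfall, g.category))
    return gaps, sorted(at_or_above)


# Constructed sample Profiles. The categories are the NIST Cybersecurity
# Framework functions, assumed here as the Core; the page does not list them.
CURRENT_PROFILE = {"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 2}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 4}

if __name__ == "__main__":
    gaps, ok = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"{g.priority:6} {g.category}: Tier {g.current} -> Tier {g.target}")
    print("at or above target:", ", ".join(ok))
```

Treating an unmapped category as Tier 1 is the conservative choice: it forces the gap to surface in the report rather than silently crediting an outcome nobody has documented.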
Cyber Security Expertise and Certification
When determining how to approach your current cyber security profile—and the steps necessary to
achieve your organization’s desired/optimum cyber security profile—it’s essential to call upon a company
and a consultant who have expertise in the applicable cyber security methodologies. There are two
leading organizations that provide in-depth cyber security training and certification: ISACA and (ISC)2.
ISACA—CISA, CISM
ISACA®, the Information Systems Audit and Control Association, is a global nonprofit association that
represents information systems’ audit, IT governance, risk management, and cyber security professions.
ISACA offers industry-leading knowledge, standards, credentials, and ongoing education. ISACA provides
the knowledge and standards for cyber professionals to apply tools and technology to address threats,
drive innovation, and create positive momentum in the world of cyber management and security. ISACA
has developed and administers industry-leading certifications, including the CISA®—Certified Information
Systems Auditor®, and the CISM®—Certified Information Security Manager®.
The CISA—Certified Information Systems Auditor is a globally-recognized designation for experienced IS audit, control, and security professionals. It is the standard for professionals who audit, control, monitor, and assess information technology and business systems. A CISA professional has the expertise to assess vulnerabilities, report on compliance, and institute controls. CISA auditors:
Perform rigorous audits on an organization’s information technology, including all applicable systems and processes.
Determine whether an organization’s IT procedures and controls meet regulatory standards.
Report on IT governance, the ongoing process of aligning information technology goals with strategic business objectives.
The CISA has five knowledge domains:
1. Audit of information systems.
2. Governance and management of IT.
3. Information systems acquisition, development, and implementation.
4. Information systems operation, maintenance, and support.
5. Protection of information assets.
The CISM—Certified Information Security Manager is a cutting-edge
designation for expert leaders who manage an organization’s information
security. It is a high-level standard for professionals who manage an
enterprise’s information security program, information risk, disaster
planning, business continuity, and enterprise security architecture. CISM
certification provides a common body of knowledge for information security management, focuses on
risk management, covers information security governance, and includes incident identification and
management. The CISM sees information security as a function inside corporate governance.
CISM managers:
Identify critical information security issues.
Customize company-specific practices to support information governance.
Provide a comprehensive view of information security management and its relationship to the broader organization, and its goals and objectives.
Certify information security and credibility of the enterprise.
The CISM has four knowledge domains:
1. Information security governance.
2. Information risk management and compliance.
3. Information security program development and management.
4. Information security incident management.
(ISC)2—CISSP
(ISC)2®, originally known as the International Information Systems Security Certification Consortium,
is an international nonprofit membership association focused on inspiring a safe and secure cyber world.
The organization emphasizes information security education, and is known for the acclaimed CISSP®—
Certified Information Systems Security Professional. (ISC)2 offers a portfolio of credentials that show a
holistic, programmatic approach to security. The membership is made up of certified cyber, information,
software, and infrastructure security professionals.
The CISSP—Certified Information Systems Security
Professional was the first information security credential to
meet stringent ISO Standard 17024. It is a vendor-neutral
certification that reflects technical and managerial
competence, skills, experience, and credibility to design,
engineer, implement, and manage information security
programs. This certification draws from a comprehensive,
global body of knowledge that ensures a deep knowledge of threats, technologies, regulations,
standards, and practices.
The CISSP has eight knowledge domains:
1. Security and risk management.
2. Asset security.
3. Security engineering.
4. Communications and network security.
5. Identity and access management.
6. Security assessment and testing.
7. Security operations.
8. Software development security.
Components of a Cyber Security Project
The components—documents/deliverables, controls, and processes—of a comprehensive cyber security project are discussed in this section. These components are consistent with ISACA®, (ISC)2®, FERC, and DOE criteria.
Cyber Security Project
A cyber security project should have all the hallmarks of a robust project effort, along with strong cyber
security knowledge and insight.
1. The cyber security project must be well planned—with a clear goal/objective, defined scope (what’s to be covered; what is not included), and the granular steps/work plan which will satisfy the goal.
2. The project process continues the plan by taking the high level into more detail, via deliverables such as the work program, a controls questionnaire/checklist, and test scripts. The process executes the tasks and documents them via these deliverables.
3. The project process is reported to the client in regular intervals and upon completion. The findings are compared to the plan and its documented requirements. There may be iterations if additional testing is needed and/or there are open requirements. A report is drafted and reviewed; and a final report is created upon agreement by the cyber security team and the client.
Cyber Security PLAN: Objective; Scope; Procedures.
Cyber Security PROCESS: Controls; Risk Assessment; Testing/Validation.
Cyber Security REPORT: Findings/Requirements; Report Draft/Review; Report Issuance.
Cyber Security Controls
As part of the cyber security process, controls (policies, standards, procedures) should be documented
and verified, via a checklist. This process demonstrates the actual cyber security state of an organization,
and identifies the issues that place the entity at risk. Controls should be documented in the following
areas:
Personnel security.
Physical security.
Account and password management.
Confidentiality of sensitive data.
Disaster recovery.
Security awareness and education.
Compliance and audit.
Cyber Security Threats and Vulnerability
Threats and vulnerability can be assessed using a checklist that assigns a risk factor to each
segment/category:
Natural threats.
Environmental threats.
Human threats: abuse, sabotage/vandalism, fraud, negligence/error.
Integrity/accuracy threats.
Access control threats.
Repudiation threats.
Legal threats.
Service threats.
Cyber Security Report
The cyber security report develops as the project progresses and the organizational, control, and
threats/vulnerability information is gathered and evaluated. The report includes elements of the project
plan, and shows that the audit effort supported the objectives. In general, the cyber security report
includes:
Objective.
Scope.
Schedule.
Methodology.
Laws, regulations, and client’s security policy.
Asset identification—tangible and intangible.
Current state of information security.
Findings, risks, and recommendations:
Security policy.
Organization of information security.
Asset management.
Human resources security.
Physical and environmental security.
Communications and operations management.
Access control.
Information systems acquisition, development, and maintenance.
Information security incident management
Business continuity management.
Compliance—laws, regulations, policy.
Prioritization of recommendations:
High risk.
Medium risk.
Low risk.
Management action plan—agreed action, responsibility for implementation, date, status.
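The threat checklist, the controls checklist and the report's High/Medium/Low prioritization fit together as one calculation: each threat category gets a risk factor, and a control from the controls checklist reduces that risk only when it has been both documented and verified. The following is an added example, not Systrends' project methodology code, that carries that through to the prioritized findings and the management action plan entries. The likelihood and impact values, the 1 to 9 scoring scale, the High/Medium/Low thresholds and the one-point-per-control reduction are all constructed for illustration; the control areas and threat categories are taken from the checklists above.

```python
"""
Threat checklist to prioritized findings (added illustration, not Systrends
code). Credits a mitigating control only when it is documented AND verified,
then bands residual risk into the report's High/Medium/Low priorities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    area: str
    documented: bool
    verified: bool

    @property
    def effective(self) -> bool:
        # A control that is documented but never verified gets no credit.
        return self.documented and self.verified


@dataclass(frozen=True)
class Threat:
    category: str
    likelihood: int            # 1 = low .. 3 = high (constructed scale)
    impact: int                # 1 = low .. 3 = high (constructed scale)
    mitigating: tuple = ()     # control areas expected to reduce this threat


def rate(score: int) -> str:
    """Map a 1..9 score onto the report's High/Medium/Low bands (constructed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def residual_score(threat: Threat, controls: dict) -> tuple:
    """Inherent score is likelihood x impact; each effective mitigating control
    lowers it by one point, never below 1. Returns (score, gaps), where gaps
    lists the mitigating controls that are missing, undocumented or unverified."""
    inherent = threat.likelihood * threat.impact
    gaps = [a for a in threat.mitigating
            if a not in controls or not controls[a].effective]
    effective = len(threat.mitigating) - len(gaps)
    return max(1, inherent - effective), gaps


def prioritize(threats, controls):
    """Build the prioritized findings list for the report, highest residual risk first."""
    rows = []
    for t in threats:
        score, gaps = residual_score(t, controls)
        rows.append({
            "category": t.category,
            "inherent": rate(t.likelihood * t.impact),
            "residual": score,
            "rating": rate(score),
            # Management action plan entry: what still has to be documented and verified.
            "action": ("document and verify: " + "; ".join(gaps)) if gaps else "maintain",
        })
    rows.sort(key=lambda r: (-r["residual"], r["category"]))
    return rows


# Constructed sample controls checklist (areas from the controls list above).
CONTROLS = {c.area: c for c in [
    Control("Account and password management", True, True),
    Control("Physical security", True, False),
    Control("Disaster recovery", False, False),
    Control("Security awareness and education", True, True),
]}

# Constructed sample threat checklist entries (categories from the threat list above).
THREATS = [
    Threat("Access control threats", 3, 3,
           ("Account and password management", "Physical security")),
    Threat("Human threats (fraud, negligence/error)", 2, 3,
           ("Security awareness and education", "Account and password management")),
    Threat("Service threats", 2, 3, ("Disaster recovery",)),
    Threat("Natural threats", 1, 3, ("Disaster recovery",)),
    Threat("Legal threats", 1, 2),
]

if __name__ == "__main__":
    for r in prioritize(THREATS, CONTROLS):
        print(f"{r['rating']:6} ({r['residual']}) {r['category']}: {r['action']}")
```

The point the sample makes is that a control which exists on paper but was never tested (physical security here) leaves the threat it is supposed to cover at High, and the action plan names exactly which control to verify; that is the link between the controls checklist and the report's prioritized recommendations.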
Systrends Cyber Security Credentials
Over the last three years, Systrends has been actively pursuing cyber security certifications, knowledge,
expertise, and organizational involvement.
David Darnell has obtained the three top (ISC)2® and ISACA® certifications (see below). Systrends staff are now studying for/pursuing these classes and accreditations.
The Systrends Service Bureau has SOC 1 SSAE 16 Type II certification. Systrends was awarded this high-level designation through an in-depth audit that certified Systrends cloud services, secure hosting, and the comprehensive Systrends Service Bureau.
In partnership with three top cyber security software entities—AlienVault®, Tripwire®, and ZeroFOX®—Systrends can offer solid technical solutions for our energy customers’ cyber security requirements. And our project management experience and expertise will guide you through the administrative, organizational, operational, and technical processes.
David Darnell is the incoming Chapter Meetings Director for the ISACA® Phoenix Chapter; and Systrends staff are participating in this organization. Dave is also championing an Open Threat Intelligence (OTX) community for the energy sector; to keep users up-to-date on current cyber issues.
Systrends Cyber Security Certifications
Through education and stringent examinations, David Darnell, Systrends CEO and Owner/Founder, has
been awarded the following certifications; and Systrends has been accorded the SOC 1
SSAE 16 Type II audit designation.
CISA® (Certified Information Systems Auditor®): administered by ISACA®, the CISA is a
globally respected designation for expertise in information systems auditing; IT governance and
management; information systems acquisition, development, implementation, operations,
maintenance, and support; and protection of information assets. A CISA performs rigorous
audits of an entity's systems and processes, determines whether information technology procedures and
controls meet regulatory standards, and reports on security governance.
CISM® (Certified Information Security Manager®): administered by ISACA®, the CISM
bridges auditing and a broader, enterprise-level security management perspective. A
CISM identifies critical issues, tailors company-specific practices to support information
security governance, analyzes security management in relation to the organization's
larger goals, ensures that the security program and those goals are aligned, and manages the
enterprise's overall information security program.
CISSP® (Certified Information Systems Security Professional): backed by (ISC)2®, the CISSP
was one of the first credentials in information security and remains among the most widely
recognized. It demonstrates in-depth expertise across security and risk management; asset
security; security engineering; communications and network security; identity and access
management; security assessment and testing; security operations; and software development security.
SOC 1 SSAE 16 Type II (AICPA Service Organization Controls report under Statement on Standards for
Attestation Engagements No. 16): SSAE 16 is an attestation standard, issued by the Auditing
Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), that
governs engagements in which a service auditor reports on a service organization's controls. A
SOC 1 report covers controls relevant to user entities' financial reporting, and a Type II report tests
that those controls operated effectively over a review period rather than only being suitably designed at
a point in time. Systrends received this designation through an in-depth audit covering
Systrends cloud services, secure hosting, and the comprehensive Systrends Service Bureau.
Systrends Cyber Security Project Methodology
Systrends principals and staff have 18 years' project management experience in the energy industry.
The intensive study and conditions required to obtain the three cyber security auditing/management
certifications described above have added significantly to our skill set. Our project
management methodology supports and includes:
The eight Critical Infrastructure Protection (CIP) Standards developed by NERC and approved by FERC;
The NIST Cybersecurity Framework (Core, Implementation Tiers, and Profiles), as applied to the sector through DOE's Energy Sector Cybersecurity Framework Implementation Guidance;
Project methodology recommended by FERC, DOE, and the cross-industry ISACA and (ISC)2 cyber security governing/certification bodies; and
Project management knowledge obtained through participation and study with PMI, the Project Management Institute.
The main components of the Systrends cyber security project (as outlined in detail in the previous section
of this report) are:
1. Plan—objective, scope, procedures.
2. Process—controls, risk assessment, testing/validation.
3. Report—findings/requirements, report draft/review, report issuance.
A Systrends cyber security project provides a systems security baseline. This baseline (i.e., your current
cyber security status) serves as the starting point for developing a cyber security strategy that complies
with the FERC-approved NERC CIP standards, that protects your organization, and that supports your
organization's greater business goals.
Systrends cyber security service:
Provides certified expertise, and takes the cyber security evaluation burden off internal staff.
Establishes your current cyber security baseline, the starting point for developing a cyber security strategy.
Manages the project scope, and makes sure all systems and people are identified and evaluated.
Identifies all system users (internal and external), their practices, and their access to information.
Determines the risk category (High, Medium, or Low) of the assets and systems that make up your infrastructure.
Documents, updates, and organizes your cyber security policy and procedures; trains your staff to keep controls and policies current.
Ensures your organization's compliance with FERC/NERC, DOE, marketplace, and internal standards.
Protects your organization and infrastructure from cyber threats by ensuring that the right physical, administrative, operational, and technological security controls are in place.
Systrends Cyber Security Software Partners
After extensive research and evaluation, Systrends has partnered with three best-of-breed cyber security
software vendors: AlienVault®, Tripwire®, and ZeroFOX®. These relationships, and the accompanying
expertise and support, complete our cyber security package and give our offering a solid edge over our
competitors.
AlienVault® Managed Security Service Provider
Systrends is an AlienVault® MSSP (Managed Security Service Provider). As such, we are authorized to
offer the AlienVault Unified Security Management™ (USM) software package.
AlienVault USM is an all-in-one platform designed and priced to ensure that mid-market
organizations can effectively defend themselves against today's advanced threats.
The AlienVault Unified Security Management (USM) platform provides five essential security
capabilities in a single console to manage both compliance and threats:
1. Asset discovery: finds all assets on your network via active network scanning, passive network monitoring, asset inventory, and software inventory.
2. Behavioral monitoring: identifies suspicious behavior and potentially compromised systems using network analysis, service availability monitoring, and full packet capture.
3. Vulnerability assessment: identifies systems on your network that are vulnerable to exploits through network vulnerability testing and continuous vulnerability monitoring.
4. SIEM (Security Information and Event Management): analyzes event data across your network through log management, event correlation, incident response, and reporting and alarms.
5. Intrusion detection: detects malicious traffic on your network with network IDS (Intrusion Detection System) and host IDS.
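To make the SIEM capability concrete (the "log management" and "event correlation" steps above), the following Python script is an added illustration written for this page, not AlienVault code. It normalizes a handful of constructed sshd-style log lines into events, then applies one correlation rule: several failed logins from one source followed by a successful login from the same source inside a time window. The log format, the threshold and window values, and the IP addresses are assumptions made for the example.

```python
"""Minimal SIEM-style correlation: normalize log lines, then alarm when a
source fails >= threshold logins within window_s seconds and then succeeds.
Added example, not AlienVault code; the sample log below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a password-guessing run from 10.1.20.5 that ends in a
# successful login, plus benign activity from 10.1.30.9.
SAMPLE_LOG = """\
2016-11-17T08:00:01 sshd[1201]: Failed password for operator from 10.1.20.5 port 51234
2016-11-17T08:00:04 sshd[1201]: Failed password for operator from 10.1.20.5 port 51235
2016-11-17T08:00:07 sshd[1201]: Failed password for admin from 10.1.20.5 port 51236
2016-11-17T08:00:09 sshd[1201]: Failed password for admin from 10.1.20.5 port 51237
2016-11-17T08:00:12 sshd[1201]: Accepted password for admin from 10.1.20.5 port 51238
2016-11-17T08:05:00 sshd[1340]: Failed password for dave from 10.1.30.9 port 40000
2016-11-17T08:30:00 sshd[1355]: Accepted publickey for dave from 10.1.30.9 port 40010
"""

# Assumed line layout: ISO timestamp, sshd tag, result, method, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(log_text):
    """Log management step: turn raw lines into normalized event dicts.
    Lines that do not match are skipped (a real pipeline would route them
    to a parse-failure queue rather than silently dropping them)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def correlate_bruteforce_success(events, threshold=3, window_s=60):
    """Correlation rule: >= threshold failures from one source within
    window_s seconds, followed by a success from that source inside the
    window. Returns one alarm per qualifying success."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # expire failures that fell out of the sliding window
        failures[src] = [t for t in failures[src]
                         if (ev["ts"] - t).total_seconds() <= window_s]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
        elif len(failures[src]) >= threshold:
            alarms.append({
                "src": src,
                "user": ev["user"],
                "failures": len(failures[src]),
                "at": ev["ts"].isoformat(),
            })
            failures[src].clear()  # do not re-alarm on the same burst
    return alarms


if __name__ == "__main__":
    for alarm in correlate_bruteforce_success(parse(SAMPLE_LOG)):
        print(alarm)
```

Run as-is it emits a single alarm for 10.1.20.5 (four failures, then success as `admin`) and stays silent for 10.1.30.9, whose one failure is long outside the window by the time the key-based login arrives. The same shape (normalize, keep per-key state, expire by window, alarm on a sequence) is what a production SIEM rule does across many sources at once.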
Tripwire® Value Added Reseller
Systrends is a Tripwire® Value Added Reseller. As such, we are authorized to offer their software suite that is specifically
designed for the energy industry. The Tripwire NERC Solution Suite provides a comprehensive solution for NERC CIP compliance by offering a tailored combination of standard products, which includes Tripwire Enterprise™ (security configuration management), Tripwire IP360™ (vulnerability management), Tripwire Log Center™ (intelligent event logging), and NERC-specific extensions.
The Tripwire solution enables energy companies to achieve and maintain NERC compliance by:
1. Asset Discovery: scans your network and auto-discovers the assets you have. Saves hours of manual effort and increases trust in the identification of systems and software in your environment.
2. Continuous Monitoring: collects detailed status information on all your critical cyber assets and immediately detects any changes.
3. Automated Assessment: aggregates and analyzes your security data. Provides alerts on suspicious events or modifications that affect your compliance status.
4. Audit-Ready Evidence: generates reports and dashboards that fully document, by CIP requirement, your compliance with security controls and processes.
The center of the Tripwire NERC Solution Suite is Tripwire Enterprise™, an SCM (Security Configuration Management) suite that provides a fully integrated solution for policy, file integrity, and remediation management. The solution provides a solid strategy for:
Prevention (protect/detect): adapting to and prioritizing threats and configuration deviations, to maintain a consistently hardened and objective view of overall security posture across all devices and systems.
Detection (detect/discover): of cyber threats and possible breach activity, by highlighting possible indicators of compromise.
Response (discover/correct): to deviations, with high-value, low-volume alerts and with guidance on how to return the system to a secure state.
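To show what the file-integrity part of security configuration management does at its core (record the state of critical files, detect any change, report it), here is a small Python example written for this page; it is not Tripwire code. It hashes a constructed directory tree into a baseline, applies simulated unauthorized changes (a config edit, a setuid bit added to a binary, a new file, a deleted file), and reports what differs. Every file name and file content is invented for the demonstration.

```python
"""File integrity monitoring in miniature: build a baseline of SHA-256
hashes and permission bits for a tree, then diff a later snapshot against
it. Added example, not Tripwire code; the files are constructed in a
temporary directory so it runs offline."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, POSIX separators) to its
    hash and full permission bits. Masking with 0o7777 keeps setuid/setgid/
    sticky bits, so a privilege-escalating chmod shows up as a change.
    A production tool would also record owner, size and mtime."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return baseline


def diff_baseline(old, new):
    """Compare two baselines; returns sorted added / removed / modified paths."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "relay").write_bytes(b"\x7fELF-constructed-sample")
        before = build_baseline(root)

        # Simulated unauthorized changes after the baseline was taken.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # content edit
        (root / "bin" / "relay").chmod(0o4755)                              # setuid added
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF-constructed-2")   # new file
        (root / "etc" / "hosts").unlink()                                   # deletion
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The diff reports `bin/backdoor` as added, `etc/hosts` as removed, and both `bin/relay` (permissions) and `etc/sshd_config` (content) as modified. Two points matter in practice: the baseline must itself be stored somewhere the monitored host cannot rewrite, or an attacker who gains root simply re-baselines; and the comparison should run on a schedule or on filesystem events, since a one-off check only tells you about changes that happened before it ran.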
ZeroFOX® Value Added Reseller
Systrends is a ZeroFOX® Value Added Reseller. As such, we are authorized to offer the ZeroFOX Platform™
software package, which targets cyber threats originating from social media.
The ZeroFOX Platform™ continuously monitors social media for security risks and business threats
targeting employees, customers, and organizations. Using intelligent data collection and an automated,
scriptable analysis engine, the platform automatically identifies and remediates impersonator accounts,
phishing attacks, fraud, customer scams, and exposed PII (Personally Identifiable Information). The
ZeroFOX platform is top-ranked in Digital Risk Monitoring.
The ZeroFOX Platform™ provides an easy-to-deploy, cloud-based solution for visibility into dynamic social
media risks. Using intelligent data collection and automation, ZeroFOX analyzes data at the speed and
scale of social media. The five key steps are:
1. Define what's important by collecting targeted data into Entities.
2. Create policy using FoxScript™ or custom rules.
3. Monitor social channels continuously as posts and profiles change in the social media landscape.
4. Alert on risks automatically, and in real time, as the platform identifies risks across social networks.
5. Take down malicious content that violates the networks' terms and policies.
The ZeroFOX Platform™:
Finds and takes down fraudulent and impersonating accounts.
Mitigates customer fraud and scams.
Uncovers stolen information, pirated content, counterfeit goods, and attacks being planned.
Continuously monitors key employee and company accounts for compromise.
Identifies targeted phishing attacks.
Integrates via open APIs (Application Programming Interfaces) into existing security technology to leverage investments.
Supports custom FoxScripts to detect unique risks.
Remediates risks using automated takedowns, with a success rate ZeroFOX reports as 99.8%.
Systrends Background
Systrends has been a partner and provider to the energy industry for over 18 years. We are an
information systems company that provides a wide range of software and services for customer
information management (enrollment, billing, metering, and a comprehensive software suite);
compliance management (tariff filing and management, regulatory reporting, internal compliance); and
cyber security (FERC/NERC CIP auditing, consulting, and software). We currently have over 100 active
energy industry customers.
Consulting/Project Management
The core of Systrends' business is its project management and consulting. The rest of our business, our software offerings and our service bureau services, was a direct result of successful consulting and project management by our principals and staff. These consulting projects included:
SRP Secure Internet EDI—Systrends managed an on-site project at SRP (Salt River Project) which developed and integrated a secure Internet B2B CIS system. This system (live in January of 1999) was the first production Internet EDI system implemented by a deregulated electric utility in North America.
ERCOT FTP Replacement—Systrends developed and managed the ERCOT (Electric Reliability Council of Texas) project to replace their existing B2B patchwork system with a cohesive B2B software platform. Systrends consultants performed all project management, software design, software development, application integration, and systems implementation functions relating to ERCOT’s B2B infrastructure.
Ontario EBT Hub and Spoke—Systrends developed standards and software to meet all Ontario EBT (Electronic Business Transaction) requirements. Systrends represented Hydro One and Toronto Hydro with the Ontario Energy Board (OEB); XML was approved and implemented as the standard. Ontario became the first energy deregulated marketplace to utilize XML.
Ireland ESB B2B—Systrends provided Ireland’s ESB (Electricity Supply Board) with IT consulting for the design and development of a secure Internet B2B framework for the Irish wholesale electricity market. Structured interviewing and extensive research and analysis were used to develop the requirements for this market implementation plan and execution.
eTariff Design and Development—Systrends was the selected vendor, and led the resulting project, to develop software to meet FERC’s electronic tariff filing requirement. This project included ISO New England, PJM (Pennsylvania, New Jersey, Maryland), New York ISO, and SPP (Southwest Power Pool); and developed the requirements for a system to satisfy FERC requirements while tailoring it to the ISO’s requirements.
Transaction Management/B2B
Our projects for the energy industry started with EDI, NAESB EDI, and XML transaction standards for
deregulating markets in the U.S., in Canada, and in Europe—standards consulting, development,
documentation, and implementation. From this body of experience, we developed capabilities and
software:
Billing CIS—our T2CIS™ software—for bill-ready, rate-ready, utility and supplier consolidated billing; it supports full EDI, XML, and proprietary energy market transactions. It works with our other T2 offerings for full market data integration.
B2B and EDI—our T2 Enterprise™ software suite—includes customer information and transaction management for enrollment, metering, and billing, in regulated and deregulated markets. It provides complex data integration, tracking, and distribution; and manages complex data streams, from mapping and data control to distribution and auditing.
FERC Filing Solutions
When FERC (eTariff Order 714) mandated that electric utilities file tariffs electronically via XML, Systrends
worked with the Independent System Operator consortium (ISO New England, New York ISO, PJM, and
SPP) to determine and document the requirements. And we developed software to satisfy and manage
this order and subsequent compliance conditions:
Tariff Management—our eTariffManager™ software suite—for regulatory adherence, filing, tracking, reporting, and archival; it manages tariffs, service agreements, and rate schedules along with related documents.
Report Management—our eFileEQR™ software—is a complete solution for filing FERC Electronic Quarterly Reports; it provides validation, compliance, fast submission, and complete document management.
Compliance—our ComplianceManager™ software—is a web-based GRC (Governance, Risk, and Compliance) solution that incorporates and manages regulatory and related governing documents with internal and corporate compliance materials.
Service Bureau/Cloud Services
Systrends software offerings can be hosted on the Systrends Service Bureau, which provides security, scalability, and an SSAE 16 SOC 1 Type II attestation. Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA); it covers engagements in which a service auditor reports on a service organization's controls. Systrends received this designation through an in-depth audit covering Systrends cloud services, secure hosting, and the comprehensive service bureau. We have successfully operated our secure service bureau for over 10 years. We also operated a successful service bureau for our Canadian energy customers, which was sold in 2009.
Cyber Security for Your Organization—Next Steps
We hope that this white paper report has given you an overview of the cyber security challenges facing
the energy sector, and practical solutions for addressing them. Our goal in presenting this information is
to:
1. Educate and inform our customers and colleagues;
2. Present cyber security project methodology and alternatives; and
3. Explain cyber security regulations, certifications, and systems.
Successful energy business operation and systems management require constant cost/benefit evaluation;
and preparing for “possibilities” is often difficult to authorize, to plan, to fund, to schedule. But, however
the facts are presented, the cyber security threat is here and it is real. The three irrefutable points to take
from this document, and discuss with your management and staff are:
The interconnectivity of the energy industry (generation, transmission, distribution, delivery) leaves the grid system vulnerable to cyber attack because of multiple systems and entry points.
Internet access—that provides convenience and access to employees, partners/colleagues, and consumers—has opened a door that will remain open and must be carefully watched.
Information, preparation, and commitment are necessary at all points along the network—and within all levels of each organization—to protect this vital operation and service.
Systrends wants to work with you to prepare and secure your organization, your systems, and your
people. A Systrends cyber security project can address and answer the questions asked at the beginning
of this white paper—
The security risk category of each system in your infrastructure has been evaluated and categorized as High, Medium, or Low.
Security controls for these systems have been defined and documented.
The people managing and operating these systems have been identified; they have been an integral part of the project and of the ongoing process. They are thoroughly trained.
Internal and external users are now identified; how they access the system is understood and documented. Access has been updated and/or changed as necessary.
System controls are documented. Training has been conducted so that responsible parties understand the update process for documentation and ongoing training.
Additional software and service support alternatives have been selected and scheduled for implementation.
Senior management is apprised of results and internal and regulatory compliance.
In Ted Koppel’s Lights Out, Rudy Giuliani (the mayor of New York City on 9/11) talks about how
emergency personnel relentlessly practiced and prepared for lots of possible events, including dirty
bombs and a small nuclear attack, but they had not considered airplanes being used as missiles to bring
down buildings. However, Mr. Giuliani maintained that the act of preparing itself was “enormously
helpful” after the 9/11 attack. To this day, the former mayor believes “the more you prepare, the better
off you are going to be, even if you haven’t quite anticipated the thing that happens.”
Systrends looks forward to discussing this document, and your cyber security profile, with you and your
staff. The contact information for our principal consultants/owners is given below.
David Darnell, CEO and Owner/Founder
1001 E. Warner Road, Suite 102, Tempe, Arizona 85284
P 480-756-6777 Ext. 201
C 602-432-3353
[email protected]
https://www.linkedin.com/dave-darnell-53110
www.systrends.com
Peggy Darnell, President and Owner
1001 E. Warner Road, Suite 102, Tempe, Arizona 85284
P 480-897-8479
C 602-300-9481
[email protected]
https://www.linkedin.com/in/peggy-darnell-2485692b
www.systrends.com
Acronym Glossary
AICPA American Institute of Certified Public Accountants
APIs Application Programming Interfaces
ASB Auditing Standards Board
B2B Business-to-Business
CIP Critical Infrastructure Protection
CIS Customer Information System
CISA Certified Information Systems Auditor
CISM Certified Information Security Manager
CISSP Certified Information Systems Security Professional
DOE Department of Energy
EBT Electronic Business Transaction
EDI Electronic Data Interchange
EQR Electronic Quarterly Report
ERO Electric Reliability Organization
ESB Electricity Supply Board
FERC Federal Energy Regulatory Commission
GRC Governance, Risk, Compliance
IDS Intrusion Detection System
ISACA Information Systems Audit and Control Association
(ISC)2 International Information System Security Certification Consortium
ISO Independent System Operator
MSSP Managed Security Service Provider
NERC North American Electric Reliability Corporation
NIST National Institute of Standards and Technology
OTX Open Threat Exchange
PII Personally Identifiable Information
PMI Project Management Institute
RTO Regional Transmission Organization
SCM Security Configuration Management
SIEM Security Information and Event Management
SOC Service Organization Control
SSAE Statement on Standards for Attestation Engagements
XML Extensible Markup Language
Bibliography/Sources
“About (ISC)2.” Information Security Education & Certification Leader. (ISC)2. 2016. www.isc2.org.
November 2016.
“The Biggest Cybersecurity Threat: The Energy Sector.” Krancer, Michael. Forbes. November
2015. www.forbes.com. November 2016.
“Customer Information Security Audit Report.” Customer Information Security Audit Report. Safecoms. 18
January 2006. www.safecoms.com. November 2016.
“Energy Sector Cybersecurity Framework Implementation Guidance.” Energy Sector Cybersecurity
Framework Implementation Guidance. Office of Electricity Delivery & Energy Reliability.
www.energy.gov. November 2016.
“FERC Adopts Improvements to Critical Infrastructure Protection Standards.” News Release: January 21,
2016. FERC Federal Energy Regulatory Commission. 21 January 2016. www.ferc.gov. 17 Nov 2016.
“FERC Posts New Electric Utility Cybersecurity Standards.” Gross, Gary. MeriTalk, 26 January 2016.
www.meritalk.com. November 2016.
“Has the number of successful cyberattacks your organization has experienced increased in the past 12
months?” www.tripwire.com. November 2016.
“ISACA Fact Sheet.” ISACA Fact Sheet. ISACA. www.isaca.org . November 2016.
“An ISACA and RSA Conference Survey.” State of Cybersecurity Implications for 2016. ISACA.
www.isaca.org . November 2016.
Lights Out. Koppel, Ted. 2015. New York, New York. Broadway Books.
“News Recap: Energy Industry Concerned about Cyber Security.” CSID. 15 August 2014. www.csid.com. 1
November 2016.
“The Rising Tide of Cybersecurity Concern.” Blackhat USA 2016. Blackhat.com. July 2016. November
2016.
“SSAE 16 Definition.” NDB Accountants & Consultants. www.ssae16.org. November
2016.