Cybersecurity Policies
W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L
WECC Reliability & Security Workshop
San Diego, CA – October 23–24, 2018
True Story
A CIP-compliant cyber asset connected to the internet from a low-impact facility for the purpose of remotely accessing a capacitor bank was compromised by unauthorized internet users for seven months prior to discovery.
• Installed and forgotten
• Misidentified
• Ignored
• Hacked via brute force
• Exploited
• Advertised in Russia
• Ransomed
True Story (Happy Ending?)
The compromise was discovered before any additional systems were infected or any compromises to the reliability and security of the BPS were carried out.
Lessons learned:
• Maintain accurate inventories of all cyber assets & configurations
• Control and verify installations and configurations/upgrades
• Institute AAA controls
• Limit and control Internet connectivity for all cyber assets
• Provide awareness and training to personnel and contractors
• Re-evaluate processes and test everything… often
Keeping the Hackers at Bay
Start by developing a cybersecurity policy as the foundation of a comprehensive, multilayered cybersecurity program.
Agenda
• Security Goals and Objectives
• Cyber Security Program Overview
• Cyber Security Policies
– Categories, Types, Examples
• Group Activity #1
• Security Policy Elements
– CIP-003-6
• Group Activity #2
• Security Frameworks
– NIST
• Review
Primary Security Goals & Objectives
[Figure: CIA Triad (Confidentiality, Integrity, Availability) and its dependencies]
CIA Triad Principles
Confidentiality – Objects are protected from unauthorized access, use, or disclosure.
Integrity – Objects are intentionally modified only by authorized subjects.
Availability – Authorized subjects are granted timely and uninterrupted access to objects.
Dependencies:
– Confidentiality depends on Integrity
– Availability depends on Confidentiality & Integrity
Cybersecurity Program Pyramid
[Figure: Cybersecurity Program Pyramid – Procedure / Process / Policy]
Program Pyramid Elements
Policy – Defines the scope of security needed by the organization.
Process – Describes how the policy is implemented for specific groups of subjects and objects.
Procedure – Provides detailed, step-by-step actions necessary to implement a specific security control.
Security Policy – A Closer Look
• Overview of an organization’s security needs
• Defines the main security objectives
• Identifies major functional areas for security
• Used to:
– Define roles
– Assign responsibilities
– Outline enforcement processes
– Indicate compliance requirements
– Describe acceptable risk levels
Security Policy Categories
Regulatory/Legal – Industry or legal standards that are applicable to the organization.
Advisory – Acceptable behaviors/activities and consequences of violations.
Informative – Information/knowledge about a specific subject.
Regulatory and Legal Policies
A regulatory and legal policy defines requirements and legal obligations that govern an industry or are applicable to the organization.
Examples include:
• NERC CIP Standards
• Payment Card Industry Data Security Standard (PCI DSS)
• Sarbanes–Oxley (SOX) Act
• Insurance Requirements
• Business Contract and Service Level Agreements (SLA)
• Board of Directors’ Mandates
Advisory Policies
An advisory policy describes acceptable behaviors/activities and consequences of violations. Examples include:
• Company information disclosure
• Function/Job roles
• Use of organizational resources (e.g. Internet)
• Personal property used for business
• ID and access badge usage
• Authentication (managing passwords)
Informative Policies
An informative policy provides information/knowledge about a specific subject. Examples include:
• Mission/Vision statements
• Organizational goals
• Privacy
• Good neighbor policies
• Supply chain activities
• Incident management and reporting
Security Policy Types
Organizational – Issues relevant to every aspect of an organization (e.g. acceptable use policy).
Issue-Specific – Specific service, department, function, etc.
System-Specific – Individual systems or types of systems (e.g. hardware/software).
Roles vs. Individuals
Defining roles and groups for cybersecurity policies is preferable to specifying individuals.
Assign individuals to roles and groups separately.
Acceptable Use Policy
An acceptable use policy is specifically designed to assign security roles within the organization and apply security related responsibilities regarding acceptable use to those roles.
Group Activity #1
Individual – Refer to the lessons learned in our true story. Pick the most important two for your organization, or add your own (2 minutes):
– Maintain accurate inventories of all cyber assets & configurations
– Control and verify installations and configurations/upgrades
– Institute AAA controls
– Limit and control Internet connectivity for all cyber assets
– Provide awareness and training to personnel and contractors
– Re-evaluate processes and test everything… often
Table Discussion – Identify the top 3 lessons learned for the table and write a short policy to implement them (5 minutes)
Group Sharing – Share your policy and explain your choices
Analogy: Getting the kids in bed
Compliance Tasks:
• Get pj’s on
• Go to the Bathroom
• Get in Bed
Comprehensive Tasks:
• Take a bath
• Comb your hair
• Put lotion on
• Get pj’s on
• Go to the Bathroom
• Brush your teeth
• Read a story
• Sing a song
• Snuggles/hugs/kisses
• Get in Bed
Check-In
Policy Program
Policy Categories
Policy Types
Policy Elements
Policy Frameworks
Policy Elements
Beginning
• Purpose
• Scope
• Objectives
• Roles and Responsibilities
Middle
• Information Classification
• Access Management
• Network Management
• Vendor Management
• Awareness & Training
• Incident Management
End
• Audit/Test
• Disciplinary Action
• References
• Version History
Beginning
Purpose
– What’s the intent?
Scope
– What is included?
Objectives
– What are you hoping to accomplish?
Roles and Responsibilities
– Who is responsible for what?
Middle
Information Classification
– What information is most confidential and needs more protecting?
Access Management
– How will those who need the information obtain access?
Network Security
– How will you safeguard your network to ensure only those who need to be in are granted access?
Vendor Management
– Are you going to use third-party vendors? How will you ensure the work is completed well?
Awareness & Training
– How will individuals be trained for their responsibilities?
Incident Management
– How will you handle a security incident?
End
Audit/Test
– How will you verify the policy is being followed?
Disciplinary Action
– What will happen when the policy is not followed?
References
– What other resources need to be referenced?
Version History
– How has the policy changed over time?
CIP-003-6
• High and medium impact BCS:
– Personnel and training
– Electronic Security Perimeters including Interactive Remote Access
– Physical security of BCS
– System security management
– Incident reporting and response planning
– Recovery plans for BCS
– Configuration change management and vulnerability assessments
– Information protection
– Declaring and responding to CECs
• Low impact BCS:
– Cybersecurity awareness
– Physical security controls*
– Electronic access controls for LERC and Dial-up*
– Cybersecurity Incident response
*implementation by 01/01/2020
Group Activity #2
Instructions: Refer to Handout
Goal: Discussion Surrounding Cybersecurity Policy Elements.
1. Individual (5 min)
2. Table Discussion (10 min)
3. Group Sharing (5 min)
Ingredients
• Cybersecurity Policy
• Tools
• Training
• Knowledge
Security Frameworks
Information Technology Infrastructure Library (ITIL)
– Agency, UK government (Axelos)
National Institute of Standards and Technology (NIST)
– Agency, US government (Dept. of Commerce)
International Organization for Standardization (ISO; 27000 series)
– NGO, Geneva, Switzerland
Control Objectives for Information and Related Technology (COBIT)
– Nonprofit professional association, ISACA
NIST
May 2017 Executive Order 13800:
(ii) Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.
[Figure: NIST Cybersecurity Framework graphic. Credit: N. Hanacek/NIST]
Review
• Security Goals and Objectives: CIA Pyramid
• Cyber Security Program Overview: Policy Pyramid
• Cyber Security Policies
– Categories, Types, Examples
• Group Activity #1: Takeaways
• Security Policy Elements
– CIP-003-6
• Group Activity #2: Elements
• Security Frameworks
– NIST
Questions?
John Graminski, Tyler Whiting
Assignment
Your Assignment: Take these concepts back to your organization and use them to increase your security posture.
Benefit: An effective cybersecurity program, built on the foundation of a comprehensive cybersecurity policy, will help prevent malicious attacks.
References
• True Story: NERC Lessons Learned (LL20180701): https://www.nerc.com/pa/rrm/ea/Lessons%20Learned%20Document%20Library/LL20180701_Risk_of_Internet_Accessible_Cyber_Assets.pdf
• Hacker.jpg (graphic): https://nationalpost.com/news/world/after-three-baltic-countries-agree-to-disconnect-power-grids-from-russia-the-cyber-hackers-arrive
• CyberLock.jpg (graphic): https://www.bing.com/images/search?view=detailV2&ccid=vlfkqC1Z&id=9C2C77ADCB072C2C7009A293A726BC052E6D8D22&thid=OIP.vlfkqC1ZKgLcd9xqcqbEbQHaGE&mediaurl=https%3A%2F%2Fthumbs.dreamstime.com%2Fz%2Fcyber-security-21239657.jpg&exph=1065&expw=1300&q=Copyright+Free+Cyber+Security&simid=608056290957853785&selectedindex=1&ajaxhist=0&vt=DetailL2View&eim=1,2,6&sim=1
• CIA Triad: https://www.techrepublic.com/blog/it-security/the-cia-triad/
• Security policies and procedures: https://www.ok.gov/cio/documents/InfoSecPPG.pdf
• NIST.png (graphic): https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework
• Exec. Order No. 13800, 3 C.F.R. (2017). “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, Section 1(c)(ii).
• CIP-003-6 — Cyber Security — Security Management Controls, https://www.nerc.com/_layouts/15/PrintStandard.aspx?standardnumber=CIP-003-6&title=Cyber Security -Security Management Controls&jurisdiction=United States, § B: Requirements and Measures R1, R2 (2016).
• Kostadinov, D. (2018, February 6). Key Elements of an Information Security Policy. Retrieved September 26, 2018, from https://resources.infosecinstitute.com/key-elements-information-security-policy/#gref