Industry Reliability and Security Standards Working Together
Where the standards are going and where your program should be heading
21 August 2014
About your presenters
Josh Axelrod
► Ernst & Young LLP, Cybersecurity, Power & Utility lead
► Former NERC CIP auditor
► Former Navy nuclear engineer
► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CGEIT
Matt Davis
► Ernst & Young LLP, Cybersecurity, Power & Utility team
► Former NERC CIP auditor
► Former ISP/telecom engineer
► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CIPP/IT
Overview
► Version Control
► Taking Control
► Framework Alignment
► Reliability Assurance Initiative
► Take a Risk
► Predictions
21 August 2014 Industry Reliability and Security Standards Working Together
Version (out of) Control
Which version?
► CIP standards are rapidly evolving and fragmenting.
► Current list of draft RSAWs:
► CIP-002-5.1
► CIP-003-6
► CIP-004-6
► CIP-005-5
► CIP-006-6
► CIP-007-6
► CIP-008-5
► CIP-009-6
► CIP-010-2
► CIP-011-2
Not much to see here, keep moving …
► Overview of V6 changes
► Removal of Identify, Assess, Correct (IAC)
► “Cabling” is back with mitigating controls … again
► Physical ports control for PCA
► Transient devices – prior to use
► CIP-014-1
► Third-party assessments
► Who is qualified? Who is willing?
Take Controls
Let It Go
► Moving away from regulatory requirements
► Right-size for your organization based on risk and budget
► Create your own story
► Leverage other frameworks
► Review all controls for need
► Similar to the ISO 27000 approach
Keys to Control Success
► Development
► Program – design
► Controls – effectiveness
► Maintain – change control
► Mapping
► Get granular
► Risk management process
► Drive selection
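Added example, not from the deck: what “get granular” mapping looks like in practice. Each internal control is tied to the individual requirement parts it satisfies (for more than one framework at once, as the “leverage other frameworks” slide suggests), and the script reports requirement parts no control covers and controls that are only mapped at the whole-requirement level. The control names, the requirement-part subset and every control-to-requirement assignment below are constructed for illustration; they are not a published CIP-to-NIST crosswalk.

```python
"""Granular control-to-requirement mapping with gap detection.

Illustrative example written for this page (not EY or NERC material).
The CIP requirement-part labels and NIST 800-53 control IDs are real
designations, but which internal control satisfies which part is an
assumption made for the example, not an authoritative mapping.
"""
from collections import defaultdict

# Requirement parts in scope for each framework (constructed subset).
REQUIREMENTS = {
    "CIP-007-6": ["R1.1", "R1.2", "R2.1", "R2.2", "R3.1", "R4.1", "R4.2"],
    "CIP-010-2": ["R1.1", "R1.2", "R2.1", "R3.1"],
    "NIST-800-53": ["CM-2", "CM-3", "CM-7", "SI-2", "SI-3", "AU-6", "RA-5"],
}

# Hypothetical internal controls and the parts each is asserted to meet.
# A reference to a bare requirement ("R2") rather than a part ("R2.1")
# is "coarse": the evidence is not tied to a specific part.
CONTROLS = {
    "CTL-01 Port/service hardening standard": {
        "CIP-007-6": ["R1.1", "R1.2"], "NIST-800-53": ["CM-7"]},
    "CTL-02 Monthly patch evaluation": {
        "CIP-007-6": ["R2"], "NIST-800-53": ["SI-2"]},  # coarse mapping
    "CTL-03 Anti-malware on EACMS/PACS": {
        "CIP-007-6": ["R3.1"], "NIST-800-53": ["SI-3"]},
    "CTL-04 Baseline config and change review": {
        "CIP-010-2": ["R1.1", "R1.2", "R2.1"], "NIST-800-53": ["CM-2", "CM-3"]},
}


def expand(framework, ref, requirements=REQUIREMENTS):
    """Return the requirement parts a reference covers.

    A part-level reference covers itself; a coarse reference ("R2")
    covers every part beneath it ("R2.1", "R2.2"). Unknown references
    return an empty list so the caller can flag them.
    """
    parts = requirements.get(framework, [])
    if ref in parts:
        return [ref]
    return [p for p in parts if p.startswith(ref + ".")]


def coverage(controls=CONTROLS, requirements=REQUIREMENTS):
    """Compute per-part coverage, coverage gaps, coarse and unknown refs."""
    covered = defaultdict(lambda: defaultdict(set))  # fw -> part -> controls
    coarse, unknown = [], []
    for ctl, refs in controls.items():
        for fw, ref_list in refs.items():
            for ref in ref_list:
                parts = expand(fw, ref, requirements)
                if not parts:
                    unknown.append((ctl, fw, ref))
                    continue
                if ref not in requirements[fw]:
                    coarse.append((ctl, fw, ref))
                for p in parts:
                    covered[fw][p].add(ctl)
    gaps = {fw: [p for p in parts if p not in covered[fw]]
            for fw, parts in requirements.items()}
    return {
        "covered": {fw: {p: sorted(c) for p, c in m.items()}
                    for fw, m in covered.items()},
        "gaps": gaps,
        "coarse": coarse,
        "unknown": unknown,
    }


def report(result):
    """Render the coverage result as plain text lines for a review pack."""
    lines = []
    for fw, gap_parts in result["gaps"].items():
        lines.append(f"{fw}: {len(gap_parts)} uncovered part(s) {gap_parts}")
    for ctl, fw, ref in result["coarse"]:
        lines.append(f"coarse: {ctl} -> {fw} {ref} (map to specific parts)")
    for ctl, fw, ref in result["unknown"]:
        lines.append(f"unknown: {ctl} -> {fw} {ref} (not a requirement in scope)")
    return lines


if __name__ == "__main__":
    for line in report(coverage()):
        print(line)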
Framework Alignment
Why NIST?
► 800-53 is comprehensive and free
► What NERC CIP was supposed to use and will continue to evolve toward
► Strong guidance
► Guidance from other 800 series publications
► Alignment to federal direction (EO 13636)
► Alignment to 800-82 (ICS)
► Detonation chambers
Other Options
► ISO 27001 – international and corporate
► Not free
► BITS – third-party assessments
► Not free
► PCI – encryption, virtualization
► Free
Reliability Assurance Initiative
Reliability Assurance Initiative (RAI)
► Risk Assessment
► The Region will develop a transparent but customized compliance profile based on the Registered Entity’s impact to the grid.
► The assessment will be shared with the Entity so that it understands how it will be monitored as part of the compliance profile.
► Internal Controls Reliance
► The Entity’s internal control practices will be provided to and reviewed by the Region.
► The Region will evaluate the level of the Entity’s internal control program to tailor compliance activities in conjunction with the assessment.
A New Hope
► Aggregation of non-compliance
► Based on the level of controls reliance and the Risk Assessment
► May be able to log minimal-risk non-compliance
► Trade-off in internal controls vs. minor deficiencies
► “Extra credit”
Internal Compliance Program
► What is an internal compliance program (ICP)?
► A formal process to achieve and mature compliance objectives through risk management practice enabled by controls
► What are the regulatory benefits?
► Culture of excellence, not compliance
► Reduction in compliance and reliability risks
► Potential for reduced auditing and penalties
► Components of an ICP
► Objectives: quality improvement, assurance, proactive, prompt, preventative
► Risk management: risk management model, enterprise risk strategy, governance structure, compliance management functions, internal controls assessment, evaluation with independence
► Controls: controls environment, programmatic processes, SME training program, communication plans, industry participation, metrics reporting
Take a Risk
Risk Management
► Executive involvement
► Board-integrated
► Insight-driven and performance-oriented
► Intrinsic to the business and is embedded in key business processes
Maturity
► Defines the appropriate activities
► Helps identify the best places for budget
► Builds a road map for the program
► Source: DOE ES-C2M2 Model
Summary
V7 Predictions
► Third-party compliance
► Threat management
► Baselines for monitoring
► HIPS or white-listing
► Application security
► Honeypots … just kidding
Summary
► Manage security through risk
► Keep maturing to keep ahead
► Monitor trends to anticipate change
► Let the standards follow you