helping utilities with cybersecurity preparedness: the c2m2


Accelerating Grid Modernization. More information available on SGIP.org

Helping Utilities with Cybersecurity Preparedness: The C2M2

April 23, 2015

WELCOME

Victoria Yan Pillitteri, National Institute of Standards & Technology (NIST), Smart Grid Cybersecurity Committee Chair

Presenter
Presentation Notes
Good afternoon, I am Vicky Pillitteri of NIST and Chair of SGIP’s Smart Grid Cybersecurity Committee. Welcome to today’s webinar on the Cybersecurity Capability Maturity Model.

Accelerating Smart Grid Interoperability

Advancing grid modernization through standards innovation, gap filling, interface definitions, and the creation of test frameworks. Multi-stakeholder community with tight coupling to Standards Setting Organizations (SSOs). Disciplined, time-tested processes.

The Smart Grid Interoperability Panel (SGIP) is a consortium that securely accelerates and advances Grid Modernization through interoperability and the leadership talents of its members. SGIP prioritizes topics and issues set by the utilities, independent power producers and industry members, works them to solution, and drives innovation of Grid Modernization.

Presenter
Presentation Notes
SGIP keeps commerce and trade flowing by recognizing harmonized standards, a universal architecture to guide design of the modernized electric grid. SGIP enables more efficient and robust open standards by multiple vendors, leading to interoperable products that create more economical solutions. But the business of grid modernization stands to falter if a disparate assembly of components, ideas and procedures don’t work together. Products and solutions built on interoperable standards which have undergone rigorous open evaluation, especially for cybersecurity vulnerabilities, will lower the risk of implementing new grid modernization solutions. Beyond utilities, investors, suppliers, insurers and power customers will be among stakeholders benefiting from emerging Smart Grid commerce, including robust economies, increased power reliability and decreased cost of operation and management.

Agenda
• Welcome – Vicky Pillitteri, SGIP
• Main Presentation – Jason D. Christopher, DOE
• Questions & Answers
• SGIP Cybersecurity Update – Vicky Pillitteri
• Closing Reminders – Vicky Pillitteri

This meeting, and all SGIP activities, are governed by SGIP By-laws and policies - Intellectual Property Rights Policy and Antitrust Policy.

Presenter
Presentation Notes
We will be taking your questions so please submit them via the “Question” text box located in the GoTo control panel. NEXT SLIDE

CYBERSECURITY CAPABILITY MATURITY MODEL UPDATE

Jason D. Christopher, US Department of Energy

Presenter
Presentation Notes
BACKGROUND OF SPEAKER: is the electricity subsector Technical Lead for Cyber Security Capabilities and Risk Management at the US Department of Energy. [WHATEVER YOU WOULD LIKE TO SAY] And now I’ll turn things over to Jason. OPENING: Thank you, Vicky…

Defining Security

Aligning DOE Activities

• Build a Culture of Security
  – Training
  – Education
  – Improved communication within industry
• Assess and Monitor Risk
  – Electricity Subsector Cybersecurity Capability Maturity Model
  – Situational Awareness Tools
  – Common Vulnerability Analysis
  – Threat Assessments
  – Consequence Assessments
• Develop and Implement New Protective Measures to Reduce Risk
  – Support Cybersecurity Standards Development
  – Near-term Industry-led R&D projects
  – Mid-term Laboratory/Academia R&D projects
  – Long-term Laboratory/Academia R&D projects
• Manage Incidents
  – NSTB (National SCADA Test Bed)
  – Outreach
  – Cyber Exercises
• Sustain Security Improvements
  – Product upgrades to address evolving threats
  – Collaboration among all stakeholders to identify needs and implement solutions

Presenter
Presentation Notes
DOE’s activities are aligned with the five strategies of the Roadmap’s Strategic Framework.

Introduction to the C2M2 Program
• Since June 2012, hundreds of organizations have used the C2M2.
• DOE has facilitated self-evaluations for utilities servicing an estimated 39 million US consumers.
• Recently expanded to include oil & natural gas organizations, as well as stakeholders beyond the energy sector.

Presenter
Presentation Notes
The ES-C2M2 is a scalable, sector-specific maturity model that was developed in May 2012. The ES-C2M2 was the result of a White House initiative led by the Department of Energy (DOE), in partnership with the Department of Homeland Security (DHS), and in collaboration with industry, private sector, and public-sector experts. The White House posed the challenge: develop capabilities to manage dynamic threats and understand the cybersecurity posture of the grid. DOE and the sector’s approach was to develop a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities.

C2M2 Program

• ES-C2M2: public-private collaborative effort; sector-specific subject matter expertise; pilot evaluations.
• ONG-C2M2: tested and refined for ONG through ONG pilot evaluations across upstream, midstream, and downstream ONG companies.
• C2M2: without sector-specific references or terms of art; refined through the ONG pilots, and also via cross-sector outreach.

Presenter
Presentation Notes
In February 2014, DOE published Version 1.1 of ES-C2M2 along with an ONG-C2M2 tailored for the ONG subsector and a sector-neutral C2M2. Version 1.1 of ES-C2M2 has very few changes from version 1.0; practices remained largely unchanged. Kicked off the ONG-C2M2 on June 27, 2013. While there are many differences between the electricity subsector and the oil and natural gas subsector companies, stakeholders requested a piloting process of the C2M2. Pilots began in September, ended on October 25. Currently reviewing pilot findings to report back to energy stakeholders.

The Approach: Maturity Model

Maturity Model Definition:
• An organized way to convey a path of experience, wisdom, perfection, or acculturation.
• The subject of a maturity model can be an object or things, ways of doing something, characteristics of something, practices, or processes.

Progression Model Examples (each listed from least to most advanced)

Progression for Counting: Fingers; Pencil and paper; Abacus; Slide rule; Adding machine; Calculator; Computer

Progression for Authentication: Passwords; Strong passwords; Passwords change every 60 days; Two-factor authentication; Three-factor authentication

Progression for Human Mobility: Crawl; Walk; Jog; Run; Sprint; Fly

Presenter
Presentation Notes
Progression Model:
• Progression or scaling of a characteristic, indicator, attribute, or pattern of a practice
• Level names and definitions indicate progression of practice maturity; focus on domain-specific practice attributes
• Levels often arbitrary; little to no validation of transitions between levels
• Does not measure capability or process maturity but often confused with these

Capability Model Examples (each listed from least to most mature)

Example 1: Practices are ad hoc; Practices are managed; Practices are defined; Practices are quantitatively managed; Practices are optimized

Example 2: Practices are initiated; Practices are performed; Practices are managed; Practices are internally integrated; Practices are externally integrated

Example 3: Practices are incomplete; Practices are performed but ad hoc; Practices are planned; Practices are managed; Practices are measured; Practices are defined; Practices are shared

Presenter
Presentation Notes
Capability (Maturity) Model:
• A more complex instrument
• Characterizes the maturity of processes: the degree to which processes are institutionalized; the degree to which the organization demonstrates process maturity
• Reflects the maturity of the culture of the organization
• Institutionalized processes are more likely to be retained during times of stress.

C2M2 Domain Descriptions

RM: Risk Management
Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk

ACM: Asset, Change, and Configuration Management
Inventory, manage changes to, and manage configuration of technology assets, including OT (operations technology), IT (information technology), hardware, and software

IAM: Identity and Access Management
Create and manage identities for entities that may be granted logical or physical access to assets and control such access

TVM: Threat and Vulnerability Management
Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities

SA: Situational Awareness
Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information to form a common operating picture (COP)

ISC: Information Sharing and Communications
Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience

IR: Event and Incident Response, Continuity of Operations
Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout such events

EDM: Supply Chain and External Dependencies Management
Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities

WM: Workforce Management
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel

CPM: Cybersecurity Program Management
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for cybersecurity activities

C2M2 Model Architecture

10 Model Domains: logical groupings of cyber security practices — activities that protect operations from cyber-related disruptions: RM (Risk Management), ACM (Asset, Change, and Configuration Management), IAM (Identity and Access Management), TVM (Threat and Vulnerability Management), SA (Situational Awareness), ISC (Information Sharing and Communications), IR (Event and Incident Response, Continuity of Operations), EDM (Supply Chain and External Dependencies Management), WM (Workforce Management), CPM (Cybersecurity Program Management)

4 Maturity Indicator Levels (MILs), applied to every domain:
• MIL 0: no practices
• MIL 1 (beginning): MIL 1 practices
• MIL 2 (intermediate): MIL 2 practices
• MIL 3 (advanced): MIL 3 practices

Each domain includes a progression of practices from MIL 1 to MIL 3.

MIL 1 practices are basic activities that any organization may perform; these are the starting blocks.

MIL 2 & 3 practices are progressively more complete, advanced, and ingrained; target levels should be set for each domain based on risk tolerance and threat environment.

Organization of a Domain

Model: contains 10 domains.

Domain: each domain contains two kinds of objectives.
• Approach Objectives: one or more per domain, unique to each domain. Approach objectives are supported by a progression of practices that are unique to the domain (practices at MIL1, practices at MIL2, practices at MIL3).
• Management Objective: one per domain, similar in each domain. Each management objective is supported by a progression of practices that are similar in each domain and describe institutionalization activities (practices at MIL2, practices at MIL3).

C2M2 Evaluation Tool & Method
• Since the program’s inception, DOE has maintained a free tool for organizations to perform a C2M2 self-evaluation
• C2M2 self-evaluation workshops can be completed in a single day with appropriately limited scope
• Output graphically summarizes implementation status for each of the 312 practices in the model

Summary Results — example (donut chart key)
Each donut shows the total number of practices it represents, broken down into the number of Fully Implemented, Largely Implemented, Partially Implemented, and Not Implemented practices.

NIST Cybersecurity Framework & C2M2

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

Section 8(b): “Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.”

• Working with stakeholders from the sector, DOE collaborated to develop an implementation guidance document addressing how C2M2 supports framework implementation.

• Available for download at: http://energy.gov/oe/downloads/energy-sector-cybersecurity-framework-implementation-guidance

Presenter
Presentation Notes
On January 8, 2015, the Energy Department released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST) in February 2014. The voluntary Cybersecurity Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure and was developed in response to Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” through collaboration between industry and government. In developing this guidance, the Energy Department collaborated with private sector stakeholders through the Electricity Subsector Coordinating Council and the Oil & Natural Gas Subsector Coordinating Council. The Department also coordinated with other Sector Specific Agency representatives and interested government stakeholders.

NIST Cybersecurity Framework

Core: Functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), each broken down into Categories, Subcategories, and Informative References

Tiers:
• Tier 1: Partial: ad hoc risk management; limited cybersecurity risk awareness; low external participation
• Tier 2: Risk Informed: some risk management practices; increased awareness, no program; informal external participation
• Tier 3: Repeatable: formalized risk management; organization-wide program; receives external partner info
• Tier 4: Adaptive: adaptive risk management practices; cultural, risk-informed program; actively shares information

Profile:
• Current Profile: current state of alignment between Core elements and organizational requirements, risk tolerance, & resources. Where am I today relative to the Framework?
• Target Profile: desired state of alignment between Core elements and organizational requirements, risk tolerance, & resources. Where do I aspire to be relative to the Framework?
• Roadmap: from the Current Profile to the Target Profile

Framework Process

Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan

C2M2 as a Framework Enabler (Framework step and the C2M2 output that serves it)

Step 1: Prioritize and Scope: select in-scope assets and requirements
Steps 2 and 3: Orient; Create a Current Profile: perform C2M2 self-evaluation using C2M2 tool
Step 4: Conduct a Risk Assessment: evaluate risk based on C2M2 output
Step 5: Create a Target Profile: create target profile based on C2M2
Step 6: Determine, Analyze, and Prioritize Gaps: prioritize action plan to achieve target profile
Step 7: Implement Action Plan: implement the plan, use CSF & C2M2 guidance

Source: Axio Global
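The evaluation tool and the enabler mapping above describe a small amount of arithmetic: count each practice's implementation status per domain (the donut chart), work out the MIL each domain has actually reached, and compare that with the per-domain target MIL to prioritize gaps (Framework steps 5 and 6). The block below is an added example written for this page, not code from DOE, SGIP, Axio or the C2M2 self-evaluation tool. It uses the four statuses from the donut chart key. The cumulative achievement rule it applies (a domain reaches a MIL only when every practice at that MIL and at all lower MILs is Fully or Largely Implemented), the practice identifiers, and the sample responses are assumptions constructed for illustration, not the model's own numbering or any real evaluation.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """The four response values shown in the donut chart key."""
    FULLY = "Fully Implemented"
    LARGELY = "Largely Implemented"
    PARTIALLY = "Partially Implemented"
    NOT = "Not Implemented"


# Assumption (not stated on the slides): only Fully and Largely Implemented
# responses count toward achieving a MIL.
COUNTS_TOWARD_MIL = {Status.FULLY, Status.LARGELY}


@dataclass(frozen=True)
class Practice:
    domain: str     # C2M2 domain abbreviation, e.g. "RM" or "IAM"
    mil: int        # MIL the practice belongs to: 1, 2 or 3
    pid: str        # constructed practice id, not the model's own numbering
    status: Status  # self-evaluation response for this practice


# Constructed sample responses for two domains. A real evaluation covers all
# ten domains and 312 practices; the shape of the data is the same.
SAMPLE = [
    Practice("RM", 1, "RM-1a", Status.FULLY),
    Practice("RM", 1, "RM-1b", Status.LARGELY),
    Practice("RM", 2, "RM-2a", Status.FULLY),
    Practice("RM", 2, "RM-2b", Status.PARTIALLY),
    Practice("RM", 3, "RM-3a", Status.NOT),
    Practice("IAM", 1, "IAM-1a", Status.FULLY),
    Practice("IAM", 1, "IAM-1b", Status.FULLY),
    Practice("IAM", 2, "IAM-2a", Status.LARGELY),
    Practice("IAM", 2, "IAM-2b", Status.FULLY),
    Practice("IAM", 3, "IAM-3a", Status.PARTIALLY),
    Practice("IAM", 3, "IAM-3b", Status.FULLY),
]


def summarize(practices):
    """Per-domain count of each status: the numbers behind one donut per domain."""
    summary = defaultdict(Counter)
    for p in practices:
        summary[p.domain][p.status] += 1
    return dict(summary)


def achieved_mil(practices, domain):
    """Highest MIL whose practices, and those of every lower MIL, all count.

    Returns 0 (MIL 0) when the MIL 1 practices are not all implemented.
    The cumulative rule is an assumption for this example.
    """
    by_mil = defaultdict(list)
    for p in practices:
        if p.domain == domain:
            by_mil[p.mil].append(p)
    achieved = 0
    for mil in (1, 2, 3):
        level = by_mil.get(mil, [])
        if level and all(p.status in COUNTS_TOWARD_MIL for p in level):
            achieved = mil
        else:
            break  # a gap at this level blocks every level above it
    return achieved


def blocking_practices(practices, domain, target):
    """Practices at or below the target MIL that still need work."""
    return sorted(
        p.pid for p in practices
        if p.domain == domain and p.mil <= target
        and p.status not in COUNTS_TOWARD_MIL
    )


def gap_report(practices, targets):
    """Compare achieved MIL with each domain's target MIL (set from risk
    tolerance and threat environment) and order domains largest gap first."""
    rows = []
    for domain, target in targets.items():
        have = achieved_mil(practices, domain)
        rows.append({
            "domain": domain,
            "achieved": have,
            "target": target,
            "gap": max(0, target - have),
            "blocking": blocking_practices(practices, domain, target),
        })
    rows.sort(key=lambda r: (-r["gap"], r["domain"]))
    return rows


if __name__ == "__main__":
    # Constructed targets: MIL 3 for risk management, MIL 2 for identity.
    targets = {"RM": 3, "IAM": 2}
    for domain, counts in summarize(SAMPLE).items():
        print(domain, {s.value: n for s, n in counts.items()})
    for row in gap_report(SAMPLE, targets):
        print(row)
```

`gap_report` puts the domain furthest from its target first, which is the order an action plan (Step 7) would normally work in, and `blocking_practices` names exactly which responses have to change before the target MIL is reached; note that a single Partially Implemented MIL 2 practice holds a domain at MIL 1 no matter how many MIL 3 practices are complete.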

C2M2 Mapping to CSF

CSF Core: Functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), Categories, Subcategories, Informative References. Mapped to C2M2 practices at MIL 1, MIL 2, and MIL 3.

CSF Tiers: Tier 1: Partial; Tier 2: Risk Informed; Tier 3: Repeatable; Tier 4: Adaptive. Mapped to C2M2 practices at MIL 1, MIL 2, and MIL 3.

Defining Security

Resources
• Cybersecurity Framework and supporting materials: http://www.nist.gov/itl/cyberframework.cfm
• NIST Computer Security Resource Center: http://csrc.nist.gov/
• C3 Voluntary Program: www.dhs.gov/ccubedvp
• C2M2 Program: http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program

QUESTIONS?

Jason D. Christopher, [email protected]

Resource emails: [email protected]; [email protected]

SGCC UPDATE

Victoria Yan Pillitteri, National Institute of Standards & Technology (NIST), Smart Grid Cybersecurity Committee Chair

Presenter
Presentation Notes
Good afternoon, I am Vicky Pillitteri of NIST and Chair of SGIP’s Smart Grid Cybersecurity Committee. Welcome to today’s webinar on the

Cybersecurity Committee

The SGIP Cybersecurity Committee is a collaborative forum that develops resources that smart grid stakeholders can leverage to help understand and manage cybersecurity risk.

Cybersecurity is a critical, cross-cutting issue for the Smart Grid.

2015 Progress
• Cybersecurity Frameworks Case Study
• Privacy Awareness Self-Assessment
• Published:
  – Risk Management Process Case Study
• Continue:
  – Collaboration with other smart grid and energy sector communities/groups
  – Cybersecurity reviews for SGIP Catalog of Standards

To learn more contact: [email protected]

SGIP Reminders
• May 12: Engaged in Conversation: Grid 3.0
  – Register at SGIP.org/Webinars
• Past webinars and publications available on SGIP.org under “Information Knowledge Base”
• Stay in Touch
  – Twitter: @SGIPNews
  – Join our LinkedIn Group
  – Sign up for SGIP Newsletter, The Conductor

Presenter
Presentation Notes
Also, I wanted to share a few more SGIP resources. SGIP makes a great deal of its information publicly available. For instance, starting tomorrow, you’ll find archived materials from this event on our Webinars page. SGIP encourages you to follow us on Twitter, join our LinkedIn group to discuss Smart Grid interoperability related topics like testing or cybersecurity, grid resiliency, transactive energy and the like. We also share updates and information in our free monthly newsletter, The Conductor. If you don’t already subscribe, you can do so at sgip.org.

THANK YOU FOR YOUR PARTICIPATION

A FOLLOW-UP EMAIL WILL BE SENT WITH LINK TO RECORDING AND SUPPORTING MATERIALS

Presenter
Presentation Notes
Thank you again for attending and special thanks to our presenters today. SGIP greatly appreciates your participation. You will be receiving a short survey via email asking about this presentation. SGIP staff will also send out a follow up email to this webinar that will include relevant links and of course, the webinar recording archive. Thank you again.