Transcription

Cyber Security Assessments
USAID-USEA Digitalization and Cyber Security Webinar Series
Galen Rasche
Senior Program Manager, [email protected] 3, 2020
www.epri.com © 2020 Electric Power Research Institute, Inc. All rights reserved.

About EPRI (www.epri.com)
- EPRI conducts research and development relating to the generation, delivery and use of electricity for the benefit of the public.
- EPRI brings together its scientists and engineers as well as experts from academia and industry to help address challenges in electricity, including reliability, efficiency, affordability, health, safety and the environment.
- EPRI members represent 90% of the electricity generated and delivered in the United States with international participation extending to nearly 40 countries.

Cyber Security Assessments for Electric Power Utilities

Cyber Security Assessments
- Where are we now?
  - Current state assessment
- Where do we want to be?
  - Desired future state
- How do we get there?
  - Identify required capabilities to achieve future state
  - Develop Cybersecurity Program Roadmap and implementation plans

Elements of the NIST Cybersecurity Framework (CSF)
Source: Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

NIST Cybersecurity Framework
- Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

NIST Cybersecurity Framework
- How should our cyber security program be organized and assessed?
- Are we accurately assessing and communicating risk?
- Do we trust the equipment we are deploying?
- Are we mitigating risks from third-party service providers?
- How do we manage passwords and remote access to field devices?
- Do we have the right architectures and technology to protect our OT systems?
- Do we have visibility into our OT networks and devices?
- Are our IDS tools configured and effective for OT systems?
- Can our SCADA operators identify and respond to cyber attacks?
- Do we have the forensics tools and capabilities to determine which devices have been compromised?

NIST Cybersecurity Framework

Benefits
- Five functions easy for non-security staff and executives to understand
- Widely adopted in the industry
- Focuses on outcomes – flexible implementation
- Industry profiles and implementation guides available
- Can be implemented with various international cyber security standards and controls catalogues

Challenges
- No generally accepted scoring mechanism
- Control set is at different levels
- Different tiers are not a formal maturity model
- Need OT cyber security expertise to correctly apply the Framework to electric power utility operations domains

NIST Cybersecurity Framework Resources
- NIST Cybersecurity Framework (CSF) Version 1.1
- NIST TN 2051 – Cybersecurity Framework Smart Grid Profile
- Maritime Bulk Liquids Transfer Cybersecurity Framework Profile
- NIST IR 8183 - Cybersecurity Framework Manufacturing Profile
- NIST IR 8183A - Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide

EPRI Technical Assessment Methodology

Technical Assessment Methodology (TAM) Purpose
Provides an actionable, risk-informed, systems engineered based approach that guides users to:
- Understand their systems and components,
- Analyze the actual vulnerabilities and how the system can be attacked,
- Mitigate those vulnerabilities to an acceptable risk level,
- By applying effective control measures.

The EPRI Technical Assessment Methodology (TAM)
- Security Risk Assessment of Systems, Sub-Systems or Components
- Scoring risks of existing control measures (effectiveness and burden)
- For Procurement or Installed Equipment
- Determines Mitigations & Unmitigated Vulnerabilities
- Identifies parties responsible for Mitigations
Diagram labels: Systems, Sub-Systems, Components, Cyber Security Data Sheet (CSDS)

Cyber Security Data Sheet (CSDS)
CSDS Part 1: Attack Surface Characterization
- Part 1a: Assessment Scope
- Part 1b: Target Asset Characteristics
- Part 1c: Attack Pathways
- Part 1d: Exploit Sequences
CSDS Part 2: Identify, Score, & Allocate Control Methods
- Part 2a: Security Control Method Identification and Scoring
- Part 2b: Allocation of Security Control Methods

Output of the Process
- Identify attack surface
- Cyber Security Data Sheets (CSDS)
- Scoring of existing control measures (effectiveness and burden)
- Unmitigated vulnerabilities
- What if analysis of additional control measures
- Standardized and scalable
- Systems and component communication
- Data flows
- Relationships Sets
- Shared control measures
- Aids in incident response
- Library of administrative and shared technical control methods

Technical Assessment Methodology Resources
- Cyber Security Technical Assessment Methodology, Risk Informed Exploit Sequence Identification and Mitigation, Revision 1
- EPRI Cyber Security Technical Assessment Methodology Video (3.43min)
- Toward a New Risk-Informed Approach to Cyber Security
- SEL 487E Protective Relay Reference Cyber Security Data Sheet (CSDS): Cyber Security Technical Assessment Methodology Use Case Study (3002017149)
- Domain Controller Cyber Security Data Sheet (CSDS) Topical Guide (3002015759)
- Risk Informed Target Level Topical Guide (3002015760)
- Cyber Security Data Flow Identification and Documentation Topical Guide (3002015761)

Contact:
Galen Rasche
Sr. Program [email protected]

Together Shaping the Future of Electricity
