Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
Case Study: Snohomish County PUD Initial Facilitated Assessment, August 2012
Benjamin Beberness, Snohomish County PUD; John Fry, ICF International
ES-C2M2 Background & Overview
• Challenge: Develop capabilities to manage dynamic threats and understand the cybersecurity posture of the grid
• Approach: Develop a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities
• Results: A scalable, sector-specific model created in partnership with industry
ES-C2M2 Case Study 2
ES-C2M2 Objectives
• Strengthen cybersecurity capabilities
• Enable consistent evaluation and benchmarking of cybersecurity capabilities
• Share knowledge and best practices
• Enable prioritized actions and cybersecurity investments
Why Create a Maturity Model?
If you want to build a ship, don’t herd people together to collect wood and don’t assign tasks and work, but rather, teach them to long for the endless immensity of the sea.
– Antoine de Saint-Exupery
Why Create a Maturity Model?
• Tool for utilities (as opposed to regulation from Government)
• Helps answer the questions:
  – Where are we?
  – Where do we go?
  – How do we get there?
ES-C2M2 Domains
[Figure: the ten ES-C2M2 domains, each shown with its short name]
  Risk Management (RISK)
  Asset, Change, and Configuration Management (ASSET)
  Identity and Access Management (ACCESS)
  Threat and Vulnerability Management (THREAT)
  Situational Awareness (SITUATION)
  Information Sharing and Communications (SHARING)
  Event and Incident Response, Continuity of Operations (RESPONSE)
  Supply Chain and External Dependencies Management (DEPENDENCIES)
  Workforce Management (WORKFORCE)
  Cybersecurity Program Management (CYBER)
• Domains are logical groupings of cybersecurity practices
• Each domain has a short name for easy reference
Model Architecture
[Figure: model hierarchy. A Domain contains Objectives; each Objective contains Practices grouped by Maturity Indicator Level (MIL), e.g. Domain > Objective 1 > MIL 1 (Practice 1, Practice 2), MIL 2, ...; Objective 2 ...]
Situational Awareness: 4 Objectives
1. Perform Logging – MIL1, MIL2, MIL3
2. Monitor the Function – MIL1, MIL2, MIL3
3. Establish and Maintain a Common Operating Picture – MIL1, MIL2, MIL3
4. Manage SITUATION Activities (common objective) – MIL1, MIL2, MIL3
Example: Objectives
Example: Practice Maturity Progression
Situational Awareness "Monitor the Function"
• MIL1 – Cybersecurity monitoring activities are performed (e.g., periodic reviews of log data)
• MIL2 – Alarms and alerts are configured to aid the identification of cybersecurity events
• MIL3 – Continuous monitoring is performed across the operational environment to identify anomalous activity
The Model at a Glance
[Figure: the model as a grid of the 10 domains (columns) by Maturity Indicator Levels (rows)]
Maturity Indicator Levels:
  0 Not Performed
  1 Initiated
  2 Performed
  3 Managed
  X Reserved
Domains: RISK, ASSET, ACCESS, THREAT, SITUATION, SHARING, RESPONSE, DEPENDENCIES, WORKFORCE, CYBER
• 10 Model Domains: Logical groupings of cybersecurity practices
• 4 Maturity Indicator Levels: Defined progressions of practices
• Each cell contains the defining practices for the domain at that maturity indicator level
• 1 Maturity Indicator Level that is reserved for future use
Using the Evaluation Results
Assessed Domains
• Enterprise versus functional area
• Assessed Domains
  – Risk Management (RISK)
  – Asset, Change, and Configuration Management (ASSET)
  – Identity and Access Management (ACCESS)
  – Threat and Vulnerability Management (THREAT)
  – Situational Awareness (SITUATION)
  – Information Sharing and Communications (SHARING)
  – Event and Incident Response, Continuity of Operations (RESPONSE)
  – Supply Chain and External Dependencies Management (DEPENDENCIES)
  – Workforce Management (WORKFORCE)
  – Cybersecurity Program Management (CYBER)
SNOPUD Relative Scoring
[Figure: stacked bar chart of practice counts per domain (Risk, Asset, Access, Threat, Situation, Sharing, Response, Dependencies, Workforce, Cyber) at MIL1, MIL2 and MIL3, each bar split into Fully implemented, Largely implemented, Partially implemented and Not implemented; the individual counts are not recoverable from the extracted text]
Maturity Indicator Levels (MIL) 1 through 3 indicate the stage of implementation of the domain, with 1 indicating there is room for improvement and 3 indicating it is fully implemented with very little room for improvement. Not all domains for every organization need to be at MIL 3. Many organizations, based on their risk profile, may have an adequate program at MIL 1.
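The scoring described above can be made concrete with a small model of the domain/objective/MIL/practice hierarchy. The following is an added example, not the DOE/ICF ES-C2M2 self-evaluation tool: it scores the "Monitor the Function" objective from the earlier slide using constructed responses. The scoring rule it applies is an assumption made for the example (a domain achieves MIL n only when every practice at MIL n and every lower MIL is answered "Largely implemented" or "Fully implemented"), as are the class and function names and the target MIL.

```python
"""Scoring an ES-C2M2 objective from practice-level self-evaluation responses.

Added example, not the DOE/ICF ES-C2M2 self-evaluation tool. The scoring rule
is an assumption made for this example: MIL n is achieved only when every
practice at MIL n and at every lower MIL is answered "Largely implemented" or
"Fully implemented"; otherwise the achieved level is MIL 0 ("Not Performed").
The three practices are the "Monitor the Function" progression quoted on the
page; the responses and the target MIL are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    """The four response options used in the relative-scoring chart."""
    NOT_IMPLEMENTED = 0
    PARTIALLY_IMPLEMENTED = 1
    LARGELY_IMPLEMENTED = 2
    FULLY_IMPLEMENTED = 3


# Assumed for this example: "largely" or better counts toward achieving a MIL.
ACHIEVEMENT_THRESHOLD = Status.LARGELY_IMPLEMENTED


@dataclass(frozen=True)
class Practice:
    domain: str      # domain short name, e.g. "SITUATION"
    objective: str   # objective within the domain
    mil: int         # maturity indicator level the practice belongs to (1..3)
    text: str        # practice statement


def achieved_mil(practices, responses):
    """Highest MIL whose practices, and all lower MILs' practices, meet the
    threshold. Levels are cumulative: a gap at MIL 1 caps the result at MIL 0."""
    achieved = 0
    for mil in sorted({p.mil for p in practices}):
        at_level = [p for p in practices if p.mil == mil]
        if all(responses.get(p, Status.NOT_IMPLEMENTED) >= ACHIEVEMENT_THRESHOLD
               for p in at_level):
            achieved = mil
        else:
            break
    return achieved


def gap_to_target(practices, responses, target_mil):
    """Practices at or below the target MIL that fall short of the threshold:
    the 'actual vs. desired' view used to prioritize improvements."""
    return [p for p in practices
            if p.mil <= target_mil
            and responses.get(p, Status.NOT_IMPLEMENTED) < ACHIEVEMENT_THRESHOLD]


def status_counts_by_mil(practices, responses):
    """Number of practices per response option at each MIL (the stacked bars
    of the relative-scoring chart)."""
    counts = {}
    for p in practices:
        status = responses.get(p, Status.NOT_IMPLEMENTED)
        counts.setdefault(p.mil, Counter())[status] += 1
    return counts


# Practices taken from the page's "Monitor the Function" progression.
MONITOR_THE_FUNCTION = [
    Practice("SITUATION", "Monitor the Function", 1,
             "Cybersecurity monitoring activities are performed "
             "(e.g., periodic reviews of log data)"),
    Practice("SITUATION", "Monitor the Function", 2,
             "Alarms and alerts are configured to aid the identification "
             "of cybersecurity events"),
    Practice("SITUATION", "Monitor the Function", 3,
             "Continuous monitoring is performed across the operational "
             "environment to identify anomalous activity"),
]

# Constructed responses: logs are reviewed, alerting exists, continuous
# monitoring covers only part of the operational environment.
SAMPLE_RESPONSES = {
    MONITOR_THE_FUNCTION[0]: Status.FULLY_IMPLEMENTED,
    MONITOR_THE_FUNCTION[1]: Status.LARGELY_IMPLEMENTED,
    MONITOR_THE_FUNCTION[2]: Status.PARTIALLY_IMPLEMENTED,
}
SAMPLE_TARGET_MIL = 3  # constructed desired level for this objective


def sample_report():
    """Achieved MIL, target MIL and the practices standing between the two."""
    gap = gap_to_target(MONITOR_THE_FUNCTION, SAMPLE_RESPONSES, SAMPLE_TARGET_MIL)
    return {
        "achieved": achieved_mil(MONITOR_THE_FUNCTION, SAMPLE_RESPONSES),
        "target": SAMPLE_TARGET_MIL,
        "gap": [p.text for p in gap],
    }


if __name__ == "__main__":
    report = sample_report()
    print(f"achieved MIL{report['achieved']}, target MIL{report['target']}")
    for text in report["gap"]:
        print("  gap:", text)
```

With the constructed responses the objective scores MIL2: periodic log review and alerting are in place, and the only practice between the utility and its MIL3 target is continuous monitoring, which is exactly the item a "target maturity goals" exercise would put on the improvement list. Because the levels are cumulative, fully implementing the MIL2 and MIL3 practices while skipping the MIL1 practice still scores MIL0.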
Assessment Results
• No surprises – areas needing improvement were known
• Facilitators were very objective
• Areas for improvement include risk management, log management, and areas of asset management
• Areas where program elements are in place include areas of asset management, access control (policy), threat/vulnerability management, sharing and managing information, threat response, dependencies, workforce management, and cyber program management
• The assessment provided quantitative guidance for program improvement
  – Review individual function areas (Generation, Water, T&D)
  – Determine the individual as well as the functional domain target maturity goals
  – Prioritize objectives in overall cyber security program
Notional Sample Report: Actual vs. Desired Score
ES-C2M2 – Next Steps
• Share Best Practices within the sector
• Identify approaches for Capability Development
• Discussion Opportunities created
• Develop anonymous aggregated Benchmarking Data
• R&D Investment needs identified by result data
• Access to Online Training Tools
Next Steps
• Data collection
  – ES-C2M2 compartment within US-CERT Portal
  – PCII protections
  – Projected timeline
• Data Analytics
• Benchmark Data
Notional Sample Comparison Report
Links
ES-C2M2 Model: http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-may-2012
ES-C2M2 Self-Evaluation Tool Requests, Questions, or Requests for Facilitation: [email protected]
THANK YOU. For questions or feedback please contact ES-[email protected]
Background Slides
ES-C2M2 Domain Descriptions
Risk Management (RISK)
Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders. RISK comprises three objectives:
1. Establish Cybersecurity Risk Management Strategy
2. Manage Cybersecurity Risk
3. Manage RISK Activities
Asset, Change, and Configuration Management (ASSET)
Manage the organization's operations technology (OT) and information technology (IT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives. ASSET comprises four objectives:
1. Manage Asset Inventory
2. Manage Asset Configuration
3. Manage Changes to Assets
4. Manage ASSET Activities
Identity and Access Management (ACCESS)
Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets, commensurate with the risk to critical infrastructure and organizational objectives. ACCESS comprises three objectives:
1. Establish and Maintain Identities
2. Control Access
3. Manage ACCESS Activities
Threat and Vulnerability Management (THREAT)
Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization's infrastructure (e.g., critical, IT, operational) and organizational objectives. THREAT comprises three objectives:
1. Identify and Respond to Threats
2. Reduce Cybersecurity Vulnerabilities
3. Manage THREAT Activities
Situational Awareness (SITUATION)
Establish and maintain activities and technologies to collect, analyze, alarm, present, and use power system and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP), commensurate with the risk to critical infrastructure and organizational objectives. SITUATION comprises four objectives:
1. Perform Logging
2. Monitor the Function
3. Establish and Maintain a Common Operating Picture
4. Manage SITUATION Activities
Information Sharing and Communications (SHARING)
Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives. SHARING comprises two objectives:
1. Share Cybersecurity Information
2. Manage SHARING Activities
Event and Incident Response, Continuity of Operations (RESPONSE)
Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives. RESPONSE comprises five objectives:
1. Detect Cybersecurity Events
2. Escalate Cybersecurity Events
3. Respond to Escalated Cybersecurity Events
4. Plan for Continuity
5. Manage RESPONSE Activities
Supply Chain and External Dependencies Management (DEPENDENCIES)
Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives. DEPENDENCIES comprises three objectives:
1. Identify Dependencies
2. Manage Dependency Risk
3. Manage DEPENDENCIES Activities
Workforce Management (WORKFORCE)
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives. WORKFORCE comprises five objectives:
1. Assign Cybersecurity Responsibilities
2. Control the Workforce Lifecycle
3. Develop Cybersecurity Workforce
4. Increase Cybersecurity Awareness
5. Manage WORKFORCE Activities
Cybersecurity Program Management (CYBER)
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities in a manner that aligns cybersecurity objectives with the organization's strategic objectives and the risk to critical infrastructure. CYBER comprises five objectives:
1. Establish Cybersecurity Program Strategy
2. Sponsor Cybersecurity Program
3. Establish and Maintain Cybersecurity Architecture
4. Perform Secure Software Development
5. Manage CYBER Activities