© 2015 Electric Power Research Institute, Inc. All rights reserved.

Annabelle Lee
Senior Technical Executive
ICCS – European Engagement Summit
April 28, 2015

Risk Management in Practice – A Guide for the Electric Sector

Before we continue, let’s get over our fears and myths with some much needed levity …

The following three slides are based on a briefing given by Daniel Thanos of Telos.

Sum of All Myths – The Einstein Defense

Myth: Our systems are so proprietary and esoteric that Einstein himself couldn’t figure them out, so “hackers” have no chance.

Reality: Whatever can be engineered can be reverse-engineered, and Stuxnet is the proof.

Sum of All Myths – Wishful Immunity

Myth: There are no problems here, just happy and trusted people working on reliable and isolated systems.

Fact: Sophisticated attackers use trusted people and privileged access without the target’s knowledge.
• Attackers usually succeed when security is exclusively perimeter and “trust” based.

Sum of All Myths – Mordac Syndrome

Myth: Security reduces reliability, degrades capabilities and prices us out of existence.

Fact: Correctly engineered security increases reliability and reduces the costs and risks that stem from poor design and systemic failures.

General Risk Assessment Approach

Risk Assessment Methodology (flow diagram): Asset/System Characterization; Impact Analysis; Vulnerability Assessment; Threat Agent Characterization; Threat Likelihood Assessment; Risk Determination; Risk Acceptable? (NO: Security Requirements/Controls; YES: continue).

Risk Assessment Methodology (2) – Implementation and Assessment Phases

Flow diagram: Risk Assessment; Risk Acceptable? (NO: Security Controls; YES: System Implementation); Successful Risk Mitigation?; Ongoing Monitoring; Testing and Exercising.

Overview

Cybersecurity Capability Maturity Model (C2M2) Expansion Project and Comparative Analysis

Department of Energy Risk Management Process

Risk Management Cycle (diagram): Risk Framing; Risk Assessment; Risk Response; Risk Monitoring.

The risk management cycle:
(i) Risk framing (i.e., establish the context for risk-based decisions)
(ii) Risk assessment
(iii) Risk response once determined, and
(iv) Risk monitoring on an ongoing basis.

Risk management is carried out as an organization-wide activity.

Framework Implementation Guidance Mapping (Project #1)

Diagram: CSF Core – Functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), Categories, Subcategories, Informative References; CSF Tiers – Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable, Tier 4: Adaptive; each mapped to C2M2 Practices at MIL 1, MIL 2 and MIL 3.

C2M2 Comparative Analysis (Project #2)

Diagram: C2M2 structure – Domains, Objectives, Practices (domains shown: Risk Management; Asset, Change, & Configuration Management; Identity and Access Management; Cyber Program Management) – compared against Industry Standards: Cybersecurity Framework, C2M2, NISTIR 7628, SP 800-53, NRECA Cyber Security Guidelines, and others as requested by industry.

C2M2 Comparative Analysis Process

Diagram: C2M2 (Domains, Objectives, Practices; domains shown: Risk Management; Asset, Change, & Configuration Management; Identity and Access Management; Cyber Program Management) mapped to the NRECA Cyber Security Guidelines.

Many sector-specific standards, such as the NRECA Cyber Security Guidelines, have already been mapped directly to the C2M2. In these cases, the maps are easily ported into the C2M2 expansion as a module.

C2M2 Comparative Analysis Process

Diagram: NIST Cybersecurity Framework linked to NIST SP 800-53, NISTIR 7628, COBIT 5, ISA 99 / IEC 62443, and ISO 2700x.

With the release of the Framework, even more standards are available. By leveraging the maps that apply to the Framework, as well as industry’s map of the C2M2-Framework, the expansion can include other modules with very little effort.
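The hub-and-spoke mapping described above, as an added example that is not part of the presentation or of EPRI's mapping database: two crosswalks that both target CSF subcategories are joined on the shared CSF identifiers to derive a C2M2-to-guideline map, to report practices that reach no counterpart, and to list the evidence behind one CSF subcategory for a conformance report. The practice and guideline identifiers and every mapping row are constructed sample values, not the published DOE or NRECA maps.

```python
from collections import defaultdict

# Constructed sample rows (not the published DOE map): each C2M2 practice id
# maps to the CSF subcategory ids it supports. Ids are illustrative only.
C2M2_TO_CSF = {
    "RM-1a": {"ID.RA-1"},
    "RM-1b": {"ID.RA-1", "ID.RM-1"},
    "ACM-1a": {"ID.AM-1"},
    "IAM-1a": {"PR.AC-1"},
    "CPM-1a": set(),  # left unmapped on purpose to show a reported gap
}

# Constructed guideline rows with hypothetical ids, also mapped to CSF.
NRECA_TO_CSF = {
    "NRECA-RA-1": {"ID.RA-1"},
    "NRECA-AM-2": {"ID.AM-1"},
    "NRECA-AC-3": {"PR.AC-1"},
}


def invert(mapping):
    """Turn source id -> {CSF ids} into CSF id -> {source ids}."""
    inv = defaultdict(set)
    for src, csf_ids in mapping.items():
        for csf_id in csf_ids:
            inv[csf_id].add(src)
    return inv


def compose_via_csf(left, right):
    """Join two crosswalks on their shared CSF ids: left id -> {right ids}."""
    right_by_csf = invert(right)
    return {src: set().union(*(right_by_csf[c] for c in csf_ids))
            for src, csf_ids in left.items()}


def coverage_gaps(left, right):
    """Left ids that reach no right id through the hub; these need manual review."""
    return sorted(k for k, v in compose_via_csf(left, right).items() if not v)


def evidence_for(csf_id, **maps):
    """Conformance view: which ids in each named map support one CSF subcategory."""
    return {name: sorted(invert(m)[csf_id]) for name, m in maps.items()}


if __name__ == "__main__":
    print(compose_via_csf(C2M2_TO_CSF, NRECA_TO_CSF))
    print("gaps:", coverage_gaps(C2M2_TO_CSF, NRECA_TO_CSF))
    print(evidence_for("ID.RA-1", c2m2=C2M2_TO_CSF, nreca=NRECA_TO_CSF))
```

A derived map is only as good as the two source maps; a practice that maps to no CSF subcategory (here CPM-1a) shows up as a gap rather than silently disappearing.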

Risk Management in Practice – A Guide for the Electric Sector

EPRI Technical Update: 3002003333

Assessing and Monitoring Risk

Issue

There are many cyber security risk assessment and security requirements documents, tools and methods, making it difficult for a utility to show how it meets all of the specifications.

Project approach

Perform a comparative analysis of the NIST Cybersecurity Framework, DOE ES-C2M2, NISTIR 7628, NESCOR Failure Scenarios, NIST SP 800-53, NEI 08-09 and NRC 5.71.

Create a database to improve the usability of the mappings.

Value

Straightforward reporting to senior management and regulatory agencies to verify conformance with industry frameworks.

Assessing and Monitoring Risk (2)

Department of Energy Electricity Subsector Cybersecurity Capability Maturity Model (DOE ES-C2M2)
National Institute of Standards and Technology Interagency Report (NISTIR) 7628
National Electric Sector Cybersecurity Organization Resource (NESCOR) Failure Scenarios
NIST Special Publication (NIST SP) 800-53
Nuclear Energy Institute (NEI) 08-09
Nuclear Regulatory Commission (NRC) 5.71

Example from the Document

Moving Forward…

• Cyber security supports both the reliability and privacy of the Smart Grid
• Address interconnected systems – both IT and control systems
  – Cyber security needs to be addressed in all systems, not just critical assets
  – Augment existing protection controls, as applicable
• Continuously monitor and assess the security status
• Acknowledge there will be some security breaches
  – Focus on response and recovery
  – Fail secure
• Address both safety and security

Discussion

[email protected]

202.293.6345

Together…Shaping the Future of Electricity