Cybersecurity Policies

Western Electricity Coordinating Council

WECC Reliability & Security Workshop

San Diego, CA – October 23–24, 2018



True Story

A CIP-compliant cyber asset, connected to the Internet from a low-impact facility for the purpose of remotely accessing a capacitor bank, was compromised by unauthorized Internet users for seven months prior to discovery.

• Installed and forgotten

• Misidentified

• Ignored

• Hacked via brute force

• Exploited

• Advertised in Russia

• Ransomed


True Story (Happy Ending?)

The compromise was discovered before any additional systems were infected or any compromises to the reliability and security of the BPS were carried out.

Lessons learned:

• Maintain accurate inventories of all cyber assets & configurations

• Control and verify installations and configurations/upgrades

• Institute AAA controls

• Limit and control Internet connectivity for all cyber assets

• Provide awareness and training to personnel and contractors

• Re-evaluate processes and test everything… often


Keeping the Hackers at Bay

Start by developing a cybersecurity policy as the foundation of a comprehensive, multilayered cybersecurity program.


Agenda


• Security Goals and Objectives

• Cyber Security Program Overview

• Cyber Security Policies

  – Categories, Types, Examples

• Group Activity #1

• Security Policy Elements

  – CIP-003-6

• Group Activity #2

• Security Frameworks

  – NIST

• Review


Primary Security Goals & Objectives


[Figure: CIA Triad – Confidentiality, Integrity, Availability – with their dependencies]


CIA Triad Principles

Confidentiality – Objects are protected from unauthorized access, use, or disclosure.

Integrity – Objects are intentionally modified only by authorized subjects.

Availability – Authorized subjects are granted timely and uninterrupted access to objects.

Dependencies:

• Confidentiality depends on Integrity

• Availability depends on Confidentiality & Integrity


Cybersecurity Program Pyramid


[Figure: program pyramid – Procedure (top), Process (middle), Policy (base)]


Program Pyramid Elements

Policy – Defines the scope of security needed by the organization.

Process – Describes how the policy is implemented for specific groups of subjects and objects.

Procedure – Provides detailed, step-by-step actions necessary to implement a specific security control.


Security Policy – A Closer Look

• Overview of an organization’s security needs

• Defines the main security objectives

• Identifies major functional areas for security

• Used to:

– Define roles

– Assign responsibilities

– Outline enforcement processes

– Indicate compliance requirements

– Describe acceptable risk levels


Security Policy Categories

Regulatory/Legal – Industry or legal standards that are applicable to the organization.

Advisory – Acceptable behaviors/activities and consequences of violations.

Informative – Information/knowledge about a specific subject.


Regulatory and Legal Policies

A regulatory and legal policy defines requirements and legal obligations that govern an industry or are applicable to the organization.

Examples include:

• NERC CIP Standards

• Payment Card Industry Data Security Standard (PCI DSS)

• Sarbanes–Oxley (SOX) Act

• Insurance Requirements

• Business Contract and Service Level Agreements (SLA)

• Board of Directors’ Mandates


Advisory Policies

An advisory policy describes acceptable behaviors/activities and consequences of violations. Examples include:

• Company information disclosure

• Function/Job roles

• Use of organizational resources (e.g. Internet)

• Personal property used for business

• ID and access badge usage

• Authentication (managing passwords)


Informative Policies

An informative policy provides information/knowledge about a specific subject. Examples include:

• Mission/Vision statements

• Organizational goals

• Privacy

• Good neighbor policies

• Supply chain activities

• Incident management and reporting


Security Policy Types

Organizational – Issues relevant to every aspect of an organization (e.g. acceptable use policy).

Issue-Specific – Specific service, department, function, etc.

System-Specific – Individual systems or types of systems (e.g. hardware/software).


Roles vs. Individuals

Defining roles and groups for cybersecurity policies is preferable to specifying individuals.

Assign individuals to roles and groups separately.


Acceptable Use Policy

An acceptable use policy is specifically designed to assign security roles within the organization and to apply security-related responsibilities regarding acceptable use to those roles.


Group Activity #1

Individual – Refer to the lessons learned in our true story. Pick the most important two for your organization, or add your own (2 minutes):

– Maintain accurate inventories of all cyber assets & configurations

– Control and verify installations and configurations/upgrades

– Institute AAA controls

– Limit and control Internet connectivity for all cyber assets

– Provide awareness and training to personnel and contractors

– Re-evaluate processes and test everything… often

Table Discussion – Identify the top 3 lessons learned for the table and write a short policy to implement them (5 minutes)

Group Sharing – Share your policy and explain your choices


Analogy: Getting the kids in bed

Compliance Tasks:

• Get pj’s on

• Go to the Bathroom

• Get in Bed

Comprehensive Tasks:

• Take a bath

• Comb your hair

• Put lotion on

• Get pj’s on

• Go to the Bathroom

• Brush your teeth

• Read a story

• Sing a song

• Snuggles/hugs/kisses

• Get in Bed


Check-In

• Policy Program

• Policy Categories

• Policy Types

• Policy Elements

• Policy Frameworks


Policy Elements

Beginning

• Purpose

• Scope

• Objectives

• Roles and Responsibilities

Middle

• Information Classification

• Access Management

• Network Management

• Vendor Management

• Awareness & Training

• Incident Management

End

• Audit/Test

• Disciplinary Action

• References

• Version History


Beginning

Purpose

– What’s the intent?

Scope

– What is included?

Objectives

– What are you hoping to accomplish?

Roles and Responsibilities

– Who is responsible for what?


Middle

Information Classification

– What information is most confidential and needs more protecting?

Access Management

– How will those who need the information obtain access?

Network Security

– How will you safeguard your network to ensure that only those who need to be in are granted access?

Vendor Management

– Are you going to use third-party vendors? How will you ensure the work is completed well?

Awareness & Training

– How will individuals be trained for their responsibilities?

Incident Management

– How will you handle a security incident?


End

Audit/Test

– How will you verify the policy is being followed?

Disciplinary Action

– What will happen when the policy is not followed?

References

– What other resources need to be referenced?

Version History

– How has the policy changed over time?


CIP-003-6

• High and medium impact BCS:

– Personnel and training

– Electronic Security Perimeters including Interactive Remote Access

– Physical security of BCS

– System security management

– Incident reporting and response planning

– Recovery plans for BCS

– Configuration change management and vulnerability assessments

– Information protection

– Declaring and responding to CECs

• Low impact BCS:

– Cybersecurity awareness

– Physical security controls*

– Electronic access controls for LERC and Dial-up*

– Cybersecurity Incident response

* Implementation by 01/01/2020


Group Activity #2

Instructions: Refer to Handout

Goal: Discussion Surrounding Cybersecurity Policy Elements.

1. Individual (5 min)

2. Table Discussion (10 min)

3. Group Sharing (5 min)


Ingredients

• Cybersecurity Policy

• Tools

• Training

• Knowledge


Security Frameworks

Information Technology Infrastructure Library (ITIL)

– Agency, UK government (Axelos)

National Institute of Standards and Technology (NIST)

– Agency, US government (Dept. of Commerce)

International Organization for Standardization (ISO; 27000 series)

– NGO, Geneva, Switzerland

Control Objectives for Information and Related Technology (COBIT)

– Nonprofit professional association, ISACA


NIST

May 2017 Executive Order 13800:

(ii) Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.


Credit: N. Hanacek/NIST


Review

• Security Goals and Objectives: CIA Pyramid

• Cyber Security Program Overview: Policy Pyramid

• Cyber Security Policies

  – Categories, Types, Examples

• Group Activity #1: Takeaways

• Security Policy Elements

  – CIP-003-6

• Group Activity #2: Elements

• Security Frameworks

  – NIST


Questions?


John Graminski, Tyler Whiting

[email protected]


Assignment

Your Assignment: Take these concepts back to your organization and use them to increase your security posture.

Benefit: An effective cybersecurity program, built on the foundation of a comprehensive cybersecurity policy, will help prevent malicious attacks.


References

• True Story: NERC Lessons Learned (LL20180701): https://www.nerc.com/pa/rrm/ea/Lessons%20Learned%20Document%20Library/LL20180701_Risk_of_Internet_Accessible_Cyber_Assets.pdf

• Hacker.jpg (graphic): https://nationalpost.com/news/world/after-three-baltic-countries-agree-to-disconnect-power-grids-from-russia-the-cyber-hackers-arrive

• CyberLock.jpg (graphic): https://www.bing.com/images/search?view=detailV2&ccid=vlfkqC1Z&id=9C2C77ADCB072C2C7009A293A726BC052E6D8D22&thid=OIP.vlfkqC1ZKgLcd9xqcqbEbQHaGE&mediaurl=https%3A%2F%2Fthumbs.dreamstime.com%2Fz%2Fcyber-security-21239657.jpg&exph=1065&expw=1300&q=Copyright+Free+Cyber+Security&simid=608056290957853785&selectedindex=1&ajaxhist=0&vt=DetailL2View&eim=1,2,6&sim=1

• CIA Triad: https://www.techrepublic.com/blog/it-security/the-cia-triad/

• Security policies and procedures: https://www.ok.gov/cio/documents/InfoSecPPG.pdf

• NIST.png (graphic): https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework

• Exec. Order No. 13800, 3 C.F.R. (2017). “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, Section 1(c)(ii).

• CIP-003-6 — Cyber Security — Security Management Controls, https://www.nerc.com/_layouts/15/PrintStandard.aspx?standardnumber=CIP-003-6&title=Cyber Security -Security Management Controls&jurisdiction=United States, § B: Requirements and Measures R1, R2 (2016).

• Kostadinov, D. (2018, February 6). Key Elements of an Information Security Policy. Retrieved September 26, 2018, from https://resources.infosecinstitute.com/key-elements-information-security-policy/#gref
