Embed Size (px)
Citation preview
Security Guidelines Working Group Update
CIPC MeetingPhoenix, AZ
Mar 16, 2006
Seiki Harada
SGWG Chair
CIPC Confidentiality: Public Release
Foil 2SGWG
Discussion Items 1. SGWG Roster
2. Change to the Guideline Preamble
3. 2006 Prioritization of the Guideline Updates
4. Regular Review Cycle for All Security Guidelines
5. Content Review of Guidelines by SGWG
6. Guideline Directions
Foil 3SGWG
Fragile Truce
Men
tal S
tate
CIP 1200 In Effect
Flu Pandemic
PDD 63
Osama Done In!
CIPC Maturity Cycle
FERC NOPRon SMD
Security StandardsIterations
Methodologies
CI FundingERO Implementaion
Asset Classification
ICCP Vulnerability
Fools Euphoria
Trough of Dispair
Slope of Enlightenment
State of PermanentAnnoyance
Pure Innocence
Stages
SCADA VendorPromises
CIPC Full Committee Status
CIPAGEstablished
Vendor Delivery
Foil 4SGWG
SGWG Roster:
As of March 10, 2006, the SGWG comprises:
1. Scott McCoy (Physical)
2. Scott Webber (Physical)
3. Bruce Metruck (Physical)
4. Mike Paszynsky (Physical)
5. Larry Bugh (Cyber)
6. Joe Doetzl (Cyber)
7. David Baumken (Cyber)
8. Roger Lampila (Operations)
9. Tom Kropp (Research Institutions)
10. Ken Hall (Research Institutions)
Foil 5SGWG
Changes to the Preamble
A suggestion was made by a NERC legal staff to adopt the following:
“This document addresses potential risks that can apply to some electricity sector organizations and provides practices that can help mitigate the risks. Each organization decides for itself the risks it can accept and the practices it deems appropriate to manage its risks. “
Foil 6SGWG
Prioritization of Guideline Updates:
1. Of the 18 Security Guidelines, 14 were assessed as needing updates.
2. The remainder, 4, are recent ones and deemed acceptable.
3. It is not reasonable to expect various working groups to re-draft all 14 of them and put through CIPC approvals in one year (9 months now!).
4. SGWG recommends 7 updates this year and 7 next year
(refer to the SGWG Reference Document No.1)
Foil 7SGWG
Criteria for Prioritization:
1. Synchronization with, or in support of, the permanent cyber security guidelines
2. Importance/relevance of the subject matter today
3. How 'off' or 'dated' the content is
4. Subsumed by any new guidelines ( e.g., elimination candidates)?
Foil 8SGWG
Prioritization of Guideline Updates:
Recommended Updates for 2006:
SG001 Vulnerability and Risk Assessment
SG002 Emergency Plans
SG003 Continuity of Business Processes
SG005 Physical Security
SG006 Cyber Security – Risk Management
SG007 Cyber Security – Access Controls
SG018 Threat Alert System and Cyber Response
Foil 9SGWG
Prioritization of Guideline Updates:
Recommended Updates for 2007:
SG004 Communications
SG008 Cyber Security – IT Firewalls
SG009 Cyber Security – Intrusion Detection
SG010 Employment Background Screening
SG011 Protecting Potentially Sensitive Information
SG012 Securing Remote Access to Electronic CPS
SG014 Threat and Incident Reporting
Foil 10SGWG
Guideline Updates – Further Recommendations:
1. The CIPC Executive Committee assign an ‘owning’ working group for each security guideline.
2. The ‘owning’ working group will accommodate identified updates in their 2006/2007 work schedule.
3. NERC CIPC support staff will follow up with respective working group re the timing of completion and CIPC reviews
Foil 11SGWG
Regular Guideline Reviews:
1. Today, there is no fixed schedule for reviewing existing guidelines.
2. The Cyber Security Standard (CIP 003) asks for an annual review of policies.
3. SGWG Recommendation:
• Complete the identified updates for 2006 and 2007
• After that, schedule reviews of the guidelines every two years or when there is a watershed event in the subject area. These bi-annual reviews may not necessarily result in updates.
Foil 12SGWG
Content Review of Security Guidelines:
Background:
1. Comments were made that SGWG should stay away from reviewing guideline contents.
2. The SGWG Terms of Reference states, in part:
“review existing CIPC guidelines, and other electric and non-electric industry reference material, for currency and relevance”.
Foil 13SGWG
Content Review of Security Guidelines:
What the SGWG guideline reviews entail today:
1. Consistency and compatibility with security standards and other security guidelines
2. Consistency of parts within a specific guideline
3. Currency and relevance to the current threats/industry practices (e.g., against IEEE, ISO, NIST, ANSI, CSA, etc)
Foil 14SGWG
Content Review of Security Guidelines:
Recommendation:
1. SGWG will review ‘content’ only in the sense of the above consistency checks – not in value judgement.
2. SGWG will provide timely comments to the ‘Owning’ working group.
3. The ‘owning’ working group will consider the comments provided. They are not obliged to accommodate all comments.
Foil 15SGWG
Guideline Directions:
1. Most new guidelines come from Working Groups or Task forces/Teams.
2. SGWG may from time identify the area where a new security guideline is appropriate.
3. The CIPC will have the final say in the generation of a new (or the elimination of an existing) security guidelines.
Foil 16SGWG
Thank you!
1. Thank you for working with me for the past two years. It has been a challenge and pleasure at the same time.
2. Please support Scott McCoy in the coming years!
