March 23, 2015 Missouri Public Service Commission | Jefferson City, MO.

Slides:

Advertisements

Similar presentations

Museum Presentation Intermuseum Conservation Association.

Advertisements

Homeland Security at the FCC July 10, FCCs Homeland Security Focus Interagency Partnerships Industry Partnerships Infrastructure Protection Communications.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

HOW TO AVOID HAVING SENSITIVE DISASTER RECOVERY INFORMATION RELEASED UNDER PIA By Ryan Henry Law Offices of Ryan Henry, PLLC 1380 Pantheon Way, Suite 215.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Capability Cliff Notes Series PHEP Capability 5—Fatality Management What Is It And How Will We Measure It?

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

STOP.THINK.CONNECT™ NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION.

WebCast 5 May 2003 NERC Cyber Security Standard Overview of Proposed Cyber Security Standard.

NRC Cyber Security Regulatory Program Development Background ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014November.

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.

National Space-Based Positioning, Navigation, and Timing (PNT) Federal Advisory Board DHS Challenges & Opportunities Captain Curtis Dubay, P.E. Department.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

SMART GRID: Privacy Awareness and Training – A Starting Point for Utilities October 2011 SGIP-CSWG Privacy Group 1.

SMART GRID: Privacy Awareness and Training – for PUCs/PSCs A Starting Point December 2011 SGIP-CSWG Privacy Group 1 DRAFT.

Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

GOP and QSE Relationship Jeff Whitmer Manager, Compliance Assessments Talk with Texas RE June 25, 2012.

IAEA International Atomic Energy Agency International Cooperation in Nuclear Security David Ek Office of Nuclear Security.

Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Preparing for Disasters General Liability. Introduction  The one coverage that provides you and your business the most protection is General Liability.

Sandra C Security Advisor Energy Dan B Security Advisor Water

Database Administration

Capability Cliff Notes Series PHEP Capability 5—Fatality Management What Is It And How Will We Measure It? For sound, click on the megaphone and then.

Role for Electric Sector in Critical Infrastructure Protection R&D Presented to NERC CIPC Washington D.C. June 9, 2005 Bill Muston Public Release.

Privacy and Confidentiality. Definitions n Privacy - having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally,

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

2011 East African Internet Governance Forum (EA – IGF) Rwanda Cyber briefing: Positive steps and challenges Didier Nkurikiyimfura IT Security Division.

Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.

WebCast 5 May 2003 Proposed NERC Cyber Security Standard Presentation to IT Standing Committee Stuart Brindley, IMO May 26, 2003.

℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.

Information Asset Classification Community of Practicerev. 10/24/2007 Information Asset Classification What it means to employees.

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test.

The Internet of Things and Consumer Protection

SCHOOLS FINANCE OFFICERS MEETINGS Records Management, “Paper-Lite” Environments and Procedures when a school closes Elizabeth Barber.

International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.

1 1 Cybersecurity : Optimal Approach for PSAPs FCC Task Force on Optimal PSAP Architecture Working Group 1 Final Report December 10 th, 2015.

INTRODUCTION TO DATA PROTECTION An overview of the Irish Data Protection legislation.

Chap 8: Administering Security.  Security is a combination Technical – covered in chap 1 Administrative Physical controls SE571 Security in Computing.

Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.

Erman Taşkın. Information security aspects of business continuity management Objective: To counteract interruptions to business activities and to protect.

February,  On October 23, 2015 the Commodity Futures Trading Commission (“CFTC”)approved National Futures Association’s (“NFA”) interpretive notice.

SEE-GRID The SEE-GRID initiative is co-funded by the European Commission under the FP6 Research Infrastructures contract no SEE-GRID.

Homeland Security, First Edition © 2012 Pearson Education, Inc. All rights reserved. Overview of National Infrastructure Protection CHAPTER 3.

Sicherheitsaspekte beim Betrieb von IT-Systemen Christian Leichtfried, BDE Smart Energy IBM Austria December 2011.

Information Security tools for records managers Frank Rankin.

Data protection—training materials [Name and details of speaker]

Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey.

Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.

Kansas City Power & Light and KCP&L Greater Missouri Operations – Suggestions for Chapter 22 Revisions Missouri Public Service Commission Meeting Aug 31,

Models of Security Management Matt Cupp. Overview What is Security Management? What is Security Management? ISO/IEC ISO/IEC NIST Special Publication.

Cyber Insurance Risk Transfer Alternatives Heather Soronen - Operations Director Rocky Mountain Insurance Information Association.

Handling Personal Data & Security of Information Paula Trim, Information Officer, Children’s Strategic Services, Mon – Thurs 9:15-2:15.

Cyber Security Phillip Davies Head of Content, Cyber and Investigations.

Cyber Insurance Risk Transfer Alternatives

Iowa Communications Alliance

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance

Team 1 – Incident Response

BUILDING A PRIVACY AND SECURITY PROGRAM FOR YOUR NON-PROFIT

I have many checklists: how do I get started with cyber security?

8 Building Blocks of National Cyber Strategies

Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.

Cybersecurity ATD technical

Presentation transcript:

March 23, 2015 Missouri Public Service Commission | Jefferson City, MO

Missouri Public Service Commission  Electric utilities responded to a series of questions regarding cybersecurity efforts.  On-the-Record Proceeding.  Staff report summarizing utility efforts and responses and providing recommendations.  Order Regarding Staff Recommendation and Motion for A Waiver or Variance.

Missouri Public Service Commission  Stakeholders formulate informal reporting schedule;  Electric utilities provide information to designated Staff no less than annually;  No notifications or reports concerning the matters shall be made in documentary form (no physical, digital or electronic reports produced or filed; no information provided to Staff transmitted electronically or shared with any other entity);  Information only reported through in-person communications (no telephone, IVoIP, text message, cellular or satellite transmission, video transmission);  Designated Staff shall not convert or reproduce any company- specific information to documentary form;  Designated Staff shall not transmit or relay any information it receives to the Commission in any physical, digital or electronic format, or any communication other than orally…unless ordered by the Commission.

 Physical distribution and transmission grids, substations and offices;  Hardware, software, data and networks that use data;  Equipment and systems that communicate, store and act on data;  Utility-owned systems;  Aspects of customer and third party components that interact with the utility- owned systems.

 Section RSMo - Safe and adequate service.  Section RSMo - General powers of the Commission – gas, water, electricity, and sewer services.  Section RSMo – Notice to consumer for breach of security  4 CSR – Reporting requirements for electric utilities and rural electric cooperatives. Reporting of certain events to inform the commission of developments that may affect the rendering of safe and adequate service and to enable the commission to thoroughly investigate certain accidents and events.  4 CSR – Requirements and procedures for reporting certain gas- related incidents and safety-related conditions applicable to gas systems subject to safety jurisdiction of commission.  4 CSR – Sewer utility safety measures and procedures for reporting accidents.  Informal process for electric and natural gas incidents that do not meet reporting requirements, but may receive press coverage or include details to which the Commission and Staff should be made aware.  Reporting requirements identified in File No. EW

 Framework Core ◦ Identify – Identify most critical intellectual property and assets; ◦ Protect – Develop and implement procedures to protect critical property and assets; ◦ Detect – Have resources in place to timely identify a breach; ◦ Respond – Have procedures in place to respond; ◦ Recover.

 Critical Asset Identification  Security Management Controls  Personnel Training  Electronic Security Perimeter(s)  Physical Security of Critical Cyber Assets  Physical Security of BES Cyber Systems  Systems Security management  Incident Reporting and Response Planning  Recovery Plans for Critical Cyber Assets  Recovery Plans for BES Cyber Systems  Configuration Change Management and Vulnerability Assessments  Information Protection

 The line between knowing enough to determine that a utility’s actions are prudent and knowing so much that the information held by the Commission can pose a risk is a line that commissions should walk carefully. In cybersecurity, the information itself is sometimes the asset worth stealing. To address this issue, States may wish to consider establishing a critical infrastructure information policy. This policy would govern not only the type of information the commission could take possession of (or refuse to take possession of), but also under what circumstances, as well as which access, handling and storage protocols would govern that data.  Sunshine laws – Ensure that sensitive information is not gathered in a context which would enable it to be publicly accessible. ◦ Many states have good cybersecurity exemption rules that properly address utility sectors and associated processes while providing automatic protection of information related to cybersecurity. ◦ State agencies can develop and communicate their non‐disclosure procedures and, where appropriate, may want to consider stronger protections for cybersecurity information than for commercially sensitive information.  Commissions should carefully consider whether they need information before asking for it, because even if they can keep it out of the public record and exclude it from Sunshine request, it may still be vulnerable to cyber attack.

 Should reporting be limited to cybersecurity or include physical infrastructure security?  Who should be requested/required to report information related to cybersecurity/physical infrastructure threats?  Electric utilities  Natural gas utilities  Water/Sewer utilities  What information should be reported to the Commission/Staff?  Identify – Most critical intellectual property and assets;  Protect – Describe procedures to protect critical assets;  Detect – Describe resources to timely identify a breach;  Respond – Describe procedures to respond; and  Recover – Describe procedures to recover.  How should the information be presented to the Commission/Staff?