Drew Payne, CISA Corporate Security Senior Manager


1 Title slide
Oregon Public Utility Commission - Cyber Security Workshop, June 28, 2018
Drew Payne, CISA, Corporate Security Senior Manager
CONFIDENTIAL

2 Planning – Policies and Standards
- Corporate Security Policy
- Business Continuity & Disaster Recovery Standard
- Business Continuity Program
- Identity Theft Prevention Program
- Cyber Security Controls Standard
- Cyber Security Controls Standard Manual
- Cyber Security Incident Response Standard
- Cyber Security Incident Response Plan
- Physical Event Reporting Standard
- Physical Access Standard
- Physical Security Program

Speaker notes: IPC has a corporate security policy to oversee and respond to security-related issues arising in day-to-day operations. This policy requires the development of written standards and a training and awareness program.

3 Planning – Auditing

Audit Services – Idaho Power:
- Operational Audits: determined based on the annual risk assessment process; approved by the Audit Committee of the Board of Directors
- Sarbanes-Oxley (SOX) Audits: completed annually
- Critical Infrastructure Protection (CIP) Audits: requested by the Regulatory Compliance group based on risk assessment

WECC:
- WECC audits completed every 3 years

Audit list:
- Operational: Disaster Recovery Follow-Up; Desktop, Laptop, and Mobile Device Security: Boardvantage; Outage Management System: System Implementation; Desktop, Laptop, and Mobile Device Security: GOOD; Application Primary Service Level Accounts and MV90 App Controls; Network Administration and Security; IT Software License Guidelines Follow Up; Records Management and Document Services; Corporate Security Program; HIPAA; HRIS AssetSuite/PeopleSoft Application Controls; SAP Application Controls; IT Software License Guidelines; Network Administration and Security; Records Management and Document Services; Disaster Recovery
- SOX: ITSS, ITCM, ITCH, ITMO
- CIP: review completed in 2017; WECC audit 2018

4 Planning – DHS Interaction
Information received from:
- ICS-CERT
- US-CERT
- HSIN (Homeland Security Information Network)

Collaboration:
- Office of Infrastructure Protection
- Office of Intelligence and Analysis
- Two IPC employees have security clearances for classified briefings

Speaker notes: IPC receives information from DHS via ICS-CERT, US-CERT, and HSIN (Homeland Security Information Network). We have partnerships with the Office of Infrastructure Protection and the Office of Intelligence and Analysis (Fusion Centers). Two individuals in the organization have clearances for classified briefings.

5 Planning – Cyber Security Incident Response Plan (CSIRP)
- CSIRP is reviewed and updated annually, and in the interim as necessary
- CSIRP is exercised annually (at a minimum)
- Testing typically involves other groups within IPC

6 Response & Recovery – CSIRP
- CSIRP includes roles and responsibilities
- Cyber Security Incident Response Team (CSIRT) includes:
  - Technologists
  - Management (Middle and Executive)
  - Legal
  - Corporate Communications
  - Human Resources
  - Compliance
  - Finance
  - Government Entities (FBI, DHS, etc.)
- A CSIRT Lead is responsible for overseeing cyber security incident activities
- IPC is a member of the EEI's Cyber Mutual Assistance Program

7 Standards – CIP Compliance
- Programs, standards, and policies & procedures are in place across IPC for the various CIP requirements to maintain compliance
- The Regulatory Compliance group oversees the program and compliance monitoring/reporting
- IPC has a strong culture of compliance (noted by WECC, FERC, and other regulatory agencies)
- Internal reviews and assessments, along with external audits by WECC, provide a compliance verification method

8 Standards – Cyber Security Implementation Prioritization
Cyber Security Risk Assessment:
- Threats are evaluated against likelihood of occurrence and impact to the organization, taking into consideration IPC controls (policies, procedures, tools, etc.) to determine residual risk
- IPC reviews proposed tools and processes to identify whether appropriate risk reduction would be obtained with implementation

Ongoing Optimization:
- IPC technologists review tools and processes to ensure:
  - Performance is at optimal levels
  - Tools/systems are capable of adjusting to the changing threat landscape

9 Standards – Cyber Security Framework
- Cyber Security utilizes the NIST SP framework as a foundation
- Standards are tailored to IPC based upon applicable NIST requirements

10 Reporting – Incident Reporting
Incidents with potential impact to the bulk electric power system:
- The Department of Energy (DOE) specifies reporting requirements to both the DOE and the Electricity Information Sharing and Analysis Center (E-ISAC)

Other incident types (HIPAA, PII, etc.):
- IPC's CSIRP contains a methodology to determine the type of incident and its severity
- This methodology, along with regulatory requirements and sound business practices, informs when there is a need to report

11 Partnerships – Information Sharing
Current Information Monitoring/Sharing:
- Industry Organizations (E-ISAC, EEI, WEI, WECC, and others)
- Idaho Fusion Center (DHS)
- InfraGard (FBI)
- NERC/FERC
- Security Research
- Other Utilities
- ICS/US-CERT
- Vendors

Conferences:
- Academic Conferences (e.g. IEEE, ASIS, RSA, etc.)
- Industry Conferences (e.g. Energy Sec Summit, GridSec Con, etc.)
- Practitioner Conferences (e.g. DEFCON, etc.)

Joint Exercises:
- INL "Advanced SCADA Security Red/Blue Team"
- NERC GridEx

12 Procurement Practices – Procurement Security Language
Contract Security Language:
- Standard security language has been developed that addresses a breadth of security concerns (breach reporting, vulnerability and patch management programs, etc.)
- Seek to obtain third-party indemnification when possible
- Language is customized based on the product or service being acquired
- Business unit, Legal, Contracting, and Cyber Security determine acceptable risks based on the inability of a vendor/contractor to meet requirements

13 Procurement Practices – Background Checks
- Personal Risk Assessments (PRAs), which include a background check, are required for all individuals (employee/contractor/vendor/etc.) prior to gaining unescorted physical or electronic access
- Criteria are defined for what is acceptable and what requires an adjudication process to occur

14 Procurement Practices – Cyber Security Personnel
- The Cyber Security department consists of a manager and seven security specialists
- This group is charged with setting policy and standards, consulting on technology projects, monitoring/maintaining security tools, and incident response

15 Procurement Practices – Other Security Practitioners
IT Infrastructure:
- Corporate Active Directory
- Firewalls
- Port Security
- Privileged Access Management

Integrated Operations Center (IOC):
- Performs initial security alert monitoring and triage on some alerts

Energy Management System (EMS) Analysts:
- Monitor/maintain security tools and controls for the EMS system

System Protection:
- Manages the security tools and controls for the system protection and apparatus groups

16 Risk Management – Risk Assessment
- IPC performs a risk assessment utilizing the NIST threat list as a basis
- The risk assessment is reviewed by a broad group as needed and at least annually
- Included in the review is the impact (consequence) of the threat and its likelihood

17 Risk Management – Vulnerability Assessments
- Baseline requirements for operating systems, monitored by Cyber Security
- System Security Plans required for major upgrades to existing systems/applications and for all new purchases
- Internal Red Team / Blue Team exercises (ad hoc)
- External assessments by third parties are managed by Audit Services with consultation from Cyber Security and Legal

18 Effectiveness – Cyber Security Policy
Several methods provide feedback on the effectiveness of our program:
- Risk Assessment Process
- Internal Exercises
- Phishing Awareness Program
- Legal Review
- Audit Services Assessments: Operational, SOX, CIP
- Third Party Assessments: Vulnerability Assessments; FERC-OEIS/DHS Architecture Review; WECC

19 Effectiveness – Program Improvement
- The Risk Assessment provides visibility into threats that are at an unacceptable level of risk
- Business cases are developed to show the value of changing particular systems or processes and the resulting reduction of risk
- New risks/threats emerge daily
- Resource limitations; O&M cost intensive
