CERM® – Cyber Security™

Format: 1 to 2 days 

Abstract
The common factor across all 18 CIPS is cyber security. Each sector must deal with IT controls and industrial control systems. This is the first workshop in CERM – Cyber Security. Ed Perkins is the chair and project manager of this initiative.

A major focus of the Electricity Subsector is cybersecurity – the ability to protect or defend the use of interdependent networks of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers from an attack targeting an enterprise for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets.

NIST 800 refers to a series of NIST Special Publications of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA). Several NIST 800 guidelines are applicable to electric utilities for NERC CIP compliance [SP800-18, -30, -37, -53, -59, -60, -82, and -98] (see http://csrc.nist.gov/publications/PubsSPs.html). The US Department of Energy (DoE) has released an “Electricity Subsector Risk Management Process” (RMP), based on the NIST 800 series, and has announced what it calls an “Electric Sector Cybersecurity Risk Management Maturity” project that will let utility companies and grid operators measure their current capabilities and analyze gaps in their cyber defenses.

This course will cover the regulatory and business drivers for grid cybersecurity, provide a basic overview of cybersecurity systems targeted to the electric utility industry, and address the organizational issues in creating a stable and predictable cybersecurity system. Participants will learn how to apply the DoE “Electricity Subsector Risk Management Process” (RMP) and the “Electricity Subsector Cybersecurity Capability Maturity Model” (ES-C2M2) to the NERC critical infrastructure protection requirements (NERC CIP).

Learning Objectives
Participants will learn the basic cybersecurity domains, the design principles for a cybersecurity system, cybersecurity capability maturity concepts, and how to apply the DoE Electricity Subsector Risk Management Process (RMP) to implement and manage cybersecurity practices for the risk associated with the operation and use of information technology and operational technology in the electricity subsector.

Prerequisites
Participants should be familiar with Enterprise Risk Management (ERM) principles (CERM® certification preferred) and with the electricity subsector critical infrastructure protection requirements (NERC CIP). Working knowledge of information security principles, the DoE Electricity Subsector Risk Management Process (RMP), and the DoE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) is recommended but not required.

Modules

  • Cybersecurity Domains
  • Federal information security legislation
  • DHS NIPP, FISMA, NIST 800 specifications
  • CIP, NERC CIP
  • Basic Cybersecurity concepts: “CIA” – Confidentiality, Integrity, Availability
  • Review of Risk Management concepts, ERM
  • DoE CMM ES-C2M2
  • DoE Electricity Subsector Risk Management Process (RMP) – “Three Tiers” Model
  • Culture, Key concepts, Risk framing, assessment, response, monitoring
  • Exercises
  • Exam