Q+E 2013 Cyber Security Webinar Series

A series of six sessions broadcast which will be of special interest to PUDs (Public Utility Districts) and smaller utilities that do not have IT departments with experience in implementing a cybersecurity system.

This series will cover the regulatory and business drivers for grid cybersecurity and provide a basic tutorial on cybersecurity systems based on the ‘NIST 800’ specifications targeted to the electric utility industry. The series will emphasize how utilities subject to NERC requirements can architect, design, and deploy internal control frameworks that comply with FERC guidance and are based on DOE guidelines. It will then cover the basic structure of a cybersecurity program, its implementation, and case studies in program operation and maintenance, and will conclude with a discussion of process approaches to ensure achievement of a mature and compliant cyber security program in your organization. It will also discuss the DOE Roadmap and the newly proposed Cybersecurity Risk Management process.

Security of the US electric grid is a critical priority. Our economy is so dependent upon electricity that if the power should fail most of modern life would grind to a halt. In recognition of this, the electric grid has been declared one of the key Critical Infrastructures (CI) by the Executive Branch, and FERC (Federal Energy Regulatory Commission) is the independent regulatory agency responsible for its protection. The progress in securing the electric grid is of keen interest to Congress, and legislation is often proposed to tighten security requirements and speed up implementation of security programs.

FERC has designated the North American Electric Reliability Corporation (NERC) as the “Electric Reliability Organization” required to develop and enforce compliance with mandatory grid reliability standards and protection. NERC has developed a set of standards for electric system (grid) Critical Infrastructure Protection (CIP). These specify a comprehensive computer, controls and network (cyber) security system. Each entity and electric utility, large or small, involved with the grid must develop and implement a cyber security program for NERC CIP compliance.

The National Institute of Standards and Technology (NIST) is designated by the Federal government to develop specifications for cyber security. NIST 800 refers to a series of NIST Special Publications of information security standards and guidelines developed in response to the Federal Information Security Management Act (FISMA)*. Several NIST 800 guidelines are applicable to the electric utilities for NERC CIP compliance [SP800-18, -30, -37, -53, -59, -60, -82, and -98] (see http://csrc.nist.gov/publications/PubsSPs.html).

It is likely that FERC will require additional risk management for compliance which will reference these guidelines. The US Department of Energy (DOE) very recently announced what it calls an “Electric Sector Cybersecurity Risk Management Maturity” project that will let utility companies and grid operators measure their current capabilities and analyze gaps in their cyber defenses. Thus it is useful to understand the eight NIST specifications applicable to the electric system as a basis for understanding cybersecurity systems.

[*The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets.]

Who should attend:

  • Anyone interested in understanding cybersecurity as applied to critical infrastructure.
  • Anyone in a NERC CIP Compliance-related role.
  • Anyone with interest in understanding enterprise information security and learning how to integrate the information security function into the business.

Series Prerequisites:

  • Familiarity with critical infrastructure protection requirements such as the NERC CIP V3 and V5 standards.
  • Familiarity with real-time controls systems and SCADA would be beneficial.

1) Cyber Security in the Electricity Sector… You Can Get There From Here
This session will discuss history of the development and implementation of the NERC Critical Infrastructure Protection (CIP) cyber security standards, the continuing evolution of those standards, and what it means to NERC-registered entities in the electricity sector. Specifically:

  • The genesis of the CIP standards
  • Compliance trends of the CIP standards
  • Current challenges to complying with the CIP standards
  • What’s next… Version 4 and Version 5 overview

Attendees will learn the background history of the CIP standards and gain insight into what is required to comply with the current and evolving CIP standards.

2) Getting started with NIST 800 series for NERC CIP applications
This session will cover those NIST 800 series specifications applicable to the reliability of the Bulk Electric System and its operational cyber security [e.g. SP800-18, -30, -37, -53, -59, -60, -82, and -98]. The NIST standards cover an array of topics:

800-18 “Guide for Developing Security Plans for Federal Information Systems”
800-30 “Guide for Conducting Risk Assessments”
800-37 “Guide for Applying the Risk Management Framework to Federal Information Systems”
800-53 “Recommended Security Controls for Federal Information Systems and Organizations”
800-53A “Guide for Assessing the Security Controls in Federal Information Systems”
800-59 “Guideline for Identifying an Information System as a National Security System”
800-60 Vol. I “Guide for Mapping Types of Information and Information Systems to Security Categories”
800-60 Vol. II “Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories”
800-82 “Guide to Industrial Control Systems (ICS) Security”
800-98 “Guidelines for Securing Radio Frequency Identification (RFID) Systems”

The session will:

  • Cover the Target Audience, Purpose and Scope, and Relationship to Other Documents.
  • Focus on the order in which the standards should be addressed.

3) Design of a Cyber Security Program
This session will cover the essential components of a cyber security program at the enterprise, process and workflow levels. Essential components include Risk Assessment, Development of Security Plans, Applying a Risk Management Framework, Implementing and Assessing Security Controls, Monitoring and Cyber Incident Response, and Compliance.

4) Developing a NERC Critical Infrastructure Protection Program
This session will discuss developing and implementing an enterprise-wide NERC CIP Program that leverages elements of the NIST Risk Management Framework, ISO 27001, and NIST 800-82 “Guide to Industrial Control Systems Security”. Specifically:

  • Implementing a Program Hybrid Organizational Model
  • Building a Cross-Functional Cyber Security Team
  • Maintaining Compliance through Continuous Monitoring
  • Policies and Procedures
  • Achieving Operational Excellence

Attendees will learn about: organizational models used for cyber security; the basic functions of a cyber security team; the application of monitoring to ensure compliance; and the role of policies and procedures in a protection program.

5) Maintaining a Cyber Security Program: DOE’s Risk Management Cybersecurity Maturity Project
This session will describe the US DOE’s Roadmap (Roadmap to Achieve Energy Delivery Systems Cybersecurity) to building a secure energy infrastructure and the new Cybersecurity Risk Management Maturity program, and the expected impact on the Electric Utility Sector.

6) Leading Information Security – Operating at the Intersection of the Business and Information Security
This session will discuss leading the information security function as it helps the enterprise meet its information security needs, and how to properly align information security with the business’ objectives. It will discuss the various information security management responsibilities, including advocating the information security function, advising the business of its responsibilities, acquiring the resources necessary to execute an effective information security program, and overseeing its proper operation.

Attendees will learn how to lead, resource, and demonstrate the value contribution of information security to the enterprise.