OEB Cyber Security Framework


Transcript of OEB Cyber Security Framework

Page 1: OEB Cyber Security Framework

Presenter: OEB | Andres Mand, Regulations | Consumer Protection & Industry Performance
Presenter: AESI Inc. | Doug Westlund, VP Strategic Planning & Implementation Svcs

Protecting Privacy of Personal Information and the Reliable Operation of the Smart Grid in Ontario Developing A Cyber Security Framework

EDIST - January 19, 2017

Page 2: OEB Cyber Security Framework

Agenda


1. Introduction: Issue – Solution Direction

2. OEB Mandate, Policy and Plan

3. Building a Regulatory Cyber Security and Privacy Framework

Presenter
Presentation Notes
Key Message - The "Proposed" Cyber Security Framework needs to be cast as a core element of the solution and a vital component of operations, to get top-of-mind awareness at the board level and to plant the seed on the Attestation Model of Reporting / Enhanced Governance.
Key Themes - This could be used as a precursor introduction of what the OEB wants to accomplish with Phase 1 of the Framework rollout (i.e. "you don't need to be afraid of the NIST model", "we understand your collective concerns", "we (OEB) are actively working with industry experts (i.e. AESI) and the LDC working group/steering committees towards ensuring and validating alignment between the OEB's goal and your needs").
Mitigation - This would help mitigate a potential "stop/stall and wait" approach with respect to cyber security initiatives currently underway in the community. We witnessed this in the Smart Grid space and with NERC CIP-3 adoption, where some early adopters led the charge and most became fence sitters, which slowed progress. The last thing we would want is to slow the pace of adoption and propagation while LDCs take a wait-and-see approach as we land on the Framework.
Core Themes - Tipping Point
Stakeholder Audience - Utilities are on the tipping point of something new; the regulatory landscape is evolving and changing; a DRAFT framework has been issued for comment (reflect and obtain feedback); provide background (process) on the creation of the framework; what we are looking for from the utilities to implement; future state / timeline.
Key Focus Areas / Benefits - NIST Cyber Security Framework; Cyber Security Maturity Model & Common Lexicon & Governance; Strategic Timeline; new/forward-looking challenges in the industry from the utility and association perspective; benefits beyond improved Cyber Security.
Potential Topics to elaborate - Intent of framework, best practices, MDMR (tie in), long-term objectives, key elements of the Framework.
Page 3: OEB Cyber Security Framework

Cyber Security – Utility Attack Surface & Vectors


Diagram (slide 3): attack surface of an LDC and its connections, with the associated risk types.

Attack surface: LDC Corporate Applications and Technology (IT); LDC Operational Applications and Technology (OT); LDC Customers (Residential, Commercial, Industrial); Bulk Electric System (ICCP Connection); Third Party Vendors; Distributed Energy Resources - MicroGrids; TS Connection.

Risk vectors: External Risk, System Risk, Communications Risk, Legacy Risk, Unpatched Risk, Privacy Risk, Insider Risk.

Presenter
Presentation Notes
Discussion Points:
Attack surface - large and small utilities
Degree of automation
Geographic distribution of LDCs
Insider Risks (malware / authorized users)
Unpatched Risks - patching challenges, update cycle
3rd Party Risks - better controls (DERMS/DRMS) - Phase 2 consideration
Page 4: OEB Cyber Security Framework


North American Situation

Unlike the Bulk Electric System, North American regulators do not have a distribution-focused Cyber Security Framework

NERC applies to the Bulk system only

There are many Cyber Security standards and frameworks for critical infrastructure operators in North America

Key Issues:

applicability and making the appropriate selection of any given framework

ease of interpretation, application & implementation in the energy sector

consistent criteria - leading to a common understanding & assessment of Cyber risks and controls

Some Distributor Associations have started to develop user guides

APPA and the NRECA (US distributor associations) represent collaboration opportunities in Cyber Security including awareness for Ontario energy stakeholders

Page 5: OEB Cyber Security Framework


Ontario Issue

Implementation of Smart Grids in Ontario will depend on increases in data collection and communication networks that will accelerate the risk of Cyberattacks, resulting in potential communication disruptions, power outages and breaches of consumer privacy.

Currently, we cannot leverage a Canadian or US cross-sector developed Cyber Security Framework focussed on the distributors and the distribution system. There is no clear consistency of expectations mapping Risks to Cyber Posture.

Cyber Security - Increasing "Risk Exposure"

Presenter
Presentation Notes
Smart Grids: depend on increasing data collection/aggregation, communication networks and local device automated responses, resulting in increasing risk exposure to cyber attacks
Consumer and External Entities: increasing interconnection & interaction with the distribution system
Third Parties: those accessing and interacting with the Distribution & Non-Bulk infrastructure (Operating & Business Networks) have varying degrees of awareness and sophistication in dealing with Cyber Security
Distribution Standards: to date, no cross-sector (Canadian or US) Cyber Security distribution system standards have been developed for the distributors
Transmission Standards: NERC CIP 5/6 applies only to the Bulk Power System
Regulatory Oversight: overlap in proposed Government and current Legislation/Regulations - "Confusion"
Sophistication of cyber attacks
Page 6: OEB Cyber Security Framework

Cyber Security Expectations

Security and Privacy are inextricably linked in Ontario

Security is about protecting and controlling information

Privacy is about recognizing that while LDCs retain physical control of the data, the decisions about how to collect, use and disclose personal information reflect the individual consent and personal preferences of consumers

Security is integral to privacy, because without strong information security measures, privacy breaches will occur

OEB has required Distributors: To ensure personal information is protected, Distributor Licences (section 15) have always included privacy conditions

Incorporate Security Risk mitigation as part of their asset management and distribution system plans


Page 7: OEB Cyber Security Framework


Cyber Security – Consistency of Preparedness

Ontario Solution Development

OEB is moving forward on a Cyber Security Policy and is facilitating the development of a Framework ultimately to be owned and maintained by the sector.

The objective is to ensure the continued protection of Privacy and the Distribution System for Consumers in Ontario's Smart Grid.

Page 8: OEB Cyber Security Framework


Ontario - Policy Objective

Develop a Framework, with Industry partners, that establishes a common approach to Cyber Security:

Increasing consistency by linking risk levels to preparedness and assessments

Supporting tools to guide LDC’s, where needed in development of their Cyber Security posture

Developing a reporting mechanism to support OEB monitoring of the results will be a regulatory requirement

Expecting that the sector assumes ownership of the Framework

Presenter
Presentation Notes
There are no developed distribution Cyber Security standards to rely on, and existing distributors have employed various general standards such as NIST, ISO/IEC 17799-2005, NERC CIP / ISO 27002, ISO 14001, NERC CIP 3, NERC CIP 5, COBIT, SOX (2002), APPA etc. to develop their CS response approaches.
Page 9: OEB Cyber Security Framework

Ontario - Cyber Framework Development

Industry Steering Committee incorporating the EDA, senior LDC leadership, and academics setting objectives

Engagement of a seasoned partnership of consultants familiar with Ontario's Energy Sector, with North American experience across multiple jurisdictions in Cyber Security, privacy and risk assessment / verification

Highly collaborative working group - representing half of Ontario's Electrical and Natural Gas Distributors - fully engaged

Incorporation of practical tools and mechanisms to support the understanding and implementation of the Framework

We will be seeking input on the proposed Framework


Presenter
Presentation Notes
Highly collaborative, iterative approach.
Hydro One and all of Ontario's energy distributors are responsible for managing their cyber-risks. As the energy sector regulator, OEB grants distributors the licence to operate. As part of their licence to operate, all of Ontario's distributors, including Hydro One, are required to confirm they have a cybersecurity plan in place. The OEB is working to further reduce cyber threats and ensure distributors are following rigorous cybersecurity standards. We are currently developing a new Cybersecurity Framework for Ontario's electricity and gas sectors. This new framework is intended to further protect consumers by securing the grid against cyber-attacks to ensure reliable service. Ensuring safe and reliable energy service is an important part of the OEB's mandate to protect customers' interests.
Page 10: OEB Cyber Security Framework

Bottom Line

Ontario is breaking new ground in developing a Framework that is focused on the distribution sector.

Propose a set of benchmark control objectives for different risk levels

Be scalable so that the Cyber maturity aligns with LDC risk

Provide guidance on an evaluation method that can be used by the LDC

Augment the Framework with training, tools and mechanisms to support assessment & implementation

Encourage more sector sharing of Cyber Security Information

Engage third parties (Phase 2) that interact with the distribution system to meet LDC’s Cyber preparedness expectations


What we are presenting is a proposed framework, developed with the Working Group and Expert advice

Page 11: OEB Cyber Security Framework


Framework Intended Outcome

1. Establish an appropriate level of regulatory oversight regarding Cyber Security of the non-bulk Power System that is measureable and reportable;

2. Incorporation of privacy standards requirements, to integrate those efforts with other IT and OT Cyber actions;

3. Guide regulated entities in determining the actions needed to mitigate Cyber risks and threats consistent with their risk level.

Presenter
Presentation Notes
Will discuss this more in a few slides: National Institute of Standards and Technology ("NIST")
Talk to mid-level and small utilities
Focus: CONSISTENCY & RISK LEVEL
Improving the Framework and sector maturity results in an improved CS posture
Page 12: OEB Cyber Security Framework


Framework will also…..

Include a set of assessment methodologies, and outcomes based expectations that align policy, energy system operations, and technological approaches to address Cyber Risks

Provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures, to guide critical infrastructure entities to identify, assess and manage Cyber Risks

Identify areas for improvement to be addressed through future collaboration with the energy sectors, standards-developing organizations, industry associations and government

Framework as proposed leverages:

The National Institute of Standards and Technology ("NIST") Cybersecurity Framework, and incorporates other industry standards and guidelines

Presenter
Presentation Notes
NIST - AUTHORITATIVE REFERENCE
Focus on: Confidentiality - "Protection of Customer Information"; continuity of cyber security requirements between the bulk and non-bulk assets; risk-based approach matching risk and exposure with expected maturity; assessment / audit / verification
Framework Core: cyber security activities and informative references common across the sector and organized around particular outcomes; enables communication of cyber risk across an organization
Framework Profile: aligns industry standards and best practices to the Framework Core; outcome based, supports prioritization and measurement of progress while factoring in other business needs, including cost-effectiveness, maturity and innovation
Establish minimum maturity of all distributors - addresses minimum capability requirements
Required sector participation in security incident identification
Enhanced Governance requirements at each distributor's Board
Staff Training and Awareness
Auditing & Assessment
Establish risk / capability linkages - address the need for increased capabilities for more sophisticated distribution systems
Increased levels of capabilities to identify, protect, detect, respond & recover as the complexity of the distributor's business evolves
Page 13: OEB Cyber Security Framework


Potential Future Regulatory Landscape…

Diagram (slide 13): potential future regulatory landscape.

Actors: Ontario's Provincial Government; Ontario Energy Board (Bulk / Non-Bulk); IESO Bulk System Operator; Industry - Bulk Operators (Tx, OPG...); Industry - Non-Bulk Operators (Utilities); Interprovincial, Federal and Interjurisdictional Standard Setting Agencies; the wider Cyber Security World.

Instruments: Legislation & Regulations, Codes and Licenses; NERC CIP 5++; IESO Bulk Requirements; Distribution Cyber Security Framework; NIST Framework; Cyber Security Information Sharing.

Presenter
Presentation Notes
Complementary Core Competencies - Government agencies possess unique core competencies that complement private-sector strengths.
A Cyber Security Information Exchange represents an opportunity for industry to:
Meet public sector counterparts face to face
Provide a forum for communication of threat briefings
Maintain security contacts in the sector
Gain Incident Response and Security Team access
Reduce barriers to information sharing (anonymized)
Page 14: OEB Cyber Security Framework


Approach & Plan (Multi-Year)

Phase 1 - Develop Framework (OEB Facilitation): Establish a Framework version 1.0 focused on the distributor's capability requirements, expected to be in place by the end of March 2017; implementation timeline TBD. Sector executive steering committee, Distributor working group, expert consultant and significant OEB internal resources.

Phase 2 - Stakeholder Engagement (OEB Facilitation proposed): Critical stakeholder groups, Third Party Service Providers to Distributors (i.e. back office providers) and Generators/Aggregators. Update Framework to version 2.0. Initiate the development of a sector cyber security information process.

Phase 3 - Evaluation: Regulatory communications with other jurisdictions. Lessons learned and improvement; update Framework to version 3.0; cyber security information sharing.

Phase 4 - Enhancements: Sector Guidebook.

Ongoing - Program Collaboration: Collaboration with other critical infrastructure initiatives.

Timeline graphic (slide 14): 2015, 2017, 2019; Implementation.

Page 15: OEB Cyber Security Framework

Phase 1 - Developing the Framework

Focus - Core of the Electricity Sector – LDC’s

Establish a Framework that leverages existing industry standards, but provides flexibility to support LDC adoption

Develop tools to assess the risk exposure of a given LDC

Internal auditing for LDCs to self-assess current state

Create mapping of Cyber controls for ease-of-use and consistency

Establish baseline Cyber postures for various degrees of risk and exposure, aligning effort to risk

Attestation approach to support OEB monitoring to meet OEB Objectives


Presenter
Presentation Notes
Contemplated to meet OEB Objectives:
Establish minimum maturity of all distributors - addresses minimum capability requirements
Required sector participation in security incident identification
Preparedness & sector incident reporting
LDC self-assessment of their risk and maturity against the framework criteria, leading to awareness of their development needs (internal to the LDC)
Establish risk / capability linkages - address the need for increased capabilities for more sophisticated distribution systems
Increased levels of capabilities to identify, protect, detect, respond & recover as the complexity of the distributor's business evolves
Centre of Excellence (COE)
Enhanced Governance requirements at each distributor's Board; inclusion of cyber risk in their planning process
Staff Training and Awareness
Auditing & Assessment
Periodic "Attestation" style of reporting to OEB
Annual OEB anonymized sector survey and assessment to understand sector maturity
Strong Consultative Team (cue for Doug to introduce the Richter and DLA Piper team in the audience)
Introduce the common threats / ease of use and consistency for the sector
Page 16: OEB Cyber Security Framework

Overview

Proposed Framework Elements, as developed in collaboration with the Working Group (NIST): Framework Core, Framework Profile, and Framework Implementation Tiers, complemented by Privacy by Design (PbD)

Presenter
Presentation Notes
Reference NIST - endorsed by NIST. They are also looking at privacy; no one else has done this. Ontario has an innovative approach.
The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.
Framework Profile ("Profile") is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization. A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.
Framework Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
Key Finding: NIST has steered clear of privacy, but the OEB needs to integrate it into their framework.
Page 17: OEB Cyber Security Framework

Privacy (PbD) - Incorporated into Framework

Fair Information Principles (FIPs) / PIPEDA are compatible with NIST

[Accountability, Consent, Limiting Collection…]

The NIST Framework does not deal with Privacy in any detail; however, privacy requirements were incorporated because LDCs should already be doing this.

[ID.GV-3: "Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed"]

FIPs have been embedded into the Framework by:

Building privacy questions into the Risk Profile Tool

Layering privacy controls onto the NIST controls

PRIVACY CONTROLS required by LDCs

Presenter
Presentation Notes
Key Elements: Innovation Approach Security Controls High Ease of Use Embedded Privacy into Framework
Page 18: OEB Cyber Security Framework

NIST Cybersecurity Framework Incorporated by OEB

Diagram (slide 18): the NIST Cybersecurity Framework structure of Functions, Categories and Subcategories, with the five Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER.


Presenter
Presentation Notes
Speak to the 5 core elements that make up the NIST framework to help fight against CS attacks.
Talking Points: take-up of the Framework in the LDC; NIST is the de facto standard in the utility space and eventually may replace NERC CIP; contrast to NERC CIP; NIST guidance for implementation.
Page 19: OEB Cyber Security Framework

Risk Profile - Cyber Security Process


Risk Profile tool creates an LDC Specific Profile

Each Profile aligns with specific security controls

Each LDC self-assesses compliance with the security controls in Stage 1

Initial achievement level is defined using DOE-C2M2 Implementation levels

LDC CEO provides attestation

Presenter
Presentation Notes
Working Group Feedback: not subjective; don't make us guess; simple tools please.
The Working Group has tested the Framework & Risk Profile Tool. The dry run was positive, with achievable, repeatable results.
Page 20: OEB Cyber Security Framework

Risk Profile - Link to Control Levels


Framework proposes:

Low Risk: Baseline for all. Controls will not require major investments in technology or specialized resources to implement.

Medium Risk: Adds to Baseline. Additional controls to address the level of risk; requires some investments (technology & resources) to implement.

High Risk: Builds on Baseline. Increased number of controls to address high risk; requires investments (technology & resources) to implement.

Presenter
Presentation Notes
All of the above will have a phased implementation plan to reach the initial required level. If an LDC's risk appetite is higher than its associated risk score, it can enhance its controls accordingly.
Low Risk - process and document; no need for highly paid experts
Medium Risk - low cost for uptake, as already doing this
High Risk - may have an existing mature posture; can use the Framework to validate gaps
Page 21: OEB Cyber Security Framework

Risk Profile - Tool Navigation

Questions in the Self-Assessment Questionnaire (SAQ) are separated by the colour-coded functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)

Within these functions are categories and subcategories

Specific questions will be asked to evaluate whether LDCs are meeting the objectives consistent with their Risk Profile


Presenter
Presentation Notes
Value ADD opportunity
Page 22: OEB Cyber Security Framework

Risk Profiles - Applied to Framework (NIST)


Presenter
Presentation Notes
Distinguish between High / Medium and Low
Page 23: OEB Cyber Security Framework

Compliance and Reporting

"Self-Assessment Questionnaire" (SAQ): VALIDATES COMPLIANCE with the Framework (NIST) model (subcategories) and is for LDC internal use only

Completing the Self-Assessment Questionnaire: For each subcategory, there is a choice of responses to indicate the status regarding that requirement. A description of the meaning of each response is provided.

Presenter
Presentation Notes
Phased approach – objective is to establish baseline reporting and move to a more mature level of reporting (self-assessment, desktop audits, etc.)
Page 24: OEB Cyber Security Framework

Reporting – Internal / External

Framework would support an LDC Board Level and operational style dashboard

Framework provides consistent criteria for assessment and auditing

Attestation approach for communicating cyber posture to the OEB


Presenter
Presentation Notes
Formal Reporting; Open Dashboard. Executive involvement in the Cyber Security Process is a core theme of the Framework.
Page 25: OEB Cyber Security Framework

Sector - Sharing & Support

Some LDCs will require support to implement and maintain their required Cyber Security Posture.

Cyber Security Information Sharing

Opportunities in Ontario:

Collaborate with IESO and other LDCs

Establish shared information resources

Establish shared support services

Suggested Collaboration (Industry)


Presenter
Presentation Notes
"Cyber Security Exchange" - opportunities to collaborate as a sector: IESO and other distributors; cross-sector sharing (e.g. gas distributors); US entities such as the APPA and the NRECA.
Opportunities to establish shared information resources: Awareness & Training Programs and Modules; Synthesized Advisory / Threat Intelligence Services; Common Vulnerabilities and How to Address them; Securing DERs / Microgrid implementations; Implementation Guides; Lessons Learned.
Opportunities to establish shared support services can be mentioned here.
CSWG (Proposed) - can be a mechanism for the sector; a critical element for sector structure.
Page 26: OEB Cyber Security Framework

Cyber Security - Framework and Core Processes


Diagram (slide 26): the Framework and its core processes.

Process: Assess via Framework Tool (Cyber Security Risk, Privacy Impact); Risk Profile; Implement Security Controls Commensurate With Risk Profile; Controls for Protection from Third Parties.

Supporting elements: Privacy; Governance; Tools; Metrics and Reports; Implementation Guidance & Support; Sector Sharing & Learning; Easy to Use and Not Subjective; Phased Approach.

Reporting levels: Operations, Management, Board, OEB.

Collaboration: Opportunities with APPA, NRECA, others; Roles of OEB, IESO, Hydro One, others.

Presenter
Presentation Notes
Talking Points: unique full closed-loop process; evolutionary path; input from working groups.
Security is a process - the Framework will help the sector understand Cyber Security.
Working Group request to baseline maturity within the sector using a common approach (apples-to-apples comparison) from a common reference point.
Board and Executive involvement and awareness.
Extensive set of resources available with APPA and NRECA.
OEB has a light-handed role (similar to Regional Planning): OEB to monitor and facilitate; IESO and TX / DX to set up the sector-driven process.
Timeline (exact timeline not specific) - OEB is looking for sector feedback.
Page 27: OEB Cyber Security Framework

Framework Benefits - Increasing Defense in Depth

Each LDC’s RISK TOLERANCE may lead to additional control activities that they want to put in place

Add additional controls from the next higher risk grouping

Increase the rigour of existing controls


Presenter
Presentation Notes
Andres CUE: Essentially quality vs. quantity (you can enhance your current defenses or you can add to the defenses); it is up to the LDC.
Refines risk tolerance; appropriate starting place; add additional items based on risk appetite; more robust.
Map for the basics: use the Framework to increase posture.
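The risk-tier-to-controls linkage and self-assessment roll-up described on slides 20, 23, 24 and 27, as an added Python sketch that is not the OEB's Risk Profile Tool: the control-to-tier assignments, the three-value response scale and the "one tier up" risk-tolerance rule are constructed assumptions for illustration only.

```python
"""Toy model of the OEB Framework's risk-tiered control linkage (added example).

Slide 20: Low = baseline controls, Medium adds controls, High builds further.
Slide 23: the SAQ records one response per subcategory.
Slide 24: results roll up to a Board-level dashboard and an attestation.
Slide 27: an LDC with a higher risk tolerance may adopt the next tier's controls.
"""

# Risk tiers in increasing order; each tier is cumulative over the lower ones.
TIERS = ("Low", "Medium", "High")

# Constructed control catalogue: NIST CSF-style subcategory IDs mapped to
# (Function, lowest tier that requires the control). The tier assignments are
# an assumption for this example, not the OEB Framework's actual mapping.
CONTROLS = {
    "ID.AM-1": ("IDENTIFY", "Low"),
    "ID.GV-3": ("IDENTIFY", "Low"),   # privacy / legal obligations, cited on slide 17
    "PR.AC-1": ("PROTECT", "Low"),
    "PR.AC-4": ("PROTECT", "Medium"),
    "DE.CM-1": ("DETECT", "Medium"),
    "DE.AE-1": ("DETECT", "High"),
    "RS.RP-1": ("RESPOND", "Low"),
    "RS.AN-1": ("RESPOND", "High"),
    "RC.RP-1": ("RECOVER", "Low"),
    "RC.IM-1": ("RECOVER", "Medium"),
}

# Constructed SAQ response scale (the slides say each response has a described
# meaning but do not list them; these labels and scores are placeholders).
RESPONSE_SCORE = {"Not implemented": 0, "Partially implemented": 1, "Fully implemented": 2}
FULL_SCORE = max(RESPONSE_SCORE.values())

# Constructed sample SAQ answers for a Low-risk LDC; RC.RP-1 was left unanswered.
SAMPLE_RESPONSES = {
    "ID.AM-1": "Fully implemented",
    "ID.GV-3": "Partially implemented",
    "PR.AC-1": "Fully implemented",
    "RS.RP-1": "Not implemented",
}


def required_controls(risk_tier, tolerance_uplift=False):
    """Controls an LDC must self-assess against for its Risk Profile tier.

    tolerance_uplift models slide 27: an LDC whose risk tolerance exceeds its
    scored tier takes on the next higher grouping's controls as well.
    """
    level = TIERS.index(risk_tier)          # raises ValueError on an unknown tier
    if tolerance_uplift:
        level = min(level + 1, len(TIERS) - 1)
    return sorted(cid for cid, (_, tier) in CONTROLS.items()
                  if TIERS.index(tier) <= level)


def function_dashboard(risk_tier, responses, tolerance_uplift=False):
    """Roll SAQ responses up to a percentage per NIST Function for a Board dashboard.

    A required control with no recorded response counts as 'Not implemented',
    so an incomplete questionnaire cannot inflate the score.
    """
    earned, possible = {}, {}
    for cid in required_controls(risk_tier, tolerance_uplift):
        fn = CONTROLS[cid][0]
        answer = responses.get(cid, "Not implemented")
        earned[fn] = earned.get(fn, 0) + RESPONSE_SCORE[answer]
        possible[fn] = possible.get(fn, 0) + FULL_SCORE
    return {fn: round(100 * earned[fn] / possible[fn]) for fn in earned}


def attestation_gaps(risk_tier, responses, tolerance_uplift=False):
    """Required controls not yet fully implemented: what a CEO attestation cannot claim."""
    return [cid for cid in required_controls(risk_tier, tolerance_uplift)
            if responses.get(cid, "Not implemented") != "Fully implemented"]


if __name__ == "__main__":
    print("Low tier controls:", required_controls("Low"))
    print("Dashboard:", function_dashboard("Low", SAMPLE_RESPONSES))
    print("Attestation gaps:", attestation_gaps("Low", SAMPLE_RESPONSES))
```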
Page 28: OEB Cyber Security Framework


Key Messages

Cyber Attacks and breaches will occur, no matter how prepared a distributor is.

There are various degrees of Cyber maturity among distributors. Many have been performing assessments of their cyber security posture, in order to determine actions they need to take.

Majority of customer information is protected by cyber security approaches managed by distributors.

Framework will provide Benchmark Control Objectives and scalable additional objectives that will provide sector consistency

This is a strongly collaborative policy initiative, that leverages industry knowledge and experience and is expected to be managed by the sector in the long run

Presenter
Presentation Notes
Cyber-attacks and breaches will occur, no matter how prepared a distributor is: the distributor needs to enhance its cyber security program to minimize impacts, and the sector needs to collaborate to leverage experience & knowledge.
Guidance on consistency; consider for preparation and response.
Answers "What should we (the sector) be doing?" vs. "What are we doing?"
Provides a benchmark (level-sets the landscape).
Note: 50% of the LDCs were involved in the working group.
Similar to Regional Planning - the sector runs the framework.
Page 29: OEB Cyber Security Framework


Questions / Comments?