OEB Cyber Security Framework
Presenter: OEB | Andres Mand, Regulations | Consumer Protection & Industry Performance
Presenter: AESI Inc. | Doug Westlund, VP Strategic Planning & Implementation Svcs
Protecting Privacy of Personal Information and the Reliable Operation of the Smart Grid in Ontario Developing A Cyber Security Framework
EDIST - January 19, 2017
Agenda
1. Introduction: Issue – Solution Direction
2. OEB Mandate, Policy and Plan
3. Building a Regulatory Cyber Security and Privacy
Framework
Cyber Security – Utility Attack Surface & Vectors
[Diagram: utility attack surface and vectors]
Surface components: LDC Corporate Applications and Technology (IT); LDC Operational Applications and Technology (OT); LDC Customers (Residential, Commercial, Industrial); Bulk Electric System (ICCP Connection); Third Party Vendors; Distributed Energy Resources - MicroGrids; TS Connection
Risk vectors: External Risk; System Risk; Communications Risk; Legacy Risk; Unpatched Risk; Privacy Risk; Insider Risk
North American Situation
Unlike for the Bulk Electric System, North American regulators do not have a distribution-focused Cyber Security Framework
NERC applies to the Bulk system
There are many Cyber Security standards and frameworks for critical infrastructure operators in North America
Key Issues:
Applicability, and making the appropriate selection of any given framework
Ease of interpretation, application and implementation in the energy sector
Consistent criteria, leading to a common understanding and assessment of Cyber risks and controls
Some Distributor Associations have started to develop user guides
APPA and the NRECA (US distributor associations) represent collaboration opportunities in Cyber Security, including awareness for Ontario energy stakeholders
Cyber Security - Increasing "Risk Exposure"
Ontario Issue
Implementation of Smart Grids in Ontario will depend on increases in data collection and communication networks that will accelerate the risk of Cyberattacks, resulting in potential communication disruptions, power outages and breaches of consumer privacy.
Currently, we cannot leverage a Canadian or US cross-sector developed Cyber Security Framework focussed on the distributors and the distribution system. There is no clear consistency of expectations mapping Risks to Cyber Posture.
Cyber Security Expectations
Security and Privacy are inextricably linked in Ontario
Security is about protecting and controlling information
Privacy is about recognizing that while LDCs retain physical control of the data, the decisions about how to collect, use and disclose personal information reflect the individual consent and personal preferences of consumers
Security is integral to privacy, because without strong information security measures, privacy breaches will occur
OEB has required Distributors:
To ensure personal information is protected; Distributor Licences (section 15) have always included privacy conditions
To incorporate Security Risk mitigation as part of their asset management and distribution system plans
Cyber Security – Consistency of Preparedness
Ontario Solution Development
OEB is moving forward on a Cyber Security Policy and is facilitating the development of a Framework ultimately to be owned and maintained by the sector.
The objective is to ensure the continued protection of Privacy and the Distribution System for Consumers in Ontario's Smart Grid.
Ontario - Policy Objective
Develop a Framework, with Industry partners, that establishes a common approach to Cyber Security:
Increasing consistency by linking risk levels to preparedness and assessments
Supporting tools to guide LDCs, where needed, in the development of their Cyber Security posture
Developing a reporting mechanism to support OEB monitoring of the results; reporting will be a regulatory requirement
Expecting that the sector assumes ownership of the Framework
Ontario - Cyber Framework Development
Industry Steering Committee incorporating the EDA, senior LDC leadership, and academics setting objectives
Engagement of a seasoned partnership of consultants familiar with Ontario's Energy Sector, with North American experience across multiple jurisdictions in Cyber Security, privacy and risk assessment / verification
Highly collaborative working group, representing half of Ontario's Electrical and Natural Gas Distributors, fully engaged
Incorporation of practical tools and mechanisms to support the understanding and implementation of the Framework
We will be seeking input on the proposed Framework
Bottom Line
Ontario is breaking new ground in developing a Framework that is focused on the distribution sector.
Propose a set of benchmark control objectives for different risk levels
Be scalable so that the Cyber maturity aligns with LDC risk
Provide guidance on an evaluation method that can be used by the LDC
Augment the Framework with training, tools and mechanisms to support assessment & implementation
Encourage more sector sharing of Cyber Security Information
Engage third parties (Phase 2) that interact with the distribution system to meet LDCs' Cyber preparedness expectations
What we are presenting is a proposed framework, developed with the Working Group and Expert advice
Framework Intended Outcome
1. Establish an appropriate level of regulatory oversight regarding Cyber Security of the non-bulk Power System that is measurable and reportable;
2. Incorporate privacy standards requirements, integrating those efforts with other IT and OT Cyber actions;
3. Guide regulated entities in determining the actions needed to mitigate Cyber risks and threats consistent with their risk level.
Framework will also…
Include a set of assessment methodologies, and outcomes based expectations that align policy, energy system operations, and technological approaches to address Cyber Risks
Provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures, to guide critical infrastructure entities to identify, assess and manage Cyber Risks
Identify areas for improvement to be addressed through future collaboration with the energy sectors, standards-developing organizations, industry associations and government
Framework as proposed leverages:
The National Institute of Standards and Technology ("NIST") framework, and incorporates other industry standards and guidelines
Potential Future Regulatory Landscape…
[Diagram: potential future regulatory landscape, bulk and non-bulk]
Actors: Ontario's Provincial Government; Ontario Energy Board (Bulk / Non-Bulk); IESO Bulk System Operator; Industry – Bulk Operators (Tx, OPG…); Industry – Non-Bulk Operators (Utilities); Interprovincial, Federal and Interjurisdictional Standard Setting Agencies; Cyber Security World
Instruments: Legislation & Regulations, Codes and Licenses; NERC CIP 5++; IESO Bulk Requirements; NIST Framework; Distribution Cyber Security Framework; Cyber Security Information Sharing
Approach & Plan (Multi-Year)
[Timeline: 2015 – 2017 – 2019, Implementation]
Phase 1 – Develop Framework (OEB Facilitation)
Establish a Framework version 1.0 - focused on the distributor's capability requirements - expected to be in place end of March 2017 - Implementation timeline TBD
Sector executive steering committee, Distributor working group, expert consultant and significant OEB internal resources
Phase 2 – Stakeholder Engagement (OEB Facilitation proposed)
Critical stakeholder groups, Third Party Service Providers to Distributors (i.e. back office providers) and Generators/Aggregators
Update Framework to version 2.0
Initiate the development of a sector cyber security information process
Phase 3 – Evaluation
Regulatory communications with other jurisdictions
Lessons Learned and improvement – update Framework version 3.0
Cyber security information sharing
Phase 4 – Enhancements
Sector Guidebook
Ongoing – Program Collaboration
Collaboration with other critical infrastructure initiatives
Phase 1 - Developing the Framework
Focus - Core of the Electricity Sector – LDCs
Establish a Framework that leverages existing industry standards, but provides flexibility to support LDC adoption
Develop tools to assess the risk exposure of a given LDC
Internal auditing for LDCs to self-assess current state
Create mapping of Cyber controls for ease-of-use and consistency
Establish baseline Cyber postures for various degrees of risk and exposure, aligning effort to risk
Attestation approach to support OEB monitoring to meet OEB Objectives
Overview
Proposed Framework Elements, as developed in collaboration with the Working Group (NIST): Framework Core, Framework Profile and Framework Implementation Tiers, complemented by Privacy by Design (PbD)
Privacy (PbD) - Incorporated into Framework
Fair Information Principles (FIPs) / PIPEDA are compatible with NIST
[Accountability, Consent, Limiting Collection…]
NIST Framework does not deal with Privacy in any detail; however, privacy requirements were incorporated because LDCs should already be doing this.
[ID.GV-3: "Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed"]
FIPs have been embedded into the Framework by:
Building privacy questions into the Risk Profile Tool
Layering privacy controls onto the NIST controls
PRIVACY CONTROLS required by LDCs
NIST Cybersecurity Framework Incorporated by OEB
Functions Categories Subcategories
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Risk Profile - Cyber Security Process
Risk Profile tool creates an LDC Specific Profile
Each Profile aligns with specific security controls
Each LDC self-assesses compliance with the security controls in Stage 1
Initial achievement level is defined using DOE-C2M2 Implementation levels
LDC CEO provides attestation
Risk Profile - Link to Control Levels
Framework proposes:
Low Risk: Baseline for all. Controls will not require major investments in technology or specialized resources to implement
Medium Risk: Adds to Baseline. Additional controls to address the level of risk; requires some investments (technology & resources) to implement
High Risk: Builds on Baseline. Increased number of controls to address high risk; requires investments (technology & resources) to implement
Risk Profile - Tool Navigation
Questions in the Self-Assessment Questionnaire (SAQ) are separated by the colour-coded functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)
Within these functions are categories and subcategories
Specific questions will be asked to evaluate whether LDCs are meeting the objectives consistent with their Risk Profile
Risk Profiles - Applied to Framework (NIST)
Compliance and Reporting
"Self-Assessment Questionnaire" (SAQ): VALIDATES COMPLIANCE with the Framework (NIST) model (subcategories); it is for LDC internal use only
Completing the Self-Assessment Questionnaire: For each subcategory, there is a choice of responses to indicate the status regarding that requirement. A description of the meaning of each response is provided
Reporting – Internal / External
Framework would support an LDC Board Level and operational style dashboard
Framework provides consistent criteria for assessment and auditing
Attestation approach for communicating cyber posture to the OEB
Sector - Sharing & Support
Some LDCs will require support to implement and maintain their required Cyber Security Posture.
Cyber Security Information Sharing
Suggested Collaboration (Industry)
Opportunities in Ontario:
Collaborate with IESO and other LDCs
Establish shared information resources
Establish shared support services
Cyber Security - Framework and Core Processes
[Diagram: framework and core processes]
Core: Risk Profile (assessed via Framework Tool: Cyber Security Risk, Privacy Impact); Implement Security Controls Commensurate With Risk Profile; Privacy; Governance (Operations, Management, Board, OEB); Tools; Metrics and Reports (Operations, Management, Board)
Supporting elements: Implementation Guidance & Support; Sector Sharing & Learning (opportunities with APPA, NRECA, others); Easy to Use and Not Subjective; Phased Approach; Roles of OEB, IESO, Hydro One, others; Controls for Protection from Third Parties
Framework Benefits - Increasing Defense in Depth
Each LDC’s RISK TOLERANCE may lead to additional control activities that they want to put in place
Add additional controls from the next higher risk grouping
Increase the rigour of existing controls
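The Risk Profile to control-level mapping, the SAQ response scale and the defense-in-depth options above can be seen working together in a small model. The following is an added example written for this page, not a tool from the OEB or the Working Group: the grouping of NIST CSF subcategory IDs into Low/Medium/High baselines, the four-step response scale loosely modelled on C2M2 implementation levels, and the sample answers are all constructed for illustration and are not the Framework's actual content.

```python
"""Toy model of the deck's Risk Profile -> control-level mapping and SAQ scoring.

Assumptions (not from the OEB Framework): which subcategories belong to which
risk grouping, the 0..3 response scale, and the sample LDC answers below.
"""
from collections import defaultdict

RISK_LEVELS = ["Low", "Medium", "High"]

# Constructed grouping. The IDs are real NIST CSF v1.1 subcategory identifiers;
# their assignment to a risk grouping is an assumption made for this example.
CONTROLS = {
    "Low":    ["ID.AM-1", "ID.GV-3", "PR.AC-1", "PR.AT-1", "DE.CM-1", "RS.RP-1", "RC.RP-1"],
    "Medium": ["ID.RA-1", "PR.DS-1", "PR.IP-4", "DE.AE-1", "RS.AN-1"],
    "High":   ["PR.AC-5", "PR.PT-4", "DE.CM-7", "RS.MI-1", "RC.CO-3"],
}

# Constructed SAQ response scale, loosely modelled on C2M2 MIL0..MIL3.
RESPONSES = {0: "Not performed", 1: "Initiated", 2: "Performed", 3: "Managed"}

# Constructed answers for a hypothetical Medium-risk LDC.
SAMPLE_ANSWERS = {
    "ID.AM-1": 3, "ID.GV-3": 2, "PR.AC-1": 2, "PR.AT-1": 1, "DE.CM-1": 2,
    "RS.RP-1": 2, "RC.RP-1": 1,
    "ID.RA-1": 2, "PR.DS-1": 2, "PR.IP-4": 0, "DE.AE-1": 2, "RS.AN-1": 3,
}


def applicable_controls(risk_level, extra_from_next_level=False):
    """Controls an LDC must address: each risk level builds on the levels below it.

    extra_from_next_level models the deck's defense-in-depth option of adding
    controls from the next higher risk grouping.
    """
    idx = RISK_LEVELS.index(risk_level)
    levels = RISK_LEVELS[: idx + 1]
    if extra_from_next_level and idx + 1 < len(RISK_LEVELS):
        levels.append(RISK_LEVELS[idx + 1])
    return [c for lvl in levels for c in CONTROLS[lvl]]


def score_saq(risk_level, answers, target=2, extra_from_next_level=False):
    """Score SAQ answers against the profile's controls.

    target is the response level a control must reach to count as met;
    raising it models "increase the rigour of existing controls".
    Returns a board-style dashboard keyed by NIST function plus the gap list.
    """
    controls = applicable_controls(risk_level, extra_from_next_level)
    missing = [c for c in controls if c not in answers]
    if missing:
        raise ValueError(f"unanswered SAQ items: {missing}")
    by_function = defaultdict(lambda: {"met": 0, "total": 0})
    gaps = []
    for c in controls:
        level = answers[c]
        if level not in RESPONSES:
            raise ValueError(f"invalid response {level!r} for {c}")
        func = c.split(".")[0]  # ID, PR, DE, RS or RC
        by_function[func]["total"] += 1
        if level >= target:
            by_function[func]["met"] += 1
        else:
            gaps.append((c, RESPONSES[level]))
    return {"risk_level": risk_level, "by_function": dict(by_function), "gaps": gaps}


def ready_for_attestation(report):
    """Attestation in this model means every applicable control meets the target."""
    return not report["gaps"]


if __name__ == "__main__":
    report = score_saq("Medium", SAMPLE_ANSWERS)
    for func, counts in report["by_function"].items():
        print(f"{func}: {counts['met']}/{counts['total']} controls at target")
    for control, status in report["gaps"]:
        print(f"gap: {control} ({status})")
    print("ready for attestation:", ready_for_attestation(report))
```

Running it for the sample Medium-risk LDC produces a per-function dashboard and three gaps (PR.AT-1, RC.RP-1 and PR.IP-4 below "Performed"), so attestation is not yet supported; calling `score_saq("Medium", ..., target=3)` or `extra_from_next_level=True` shows how the two defense-in-depth choices widen the gap list before any new controls are implemented.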
Key Messages
Cyber Attacks and breaches will occur, no matter how prepared a distributor is.
There are various degrees of Cyber maturity among distributors. Many have been performing assessments of their cyber security posture in order to determine the actions they need to take.
The majority of customer information is protected by cyber security approaches managed by distributors.
Framework will provide Benchmark Control Objectives and scalable additional objectives that will provide sector consistency
This is a strongly collaborative policy initiative that leverages industry knowledge and experience and is expected to be managed by the sector in the long run
Questions / Comments?