1. No category

Energy Sector Cybersecurity
Framework Implementation
Guidance
Vicky Yan Pillitteri, National Institute of Standards and Technology
Akhlesh Kaushiva, Department of Energy
Chris Villarreal, California Public Utility Commission
Accelerating Grid Modernization
More information available on SGIP.org
Executive Order:
Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and
resilience of the Nation’s critical infrastructure and to maintain a cyber
environment that encourages efficiency, innovation, and economic
prosperity while promoting safety, security, business confidentiality,
privacy, and civil liberties”
President Barack Obama
Executive Order 13636, Feb. 12, 2013
• The National Institute of Standards and Technology (NIST) was
directed to work with stakeholders to develop a voluntary
framework for reducing cyber risks to critical infrastructure
• Version 1.0 of the framework was released on Feb. 12, 2014, along
with a roadmap for future work
Accelerating Grid Modernization
More information available on SGIP.org
Energy Sector Cybersecurity
Framework Implementation Guidance
AKHLESH KAUSHIVA, P.E.
Department of Energy
Office of Electricity Delivery and Energy Reliability
Accelerating Grid Modernization
More information available on SGIP.org
Sector Specific Agency Role
EXECUTIVE ORDER 13636
IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
• “Sector-Specific Agencies, in consultation with the
Secretary and other interested agencies, shall
coordinate with the Sector Coordinating Councils to
review the Cybersecurity Framework and, if
necessary, develop implementation guidance or
supplemental materials to address sector-specific
risks and operating environments.”
1
Accelerating Grid Modernization
More information available on SGIP.org
Guidance Document Goals
• The goal of the Framework Guidance document is to
help energy sector stakeholders:
– develop or align existing cybersecurity risk management
programs to meet the objectives of the Cybersecurity
Framework.
– effectively demonstrate and communicate cybersecurity
risk management approach and use of the Framework to
both internal and external stakeholders.
2
Accelerating Grid Modernization
More information available on SGIP.org
Document Development Approach
• DOE has collaborated with private sector stakeholders
through the Electricity Subsector Coordinating Council
(ESCC) and the Oil & Natural Gas Subsector
Coordinating Council (ONG SCC) forums for the
development of the draft Guidance.
• The DOE has also been coordinating with other Sector
Specific Agency (SSA) representatives and interested
government stakeholders for the development of the
draft Guidance and to address cross-sector overlaps.
3
Accelerating Grid Modernization
More information available on SGIP.org
Document Development Approach
• The DOE, through a notice published in Federal
Register on June 20, 2014, requested energy
sector organizations to participate in the ESCC
and ONG SCC forums.
• DOE distributed draft versions of the Guidance
document for comments and held bi-weekly
conference calls with the industry and
government stakeholders to discuss document
updates.
4
Accelerating Grid Modernization
More information available on SGIP.org
Document Development Approach
DIFFERENT MODELS, STANDARDS,
PRACTICES, AND GUIDELINES EXIST IN
ENERGY SECTOR INCLUDING
ES-C2M2
• Public-private collaborative effort
• Sector specific subject matter
expertise
• Pilot evaluations
ONG-C2M2
• Tested and refined for ONG through
ONG pilot evaluations across
upstream, midstream, and
downstream ONG companies.
5
Accelerating Grid Modernization
More information available on SGIP.org
Document Development Approach
• There are many potential tools for addressing Framework
implementation. ES-C2M2 is one of many such tools.
• For organizations that prefer an implementation approach
other than the C2M2, the Guidance document includes a
general process addressing how alternative approaches may
satisfy the goals of the framework.
• For organizations that use C2M2, the Implementation Guidance
highlights the interoperability between the NIST Cybersecurity
Framework and DOE’s C2M2 program.
6
Accelerating Grid Modernization
More information available on SGIP.org
Using C2M2 for Framework
Implementation
• Broad use of the model by energy sector could support
benchmarking of the sector’s cybersecurity capabilities,
voluntary sharing of knowledge and best practices using
common terminology.
• The recommended process for using the C2M2 parallels the
Framework approach of setting a target, identifying gaps,
and addressing gaps.
• The C2M2 adequately addresses all the objectives of the
Framework.
• The C2M2 uses maturity indicator levels that can help an
organization track measurable, incremental progression in
the maturity of cybersecurity practices.
7
Accelerating Grid Modernization
More information available on SGIP.org
Current Status
• On September 2nd, 2014 DOE distributed draft version 8 of
the guidance document to the industry for comments.
• On September 12th 2014, DOE used the same draft to open
a 30 day public comment period with an announcement in
the Federal Register. Comments should be submitted on
the prescribed comment submission form by October 14th
2014.
• It is anticipated that the final version of the Energy sector
Cybersecurity Framework Implementation Guidance
document will be published in November 2014.
8
Accelerating Grid Modernization
More information available on SGIP.org
Links
Federal Register Notice:
http://www.energy.gov/sites/prod/files/2014/0
9/f18/FRN-091214-CFIG.pdf
Energy Sector Cybersecurity Framework
Implementation Guidance Document Draft and
Comment Submission Form:
http://www.energy.gov/oe/downloads/energysector-cybersecurity-frameworkimplementation-guidance-draft-public-comment
9
Accelerating Grid Modernization
More information available on SGIP.org
Questions
For further information please contact
[email protected]
10
Accelerating Grid Modernization
More information available on SGIP.org