Energy Sector Cybersecurity Framework Implementation Guidance

Vicky Yan Pillitteri, National Institute of Standards and Technology
Akhlesh Kaushiva, Department of Energy
Chris Villarreal, California Public Utility Commission
Accelerating Grid Modernization
More information available on SGIP.org
Executive Order: Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
President Barack Obama, Executive Order 13636, Feb. 12, 2013
• The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work
Energy Sector Cybersecurity Framework Implementation Guidance
AKHLESH KAUSHIVA, P.E.
Department of Energy
Office of Electricity Delivery and Energy Reliability
Sector Specific Agency Role
EXECUTIVE ORDER 13636: IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
• “Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.”
Guidance Document Goals
• The goal of the Framework Guidance document is to help energy sector stakeholders:
– develop new cybersecurity risk management programs, or align existing ones, to meet the objectives of the Cybersecurity Framework.
– effectively demonstrate and communicate their cybersecurity risk management approach and their use of the Framework to both internal and external stakeholders.
Document Development Approach
• DOE has collaborated with private sector stakeholders through the Electricity Subsector Coordinating Council (ESCC) and the Oil & Natural Gas Subsector Coordinating Council (ONG SCC) forums for the development of the draft Guidance.
• The DOE has also been coordinating with other Sector Specific Agency (SSA) representatives and interested government stakeholders for the development of the draft Guidance and to address cross-sector overlaps.
Document Development Approach
• The DOE, through a notice published in the Federal Register on June 20, 2014, requested that energy sector organizations participate in the ESCC and ONG SCC forums.
• DOE distributed draft versions of the Guidance document for comments and held bi-weekly conference calls with industry and government stakeholders to discuss document updates.
Document Development Approach
DIFFERENT MODELS, STANDARDS, PRACTICES, AND GUIDELINES EXIST IN THE ENERGY SECTOR, INCLUDING:
ES-C2M2
• Public-private collaborative effort
• Sector-specific subject matter expertise
• Pilot evaluations
ONG-C2M2
• Tested and refined for ONG through ONG pilot evaluations across upstream, midstream, and downstream ONG companies.
Document Development Approach
• There are many potential tools for addressing Framework implementation. ES-C2M2 is one of many such tools.
• For organizations that prefer an implementation approach other than the C2M2, the Guidance document includes a general process addressing how alternative approaches may satisfy the goals of the Framework.
• For organizations that use C2M2, the Implementation Guidance highlights the interoperability between the NIST Cybersecurity Framework and DOE’s C2M2 program.
Using C2M2 for Framework Implementation
• Broad use of the model by the energy sector could support benchmarking of the sector’s cybersecurity capabilities and voluntary sharing of knowledge and best practices using common terminology.
• The recommended process for using the C2M2 parallels the Framework approach of setting a target, identifying gaps, and addressing gaps.
• The C2M2 adequately addresses all the objectives of the Framework.
• The C2M2 uses maturity indicator levels that can help an organization track measurable, incremental progression in the maturity of its cybersecurity practices.
Current Status
• On September 2nd, 2014, DOE distributed draft version 8 of the guidance document to the industry for comments.
• On September 12th, 2014, DOE used the same draft to open a 30-day public comment period with an announcement in the Federal Register. Comments should be submitted on the prescribed comment submission form by October 14th, 2014.
• It is anticipated that the final version of the Energy Sector Cybersecurity Framework Implementation Guidance document will be published in November 2014.
Links
Federal Register Notice:
http://www.energy.gov/sites/prod/files/2014/09/f18/FRN-091214-CFIG.pdf
Energy Sector Cybersecurity Framework Implementation Guidance Document Draft and Comment Submission Form:
http://www.energy.gov/oe/downloads/energysector-cybersecurity-frameworkimplementation-guidance-draft-public-comment
Questions
For further information please contact
[email protected]