TRANSCRIPT
Cybersecurity Issues and Impact on Utilities
AGA Cybersecurity Leadership
SEPTEMBER 24, 2015

AGA Cybersecurity Leadership
• AGA Cybersecurity Ramp-Up
• AGA Cybersecurity Strategy Task Force
• AGA Cybersecurity Initiatives
• ONG-C2M2 Reviews and Workshops
• DNG-ISAC Update and Status
• AGA Cybersecurity Legislative and Regulatory Update

Cybersecurity
Cyber threats are real and unrelenting for all critical infrastructure. The natural gas industry must continue to employ prudent policies and practices to help ensure the resiliency and safety of natural gas systems.
Protecting Natural Gas Systems: The Oil & Natural Gas Sector Coordinating Council Cybersecurity Working Group, chaired by AGA, is an operators’ forum supported by DOE, in coordination with DHS, to promote effective cybersecurity strategies and activities, policy and communication across the oil and natural gas sector to achieve the nation’s homeland security mission.

AGA Cybersecurity Ramp-Up
• Status prior to 2012
• And then the world changed
AGA Cybersecurity Ramp-Up (continued)
• AGA Board briefed by Eric Cornelius, then of US-CERT
• AGA Leadership commissions AGA Cyber Team
  • Brian Caudill, Senior Director, Federal Affairs
  • Kimberly Denbow, Engineering Services Director
  • Jim Linn, Managing Director, Information Technology
  • Rebecca Massello, Security and Operations Manager
  • John Bryk (contractor), DNG-ISAC Threat Analyst
• AGA Board Cybersecurity Plan of Action
  • Review and provide guidance on cybersecurity assessments
  • Educate members and facilitate best practices sharing
  • Educate stakeholders and advocate
AGA Cybersecurity Strategy Task Force
• AGA Board prescribes initiation of Cybersecurity Strategy Task Force
• AGA Cybersecurity Strategy Task Force (CSTF)
  • Information Technology – CIOs
  • Information Security – CISOs
  • Physical Security – CSOs
  • Natural Gas Security – SCADA
  • Natural Gas Operations – Gas Control
• CSTF to date
  • Directs AGA Cybersecurity efforts
  • Supply Chain Workshop
  • Cyber Threat Workshop
AGA Cybersecurity Initiatives
• AGA leads Cybersecurity Working Group of Oil & Natural Gas Sector Coordinating Council
• AGA participates on DHS Industrial Control Systems Joint Working Group Steering Team
• AGA Cybersecurity Strategy Task Force Initiatives
  • Cybersecurity Threat Analysis Project
  • Procurement Language Project
  • Insider Threat Workshop
  • Department of Energy ONG-C2M2 Reviews and Workshops
  • Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) Development
ONG-C2M2 Reviews and Workshops
• Initiative began with desire to understand cybersecurity preparedness at AGA small member companies
• Considered building our own tool
• Success of Electric Sector – Cybersecurity Capability Maturity Model
• Release of Department of Energy Oil and Natural Gas Sector – Cybersecurity Capability Maturity Model
• Reviews at four AGA member companies
• Regional reviews
  • Mid-Atlantic at LG&E
  • West at Questar
  • North-East at Central Hudson
  • Mid-West at We Energies
• AGA recommends members use the ONG-C2M2 and evaluate and act on its findings
What is the ONG-C2M2?
A model and evaluation method that supports ongoing evaluation and improvement of cybersecurity capabilities within the ONG subsector.
Objectives
• Strengthen cybersecurity capabilities in the ONG subsector.
• Enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities.
• Share knowledge, best practices, and relevant references within the subsector as a means to improve cybersecurity capabilities.
• Enable ONG organizations to prioritize actions and investments to improve cybersecurity.
ONG-C2M2 Model Overview

10 Model Domains: logical groupings of cyber security practices — activities that protect operations from cyber-related disruptions
• CPM – Cybersecurity Program Management
• WM – Workforce Management
• EDM – Supply Chain and External Dependencies Management
• IR – Event and Incident Response, Continuity of Operations
• ISC – Information Sharing and Communications
• SA – Situational Awareness
• TVM – Threat and Vulnerability Management
• IAM – Identity and Access Management
• ACM – Asset, Change, and Configuration Management
• RM – Risk Management

4 Maturity Indicator Levels: MIL0, MIL1 (beginning), MIL2 (intermediate), MIL3 (advanced)
(Figure legend: MIL 1 practices, MIL 2 practices, MIL 3 practices, No practices)
• Each domain includes a progression of practices from MIL1 to MIL3
• MIL1 practices are basic activities that any organization should perform; these are the starting blocks
• MIL2 & MIL3 practices are progressively more complete, advanced, and ingrained; target levels should be set for each domain based on risk tolerance and threat environment
Domain: TVM: Threat and Vulnerability Management
Objective: 2. Reduce Cybersecurity Vulnerabilities
Practice: TVM-2g. Cybersecurity vulnerabilities are addressed according to the assigned priority
Notes: (none)
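The MIL progression and per-domain target levels described above, as an added example that is not part of the deck or of the DOE model: a small scorer that applies the cumulative MIL rule (assumed here: a level counts only when it and every lower level are fully implemented) to constructed practice data and lists the gaps to each domain's target, with TVM-2g's MIL2 placement also an assumption.

```python
"""ONG-C2M2 domain scoring: achieved MIL versus per-domain target.
Added example, not from the AGA deck or the DOE model. Assumption: a MIL is
achieved in a domain only when every practice at that level and at all lower
levels is implemented, so one missing MIL1 practice holds the domain at MIL0
regardless of MIL2/MIL3 work. Practice data is constructed; TVM-2g is quoted
from the deck's scorecard excerpt and its MIL2 placement is assumed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Practice:
    pid: str          # e.g. "TVM-2g": domain, objective number, practice letter
    mil: int          # Maturity Indicator Level the practice belongs to (1..3)
    implemented: bool


def achieved_mil(practices):
    """Highest MIL whose practices, and all lower-level practices, are implemented."""
    level = 0
    for mil in (1, 2, 3):
        at_level = [p for p in practices if p.mil == mil]
        # A level with no defined practices, or any unmet practice, stops the climb.
        if not at_level or not all(p.implemented for p in at_level):
            break
        level = mil
    return level


def gaps_to_target(practices, target):
    """Unimplemented practices at or below the target MIL, lowest MIL first."""
    missing = [p for p in practices if p.mil <= target and not p.implemented]
    return [p.pid for p in sorted(missing, key=lambda p: (p.mil, p.pid))]


def domain_report(domains, targets):
    """Map domain -> (achieved MIL, target MIL, ordered gap list)."""
    return {d: (achieved_mil(ps), targets[d], gaps_to_target(ps, targets[d]))
            for d, ps in domains.items()}


# Constructed sample data for two of the ten domains; targets are set per domain.
SAMPLE = {
    "TVM": [Practice("TVM-1a", 1, True), Practice("TVM-2a", 1, True),
            Practice("TVM-2g", 2, False), Practice("TVM-2c", 2, True),
            Practice("TVM-3a", 3, True)],
    "EDM": [Practice("EDM-1a", 1, True), Practice("EDM-1b", 1, False),
            Practice("EDM-2c", 2, True)],
}
TARGETS = {"TVM": 2, "EDM": 1}
```

Run `domain_report(SAMPLE, TARGETS)`: TVM sits at MIL1 with TVM-2g blocking its MIL2 target, and EDM stays at MIL0 because a single MIL1 practice is missing, which is why the deck's recommendations put MIL1 gap closure first.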
Observations
• The ONG-C2M2 helped each participant company better understand its cybersecurity capability maturity level, both validating many cybersecurity practices and identifying areas for improvement
• Generally the strongest domains were Asset, Change and Configuration Management and Identity and Access Management
• Generally the weakest domain was Supply Chain and External Dependencies Management
• Participating companies received a range of overall scores
• The review process brings together information technology professionals and operational technology professionals in an environment to discuss and review cybersecurity
Recommendations for Participants
• Close maturity level one gaps
• Evaluate maturity level two and maturity level three gaps for closure
• Institutionalize the cybersecurity program
  • Ensure cybersecurity is governed by policy
  • Ensure company leadership guides cybersecurity governance
• Supply chain weaknesses have been identified as the root cause of a number of successful cybersecurity compromises in other industries
• Prioritize separation of Information Technology networks from Operational Technology networks
• Repeat the ONG-C2M2 review
  • Review / Identify Gaps / Prioritize and Plan / Close Gaps / Repeat
The DNG ISAC is an online platform that will help natural gas utilities share and access timely, accurate and relevant threat information and further enhance the security of natural gas utilities.
In 2014, AGA launched the Downstream Natural Gas Information Sharing and Analysis Center.
“Information sharing is a fundamental pillar of a robust cyber and physical defense effort. The DNG ISAC is tailored to address the distinct operational needs of the downstream natural gas sector and provides the technological sophistication and coordination necessary to meet the ever-changing threats of the 21st century.”
Dave McCurdy, AGA President and CEO
Update and Status
• The DNG ISAC, Downstream Natural Gas Information Sharing and Analysis Center, is the downstream natural gas industry’s resource for cyber and physical threat intelligence analysis and sharing
• It was created for the natural gas industry and operates as a nonprofit entity
• The DNG ISAC speeds security alerts to multiple recipients near-simultaneously while providing for user authentication and secure information sharing
• The DNG ISAC employs one full-time threat analyst
• The DNG-ISAC coordinates very closely with the Electric Sector Information Sharing and Analysis Center (ES-ISAC) and shares information back and forth between electric, combination (natural gas and electric) and natural gas utilities
• The DNG ISAC is a member of the National Council of ISACs, which facilitates information sharing among other critical infrastructure sectors
Legislative Update
• AGA considers cybersecurity a top public policy priority. For the past 5-6 years we have worked individually and as part of broader utility and multi-industry coalitions to draft and pass cybersecurity information sharing legislation that matches our goals:
  • Participation is voluntary. Companies must not be forced to participate.
  • No top-down regulatory mandates. A prescriptive information sharing program will morph into a compliance program as opposed to a true cybersecurity program.
  • Industry receives liability protections for participating in an information sharing program.
  • AGA maintains its security partnership with DHS. AGA has worked hand-in-glove with DHS since 9/11 to ensure our systems and infrastructure are safe from attack. We oppose any cyber program that would impede or replace that relationship with another agency.
Legislative Update – House and Senate
• In the current Congress the House has passed cybersecurity information sharing legislation, the National Cybersecurity Prevention Advancement Act. Companion legislation in the Senate, the Cybersecurity Information Sharing Act, passed the Senate Intelligence Committee by a 14-1 vote and awaits Floor time. Both bills feature similar elements:
  • Voluntary participation in cyber information sharing program
  • Liability, regulatory, and information security protections for companies that participate in the program
  • DHS will act as the public-private information sharing conduit
  • Privacy of data – particularly personally identifiable information – is protected
Legislative Update – Status
• The Senate remains a frustration. The online privacy community has had some success in convincing a few Senators that CISA is less a cyber information sharing bill than it is a domestic surveillance bill. This is wrong-headed, but the tactic has had some political effect. AGA and all other critical infrastructure entities are continuing to push hard for CISA to get Floor time.
• AGA is cautiously optimistic that if CISA sees Floor time in the Senate it has the votes to pass. Should that happen, CISA will move to conference with the House-passed bill and a joint House-Senate “conference committee” will hammer out a final product to pass and present to the President. The Administration has, thus far, voiced quiet support for information sharing legislation. We are hopeful he would sign a final product into law.
• Questions: Brian Caudill, AGA Federal Affairs ([email protected])

Jim Linn, Managing Director, Information Technology, [email protected]
Find Us Online
www.aga.org
www.truebluenaturalgas.org
http://twitter.com/naturalgasflk
www.facebook.com/naturalgas
www.linkedin.com/company/50905?trk=tyah