MANAGING CYBER SECURITY RISK IS NECESSARY TO ENSURE RELIABILITY OF THE ELECTRIC GRID.
The approach of Nevermore Security is to identify the highest priority risks while providing the most effective cyber security strategies and solutions.
STRATEGY AND RISK MANAGEMENT
Nevermore Security works with utilities to develop or tailor a cyber security strategy and risk management framework that fit the unique requirements of the utility operational environment. This may also include performing a risk assessment.
DESIGN AND ARCHITECTURE
Nevermore Security augments the enterprise architecture with a cyber security architecture, including attack vectors, potential vulnerabilities, and applicable response strategies.
SPECIFICATION, GUIDANCE, AND REQUIREMENTS DEVELOPMENT
Nevermore Security assists utilities in developing specifications, guidance, and procurement documents that are tailored to the utility environment.
STRATEGY AND RISK MANAGEMENT
Typically, a cyber security strategy and risk management framework at the organization level are high-level. The strategy and framework may be tailored at lower levels in an organization, such as for business and operational components. Cyber security risk is one component of organizational risk, which may include many types of risk (e.g., public image, financial, safety, and legal liability). A cyber security risk assessment includes identifying assets, vulnerabilities, and impacts. Its output is the basis for the selection of security requirements and subsequent risk-mitigation strategies.
DESIGN AND ARCHITECTURE
Increased interconnection in electric sector systems and devices results in a larger attack surface that may be exploited by potential adversaries. Typically, an enterprise architecture does not address cyber security, specifically the overall attack surface, attack vectors, potential vulnerabilities, and applicable response strategies. The challenge is to develop and implement a security architecture methodology that augments, rather than replaces, current enterprise architecture methodologies.
SPECIFICATION, GUIDANCE, AND REQUIREMENTS DEVELOPMENT
To adequately address potential vulnerabilities, cyber security must be included in all phases of the system development life cycle, from the design phase through implementation, operations and maintenance, and disposition/sunset. Although cyber security reference documents are available, utilities need to tailor them to their specific environments.
ASSESSMENTS AGAINST STANDARDS
There is diverse existing cyber security guidance that may be used by utilities. Nevermore Security conducts assessments against various standards such as the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2).
TRAINING
With the constantly changing technical and threat environments, cyber security training is necessary to increase knowledge and reduce cyber security risk. Nevermore Security trains utility staff, regulators, and users in cyber security. The training may also include tabletop exercises.
APPLIED CRYPTOGRAPHY
One area of critical importance to the security of the modernized grid is cryptography. Nevermore Security provides guidance on implementing cryptographic techniques to ensure confidentiality, non-repudiation, and authentication in the utility environment.
ASSESSMENTS AGAINST STANDARDS
There is diverse existing cyber security guidance that may be used by cyber security practitioners in addressing cyber security. Utilities must analyze all of this guidance, which is written at different levels of specificity and focus. Many of the standards are voluntary; however, some are mandatory, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards and the European Directive on security of network and information systems (NIS Directive).
TRAINING
With the constantly changing technical and threat environments, cyber security training is necessary to increase knowledge, alter behaviors, and reduce cyber security risk. The training may be tailored to the unique requirements of utility staff, regulators, and users. The training may also include tabletop exercises that are used to test an organization’s plans, policies, and procedures for incident detection, response, and recovery.
APPLIED CRYPTOGRAPHY
One area of critical importance to the security of the modernized grid is cryptography. Cryptographic techniques are used to ensure confidentiality, non-repudiation, and authentication. Cryptography is particularly useful when data transmission or authentication occurs over communications networks where physical protection mechanisms are often cost-prohibitive or impossible to implement, as is typical in the electric sector.
Annabelle Lee has over 40 years of technical experience in IT system design and implementation and over 25 years of experience in cyber security design, specification development, and testing.
Over the last 15 years, she has focused on cyber security for the energy sector. Over her career she has authored or co-authored many documents on cyber security, cryptography, and testing. She began her career in private industry, concentrating on IT system specifications, software testing, and quality assurance.