Cyber Security Risk Management and Risk Assessment Methodology Template

by Annabelle Lee, Chief Cyber Security Specialist, Nevermore Security

1  Risk Management Overview

The current power grid consists of both legacy and next generation technologies. These new components operate in conjunction with legacy equipment that may be several decades old and provide no cyber security controls. In addition, industrial control systems/supervisory control and data acquisition (ICS/SCADA) systems were originally isolated from the outside world. Sensors would monitor equipment and provide that information to a control room center. As networking technology has advanced and become more accessible, organizations have made decisions to integrate systems. This integration is necessary to take advantage of the new technology that is being deployed. With the increase in the use of digital devices and more advanced communications and information technology (IT), the overall attack surface has increased. 

Cyber security must address deliberate attacks launched by disgruntled employees and nation states as well as non-malicious cyber security events such as user errors. Because organizations, including utilities, do not have unlimited resources such as personnel and funds, cyber security must be prioritized with the other components of enterprise risk. Risk is the potential for an unwanted impact resulting from an event. Cyber security risk is one component of enterprise risk management, which addresses many types of risk (e.g., financial, mission, public perception). 

In addition, to adequately address potential threats and vulnerabilities, cyber security must be included in all phases of the system development life cycle, from the design phase through implementation, operations and maintenance, and disposition/sunset. Cyber security must be constantly assessed and revised to address evolving threats, vulnerabilities, and security incidents. 

The purpose of this document is to specify a risk management and risk assessment template that may be used by utilities. This also includes the selection and tailoring of cyber security requirements and measures/controls. This document is NOT an attempt to develop new guidance, but rather to document the diverse existing guidance that is applicable to the electric sector.

Energy Diplomacy: USAID and USEA Enhancing Cybersecurity in Eastern Europe

PUF Magazine article, Annabelle Lee (co-author)

“UCSI is advancing a rational approach to cyber capital expenditures with a risk-based assessment methodology specific to Eastern Europe’s technology and business practices.”

ICS Cybersecurity Strategy Paradigm White Paper March 2018

Industrial Control Systems Cybersecurity Strategy, A New Approach

by Annabelle Lee, Nevermore Security

Executive Summary

Threats to the Industrial Control Systems (ICS) and Operational Technology (OT) that operate our critical infrastructures are now in the daily news media. ICS automate the operation of power plants and the flow of oil and natural gas through pipelines nationwide, and support the critical manufacturing of goods and pharmaceutical products for everyday use. Attacks on these systems can cause interruptions of major critical infrastructures, physical damage, and potentially threaten human health and safety.

Advances in technology and today’s offerings of Industrial Internet of Things (IIoT) devices expand the attack surface of the ICS, with the impact extending to all parts of the organization operating the critical infrastructure, the supply chain, and ultimately the end-use customers. Current cybersecurity solutions cannot provide comprehensive protection against all the known and unknown threats to the automation components that operate the critical infrastructures, and specifically the energy sector. Particularly with the constantly changing threat and technology environments, this defensive approach results in the critical infrastructures constantly trying to play catch-up in cybersecurity. Cyber attacks may be launched, for example, by malicious insiders, via the supply chain, and/or by unauthorized remote access. Attackers only have to be effective once, while defenders need to be effective 100% of the time. It is not realistic to be 100% effective in identifying and addressing all known and potential cyber attacks. In addition, with the increasing availability of attack tools and techniques, the end result is that the defenders keep falling further behind in addressing cybersecurity.

This white paper proposes an alternative to the current defensive paradigm. The proposed paradigm augments the defensive approach by considering cybersecurity from the attacker’s perspective, which includes identifying attack surfaces, attack vectors, and impacts. Because it is not possible to mitigate all potential cyber events, the objective is to identify the most common attack paths and mitigate the highest-impact cyber events, independent of the specific attack method. This includes both known and potential cybersecurity events; unknown cyber events are characterized by their impact on the ICS and on the reliability of the grid. This paradigm will allow the energy sector to be more proactive in addressing cybersecurity and more resilient in the event of cyber attacks.

Recommendations for the European Commission on a European Strategic Framework and Potential Future Legislative Acts for the Energy Sector (co-author)

The Commission, under the lead of DG Energy, is preparing a strategy on cyber security for the whole energy sector, to reinforce and complement the implementation of the Directive on security of Network and Information Systems (NIS) at energy sector level and to foster synergies between the Energy Union and the Digital Single Market agenda. In this respect, the Energy Expert Cyber Security Platform (EECSP) Expert Group started work in December 2015. This document reflects the work of this Expert Group towards the development of an energy cyber security strategy, through analysis of the respective cyber security challenges and existing policy papers, with the aim of recommending actions for consideration by the European Commission.

  • Chapter 3 provides an executive summary highlighting the key analysis results and recommended actions.
  • The approach and methodology to derive these recommendations from the EECSP-Expert Group is described in detail in chapter 4.
  • Chapter 5 gives a detailed view on the challenges in the energy sector as viewed by the EECSP-Expert Group.
  • These have led to a set of strategic areas that need to be addressed by the energy sector; the strategic areas are described in chapter 6.
  • Chapter 7 summarizes the existing policy landscape in cyber security for the energy sector at European Union level.
  • These policy papers were analyzed in the context of the strategic areas identified in order to identify gaps in the existing policy which are provided in chapter 8.
  • A set of recommended actions to be considered by the European Commission are included in chapter 9.

Security Architecture Methodology for the Electric Sector, Version 2.0 (co-author)

At present, there is no common security architecture methodology used throughout the utility industry. Several architecture frameworks are available, and each includes unique terms and definitions. In general, these frameworks are intended for use in developing an enterprise architecture and not specifically a cyber security architecture.

Typically, an enterprise architecture does not address cyber security, specifically the overall attack surface, attack vectors, potential vulnerabilities, and applicable mitigation strategies. The challenge is to develop a security architecture methodology that augments, rather than replaces, current enterprise architecture methodologies and is at a level that is useful to utilities. This report includes the second version of a cyber security architecture methodology that may be used by utilities for existing and planned system architectures. This report applies the methodology to distribution and transmission substations and includes reference architectures for legacy, transition, and future/target configurations. A reference cyber security architecture may be used in evaluating the current system configuration and defining transition and target configurations.

Substation Attack Surface Analysis

Technical Report, December 2016 (co-author)

As utilities modernize the grid, they will need to assess the security architecture, identify potential vulnerabilities that may be exploited by an attacker, and determine appropriate mitigation strategies. This can be a difficult task without the use of a security architecture methodology.

The purpose of this document is to define a security architecture methodology that may be implemented throughout the electric sector by utilities of all sizes – large Investor Owned Utilities (IOUs), municipalities, and cooperatives. There are several architecture frameworks that are currently available, and each includes unique terms and definitions. In general, these frameworks are intended to be used to develop the enterprise architecture, and not specifically a security architecture. The frameworks that focus on security architectures typically do not include an approach for analyzing the attack surface and identifying attack vectors and potential vulnerabilities that may be exploited. The focus of this document is to present a standardized security architecture methodology that has been applied to transmission and distribution substations that includes an approach for analyzing the attack surface and reference architecture diagrams. This is the second version of this methodology. This document is a companion document to EPRI’s Substation Security Architecture Reference Diagrams, Version 1.0 (3002009519, December 2016).

Substation Security Architecture Reference Diagrams, Version 2.0 (co-author)

The nation’s power system consists of both legacy and next generation technologies. This includes devices that may be 30-50 years old, include no cyber security controls, and implement proprietary communication protocols and applications. Many of these legacy devices have significant computing and performance constraints that limit the cyber security controls that may be implemented.

By contrast, new technologies may include modern information technology (IT) devices with commercially available applications and communication protocols. The new operations technology (OT) devices may also include commercially available applications and communications functions. With this shift in technology, utilities are exploring methods to better address cyber security requirements. This encompasses prioritizing the systems, performing a cyber security risk assessment, and determining the impacts of a cyber security compromise. Such activities are all part of a cyber security strategy.

Another component of the cyber security strategy is the cyber security architecture. At present, utilities have enterprise architecture diagrams, but they have not typically developed their cyber security architecture. This technical update includes transmission and distribution substation cyber security architecture reference diagrams for legacy, transition, and future configurations. The update serves as a companion document to EPRI’s Substation Attack Surface Analysis (3002010417, December 2017).

Cyber Security Architecture Methodology for the Electric Sector, Version 1.0 (co-author)

For grid modernization, increased interconnection in electric sector devices is required, and this will result in a larger attack surface that may be exploited by potential adversaries such as nation-states, terrorist organizations, malicious contractors, and disgruntled employees. A security architecture methodology is an important tool in a utility’s cyber security risk management strategy and a reference cyber security architecture may be used to support utility situational awareness.

Typically, an enterprise architecture does not address cyber security – specifically, the overall attack surface, attack vectors, potential vulnerabilities, and applicable response strategies. The challenge is to develop a security architecture methodology that augments, rather than replaces, current enterprise architecture methodologies and is at a level that is useful to utilities. This report includes the first version of a cyber security architecture methodology that may be used by utilities for existing and planned system architectures. The objective is to provide a common methodology that may be used by utilities of all sizes, from large investor owned utilities to smaller cooperatives and municipalities.

Attack Trees for Selected Electric Sector High Risk Failure Scenarios – Version 2.0

NESCOR slide deck (technical lead and co-author)

The briefing contains:

  • Key results from the National Electric Sector Cybersecurity Organization Resource (NESCOR) document “Analysis of Selected Electric Sector High Risk Failure Scenarios”
    • Failure scenarios selected from the prior NESCOR document “Electric Sector Failure Scenarios and Impact Analyses”
  • The PowerPoint format supports:
    • Tailoring of information by utilities
    • Use of information in a meeting setting

Electric Sector Failure Scenarios Common Vulnerabilities and Mitigations Mapping – Version 2.0 (technical lead and co-author)

This document serves as a further reference for the National Electric Sector Cybersecurity Organization Resource (NESCOR) Electric Sector Failure Scenarios and Impact Analyses version 3.0 document, which was produced by the Electric Power Research Institute (EPRI) for the U.S. Department of Energy (DOE).

Version 0.9 of the Failure Scenarios document listed the initial lists of vulnerabilities, impacts, and mitigations. The vulnerabilities and mitigations were written as unstructured English sentences. Technical Working Group 1 (TWG1) recognized that consistency of terminology and structure within these lists would have several benefits, including improving document readability and enabling analyses of the Failure Scenarios. In particular, the team wanted to identify the common vulnerabilities and common mitigations. TWG1 devised a structured form for the vulnerabilities and mitigations that would support this goal, and it used the same form for both lists: common vulnerability/mitigation followed by the vulnerability/mitigation context.

The document is structured as follows:

  • Appendix A provides the grouping of common vulnerabilities into NISTIR 7628 Vulnerability Classes;
  • Appendix B provides the mapping of the original vulnerabilities in Failure Scenarios version 1.0 to common vulnerabilities in version 2.0;
  • Appendix C provides the grouping of common mitigations into mitigation classes called mitigation action groups, defined by TWG1; and
  • Appendix D provides the mapping of the original mitigations in Failure Scenarios version 0.9 to common mitigations in version 1.0.