Industry Reliability and Security Standards Working Together
Where the standards are going and where your program should be heading
21 August 2014
About your presenters
Josh Axelrod
► Ernst & Young LLP Cybersecurity, Power & Utility lead
► Former NERC CIP auditor
► Former Navy nuclear engineer
► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CGEIT
Matt Davis
► Ernst & Young LLP Cybersecurity, Power & Utility team
► Former NERC CIP auditor
► Former ISP/telecom engineer
► Certifications: CISSP, CISA, CISM, GICSP, CRISC, CIPP/IT
Overview
► Version Control
► Taking Control
► Framework Alignment
► Reliability Assurance Initiative
► Take a Risk
► Predictions
21 August 2014 Industry Reliability and Security Standards Working Together
Version (out of) Control
Which version?
► NERC CIP standards are rapidly evolving and fragmenting: the drafts below carry different version numbers even though they are meant to be enforced together.
► Current list of draft RSAWs (Reliability Standard Audit Worksheets):
► CIP-002-5.1
► CIP-003-6
► CIP-004-6
► CIP-005-5
► CIP-006-6
► CIP-007-6
► CIP-008-5
► CIP-009-6
► CIP-010-2
► CIP-011-2
Not much to see here, keep moving …
► Overview of V6 changes
► Removal of the Identify, Assess, Correct (IAC) language
► “Cabling” is back with mitigating controls … again (physical protection of communication cabling that runs outside the Physical Security Perimeter)
► Physical ports control for PCAs (Protected Cyber Assets)
► Transient devices – controls applied prior to use
► CIP-014-1 (physical security of transmission stations and substations)
► Third-party assessments
► Who is qualified? Who is willing?
Take Controls
Let It Go
► Move away from regulatory requirements as the driver of the program
► Right-size for your organization based on risk and budget
► Create your own story
► Leverage other frameworks
► Review all controls for need
► Similar to the ISO 27000 approach: select controls from a risk assessment and justify each inclusion or exclusion
Keys to Control Success
► Development
► Program – design
► Controls – effectiveness
► Maintain – change control
► Mapping
► Get granular
► Risk management process
► Drive selection
Framework Alignment
Why NIST?
► SP 800-53 is comprehensive and free
► What NERC CIP was supposed to use and will continue to evolve toward
► Strong guidance
► Guidance from the rest of the 800 series
► Alignment to federal policy (EO 13636)
► Alignment to SP 800-82 (ICS security)
► Detonation chambers (SC-44: sandboxed execution of untrusted content)
Other Options
► ISO 27001 – international and corporate
► Not free
► BITS (Shared Assessments) – third-party assessments
► Not free
► PCI DSS – encryption, virtualization guidance
► Free
Reliability Assurance Initiative
Reliability Assurance Initiative (RAI)
► Risk Assessment
► The Region will develop a transparent but customized compliance profile based on the Registered Entity’s impact to the grid.
► The assessment will be shared with the Entity so that it understands how it will be monitored as part of the compliance profile.
► Internal Controls Reliance
► The Entity’s internal control practices will be provided to and reviewed by the Region.
► The Region will evaluate the level of the Entity’s internal control program to tailor compliance activities in conjunction with the assessment.
A New Hope
► Aggregation of non-compliance
► Based on the level of controls reliance and the Risk Assessment
► May be able to log minimal-risk non-compliance
► Trade-off in internal controls vs. minor deficiencies
► “Extra credit”
Internal Compliance Program
► What is an internal compliance program (ICP)?
► A formal process to achieve and mature compliance objectives through risk management practice enabled by controls
► What are the regulatory benefits?
► Culture of excellence, not compliance
► Reduction in compliance and reliability risks
► Potential for reduced auditing and penalties
► Components of an ICP (Objectives, Risk Management and Controls together form the ICP)
Objectives
• Quality improvement
• Assurance
• Proactive
• Prompt
• Preventative
Risk Management
• Risk management model
• Enterprise risk strategy
• Governance structure
• Compliance management functions
• Internal controls assessment
• Evaluation with independence
Controls
• Controls environment
• Programmatic processes
• SME training program
• Communication plans
• Industry participation
• Metrics reporting
Take a Risk
Risk Management
► Executive involvement
► Board-integrated
► Insight-driven and performance-oriented
► Intrinsic to the business and embedded in key business processes
Maturity
► Defines the appropriate activities for each maturity level
► Helps identify the best places for budget
► Builds a road map for the program
► Source: DOE ES-C2M2 (Electricity Subsector Cybersecurity Capability Maturity Model)
Summary
V7 Predictions
► Third-party compliance
► Threat management
► Baselines for monitoring
► HIPS or application white-listing
► Application security
► Honeypots … just kidding
Summary
► Manage security through risk
► Keep maturing to keep ahead
► Monitor trends to anticipate change
► Let the standards follow you
Q&A
► Thank you!
joshua.axelrod@ey.com
matt.davis@ey.com
Editor's Notes
• #6: Time to let go of versions