Guide to Developing a Cyber Security and Risk Mitigation Plan
Total Page:16
File Type:pdf, Size:1020Kb
NRECA / Cooperative Research Network Smart Grid Demonstration Project Guide to Developing a Cyber Security and Risk Mitigation Plan DOE Award No: DE-OE0000222 National Rural Electric Cooperative Association, Copyright 2011 1 NRECA / Cooperative Research Network Smart Grid Demonstration Project Guide to Developing a Cyber Security and Risk Mitigation Plan Prepared by Evgeny Lebanidze Cigital 21351 Ridgetop Circle Suite 400 Dulles, VA 20166-6503 [email protected] 703-585-5047 for The National Rural Electric Cooperative Association’s Cooperative Research Network 4301 Wilson Boulevard Arlington, VA 22203 National Rural Electric Cooperative Association, Copyright 2011 2 The National Rural Electric Cooperative Association The National Rural Electric Cooperative Association (NRECA), founded in 1942, is the national service organization supporting more than 900 electric cooperatives and public power districts in 47 states. Electric cooperatives own and operate more than 42 percent of the distribution lines in the nation and provide power to 40 million people (12 percent of the population). The Cooperative Research Network (CRN) is the technology research arm of NRECA. ©Guide to Developing a Cyber Security and Risk Mitigation Plan Copyright © 2011 by National Rural Electric Cooperative Association. Legal Notice This work contains findings that are general in nature. Readers are reminded to perform due diligence in applying these findings to their specific needs as it is not possible for NRECA to have sufficient understanding of any specific situation to ensure applicability of the findings in all cases. Neither the authors nor NRECA assumes liability for how readers may use, interpret, or apply the information, analysis, templates, and guidance herein or with respect to the use of, or damages resulting from the use of, any information, apparatus, method, or process contained herein. In addition, the authors and NRECA make no warranty or representation that the use of these contents does not infringe on privately held rights. This work product constitutes the intellectual property of NRECA and its suppliers, as the case may be, and contains confidential information. As such, this work product must be handled in accordance with the CRN Policy Statement on Confidential Information. Contact: Craig Miller Evgeny Lebanidze CRN Project Manager Security Team Lead [email protected] [email protected] 703-626-9683 703-585-5047 National Rural Electric Cooperative Association, Copyright 2011 3 Compliance vs. Plans This document is intended to help cooperatives develop a cyber-security plan for general business purposes, not to address any specific current or potential regulations. Its foundation is the National Institute of Standards and Technology Interagency Report 7628 (NIST-IR 7628), which is a survey of standards and related security considerations for the smart grid. NIST-IR 7628 does not establish regulations, but is a forward-looking document outlining a strategy for improving smart grid interoperability and security. Independent of this document, co-ops should understand what regulations, if any, pertain to them. A plan as addressed here is not required and development of a plan is not a substitute for, nor guarantee of compliance with any standards. Conversely, real security requires more than simply compliance with rules – the organization must embrace security as a basic requirement of business operations and develop a broad understanding of security. This guide helps cooperatives think about security in a systematic way, consistent with the current Federal thinking. The basic concept is not “do this and you are secure” but a commitment to a process of continuous improvement. National Rural Electric Cooperative Association, Copyright 2011 4 Table of Contents Preface Purpose ............................................................................................................................... 10 Scope ................................................................................................................................... 10 Target Audience .................................................................................................................. 10 Contacts .............................................................................................................................. 10 Executive Summary ...................................................................................................... 11 Introduction .................................................................................................................. 12 Quick Start Guide ......................................................................................................... 15 Additional Cyber Security Standards and Guidance ....................................................... 16 Building a Risk Management Program ......................................................................... 17 Appointing Leadership ........................................................................................................ 18 Establishing a Risk Management Framework ....................................................................... 18 Defining the System ........................................................................................................ 19 Cyber Asset Identification and Classification ................................................................... 19 Identifying Critical Cyber Assets ................................................................................. 20 Classifying Cyber Assets .............................................................................................. 20 Identifying the Electronic Security Perimeter Protecting the Cyber Assets ....................... 22 Conducting a Vulnerability Assessment ........................................................................... 23 Assessing and Mitigating Risks......................................................................................... 23 Assessing Impact and Risk Levels ............................................................................... 24 Mitigating Risks with Security Controls ....................................................................... 25 Evaluating and Monitoring Control Effectiveness ........................................................... 27 Addressing People and Policy Risks .............................................................................. 29 Cyber Security Policy ........................................................................................................... 29 Security Policy Elements .................................................................................................. 30 Security-Related Roles and Responsibilities ...................................................................... 31 Policy Implementation and Enforcement ........................................................................ 32 Policy Exceptions ............................................................................................................ 32 Personnel and Training ........................................................................................................ 32 Security Awareness and Training ..................................................................................... 33 Due Diligence in Hiring ................................................................................................... 33 Access Privileges.............................................................................................................. 33 Addressing Process Risks .............................................................................................. 37 Operational Risks ................................................................................................................ 37 Perform Periodic Risk Assessment and Mitigation ........................................................... 37 Enforce Access Control, Monitoring, and Logging .......................................................... 38 Perform Disposal or Redeployment of Assets ................................................................. 38 5 Enforce Change Control and Configuration Management ............................................... 38 Conduct Vulnerability Assessments ................................................................................. 39 Control, Monitor and Log All Access to Assets ............................................................... 39 Configuration and Maintenance ....................................................................................... 40 Incident Handling ............................................................................................................ 40 Contingency Planning ...................................................................................................... 41 Insecure Software Development Life Cycle (SDLC) Risks ................................................... 45 Physical Security Risks ......................................................................................................... 51 Plan and Protection ......................................................................................................... 53 Monitoring, Logging, and Retention ................................................................................ 53 Maintenance and Testing ................................................................................................. 53 Third -Party Relationship