Utility Sector


Outrunning the Bear

A Cybersecurity Assessment Boards Actually Care About

by Jason Christopher, Axio Chief Technology Officer

November 5, 2018

Boards and executives are becoming increasingly involved in cybersecurity planning and strategy discussions. This is a marked improvement over the last decade, driven in large part by headline-grabbing public incidents. But those headlines are a double-edged sword. Now executives not only want to know how their organization is doing with regard to cybersecurity, but also how they compare to their peers.

In my recent Forbes piece, I discuss the usefulness of maturity models, specifically the Cybersecurity Capability Maturity Model (C2M2) and the NIST Cybersecurity Framework (CSF). Both bodies of work contain guidance for new and existing programs while also providing a self-assessment methodology for evaluating your organization’s cybersecurity practices. As the former technical lead for the C2M2 and the federal energy sector lead for the CSF, I have been able to see both programs evolve across industry, but they always lead to the same question from executives—“But how do we benchmark across industry?”

There’s no mystery as to why this question comes up—cybersecurity is full of acronyms, terms of art, and is deeply technical. It may not always be obvious what steps to take next. And while maturity models inherently describe how to “crawl, walk, and run,” some organizations may rightfully ask, “do we really need to run right now, or is walking fine for our cybersecurity program?” Well, as the old adage goes, when fleeing from a bear at a picnic, you do not need to be faster than the bear—just the person next to you. Some executives, whether right or wrong, may just want to know if the person next to them is running faster.

At Axio, we believe maturity models have a vital place in program management. But we also understand the power of benchmarking and data analytics. That’s why our Axio360 platform leverages both. Not only can you evaluate your program using either the C2M2 or CSF, but you can also provide valuable benchmarking analytics to boards and executives. Combined with the other elements of Axio360, including cyber risk quantification and insurance analysis, your security program will be equipped with meaningful metrics. We’ve seen clients use our platform to justify budgets, hire additional resources, and secure further executive buy-in on important security and financial controls.

At the end of the day, executives want to know the right thing is being done. Maturity models and data analytics can provide that peace of mind. Read more about the C2M2 and CSF and see how these self-assessments can help your program.

Key Cyber Security Trends in the Utilities Sector

by Axio

March 20, 2018

At Axio, we are committed to helping companies quantify the impact of a potential cyber event. What would it mean to a company’s bottom line? What vulnerabilities exist in an enterprise’s security controls and insurance programs? And, from an investment standpoint, where does it make the most sense to invest to effectively reduce cyber risk?

For all these reasons and more, we are extremely pleased to announce a new strategic partnership with North Highland, a global management consulting firm. We will be providing North Highland’s energy and utilities clients with our unmatched technology and services, all geared to addressing and protecting against cyber security events.

Our partnership with North Highland focuses on delivering:
· Exposure Quantification. Understanding the types and scale of financial impacts that could arise from a complex cyber event.
· Cyber Program Evaluation. Measuring the current maturity of the cyber security program, establishing a target profile, and building the plan to achieve higher maturity.
· Insurance Analysis & Stress Test. Understanding the organization’s ability to recover from a complex and costly cyber event, and how the insurance portfolio will respond.

North Highland Vice President Stephen Kinney notes the importance of the utilities industry to the world—and why, therefore, it’s critical that utility companies take a risk-based approach to cybersecurity—in his latest post, Key Cyber Security Trends in Utilities Sector:

Utilities are evolving fast through digitization. More assets are getting connected today than ever in order to become agile, customer focused and innovative. This leaves the sector vulnerable to cyber attacks, as has been witnessed throughout the world in recent years.

Stephen Kinney

The One Thing your Utility Security Program is Missing

by Jason Christopher, Axio Chief Technology Officer

January 12, 2018

Ever since the Federal Energy Regulatory Commission approved mandatory cybersecurity standards for the nation’s grid, self-proclaimed gurus and experts have been making a headache of things. The Critical Infrastructure Protection (CIP) standards are one of the few compliance requirements that can monetarily penalize asset owners/operators for poor cybersecurity hygiene. And all the cool kids want to be CIP “ninjas.” But how do hiring managers, engineers, or IT peers know that the person they are talking to is really a CIP master?

Late last year, SANS announced a new certification for electric grid stakeholders interested in verifying their CIP chops—the GIAC Critical Infrastructure Protection (GCIP) certification (https://www.giac.org/certification/critical-infrastructure-protection-gcip). The multi-hour exam tests participants on the knowledge and skills needed to execute a successful utility security program, including:

  • BES Cyber System identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability
  • Strategic implementation approaches for supporting technologies
  • Recurring tasks and strategies for CIP program maintenance

The exam is great for lifelong CIP experts and newbies who want to take that next step in their career. Moreover, it covers the entire CIP universe—so you know any GCIP-certified personnel will be a well-rounded security professional with an understanding of compliance, technical aptitude, and all the various components needed to not just be compliant, but to be secure.

The certification is accompanied by a course from SANS, the foremost leader in security training, which I also teach—ICS456: Essentials for NERC CIP (https://www.sans.org/course/essentials-for-nerc-critical-infrastructure-protection). The course is not a prerequisite for taking the certification, but the amount of information we give you over 5 days (and 25 hands-on labs!) will definitely help out anyone looking to prove themselves with the GCIP.

The GCIP officially goes live in February, just in time for my next run of ICS456 in Anaheim, CA (https://www.sans.org/event/southern-california-anaheim-2018/course/essentials-for-nerc-critical-infrastructure-protection)!

NIST Updates Guidance for Critical Infrastructure Security: What You Need to Know

by Jason Christopher, Axio Chief Technology Officer

December 18, 2017

NIST releases the Cybersecurity Framework V1.1 Draft 2 with new guidance.

In February 2014, the US National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF), as directed by Executive Order 13636. Later that year, Congress passed the Cybersecurity Enhancement Act and solidified NIST’s role with critical infrastructure owners and operators through support and facilitation of cybersecurity risk frameworks. Over the past three years, NIST has held multiple workshops and collected comments across industry, academia, and government agencies.

Axio has worked alongside this team in many ways over the last three years. Several members of our team, including Dave White, Nader Mehravari, Lisa Young, and Pamela Curtis, participated in the original NIST CSF drafts and workshops for transportation, healthcare, and financial sector perspectives across industry and academia. At the time, my role at the US Department of Energy was to ensure the NIST CSF would not conflict with existing efforts, like the mandatory compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards or the voluntary Cybersecurity Capability Maturity Model (C2M2) efforts. Moreover, I collaborated with industry members across the electric and oil and natural gas sectors to ensure the CSF would work for their operating environments, regardless of size, function, or ownership. This critical work led to the Energy Sector Implementation Guidance document for using the NIST CSF.

Over nearly four years, industry has grown with the CSF. We have seen its adoption across multiple sectors, especially finance, healthcare, and water. While we have personally seen great success with measuring the CSF through the C2M2, many organizations have adopted different methods for assessing their adoption of the CSF. Moreover, we have seen more organizations talk about CSF functions when working across their cybersecurity supply chain, including asking suppliers to provide evidence that they are meeting contractual cybersecurity obligations. Critical infrastructure cybersecurity programs have matured as a result of the CSF dialogue since the first version was released.

The latest draft update attempts to codify some of the lessons learned since the release of V1.0, including:

  • Self-assessment guidance for measuring an organization’s cybersecurity program improvement;
  • Using the CSF for procurement and other supply chain decisions;
  • Examining a “cyberattack lifecycle” to provide further context to the CSF;
  • New subcategories (and informative references) for authentication and coordinated vulnerability disclosure; and
  • A roadmap of additional discussion topics.

These new additions are meant to augment the existing CSF, meaning there is no gigantic overhaul for organizations that want to incorporate the new recommendations. That said, without a preferred method for self-assessing against the CSF, most organizations will need to either create their own metrics program or leverage a facilitator or third-party tool.

There’s a lot to consider with this new update. Axio will be working with our clients to ensure industry benefits from clear, concise, and actionable guidance. In the coming weeks we will examine the latest draft and provide our thoughts on some of the key topics, including security metrics and supply chain considerations.

Until then we’re here to help—and if your organization has any questions about the latest draft, feel free to reach out to us at info@axio.com.


Copyright 2018 Axio Global, Inc.
