Cybersecurity / Regulatory Overview

Presentation transcript:

Cybersecurity / Regulatory Overview, 25 FEB 2019. Tracy Monteith, Director, Cybersecurity, Black & Veatch Management Consulting.

Purpose: Provide perspective on cybersecurity best practices and address alignment to standards. Facilitate discussion on the regulatory overview. Bottom Line Up Front: A holistic and comprehensive approach to risk management and resiliency that enables Due Diligence and Due Care (to include the protection of personnel, operations, and assets) forms a sound foundation for cybersecurity best practices irrespective of industry. Approach: This briefing consists of a narrative of cybersecurity-related graphics that illustrates threats, cybersecurity domains, and alignment to regulations.

Agenda: Cybersecurity Overview; Threats and Cybersecurity Challenges; Cybersecurity Perspectives (IT vs OT Technologies, OSI alignment for the Energy Sector and other industries); Regulatory Landscape for Cybersecurity; Building Blocks approach for Holistic Coverage and Best Practices; Support Processes and Best Practices.

Defining Cybersecurity: Cybersecurity encompasses solutions against all sorts of breaches and hacking, including internal misuse, corporate espionage, ransomware, crypto-mining and denial of service attacks. Cybersecurity is the concept of protecting information and technology systems from attacks, damage or unauthorized access. Due Care: Putting reasonable measures in place to protect assets or data. Due Diligence: Ensuring that security measures remain sufficient to protect those assets or data. (Graphic labels: Risk/Resilience, OT Security, IT Security, Physical Security.) Cybersecurity is only part of a holistic security risk and resilience effort that is required to protect people, assets, and operations.

Primary Driver: Cyber threats are increasing across all sectors. Cyber and reliability incidents are real, recent, and relevant. Most incidents are preventable with cybersecurity best practices.

Cybersecurity Challenges

Cybersecurity High-level Overview: B&V services align with market segments.

IT vs. OT Perspective: Graphic illustrates the alignment of technologies to IT and OT. Security, Risk, and Resiliency is a planning aspect of each cell.

OSI Model Perspective

Regulatory Landscape for Cybersecurity: ITIL (Network Operations and Services Mgmt.); ISO 27001/27002 (ISMS/InfoSec); NIST RMF, 800-53 Controls Framework; COBIT (Security Operations Services Mgmt.); SOX, HIPAA; University Programs (Carnegie Mellon); Cisco Systems (PPDIOO) Network Project Management; Industry (Deloitte / Price-Waterhouse / Accenture / SAIC / BoozAllen / BAE / Boeing / KPMG / Microsoft / General Dynamics).

The PPDIOO phases are as follows:

Prepare: Involves establishing the organizational requirements, developing a network strategy, and proposing a high-level conceptual architecture identifying technologies that can best support the architecture. The prepare phase can establish a financial justification for the network strategy by assessing the business case for the proposed architecture.

Plan: Involves identifying initial network requirements based on goals, facilities, user needs, and so on. The plan phase involves characterizing sites, assessing any existing networks, and performing a gap analysis to determine whether the existing system infrastructure, sites, and operational environment can support the proposed system. A project plan is useful for helping manage the tasks, responsibilities, critical milestones, and resources required to implement changes to the network. The project plan should align with the scope, cost, and resource parameters established in the original business requirements.

Design: The initial requirements that were derived in the planning phase drive the activities of the network design specialists. The network design specification is a comprehensive detailed design that meets current business and technical requirements, and incorporates specifications to support availability, reliability, security, scalability, and performance. The design specification is the basis for the implementation activities.

Implement: The network is built or additional components are incorporated according to the design specifications, with the goal of integrating devices without disrupting the existing network or creating points of vulnerability.

Operate: Operation is the final test of the appropriateness of the design. The operational phase involves maintaining network health through day-to-day operations, including maintaining high availability and reducing expenses. The fault detection, correction, and performance monitoring that occur in daily operations provide the initial data for the optimization phase.

Optimize: Involves proactive management of the network. The goal of proactive management is to identify and resolve issues before they affect the organization. Reactive fault detection and correction (troubleshooting) is needed when proactive management cannot predict and mitigate failures. In the PPDIOO process, the optimization phase can prompt a network redesign if too many network problems and errors arise, if performance does not meet expectations, or if new applications are identified to support organizational and technical requirements.

Pick one ….

Cybersecurity Framework Industry Requirements: EPA mandated Risk & Resilience Assessment (must include Cyber). NERC/CIP Framework Categories align with NIST Security Controls. Mostly safety and operations driven. All roads (eventually) trace to NIST; NIST provides a mature framework for holistic risk management.

Water Industry – Regulatory Landscape Specifics: AWWA prescribes a 7-Step RAMCAP Process. Additionally, EPA requires water utilities to complete a Vulnerability Assessment annually that includes cybersecurity. CA has additional requirements for privately held water utilities to deliver clean, safe, and reliable water to customers.

Regulatory Landscape alignment of Cybersecurity: The next few slides will walk through the key aspects of governing regulations. This does not include the numerous DoD agency cybersecurity and information assurance/information protection regulations, such as DoD 1000.25 (Personnel Identity Protection) and DoD 8570 (mandatory minimum credentials for access control).

Regulatory Landscape alignment to Cybersecurity (1 of 3). Sectors covered: Government, Commercial Industry, Financial / Accounting, Healthcare.

Privacy Act 1974 – PII protection, fair use, and systems maintained by the Federal Government. A growing number of states have consumer data protection laws (ex. Mass 201 CMR 17).

Sarbanes-Oxley Act (SOX) – Protection from accounting errors and corporate fraud. Internal controls, data storage, data transmission, encryption, key mgt, segregation of duties. Aligns with Control Objectives for Information and Technologies (COBIT) for auditing.

Health Insurance Portability and Accountability Act (HIPAA, 1996) – Protects patient care, treatments, payment details, and health care operations. Includes administrative, physical, and technical safeguards: Access Control, Audit Controls, Data Integrity, Authentication, Transmission Security, and Encryption for PHI and PII.

Payment Card Industry (PCI) Data Security Standard (DSS) – A continuous compliance process of Assess, Remediate, Report. PIN Security, Vendor Security, Data Security, Vulnerability Assessment & Mgt Requirements, Data Storage, Data Encryption.

Regulatory Landscape alignment to Cybersecurity (1 of 3). Service Related Industries.

Standards for Attestation Engagements nos. 16 & 18 (SSAE); Systems and Organizational Controls (SOC) – “Cyber Attest”: Service Auditor, Internal Controls and Services Audit, Annual Risk Assessment Process, Cyber Risk Management Program, Risk Governance, Information at Risk identification. Considerations are: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SSAE/SOC standards trace to NIST.

Report Types: SOC 1: Internal Control over Financial Reporting. SOC 2: Trust Services Criteria (TSC). SOC 3: TSC General Use Report.

Who needs it?: Payroll processors, medical claims processors, loan servicing companies, data center companies, and Software-as-a-Service (SaaS) companies that may impact the financials of their user entities.

The program must include the set of policies, processes and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives, and to detect and respond to, mitigate and recover from security events on a timely basis.

Regulatory Landscape alignment to Cybersecurity (1 of 3). NERC/CIP – Energy Sector Framework for utilities and industries that leverage ICS. TSA – Protecting transportation infrastructure and the Transportation Systems Sector (TSS); aligns with DHS pillars: Risk Identification, Vulnerability Reduction, Consequence Mitigation, Cybersecurity Outcome Enablement. TSA uses a continuous improvement model: Assess, Protect, Respond, Strengthen, Improve. NRC/NEI/10 CFR 73 – Nuclear plant physical security, machinery protection, data protection, nuclear materials protection, risk assessments, risk controls framework. AWWA – EPA requires a holistic risk and resiliency assessment that includes cybersecurity.

Cybersecurity Building Blocks: The Building Blocks approach aligns with NIST controls. Building Blocks represent the necessary elements that form a holistic cybersecurity program.

NIST Controls to Building Block Alignment

NERC Controls and Requirements to Building Block Alignment NERC and NIST have complementary control requirements.

Processes and Best Practices: For end results, deliberate planning that leverages a well-defined process (such as PAADIO) produces optimal results that integrate Policies, Architecture, and Risk Management. PAADIO phases: Planning, Assessment, Architecture, Design, Implementation, Optimization. Integrated elements: Policies/Governance, Architecture, Risk Management.

Questions, Comments, Discussion

Backup Slides

Smart Start® (Vision, Goals, Planning) and Smart Utility Infrastructure® (Build, Operate). Phase staffing: Planning – C-Level + Directors, Network Eng. Mgmt.; Architecture (Conceptual) and Assessment – Lead Network Eng., App/Service Owners; Design (Detailed) – Full Network Eng. Staff; Implementation and Optimization – plus assigned staff Eng.

Smart Start activities:
Establish understanding of strategic business drivers, goals and challenges.
Apply value-engineering principles.
Identify innovation opportunity for included execution phases.
Acquire stakeholder input to define project criteria.
Gain customer definitions for data infrastructure Current State, high-level, based on available data using proprietary information request form(s).
Acquire common understanding for Project Definition of Telecom Master Planning (TMP).
Link cybersecurity policy program(s) to data network infrastructure goals with TMP.
Acquire common understanding of risk/value coverage.

Assessment and architecture activities:
Review current data network, T&D automation topology, etc.
Compare Current State to industry benchmarks, analyzing application of industry standards and value-variances.
Assess data and security network design, infrastructure and operations (OA&M).
Assess applications and services requirements and data flow in network context.
Collect and analyze data network performance.
Identify and analyze cybersecurity architecture and infrastructure overlay/integration.
Security technical vulnerability assessment and penetration testing.
Assess data network documentation standards and utilization.
Develop and document Future State design with TMP and discovery inputs, incl. systems requirements.
Develop and document data network gap analysis.
Develop and document conceptual network architecture.
Research, evaluate and compare existing and emerging technologies, incl. comparison matrices.
Identify mission and non-mission Critical Assets (Cyber Assets).
Identify and define existing support process impact.
Develop and document Solutions Analysis.
Information Security Policy impact.
Develop, document and execute RFI/RFP for Future State design – PoC validation.
Build initial BoM for budgeting estimates.
Develop and document functional requirements.

Design activities:
Develop, document and execute RFP for Future State design.
Develop and document detailed network designs and specifications, including logical/physical drawings and interface-level configuration elements.
Generate design – build final Bill of Materials (BoM) for budgeting allocations.
Develop and execute solution validation activities including lab, proof-of-concept and field trials.
Identify and define Operations and Monitoring integration impacts and associated design requirements.
Develop and document detailed network design for security data network overlay and integration.
Identify data network construction program requirements, timing, milestones, resources, etc.
Plan Future State implementation considering convergence and migration processes, with risk identification and mitigation.
Organizational and operational change management identification and integration with the Design and Implementation program.

Implementation and optimization activities:
Assigning of qualified expert resources; verification and validation certification.
Design, installation and testing activities.
Execute convergence and migration plan, end-to-end methods of procedure and field validation test plan execution.
Customer sustainment – training and knowledge transfer.
Assist in industry regulatory tracking and impact.
Execute or assist with recommended annual infrastructure health checks.
Sustainment activities, e.g. updating of “as-built” documentation, network device configuration baseline deviations, platform OS security patch review, etc.
Data network infrastructure audits of network policies and procedures.
Information Security overlay and integration audits, controls, policy and procedures – analyze effectiveness of OA&M activities relative to newly applied designs.
Network “triage”, project restart, architecture repair, etc.