Presentation is loading. Please wait.

Presentation is loading. Please wait.

JU September Stakeholder Engagement Conference Webinar #1

Published byAugusta Parsons Modified over 6 years ago

Similar presentations

Presentation on theme: "JU September Stakeholder Engagement Conference Webinar #1"— Presentation transcript:

1 JU September Stakeholder Engagement Conference Webinar #1
September 15th, 2016 Cybersecurity & Privacy

2 Agenda for September 15th
Time Topic 2:30 – 2:35 Introductions Matt Robison (ICF) 2:35 – 3:55 Demand and DER Forecasting & Q/A Mark Domino (National Grid) and Mike DeMatteo (National Grid) Timothy Duffy (NYISO) Laura Manz (ICF) 3:55 – 4:55 Cybersecurity and Privacy & Q/A Mikhail Falkovich (Con Edison / O&R) Kenya Jackmon (ICF) and Scott Graves (ICF) 4:55 – 5:00 Wrap-up

3 Grid Operations Cybersecurity and Privacy Scott Graves and Kenya Jackmon (ICF) Mikhail Falkovich (JU)

4 Cyber and Privacy Working Group Topics and Scope
Purpose: Explore common ground in approaches regarding the cybersecurity and privacy concerns in New York as Distributed Energy Resource (DER) penetration increases. Topics and Scope: Cybersecurity and Privacy REV-related Cyber Security and Privacy policy priorities of this team Develop JU REV Cyber Security & Privacy Framework Provide appropriate advice & guidance to the supplemental DSIP working groups on matters concerning cybersecurity and privacy, including but not limited to the sharing of system and customer data w/ 3rd parties Events and/or filings for which this team will prepare on the DSP’s behalf; Support initial and supplemental DSIP filings on cyber security and privacy framework matters Stakeholder engagement objectives (if any); and, Support the Supplemental DSIP stakeholder engagement process Periodic updates to the DSP Committee Important deliverables that will be developed by this team Cyber Security and Privacy Framework Cyber Security and Privacy Guiding Principles Supplemental DSIP Cyber Security and Privacy filing support

5 JU Cybersecurity and Privacy Framework
The JU developed the JU cyber and privacy framework to establish a cyber/privacy framework to ensure a common approach to cybersecurity and privacy. Information risk arises when the confidentiality, availability, or integrity of data can be compromised. To mitigate risk the Framework recommends the integration of cybersecurity in the Risk Management process for the protection of Confidentiality (C), Integrity (I) and Availability (A) of Utility information and information systems: The Framework is flexible enough to meet each utility at its current Risk Management/Cybersecurity capability The Risk Management process is a holistic approach to identifying threats, vulnerabilities and mitigation strategies. Ensure information security decisions are risk-based. Cybersecurity and Privacy concerns should be incorporated into the systems development lifecycle. Bring all stakeholders to the table with a vested interest in the success or outcome of the mission or business function. Demonstrate linkage between cybersecurity and the success/outcome of the business or mission function.

6 Business drive approach to cybersecurity
Cybersecurity enables the business objective of the Utility by controlling operational risk. Business Driver Enterprise Architecture Cybersecurity Identifies Business Decision/Risk Defines business processes Implements business processes Informs Business Decision/Risk Defines Security Controls Implements Cybersecurity Controls

7 JU Cybersecurity and Privacy Framework
The Framework recommends a set of actions (a control set) to defend against cyber and physical attacks for utilities and third parties. This control set is based on the National Institute of Science and Technology (NIST) Special Publication (SP) rev 4. Security and Privacy Controls for Federal Information Systems and Organizations. Defines 27 total control families, 9 of which are related to privacy . Maps to ISO/IEC standards and the Generally Accepted Privacy Principles (GAPP) Aligns with the NIST Cyber Security Framework Basis for other control documents to include NIST Internal/Interagency Report (NISTIR) 7268 Guidelines for Smart grid Cybersecurity The Framework is flexible enough to meet each utility at its current Risk Management/Cybersecurity capability.

8 What does the Framework mean for Stakeholders?
The recommended Cybersecurity and Privacy controls cover a range of protections to address operational risk.

9 JU Cybersecurity and Privacy Framework
Access Control (AC) Utilities will define a process to manage access control based on system sensitivity and importance. The process should consider: which information systems/components require authentication, an account management process, access control schemes (e.g. role-based access control (RBAC),) restrictions on access controls (least privilege/separation of duties.) and, remote access requirements

10 Risk Management and the Risk Assessment
Utilities must use due diligence to ensure shared data is protected due to increased data-sharing between utilities, customers, and third parties. The risk assessment is a crucial tool in the risk management process Assumptions There is no common validation/vetting process across the JU for the third party’s requesting information. Questionnaire to determine security posture Security artifacts based on third party cyber program this is what can be requested. ( ISO Certification letters, Corrective action reports, SOC 2 audit reports) Risk decision/recommendation Utility has the right to require specific controls in contractual language. Utility has the right to deny data request should the third party not have adequate security controls.

11 Timeline Short Term The Utility’s Cybersecurity and or Privacy teams will be to support risk assessment activities and requests as they are submitted. Long Term – Recognition of value for a common process Utilities are working toward a common framework for vetting third parties requesting data.

12 Reference Documents Information Security Forum General Information Security Practices NIST Cybersecurity Framework NISTIR 7628: Guidelines for Smart Grid Security NIST SP : Security and Privacy Controls for Federal Information Systems and Organizations NIST SP : Guide for Conducting Risk Assessments NIST IR 8062: Privacy Risk Management for Federal Information Systems DOE DataGuard Energy Data Privacy Program AICPA Generally Accepted Privacy Principles ISO/IEC Information Security Management ISO/IEC Code of Practice for Information Security Controls ISO/IEC Information Security Risk Management ISO/IEC Privacy Framework

13 Cybersecurity and Privacy Q & A Mikhail Falkovich (Con Edison / O&R) Kenya Jackmon & Scott Graves ( ICF)

14 Thank you for joining us!
Please contact or visit our website for more information

Download ppt "JU September Stakeholder Engagement Conference Webinar #1"

Similar presentations

The Department of Energy Enterprise Risk Management Model

The Department of Energy Enterprise Risk Management Model
Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under.

KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Security Controls – What Works

Security Controls – What Works
Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.

Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
SMART GRID: Privacy Awareness and Training – A Starting Point for Utilities October 2011 SGIP-CSWG Privacy Group 1.

SMART GRID: Privacy Awareness and Training – A Starting Point for Utilities October 2011 SGIP-CSWG Privacy Group 1.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing

Similar presentations

Ads by Google