Security Management Seminar (NERC Training)
TRANSCRIPT
Ross Johnson, CPP
Capital Power
Edmonton, Alberta
Agenda
• Security Management Programs
• Security Risk Management
• Design Basis Threat
• Security Measures Selection
• Threat Response Planning
Security Management Program
• Sets organization-wide policies and procedures that define how the program integrates into the company's overall management system
• Includes management commitment and accountability
• Includes:
  o Accountability
  o Implementation
  o Competence
  o External Practices
  o Internal Practices
Advantages
• Ensures that all aspects of security are considered
• Provides 'best practice' guidance
• Developed by a large group of security practitioners, ensuring that it is based on a broad base of experience
• Provides guidance on requirements, objectives, and metrics
• Demonstrates professionalism to senior management and external stakeholders
• Tells you what to do, not how to do it
Security Management Program Elements
Based on the Canadian Standards Association's Z246.1-09, Security Management for Petroleum and Natural Gas Industry Systems
1. Security Management Program
2. Security Risk Management
3. Information Security Management
4. Information Technology/Control Systems Security
5. Personnel Security
6. Physical Security Measures
7. Security Incident Management
8. Contingency Planning
9. Threat Response Planning
10. Change Management Process
11. Evaluation & Review
12. Continuous Improvement
Security Risk Management
• Identify and classify security risks
• Develop and implement strategies and security controls to eliminate or mitigate risks
• Security risk management activities must consider asset:
  o Type
  o Size
  o Location
  o Criticality
• Risk should be continually assessed across the organization by determining the likelihood and impact of potential threats
Information Security Management
• Policies and procedures for protecting both hard-copy and digital information from the time of conception through to its final disposition
• Should include documented policies and procedures
• Areas to consider include classification and labelling, handling, destruction, training, incident reporting and investigation, and audit, compliance, and disaster recovery
• Determination of what to protect is done by risk assessment: what information could hurt the company if it got into the wrong hands, either accidentally or on purpose?
Information Technology Security
• Information technology is protected by a combination of controls, processes, procedures, organizational structures, software, and hardware
• The aim is to protect data confidentiality, integrity, and availability
• ISO 27002 provides best practice recommendations on information security management
Industrial Control Systems Security
• Control systems run industrial production equipment, and are heavily used in the energy industry
• Often targeted by hackers or other threat actors
• NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security is an excellent resource on this subject
• NERC CIP standards might have a thing or two to say on this
Personnel Security
• Protection of personnel
• Workplace Violence Assessment & Prevention
• Security Training and Awareness
• Personnel Screening
• Personnel Termination
• Employee Travel

Physical Security Measures
• Minimum physical security guidelines
• Vehicle searches
• Signage standards
• Chain-link fencing standards
• CCTV cameras
• Copper/metal theft prevention
• Guard force management
Physical security measures by facility type
Columns (left to right): Access Control; Fence with Top Guard; Fenceline Intrusion Detection; CCTV/Lighting; Electronic Card Access; Interior Intrusion Detection; Locked Fence Gates with CCTV; Locked Exterior Access Doors; Visitor Management; Background Checks for all Unescorted Personnel; Signage
Critical Asset
  Manned Power Plant ● ● ● ● ● During Silent Hours ● ● ●
  Unmanned Power Plant ● ● ● ● ● ● ● ● ● ●
  Control Room ● ● ● ● ● ●
  PEECC ● ● ● ● ● ● ●
  Switchyard ● ● ● ● ● ● ● ● ●
Non-Critical Asset
  Thermal Power Plant ● ● See Note 1. ● During Silent Hours ● ● ●
  Wind Facility ● ● ● ● ●
  Solar Facility ● ● ● ● ●
  Control Room ● ● ● ● ●
  PEECC Optional ● ● ●
  Switchyard ● ● ● ● ●
  Office Building/Data Centre ● ● ● ● ● ●
  Construction Site ● ● ● ● ●
Guards and regulatory requirements by facility type
Columns (left to right): Guards: Fixed Post; Mobile Patrols; Safe Walk Program; Security Shuttle. Regulatory Requirements: NERC EOP-004 / ARS CIP-001; NERC / ARS CIP-002 to CIP-014
Critical Asset
  Manned Power Plant ● ● ● ●
  Unmanned Power Plant ● ● ●
  Control Room ● ● ● ●
  PEECC ● ● ●
  Switchyard ● ● ●
Non-Critical Asset
  Control Room ● ●
  PEECC ●
  Thermal Power Plant ● ●
  Switchyard ● ●
  Wind Facility ● ●
  Solar Facility ● ●
  Office Building/Data Centre: Guards may be used if deemed necessary because of local security conditions
  Construction Site ●
Security Incident Management
• Incident reporting
• Investigations
• Workplace violence incident management
• Lessons Learned
• Security Management Program upgrades
Contingency Planning
• Business Continuity Management
  o Includes loss of: people, office space, critical IT systems
• Emergency Response Program
  o Used at the production facility level
  o Includes communications, equipment, and tactical response plans for all the scenarios deemed of concern during a Hazard Risk Vulnerability Assessment
• Crisis Management Planning
  o Used at the corporate level to marshal resources and senior executive leadership to solve problems that threaten the company's people, assets, or reputation
  o Part of the emergency response program
Threat Response Planning
• Threat and vulnerability assessment
• Security measures
• Observation plan
• Random security measures
• Response plan
• Communications
• Training and review
TRPs bring together a number of elements of the security management program; they are not part of the CSA standard
Conclusion
• Use of a standardized security management program template can help you to ensure that all elements of security are considered in your security plan
• They add dignity to what would otherwise be a vulgar brawl
• We are trying to develop a security management program template in the electricity sector, and we could use your help