Situation
Cybersecurity is routinely cited as one of the leading challenges for the energy industry. The confidentiality, integrity and availability of information and systems that support critical infrastructure is part of the foundation of modern society. Disruptions or significant damage to this infrastructure has implications for public welfare, economic output and national security. Industrial control systems (ICS) present the largest target for cyberattacks, as utilities are highly dependent on these systems to maintain operations. Examples of ICS include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and process control systems (PCS). Historically, ICS have been built to address specific operational needs, but more recently these systems have undergone a strategic transformation by which they have been integrated through the application of networking technology to improve operational efficiency, functionality and availability. In order to facilitate the transition to a networked environment, traditional wired, wireless, mobile and virtual technologies have been employed. While greatly enhancing the capabilities of ICS, this integration has unfortunately made ICS more susceptible to cyberattacks.
A large, municipal energy company engaged RSM to advise on matters of cybersecurity. RSM has supported this relationship with tactical and strategic initiatives to leverage its expertise in risk management, cybersecurity, physical security, smart-grid technologies, application architecture, mesh networks and wireless backhaul links. The intent of this relationship is to help the client develop a strategic road map with specific tactical solutions.
Solution
The first step in helping the client to develop a strategic road map was to conduct a security program alignment session. This activity was designed to be a collaborative effort between the client and RSM to identify and prioritize security goals and objectives. The session consisted of RSM interviewing control owners within the organization. During these interviews, risk scenarios and questions regarding key controls were presented for discussion purposes. We then guided the client through discussions, with the intent of identifying goals and objectives. Once these goals and objectives were established, key controls were mapped to mitigate significant risks in the environment.
Prior to conducting the interviews, the process for determining goals and objectives began with selecting a security framework. For this client, we chose two frameworks that best reflected the client’s environment. The frameworks chosen were from the Interstate Natural Gas Association of America (INGAA) and the National Institute of Standards and Technology (NIST). The respective frameworks were the Control Systems Cybersecurity Guidelines for the Natural Gas Pipeline Industry (CSCSG) and Special Publication 800-53 Revision 3 (SP-800-53). CSCSG was developed by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is a component of the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC). ICS-CERT’s mission is to provide guidance to the industry for improving the cybersecurity posture of control systems within the nation's critical infrastructure. ICS-CERT also employs SP-800-53 as a methodology to allow for comparisons of control data between companies and industries. Finally, RSM applied a weight to each control set within each framework based on the relative importance of the confidentiality, integrity and availability of each control to the client’s business. This enabled us to provide a customized list of priorities for the client depending on the state of the controls.
Results
NIST’s 800-30 methodology takes a broader approach than many other security risk assessments. Rather than simply looking at technology, 800-30 takes a three-tiered approach and examines business processes as well as organizational structure and governance. This larger view helps to provide much more context around identified risks. For this client, using NIST provided a defensible risk management framework that demonstrated the commitment to sound, industry recognized security best practices. It also provided independent verification that the current infrastructure and applications met the client’s security expectations and reduced their IT security costs.
At the conclusion of the engagement, RSM delivered a written report to the client which included:
- An executive summary aimed at senior management summarizing findings and specific recommendations to address tactical and strategic opportunities for improvement
- A detailed explanation of the methodology and findings prioritized for the client’s management to build its own security program
RSM also provided supplemental instruction to the client on how to conduct self-assessments that reinforce the lessons learned during the security program alignment session.
The protection of the client’s critical infrastructure is essential for maintaining customer confidence and ensuring the viability of the organization. Cyberthreats continue to evolve, and it is imperative that the client understand how changes in their environment are affecting the security posture of the organization. The relationship with RSM has enabled the client to develop a baseline assessment of:
- The risks within its environment
- The key controls within its environment that mitigate those risks
- Additional key controls required to mitigate unaddressed risks
Finally, this baseline assessment and the self-assessment methodology enabled the client to develop a security program that can evolve to meet the organization’s future risk management needs.