Process - Revision history

Jlawrence: /* Supply Chain */

2024-10-30T19:58:48Z

Supply Chain

← Older revision		Revision as of 19:58, 30 October 2024
Line 70:		Line 70:
	*Visibility is mainly limited and incomplete. Source code visibility is rare for commercially available software. Standardized software bills of materials (SBOMs) and hardware bills of materials (HBOMs) are being driven by U.S. federal government initiatives but have not been widely implemented in the private sector.		*Visibility is mainly limited and incomplete. Source code visibility is rare for commercially available software. Standardized software bills of materials (SBOMs) and hardware bills of materials (HBOMs) are being driven by U.S. federal government initiatives but have not been widely implemented in the private sector.
	*In North America, NERC standards CIP-003, CIP-005, CIP-010, and CIP-013 address the supply chain and vendor remote access requirements.		*In North America, NERC standards CIP-003, CIP-005, CIP-010, and CIP-013 address the supply chain and vendor remote access requirements.

			'''Relevant EPRI Resources'''
			* [https://www.epri.com/research/programs/112046/results/3002027429 Cyber Security Procurement Topical Guide: For Control System and Operational Technology Installation and Upgrade in Power Generation Facilities]
			* [https://www.epri.com/research/programs/112046/results/3002021184 Hydro Power DCS Upgrade Cyber Security Assessment: Cyber Security Technical Assessment Methodology (TAM) Case Study]
			* [https://www.epri.com/research/programs/112046/results/3002015402 Understanding Vendor Cyber Security Certifications: Generation Cyber Security]
			* [https://www.epri.com/research/programs/112046/results/3002012753 Cyber Security in the Supply Chain: Cyber Security Procurement Methodology, Revision 2]

Jlawrence: /* Workforce Development */

2024-10-30T19:58:26Z

Workforce Development

← Older revision		Revision as of 19:58, 30 October 2024
Line 49:		Line 49:

	'''Relevant EPRI Resources'''		'''Relevant EPRI Resources'''
			* [https://www.epri.com/research/programs/112046/results/3002027495 Generation Cyber Security: Workforce Development]
	* [https://www.epri.com/research/programs/112046/results/3002014785 Access Control and Permission Management: Generation Cyber Security - Computer Based Technology Transfer]		* [https://www.epri.com/research/programs/112046/results/3002014785 Access Control and Permission Management: Generation Cyber Security - Computer Based Technology Transfer]
	* [https://www.epri.com/research/programs/112046/results/3002011545 Computer-Based Technology Transfer (CBTT): Secure Interactive Remote Access in Power Generation Facilities v1.0]		* [https://www.epri.com/research/programs/112046/results/3002011545 Computer-Based Technology Transfer (CBTT): Secure Interactive Remote Access in Power Generation Facilities v1.0]
	* [https://www.epri.com/research/programs/112046/results/3002027921 Cyber Security Operations Security (OPSEC) Awareness Posters]		* [https://www.epri.com/research/programs/112046/results/3002027921 Cyber Security Operations Security (OPSEC) Awareness Posters]
	* [https://www.epri.com/research/programs/112046/results/3002017753 Developing a Cyber Security Culture in the Operational Technology (OT) Environment]		* [https://www.epri.com/research/programs/112046/results/3002017753 Developing a Cyber Security Culture in the Operational Technology (OT) Environment]
	* [https://www.epri.com/research/programs/112046/results/3002027495 Generation Cyber Security: Workforce Development]
	* [https://www.epri.com/research/programs/112046/results/3002014786 Guideline on Cyber Security Scanning for Generation Plant Control Systems Computer Based Technology Transfer]		* [https://www.epri.com/research/programs/112046/results/3002014786 Guideline on Cyber Security Scanning for Generation Plant Control Systems Computer Based Technology Transfer]
	* [https://www.epri.com/research/programs/112046/results/3002011991 Guideline on Digital I&C Configuration Management and Hardening for Generation Facilities Computer Based Technology Transfer Module, version 1.0]		* [https://www.epri.com/research/programs/112046/results/3002011991 Guideline on Digital I&C Configuration Management and Hardening for Generation Facilities Computer Based Technology Transfer Module, version 1.0]

Jlawrence: /* Workforce Development */

2024-10-30T19:57:38Z

Workforce Development

@@ Line 47: / Line 47: @@
 *Energy transformation introduces a new set of workforce requirements. Renewable generation assets are often remotely located, are minimally manned, incorporate new technologies, and require more external connections (including third-party vendors).
 *The NIST NICE Workforce Framework for Cybersecurity provides a set of building blocks for describing the tasks, knowledge, and skills that are needed to perform cyber security work.
 ==Supply Chain ==

Jlawrence: /* Program Development */

2024-10-30T19:57:18Z

Program Development

← Older revision		Revision as of 19:57, 30 October 2024
Line 35:		Line 35:
	* Organizations may use frameworks or standards, such as the NIST Cybersecurity Framework, NERC CIP, and CIS Critical Security Controls, to develop and structure their cyber security programs.		* Organizations may use frameworks or standards, such as the NIST Cybersecurity Framework, NERC CIP, and CIS Critical Security Controls, to develop and structure their cyber security programs.
	*Increased IT/OT integration demands that the OT cyber security program align with, learn from, adapt to, and mature corporate IT processes. An example is data governance and information security. As OT data became more available and utilized, organizations established data governance and information security frameworks for OT data, often utilizing, referencing, or adapting the existing IT information security frameworks.		*Increased IT/OT integration demands that the OT cyber security program align with, learn from, adapt to, and mature corporate IT processes. An example is data governance and information security. As OT data became more available and utilized, organizations established data governance and information security frameworks for OT data, often utilizing, referencing, or adapting the existing IT information security frameworks.

			'''Relevant EPRI Resources'''
			* [https://www.epri.com/research/programs/112046/results/3002018753 Risk-Informed Cyber Security Program Guide for Electric Generation Facilities: Generation Cyber Security]

	==Workforce Development ==		==Workforce Development ==

Jlawrence: /* Governance, Risk, and Compliance */

2024-10-30T19:56:36Z

Governance, Risk, and Compliance

@@ Line 16: / Line 16: @@
 **In the U.S., FERC issued an order establishing incentive-based rate treatment to encourage utilities' investments in Advanced Cyber Security Technology and participation in cyber security threat information sharing programs.
 *Risk-informed approach allows for optimal cyber security programs resistant to changing threats, regulations, and asset lifecycles. Implementing an effective risk management program involves several components. It is crucial to ensure that consistent and periodic risk assessments are performed to respond to evolving cyber threats. Risk Assessment refers to identifying, analyzing, and evaluating potential risks. A practical risk-based approach also involves Risk Treatment and Risk Monitoring to accompany the Risk Assessment. Risk Treatment refers to strategic actions and measures to mitigate, transfer, or accept identified risks. Risk Monitoring is a continuous process that follows Risk Treatment to evaluate the effectiveness of implemented risk mitigations.
 ==Program Development ==

Jlawrence at 14:09, 30 October 2024

2024-10-30T14:09:03Z

← Older revision		Revision as of 14:09, 30 October 2024
Line 1:		Line 1:
	~~Process and Integration Overview~~

	Processes, Integration, and Standards: Researching and developing technical approaches to address process and coordination challenges associated with cyber security. (i.e., cyber-informed engineering, governance, risk management, workforce development, etc.). Cyber security requires people and processes to implement and maintain measures consistent with strategies. Security tools will not be effective without a trained workforce and repeatable processes. Studies show that people are often an organization's weakest cyber security link. For example, the 2024 Verizon Data Breach Investigations report found that 68% of breaches involve the human element.		Processes, Integration, and Standards: Researching and developing technical approaches to address process and coordination challenges associated with cyber security. (i.e., cyber-informed engineering, governance, risk management, workforce development, etc.). Cyber security requires people and processes to implement and maintain measures consistent with strategies. Security tools will not be effective without a trained workforce and repeatable processes. Studies show that people are often an organization's weakest cyber security link. For example, the 2024 Verizon Data Breach Investigations report found that 68% of breaches involve the human element.

Jlawrence at 14:08, 30 October 2024

2024-10-30T14:08:33Z

← Older revision		Revision as of 14:08, 30 October 2024
Line 18:		Line 18:
	**In the U.S., FERC issued an order establishing incentive-based rate treatment to encourage utilities' investments in Advanced Cyber Security Technology and participation in cyber security threat information sharing programs.		**In the U.S., FERC issued an order establishing incentive-based rate treatment to encourage utilities' investments in Advanced Cyber Security Technology and participation in cyber security threat information sharing programs.
	*Risk-informed approach allows for optimal cyber security programs resistant to changing threats, regulations, and asset lifecycles. Implementing an effective risk management program involves several components. It is crucial to ensure that consistent and periodic risk assessments are performed to respond to evolving cyber threats. Risk Assessment refers to identifying, analyzing, and evaluating potential risks. A practical risk-based approach also involves Risk Treatment and Risk Monitoring to accompany the Risk Assessment. Risk Treatment refers to strategic actions and measures to mitigate, transfer, or accept identified risks. Risk Monitoring is a continuous process that follows Risk Treatment to evaluate the effectiveness of implemented risk mitigations.		*Risk-informed approach allows for optimal cyber security programs resistant to changing threats, regulations, and asset lifecycles. Implementing an effective risk management program involves several components. It is crucial to ensure that consistent and periodic risk assessments are performed to respond to evolving cyber threats. Risk Assessment refers to identifying, analyzing, and evaluating potential risks. A practical risk-based approach also involves Risk Treatment and Risk Monitoring to accompany the Risk Assessment. Risk Treatment refers to strategic actions and measures to mitigate, transfer, or accept identified risks. Risk Monitoring is a continuous process that follows Risk Treatment to evaluate the effectiveness of implemented risk mitigations.

			==Program Development ==
			Program management refers to strategic developing, documenting, monitoring, and communicating cyber security processes. Mature cyber security program management allows consistent and effective implementation of strategies and promotes continuous improvements.

			'''Current program development key practices''' include standards and IT/OT integration:
			* Organizations may use frameworks or standards, such as the NIST Cybersecurity Framework, NERC CIP, and CIS Critical Security Controls, to develop and structure their cyber security programs.
			*Increased IT/OT integration demands that the OT cyber security program align with, learn from, adapt to, and mature corporate IT processes. An example is data governance and information security. As OT data became more available and utilized, organizations established data governance and information security frameworks for OT data, often utilizing, referencing, or adapting the existing IT information security frameworks.

			==Workforce Development ==
			Workforce development is a crucial component of cyber security process and integration. It ensures that competent and adequate resources effectively carry out and manage the developed cyber security program.

			'''Current workforce development challenges and key practices''' in power generation include:
			* The development of the Operational Technology (OT) cyber security workforce is challenging due to the need for a blend of specialized knowledge in OT and cyber security. This creates a competitive landscape for a limited talent pool, further exacerbated by the scarcity of industry-specific learning materials and platforms.
			*Cyber security workforce includes many stakeholders, including personnel in the core OT cyber security, IT security, physical security, compliance, procurement, operations, maintenance, and senior leadership. In a survey conducted in 2020, P209 members have identified that tailored, role-based cyber security training as one of the gaps.
			*Energy transformation introduces a new set of workforce requirements. Renewable generation assets are often remotely located, are minimally manned, incorporate new technologies, and require more external connections (including third-party vendors).
			*The NIST NICE Workforce Framework for Cybersecurity provides a set of building blocks for describing the tasks, knowledge, and skills that are needed to perform cyber security work.

			==Supply Chain ==
			Supply chain cybersecurity involves safeguarding the interconnected network of organizations, processes, and technologies that contribute to producing and delivering goods and services from cyber threats and vulnerabilities.

			'''Current supply chain key practices and challenges''' include:
			*The complex nature of supply chains involving multiple stakeholders, technologies, and processes makes security challenging.
			*Attacks against the supply chain vary widely and include third-party code libraries, software development tools, distribution, remote access, and attacks against vendors.
			*Visibility is mainly limited and incomplete. Source code visibility is rare for commercially available software. Standardized software bills of materials (SBOMs) and hardware bills of materials (HBOMs) are being driven by U.S. federal government initiatives but have not been widely implemented in the private sector.
			*In North America, NERC standards CIP-003, CIP-005, CIP-010, and CIP-013 address the supply chain and vendor remote access requirements.

Jlawrence at 14:07, 30 October 2024

2024-10-30T14:07:37Z

← Older revision		Revision as of 14:07, 30 October 2024
Line 1:		Line 1:
	Process and Integration Overview		Process and Integration Overview

	== ~~Topic 1~~ ==		Processes, Integration, and Standards: Researching and developing technical approaches to address process and coordination challenges associated with cyber security. (i.e., cyber-informed engineering, governance, risk management, workforce development, etc.). Cyber security requires people and processes to implement and maintain measures consistent with strategies. Security tools will not be effective without a trained workforce and repeatable processes. Studies show that people are often an organization's weakest cyber security link. For example, the 2024 Verizon Data Breach Investigations report found that 68% of breaches involve the human element.

			Key process and integration topics include:
			*Governance, Risk, and Compliance
			*Program Development
			*Workforce Development
			*Supply Chain

			==Governance, Risk, and Compliance ==
			Governance, Risk, and Compliance refers to organizations’ integrated approach to ensuring that their cyber security programs are aligned with business objectives, compliant with regulations, and resilient against cyber threats. Effective GRC strategies allow organizations to proactively manage risks, maintain regulatory compliance, and enhance their overall cybersecurity posture.

			'''Challenges and key practices''' with GRC in power generation facilities include:
			*NIST Cyber Security Framework 2.0 (Draft) adds “GOVERN” as the sixth function.
			*Regulatory compliance has traditionally been the major driving force in shaping cyber security processes and integration; emerging incentives from investor interests and the government are now encouraging the industry to go beyond compliance.
			**Regulations are always changing, and their requirement scope expanding. For instance, in North America, five high-priority NERC standards projects affecting CIP standards are planned to be completed by 2024, which address virtualization, Internal Network Security Monitoring, enhancing low impact category, etc. In the European Union, the NIS2 Directive came into force in 2023 and Member States have until October 2024 to transpose its measures into national law.
			**In the U.S., FERC issued an order establishing incentive-based rate treatment to encourage utilities' investments in Advanced Cyber Security Technology and participation in cyber security threat information sharing programs.
			*Risk-informed approach allows for optimal cyber security programs resistant to changing threats, regulations, and asset lifecycles. Implementing an effective risk management program involves several components. It is crucial to ensure that consistent and periodic risk assessments are performed to respond to evolving cyber threats. Risk Assessment refers to identifying, analyzing, and evaluating potential risks. A practical risk-based approach also involves Risk Treatment and Risk Monitoring to accompany the Risk Assessment. Risk Treatment refers to strategic actions and measures to mitigate, transfer, or accept identified risks. Risk Monitoring is a continuous process that follows Risk Treatment to evaluate the effectiveness of implemented risk mitigations.

Jlawrence: Created page with "Process and Integration Overview == Topic 1 =="

2024-09-25T16:05:30Z

Created page with "Process and Integration Overview == Topic 1 =="

New page

Process and Integration Overview

== Topic 1 ==