OIL AND NATURAL GAS SUBSECTOR CYBERSECURITY CAPABILITY MATURITY MODEL ONG-C2M2 Version 1 1 February 2014 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 iii TABLE OF CONTENTS Acknowledgments v 1 Introduction 1 1 1 Intended Audience 1 1 2 Document Organization 2 2 Background 3 2 1 Model Development Approach 3 3 About the Oil and Natural Gas Subsector 4 4 Core Concepts 5 4 1 Maturity Models 5 4 2 Critical Infrastructure Objectives 5 4 3 IT and OT Assets 5 4 4 Relationship to the Risk Management Process 6 4 5 Function 6 5 Model Architecture 8 5 1 Domains 8 5 2 Maturity Indicator Levels 10 5 2 1 Approach Progression 11 5 2 2 Institutionalization Progression 12 5 2 3 Summary of MIL Characteristics 15 5 3 Practice Reference Notation 16 6 Using the Model 17 6 1 Prepare To Use the Model 17 6 2 Perform an Evaluation 18 6 3 Analyze Identified Gaps 18 6 4 Prioritize and Plan 19 6 5 Implement Plans and Periodically Reevaluate 19 7 Model Domains 21 7 1 Risk Management 21 7 2 Asset Change and Configuration Management 24 7 3 Identity and Access Management 27 7 4 Threat and Vulnerability Management 29 7 5 Situational Awareness 32 7 6 Information Sharing and Communications 35 7 7 Event and Incident Response Continuity of Operations 37 7 8 Supply Chain and External Dependencies Management 41 7 9 Workforce Management 44 7 10 Cybersecurity Program Management 48 APPENDIX A References 51 iv Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ACKNOWLEDGEMENTS APPENDIX B Glossary 61 APPENDIX C Acronyms 76 Notices 77 LIST OF FIGURES Figure 1 Critical Elements of the Oil Supply Chain 4 Figure 2 Risk Management Process 6 Figure 3 Model and Domain Elements 9 Figure 4 Referencing an Individual Practice Example RM-1a 16 Figure 5 Recommended Approach for Using the Model 17 LIST OF TABLES Table 1 Example of Approach Progression in the Cyber Program Management Domain 12 Table 2 Mapping of Management Practices to Domain-Specific Practices 13 Table 3 Summary of Maturity Indicator Level Characteristics 15 Table 4 Recommended Process for Using Evaluation Results 20 v Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ACKNOWLEDGEMENTS ACKNOWLEDGMENTS The Department of Energy DOE developed the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model ONG-C2M2 as a derivative of the Electricity Subsector Cybersecurity Capability Maturity Model ES-C2M2 Version 1 0 The ES-C2M2 was developed in support of a White House initiative led by the DOE in partnership with the Department of Homeland Security DHS and in collaboration with private- and public-sector experts The DOE acknowledges the dedication and technical expertise of all the organizations and individuals who participated in the development of ES-C2M2 as well as the organizations and individuals from the ONG subsector who have provided the critiques evaluations and modifications in order to produce this first version of the ONG-C2M2 Program Manager John McIlvain Department of Energy Office of Electricity Delivery and Energy Reliability DOE-OE Program Technical Lead Jason D Christopher Department of Energy Office of Electricity Delivery and Energy Reliability DOE-OE Program Team Cliff Glantz Pacific Northwest National Laboratory Fowad Muneer ICF International John Fry ICF International Laura Ritter BCS Incorporated Paul Skare Pacific Northwest National Laboratory Model Architect Carnegie Mellon University Software Engineering Institute – CERT Division Model Contributors Beth Lemke Dan Strachan David W White Drew Kittey Dustin Brooks Evon Sallee Jack Eisenhauer Jack Whitsitt James W Sample Jim Fisher John S Townsend Jonathan Murphy Keith Dodrill Keith H Herndon Kelley Bray Kimberly Denbow Lindsay Kishter Lisa Kaiser Matthew Harper Paul Skare Penny Wolter Peter Sindt R Peter Weaver Robert Mims Robert Mims Scott M Baron Scott vonFischer Scott Womer Seamus Stack Suzanne Lemieux Tamara Lance Terry Boss Thomas Whitmore Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ACKNOWLEDGEMENTS vi Cautionary Note Intended Scope and Use of This Publication The guidance provided in this publication is intended to address only the implementation and management of cybersecurity practices associated with information technology IT and operational technology OT and the environments in which they operate The guidance is not intended to replace or subsume other cybersecurity-related activities programs processes or approaches that oil and natural gas subsector organizations have implemented or intend to implement including any cybersecurity activities associated with legislation regulations policies programmatic initiatives or mission and business requirements Additionally this guidance is not part of any regulatory framework and is not intended for regulatory use Rather the guidance in this publication is intended to complement a comprehensive enterprise cybersecurity program Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 INTRODUCTION 1 1 INTRODUCTION Repeated cyber intrusions into organizations of all types demonstrate the need for improved cybersecurity Cyber threats continue to grow and represent one of the most serious operational risks facing modern organizations The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats Beyond critical infrastructure the economic vitality of the nation depends on the sustained operation of organizations of all types The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model ONG-C2M2 can help oil and natural gas ONG organizations of all types evaluate and make improvements to their cybersecurity programs The ONG-C2M2 is a derivative of the ES-C2M2 Version 1 0 and was developed as part of the DOE Cybersecurity Capability Maturity Model C2M2 Program in order to address the unique characteristics of the oil and natural gas subsector The program supports ongoing development and measurement of cybersecurity capabilities within the ONG subsector and the model can be used to  Strengthen cybersecurity capabilities in the ONG subsector  Enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities  Share knowledge best practices and relevant references within the subsector as a means to improve cybersecurity capabilities  Enable ONG organizations to prioritize actions and investments to improve cybersecurity The ONG-C2M2 is designed for use with a self-evaluation methodology and toolkit available by request for an organization to measure and improve its cybersecurity program 1 A self evaluation using the toolkit can be completed in one day but the toolkit could be adapted for a more rigorous evaluation effort Additionally the model can inform the development of a new cybersecurity program The ONG-C2M2 provides descriptive rather than prescriptive industry focused guidance The model content is presented at a high level of abstraction so that it can be interpreted by subsector organizations of various types structures and sizes Broad use of the model is expected to support benchmarking the subsector’s cybersecurity capabilities These attributes also make the ONG-C2M2 an easily scalable tool for the subsector’s implementation of the National Institute of Standards and Technology NIST Cyber Security Framework 1 1 Intended Audience The ONG-C2M2 enables ONG subsector organizations to evaluate cybersecurity capabilities consistently communicate capability levels in meaningful terms and prioritize cybersecurity 1 The ONG-C2M2 Toolkit may be obtained by sending a request to ONG-C2M2@doe gov 2 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 INTRODUCTION investments The model can be used by any ONG subsector organization regardless of ownership structure or size Within the organization various stakeholders may benefit from familiarity with the model This document specifically targets people in the following organizational roles  Decision makers executives who control the allocation of resources and the management of risk in organizations these are typically senior leaders 2  Leaders with responsibility for managing organizational resources and operations associated with the domains of this model see Section 5 1 for more information on the content of each ONG-C2M2 domain  Practitioners with responsibility for supporting the organization in the use of this model planning and managing changes in the organization based on the model 3  Facilitators with responsibility for leading a self-evaluation of the organization based on this model and the associated toolkit and analyzing the self-evaluation results 4 1 2 Document Organization This document along with several others support organizations in the effective use of the ONG C2M2 and introduces the model and provides the ONG-C2M2’s main structure and content Stakeholders may benefit by focusing on specific sections of this document as outlined in the table below Despite these recommendations all readers may benefit from reading the entire document Role Recommended Document Sections Decision makers Chapter 1 and 2 Leaders or managers Chapters 1 2 3 4 and 5 Practitioners Entire document Facilitators Entire document Chapter 2 presents background information on the model and its development Chapter 3 provides an overview of the U S oil and natural gas subsector Chapter 4 describes several core concepts that are important for interpreting the content and structure of the ONG-C2M2 Chapter 5 describes the architecture of the ONG-C2M2 Chapter 6 provides guidance on how to use the model Chapter 7 contains the model itself- the model’s objectives and practices organized into 10 domains Appendix A includes references that were either used in the development of this document or provide further information about the practices identified within the model Appendix B is the Glossary Appendix C defines the acronyms used in this document 2 The sponsor of the self-evaluation should be a decision maker from the organization For more information about the sponsor role please refer to the C2M2 Facilitator Guide The Facilitator Guide may be downloaded from http energy gov node 795826 3 Subject matter experts SMEs for the self-evaluation should be leaders or practitioners For more information about the SME role please refer to the C2M2 Facilitator Guide The Facilitator Guide may be downloaded from http energy gov node 795826 4 For more information about the facilitator role please refer to the C2M2 Facilitator Guide The Facilitator Guide may be downloaded from http energy gov node 795826 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 BACKGROUND 3 2 BACKGROUND This ONG-C2M2 is a derivative of the ES-C2M2 Version 1 0 The ES-C2M2 was developed in support of a White House initiative led by the DOE in partnership with DHS and in collaboration with private- and public-sector experts The initiative used the National Infrastructure Protection Plan framework as a public-private partnership mechanism to support the development of the model The ES-C2M2 initiative leveraged and built upon existing efforts models and cybersecurity best practices and is aligned with the White House’s 2010 Cyberspace Policy Review the DOE’s Roadmap to Achieve Energy Delivery Systems Cybersecurity the Energy Sector-Specific Plan and the Industrial Control Systems Joint Working Group’s ICSJWG Cross-Sector Roadmap for Cybersecurity of Control Systems 2 1 Model Development Approach The ONG-C2M2 was developed to address the specific needs of the ONG subsector The development process was centered on extensive engagement with public and private sector experts through pilot facilitations working sessions and subject matter expert document review This resultant ONG-C2M2 applies to all ONG subsector organizations regardless of ownership structure size or functional area The following guiding principles influenced the development of the ONG-C2M2  Public-private partnership Numerous government industry and academic organizations participated in the development of the model bringing a broad range of knowledge skills and experience to the team The model was developed collaboratively through a series of working sessions and it was revised based on feedback from multiple pilot evaluations with ONG subsector entities  Best practices and sector alignment The model builds upon and ties together a number of existing cybersecurity resources and initiatives and was informed by a review of cyber threats to the subsector Leveraging related works shortened the development schedule and helped to ensure that the model would be relevant and beneficial to the subsector  Descriptive not prescriptive The model was developed to provide descriptive not prescriptive guidance to help organizations develop and improve their cybersecurity capabilities As a result the model practices tend to be at a high level of abstraction so that they can be interpreted for organizations of various structures functions and sizes  Pilot to test validate and improve The draft model was piloted with private sector entities to validate that it would provide valuable feedback as a basis for evaluation and to collect feedback for improvement 4 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ABOUT THE OIL AND NATURAL GAS SUBSECTOR 3 ABOUT THE OIL AND NATURAL GAS SUBSECTOR Comprising two similar yet unique industries the ONG subsector includes the exploration gathering production processing storage and transportation of petroleum liquids and natural gas Oil and natural gas are imported as well as produced domestically stored throughout the Nation and transported over thousands of miles via pipelines waterways railways and highways Oil and natural gas are both made up of hydrocarbon compounds that originate in underground reservoirs Crude oil is a liquid that must be brought to the surface removed of gases water and other impurities and then transported to processing facilities petroleum refineries where finished products are derived Petroleum products derived from crude oil include gasoline kerosene aviation fuel diesel fuel heating oil heavy fuel oil lubricants waxes asphalt and liquefied petroleum gas as well as a number of petrochemical precursors Similar to crude oil natural gas is produced removed of liquids and other impurities and then transported via pipeline to gas processing facilities that separate heavier gas components leaving a product composed almost entirely of methane The methane is then transported as clean natural gas to bulk storage industrial consumers and individual homes Liquefaction of natural gas makes for a more dense concentration of natural gas and enables liquefied natural gas LNG to be transported economically via oceangoing tankers instead of pipelines Figure 1 Critical Elements of the Oil Supply Chain Source American Petroleum Institute 5 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 CORE CONCEPTS 4 CORE CONCEPTS This chapter describes several core concepts that are important for interpreting the content and structure of the model 4 1 Maturity Models A maturity model is a set of characteristics attributes indicators or patterns that represent capability and progression in a particular discipline Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices processes and methods and set goals and priorities for improvement Also when a model is widely used in a particular industry and assessment results are shared organizations can benchmark their performance against other organizations An industry can determine how well it is performing overall by examining the capability of its member organizations To measure progression maturity models typically have “levels” along a scale —ONG-C2M2 uses a scale of maturity indicator levels MILs 0–3 which are described in Section 5 2 A set of attributes defines each level If an organization demonstrates these attributes it has achieved both that level and the capabilities that the level represents Having measurable transition states between the levels enables an organization to use the scale to  Define its current state  Determine its future more mature state  Identify the capabilities it must attain to reach that future state 4 2 Critical Infrastructure Objectives The model makes regular reference to critical infrastructure objectives These are objectives found in the sector-specific infrastructure protection plans5 of the 16 United States critical infrastructure sectors defined in Presidential Policy Directive 21 “Critical Infrastructure Security and Resilience ” 6 The referenced objectives serve as a reminder that many of the functions provided by potential adopters of the model support the Nation’s critical infrastructure and that the broader cybersecurity objectives of the sector-specific plans should be considered 4 3 IT and OT Assets Many ONG-C2M2 practices refer to assets When evaluating how completely a practice is performed be sure to consider both traditional and emerging enterprise IT assets and any 5 http www dhs gov sector-specific-plans 6 http www whitehouse gov the-press-office 2013 02 12 presidential-policy-directive-critical-infrastructure-security-and-resil 6 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 CORE CONCEPTS industrial control systems ICS in use including process control systems supervisory control and data acquisition SCADA systems and other OT 4 4 Relationship to the Risk Management Process The phrase “commensurate with risk to critical infrastructure and organizational objectives” is used throughout the model This phrase reminds the organization to tailor its implementation of the model content to address its unique risk profile This supports the model intent of providing descriptive rather than prescriptive guidance In order to effectively follow this guidance the organization should use the model as part of a continuous enterprise risk management process like that depicted in Figure 2 Risk Management Process Figure 2 Risk Management Process The ONG-C2M2 Risk Management domain see Section 7 1 suggests establishing a cybersecurity risk management strategy that aligns with the enterprise risk management strategy Cybersecurity risk is an important component of the overall business risk environment ONG-C2M2’s cybersecurity risk management activities should feed into the enterprise risk management strategy and program so that cybersecurity risk is considered in and benefits from corporate decisions based on risk impact tolerance for risk and risk response approaches The implementation of practices in the Risk Management domain provides supporting elements used by other practices in the model as part of the overall risk management process Throughout the model these Risk Management practices are referenced in related practices using the notation described in Section 5 3 4 5 Function In this model the term function is used as a scoping mechanism it refers to the subset of the operations of the organization that are being evaluated based on the model Risk Framing Risk Assessment Risk Response Risk Monitoring 7 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 CORE CONCEPTS It is common for an organization to use the model to evaluate a subset of its operations This subset or function will often align with organizational boundaries Therefore common examples of functions for evaluation include departments lines of business or distinct facilities Organizations have also successfully used the model to evaluate a specific system or technology thread that crosses departmental boundaries For example an organization uses the model to evaluate its enterprise IT services including email Internet connectivity and Voice over Internet Protocol VoIP telecommunication In the Threat and Vulnerability Management domain practice 2b states “Cybersecurity vulnerability information is gathered and interpreted for the function ” When evaluating the implementation of this practice the organization should interpret function to mean the operations of the enterprise IT services In this example the practice means that cybersecurity vulnerability information is gathered and interpreted for the enterprise IT services—information about vulnerabilities that would affect the enterprise email services network devices and the VoIP system Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE 8 5 MODEL ARCHITECTURE The model arises from a combination of existing cybersecurity standards frameworks programs and initiatives The model provides flexible guidance to help organizations develop and improve their cybersecurity capabilities As a result the model practices tend to be at a high level of abstraction so that they can be interpreted for organizations of various structures and sizes The model is organized into 10 domains Each domain is a logical grouping of cybersecurity practices The practices within a domain are grouped by objective—target achievements that support the domain Within each objective the practices are ordered by MIL The following sections include additional information about the domains and the MILs 5 1 Domains Each of the model’s 10 domains contains a structured set of cybersecurity practices Each set of practices represents the activities an organization can perform to establish and mature capability in the domain For example the Risk Management domain is a group of practices that an organization can perform to establish and mature cybersecurity risk management capability For each domain the model provides a purpose statement which is a high-level summary of the intent of the domain followed by introductory notes which give context for the domain and introduce its practices The purpose statement and introductory notes offer context for interpreting the practices in the domain The practices within each domain are organized into objectives which represent achievements that support the domain For example the Risk Management domain comprises three objectives  Establish Cybersecurity Risk Management Strategy  Manage Cybersecurity Risk  Management Practices Each of the objectives in a domain comprises a set of practices which are ordered by MIL Figure 3 summarizes the elements of each domain 9 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE Model Domain Approach Objectives z Approach Objectives Practices at MIL1 Practices at MIL2 Practices at MIL3 Management Objective Practices at MIL2 Practices at MIL3 Model contains 10 domains one or more per domain Unique to each domain Approach objectives are supported by a progression of practices that are unique to the domain Each management objective is supported by a progression of practices that are similar in each domain and describe institutionalization activities one per domain Similar in each domain Figure 3 Model and Domain Elements A brief description of the 10 domains follows in the order in which they appear in the model Risk Management Establish operate and maintain an enterprise cybersecurity risk management program to identify analyze and mitigate cybersecurity risk to the organization including its business units subsidiaries related interconnected infrastructure and stakeholders Asset Change and Configuration Management Manage the organization’s OT and IT assets including both hardware and software commensurate with the risk to critical infrastructure and organizational objectives Identity and Access Management Create and manage identities for entities that may be granted logical or physical access to the organization’s assets Control access to the organization’s assets commensurate with the risk to critical infrastructure and organizational objectives Threat and Vulnerability Management Establish and maintain plans procedures and technologies to detect identify analyze manage and respond to cybersecurity threats and vulnerabilities commensurate with the risk to the organization’s infrastructure e g critical IT operational and organizational objectives 10 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE Situational Awareness Establish and maintain activities and technologies to collect analyze alarm present and use operational and cybersecurity information including status and summary information from the other model domains to form a common operating picture COP Information Sharing and Communications Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information including threats and vulnerabilities to reduce risks and to increase operational resilience commensurate with the risk to critical infrastructure and organizational objectives Event and Incident Response Continuity of Operations Establish and maintain plans procedures and technologies to detect analyze and respond to cybersecurity events and to sustain operations throughout a cybersecurity event commensurate with the risk to critical infrastructure and organizational objectives Supply Chain and External Dependencies Management Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities commensurate with the risk to critical infrastructure and organizational objectives Workforce Management Establish and maintain plans procedures technologies and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel commensurate with the risk to critical infrastructure and organizational objectives Cybersecurity Program Management Establish and maintain an enterprise cybersecurity program that provides governance strategic planning and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure 5 2 Maturity Indicator Levels The model defines four maturity indicator levels MIL0 through MIL3 which apply independently to each domain in the model The MILs define a dual progression of maturity an approach progression and an institutionalization progression which are explained in the following sections 11 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE Four aspects of the MILs are important for understanding and applying the model 1 The maturity indicator levels apply independently to each domain As a result an organization using the model may be operating at different MIL ratings for different domains For example an organization could be operating at MIL1 in one domain MIL2 in another domain and MIL3 in a third domain 2 The MILs are cumulative within each domain to earn a MIL in a given domain an organization must perform all of the practices in that level and its predecessor level s For example an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain Similarly the organization would have to perform all practices in MIL1 MIL2 and MIL3 to achieve MIL3 3 Establishing a target MIL for each domain is an effective strategy for using the model to guide cybersecurity program improvement Organizations shouldbecome familiar with the practices in the model prior to determining target MILs Gap analysis activities and improvement efforts should then focus on achieving those target levels 4 Practice performance and MIL achievement need to align with business objectives and the organization’s cybersecurity strategy Striving to achieve the highest MIL in all domains may not be optimal Companies should evaluate the costs of achieving a specific MIL against potential benefits However the model was developed so that all companies regardless of size should be able to achieve MIL1 across all domains 5 2 1 Approach Progression The domain-specific objectives and practices describe the progression of the approach to cybersecurity for each domain in the model Approach refers to the completeness thoroughness or level of development of an activity in a domain As an organization progresses from one MIL to the next it will have more complete or more advanced implementations of the core activities in the domain At MIL1 while only the initial set of practices for a domain is expected an organization is not precluded from performing additional practices at higher MILs Table 1 provides an example of the approach progression in the Cyber Program Management domain At MIL1 a cybersecurity program strategy exists in any form MIL2 adds more requirements to the strategy including the need for defined objectives alignment with the overall organization’s strategy and approval of senior management Finally in addition to requiring performance of all MIL1 and MIL2 practices MIL3 warrants that the strategy be updated to reflect business changes changes in the operating environment and changes to the threat profile developed in the Threat and Vulnerability Management domain 12 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE Table 1 Example of Approach Progression in the Cyber Program Management Domain MIL0 MIL1 a The organization has a cybersecurity program strategy MIL2 b The cybersecurity program strategy defines objectives for the organization’s cybersecurity activities c The cybersecurity program strategy and priorities are documented and aligned with the organization’s strategic objectives and risk to critical infrastructure d The cybersecurity program strategy defines the organization’s approach to provide program oversight and governance for cybersecurity activities e The cybersecurity program strategy defines the structure and organization of the cybersecurity program f The cybersecurity program strategy is approved by senior management MIL3 g The cybersecurity program strategy is updated to reflect business changes changes in the operating environment and changes in the threat profile TVM-1d 5 2 2 Institutionalization Progression Institutionalization describes the extent to which a practice or activity is ingrained in an organization’s operations The more deeply ingrained an activity the more likely it is that the organization will continue to perform the practice over time the practice will be retained under times of stress and the outcomes of the practice will be consistent repeatable and of high quality The progression of institutionalization is described by a set of practices that can be performed to institutionalize the domain-specific practices These practices are similar across domains and are called the Management Objective and Practices The progression of the practices within a domain-specific objective corresponds to the progression of the management practices though not necessarily practice to practice Table 2 shows an example mapping of the management practices to the practices in the second objective of the Risk Management domain 13 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE Table 2 Mapping of Management Practices to Domain-Specific Practices 2 Manage Cybersecurity Risk Management Practices MIL0 MIL1 a Cybersecurity risks are identified b Identified risks are mitigated accepted tolerated or transferred 1 Initial practices are performed but may be ad hoc MIL2 c Risk assessments are performed to identify risks in accordance with the risk management strategy d Identified risks are documented e Identified risks are analyzed to prioritize response activities in accordance with the risk management strategy f Identified risks are monitored in accordance with the risk management strategy g Risk analysis is supported by network IT and or OT architecture 1 Practices are documented 2 Stakeholders of the practice are identified and involved 3 Adequate resources are provided to support the process people funding and tools 4 Standards and or guidelines have been identified to guide the implementation of the practices MIL3 h The risk management program defines and operates risk management policies and procedures that implement the risk management strategy i A current cybersecurity architecture is used to support risk analysis j A risk register a structured repository of identified risks is used to support risk management 1 Activities are guided by policies or other organizational directives and governance 2 Policies include compliance requirements for specified standards and or guidelines 3 Activities are periodically reviewed to ensure they conform to policy 4 Responsibility and authority for performing the practices are assigned to personnel 5 Personnel performing the practices have adequate skills and knowledge A description of the management practices of each MIL can be found in the list below Maturity Indicator Level 0 MIL0 The model contains no practices for MIL0 Performance at MIL0 simply means that MIL1 in a given domain has not been achieved Maturity Indicator Level 1 MIL1 In each domain MIL1 contains a set of initial practices To achieve MIL1 these initial activities may be performed in an ad hoc manner but they must be performed If an organization were to start with no capability in managing cybersecurity it should focus initially on implementing the MIL1 practices MIL1 is characterized by a single management practice 1 Initial practices are performed but may be ad hoc In the context of this model ad hoc i e an ad hoc practice refers to performing a practice in a manner that depends largely on the 14 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE initiative and experience of an individual or team and team leadership without much in the way of organizational guidance in the form of a prescribed plan verbal or written policy or training The quality of the outcome may vary significantly depending on who performs the practice when it is performed and the context of the problem being addressed the methods tools and techniques used and the priority given a particular instance of the practice With experienced and talented personnel high-quality outcomes may be achieved even if practices are ad hoc However at this MIL lessons learned are typically not captured at the organizational level so approaches and outcomes are difficult to repeat or improve across the organization Maturity Indicator Level 2 MIL2 Four management practices are present at MIL2 which represent an initial level of institutionalization of the activities within a domain 1 Practices are documented The practices in the domain are being performed according to a documented plan The focus here should be on planning to ensure that the practices are intentionally designed or selected to serve the organization 2 Stakeholders of the practice are identified and involved Stakeholders of practices are identified and involved in the performance of the practices This could include stakeholders from within the function from across the organization or from outside the organization depending on how the organization implemented the practice 3 Adequate resources are provided to support the process people funding and tools Adequate resources are provided in the form of people funding and tools to ensure that the practices can be performed as intended The performance of this practice can be evaluated by determining whether any desired practices have not been implemented due to a shortage of resources If all desired practices have been implemented as intended by the organization then adequate resources have been provided 4 Standards and or guidelines have been identified to guide the implementation of the practices The organization identified some standards and or guidelines to inform the implementation of practices in the domain These may simply be the reference sources the organization consulted when developing the plan for performing the practices Overall the practices at MIL2 are more complete than at MIL1 and are no longer performed irregularly or are not ad hoc in their implementation As a result the organization’s performance of the practices is more stable At MIL2 the organization can be more confident that the performance of the domain practices will be sustained over time Maturity Indicator Level 3 MIL3 At MIL3 the activities in a domain have been further institutionalized and are now being managed Five management practices support this progression 15 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE 1 Activities are guided by policies or other organizational directives and governance Managed activities in a domain receive guidance from the organization in the form of organizational direction as in policies and governance Policies are an extension of the planning activities that are in place at MIL2 2 Policies include compliance requirements for specified standards and or guidelines 3 Activities are periodically reviewed to ensure they conform to policy 4 Responsibility and authority for performing the practices are assigned to personnel 5 Personnel performing the practices have adequate skills and knowledge The personnel assigned to perform the activities have adequate domain-specific skills and knowledge to perform their assignments At MIL3 the practices in a domain are further stabilized and are guided by high-level organizational directives such as policy As a result the organization should have additional confidence in its ability to sustain the performance of the practices over time and across the organization 5 2 3 Summary of MIL Characteristics Table 3 summarizes the characteristics of each MIL At MIL2 and MIL3 the characteristic associated with the approach progression is distinguished from the characteristics associated with the institutionalization progression Table 3 Summary of Maturity Indicator Level Characteristics Level Characteristics MIL0 Practices are not performed MIL1 Initial practices are performed but may be ad hoc MIL2 Institutionalization characteristics Practices are documented Stakeholders are identified and involved Adequate resources are provided to support the process Standards or guidelines are used to guide practice implementation Approach characteristic Practices are more complete or advanced than at MIL1 MIL3 Institutionalization characteristics Activities are guided by policy or other directives and governance Policies include compliance requirements for specified standards or guidelines Activities are periodically reviewed for conformance to policy Responsibility and authority for practices are assigned to personnel Personnel performing the practice have adequate skills and knowledge Approach characteristic Practices are more complete or advanced than at MIL2 16 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 MODEL ARCHITECTURE 5 3 Practice Reference Notation A number of practices within the domains are connected to other model practices When this occurs the connecting practice is referenced using a notation that begins with the domain abbreviation a hyphen the objective number and the practice letter Figure 4 shows an example from the Risk Management domain the domain’s first practice “There is a documented cybersecurity risk management strategy ” would be referenced elsewhere in the model using the notation “RM-1a ” Example RM-1a Domain Abbreviation-Objective Number Practice Letter 1 Establish Cybersecurity Risk Management Strategy MIL1 No practice at MIL1 MIL2 a There is a documented cybersecurity risk management strategy b The strategy provides an approach for risk prioritization including consideration of impact MIL3 c Organizational risk criteria tolerance for risk and risk response approaches are defined d The risk management strategy is periodically updated to reflect the current threat environment e An organization-specific risk taxonomy is documented and is used in risk management activities Figure 4 Referencing an Individual Practice Example RM-1a Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 USING THE MODEL 17 6 USING THE MODEL The ONG-C2M2 is meant to be used by an organization to evaluate its cybersecurity capabilities consistently to communicate its capability levels in meaningful terms and to inform the prioritization of its cybersecurity investments Figure 5 summarizes the recommended approach for using the model An organization performs an evaluation against the model uses that evaluation to identify gaps in capability prioritizes those gaps and develops plans to address them and finally implements plans to address the gaps As plans are implemented business objectives change and the risk environment evolves the process is repeated The following sections discuss the preparation activities required to begin using the model in an organization and provide additional details on the activities in each step of this approach Figure 5 Recommended Approach for Using the Model 6 1 Prepare To Use the Model A design goal of the model was to enable organizations to complete a self-evaluation for a single function in less than one day without extensive study or preparation This goal is achieved in part because the model is supported by an evaluation survey and scoring mechanism and the evaluation survey itself is performed in a workshop setting led by a facilitator who is familiar with the model content An important component of successfully completing the self-evaluation in one day is the selection of an effective facilitator Generally speaking a ONG-C2M2 facilitator is not only someone who is familiar with the model and its supporting artifacts but also someone who is effective at helping a group of people understand their common objectives and assisting them in planning to achieve these objectives without taking a particular position in the discussion 18 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 USING THE MODEL In addition to helping to execute the self-evaluation and interpret the results the facilitator helps the organization establish a scope for the model application Though the ONG-C2M2 and its supporting survey apply to an entire organization the self-evaluation survey is typically applied to a single function to maintain focus Recall that the term function refers to the subset of the operations of the organization that is being evaluated The facilitator must work with the organization to determine the survey scope—the part of the organization’s operations to which the model and survey will be applied and the organizations supporting IT and OT Selecting and documenting the scope before completing the survey ensures that users of the survey results understand to which part of the organization the results apply More thorough guidance on using the model selecting a facilitator and scoping the evaluation can be found in the supporting C2M2 Facilitator Guide7 6 2 Perform an Evaluation The organization should select the appropriate personnel to evaluate the function in scope against the model practices Participation by a broad representation across the parts of the organization being evaluated yields the best results and enables internal information sharing about the model practices Personnel selected to participate in the evaluation should include operational personnel management stakeholders and any others who could provide useful information on the organization’s performance of cybersecurity practices in the model Upon completion of the evaluation a scoring report is generated that shows maturity indicator level results for each domain This report provides a picture of the current state of practices relative to the model for the unit evaluated The report should be reviewed with the evaluation workshop participants and any discrepancies or questions should be addressed 6 3 Analyze Identified Gaps The scoring report from the evaluation will identify gaps in the performance of model practices The first analysis step for the organization is to determine whether these gaps are meaningful and important for the organization to address It is not typically optimal for an organization to strive to achieve the highest MIL in all domains Rather the organization should determine the level of practice performance and MIL achievement for each domain that best enables it to meet its business objectives and cybersecurity strategy The organization should identify its desired capability profile—a target MIL rating for each domain in the model This collection of desired capabilities is the organization’s target profile For organizations using the model for the first time a target capability profile is typically identified after the initial evaluation This gives the organization an opportunity to develop more familiarity with the model Organizations that have more experience with the model have often identified a target capability profile before undergoing an evaluation The appropriate organizational stakeholders should select the desired profile This might be a single individual 7 The C2M2 Facilitator Guide may be downloaded from http energy gov node 795826 19 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 USING THE MODEL with expertise in the function’s operations and management but it is likely to be a collection of individuals The desired profile can then be examined against the results from the evaluation workshop to identify gaps that are important to the organization because they represent differences from the desired capability profile 6 4 Prioritize and Plan After the gap analysis is complete the organization should prioritize the actions needed to fully implement the practices that enable achievement of the desired capability in specific domains The prioritization should be done using criteria such as how gaps affect organizational objectives the importance of the business objective supported by the domain the cost of implementing the necessary practices and the availability of resources to implement the practices A cost-benefit analysis for gaps and activities can inform the prioritization of the actions needed Next a plan should be developed to address the selected gaps These plans can span a period of weeks months or years depending on the extent of improvements needed to close the selected gaps and achieve the desired capability 6 5 Implement Plans and Periodically Reevaluate Plans developed in the previous step should be implemented to address the identified gaps Model evaluations are particularly useful in tracking implementations and should be conducted periodically to ensure that desired progress is achieved Reevaluations should also be considered in response to major changes in the business technology market or threat environments to ensure that the current profile matches the organization’s desired state 20 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 USING THE MODEL Table 4 presents a more detailed outline of the ONG-C2M2 process as described in this chapter Table 4 Recommended Process for Using Evaluation Results Inputs Activities Outputs Perform Evaluation 1 ONG-C2M2 Self-Evaluation 2 Policies and procedures 3 Understanding of cybersecurity program 1 Conduct ONG-C2M2 Self-Evaluation Workshop with appropriate attendees ONG-C2M2 Self-Evaluation Report Analyze Identified Gaps 1 ONG-C2M2 Self-Evaluation Report 2 Organizational objectives 3 Impact to critical infrastructure 1 Analyze gaps in organization’s context 2 Evaluate potential consequences from gaps 3 Determine which gaps need attention List of gaps and potential consequences Prioritize and Plan 1 List of gaps and potential consequences 2 Organizational constraints 1 Identify actions to address gaps 2 Cost-benefit analysis CBA on actions 3 Prioritize actions CBA and consequences 4 Plan to implement prioritize actions Prioritized implementation plan Implement Plans 1 Prioritized implementation plan 1 Track progress to plan 2 Reevaluate periodically or in response to major change Project tracking data 21 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 RISK MANAGEMENT 7 MODEL DOMAINS 7 1 Risk Management Purpose Establish operate and maintain an enterprise cybersecurity risk management program to identify analyze and mitigate cybersecurity risk to the organization including its business units subsidiaries related interconnected infrastructure and stakeholders Cybersecurity risk is defined as risk to organizational operations including mission functions image and reputation resources and other organizations due to the potential for unauthorized access use disclosure disruption modification or destruction of information IT and or OT Cybersecurity risk is one component of the overall business risk environment and feeds into an organization’s enterprise risk management strategy and program Cybersecurity risk cannot be completely eliminated but it can be managed through informed decision-making processes The Risk Management RM domain comprises three objectives 1 Establish Cybersecurity Risk Management Strategy 2 Manage Cybersecurity Risk 3 Management Activities A cybersecurity risk management strategy is a high-level strategy that provides direction for analyzing and prioritizing cybersecurity risk and defines risk tolerance The cybersecurity risk management strategy includes a risk assessment methodology risk monitoring strategy and cybersecurity governance program This includes defining the enterprise risk criteria e g impact thresholds risk response approaches that guide the cybersecurity program discussed in the Cybersecurity Program Management domain later in this model The cybersecurity risk management strategy should align with the enterprise risk management strategy to ensure that cybersecurity risk is managed in a manner that is consistent with the organization’s mission and business objectives Example Risk Management Anywhere Energy Inc has developed an enterprise risk management strategy that identifies its risk tolerance and strategy for assessing responding to and monitoring cybersecurity risks The board of directors reviews this strategy annually to ensure that it remains aligned with the strategic objectives of the organization Within this program risk tolerances including compliance risk and risk to the delivery of essential services are identified and documented Identified risks are recorded in a risk register to ensure that they are monitored and responded to in a timely manner and to identify trends Anywhere Energy Inc maintains a network architecture diagram that identifies critical assets and shows how they are connected and which ones are exposed to the Internet Resources like Web servers that take requests from the Internet are considered at higher risk than those that do not Assets that directly support ones with direct exposure like the database server behind a Web server are in the second risk tier and so on Anywhere Energy Inc augments the risk assessment derived from the network architecture with its cybersecurity architecture Since its network diagram includes elements like firewalls and intrusion detection devices an asset’s base risk is refined depending on how it is protected by security controls Final risk for each asset is a combination of the asset’s importance in delivering essential services and its exposure based on the network and cybersecurity architectures 22 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 RISK MANAGEMENT Managing cybersecurity risk involves framing identifying and assessing responding to accepting avoiding mitigating transferring and monitoring risks in a manner that aligns with the needs of the organization Key to performing these activities is an organization-wide understanding of the cybersecurity risk management strategy discussed above With defined risk criteria organizations can consistently respond to and monitor identified risks A risk register—a list of identified risks and associated attributes—facilitates this process Other domains in this model including Event and Incident Response Continuity of Operations Threat and Vulnerability Management and Situational Awareness refer to the risk register and illustrate how the practices in the model are strengthened as they connect through a cybersecurity risk management program Objectives and Practices 1 Establish Cybersecurity Risk Management Strategy MIL1 No practice at MIL1 MIL2 a There is a documented cybersecurity risk management strategy b The strategy provides an approach for risk prioritization including consideration of impact MIL3 c Organizational risk criteria objective criteria that the organization uses for evaluating categorizing and prioritizing operational risks based on impact tolerance for risk and risk response approaches are defined and available d The risk management strategy is periodically updated to reflect the current threat environment e An organization-specific risk taxonomy is documented and is used in risk management activities 2 Manage Cybersecurity Risk MIL1 a Cybersecurity risks are identified b Identified risks are mitigated accepted tolerated or transferred MIL2 c Risk assessments are performed to identify risks in accordance with the risk management strategy d Identified risks are documented e Identified risks are analyzed to prioritize response activities in accordance with the risk management strategy f Identified risks are monitored in accordance with the risk management strategy g Risk analysis is informed by network IT and or OT architecture MIL3 h The risk management program defines and operates risk management policies and procedures that implement the risk management strategy i A current cybersecurity architecture is used to inform risk analysis j A risk register a structured repository of identified risks is used to support risk management activities 23 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 RISK MANAGEMENT 3 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for risk management activities b Stakeholders for risk management activities are identified and involved c Adequate resources people funding and tools are provided to support risk management activities d Standards and or guidelines have been identified to inform risk management activities MIL3 e Risk management activities are guided by documented policies or other organizational directives f Risk management policies include compliance requirements for specified standards and or guidelines g Risk management activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of risk management activities are assigned to personnel i Personnel performing risk management activities have the skills and knowledge needed to perform their assigned responsibilities 24 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ASSET CHANGE AND CONFIGURATION MANAGEMENT 7 2 Asset Change and Configuration Management Purpose Manage the organization’s IT and OT assets including both hardware and software commensurate with the risk to critical infrastructure and organizational objectives An asset is something of value to an organization For the purposes of this model assets to be considered are IT and OT hardware and software assets as well as information essential to operating the function The Asset Change and Configuration Management ACM domain comprises four objectives 1 Manage Asset Inventory 2 Manage Asset Configuration 3 Manage Changesto Assets 4 Management Activities An inventory of assets important to the delivery of the function is an important resource in managing cybersecurity risk Recording important information such as software version physical location asset owner and priority enables many other cybersecurity management activities For example a robust asset inventory can identify the deployment location of software that requires patching Managing asset configuration involves defining a configuration baseline for IT and OT assets and ensuring that assets are configured according to the baseline Most commonly this practice applies to ensuring that similar assets are configured in the same way However in cases where assets are either unique or must have individual configurations managing asset configuration involves controlling the configuration baseline of the asset when it is deployed for operation and ensuring that the asset remains configured according to the baseline Managing changes to assets includes analyzing requested changes to ensure they do not introduce unacceptable vulnerabilities into the operating environment ensuring all changes follow the change management process and identifying unauthorized changes Change control applies to the entire asset life cycle including requirements definition testing deployment and maintenance and retirement from operation Example Asset Change and Configuration Management Anywhere Energy Inc has an asset database Within that database technology assets are identified and prioritized based on importance to the delivery of the function The database includes attributes that support cybersecurity operations such as hardware and software versions physical location security requirements business needs for the asset’s confidentiality integrity and availability asset owner and version of applied configuration baseline Anywhere Energy Inc uses this information for cybersecurity risk management activities including identifying which systems may be affected by software vulnerabilities prioritizing cybersecurity incident response and planning disaster recovery To maintain change traceability and consistency Anywhere Energy Inc ’s change management activities ensure that the asset database remains current as configurations change All important decisions about assets are communicated to stakeholders including the asset owner so that potential impacts to the function are efficiently managed 25 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ASSET CHANGE AND CONFIGURATION MANAGEMENT Objectives and Practices 1 Manage Asset Inventory MIL1 a There is an inventory of OT and IT assets that are important to the delivery of the function b There is an inventory of information assets that are important to the delivery of the function e g SCADA set points customer information financial data MIL2 c Inventory attributes include information to support the cybersecurity strategy e g location asset owner applicable security requirements service dependencies service level agreements and conformance of assets to relevant industry standards d Inventoried assets are prioritized based on their importance to the delivery of the function MIL3 e There is an inventory for all connected IT and OT assets related to the delivery of the function f The asset inventory is current as defined by the organization 2 Manage Asset Configuration MIL1 a Configuration baselines are established for inventoried assets where it is desirable to ensure that multiple assets are configured similarly b Configuration baselines are used to configure assets at deployment MIL2 c The design of configuration baselines includes cybersecurity objectives MIL3 d Configuration of assets are monitored for consistency with baselines throughout the assets’ life cycle e Configuration baselines are reviewed and updated at an organizationally-defined frequency 3 Manage Changes to Assets MIL1 a Changes to inventoried assets are evaluated before being implemented b Changes to inventoried assets are logged MIL2 c Changes to assets are tested prior to being deployed whenever possible d Change management practices address the full life cycle of assets i e acquisition deployment operation retirement MIL3 e Changes to assets are tested for cybersecurity impact prior to being deployed f Change logs include information about modifications that impact the cybersecurity requirements of assets availability integrity confidentiality 26 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ASSET CHANGE AND CONFIGURATION MANAGEMENT 4 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for asset inventory configuration and change management activities b Stakeholders for asset inventory configuration and change management activities are identified and involved c Adequate resources people funding and tools are provided to support asset inventory configuration and change management activities d Standards and or guidelines have been identified to inform asset inventory configuration and change management activities MIL3 e Asset inventory configuration and change management activities are guided by documented policies or other organizational directives f Asset inventory configuration and change management policies include compliance requirements for specified standards and or guidelines g Asset inventory configuration and change management activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of asset inventory configuration and change management activities are assigned to personnel i Personnel performing asset inventory configuration and change management activities have the skills and knowledge needed to perform their assigned responsibilities 27 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 IDENTITY AND ACCESS MANAGEMENT 7 3 Identity and Access Management Purpose Create and manage identities for entities that may be granted logical or physical access to the organization’s assets Control access to the organization’s assets commensurate with the risk to critical infrastructure and organizational objectives For the purposes of this domain access control applies to logical access to assets used in the delivery of the function physical access to cyber assets relevant to the function and automated access control systems logical or physical relevant to the function Improper access management practices can lead to unauthorized use disclosure destruction or modification as well as unnecessary exposure to cybersecurity risks The Identity and Access Management IAM domain comprises three objectives 1 Establish and Maintain Identities 2 Control Access 3 Management Activities Establishing and maintaining identities begins with the provisioning and deprovisioning removing available identities when they are no longer required of identities to entities Entities may include individuals internal or external to the organization as well as devices systems or processes that require access to assets In some cases organizations may need to use shared identities Management of shared identities may require compensatory measures to ensure an appropriate level of security Maintenance of identities includes traceability ensuring that all known identities are valid as well as deprovisioning Controlling access includes determining access requirements granting access to assets based on those requirements and revoking access when it is no longer required Access requirements are associated with assets and provide guidance for which types of entities are allowed to access the asset the limits of allowed access and authentication parameters For example the access requirements for a specific asset might allow remote access by a vendor only during specified and preplanned maintenance intervals and might also require multifactor authentication for such access At higher maturity indicator levels more scrutiny is applied to the access being granted Access is granted only after considering risk to the function and regular reviews of access are conducted Example Identity and Access Management Anywhere Energy Inc decides to upgrade multiple identity and access management systems to a system that is capable of supporting multifactor authentication The organization believes that reducing the number of IAM systems that it manages will enable more effective access management As Anywhere Energy Inc prepares to migrate legacy systems to the new IAM system it discovers that some former employees still have active accounts some current employees have more access than is required for their role and some employees who have changed roles within the organization still have active accounts on systems to which they no longer require access Anywhere Energy Inc updates its identity management processes to include coordination with the organization’s human resources processes to help ensure that whenever a user changes roles or leaves the organization his or her access will be reviewed and updated appropriately Anywhere Energy Inc also institutes a quarterly review to ensure that access granted to the organization’s assets aligns with access requirements 28 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 IDENTITY AND ACCESS MANAGEMENT Objectives and Practices 1 Establish and Maintain Identities MIL1 a Identities are provisioned for personnel and other entities e g services devices who require access to assets note that this does not preclude shared identities b Credentials are issued for personnel and other entities that require access to assets e g passwords smart cards certificates keys c Identities are deprovisioned when no longer required MIL2 d Identity repositories are periodically reviewed and updated to ensure validity i e to ensure that the identities still need access e Credentials are periodically reviewed to ensure that they are associated with the correct person or entity f Identities are deprovisioned within organizationally defined time thresholds when no longer required MIL3 g Requirements for credentials are informed by the organization’s risk criteria e g multifactor credentials for higher risk access RM-1c 2 Control Access MIL1 a Access requirements including those for remote access are determined access requirements are associated with assets and provide guidance for which types of entities are allowed to access the asset the limits of allowed access and authentication parameters b Access is granted to identities based on requirements c Access is revoked when no longer required MIL2 d Access requirements incorporate least privilege and separation of duties principles e Access requests are reviewed and approved by the asset owner f Root privileges administrative access emergency access and shared accounts receive additional scrutiny and monitoring MIL3 g Access privileges are reviewed and updated to ensure validity at an organizationally defined frequency h Access to assets is granted by the asset owner based on risk to the function i Anomalous access attempts are monitored as indicators of cybersecurity events 3 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed to establish and maintain identities and control access b Stakeholders for access and identity management activities are identified and involved c Adequate resources people funding and tools are provided to support access and identity management activities d Standards and or guidelines have been identified to inform access and identity management activities MIL3 e Access and identity management activities are guided by documented policies or other organizational directives f Access and identity management policies include compliance requirements for specified standards and or guidelines g Access and identity management activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of access and identity management activities are assigned to personnel i Personnel performing access and identity management activities have the skills and knowledge needed to perform their assigned responsibilities 29 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 THREAT AND VULNERABILITY MANAGEMENT 7 4 Threat and Vulnerability Management Purpose Establish and maintain plans procedures and technologies to detect identify analyze manage and respond to cybersecurity threats and vulnerabilities commensurate with the risk to the organization’s infrastructure e g critical IT operational and organizational objectives A cybersecurity threat is defined as any circumstance or event with the potential to adversely impact organizational operations including mission functions image or reputation resources and other organizations through IT OT or communications infrastructure via unauthorized access destruction disclosure modification of information and or denial of service Threats to IT OT and communication infrastructure assets vary and may include malicious actors malware e g viruses and worms accidents and weather emergencies A cybersecurity vulnerability is a weakness or flaw in IT OT communications systems or devices procedures or internal controls that could be exploited by a threat The Threat and Vulnerability Management TVM domain comprises three objectives 1 Identify and Respond to Threats 2 Reduce Cybersecurity Vulnerabilities 3 Management Activities Threat identification and response begins with collecting useful threat information from reliable sources interpreting that information in the context of the organization and function and responding to threats that have the means motive and opportunity to affect the delivery of functions A threat profile includes characterization of likely intent capability and target of threats to the function The threat profile can be used to guide the identification of specific threats the risk analysis process described in the Risk Management domain and the building of the COP described in the Situational Awareness domain Reducing cybersecurity vulnerabilities begins with collecting and analyzing vulnerability information Vulnerability discovery may be performed using automatic scanning tools network penetration tests cybersecurity exercises and audits Vulnerability analysis should consider the vulnerability’s local impact the potential effect of the vulnerability on the exposed asset as well as the importance of the exposed asset to the delivery of the function Vulnerabilities may Example Threat and Vulnerability Management Anywhere Energy Inc examined the types of threats that it normally responds to including malicious software denial-of service attacks and activist cyber attack groups This information has been used to develop Anywhere Energy Inc ’s documented threat profile Anywhere Energy Inc has identified reliable sources of information to enable rapid threat identification and is able to consume and analyze published threat information from sources such as the US-CERT Information Sharing and Analysis Centers ISACs and Industrial Control Systems Cyber Emergency Response Team and begin an effective response When reducing cybersecurity vulnerabilities Anywhere Energy Inc uses the Forum of Incident Response and Security Teams FIRST Common Vulnerability Scoring System CVSS to better identify the potential impacts of known software vulnerabilities This allows the organization to prioritize reduction activities according to the importance of the vulnerabilities 30 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 THREAT AND VULNERABILITY MANAGEMENT be addressed by implementing mitigating controls monitoring threat status applying cybersecurity patches or through other activities Objectives and Practices 1 Identify and Respond to Threats MIL1 a Information sources to support threat management activities are identified e g various critical infrastructure sector ISACs ICS-CERT US-CERT industry associations vendors federal briefings b Cybersecurity threat information is gathered and interpreted for the function c Threats that are considered important to the function are addressed e g implement mitigating controls monitor threat status MIL2 d A threat profile for the function is established that includes characterization of likely intent capability and target of threats to the function e Threat information sources that address all components of the threat profile are prioritized and monitored f Identified threats are analyzed and prioritized g Threats are addressed according to the assigned priority MIL3 h The threat profile for the function is validated at an organization-defined frequency i Analysis and prioritization of threats are informed by the function’s or organization’s risk criteria RM-1c j Threat information is added to the risk register RM-2j 2 Reduce Cybersecurity Vulnerabilities MIL1 a Information sources to support cybersecurity vulnerability discovery are identified e g US-CERT various critical infrastructure sector ISACs ICS-CERT industry associations vendors federal briefings internal assessments b Cybersecurity vulnerability information is gathered and interpreted for the function c Cybersecurity vulnerabilities that are considered important to the function are addressed e g implement mitigating controls apply cybersecurity patches MIL2 d Cybersecurity vulnerability information sources that address all assets important to the function are monitored e Cybersecurity vulnerability assessments are performed e g architectural reviews penetration testing cybersecurity exercises vulnerability identification tools f Identified cybersecurity vulnerabilities are analyzed and prioritized e g NIST Common Vulnerability Scoring System could be used for patches internal guidelines could be used to prioritize other types of vulnerabilities g Cybersecurity vulnerabilities are addressed according to the assigned priority h Operational impact to the function is evaluated prior to deploying cybersecurity patches 31 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 THREAT AND VULNERABILITY MANAGEMENT 2 Reduce Cybersecurity Vulnerabilities cont MIL3 i Cybersecurity vulnerability assessments are performed for all assets important to the delivery of the function at an organization-defined frequency j Cybersecurity vulnerability assessments are informed by the function’s or organization’s risk criteria RM-1c k Cybersecurity vulnerability assessments are performed by parties that are independent of the operations of the function l Analysis and prioritization of cybersecurity vulnerabilities are informed by the function’s or organization’s risk criteria RM-1c m Cybersecurity vulnerability information is added to the risk register RM-2j n Risk monitoring activities validate the responses to cybersecurity vulnerabilities e g deployment of patches or other activities 3 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for threat and vulnerability management activities b Stakeholders for threat and vulnerability management activities are identified and involved c Adequate resources people funding and tools are provided to support threat and vulnerability management activities d Standards and or guidelines have been identified to inform threat and vulnerability management activities MIL3 e Threat and vulnerability management activities are guided by documented policies or other organizational directives f Threat and vulnerability management policies include compliance requirements for specified standards and or guidelines g Threat and vulnerability management activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of threat and vulnerability management activities are assigned to personnel i Personnel performing threat and vulnerability management activities have the skills and knowledge needed to perform their assigned responsibilities 32 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 SITUATIONAL AWARENESS 7 5 Situational Awareness Purpose Establish and maintain activities and technologies to collect analyze alarm present and use operational and cybersecurity information including status and summary information from the other model domains to form a common operating picture COP commensurate with the risk to critical infrastructure and organizational objectives Situational awareness involves developing near-real-time knowledge of a dynamic operating environment In part this is accomplished through the logging and monitoring of IT OT and communication infrastructure assets essential for the delivery of the function It is equally important to maintain knowledge of relevant current cybersecurity events external to the enterprise Once an organization develops a COP it can align predefined states of operation to changes in the operating environment Rapid shifts among predetermined emergency operations can enable faster and more effective response to cybersecurity events The Situational Awareness SA domain comprises four objectives 1 Perform Logging 2 Perform Monitoring 3 Establish and Maintain a Common Operating Picture 4 Management Activities Logging should be enabled based on the assets’ potential impact to the function For example the greater the potential impact of a compromised asset the more data an organization might collect about the asset The condition of assets as discovered through monitoring contributes to an operating picture Effectively communicating the operating picture to relevant decision makers is the essence of a COP While many implementations of a COP may include visualization tools e g dashboards maps and other graphical displays they are not necessarily required to achieve the goal Organizations may use other methods to share a function’s current state of cybersecurity Example Situational Awareness Anywhere Energy Inc identified the assets that are essential to the delivery of the organization’s functions Additionally the personnel monitor a number of resources that provide reliable cybersecurity information including its vendors and US-CERT Further Anywhere Energy Inc determined that indicators of an emerging threat often reside in different parts of the organization Building Security tracks visitors the Helpdesk responds to strange laptop behavior shipping knows about packages and the security team monitors network events and external sources Each day the security team gathers information from other departments adds their own data and produces a COP for the rest of the organization The COP summarizes the current state of operations using a color-coded scale and is posted on the wall of the control room as well as on the corporate intranet site When the COP suggests a need for heightened security visitors are screened more carefully the Helpdesk conducts malware scans on misbehaving laptops and human resources sends out reminders about phishing Senior management reviews the COP and is prepared should extraordinary action—like shutting down the Web site—be required At the highest state of alert they change firewall rule sets to restrict nonessential protocols like video conferencing delay all but emergency change requests and put the cybersecurity incident response team on standby 33 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 SITUATIONAL AWARENESS Objectives and Practices 1 Perform Logging MIL1 a Logging is occurring for assets important to the function where possible MIL2 b Logging requirements have been defined for all assets important to the function e g scope of activity and coverage of assets cybersecurity requirements confidentiality integrity availability c Log data are being aggregated within the function MIL3 d Logging requirements are based on the risk to the function e Log data support other business and security processes e g incident response asset management 2 Perform Monitoring MIL1 a Cybersecurity monitoring activities are performed e g periodic reviews of log data b Operational environments are monitored for anomalous behavior that may indicate a cybersecurity event MIL2 c Monitoring and analysis requirements have been defined for the function and address timely review of event data d Alarms and alerts are configured to aid in the identification of cybersecurity events IR-1b e Indicators of anomalous activity have been defined and are monitored across the operational environment f Monitoring activities are aligned with the function’s threat profile TVM-1d MIL3 g Monitoring requirements are based on the risk to the function h Monitoring is integrated with other business and security processes e g incident response asset management i Continuous monitoring is performed across the operational environment to identify anomalous activity j Risk register RM-2j content is used to identify indicators of anomalous activity k Alarms and alerts are configured according to indicators of anomalous activity 3 Establish and Maintain a Common Operating Picture COP MIL1 No practice at MIL1 MIL2 a Methods of communicating the current state of cybersecurity for the function are established and maintained b Monitoring data are aggregated to provide an understanding of the operational state of the function i e a common operating picture a COP may or may not include visualization or be presented graphically c Information from across the organization is available to enhance the common operating picture MIL3 d Monitoring data are aggregated to provide near-real-time understanding of the cybersecurity state for the function to enhance the common operating picture e Information from outside the organization is collected to enhance the common operating picture f Predefined states of operation are defined and invoked manual or automated process based on the common operating picture 34 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 SITUATIONAL AWARENESS 4 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for logging monitoring and COP activities b Stakeholders for logging monitoring and COP activities are identified and involved c Adequate resources people funding and tools are provided to support logging monitoring and COP activities d Standards and or guidelines have been identified to inform logging monitoring and COP activities MIL3 e Logging monitoring and COP activities are guided by documented policies or other organizational directives f Logging monitoring and COP policies include compliance requirements for specified standards and or guidelines g Logging monitoring and COP activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of logging monitoring and COP activities are assigned to personnel i Personnel performing logging monitoring and COP activities have the skills and knowledge needed to perform their assigned responsibilities 35 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 INFORMATION SHARING AND COMMUNICATIONS 7 6 Information Sharing and Communications Purpose Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information including threats and vulnerabilities to reduce risks and to increase operational resilience commensurate with the risk to critical infrastructure and organizational objectives The objective of information sharing is to strengthen cybersecurity by establishing and maintaining a framework for interaction among organizations as well as between organizations and the government The Information Sharing and Communications ISC domain comprises two objectives 1 Share Cybersecurity Information 2 Management Activities Sharing cybersecurity information begins with gathering cybersecurity information relevant to the function This information is available from many sources including vendors government entities and peers Secure sharing of different types of risk-related information is essential to the well-being of individual organizations and the subsector As threats are responded to and vulnerabilities are discovered organizations should ensure that relevant data is effectively and appropriately shared so that peers may also reduce their risk and improve sector resilience Forums such as the Information Sharing and Analysis Centers in many sectors can facilitate this sharing Example Information Sharing and Communications Anywhere Energy Inc worked with trade groups to find and maintain informal connections with other organizations This worked sufficiently well for a variety of issues without critical deadlines However new security and cyber-related issues with critical deadlines strained this informal method of sharing and communications Recognizing the need for more significant relationships the organization decided to formalize ties to industry groups that will inform it of news and issues engage with vendors with whom they have significant investment and participate with regional state and government organizations that advance thought leadership and practical guidance As part of this effort Anywhere Energy Inc partners with others to establish a secure confidential information-sharing environment that enables organizations to share cybersecurity information without attribution Within this environment organizations are free to disclose cybersecurity information as well as share technical expertise to overcome cybersecurity challenges 36 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 INFORMATION SHARING AND COMMUNICATIONS Objectives and Practices 1 Share Cybersecurity Information MIL1 a Information is collected from and provided to selected individuals and or organizations b Responsibility for cybersecurity reporting obligations are assigned to personnel e g internal reporting ICS-CERT law enforcement MIL2 c Information-sharing stakeholders are identified based on their relevance to the continued operation of the function e g connected organizations vendors sector organizations regulators internal entities d Information is collected from and provided to identified information-sharing stakeholders e Technical sources are identified that can be consulted on cybersecurity issues f Provisions are established and maintained to enable secure sharing of sensitive or classified information g Information-sharing practices address both standard operations and emergency operations MIL3 h Information-sharing stakeholders are identified based on shared interest in and risk to critical infrastructure i The function or the organization participates with information sharing and analysis centers j Information-sharing requirements have been defined for the function and address timely dissemination of cybersecurity information k Procedures are in place to analyze and de-conflict received information l A network of internal and external trust relationships formal and or informal has been established to vet and validate information about cyber events 2 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for information-sharing activities b Stakeholders for information-sharing activities are identified and involved c Adequate resources people funding and tools are provided to support information-sharing activities d Standards and or guidelines have been identified to inform information-sharing activities MIL3 e Information-sharing activities are guided by documented policies or other organizational directives f Information-sharing policies include compliance requirements for specified standards and or guidelines g Information-sharing activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of information-sharing activities are assigned to personnel i Personnel performing information-sharing activities have the skills and knowledge needed to perform their assigned responsibilities j Information-sharing policies address protected information and ethical use and sharing of information including sensitive and classified information as appropriate 37 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 EVENT AND INCIDENT RESPONSE CONTINUITY OF OPERATIONS 7 7 Event and Incident Response Continuity of Operations Purpose Establish and maintain plans procedures and technologies to detect analyze and respond to cybersecurity events and to sustain operations throughout a cybersecurity event commensurate with the risk to critical infrastructure and organizational objectives A cybersecurity event in a system or network is any observable occurrence that is related to a cybersecurity requirement confidentiality integrity or availability of assets A cybersecurity incident is an event or series of events that significantly affects or could significantly affect critical infrastructure and or organizational assets and services and requires the organization and possibly other stakeholders to respond in some way to prevent or limit adverse impacts The Event and Incident Response Continuity of Operations IR domain comprises five objectives 1 Detect Cybersecurity Events 2 Escalate Cybersecurity Events and Declare Incidents 3 Respond to Incidents and Escalated Cybersecurity Events 4 Plan for Continuity 5 Management Activities Detecting cybersecurity events includes designating a forum for reporting events and establishing criteria for event prioritization These criteria should align with the cybersecurity risk management strategy discussed in the Risk Management domain ensure consistent valuation of events and provide a structure to differentiate between cybersecurity events and cybersecurity incidents Escalating cybersecurity events involves applying the criteria discussed in the Detect Cybersecurity Events objective and identifying when cybersecurity events need to be managed according to a response plan These escalated cybersecurity events including incidents may trigger external obligations including reporting to regulatory bodies or notifying customers Correlating multiple cybersecurity events and incidents and other records may uncover systemic problems within the environment Responding to escalated cybersecurity events requires the organization to have a process to limit the impact of cybersecurity events to subsector functions The process should describe how the organization manages all phases of the incident life cycle e g triage handling communication coordination and closure Conducting lessons-learned reviews as a part of Example Event and Incident Response Continuity of Operations Anywhere Energy Inc purchased a helpdesk tracking system to log and track important cybersecurity events On the wall in the helpdesk shared working area Anywhere Energy Inc posted a chart that identifies criteria for escalating cybersecurity events which include who must be notified and response time objectives When the organization experiences a cybersecurity incident the incident response plan requires that the incident be logged and communicated to key stakeholders The reporting process includes those responsible for communicating the common operating picture described in the Situational Awareness domain Anywhere Energy Inc tests its disaster recovery plan annually to ensure that it can continue to meet recovery time objectives for the sector functions and that it has a good understanding of the restoration path for its assets 38 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 EVENT AND INCIDENT RESPONSE CONTINUITY OF OPERATIONS cybersecurity event and incident response helps the organization eliminate the exploited vulnerability that led to the incident Planning for continuity involves the necessary activities to sustain the subsector function in the event of an interruption such as a severe cybersecurity incident or a disaster Business impact analyses enable the organization to identify essential assets and associated recovery time objectives Continuity plans should be tested and adjusted to ensure they remain realistic and practicable Objectives and Practices 1 Detect Cybersecurity Events MIL1 a There is a point of contact person or role to whom cybersecurity events could be reported b Detected cybersecurity events are reported c Cybersecurity events are logged and tracked MIL2 d Criteria are established for cybersecurity event detection e g what constitutes an event where to look for events e There is a repository where cybersecurity events are logged based on the established criteria MIL3 f Event information is correlated to support incident analysis by identifying patterns trends and other common features g Cybersecurity event detection activities are adjusted based on information from the organization’s risk register RM-2j and threat profile TVM-1d to help detect known threats and monitor for identified risks h The common operating picture for the function is monitored to support the identification of cybersecurity events SA-3a 2 Escalate Cybersecurity Events and Declare Incidents MIL1 a Criteria for cybersecurity event escalation are established including cybersecurity incident declaration criteria b Cybersecurity events are analyzed to support escalation and the declaration of cybersecurity incidents c Escalated cybersecurity events and incidents are logged and tracked MIL2 d Criteria for cybersecurity event escalation including cybersecurity incident criteria are established based on the potential impact to the function e Criteria for cybersecurity event escalation including cybersecurity incident declaration criteria are updated at an organization-defined frequency f There is a repository where escalated cybersecurity events and cybersecurity incidents are logged and tracked to closure MIL3 g Criteria for cybersecurity event escalation including cybersecurity incident declaration criteria are adjusted according to information from the organization’s risk register RM-2j and threat profile TVM-1d h Escalated cybersecurity events and declared cybersecurity incidents inform the common operating picture SA-3a for the function i Escalated cybersecurity events and declared incidents are correlated to support the discovery of patterns trends and other common features 39 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 EVENT AND INCIDENT RESPONSE CONTINUITY OF OPERATIONS 3 Respond to Incidents and Escalated Cybersecurity Events MIL1 a Cybersecurity event and incident response personnel are identified and roles are assigned b Responses to escalated cybersecurity events and incidents are implemented to limit impact to the function and restore normal operations c Reporting of escalated cybersecurity events and incidents is performed e g internal reporting ICS CERT relevant ISACs MIL2 d Cybersecurity event and incident response is performed according to defined procedures that address all phases of the incident life cycle e g triage handling communication coordination and closure e Cybersecurity event and incident response plans are exercised at an organization- defined frequency f Cybersecurity event and incident response plans address OT and IT assets important to the delivery of the function g Training is conducted for cybersecurity event and incident response teams MIL3 h Cybersecurity event and incident root-cause analysis and lessons-learned activities are performed and corrective actions are taken i Cybersecurity event and incident responses are coordinated with law enforcement and other government entities as appropriate including support for evidence collection and preservation j Cybersecurity event and incident response personnel participate in joint cybersecurity exercises with other organizations e g table top simulated incidents k Cybersecurity event and incident response plans are reviewed and updated at an organization-defined frequency l Cybersecurity event and incident response activities are coordinated with relevant external entities m Cybersecurity event and incident response plans are aligned with the function’s risk criteria RM-1c and threat profile TVM-1d n Policy and procedures for reporting cybersecurity event and incident information to designated authorities conform with applicable laws regulations and contractual agreements o Restored assets are configured appropriately and inventory information is updated following execution of response plans 4 Plan for Continuity MIL1 a The activities necessary to sustain minimum operations of the function are identified b The sequence of activities necessary to return the function to normal operation is identified c Continuity plans are developed to sustain and restore operation of the function MIL2 d Business impact analyses inform the development of continuity plans e Recovery time objectives RTO and recovery point objectives RPO for the function are incorporated into continuity plans f Continuity plans are evaluated and exercised MIL3 g Business impact analyses are periodically reviewed and updated h RTO and RPO are aligned with the function’s risk criteria RM-1c i The results of continuity plan testing and or activation are compared to recovery objectives and plans are improved accordingly j Continuity plans are periodically reviewed and updated k Restored assets are configured appropriately and inventory information is updated following execution of continuity plans 40 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 EVENT AND INCIDENT RESPONSE CONTINUITY OF OPERATIONS 5 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for cybersecurity event and incident response as well as continuity of operations activities b Stakeholders for cybersecurity event and incident response as well as continuity of operations activities are identified and involved c Adequate resources people funding and tools are provided to support cybersecurity event and incident response as well as continuity of operations activities d Standards and or guidelines have been identified to inform cybersecurity event and incident response as well as continuity of operations activities MIL3 e Cybersecurity event and incident response as well as continuity of operations activities are guided by documented policies or other organizational directives f Cybersecurity event and incident response as well as continuity of operations policies include compliance requirements for specified standards and or guidelines g Cybersecurity event and incident response as well as continuity of operations activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of cybersecurity event and incident response as well as continuity of operations activities are assigned to personnel i Personnel performing cybersecurity event and incident response as well as continuity of operations activities have the skills and knowledge needed to perform their assigned responsibilities 41 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 SUPPLY CHAIN AND EXTERNAL DEPENDENCIES MANAGEMENT 7 8 Supply Chain and External Dependencies Management Purpose Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities commensurate with the risk to critical infrastructure and organizational objectives As the interdependencies among infrastructures operating partners suppliers service providers and customers increase establishing and maintaining a comprehensive understanding of key relationships and managing their associated cybersecurity risks is essential for the secure reliable and resilient delivery of the function This model classifies external dependencies as supplier or customer Supplier dependencies are external parties on which the delivery of the function depends including operating partners Customer dependencies are external parties that depend on the delivery of the function including operating partners Supply chain risk is a noteworthy example of a supplier dependency The cybersecurity characteristics of products and services vary widely Without proper risk management they pose serious threats including software of unknown provenance and counterfeit possibly malicious hardware Organizations’ requests for proposal often give suppliers of high-technology systems devices and services only rough specifications which may lack adequate requirements for security and quality assurance The autonomy organizations often give to their individual business units further increases the risk unless procurement activities are constrained by plan or policy to include cybersecurity requirements The Supply Chain and External Dependencies Management EDM domain comprises three objectives 1 Identify Dependencies 2 Manage Dependency Risk 3 Management Activities Example Supply Chain and External Dependencies Management Anywhere Energy Inc receives products and services from multiple vendors Recently the organization began to work with a new vendor that during the normal course of business will have access to sensitive data and systems Within the contract for the project Anywhere Energy Inc mandated the nondisclosure of sensitive data Anywhere Energy also specified cybersecurity requirements for the handling communication and storage of its information requiring that it be encrypted both in transit and in storage The cybersecurity requirements also stated that passwords and cryptographic keys would be properly managed and they specified strict limits and controls on the vendor personnel and systems that will have access to Anywhere Energy Inc ’s systems and data during deployment operations and maintenance Additionally Anywhere Energy Inc conducted a review of the vendor’s practices including the vendor’s cybersecurity practices with respect to its suppliers participated in a security design review of the vendor’s proposed system and plans to conduct periodic audits of the delivered system to ensure that the vendor continues to meet its obligations When the vendor supplied equipment Anywhere Energy Inc carried out an inspection to verify that the hardware software and firmware were authentic and that initial configurations were as agreed upon To accomplish this Anywhere Energy Inc conducted random sample audits which included visually confirming serial numbers with the hardware manufacturer to help detect counterfeits verifying digital signatures for associated software and firmware and checking initial configuration settings for conformance 42 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 SUPPLY CHAIN AND EXTERNAL DEPENDENCIES MANAGEMENT Identifying dependencies involves establishing and maintaining a comprehensive understanding of the key external relationships required for the delivery of the function Managing dependency risk includes approaches such as independent testing code review scanning for vulnerabilities and reviewing demonstrable evidence from the vendor that a secure software development process has been followed Contracts binding the organization to a relationship with a partner or vendor for products or services should be reviewed and approved for cybersecurity risk mitigation such as contract language that establishes vendor responsibilities for meeting or exceeding specified cybersecurity standards or guidelines Service level agreements can specify monitoring and audit processes to verify that vendors and service providers meet cybersecurity and other performance measures Objectives and Practices 1 Identify Dependencies MIL1 a Important IT and OT supplier dependencies are identified i e external parties on which the delivery of the function depend including operating partners b Important customer dependencies are identified i e external parties that are dependent on the delivery of the function including operating partners MIL2 c Supplier dependencies are identified according to established criteria d Customer dependencies are identified according to established criteria e Single-source and other essential dependencies are identified f Dependencies are prioritized MIL3 g Dependency prioritization and identification are based on the function’s or organization's risk criteria RM-1c 2 Manage Dependency Risk MIL1 a Significant cybersecurity risks due to suppliers and other dependencies are identified and addressed b Cybersecurity requirements are considered when establishing relationships with suppliers and other third parties MIL2 c Identified cybersecurity dependency risks are entered into the risk register RM-2j d Contracts and agreements with third parties incorporate sharing of cybersecurity threat information e Cybersecurity requirements are established for suppliers according to a defined practice including requirements for secure software development practices where appropriate f Agreements with suppliers and other external entities include cybersecurity requirements g Evaluation and selection of suppliers and other external entities includes consideration of their ability to meet cybersecurity requirements h Agreements with suppliers require notification of cybersecurity incidents related to the delivery of the product or service i Suppliers and other external entities are periodically reviewed for their ability to continually meet the cybersecurity requirements 43 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 SUPPLY CHAIN AND EXTERNAL DEPENDENCIES MANAGEMENT 2 Manage Dependency Risk cont MIL3 j Cybersecurity risks due to external dependencies are managed according to the organization’s risk management criteria and process k Cybersecurity requirements are established for supplier dependencies based on the organization’s risk criteria RM-1c l Agreements with suppliers require notification of vulnerability-inducing product defects throughout the intended life cycle of delivered products m Acceptance testing of procured assets includes testing for cybersecurity requirements n Information sources are monitored to identify and avoid supply chain threats e g counterfeit parts software and services 3 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for managing dependency risk b Stakeholders for managing dependency risk are identified and involved c Adequate resources people funding and tools are provided to support dependency risk management activities d Standards and or guidelines have been identified to inform managing dependency risk MIL3 e Dependency risk management activities are guided by documented policies or other organizational directives f Dependency risk management policies include compliance requirements for specified standards and or guidelines g Dependency risk management activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of dependency risk management are assigned to personnel i Personnel performing dependency risk management have the skills and knowledge needed to perform their assigned responsibilities 44 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 WORKFORCE MANAGEMENT 7 9 Workforce Management Purpose Establish and maintain plans procedures technologies and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel commensurate with the risk to critical infrastructure and organizational objectives As organizations increasingly adopt advanced digital technology it is a challenge to enhance the skill sets of their existing workforce and hire personnel with the appropriate level of cybersecurity experience education and training Organizations’ reliance on advanced technology for digital communications and control continues to grow and workforce issues are a crucial aspect of successfully addressing cybersecurity and risk management for these systems Collective bargaining agreements may challenge some aspects of the practices in this domain as written so organizations may need to implement alternative practices that meet the intent of the model practices and align with those agreements The Workforce Management WM domain comprises five objectives 1 Assign Cybersecurity Responsibilities 2 Control the Workforce Life Cycle 3 Develop Cybersecurity Workforce 4 Increase Cybersecurity Awareness 5 Management Activities An important aspect of assigning cybersecurity responsibilities is ensuring adequacy and redundancy of coverage For example specific workforce roles with significant cybersecurity responsibilities are often easy to determine but they can be challenging to maintain It is vital to develop plans for key cybersecurity workforce roles e g system administrators to provide appropriate training testing redundancy and evaluations of performance Of course cybersecurity responsibilities are not restricted to traditional IT roles for example some operations engineers may have cybersecurity responsibilities Controlling the workforce life cycle includes personnel vetting e g background checks and assigning risk designations to positions that have access to assets needed to deliver an essential service For example system administrators who typically have the ability to change configuration settings modify or delete log files create new accounts and change Example Workforce Management Anywhere Energy Inc determines that it will invest in advanced digital technology Part of this investment will be a long-term program for workforce training and management to help personnel keep the new systems running efficiently and securely Anywhere Energy Inc finds it much harder than expected to recruit train and retain personnel with the necessary skill sets particularly personnel with cybersecurity education and experience Furthermore the organization finds that its brand of new digital technology has been compromised at another company due to poor security practices Anywhere Energy Inc analyzes this information through a risk management assessment of its systems practices and policies The organization determines that employee training is paramount to addressing system and social engineering vulnerabilities as well as insider threats to the company’s goals and objectives As a result Anywhere Energy Inc begins investing in technical and security training and certification for management and personnel to instill the awareness and skills necessary to manage and protect the company’s assets which may also contribute to the protection of interconnected critical infrastructure external to the organization 45 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 WORKFORCE MANAGEMENT passwords on critical systems are given a higher risk designation and specific measures are taken to protect these systems from accidental or malicious behavior by this category of personnel Developing the cybersecurity workforce includes training and recruiting to address identified skill gaps For example hiring practices should ensure that recruiters and interviewers are aware of cybersecurity workforce needs Also newly recruited personnel and contractors should receive security awareness training to reduce their vulnerability to social engineering and other threats Increasing the cybersecurity awareness of the workforce is as important as technological approaches for improving the cybersecurity of the organization The threat of a cyber attack to an organization often starts with gaining some foothold into a company’s IT or OT systems — for example by gaining the trust of an unwary employee or contractor who then introduces media or devices into the organization’s networks The organization should share information with its workforce on methods and techniques to identify suspicious behavior avoid spam or spear phishing and recognize social engineering attacks to avoid providing information about the organization to potential adversaries For example an internal Web site could provide information about new threats and vulnerabilities in the industry If information on threats vulnerabilities and best practices is not shared with the workforce personnel may become more lax about security processes and procedures Objectives and Practices 1 Assign Cybersecurity Responsibilities MIL1 a Cybersecurity responsibilities for the function are identified b Cybersecurity responsibilities are assigned to specific people MIL2 c Cybersecurity responsibilities are assigned to specific roles including external service providers d Cybersecurity responsibilities are documented e g in position descriptions MIL3 e Cybersecurity responsibilities and job requirements are reviewed and updated as appropriate f Cybersecurity responsibilities are included in job performance evaluation criteria g Assigned cybersecurity responsibilities are managed to ensure adequacy and redundancy of coverage 46 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 WORKFORCE MANAGEMENT 2 Control the Workforce Life Cycle MIL1 a Personnel vetting e g background checks drug tests is performed at hire for positions that have access to the assets required for delivery of the function b Personnel termination procedures address cybersecurity MIL2 c Personnel vetting is performed at an organization-defined frequency for positions that have access to the assets required for delivery of the function d Personnel transfer procedures address cybersecurity MIL3 e Risk designations are assigned to all positions that have access to the assets required for delivery of the function f Vetting is performed for all positions including employees vendors and contractors at a level commensurate with position risk designation g Succession planning is performed for personnel based on risk designation h A formal accountability process that includes disciplinary actions is implemented for personnel who fail to comply with established security policies and procedures 3 Develop Cybersecurity Workforce MIL1 a Cybersecurity training is made available to personnel with assigned cybersecurity responsibilities MIL2 b Cybersecurity knowledge skill and ability gaps are identified c Identified gaps are addressed through recruiting and or training d Cybersecurity training is provided as a prerequisite to granting access to assets that support the delivery of the function e g new personnel training personnel transfer training MIL3 e Cybersecurity workforce management objectives that support current and future operational needs are established and maintained f Recruiting and retention are aligned to support cybersecurity workforce management objectives g Training programs are aligned to support cybersecurity workforce management objectives h The effectiveness of training programs is evaluated at an organization-defined frequency and improvements are made as appropriate i Training programs include continuing education and professional development opportunities for personnel with significant cybersecurity responsibilities 4 Increase Cybersecurity Awareness MIL1 a Cybersecurity awareness activities occur MIL2 b Objectives for cybersecurity awareness activities are established and maintained c Cybersecurity awareness content is based on the organization’s threat profile TVM-1d MIL3 d Cybersecurity awareness activities are aligned with the predefined states of operation SA-3f e The effectiveness of cybersecurity awareness activities is evaluated at an organization-defined frequency and improvements are made as appropriate 47 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 WORKFORCE MANAGEMENT Note In the following practices “cybersecurity workforce management activities” refers collectively to all of the above practices in this domain 5 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for cybersecurity workforce management activities b Stakeholders for cybersecurity workforce management activities are identified and involved c Adequate resources people funding and tools are provided to support cybersecurity workforce management activities d Standards and or guidelines have been identified to inform cybersecurity workforce management activities MIL3 e Cybersecurity workforce management activities are guided by documented policies or other organizational directives f Cybersecurity workforce management policies include compliance requirements for specified standards and or guidelines g Cybersecurity workforce management activities are periodically reviewed to ensure conformance with policy h Responsibility and authority for the performance of cybersecurity workforce management activities are assigned to personnel i Personnel performing cybersecurity workforce management activities have the skills and knowledge needed to perform their assigned responsibilities 48 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 CYBERSECURITY PROGRAM MANAGEMENT 7 10 Cybersecurity Program Management Purpose Establish and maintain an enterprise cybersecurity program that provides governance strategic planning and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure A cybersecurity program is an integrated group of activities designed and managed to meet cybersecurity objectives for the organization and or the function A cybersecurity program may be implemented at either the organization or the function level but a higher level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise The Cybersecurity Program Management CPM domain comprises five objectives 1 Establish Cybersecurity Program Strategy 2 Sponsor Cybersecurity Program 3 Establish and Maintain Cybersecurity Architecture 4 Perform Secure Software Development 5 Management Activities The cybersecurity program strategy is established as the foundation for the program In its simplest form the program strategy should include a list of cybersecurity objectives and a plan to meet them At higher levels of maturity the program strategy will be more complete and include priorities a governance approach structure and organization for the program and more involvement by senior management in the design of the program Sponsorship is important for implementing the program in accordance with the strategy The fundamental form of sponsorship is to provide resources people tools and funding More advanced forms of sponsorship include visible involvement by senior leaders and designation of responsibility and authority for the program Further sponsorship includes organizational support for establishing and implementing policies or other organizational directives to guide the program Example Cybersecurity Program Management Anywhere Energy Inc decided to establish an enterprise cybersecurity program To begin Anywhere Energy has formed a board with representation from each of the functional areas This cybersecurity governance board will develop a cybersecurity strategy for the organization and recruit a new vice president of cybersecurity to implement a program based on the strategy The vice president will also report to the board of directors and will work across the enterprise to engage business and technical management and personnel to address cybersecurity The new vice president’s first action will be to expand and document the cybersecurity strategy for Anywhere Energy Inc ensuring that it remains aligned to the organization’s business strategy and addresses its risk to critical infrastructure Once the strategy is approved by the board the new vice president will begin implementing the program by reorganizing of some existing compartmentalized cybersecurity teams and recruiting additional team members to address skill gaps in the organization The head of customer service and vice president of accounting will depend on the new program to address both immediate and collateral damage from potential incidents and the public relations issues that would follow The head of IT and the vice president for engineering will expect guidance on systems development and methods to mitigate risks 49 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 CYBERSECURITY PROGRAM MANAGEMENT A cybersecurity architecture is an integral part of the enterprise architecture It describes the structure and behavior of an enterprise’s security processes cybersecurity systems personnel and subordinate organizations and aligns them with the organization’s mission and strategic plans An important element of the cybersecurity architecture is effective isolation of IT systems from OT systems Performing and requiring secure software development for assets that are important to the delivery of the function is important to help reduce vulnerability-inducing software defects Objectives and Practices 1 Establish Cybersecurity Program Strategy MIL1 a The organization has a cybersecurity program strategy MIL2 b The cybersecurity program strategy defines objectives for the organization’s cybersecurity activities c The cybersecurity program strategy and priorities are documented and aligned with the organization’s strategic objectives and risk to critical infrastructure d The cybersecurity program strategy defines the organization’s approach to provide program oversight and governance for cybersecurity activities e The cybersecurity program strategy defines the structure and organization of the cybersecurity program f The cybersecurity program strategy is approved by senior management MIL3 g The cybersecurity program strategy is updated to reflect business changes changes in the operating environment and changes in the threat profile TVM-1d 2 Sponsor Cybersecurity Program MIL1 a Resources people tools and funding are provided to support the cybersecurity program b Senior management provides sponsorship for the cybersecurity program MIL2 c The cybersecurity program is established according to the cybersecurity program strategy d Adequate funding and other resources i e people and tools are provided to establish and operate a cybersecurity program aligned with the program strategy e Senior management sponsorship for the cybersecurity program is visible and active e g the importance and value of cybersecurity activities is regularly communicated by senior management f If the organization develops or procures software secure software development practices are sponsored as an element of the cybersecurity program g The development and maintenance of cybersecurity policies is sponsored h Responsibility for the cybersecurity program is assigned to a role with requisite authority MIL3 i The performance of the cybersecurity program is monitored to ensure it aligns with the cybersecurity program strategy j The cybersecurity program is independently reviewed i e by reviewers who are not in the program for achievement of cybersecurity program objectives k The cybersecurity program addresses and enables the achievement of regulatory compliance as appropriate l The cybersecurity program monitors and or participates in selected industry cybersecurity standards or initiatives 50 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 CYBERSECURITY PROGRAM MANAGEMENT 3 Establish and Maintain Cybersecurity Architecture MIL1 a A strategy to architecturally isolate the organization’s IT systems from OT systems is implemented MIL2 b A cybersecurity architecture is in place to enable segmentation isolation and other requirements that support the cybersecurity strategy c Architectural segmentation and isolation is maintained according to a documented plan MIL3 d Cybersecurity architecture is updated at an organization-defined frequency to keep it current 4 Perform Secure Software Development MIL1 No practice at MIL1 MIL2 a Software to be deployed on assets that are important to the delivery of the function is developed using secure software development practices MIL3 b Policies require that software that is to be deployed on assets that are important to the delivery of the function be developed using secure software development practices 5 Management Activities MIL1 No practice at MIL1 MIL2 a Documented practices are followed for cybersecurity program management activities b Stakeholders for cybersecurity program management activities are identified and involved c Standards and or guidelines have been identified to inform cybersecurity program management activities MIL3 d Cybersecurity program management activities are guided by documented policies or other organizational directives e Cybersecurity program management activities are periodically reviewed to ensure conformance with policy f Personnel performing cybersecurity program management activities have the skills and knowledge needed to perform their assigned responsibilities Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES 51 APPENDIX A REFERENCES The ONG-C2M2 was derived from the ES-C2M2 The DOE acknowledges the electricity subsector standards guidelines white papers and frameworks that informed the development of the first iteration of the model The reference table below shows general references that were either used in the development of this document or may serve as a source for further information regarding the practices identified within the model References that informed the document more broadly have no marker in any of the right-hand columns that represent mapping to the model domains References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary ACC Chemical Cyber Security American Chemical Council 2009 Guidance document Guidance for addressing cyber security in the chemical industry Retrieved from http responsiblecare americanchemistry com Responsible-Care Program-Elements Responsible-Care-Security-Code PDF-Responsible Care-Security-Code pdf • • • • • • • • • AGA Report 12 American Gas Association 2006 AGA Report No 12 Cryptographic protection of SCADA communications Part 1 Background--Policies and test plan Retrieved from http www scadahacker com library Documents Standards AGA%20- %20Cryptographic%20Protection%20of%20SCADA%20Communications %20-%2012%20Part1 pdf • • • • • • API SGPI American Petroleum Institute 2005 Security guidelines for the petroleum industry 3rd ed Retrieved from http www nj gov dep rpp brp security downloads API%20Security%20G uidance%203rd%20Edition pdf • • • • • • • • API 1164 American Petroleum Institute 2009 Pipeline SCADA security API Standard 1164 • • • • • • • • • • API NPRA Vulnerability Assessment American Petroleum Institute National Petrochemical Refiners Association 2004 Security vulnerability assessment methodology for the petroleum and petrochemical industries 2nd ed Retrieved from http www api org policy otherissues upload sva_e2 pdf • • • • 52 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary API Offshore O G Security American Petroleum Institute 2003 reaffirmed 2010 Security for offshore oil and natural gas operations API Recommended Practice 70 1st ed • • • • • • • API Recommended Practice 70I American Petroleum Institute 2004 Security for worldwide offshore oil and natural gas operations API Recommended Practice 70I 1st ed • • • • • • • API Third Party Network American Petroleum Institute 2007 Standard for third party network connectivity • • • • • • CERT CSIRTs West Brown M Stikvoort D Kossakowski K Killcrece G Ruefle R Zajicek Mark 2003 Handbook for computer security incident response teams CSIRTs CMU SEI-2003-HB-002 Retrieved from Software Engineering Institute Carnegie Mellon University website http www sei cmu edu library abstracts reports 03hb002 cfm • CERT CSIRT FAQs Software Engineering Institute Carnegie Mellon University 2012 CSIRT FAQ Retrieved from http www cert org csirts csirt_faq html • • • CERT RMM Caralli R A Allen J H White D W 2011 CERT resilience management model A maturity model for managing operational resilience CERT-RMM Version 1 1 Boston MA Addison-Wesley • • • • • • • • • • • CERT SGMM The SGMM Team 2011 version 1 2 Smart grid maturity model Model definition CMU SEI-2011-TR-025 Retrieved from Software Engineering Institute Carnegie Mellon University website http www sei cmu edu reports 11tr025 pdf • • • • • • • CERT State of the Practice of CSIRTs Killcrece G Kossakowski K Ruefle R Zajicek M 2003 State of the practice of computer security incident response teams CSIRTs CMU SEI-2003-TR-001 Retrieved from Software Engineering Institute Carnegie Mellon University website http www cert org archive pdf 03tr001 pdf • CNSSI 4009 Committee on National Security Systems 2010 National information assurance IA glossary CNSS Instructions No 4009 Retrieved from https www cnss gov CNSS issuances Instructions cfm • • • DHS Cross-Sector Roadmap Industrial Control Systems Joint Working Group 2011 revision 3 0 Cross-sector roadmap for cybersecurity of control systems United States Computer Emergency Readiness Team • • • 53 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary DHS ICS-CERT Department of Homeland Security 2012 May Industrial Control Systems Cyber Emergency Response Team Retrieved from http www us-cert gov control_systems ics-cert • • DHS ICSJWG Department of Homeland Security 2012 May Industrial Control Systems Joint Working Group May 2012 http www us-cert gov control_ systems icsjwg • • DHS PCII Department of Homeland Security 2012 May Who can access Protected Critical Infrastructure Information PCII Retrieved from http www dhs gov files programs gc_1193089801658 shtm • • DHS Procurement U S Department of Homeland Security Control Systems Security Program National Cyber Security Division 2009 U S Department of Homeland Security Cyber security procurement language for control systems • • DHS Recommendations for Standards U S Department of Homeland Security National Cyber Security Division Control Systems Security Program 2011 Catalog of control systems security Recommendations for standards developers Retrieved from http ics-cert us cert gov sites default files documents CatalogofRecommendationsVer7 pdf • • • • • • • • • • DOE 21 Steps to Improve Cyber Security of SCADA Networks U S Department of Energy and the President’s Critical Infrastructure Protection Board n d 21 Steps to improve cyber security of SCADA networks http energy gov sites prod files oeprod DocumentsandMedia 21_Steps_ -_SCADA pdf • • • • DOE Roadmap to Achieve Energy Delivery Systems Cybersecurity Energy Sector Control Systems Working Group 2011 Roadmap to achieve energy delivery systems cybersecurity Retrieved from Department of Energy website http energy gov sites prod files Energy%20Delivery%20Systems%20Cy bersecurity%20Roadmap_finalweb pdf • • • • • • EIA Glossary U S Energy Information Administration n d Glossary Retrieved from http www eia gov tools glossary • 54 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary EOPUS Policy Framework Executive Office of the President of the United States 2011 A policy framework for the 21st Century grid Enabling our secure energy future Retrieved from http www whitehouse gov sites default files microsites ostp nstc-smart grid-june2011 pdf ES-SPP U S Department of Homeland Security and U S Department of Energy 2010 Energy sector-specific plan An annex to the national infrastructure protection plan Retrived from http www dhs gov xlibrary assets nipp-ssp-energy-2010 pdf • • • • • • FIRST Forum of Incident Response and Security Teams FIRST 2012 CSIRT case classification Example for enterprise CSIRT Retrieved from http www first org _assets resources guides csirt_case_classification html • • • HSPD-7 U S Department of Homeland Security n d Homeland Security Presidential Directive – 7 Retrieved from http www dhs gov homeland security-presidential-directive-7#1 • • • IACCM BRM3 International Association for Contract Commercial Management IACCM 2003 The IACCM business risk management maturity model BRM3 • • ISA 99 International Society of Automation ISA 2009 Industrial automation and control systems security Establishing an industrial automation and control systems security program ANSI ISA-99 02 01-2009 ISACs National Council of Information Sharing and Analysis Centers ISACs 2012 Home page Retrieved from http www isaccouncil org • • • • ISO 27005 2011 International Organization for Standardization 2011 Information security risk management ISO 27005 2011 • • ISO 28001 2007 International Organization for Standardization n d Security management systems for the supply chain - Best practices for implementing supply chain security assessments and plans - Requirements and guidance ISO IEC20001 2007 • • 55 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary ISO IEC 21827 2008 International Organization for Standardization 2008 Systems Security Engineering – Capability Maturity Model SSE-CMM ISO IEC 21827 2008 • • • • ISO IEC 27001 2005 International Organization for Standardization 2008 Information security management systems ISO IEC CD 27001 2005 • • • • • • • ISO IEC 27002 2005 International Organization for Standardization 2008 Code of practice for information security management ISO IEC27002 2005 • • • • • • • ISO IEC 2 2004 International Organization for Standardization 2004 Standardization and related activities -- General vocabulary ISO IEC 2 2004 • MIT SCMM Rice Jr J B Tenney W 2007 How risk management can secure your business future Massachusetts Institute of Technology Supply Chain Strategy 3 5 1-4 Retrieved from http web mit edu scresponse repository rice_tenney_SCS_RMM_june july_2007 pdf • NASA RMMM National Aeronautics and Space Administration 2005 NASA RMC VI Continuous Risk Management Maturity Assessment pp 5-7 Retrieved from http www rmc nasa gov presentations Powell_CRM_Maturity_Assessm ent pdf • • National Strategy to Secure Cyberspace The White House 2003 The national strategy to secure cyberspace Retrieved from https www us cert gov sites default files publications cyberspace_strategy pdf • • • • • • • • NDIA ESA National Defense Industrial Association System Assurance Committee 2008 version 1 0 Engineering for System Assurance • • • NIPP U S Department of Homeland Security 2009 National infrastructure protection plan Partnering to enhance protection and resiliency Retrieved from http www dhs gov xlibrary assets NIPP_Plan pdf • • • • • • • • • • NIST Framework National Institute of Standards and Technology 2012 NIST framework and roadmap for smart grid interoperability standards Release 2 0 Retrieved from http www nist gov smartgrid upload NIST_Framework_Release_2- 0_corr pdf 56 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary NISTIR 7622 Swanson M Bartol N Moorthy R 2010 Piloting supply chain risk management for federal information systems Draft NISTIR 7622 National Institute of Standards and Technology Retrieved from http csrc nist gov publications drafts nistir-7622 draft-nistir-7622 pdf • • NISTIR 7628 Vol 1 The Smart Grid Interoperability Panel – Cyber Security Working Group 2010 Guidelines for smart grid cyber security Vol 1 smart grid cyber security strategy architecture and high-level requirements NISITIR 7628 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistir ir7628 nistir-7628_vol1 pdf • • • • NISTIR 7628 Vol 3 The Smart Grid Interoperability Panel – Cyber Security Working Group 2010 Guidelines for smart grid cyber security Vol 3 Supportive analyses and references NISITIR 7628 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistir ir7628 nistir-7628_vol3 pdf • • • • NIST NVD National Institute of Standards and Technology 2012 National vulnerability database Retrieved from http nvd nist gov cvss cfm • • • • • NIST Security Considerations in SDLC Radack S 2008 Security considerations in the information system development life cycle National Institute of Standards and Technology Retrieved from http www itl nist gov lab bulletns bltndec03 htm • • NIST SP 800-16 Wilson M Stine K Bowen P 2009 Information security training requirements A role- and performance-based model NIST Special Publication 800-16 revision 1 0 National Institute of Standards and Technology Retrieved from http csrc nist gov publications drafts 800- 16-rev1 draft_sp800_16_rev1_2nd-draft pdf • • NIST SP 800-37 National Institute of Standards and Technology Joint Task Force Transformation Initiative 2010 Guide for applying the risk management framework to federal information systems NIST Special Publication 800- 37 Retrieved from http csrc nist gov publications nistpubs 800-37- rev1 sp800-37-rev1-final pdf • • • • • NIST SP 800-40 Mell P Bergeron T Henning D 2005 Creating a patch management and vulnerability management program NIST Special Publication 800-40 version 2 0 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistpubs 800- 40-Ver2 SP800-40v2 pdf • • 57 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary NIST SP 800-50 Wilson M Hash J 2003 Building an information technology security awareness and training program NIST Special Publication 800- 50 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistpubs 800-50 NIST-SP800-50 pdf • NIST SP 800-53 National Institute of Standards and Technology Joint Task Force Transformation Initiative 2009 Recommended security controls for federal information systems and organizations NIST Special Publication 800-53 revision 3 Retrieved from http csrc nist gov publications nistpubs 800-53-Rev3 sp800-53-rev3- final_updated-errata_05-01-2010 pdf • • • • • • • • NIST SP 800-61 Scarfone K Grance T Masone K 2008 Computer security incident handling guide NIST Special Publication 800-61 revision 1 National Institute of Standards and Technology Retrieved from http nvlpubs nist gov nistpubs SpecialPublications NIST SP 800- 61r2 pdf • • NIST SP 800-64 Kissel R Stine K Scholl M Rossman H Fahlsing J Gulick Jessica 2008 Security considerations in the system development life cycle NIST Special Publication 800-64 revision 2 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistpubs 800-64-Rev2 SP800-64- Revision2 pdf • • • NIST SP 800-82 Stouffer K Falco J Scarfone K 2011 Guide to industrial control systems ICS security NIST Special Publication 800-82 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistpubs 800-82 SP800-82-final pdf • NIST SP 800-83 Mell P Kent K Nusbaum J 2005 Guide to malware incident prevention and handling NIST Special Publication 800-83 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistpubs 800-83 SP800-83 pdf • NIST SP 800-128 National Institute of Standards and Technology 2011 Guide for security-focused configuration management of information systems Special Publication 800-128 Retrieved from http csrc nist gov publications nistpubs 800-128 sp800-128 pdf • • 58 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary NIST SP 800-137 Dempsey K Chawla N S Johnson A Johnston R Jones A C Orebaugh A Stine K 2011 Information security continuous monitoring ISCM for federal information systems and organizations NIST Special Publication 800-137 National Institute of Standards and Technology Retrieved from http csrc nist gov publications nistpubs 800- 137 SP800-137-Final pdf • • • • NIST SP 800-36 National Institute of Standards and Technology 2003 Guide to selecting information technology security products SP 800-36 Retrieved from http csrc nist gov publications nistpubs 800-36 NIST SP800-36 pdf • • • • • NIST SP 800-48 National Institute of Standards and Technology 2008 Guide to securing legacy IEEE 802 11 wireless networks SP 800-48 Rev 1 Retrieved from http csrc nist gov publications nistpubs 800-48- rev1 SP800-48r1 pdf • • • • NIST SP 800-52 National Institute of Standards and Technology 2005 Guidelines for the selection and use of transport layer security TLS implementations SP 800-52 Retrieved from http www hhs gov ocr privacy hipaa administrative securityrule nist8005 2 pdf • • • • NIST SP 800-63 National Institute of Standards and Technology 2013 Electronic authentication guideline SP 800-63-2 Retrieved from http nvlpubs nist gov nistpubs SpecialPublications NIST SP 800-63-2 pdf • • • NIST SP 800-73-3 National Institute of Standards and Technology 2010 Interfaces for personal identity verification SP 800-73-3 Retrieved from http csrc nist gov publications nistpubs 800-73-3 sp800-73- 3_PART1_piv-card-applic-namespace-date-model-rep pdf • • NIST SP 800-76-1 National Institute of Standards and Technology 2007 Biometric data specification for personal identity verification SP 800-76-1 Retrieved from http csrc nist gov publications nistpubs 800-76-1 SP800-76- 1_012407 pdf • • NIST SP 800-82 National Institute of Standards and Technology 2011 Guide to industrial control systems ICS security SP 800-82 Retrieved from http csrc nist gov publications nistpubs 800-82 SP800-82-final pdf • • • • • • • • • • 59 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES References RM ACM IAM TVM SA ISC IR EDM WM CPM Glossary NIST SP 800-86 National Institute of Standards and Technology 2006 Guide to integrating forensic techniques into incident response SP 800-86 • • • • • NIST SP 800-97 National Institute of Standards and Technology 2007 Establishing wireless robust security networks A guide to IEEE 802 11i SP800-97 Retrieved from http csrc nist gov publications nistpubs 800-97 SP800- 97 pdf • OECD Reducing Systemic Cybersecurity Risk Sommer P Brown I 2011 Reducing systemic cybersecurity risk Organisation for Economic Co-operation and Development Retrieved from http www oecd org dataoecd 57 44 46889922 pdf • • SCADA AU RMF IT Security Expert Advisory Group 2012 Generic SCADA risk management framework for Australian critical infrastructure Retrieved from http www tisn gov au Documents SCADA-Generic-Risk Management-Framework pdf • • SEI CMM Paulk M Weber C Garcia S Chrissis M B Bush M 1993 Key practices of the capability maturity model Version 1 1 Technical Report CMU SEI-93-TR-25 Software Engineering Institute Carnegie Mellon University Retrieved from http www sei cmu edu reports 93tr025 pdf • • Situation Awareness in Dynamic Systems Endsley M 1995 Toward a theory of situation awareness in dynamic systems Human Factors pp 32-64 • • • Supply Chain Risk Management Awareness Filsinger J Fast B Wolf D G Payne J F X Anderson M 2012 Supply chain risk management awareness Armed Forces Communication and Electronics Association Cyber Committee Retrieved from http www afcea org committees cyber documents Supplychain pdf • • • • TSA Pipeline Security U S Department of Homeland Security Transportation Security Administration 2011 Pipeline security guidelines Retrieved from http www tsa gov sites default files assets pdf Intermodal tsa_pipeline_s ec_guideline_april2011 pdf • • • • • • • • WH Trusted Identities in Cyberspace The White House National strategy for trusted identities in cyberspace 2011 Retrieved from http www whitehouse gov sites default files rss_viewer NSTICstrategy_ 041511 pdf • • 60 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 REFERENCES 61 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY APPENDIX B GLOSSARY Term Definition Source access Ability and means to enter a facility to communicate with or otherwise interact with a system to use system resources to handle information to gain knowledge of the information the system contains or to control system components and functions Adapted from CNSSI 4009 access control Limiting access to organizational assets only to authorized entities e g users programs processes or other systems See asset Adapted from CNSSI 4009 access management Management processes to ensure that access granted to the organization’s assets is commensurate with the risk to critical infrastructure and organizational objectives See access control and asset Adapted from CERT RMM ad hoc In the context of this model ad hoc i e an ad hoc practice refers to performing a practice in a manner that depends largely on the initiative and experience of an individual or team and team leadership without much in the way of organizational guidance in the form of a prescribed plan verbal or written policy or training The methods tools and techniques used the priority given a particular instance of the practice and the quality of the outcome may vary significantly depending on who is performing the practice when it is performed and the context of the problem being addressed With experienced and talented personnel high-quality outcomes may be achieved even though practices are ad hoc However because lessons learned are typically not captured at the organizational level approaches and outcomes are difficult to repeat or improve across the organization ONG-C2M2 anomalous anomaly Inconsistent with or deviating from what is usual normal or expected Merriam Webster com architecture See cybersecurity architecture assessment See risk assessment asset Something of value to the organization Assets include many things including technology information roles performed by personnel and facilities For the purposes of this model assets to be considered are IT and OT hardware and software assets as well as information essential to operating the function asset change and configuration management ACM The ONG-C2M2 domain with the purpose to manage the organization’s OT and IT assets including both hardware and software commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 asset owner A person or organizational unit internal or external to the organization that has primary responsibility for the viability productivity and resilience of an organizational asset CERT RMM authentication Verifying the identity of a user process or device often as a prerequisite to allowing access to resources in an IT or ICS DOE RMP authenticator The means used to confirm the identity of a user processor or device e g user password or token NIST 800-53 62 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source availability Ensuring timely and reliable access to and use of information For an asset the quality of being accessible to authorized users people processes or devices whenever it is needed DOE RMP CERT RMM business impact analysis A mission impact analysis that prioritizes the impact associated with the compromise of an organization’s information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets Adapted from NIST SP800-30 change control change management A continuous process of controlling changes to information or technology assets related infrastructure or any aspect of services enabling approved changes with minimum disruption CERT RMM common operating picture Activities and technologies to collect analyze alarm present and use cybersecurity information including status and summary information from the other model domains ONG-C2M2 computer security incident A computer security incident is a violation or imminent threat of violation of computer security policies acceptable use policies or standard security practices An ―imminent threat of violation‖ refers to a situation in which the organization has a factual basis for believing that a specific incident is about to occur For example the antivirus software maintainers may receive a bulletin from the software vendor warning them of new malware that is rapidly spreading across the Internet Also see incident NIST 800-61 computer security incident confidentiality The preservation of authorized restrictions on information access and disclosure including means for protecting personal privacy and proprietary information For an information asset confidentiality is the quality of being accessible only to authorized people processes and devices DOE RMP Adapted from CERT RMM configuration baseline A documented set of specifications for an IT or OT system or asset or a configuration item within a system that has been formally reviewed and agreed upon at a given point in time and which should be changed only through change control procedures The baseline configuration is used as a basis for future builds releases and or changes Adapted from NIST 800-53 Glossary configuration management A collection of activities focused on establishing and maintaining the integrity of assets through control of the processes for initializing changing and monitoring the configurations of those assets throughout their life cycle NIST SP 800- 128 contingency plan Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability The contingency plan is the first plan used by the enterprise risk managers to determine what happened why and what to do It may point to the continuity of operations plan or disaster recovery plan for major disruptions CNSSI 4009 continuous monitoring Maintaining ongoing awareness of the current cybersecurity state of the function throughout the operational environment by collecting analyzing alarming presenting and using OT system and cybersecurity information to identify anomalous activities vulnerabilities and threats to the function in order to support incident response and organizational risk management decisions Adapted from NIST 800-137 controls The management operational and technical methods policies and procedures—manual or automated— i e safeguards or countermeasures prescribed for an IT and ICS to protect the confidentiality integrity and availability of the system and its information DOE RMP 63 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source critical infrastructure Assets that provide the essential services that underpin American society The Nation possesses numerous key resources whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction or could profoundly affect our national prestige and morale In addition there is critical infrastructure so vital that its incapacitation exploitation or destruction through terrorist attack could have a debilitating effect on security and economic well-being HSPD-7 current Updated at an organization-defined frequency e g as in the asset inventory is kept ―current‖ that is selected such that the risks to critical infrastructure and organization objectives associated with being out-of-date by the maximum interval between updates are acceptable to the organization and its stakeholders ONG-C2M2 cyber attack An attack via cyberspace targeting an enterprise’s use of cyberspace for the purpose of disrupting disabling destroying or maliciously controlling a computing environment infrastructure or for destroying the integrity of the data or stealing controlled information DOE RMP cybersecurity The ability to protect or defend the use of cyberspace from cyber attacks Measures taken to protect a computer or computerized system IT and OT against unauthorized access or attack DOE RMP and Merriam Webster com cybersecurity architecture An integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes cybersecurity systems personnel and subordinate organizations showing their alignment with the organization’s mission and strategic plans See enterprise architecture and network architecture DOE RMP cybersecurity event Any observable occurrence in a system or network that is related to a cybersecurity requirement confidentiality integrity or availability See also event ONG-C2M2 cybersecurity impact The effect on the measures that are in place to protect from and defend against cyber attack ONG-C2M2 cybersecurity incident See incident cybersecurity incident life cycle See incident life cycle cybersecurity plan Formal document that provides an overview of the cybersecurity requirements for an IT and ICS and describes the cybersecurity controls in place or planned for meeting those requirements DOE RMP cybersecurity policy A set of criteria for the provision of security services DOE RMP cybersecurity program A cybersecurity program is an integrated group of activities designed and managed to meet cybersecurity objectives for the organization and or the function A cybersecurity program may be implemented at either the organization or the function level but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise ONG-C2M2 64 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source cybersecurity program management CPM The ONG-C2M2 domain with the purpose to establish and maintain an enterprise cybersecurity program that provides governance strategic planning and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure ONG-C2M2 cybersecurity program strategy A plan of action designed to achieve the performance targets that the organization sets to accomplish its mission vision values and purpose for the cybersecurity program CERT RMM cybersecurity requirements Requirements levied on an IT and OT that are derived from organizational mission and business case needs in the context of applicable legislation Executive Orders directives policies standards instructions regulations procedures to ensure the confidentiality integrity and availability of the services being provided by the organization and the information being processed stored or transmitted Adapted from DOE RMP cybersecurity responsibilities Obligations for ensuring the organization’s cybersecurity requirements are met ONG-C2M2 cybersecurity risk The risk to organizational operations including mission functions image reputation resources and other organizations due to the potential for unauthorized access use disclosure disruption modification or destruction of information and or IT and ICS See risk DOE RMP cybersecurity workforce management objectives Performance targets for personnel with cybersecurity responsibilities that the organization sets to meet cybersecurity requirements Adapted from CERT RMM defined practice A practice that is planned i e described explained made definite and clear and standardized and is executed in accordance with the plan Adapted from CERT RMM dependency risk Dependency risk is measured by the likelihood and severity of damage if an IT or OT system is compromised due to a supplier or other external party on which delivery of the function depends Evaluating dependency risk includes an assessment of the importance of the potentially compromised system and the impact of compromise on organizational operations and assets individuals other organizations and the Nation See upstream dependencies and supply chain risk Adapted from NIST 7622 pg 10 deprovisioning The process of revoking or removing an identity’s access to organizational assets See also provisioning CERT RMM domain In the context of the model structure a domain is a logical grouping of cybersecurity practices ONG-C2M2 domain objectives The practices within each domain are organized into objectives The objectives represent achievements that support the domain such as ―Manage Asset Configuration‖ for the ASSET domain and ―Increase Cybersecurity Awareness‖ for the WORKFORCE domain Each of the objectives in a domain comprises a set of practices which are ordered by maturity indicator level ONG-C2M2 65 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source downstream activities Business process most commonly used in the petroleum industry to describe postproduction processes e g refining transportation and marketing of petroleum products API STD 689 Collection and Exchange of Reliability and Maintenance Data for Equipment First Edition July 2007 downstream dependencies External parties dependent on the delivery of the function such as customers and some operating partners ONG-C2M2 electricity subsector A portion of the energy sector that includes the generation transmission and distribution of electricity ES-SPP enterprise The largest i e highest-level organizational entity to which the organization participating in the ONG-C2M2 survey belongs For some participants the organization taking the survey is the enterprise itself See organization Adapted from SGMM v1 1 Glossary enterprise architecture The design and description of an enterprise’s entire set of IT and OT how they are configured how they are integrated how they interface to the external environment at the enterprise’s boundary how they are operated to support the enterprise mission and how they contribute to the enterprise’s overall security posture See cybersecurity architecture and network architecture DOE RMP but changed ICS to OT entity Something having separate or distinct existence Merriam Webster com establish and maintain The development and maintenance of the object of the practice such as a program For example ―Establish and maintain identities‖ means that not only must identities be provisioned but they also must be documented have assigned ownership and be maintained relative to corrective actions changes in requirements or improvements CERT RMM event Any observable occurrence in a system or network Depending on their potential impact some events need to be escalated for response To ensure consistency criteria for response should align with the organization’s risk criteria NIST 800-61 event and incident response continuity of operations IR The ONG-C2M2 domain with the purpose to establish and maintain plans procedures and technologies to detect analyze and respond to cybersecurity events and to sustain operations throughout a cybersecurity event commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 function A subset of the operations of the organization that are being evaluated based on the C2M2 model ONG-C2M2 governance An organizational process of providing strategic direction for the organization while ensuring that it meets its obligations appropriately manages risk and efficiently uses financial and human resources Governance also typically includes the concepts of sponsorship setting the managerial tone compliance ensuring that the organization is meeting its compliance obligations and alignment ensuring that processes such as those for cybersecurity program management align with strategic objectives Adapted from CERT RMM 66 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source guidelines A set of recommended practices produced by a recognized authoritative source representing subject matter experts and community consensus or internally by an organization See standard ONG-C2M2 identity The set of attribute values i e characteristics by which an entity is recognizable and that within the scope of an identity manager’s responsibility is sufficient to distinguish that entity from any other entity CNSSI 4009 identity and access management IAM The ONG-C2M2 domain with the purpose to create and manage identities for entities that may be granted logical or physical access to the organization’s assets Control access to the organization’s assets commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 impact Negative consequence to subsector functions ONG-C2M2 incident An event or series of events that significantly affects or has the potential to significantly affect critical infrastructure and or organizational assets and services and requires the organization and possibly other stakeholders to respond in some way to prevent or limit adverse impacts See also computer security incident and event Adapted from CERT RMM incident life cycle The stages of an incident from detection to closure Collectively the incident lifecyle includes the processes of detecting reporting logging triaging declaring tracking documenting handling coordinating escalating and notifying gathering and preserving evidence and closing incidents Escalated events also follow the incident life cycle even if they are never formally declared to be incidents Adapted from CERT RMM information assets Information or data that is of value to the organization including diverse information such as operational data intellectual property customer information and contracts Adapted from CERT RMM information sharing See Information Sharing and Communications ISC information sharing and analysis center ISAC An Information Sharing and Analysis Center ISAC shares critical information with industry participants on infrastructure protection Each critical infrastructure industry has established an ISAC to communicate with its members its government partners and other ISACs about threat indications vulnerabilities and protective strategies ISACs work together to better understand cross-industry dependencies and to account for them in emergency response planning Adapted from Electricity Sector Information Sharing and Analysis Center website home page information sharing and communications ISC The ONG-C2M2 domain with the purpose to establish and maintain relationships with internal and external entities to collect and provide cybersecurity information including threats and vulnerabilities to reduce risks and to increase operational resilience commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 information technology IT A discrete set of electronic information resources organized for the collection processing maintenance use sharing dissemination or disposition of information In the context of this publication the definition includes interconnected or dependent business systems and the environment in which they operate DOE RMP 67 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source institutionalization The extent to which a practice or activity is ingrained into the way an organization operates The more an activity becomes part of how an organization operates the more likely it is that the activity will continue to be performed over time with a consistently high level of quality ―Incorporated into the ingrained way of doing business that an organization follows routinely as part of its corporate culture ‖ – CERT RMM See also maturity indicator level ONG-C2M2 integrity Guarding against improper information modification or destruction Integrity includes ensuring information nonrepudiation and authenticity For an asset integrity is the quality of being in the condition intended by the owner and therefore continuing to be useful for the purposes intended by the owner DOE RMP CERT RMM least privilege A security control that addresses the potential for abuse of authorized privileges The organization employs the concept of least privilege by allowing only authorized access for users and processes acting on behalf of users who require it to accomplish assigned tasks in accordance with organizational missions and business functions Organizations employ the concept of least privilege for specific duties and systems including specific functions ports protocols and services The concept of least privilege is also applied to information system processes ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and or functions Organizations consider the creation of additional processes roles and information system accounts as necessary to achieving least privilege Organizations also apply least privilege concepts to the design development implementation and operations of IT and OT systems Adapted from NIST 800-53 logging Logging typically refers to automated recordkeeping by elements of an IT or OT system of system network or user activity Logging may also refer to keeping a manual record e g a sign-in sheet of physical access by personnel to a protected asset or restricted area although automated logging of physical access activity is commonplace Regular review and audit of logs manually or by automated tools is a critical monitoring activity that is essential for situational awareness e g through the detection of cybersecurity events or weaknesses ONG-C2M2 logical control A software firmware or hardware feature i e computational logic not a physical obstacle within an IT or OT system that restricts access to and modification of assets only to authorized entities For contrast see physical control Adapted from CNSSI 4009 definition of ―internal security controls‖ maturity The extent to which an organization has implemented and institutionalized the cybersecurity practices of the model ONG-C2M2 68 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source maturity indicator level MIL A measure of the cybersecurity maturity of an organization in a given domain of the model The model currently defines four maturity indicator levels MILs and holds a fifth level in reserve for use in future versions of the model Each of the four defined levels is designated by a number 0 through 3 and a name for example ―MIL3 managed ‖ A MIL is a measure of the progression within a domain from individual and team initiative as a basis for carrying out cybersecurity practices to organizational policies and procedures that institutionalize those practices making them repeatable with a consistently high level of quality As an organization progresses from one MIL to the next the organization will have more complete or more advanced implementations of the core activities in the domain ONG-C2M2 midstream activities Business category involving the processing storage and transportation sectors of the petroleum industry API STD 689 Collection and Exchange of Reliability and Maintenance Data for Equipment First Edition July 2007 monitoring Collecting recording and distributing information about the behavior and activities of systems and persons to support the continuous process of identifying and analyzing risks to organizational assets and critical infrastructure that could adversely affect the operation and delivery of services Adapted from CERT RMM monitoring and risk management monitoring requirements The requirements established to determine the information gathering and distribution needs of stakeholders CERT RMM multifactor authentication Authentication using two or more factors to achieve authentication Factors include i something you know e g password PIN ii something you have e g cryptographic identification device token iii something you are e g biometric or iv you are where you say you are e g GPS token See authentication Adapted from NIST 800-53 network architecture A framework that describes the structure and behavior of communications among IT and or OT assets and prescribes rules for interaction and interconnection See enterprise architecture and cybersecurity architecture Adapted from CNSSI 4009 IA architecture objective s See domain objectives and organizational objectives 69 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source operating picture Real-time or near-real-time awareness of the operating state of a system or function An operating picture is formed from data collected from various trusted information sources that may be internal or external to the system or function e g temperature weather events and warnings cybersecurity alerts The operating picture may or may not be presented graphically It involves the collection analysis including fusion and distribution of what is important to know to make decisions about the operation of the system A common operating picture COP is a single operating picture that is available to the stakeholders of the system or function so that all stakeholders can make decisions based on the same reported operating state See common operating picture ONG-C2M2 operational resilience The organization’s ability to adapt to risk that affects its core operational capacities Operational resilience is an emergent property of effective operational risk management supported and enabled by activities such as security and business continuity A subset of enterprise resilience operational resilience focuses on the organization’s ability to manage operational risk whereas enterprise resilience encompasses additional areas of risk such as business risk and credit risk See the related term operational risk CERT RMM operating states See pre-defined states of operation ONG-C2M2 operational risk The potential impact on assets and their related services that could result from inadequate or failed internal processes failures of systems or technology the deliberate or inadvertent actions of people or external events In the context of this model our focus is on operational risk from cybersecurity threats Adapted from CERT RMM operations technology OT Programmable systems or devices that interact with the physical environment or manage devices that interact with the physical environment Examples include industrial control systems building management systems fire control systems and physical access control mechanisms ONG-C2M2 organization An organization of any size complexity or positioning within an organizational structure that is charged with carrying out assigned mission and business processes and that uses IT and OT in support of those processes In the context of the model the organization is the entity using the model or that is under examination Adapted from DOE RMP organizational objectives Performance targets set by an organization See strategic objectives Adapted from CERT RMM periodic review activity A review or activity that occurs at specified regular time intervals where the organization-defined frequency is commensurate with risks to organizational objectives and critical infrastructure Adapted from SEI CMM Glossary personal information Information that reveals details either explicitly or implicitly about a specific individual’s household dwelling or other type of premises This is expanded beyond the normal individual component because there are serious privacy impacts for all individuals living in one dwelling or premise This can include items such as energy use patterns or other types of activities The pattern can become unique to a household or premises just as a fingerprint or DNA is unique to an individual NISTIR 7628 Vol 3 Glossary 70 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source physical control A type of control that prevents physical access to and modification of information assets or physical access to technology and facilities Physical controls often include such artifacts as card readers and physical barrier methods CERT RMM plan A detailed formulation of a program of action Merriam Webster com policy A high-level overall plan embracing the general goals and acceptable procedures of an organization Merriam Webster com position description A set of responsibilities that describe a role or roles filled by an employee Also known as a job description ONG-C2M2 practice An activity described in the model that can be performed by an organization to support a domain objective The purpose of these activities is to achieve and sustain an appropriate level of cybersecurity for the function commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 pre-defined states of operation Distinct operating modes which typically include specific IT and OT configurations as well as alternate or modified procedures that have been designed and implemented for the function and can be invoked by a manual or automated process in response to an event a changing risk environment or other sensory and awareness data to provide greater safety resiliency reliability and or cybersecurity For example a shift from the normal state of operation to a high-security operating mode may be invoked in response to a declared cybersecurity incident of sufficient severity The high-security operating state may trade off efficiency and ease of use in favor of increased security by blocking remote access and requiring a higher level of authentication and authorization for certain commands until a return to the normal state of operation is deemed safe ONG-C2M2 procedure In this model procedure is synonymous with process process A series of discrete activities or tasks that contribute to the fulfillment of a task or mission CERT RMM Business Process provisioning The process of assigning or activating an identity profile and its associated roles and access privileges See also deprovisioning CERT RMM recovery time objectives Documented goals and performance targets the organization sets for recovery of an interrupted function in order to meet critical infrastructure and organizational objectives ONG-C2M2 refining The control or management of any operation by which the physical or chemical characteristics of oil or products are changed but exclusive of the operations of passing oil through separators to remove gas placing oil in settling tanks to remove basic sediment and water dehydrating oil and generally cleaning and purifying oil Natural Resources Office of Conservation – General Operations Louisiana Administrative Code Title 43 Part XIX March 2013 71 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source risk A measure of the extent to which an organization is threatened by a potential circumstance or event and typically a function of 1 the adverse impacts that would arise if the circumstance or event occurs and 2 the likelihood of occurrence DOE RMP risk analysis A risk management activity focused on understanding the condition and potential consequences of risk prioritizing risks and determining a path for addressing risks Determines the importance of each identified risk and is used to facilitate the organization’s response to the risk Adapted from CERT RMM risk assessment The process of identifying risks to organizational operations including mission functions image reputation resources other organizations and the Nation resulting from the operation of an IT and ICS DOE RMP risk criteria Objective criteria that the organization uses for evaluating categorizing and prioritizing operational risks based on impact tolerance for risk and risk response approaches ES-C2M2 risk designation as in ―position risk designation‖ An indication such as high medium or low of the position’s potential for adverse impact to the efficiency integrity or availability of the organization’s services Adapted from OPM risk disposition A statement of the organization’s intention for addressing an operational risk Typically limited to ―accept ‖ ―transfer ‖ ―research ‖ or ―mitigate ‖ CERT RMM risk management program The program and supporting processes to manage cybersecurity risk to organizational operations including mission functions image reputation resources other organizations and the Nation It includes 1 establishing the context for risk-related activities 2 assessing risk 3 responding to risk once determined and 4 monitoring risk over time DOE RMP risk management RM The ONG-C2M2 domain with the purpose to establish operate and maintain an enterprise cybersecurity risk management program to identify analyze and mitigate cybersecurity risk to the organization including its business units subsidiaries related interconnected infrastructure and stakeholders ONG-C2M2 risk management strategy Strategic-level decisions on how senior executives manage risk to an organization’s operations resources and other organizations DOE RMP risk mitigation Prioritizing evaluating and implementing appropriate risk-reducing controls DOE RMP risk mitigation plan A strategy for mitigating risk that seeks to minimize the risk to an acceptable level CERT RMM risk parameter risk parameter factors Organization-specific risk tolerances used for consistent measurement of risk across the organization Risk parameters include risk tolerances and risk measurement criteria CERT RMM risk register A structured repository where identified risks are recorded to support risk management ONG-C2M2 risk response Accepting avoiding mitigating sharing or transferring risk to organizational operations resources and other organizations DOE RMP risk taxonomy The collection and cataloging of common risks that the organization is subject to and must manage The risk taxonomy is a means for communicating these risks and for developing mitigation actions specific to an organizational unit or line-of-business if operational assets and services are affected by them Adapted from CERT RMM 72 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source role A group attribute that ties membership to function When an entity assumes a role the entity is given certain rights that belong to that role When the entity leaves the role those rights are removed The rights given are consistent with the functionality that the entity needs to perform the expected tasks CNSSI 4009 secure software development Developing software using recognized processes secure coding standards best practices and tools that have been demonstrated to minimize security vulnerabilities in software systems throughout the software development life cycle An essential aspect is to engage programmers and software architects who have been trained in secure software development ONG-C2M2 separation of duties A security control that ―addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion Separation of duties includes for example i dividing mission functions and information system support functions among different individuals and or roles ii conducting information system support functions with different individuals e g system management programming configuration management quality assurance and testing and network security and iii ensuring security personnel administering access control functions do not also administer audit functions Organizations with significant personnel limitations may compensate for the separation of duty security control by strengthening the audit accountability and personnel security controls ‖ NIST 800-53 pp 31 F-13 service level agreement SLA Defines the specific responsibilities of the service provider including the satisfaction of any relevant cybersecurity requirements and sets the customer’s expectations regarding the quality of service to be provided Adapted from CNSSI 4009 situational awareness A sufficiently accurate and up-to-date understanding of the past current and projected future state of a system including its cybersecurity safeguards in the context of the threat environment and risks to the system’s mission to support effective decision making with respect to activities that depend on and or affect how well a system functions It involves the collection of data e g via sensor networks data fusion and data analysis which may include modeling and simulation to support automated and or human decision making for example concerning OT system functions Situational awareness also involves the presentation of the results of the data analysis in a form e g using data visualization techniques appropriate use of alarms that aids human comprehension and allows operators or other personnel to quickly grasp the key elements needed for good decision making Adapted from SGMM Glossary situational awareness SA The ONG-C2M2 domain with the purpose to establish and maintain activities and technologies to collect analyze alarm present and use cybersecurity information including status and summary information from the other model domains to form a common operating picture COP commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 sponsorship Enterprise-wide support of cybersecurity objectives by senior management as demonstrated by formal policy or by declarations of management’s commitment to the cybersecurity program along with provision of resources Senior management monitors the performance and execution of the cybersecurity program and is actively involved in the ongoing improvement of all aspects of the cybersecurity program ONG-C2M2 73 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source stakeholder An external organization or an internal or external person or group that has a vested interest in the organization or function that is being evaluated using this model and its practices Stakeholders involved in performing a given practice or who oversee benefit from or are dependent upon the quality with which the practice is performed could include those from within the function from across the organization or from outside the organization Adapted from CERT RMM standard A standard is a document established by consensus that provides rules guidelines or characteristics for activities or their results See guidelines Adapted from ISO IEC Guide 2 2004 states of operation See pre-defined states of operation strategic objectives The performance targets that the organization sets to accomplish its mission vision values and purpose CERT RMM strategic planning The process of developing strategic objectives and plans for meeting these objectives CERT RMM supply chain The set of organizations people activities information and resources for creating and moving a product or service including its sub-elements from suppliers through to an organization’s customers The supply chain encompasses the full product life cycle and includes design development and acquisition of custom or commercial off-the-shelf COTS products system integration system operation in its environment and disposal People processes services products and the elements that make up the products wholly impact the supply chain NISTIR 7622 Source of 1st paragraph cited as NDIA ESA supply chain risk Supply chain risk is measured by the likelihood and severity of damage if an IT or OT system is compromised by a supply chain attack and takes into account the importance of the system and the impact of compromise on organizational operations and assets individuals other organizations and the Nation Supply chain attacks may involve manipulating computing system hardware software or services at any point during the life cycle Supply chain attacks are typically conducted or facilitated by individuals or organizations that have access through commercial ties leading to stolen critical data and technology corruption of the system infrastructure and or disabling of mission-critical operations See risks and supply chain Adapted from NIST 7622 pg 7 pg 10 supply chain and external dependencies management EDM The ONG-C2M2 domain with the purpose to establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 threat Any circumstance or event with the potential to adversely impact organizational operations including mission functions image or reputation resources and other organizations through IT OT or communications infrastructure via unauthorized access destruction disclosure modification of information and or denial of service Adapted from DOE RMP 74 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source threat and vulnerability management TVM The ONG-C2M2 domain with the purpose to establish and maintain plans procedures and technologies to detect identify analyze manage and respond to cybersecurity threats and vulnerabilities commensurate with the risk to the organization’s infrastructure e g critical IT operational and organizational objectives ONG-C2M2 threat assessment The process of evaluating the severity of threat to an IT and ICS or organization and describing the nature of the threat DOE RMP threat profile A characterization of the likely intent capability and targets for threats to the function It is the result of one or more threat assessments across the range of feasible threats to the IT and OT of an organization and to the organization itself delineating the feasible threats describing the nature of the threats and evaluating their severity ONG-C2M2 threat source An intent and method targeted at the intentional exploitation of a vulnerability or a situation or a method that may accidentally exploit a vulnerability DOE RMP traceability The ability to determine whether or not a given attribute of the current state is valid e g the current configuration of a system or the purported identity of a user based on the evidence maintained in a historical record showing how the attribute was originally established and how it has changed over time ONG-C2M2 upstream activities Business category of the petroleum industry involving exploration and production e g offshore oil gas production facility drilling rig intervention vessel API STD 689 Collection and Exchange of Reliability and Maintenance Data for Equipment First Edition July 2007 upstream dependencies External parties on which the delivery of the function depends including suppliers and some operating partners ONG-C2M2 validate Collect and evaluate evidence to confirm or establish the quality of something e g information a model a product a system or component with respect to its fitness for a particular purpose ONG-C2M2 vulnerability A cybersecurity vulnerability is a weakness or flaw in IT OT or communications systems or devices system procedures internal controls or implementation that could be exploited by a threat source A vulnerability class is a grouping of common vulnerabilities Adapted from NISTIR 7628 Vol 1 pp 8 vulnerability assessment Systematic examination of an IT or product to determine the adequacy of cybersecurity measures identify security deficiencies provide data from which to predict the effectiveness of proposed cybersecurity measures and confirm the adequacy of such measures after implementation DOE RMP 75 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 GLOSSARY Term Definition Source workforce life cycle For the purpose of this model the workforce life cycle comprises the distinct phases of workforce management that apply to personnel both internal and external to the organization Specific cybersecurity implications and requirements are associated with each life cycle phase The workforce life cycle includes recruiting hiring onboarding skill assessments training and certification assignment to roles deployment professional growth and development re assignment and transfers promotions and demotions succession planning and termination or retirement The phases may not be in strict sequences and some phases like training re-assignment and promotions may recur ONG-C2M2 workforce management WM The ONG-C2M2 domain with the purpose to establish and maintain plans procedures technologies and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel commensurate with the risk to critical infrastructure and organizational objectives ONG-C2M2 workforce management objectives See cybersecurity workforce management objectives 76 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 ACRONYMS APPENDIX C ACRONYMS Acronym Definition C2M2 Cybersecurity Capability Maturity Model CBA cost-benefit analysis CERT®-RMM CERT® Resilience Management Model COP common operating picture COTS commercial off-the-shelf CVSS Common Vulnerability Scoring System DHS Department of Homeland Security DOE Department of Energy ES-C2M2 Electricity Subsector Cybersecurity Capability Maturity Model ICS industrial control system ICS-CERT Industrial Control Systems Cyber Emergency Response Team ICSJWG Industrial Control Systems Joint Working Group IEC International Electrotechnical Commission ISAC Information Sharing and Analysis Center IT information technology MIL maturity indicator level NIST National Institute of Standards and Technology ONG-C2M2 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model OT operations technology RPO recovery point objective RTO recovery time objective RMP Electricity Subsector Cybersecurity Risk Management Process Guideline SCADA supervisory control and data acquisition SEI Software Engineering Institute SLA service level agreement US-CERT United States Computer Emergency Readiness Team VoIP Voice over Internet Protocol 77 Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1 1 NOTICES NOTICES This material is based on the Technical Report “Electricity Subsector Cybersecurity Capability Maturity Model Version 1 0 ES-C2M2 ” © 2012 Carnegie Mellon University This version of ONG-C2M2 is being released and maintained by the U S Department of Energy DOE The U S Government has at minimum unlimited rights to use modify reproduce release perform display or disclose this version the ONG-C2M2 or corresponding toolkits provided by DOE as well as the right to authorize others and hereby authorizes others to do the same ONG-C2M2 was created with the funding and support of DOE under the Federal Government Contract Number FA8721-05-C-0003 between the U S Department of Defense and Carnegie Mellon University for the operation of the Software Engineering Institute a federally-funded research and development center Capability Maturity Model® is a registered trademark of Carnegie Mellon University