Cyber Security Plan Template

<Name of Co-op> Cyber Security Plan

<date>

Prepared by:

1 of 27

Table of Contents

Preface

Purpose

Scope

Target Audience

Contacts

Using the Template

Executive Summary

Building a Risk Management Program

Risk Management Program Plan

Addressing People and Policy Risks

Cyber Security Policy

Cyber Security Policy Plan

Personnel and Training

Personnel and Training Plan

Addressing Process Risks

Operational Risks

Operational Risk Plan

Insecure Software Development Life Cycle (SDLC) Risks

Secure Software Development Life Cycle Plan

Physical Security Risks

Physical Security Plan

Third-Party Relationship Risks

Third-Party Relationship Plan

Addressing Technology Risks

Network Risks

Network Security Plan

Platform Risks

Platform Security Plan

Application Layer Risks

Application Security Plan

Security Requirements and Controls for Each Smart Grid Activity Type

Advanced Metering Infrastructure (AMI)

Advanced Metering Infrastructure Plan

Meter Data Management (MDM)

Meter Data Management Plan

Communication Systems (COMM)

Communication Systems Plan

Supervisory Control and Data Acquisition (SCADA)

Supervisory Control and Data Acquisition (SCADA) Plan

In-Home Display (IHD) / Web Portal Pilots

In-Home Display (IHD)/Web Portal Pilots Plan

Demand Response over Advanced Metering Infrastructure (AMI) Networks

Demand Response over Advanced Metering Infrastructure (AMI) Networks Plan

Interactive Thermal Storage

Interactive Thermal Storage Plan

Smart Feeder Switching

Smart Feeder Switching Plan

Advanced Volt/VAR Control

Advanced Volt/VAR Control Plan

Conservation Voltage Reduction (CVR)

Conservation Voltage Reduction (CVR) Plan

Appendix A: Reference Documentation

Security Standards

National Institute of Standards and Technology Special Publications

Other Guidance Documents

Appendix B: Glossary

Appendix C: Acronyms

Appendix D: Minimum Security Requirements


Preface

Purpose

This plan baselines existing cybersecurity-related activities and controls at our organization against the Guide to Developing a Cyber Security and Risk Mitigation Plan. For areas covered by existing processes and/or technologies, the plan briefly documents how and where this is accomplished. For identified gaps, the plan documents the current deviation from the recommended security controls and specifies whether to accept or mitigate the risk, the actions needed to close the gaps, the responsible party, and the implementation timeline.

Scope

This plan goes through the cybersecurity controls that our organization already has in place or plans to implement in order to mitigate the risks introduced by smart grid technologies.

Target Audience

Security team, IT organization, leadership team.

Contacts

The following are the primary individuals who assisted in preparation of the cyber security plan:

Contact / Title / Contact / E-mail Address
<list individuals>

Using the Template

Each section of the template is divided into two subsections. The first contains a table for identifying best practices and their current use in the cooperative:

Figure 1. Use of the Assessment Table

Using the dropdown box, select the option that best describes the cooperative’s status regarding the best practice.

  • If the cooperative is substantially compliant with the best practice, select “Yes.” This indicates that there are no substantial opportunities for improvement in the implementation.
  • If the cooperative is partially compliant with the best practice, select “Partial.” This indicates that there are substantial opportunities for improving the implementation of the practice.
  • If the cooperative is not compliant with the best practice, select “No.” This indicates that very few or no activities are currently taking place related to the implementation of the practice.

To list documents where the cooperative’s implementation of the best practice is described, use the “Associated Documentation” column.

The second subsection contains a table for listing deviations from the recommended best practices (those marked as “Partial” or “No” in the first table), decisions to accept or mitigate the risk posed by not implementing the best practices, the person or group responsible for the risk’s acceptance or mitigation, the estimated completion date (if applicable), and a strategy for mitigating the risk (if applicable).

Figure 2. Use of the Planning Table

Use this table to list all security activities or controls that are currently either partially in place or not in place. For each identified activity or control, describe the way in which the cooperative does not meet the best practice as captured in the Guide to Developing a Cyber Security and Risk Mitigation Plan. Use the dropdown box to either “Accept” or “Mitigate” the risk posed by not implementing the best practice. Assign a person or group responsible for mitigating or accepting that risk. Provide an estimated completion date of mitigation in the “Estimated Completion Date” column, or use “n/a” for risk acceptance. Describe the strategy that will be used to implement the activity or control, or use “n/a” for risk acceptance.

Introduction to the Updated Version

Three things have inspired most of the changes made to the guide in this update: the experience and feedback of applying the guide and the plan template in the field, changes in the cyber security space as they relate to the energy sector, and the U.S. Department of Energy’s (DOE’s) development of ES-C2M2.

This latest version of the template has been updated to introduce maturity levels and to cover additional subject areas that were not previously part of the guide, to complement the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2, Version 1.0)[1] published by DOE. In addition, each item in the template has been individually numbered to improve usability.

If your organization has previously completed the guide and template, it will be able to leverage its existing responses to address the vast majority of the updated template. In this case, you should first account for any changes in the organizational security posture since the guide/template was originally completed, and then focus on the changes in the guide since the previous version. A detailed document is available from NRECA that lists all changes reflected in this version of the template; overall, 23 new activities were added and five existing activities were updated. The updated template contains 191 activities, compared to a previous total of 168.

NRECA performed a detailed content analysis of ES-C2M2 and the guide/template, developing a mapping of template responses to the appropriate domains and objectives within ES-C2M2. In many cases, this mapping is performed at the individual item level, and in some cases the mapping is summarized at the objective level (comprising an average of 5−8 items). Based on this mapping, NRECA has published a scoring tool that can be used to obtain an estimate of how an organization would score on a full ES-C2M2 assessment.

It is important to note that the scoring tool only provides an estimate of a representative ES-C2M2 score for the organization and does not take the place of a full ES-C2M2 assessment. The concept is similar to a practice exam that a candidate takes before the real exam to gauge preparedness and identify areas of improvement. Refer to item 7 in the instructions below for details of the key scoring differences between the tools. NRECA views its Cyber Security Guide and Plan Template materials as complementary to the ES-C2M2 materials, with the former developed specifically with the needs of NRECA member co-ops in mind.

Instructions for ES-C2M2 “Practice Score” Reporting

  1. Completely fill out this template document by selecting Yes, No, or Partial for each Activity listed in the tables below, then save the document.
  2. Download and open the Cyber Security Template Scoring Worksheet, making sure to enable Excel macros if prompted.
  3. In the CS Template tab, click the Select File button at top right, then select the Word document that contains the filled-out template, as shown in Figure 3 below.

Figure 3. Importing Template Responses into Excel

  4. If the data imported successfully, you will see all of the template responses filled into column F in the spreadsheet's CS Template tab. If you receive an error message, refer to the details in the message and make sure that neither the reporting spreadsheet nor the template has been structurally altered.
  5. Review the scoring results in the ES-C2M2 Objectives and ES-C2M2 Domains tabs, which can be directly compared to the Objective and Domain tabs in the ES-C2M2 Report Builder spreadsheet or to a full ES-C2M2 report.

Figure 4. Sample ES-C2M2 Domain Reporting Output

  6. The “donut charts” in Figure 4 above show how close the organization is to achieving each of the maturity indicator levels (MIL1-3) in each of the 10 ES-C2M2 domains. For example, the circle at the very top left indicates that at MIL3 in the Risk domain there are 24 total activities; of these, 3 are not implemented, 14 are partially implemented, and 7 are fully implemented. For detailed instructions on interpreting these results and charts, refer to the ES-C2M2 materials, including the section titled “Using the Model” (see p. 48). The worksheet also produces charts organized by objective, showing a donut chart for each objective within a domain. The example in Figure 5 below shows the Response domain objectives.

Figure 5. Sample ES-C2M2 Objective Reporting Output

  7. Note: There are two important differences to consider when comparing scoring output:
  • This template uses a three-item scale (Yes, No, Partial) to determine the organization’s level of implementation, while ES-C2M2 uses a fourth item (“Largely Implemented”) in its scale, which can sometimes be open to interpretation. Since the template does not use this concept, all items are mapped to the three corresponding levels in ES-C2M2: Yes – Fully Implemented; Partial – Partially Implemented; No – Not Implemented.
  • Since this template does not explicitly score the “Manage DOMAIN Activities” objectives in each ES-C2M2 domain, these are not reflected in the Objectives tab.
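The scoring logic the worksheet applies (the three-to-three level mapping above, cumulative counting of activities per domain and maturity indicator level, and a check that every activity was actually answered before importing) can be made concrete in a few lines. The example below is added here for illustration and is not NRECA's scoring worksheet; the item-to-domain mapping (ITEM_MAP) and the responses (RESPONSES) are constructed for the example, and the function names are hypothetical. It assumes, as ES-C2M2 does, that MILs are cumulative (MIL3 for a domain includes the MIL1 and MIL2 activities), and it treats a MIL as achieved only when every activity at that level and below is answered "Yes", which is stricter than a full assessment because the template has no "Largely Implemented" answer.

```python
from collections import Counter

# Template's three-item scale mapped onto ES-C2M2 implementation levels.
# The template has no "Largely Implemented" answer, so there are only three.
TEMPLATE_TO_C2M2 = {
    "Yes": "Fully Implemented",
    "Partial": "Partially Implemented",
    "No": "Not Implemented",
}

# Constructed mapping for this example only (NRECA's real mapping covers all
# 191 items): template item ID -> (ES-C2M2 domain, objective, MIL).
ITEM_MAP = {
    1: ("RISK", "Establish Cybersecurity Risk Management Strategy", 1),
    2: ("ASSET", "Manage Asset Inventory", 1),
    3: ("RISK", "Establish Cybersecurity Risk Management Strategy", 2),
    4: ("RISK", "Manage Cybersecurity Risk", 1),
    5: ("RISK", "Manage Cybersecurity Risk", 2),
    6: ("RISK", "Manage Cybersecurity Risk", 2),
    7: ("RISK", "Manage Cybersecurity Risk", 3),
    8: ("RISK", "Manage Cybersecurity Risk", 3),
    9: ("WORKFORCE", "Assign Cybersecurity Responsibilities", 1),
}

# Constructed sample responses, as they would be read from the filled template.
RESPONSES = {1: "Yes", 2: "Yes", 3: "Partial", 4: "Yes", 5: "No",
             6: "Partial", 7: "Yes", 8: "No", 9: "Yes"}


def validate(responses, item_map):
    """Return problems that would make an import incomplete: items left at
    "Choose an item.", answers outside the three-item scale, unknown IDs."""
    problems = []
    for item_id in item_map:
        answer = responses.get(item_id)
        if answer is None:
            problems.append(f"item {item_id}: no response selected")
        elif answer not in TEMPLATE_TO_C2M2:
            problems.append(f"item {item_id}: invalid response {answer!r}")
    for item_id in responses:
        if item_id not in item_map:
            problems.append(f"item {item_id}: not in mapping")
    return problems


def domain_counts(responses, item_map, domain, mil):
    """Counts of Fully/Partially/Not Implemented for one domain at one MIL,
    i.e. the numbers one donut chart shows. MILs are cumulative, so the MIL3
    chart counts MIL1 and MIL2 activities too."""
    counts = Counter({level: 0 for level in TEMPLATE_TO_C2M2.values()})
    for item_id, (item_domain, _objective, item_mil) in item_map.items():
        if item_domain == domain and item_mil <= mil:
            counts[TEMPLATE_TO_C2M2[responses[item_id]]] += 1
    return dict(counts)


def mil_achieved(responses, item_map, domain, mil):
    """Assumption for this example: a MIL is achieved only when every activity
    at that level and below is fully implemented."""
    counts = domain_counts(responses, item_map, domain, mil)
    return (counts["Fully Implemented"] > 0
            and counts["Partially Implemented"] == 0
            and counts["Not Implemented"] == 0)


def report(responses, item_map):
    """Per-domain, per-MIL counts, the data behind a Figure 4 style output."""
    domains = sorted({d for d, _, _ in item_map.values()})
    return {d: {mil: domain_counts(responses, item_map, d, mil)
                for mil in (1, 2, 3)} for d in domains}


if __name__ == "__main__":
    problems = validate(RESPONSES, ITEM_MAP)
    if problems:
        raise SystemExit("\n".join(problems))
    for domain, mils in report(RESPONSES, ITEM_MAP).items():
        for mil, counts in mils.items():
            achieved = mil_achieved(RESPONSES, ITEM_MAP, domain, mil)
            print(f"{domain:10} MIL{mil} {counts} achieved={achieved}")
```

Run against the sample data, the RISK domain reads 2/0/0 at MIL1 (achieved), 2/2/1 at MIL2 and 3/2/2 at MIL3 (not achieved); change item 3 to "Largely" and validate() rejects it, which is the same structural check the worksheet's import error message is there for.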

Executive Summary

This document provides checklists of security activities and controls designed to help an electric cooperative improve the security posture of its smart grid. The checklists are drawn from the Guide to Developing a Cyber Security and Risk Mitigation Plan, and provide a mechanism to baseline existing security activities and controls against recommended best practices, identify gaps, capture the decision for risk acceptance or mitigation, and document an appropriate plan of action.

Each section contains tables; filling these in will help the electric cooperative to:

  • Identify missing activities and security controls.
  • Consolidate planned activities and controls per topic.
  • Prioritize activity and control implementation.
  • Track activity and control implementation.

It is important to note that implementing security activities and controls should be done with care and sufficient planning. The environment will require testing to ensure that changes to controls do not break important functionality or introduce new risks.

This document provides cyber security planning support in each of the following categories:

  • People and policy security
  • Operational security
  • Software development life cycle (SDLC) security
  • Physical security
  • Third-party relationship security
  • Network security
  • Platform security
  • Application security



Building a Risk Management Program

No usable system is 100 percent secure or impenetrable. The goal of a risk management program is to identify the risks, understand their likelihood and impact on the business, and then put in place security controls that mitigate the risks to a level acceptable to the organization. In addition to assessment and mitigation, a robust risk management program includes ongoing evaluation and assessment of cyber security risks and controls throughout the life cycle of smart grid component software.

The following checklist summarizes security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Status / ID / Activity or Security Control / Rationale / Associated Documentation
Choose an item. / 1 / Define the system. / Careful system definitions are essential to the accuracy of vulnerability and risk assessments and to the selection of controls that will provide adequate assurances of cyber security.
Choose an item. / 2 / Identify and classify critical cyber assets. / It is important to understand the assets that may need to be protected, along with their classification (e.g., confidential information, private information, etc.). That way, an informed decision can be made as to the controls needed to protect these assets, commensurate with risk severity and impact on the business.
Choose an item. / 3 / Provide active executive sponsorship. / Active and visible support from executive management at each stage of planning, deploying, and monitoring security efforts is crucial to success.
Choose an item. / 4 / Identify and analyze the electronic security perimeter(s) (ESPs). / To build a threat model, it is important to understand the entry points that an adversary may use to go after the assets of an organization. The threat model then becomes an important component of the risk assessment.
Choose an item. / 5 / Perform a vulnerability assessment. / Realistic assessments of (a) weaknesses in existing security controls and (b) threats and their capabilities create the basis for estimating the likelihood of successful attacks. They also help to prioritize remedial actions.
Choose an item. / 6 / Assess risks to system information and assets. / The risk assessment combines the likelihood of a successful attack with its assessed potential impact on the organization’s mission and goals. It helps ensure that mitigation efforts target the highest security risks and that the controls selected are appropriate and cost-effective for the organization.
Choose an item. / 7 / Select security controls. / Appropriate management, operational, and technical controls cost-effectively strengthen defenses and lower risk levels. In addition to assessed risks, selection factors might include the organization’s mission, environment, culture, and budget.
Choose an item. / 8 / Monitor and assess the effectiveness of controls. / Effective testing and ongoing monitoring and evaluation can provide a level of confidence that security controls adequately mitigate perceived risks.
Choose an item. / 9 / Assign responsibility for security risk management to a senior manager. / Assigning responsibility ensures that security risk mitigation, resource-allocation decisions, and policy enforcement roll up to a clearly defined executive with the requisite authority.

Risk Management Program Plan

The table below outlines the activities and controls that are currently missing from the risk management of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity or Security Control / Existing Guideline Deviation / Accept or Mitigate Risk / Responsible Party / Estimated Completion Date / Mitigation Strategy
Choose an item. /

Addressing People and Policy Risks

Training people to adopt security-conscious behaviors and establishing policies for maintaining a secure environment go a long way toward improving an organization’s overall security posture. The next two sections cover the people and policy dimensions of cyber security.

Cyber Security Policy

Status / ID / Activity or Security Control / Rationale / Associated Documentation
Choose an item. / 10 / Define security-related roles and responsibilities. / Employees at virtually every organizational level have responsibility for some part of developing or applying security policies and procedures. Defined roles and responsibilities will clarify decision-making authority and responsibility at each level, along with expected behavior in policy implementation. Creating a multidisciplinary oversight committee ensures that all stakeholders are represented.
Choose an item. / 11 / Establish and document a clear strategy for the cyber security program, one that addresses the organization’s cyber security objectives and is aligned with the major risks and threat model. / Provide the foundation for a robust cyber security program that is in line with the organization’s threat model and risk profile.
Choose an item. / 12 / Provide active executive sponsorship and adequate resources/funding for the cyber security program. As part of the program, both in-house application development and third-party software procurement include secure SDLC considerations. / Ensure that the program has both the financial and organizational support to be successful.
Choose an item. / 13 / Assign responsibility for developing, implementing, and enforcing cyber security policy to a senior manager. Ensure that the senior manager has the requisite authority across departments to enforce the policy. / The development and implementation of effective security policies, plans, and procedures require the collaborative input and efforts of stakeholders in many departments of the organization. Assigning a senior manager to organize and drive the efforts, with the authority to make and enforce decisions at each stage, raises the chances of success.
Choose an item. / 14 / Identify security aspects to be governed by defined policies. / An effective security program requires policies and procedures that address a wide range of management, personnel, operational, and technical issues.
Choose an item. / 15 / Document a brief, clear, high-level policy statement for each issue identified. / The high-level policy statements express three things:
  • The organization management’s commitment to the cyber security program.
  • The high-level direction and requirements for plans and procedures addressing each area.
  • A framework to organize lower-level documents.

Choose an item. / 16 / Reference lower-level policy documents. / Lower-level policies, plans, and procedures provide the details needed to put policy into practice.
Choose an item. / 17 / Define the implementation plan and enforcement mechanisms. / A careful rollout of the program, well-documented policies that are accessible to the personnel they affect, and clearly communicated consequences of violating policies will help ensure compliance.
Choose an item. / 18 / Define a policy management plan. / This will help maximize compliance by providing mechanisms to:
  • Request, approve, document, and monitor policy exceptions.
  • Request, approve, implement, and communicate changes to policies, plans, and procedures.

Choose an item. / 19 / The cyber security program is regularly reviewed, and achieved milestones are validated by an independent third party. / Ensure that external experts agree with the organization’s assessment of its cyber security posture and program performance.

Cyber Security Policy Plan

The table below outlines the activities and controls that are currently missing from the cyber security policy of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.