Jun 05, 2018
Page 1: Security Management Seminar - NERC Training/1 Security Management... · Information Technology/Control Systems Security 5. Personnel Security 6. ... • NIST SP 800-82 Guide to Industrial

Ross Johnson, CPP
Capital Power
Edmonton, Alberta

Security Management Seminar

SSID PSAV_Event_Solutions, Passcode NERC0001

Page 2:

Agenda

• Security Management Programs
• Security Risk Management
• Design Basis Threat
• Security Measures Selection
• Threat Response Planning

Page 3:

Security Management Programs

Page 4:

Security Management Program

• Sets organization-wide policies and procedures that define how the program integrates into the company's overall management system
• Includes management commitment and accountability
• Includes:
  • Accountability
  • Implementation
  • Competence
  • External Practices
  • Internal Practices

Page 5:

Advantages (of a standards-based program)

• Ensures that all aspects of security are considered
• Provides 'best practice' guidance
• Developed by a large group of security practitioners, so it draws on a broad base of experience
• Provides guidance on requirements, objectives, and metrics
• Demonstrates professionalism to senior management and external stakeholders
• Tells you what to do, not how to do it

Page 6:

Security Management Program Elements

1. Security Management Program
2. Security Risk Management
3. Information Security Management
4. Information Technology/Control Systems Security
5. Personnel Security
6. Physical Security Measures
7. Security Incident Management
8. Contingency Planning
9. Threat Response Planning
10. Change Management Process
11. Evaluation & Review
12. Continuous Improvement

Based on the Canadian Standards Association's CSA Z246.1-09, Security Management for Petroleum and Natural Gas Industry Systems

Page 7:

Security Risk Management

• Identify and classify security risks
• Develop and implement strategies and security controls to eliminate or mitigate risks
• Security risk management activities must consider asset:
  • Type
  • Size
  • Location
  • Criticality
• Risk should be continually assessed across the organization by determining the likelihood and impact of potential threats

Page 8:

Information Security Management

• Policies and procedures for protecting both hard-copy and digital information from the time of conception through to its final disposition
• Should include documented policies and procedures
• Areas to consider include classification and labelling, handling, destruction, training, incident reporting and investigation, and audit, compliance, and disaster recovery
• Determination of what to protect is done by risk assessment: what information could hurt the company if it got into the wrong hands, either accidentally or on purpose?

Page 9:

Information Technology Security

• Information technology is protected by a combination of controls, processes, procedures, organizational structures, software, and hardware
• The aim is to protect data confidentiality, integrity, and availability
• ISO/IEC 27002 provides best practice recommendations on information security management

Page 10:

Industrial Control Systems Security

• Control systems run industrial production equipment, and are heavily used in the energy industry
• Often targeted by hackers or other threat actors
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, is an excellent resource on this subject
• The NERC CIP standards might have a thing or two to say on this as well

Page 11:

Personnel Security

• Protection of personnel
• Workplace Violence Assessment & Prevention
• Security Training and Awareness
• Personnel Screening
• Personnel Termination
• Employee Travel

Page 12:

Physical Security Measures

• Minimum physical security guidelines
• Vehicle searches
• Signage standards
• Chain-link fencing standards
• CCTV cameras
• Copper/metal theft prevention
• Guard force management

Page 13:

Physical Security Measures by Facility Type (● = measure applies)

Access Control measures (columns, left to right): Fence with Top Guard · Fenceline Intrusion Detection · CCTV/Lighting · Electronic Card Access · Interior Intrusion Detection · Locked Fence Gates with CCTV · Locked Exterior Access Doors · Visitor Management · Background Checks for all Unescorted Personnel · Signage

Critical Asset
  Manned Power Plant: ● ● ● ● ● During Silent Hours ● ● ●
  Unmanned Power Plant: ● ● ● ● ● ● ● ● ● ●
  Control Room: ● ● ● ● ● ●
  PEECC: ● ● ● ● ● ● ●
  Switchyard: ● ● ● ● ● ● ● ● ●

Non-Critical Asset
  Thermal Power Plant: ● ● See Note 1. ● During Silent Hours ● ● ●
  Wind Facility: ● ● ● ● ●
  Solar Facility: ● ● ● ● ●
  Control Room: ● ● ● ● ●
  PEECC: Optional ● ● ●
  Switchyard: ● ● ● ● ●
  Office Building/Data Centre: ● ● ● ● ● ●
  Construction Site: ● ● ● ● ●

Page 14:

Guards and Regulatory Requirements by Facility Type (● = applies)

Guards (columns, left to right): Fixed Post · Mobile Patrols · Safe Walk Program · Security Shuttle
Regulatory Requirements (columns, left to right): NERC EOP-004 / ARS CIP-001 · NERC / ARS CIP-002 to CIP-014

Critical Asset
  Manned Power Plant: ● ● ● ●
  Unmanned Power Plant: ● ● ●
  Control Room: ● ● ● ●
  PEECC: ● ● ●
  Switchyard: ● ● ●

Non-Critical Asset
  Control Room: ● ●
  PEECC: ●
  Thermal Power Plant: ● ●
  Switchyard: ● ●
  Wind Facility: ● ●
  Solar Facility: ● ●
  Office Building/Data Centre: Guards may be used if deemed necessary because of local security conditions
  Construction Site: ●

Page 15:

Security Incident Management

• Incident reporting
• Investigations
• Workplace violence incident management
• Lessons Learned
• Security Management Program upgrades

Page 16:

Investigations (image, timestamp 5 Oct 2014 23:27)

Page 17:

Investigations (image, timestamp 6 Oct 2014 05:27)

Page 18:

Investigations (image, timestamp 7 Oct 2014 23:28)

Pages 19-22:

Contingency Planning

• Business Continuity Management
  o Includes loss of: people, office space, critical IT systems
• Emergency Response Program
  o Used at the production facility level
  o Includes communications, equipment, and tactical response plans for all the scenarios deemed of concern during a Hazard Risk Vulnerability Assessment
• Crisis Management Planning
  o Used at the corporate level to marshal resources and senior executive leadership to solve problems that threaten the company's people, assets, or reputation
  o Part of the emergency response program

Page 23:

Threat Response Planning

• Threat and vulnerability assessment
• Security measures
• Observation plan
• Random security measures
• Response plan
• Communications
• Training and review

TRPs bring together a number of elements of the security management program; they are not part of the CSA standard.

Page 24:

Conclusion

• Use of a standardized security management program template can help you to ensure that all elements of security are considered in your security plan
• They add dignity to what would otherwise be a vulgar brawl
• We are trying to develop a security management program template in the electricity sector, and we could use your help

Page 25:

Questions?