VALUE OF A CYBERSECURITY SELF-ASSESSMENT
RC3 Self-Assessment Research Program
Cybersecurity Ecosystem (diagram labels): E&O Information Technology (IT); CEO/GM; Accounting Finance; Directors; Member Services Marketing; HR
Initial findings…
RC3 Self-Assessment Panel
• Bobby Smith, Vice President, Information Systems, Laurens Electric Cooperative, Inc., SC
• Justin Luebbert, Information Security and Business Technology Manager, Central Electric Power Cooperative, MO
• Sherry Fix, Manager of Information Technology, Grand Valley Power, CO
• Jim Haler, Member Services Manager, South Central Electric Association & Redwood Electric Cooperative, MN
RC3 and Cybersecurity Awareness
Bobby Smith, VP of Information Technology
Board Awareness
“This is two hours of my life that I will never get back.”
IDENTIFY PROTECT DETECT RESPOND RECOVER
Management Awareness
Cybersecurity is not limited to IT
Importance of Cyber-specific Policies
IT Awareness
Inventory of Assets
Importance of Documentation
“Trace every cable”
Justin Luebbert, Manager of Information Security & Business Technology
Central Electric Power Cooperative (G&T), Jefferson City, Missouri
CENTRAL ELECTRIC POWER COOPERATIVE
Collectively we deliver power to a 22,000 square mile area in central Missouri.
1. Boone Electric
2. Callaway Electric
3. Central Missouri Electric
4. Co-Mo Electric
5. Consolidated Electric
6. Cuivre River Electric
7. Howard Electric
8. Three Rivers Electric
8 Distribution Cooperatives
TRANSMISSION COOPERATIVE
• What is the value of a cybersecurity self-assessment?
• What are some of our key takeaways from participating in the NRECA RC3 program?
• NRECA RC3 Self Assessment \ NIST
• IDENTIFY
• PROTECT
• DETECT
• RESPOND
• RECOVER
Communicate risk in ways everyone can understand, from Server Room to the Board Room.
PROVIDES A COMMON LANGUAGE
CEO to CSR
BENCHMARKING
• Creates a benchmark to evaluate your current cybersecurity state.
• Helps you understand your cyber posture and what your biggest vulnerabilities and risks are related to your cooperative.
ABILITY TO EVALUATE CYBERSECURITY POSTURE
Benchmarking diagram labels: PLAN, ANALYZE, IMPLEMENT, COLLECT, MEASURE
PRIORITIZATION
• Allows you to set security priorities based on risks, resources and investment.
• Enables you to have a better understanding of how you can merge cybersecurity priorities and initiatives with business priorities and initiatives.
GOALS
• Allows your cooperative to set realistic goals and to measure success of current initiatives and future initiatives.
SECURITY IS A NEVER ENDING GOAL
ABILITY TO EVALUATE CYBERSECURITY POSTURE
EFFICIENCY
• Less chance of duplication of efforts within your organization.
• Allows different departments to work together toward common goals and set of standards.
• Decreases the chance of shadow IT.
Cybersecurity is no longer just a technology issue, it is also a business issue.
• Understanding of the different roles and needs within an organization related to cybersecurity
• We must embrace cyber security as a business risk, not merely a technology risk.
• Staff and General Manager need to be discussing risk management.
• Review Cooperative Policies: Cybersecurity Integration
• Cyber Insurance & Data Ownership
• Legal Team: Regulatory or Compliance issues, State Laws
• Information Technology & Operational Technology Convergence
• Cyber Incident Response Planning: Table Top Exercises
• Cyber Communications Planning and Media Communications
IT IS NOT JUST AN IT DEPARTMENT PROBLEM
Self-Assessment highlights importance of choosing your vendors & cloud providers
• Not all vendors are taking the required steps when it comes to cybersecurity and can pose huge risk for a cooperative.
• You must manage your cybersecurity risk when making purchasing decisions.
• Get vendor security practices in writing before you sign the contract.
• Create minimum vendor security requirements that all vendors must follow:
• How they connect? When they connect?
• What security practices does the vendor have in place?
• Don’t make assumptions in regards to security responsibilities. Follow Up.
YOUR VENDORS' ROLE IN CYBERSECURITY
“THE HUMAN FIREWALL”
• Know what visitors and contractors are coming in and out of your organization.
• Controlling access at facility entry and exit points, exterior building doors and critical server or data room doors.
• If you SEE something, SAY something.
IMPORTANCE OF PHYSICAL SECURITY
EDUCATION - EDUCATION - EDUCATION
• The importance of educating your employees on their role in “DEFENDING THEIR COOPERATIVE AGAINST CYBER THREATS”
• You must empower your employees. Let them know what you are doing and what they can do.
• Employees are the first line of defense and the biggest asset.
“THE HUMAN FIREWALL”
EDUCATION - EDUCATION - EDUCATION
• Educate employees on cyber crime and who is carrying it out.
• Cybercrime is a business
• Nation-state actors are a real threat (US CERTS)
• What are my cooperative's risks associated with a cybersecurity breach?
• Financial, Reputational, Regulatory
• How can it negatively affect the cooperative?
• Create a Cybersecurity Program similar to cooperative Safety Programs.
• Keeps everyone on the same page, focused toward the same goals.
“THE BIG PICTURE”
FINAL POINTS: THE VALUE OF SELF-ASSESSMENT
An effective cyber security self-assessment will:
• Define clear strategic goals within your organization.
• Establish security standards to ensure that your cooperative has the best chance to defend itself in the event of a breach.
• Empower your employees and departments to take charge of their own role related to security.
• Identify cybersecurity initiatives and how to merge those with the overall business strategy.
• Help define the role cybersecurity plays in the delivery of the cooperative's critical services.
“KEEPING THE LIGHTS ON”
Grand Valley Power
Changes & Challenges
Sherry Fix, IT Manager
Grand Valley Power
• 18,000 meter coop in Western Colorado
• Founded in 1936
• Employed for 36 years
• 43 Employees
Changes & Challenges
• Increased cyber security training with KnowBe4
• Replaced Access Control system/added 7 new cameras
• Locked ports to known MAC addresses
• Ensured unused ports are not patched
• Beginning work on Policy creation
• Enhancing our asset management application
Cyber Security Self-Assessment
Southwestern Minnesota Co-ops
Jim Haler
South Central Electric Association
Redwood Electric Cooperative
Southwest Minnesota Co-ops
South Central Electric Association
Redwood Electric Cooperative
Brown County REA
Federated REA
Nobles Cooperative Electric
5 Cooperatives with no IT staff.
Each with a different IT vendor.
What we learned……
• We need a plan.
• We need to educate our employees and board.
Why the self-assessment is important.
You need a place to start!
155 Questions
36 Not applicable
78 No or partial
• 2018 Self-Assessment Research Program
• Training!!
• SANS Voucher Program (Andre Joseph)
• EnergySec’s Security Education Week, April 23-27 (from $3,495 to $2,500 with NRECA/APPA discount)
• Cybersecurity Summits – 5 planned in 2018
TechUpdate
Twice-monthly email newsletter containing the latest information on RC3 Program opportunities and technical publications, articles, reports, webinars, and conferences.
Sign-up at: [email protected]
Accessible Affordable Appropriate
Dr. Tim Heidel, Deputy Chief Scientist, NRECA
Lauren Khair, Regional Economic Analyst, NRECA
Sarah Kiely, Principal, IT Community Support, NRECA
Dr. Craig Miller, Chief Scientist, NRECA
Jona Okoth, Senior Consultant, Synopsys
Andre Joseph, Cybersecurity Principal, NRECA
Dr. Cynthia Hsu, Cybersecurity Program Manager, Office: 703-907-5500, Mobile: 703-403-8698, Email: [email protected]
Bob Gibson, Consultant
Robin Christianson, Senior Manager, Engagement & Strategy, NRECA
Adaora Ifebigh, Project Manager, NRECA
Maureen Gatti, Consultant
Alvin Razon, Senior Director, Distribution Optimization, NRECA