DOE Cybersecurity Framework
Foreword
The Abu Dhabi Department of Energy aims to facilitate secure and sustainable development of the energy sector.

“The ongoing structural shift in the energy sector with integration of new technologies and digitization has delivered significant benefits while at the same time, it has exposed the sector to new cyber challenges that must be proactively addressed.”
HE Eng. Awaidha Murshed Al Marar, Chairman of the Department of Energy

… transformation in energy systems, which are increasingly becoming distributed and digitally enabled. Energy companies looking to thrive in a new energy world need to both seize the opportunities from digitally driven transformative change and protect themselves from the associated risks, in order to maintain the trust of their customers, stakeholders and regulators. Having robust cybersecurity capabilities has become vital in this era of digital disruption in the energy sector.

With this backdrop, and to ensure that the energy sector safely and securely traverses the transformation journey, the Abu Dhabi Department of Energy has developed the ‘Cybersecurity Framework’ for the Energy Sector, which outlines the core set of principles and defines the necessary building blocks for establishing a resilient cybersecurity program.

“Emerging technology trends in the energy sector are leading to gradual IT and OT convergence. The rapid digital transformation is exposing the sector to a variety of cyber threats. It is vital for the sector to implement measures to prevent cyber-attacks as well …”

… operations are exposed to security risks and the attack surface has exponentially increased. Cyber risk in the energy sector extends far beyond the company and physical location of a cyber-attack. Such events, whether deliberate or inadvertent, threaten public and employee safety, national economic stability, the reliability and resiliency of operations, and consumer privacy. Thus it is imperative for the sector to adopt a proactive, pragmatic, and strategic approach to manage cybersecurity risks.
1 Introduction 5
4 Framework Overview 20
5 Security Domains 22
AM Asset Management 58
BM Backup Management 78
CS Cloud Security 86
Annexures
Abbreviation Details
ACL Access Control List
ADMS Advanced Distribution Management System
AM Asset Management
AMI Automatic Metering Infrastructure
BCM Business Continuity Management
BIA Business Impact Analysis
BM Backup Management
BMS Backup Media Storage
BYOD Bring Your Own Device
C, I, A, S Confidentiality /Integrity/ Availability /Safety
CAB Change Advisory Board
CC Cryptography Control
CCM Configuration and Change Management
CISO Chief Information Security Officer
CPU Central Processing Unit
CS Cloud Security
CSCM Cybersecurity Continuity Management
CSG Cybersecurity Governance
CSIM Cybersecurity Incident Management
CSP Cybersecurity Policy
CSPE Cybersecurity Performance Evaluation
CSPM Cybersecurity in Project Management
CSRM Cybersecurity Risk Management
CSSC Cybersecurity Steering Committee
CST Cybersecurity Team
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
DCS Distributed Control Systems
DHCP Dynamic Host Configuration Protocol
DLP Data Loss Prevention
DMZ De-Militarized Zone
DNS Domain Name Server
DoE Abu Dhabi, Department of Energy
DoS Denial of Service
DPO Data Protection Officer
DPP Data Protection and Privacy
DRM Disaster Recovery Management
EMM Enterprise Mobility Management
EMS Energy Management System
EPP End Point Protection
FAT Factory Acceptance Test
FIM File Integrity Monitoring
GPO Group Policy Object
GPS Global Positioning System
GRC Governance, Risk and Compliance
HMI Human Machine Interface
HR Human Resource
HRS Human Resource Security
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IAM Identity and Access Management
ICS Industrial Control System
IDS Intrusion Detection System
IED Intelligent Electronic Device
IEEE The Institute of Electrical and Electronics Engineers
IP Internet Protocol
IPS Intrusion Prevention System
ISP Internet Services Providers
IT Information Technology
KPI Key Performance Indicator
LAN Local Area Network
LCRC Legal, Contractual and Regulatory Compliance
LM Logging and Monitoring
MAC Media Access Control
MTD Mobile Threat Defense
NAC Network Access Control
NAT Network Address Translation
NCEMA National Emergency Crisis and Disasters Management Authority
NSM Network Security Management
NTP Network Time Protocol
OEM Original Equipment Manufacturer
OS Operating System
OT Operational Technology
PaaS Platform as a Service
PAM Privileged Access Management
PES Physical and Environmental Security
PGP Pretty Good Privacy
PLC Programmable Logic Controller
PMU Phasor Measurement Unit
POP3 Post Office Protocol 3
PT Penetration Testing
RPO Recovery Point Objective
RTO Recovery Time Objective
RTU Remote Terminal Unit
SaaS Software as a Service
SAM Software Asset Management
SAN Storage Area Network
SAT Site Acceptance Test
SCADA Supervisory Control And Data Acquisition
SIEM Security Information and Event Management
SIS Safety Instrumented System
SLA Service-Level Agreement
SNMP Simple Network Management Protocol
SOC Security Operation Centre
SOP Standard Operating Procedure
SSID Service Set Identifier
SSL Secure Sockets Layer
TEE Trusted Execution Environment
TLS Transport Layer Security
TPRM Third-party Risk Management
UAE United Arab Emirates
UAT User Acceptance Test
UHF Ultra High Frequency
UTC Universal Time Coordinated
VHF Very High Frequency
VM Vulnerability Management
VPN Virtual Private Network
Term Definition
Access Ability and means to enter a facility, to communicate with or
otherwise interact with a system, to use system resources, to gain
information the system contains, or to control system components
and functions.
Access Control Limiting access to organizational assets only to authorized entities
(e.g., users, programs, processes, or other systems).
Asset Something of value to the organization. Assets can include software, hardware, information, personnel and facilities in IT and OT/ ICS environments. They may be applications, servers, databases, switches, routers, firewalls, security tools, utility software, networks within and interfacing to the OT/ ICS, PLCs, DCS, SCADA, instrument-based systems that use a monitoring device such as an HMI, and systems that use a routable protocol or are dial-up accessible.
Authentication Verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to resources.
Availability Ensuring timely and reliable access to information and systems.
Business Impact Analysis The process of determining the criticality of business activities and
associated resource requirements to ensure operational resilience
and continuity of operations during and after a business disruption.
Cybersecurity The preservation of Confidentiality, Integrity, Availability and Safety
of IT/ OT systems and processing facilities.
Cybersecurity Event Any observable occurrence in a system or network that is related to
cybersecurity (confidentiality, integrity, or availability).
Cybersecurity Risk The risk to the organization (including financial, legal, regulatory, functional and reputational risk) due to the potential for unauthorized access, disclosure, disruption, modification, or destruction/ damage of IT and ICS/ OT systems.
Information Technology Electronic information resources organized for the collection,
processing, maintenance, use, sharing, dissemination, or
disposition of information.
Logging Logging typically refers to automated recordkeeping of system,
network, or user activity. Logging may also refer to keeping a
manual record (e.g., a sign-in sheet) of physical access by
personnel to a protected asset or restricted area, although
automated logging of physical access activity is commonplace.
Monitoring Critically observe the activity, process, or system that is being
monitored.
Operations Technology Programmable systems or devices that interact with the physical
environment (or manage devices that interact with the physical
environment). Examples include industrial control systems, building
management systems, fire control systems etc.
Policy Document stating the management’s direction and expectations
with high level directives.
Procedure Stepwise guidance detailing the way of carrying out a process.
Process Series of activities or tasks that contribute to the fulfilment of a task.
Purdue Reference Model The Purdue model, also known as Purdue Enterprise Reference
Architecture (PERA) is a reference architecture that was adopted
by ISA-99 as a concept model for ICS network segmentation.
Service Level Agreement Defines specific responsibilities of the service provider and sets the
customer's expectations regarding the quality of service.
Standard Standard is a document that describes mandatory set of
requirements.
Threat Any circumstance or event with the potential to adversely impact
the confidentiality, integrity, availability and safety of information/
systems.
Vulnerability Vulnerability is a weakness or flaw in IT, ICS/ OT systems, network,
procedures or controls that can be exploited by a threat.
Classification code – Classification: Public 14
3. Scope and Compliance
3.1. Scope
Abu Dhabi Department of Energy Cybersecurity
Framework is applicable to the entities holding a license
issued by the Abu Dhabi Department of Energy.
Cybersecurity Framework
The framework consists of the following security domains:
• Cybersecurity Governance
• Asset Management
• Backup Management
• Human Resource Security
• Identity Access Management
• Logging & Monitoring
• Network Security Management
• Cloud Security
• Configuration & Change Management
• CS Continuity Management
• CS Project Management
• Third-party Risk Management
• Vulnerability Management
• Cryptography Control
• Data Protection & Privacy
• CS Incident Management
• Legal, Contractual & Regulatory Compliance
• Physical & Environmental Security

Roles and Responsibilities
Abu Dhabi, Department of Energy:
• Development and update of framework: The Department of Energy has developed the Cybersecurity Framework and will regularly review and update this framework based on emerging sector trends, emerging technologies, and evolving cybersecurity threats.
• Compliance Enforcement: The Department of Energy will regularly evaluate the licensed entity’s adherence to the requirements set forth in the framework. Further, the Department of Energy will provide ongoing support and guidance to the licensed entities to help them achieve a satisfactory level of compliance.
This framework can be adapted to any IT and ICS/OT environments like power and/or water
generation, transmission, distribution, and sewerage treatment. It can be applied to any existing
cybersecurity program regardless of the overall maturity.
Each domain has multiple controls which in turn have one or several sub controls that
collectively aid in achieving the control’s specific security objectives.
Sub controls can include administrative, technical, people, process and physical aspects of
cybersecurity. Each sub control is supported by detailed implementation guidance.
Domain Name
Objective
Overall objective for implementing controls and sub controls related to specific area of security.
Description
Applicability
Statement indicating whether the sub controls prescribed under the domain are mandatory or risk based.
Implementation Guidance
Suggested methodology to implement the sub control in both IT systems and ICS/ OT systems. This guidance is indicative, and the licensed entity can amend or customize it as per its requirements.
Sub control ID (e.g., IAM-1-1)
It is mandatory for the licensed entity to implement the controls and sub controls prescribed in
this domain.
Cybersecurity Risk Management
Objective
To proactively identify risks associated with IT/ OT systems and processing facilities and take appropriate risk management actions.
Description
Applicability
It is mandatory for the licensed entity to implement the controls and sub controls prescribed in this domain.
Implementation Guidance
Risk evaluation assists in making decisions, based on the outcomes of the risk analysis, about which risks need treatment and the priority for treatment implementation. A risk rating determines the level of risk posed in terms of consequence and likelihood. Once this rating is determined, the risk evaluation step determines whether this assessed level of risk is acceptable or not. Acceptability, or the accepted level of “tolerance”, directly relates to the risk appetite of the licensed entity. The licensed entity’s risk appetite will determine the appropriate treatment to be applied. During the risk evaluation stage, contractual, legal, and regulatory requirements are factors that should be taken into account in addition to the estimated risks.
For further guidance about the risk evaluation process, refer to Annexure I: Cybersecurity Risk Management Process.
ICS/ OT Systems Supplementary Guidance
No additional information specific to ICS/ OT systems.
Sub control: The IT/ OT security risks shall be continually monitored and reviewed.
Implementation Guidance
Ongoing monitoring and review are necessary to ensure that the context, the outcomes of the
risk assessment as well as treatment plans, remain relevant and appropriate.
The licensed entity should regularly verify that the criteria used to measure the risk and its
elements are still valid and consistent with business objectives, strategies and policies, and that
changes to the business context are taken into consideration adequately during the CSRM
process.
The risk monitoring and review process helps in determining whether the procedures adopted and the information gathered for identifying the risks were appropriate, and whether all significant risks have been identified. It also helps to validate that the mitigation controls put in place for risks are appropriate.
Risk Assessment should be performed at least once annually, to address any changes to the
risks affecting the IT/ OT security requirements. The following triggers might also warrant risk
assessments:
i. Major changes which may affect the originally assessed risk levels;
ii. Weak performances of the implemented controls;
iii. Any new vulnerabilities identified;
iv. Any new threat due to evolving threat landscape;
v. Any change in the management’s decision on acceptable level of risk;
vi. Any change to the legal or regulatory requirements;
vii. New assets that have been included in the Risk Management scope;
viii. Increased impact or consequences of assessed threats, vulnerabilities and risks in
aggregation resulting in an unacceptable level of risk; and
ix. Cybersecurity incidents.
ICS/ OT Systems Supplementary Guidance
No additional information specific to ICS/ OT systems.
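The risk evaluation step described above (rating by consequence and likelihood, comparison with the entity’s risk appetite, treatment priority) together with the annual and trigger-based reassessment rule, as a worked example added here; it is not part of the framework. The 5-point scale, the appetite threshold, the priority thresholds (15 and 8) and the rule that a risk tied to a contractual, legal or regulatory obligation is never accepted on appetite alone are constructed assumptions.

```python
"""Risk evaluation and review triggers from the CSRM guidance, as a worked example."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed 5-point scale used for both consequence and likelihood.
LEVELS = {"very_low": 1, "low": 2, "medium": 3, "high": 4, "very_high": 5}

# The events the framework lists as possibly warranting an unscheduled assessment.
REASSESSMENT_TRIGGERS = frozenset({
    "major_change", "weak_control_performance", "new_vulnerability",
    "new_threat", "appetite_change", "legal_or_regulatory_change",
    "new_asset_in_scope", "aggregated_impact_increase", "cybersecurity_incident",
})


@dataclass
class Risk:
    risk_id: str
    description: str
    consequence: str          # key of LEVELS
    likelihood: str           # key of LEVELS
    obligation: bool = False  # a contractual, legal or regulatory requirement applies


def risk_rating(risk: Risk) -> int:
    """Rating = consequence x likelihood on the constructed scale (1..25)."""
    return LEVELS[risk.consequence] * LEVELS[risk.likelihood]


def evaluate(risk: Risk, appetite: int) -> dict:
    """Compare the rating with the entity's appetite and assign a treatment priority.

    Assumptions (not stated by the framework): appetite is the highest rating that
    may be accepted without treatment; a risk carrying a legal/regulatory/contractual
    obligation is never accepted on appetite alone; thresholds 15 and 8 are illustrative.
    """
    score = risk_rating(risk)
    acceptable = score <= appetite and not risk.obligation
    if acceptable:
        priority = "accept"
    elif score >= 15 or risk.obligation:
        priority = "treat_immediately"
    elif score >= 8:
        priority = "treat_planned"
    else:
        priority = "treat_when_resources_allow"
    return {"risk_id": risk.risk_id, "score": score,
            "acceptable": acceptable, "priority": priority}


def treatment_plan(risks, appetite: int) -> list:
    """Risks needing treatment, highest rating first (priority for implementation)."""
    evaluated = [evaluate(r, appetite) for r in risks]
    return sorted((e for e in evaluated if not e["acceptable"]),
                  key=lambda e: (-e["score"], e["risk_id"]))


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def reassessment_due(last_assessment, today, events=()) -> tuple:
    """Annual cycle, or earlier when one of the listed triggers has occurred.

    Dates may be date objects or ISO strings. Returns (due, matched_triggers);
    event names not in the framework's trigger list are ignored.
    """
    overdue = _as_date(today) - _as_date(last_assessment) >= timedelta(days=365)
    matched = sorted(REASSESSMENT_TRIGGERS & set(events))
    return overdue or bool(matched), matched


# Constructed sample risk register and appetite.
SAMPLE_RISKS = [
    Risk("R1", "Unpatched remote access gateway into the OT network", "high", "medium"),
    Risk("R2", "Stale documentation for an isolated test lab", "low", "low"),
    Risk("R3", "Metering data retained beyond the regulatory limit", "medium", "medium",
         obligation=True),
]
SAMPLE_APPETITE = 6

if __name__ == "__main__":
    for item in treatment_plan(SAMPLE_RISKS, SAMPLE_APPETITE):
        print(item)
    print(reassessment_due("2023-01-10", "2023-06-01", ["new_vulnerability"]))
```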
Cybersecurity Performance Evaluation
Objective
To evaluate that the IT/ OT security controls are designed adequately and are operating as desired.
Description
It is crucial for the licensed entity to regularly evaluate the controls implemented to ensure that they are adequate, designed properly and operating as expected. The evaluation should be carried out by an independent party. Evaluation may be performed by conducting interviews with the concerned stakeholders, reviewing system settings, performing physical walkthroughs, or requesting documentation/ artefacts for review. Evaluation should be concluded with assessment reports to document the nonconformities, and corrective and preventive action plans to address them.
Applicability
It is mandatory for the licensed entity to implement the controls and sub controls prescribed in this domain.
Controls in this domain: Cybersecurity Audit; Management Review; Corrective Action Plan Report.
Asset Management
Objective
To identify and classify information assets, and define the storage, handling, and secure disposal measures to protect against unauthorized access, loss, modification or destruction of data.
Description
The energy sector is witnessing an influx of new asset classes in the IT/ OT environment that are network connected. In order to be effective and supportive of the licensed entity’s business and security objectives, it is important that assets are securely managed throughout the asset lifecycle, from procurement through disposal.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk assessment.
Appropriate justification and formal approval from senior management (or relevant management body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Controls in this domain: Asset Management Procedure; Information Asset Classification.
Implementation Guidance
Removable media should be disposed of securely to minimize the risk of confidential information leaking to unauthorized persons. The following recommendations may be considered for removable media disposal:
i. Media containing confidential information should be disposed of securely by incineration or
shredding, or erasure of data for use by another application within the licensed entity;
ii. Disposal of removable media can be outsourced to suitable external party with adequate
controls; and
iii. Disposal of sensitive items should be logged in order to maintain an audit trail.
ICS/ OT Systems Supplementary Guidance
No additional information specific to ICS/ OT systems.
Backup Management
Objective
To ensure IT/ OT system data backup is maintained securely, in line with business requirements, and can be recovered in case of loss or corruption of data.
Description
Data loss events can arise from hardware or software failures, data corruption, malware outbreaks, natural disasters, or accidental deletion. Such loss of data can have a catastrophic impact on the licensed entity’s operations and may lead to disruptions.
BM practice protects the licensed entity against such data loss and equips the entity with the capability to restore the lost data. It entails taking a backup of the primary copy of data in one or more locations, stored in a separate system or medium, at pre-determined frequencies (online synchronization, daily, weekly, monthly etc.) and at different capacities (full, incremental, differential etc.).
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk assessment.
Appropriate justification and formal approval from senior management (or relevant management body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Controls in this domain: Backup Management Procedure; Backup Strategy; Backup Media Management; Backup Media Storage, Movement and Disposal; Backup Restoration and Testing.
Further, the licensed entity may consider the controls and sub controls mentioned in this domain and include them in the BM procedure, as applicable, based on the risk assessment.
ICS/ OT Systems Supplementary Guidance
No additional information specific to ICS/ OT systems.
In addition to the scheduled backups, backups may be taken before any major change that may affect the system, such as system upgrades or hardware changes.
ICS/ OT Systems Supplementary Guidance
Backup strategy for ICS/ OT systems may consider defining the schedule and methodology of
taking periodic configuration backups of following key systems:
i. Process and bay level devices like Programmable Logic Controller (PLC), numerical relays,
Analog/ Digital Input/ Output cards, analyzers, smart meters, RTU, gateways, Intelligent
Electronic Device (IED), managed switches, routers, multiplexers, firewalls, wireless routers,
safety devices etc.; and
ii. ICS/ OT systems applications like Supervisory Control and Data Acquisition (SCADA),
Distributed Control System (DCS), EMS, Advanced Distribution Management System
(ADMS), Automatic Metering Infrastructure (AMI), Safety Instrumented Systems (SIS) etc.
BM-1-3 Backup Media Management
Sub control: The media used for taking backups shall be labelled and managed securely.
Implementation Guidance
The following measures may be implemented to securely manage the backup media:
i. All backup media should have proper labelling, which can help in tracking and retrieval of
backup media whenever required;
ii. The backup administrator (IT/ OT staff responsible for BM) should ensure that the labelling
on the backup tapes is not tampered with;
iii. The backup media may be labelled and numbered automatically by the backup system or manually by the IT/ OT staff taking the backup. An example label format is ‘<Sys>-Friday-1/1-On/Off’, where ‘Sys’ is the relevant system, ‘1/1’ is the tape number out of the number of tapes used for the backup, and ‘On’ or ‘Off’ denotes the site of storage of the backup (onsite/ offsite);
iv. Backup media should be encrypted if the data contained in the media is confidential, based
on the licensed entity’s data classification scheme. Refer AM-4-1 (Classification of
Information Assets) for details;
v. Backup media register should be developed and maintained to record the media details,
determine the write cycles, and track movement of media;
vi. Expiry date for individual backup media should also be tracked using the backup media
register;
vii. OEM’s instructions must be adhered to with regard to the permissible write cycles. The
backup administrator should document the permissible write cycles for each type of tape in
the backup media register (or in the backup procedure); and
viii. The backup media should be replaced immediately after encountering an error or at predefined time intervals, whichever is earlier.
ICS/ OT Systems Supplementary Guidance
No additional information specific to ICS/ OT systems.
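The BM-1-3 measures above (label format, encryption of confidential media, a media register tracking write cycles against the OEM limit, expiry and movement, and replacement on error or expiry, whichever is earlier) as a worked example added here; it is not part of the framework. The day-of-week set and system-name charset in the label pattern, the media type ‘LTO-8’ and its write-cycle limit, and all register entries are constructed assumptions.

```python
"""Backup media labelling and register from BM-1-3, as a worked example."""
import re
from dataclasses import dataclass, field
from datetime import date

# Label format from the guidance: <Sys>-<Day>-<tape>/<total>-<On|Off>.
# The allowed day names and the system-name charset are assumptions.
LABEL_RE = re.compile(
    r"^(?P<sys>[A-Za-z0-9_]+)-"
    r"(?P<day>Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday)-"
    r"(?P<tape>\d+)/(?P<total>\d+)-(?P<site>On|Off)$"
)


def parse_label(label: str) -> dict:
    """Split a label into its fields; raise ValueError for a malformed label."""
    m = LABEL_RE.match(label)
    if m is None:
        raise ValueError(f"label {label!r} does not follow <Sys>-<Day>-n/N-On|Off")
    tape, total = int(m["tape"]), int(m["total"])
    if not 1 <= tape <= total:
        raise ValueError(f"tape number {tape} is outside 1..{total}")
    return {"system": m["sys"], "day": m["day"], "tape": tape, "total": total,
            "site": "onsite" if m["site"] == "On" else "offsite"}


def label_is_valid(label: str) -> bool:
    try:
        parse_label(label)
        return True
    except ValueError:
        return False


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class MediaRecord:
    label: str
    media_type: str
    expiry: date
    encrypted: bool
    write_cycles: int = 0
    movements: list = field(default_factory=list)  # (date, site) history
    retired: bool = False


class MediaRegister:
    """Backup media register keyed by label; permissible_cycles maps a media type
    to the OEM's permissible write cycles (documented per item vii)."""

    def __init__(self, permissible_cycles: dict):
        self.permissible = dict(permissible_cycles)
        self.records = {}

    def add(self, label, media_type, expiry, classification, encrypted):
        parse_label(label)  # reject mislabelled media at registration (item i)
        if media_type not in self.permissible:
            raise KeyError(f"no OEM write-cycle limit recorded for {media_type}")
        if classification == "confidential" and not encrypted:  # item iv
            raise ValueError("confidential data must be stored on encrypted media")
        self.records[label] = MediaRecord(label, media_type, _as_date(expiry), encrypted)

    def record_write(self, label, today, had_error=False) -> bool:
        """Count a write cycle; retire the media on error, expiry or the OEM limit
        (item viii). Returns True when the media is now due for replacement."""
        rec = self.records[label]
        if rec.retired:
            raise ValueError(f"{label} is retired and must not be reused")
        rec.write_cycles += 1
        at_limit = rec.write_cycles >= self.permissible[rec.media_type]
        if had_error or _as_date(today) >= rec.expiry or at_limit:
            rec.retired = True
        return rec.retired

    def move(self, label, to_site, today):
        """Track onsite/offsite movement of the media (item v)."""
        self.records[label].movements.append((_as_date(today).isoformat(), to_site))

    def due_for_replacement(self, today) -> list:
        d = _as_date(today)
        return sorted(l for l, r in self.records.items() if r.retired or d >= r.expiry)

    def inventory(self) -> dict:
        """Current site of each media: last recorded movement, else the label's site."""
        return {l: (r.movements[-1][1] if r.movements else parse_label(l)["site"])
                for l, r in self.records.items()}


def build_sample_register() -> MediaRegister:
    """Constructed register: one media type with a 3-cycle OEM limit."""
    reg = MediaRegister({"LTO-8": 3})
    reg.add("SCADA-Friday-1/2-Off", "LTO-8", "2030-01-01", "confidential", True)
    reg.add("SCADA-Friday-2/2-Off", "LTO-8", "2030-01-01", "confidential", True)
    reg.add("HIST-Monday-1/1-On", "LTO-8", "2024-06-30", "internal", False)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for d in ("2024-06-01", "2024-06-08", "2024-06-15"):
        print(d, reg.record_write("SCADA-Friday-1/2-Off", d))
    print(reg.due_for_replacement("2024-07-01"))
```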
Periodic audits of the offsite storage location should be conducted to ensure that backup media are treated in a secure manner and in line with the requirements of the backup procedure. Further, periodic backup media inventory reviews can also be considered to ensure that all the media is accounted for (both onsite and offsite).
ICS/ OT Systems Supplementary Guidance
No additional information specific to ICS/ OT systems.
Cloud Security
Objective
To implement appropriate safeguards for mitigating risks associated with cloud computing and usage of cloud services.
Description
The adoption of cloud computing introduces changes in how computing resources are designed, operated, and governed. While adopting cloud solutions, the licensed entity needs to select a cloud service considering the possible gaps between the entity's cybersecurity requirements and the cybersecurity capabilities of the cloud service provider. Once a cloud service is selected, the licensed entity should manage the use of the cloud service in such a way that it meets cybersecurity requirements.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk assessment.
Appropriate justification and formal approval from senior management (or relevant management body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Controls in this domain: Agreement with Cloud Service Provider.
Configuration and Change Management
Objective
To govern and manage configurations of and changes to IT/ OT systems in a secure manner, ensuring that only authorized changes and updates occur in a planned and controlled manner and that the integrity of IT/ OT systems is maintained.
Description
As the complexity of IT/ OT systems increases, the complexity of the processes used to maintain these systems also increases, as does the probability of accidental errors in configuration and changes. The impact of these errors puts data and systems that may be critical to business operations at significant risk. Having a CCM process to protect against these risks is vital to the overall security posture of the licensed entity. The licensed entity needs to consider cybersecurity implications with respect to the development, operation and maintenance of systems, including hardware, software, applications, and documentation.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Implementation Guidance
The following key aspects should be considered for developing and maintaining the minimum baseline security standards:
i. Minimum baseline security standards for all key configuration items should be developed and maintained. These can be for various databases, operating systems, end points, network devices, network security devices etc.;
ii. Baseline configurations should be defined and approved by the cybersecurity department, CAB and other relevant authorities as appropriate;
iii. Baseline configuration should ensure that all unnecessary software/ services are removed. Wherever applicable, this includes but is not limited to:
• OS built-in leisure games;
• Device drivers for hardware not included;
• Messaging services;
• Servers or clients for unused internet or remote access services;
• Software compilers (except on non-production, development machines);
• Unused protocols and services;
• Unused administrative utilities, diagnostics, network management and system management functions;
• Test and sample programs or scripts;
• Unused productivity suites like Adobe Acrobat, OpenOffice, etc.;
• Unlicensed tools and shareware;
• Universal Plug and Play services; and
• Default accounts.
iv. All approved baseline configurations should be stored in the configuration management database;
v. The asset induction process should include a check to validate that the system being inducted supports approved baselines;
vi. Periodic hardening/ baseline configuration reviews should be conducted to detect and remediate deviations from approved baselines; and
vii. Baseline configuration should be regularly reviewed and approved by the CAB or relevant authorities when changes/ updates are to be made.
ICS/ OT Systems Supplementary Guidance
No additional information specific to the ICS/ OT system.
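A periodic hardening review of the kind items iii, v and vi describe (comparing a host against its approved baseline to flag unnecessary services, prohibited or unapproved software, enabled default accounts and setting deviations), as a worked example added here; it is not part of the framework. The baseline contents, the host snapshots and the setting names are constructed assumptions; a real review would populate the snapshot from the host and the baseline from the configuration management database.

```python
"""Baseline configuration review from the CCM guidance, as a worked example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Approved minimum baseline for one class of configuration item."""
    name: str
    allowed_services: frozenset     # any other running service is unnecessary
    allowed_packages: frozenset     # approved software for this role
    prohibited_packages: frozenset  # e.g. compilers on production hosts
    default_accounts: frozenset     # must be disabled or removed
    required_settings: dict         # setting -> expected value


@dataclass
class HostSnapshot:
    """Constructed view of a host's current state, as a hardening review collects it."""
    hostname: str
    services: set
    packages: set
    enabled_accounts: set
    settings: dict


def review_host(snap: HostSnapshot, base: Baseline) -> list:
    """Return sorted (category, detail) deviations of the host from its baseline."""
    findings = []
    findings += [("unnecessary_service", s) for s in snap.services - base.allowed_services]
    findings += [("prohibited_package", p) for p in snap.packages & base.prohibited_packages]
    findings += [("unapproved_package", p)
                 for p in snap.packages - base.allowed_packages - base.prohibited_packages]
    findings += [("default_account_enabled", a)
                 for a in snap.enabled_accounts & base.default_accounts]
    for key, expected in base.required_settings.items():
        actual = snap.settings.get(key)
        if actual != expected:
            findings.append(("setting_deviation", f"{key}={actual!r}, expected {expected!r}"))
    return sorted(findings)


def is_compliant(snap: HostSnapshot, base: Baseline) -> bool:
    """Periodic review outcome (item vi): no deviations at all."""
    return not review_host(snap, base)


def induction_check(snap: HostSnapshot, base: Baseline) -> bool:
    """Asset induction (item v): the system must at least honour every required setting."""
    return not any(cat == "setting_deviation" for cat, _ in review_host(snap, base))


# Constructed baseline for a production Linux server role.
SAMPLE_BASELINE = Baseline(
    name="linux-server-prod",
    allowed_services=frozenset({"sshd", "ntpd", "rsyslog"}),
    allowed_packages=frozenset({"openssh-server", "chrony", "rsyslog", "vim"}),
    prohibited_packages=frozenset({"gcc", "make", "telnetd"}),
    default_accounts=frozenset({"guest", "admin"}),
    required_settings={"upnp": "disabled", "ssh_root_login": "no"},
)

# Constructed host that drifted from the baseline.
SAMPLE_HOST = HostSnapshot(
    hostname="hmi-01",
    services={"sshd", "ntpd", "upnpd"},
    packages={"openssh-server", "gcc", "vim", "freecell"},
    enabled_accounts={"ops", "guest"},
    settings={"upnp": "enabled", "ssh_root_login": "no"},
)

# Constructed host that matches the baseline.
COMPLIANT_HOST = HostSnapshot(
    hostname="hmi-02",
    services={"sshd", "ntpd"},
    packages={"openssh-server", "chrony"},
    enabled_accounts={"ops"},
    settings={"upnp": "disabled", "ssh_root_login": "no"},
)

if __name__ == "__main__":
    for category, detail in review_host(SAMPLE_HOST, SAMPLE_BASELINE):
        print(f"{SAMPLE_HOST.hostname}: {category}: {detail}")
```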
Objective
Description
The protection of electronic information, and of access to information that is stored or being transmitted, is vital. Cryptographic technologies, if implemented effectively, can provide a significant level of protection to information while it is being stored, transmitted or processed.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Implementation Guidance
Appropriate key management requires establishing secure processes for generating, storing,
archiving, retrieving, distributing, retiring, and destroying cryptographic keys. Cryptographic
algorithms, key lengths and usage practices should be selected based on risk assessment and
should be aligned with best practices.
The key management procedure should include the guidelines related to:
i. Generation of keys for different cryptographic systems and different applications;
ii. Issuing and obtaining public key certificates;
iii. Distributing keys to intended entities, including how keys should be activated when received;
iv. Storing keys, including how authorized users obtain access to keys;
v. Changing or updating keys, including rules on when keys should be changed and how this
will be done;
vi. Dealing with compromised keys;
vii. Revoking keys including how keys should be withdrawn or deactivated, e.g., when keys
have been compromised or when a user leaves an organization (in which case keys should
also be archived);
viii. Recovering keys that are lost or corrupted;
ix. Backing up or archiving keys;
x. Destroying keys; and
xi. Logging and auditing of key management related activities.
In case an automated key management system is not available and the licensed entity has implemented a manual key management process, a process for management of the keys should be established for each cryptographic protection scheme implemented, based on industry accepted standards. The manual process should cover, at a minimum, the requirements for:
Cybersecurity Continuity Management
Objective
To protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption in a secure manner.
Description
Information systems have become fundamental to business operations. Hence it is necessary for the licensed entity to maintain the availability of information systems and establish the capability to effectively respond to and recover from a disruptive event while continuing to maintain business critical operations.
The Department of Energy has issued the “BCM Policy for the Energy Sector” to direct entities holding a license issued by the Department of Energy to develop and maintain a Business Continuity Management (BCM) Program, in accordance with NCEMA Standard 7000 for BCM, in order to ensure the continued performance of their prioritized activities (at a minimum) during and following an Emergency, Crisis, or Disaster.
Thus, the CSCM domain of the Department of Energy Cybersecurity Framework should be read in conjunction with the “BCM Policy for the Energy Sector” issued by the Department of Energy.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk assessment.
Appropriate justification and formal approval from senior management (or relevant management body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Controls in this domain: Cybersecurity Continuity Requirements; Redundancies.
Cybersecurity in Project Management
Objective
To integrate cybersecurity into the licensed entity’s project management and systems acquisition, development and maintenance practices to ensure that cybersecurity risks are identified and adequately addressed.
Description
To ensure that projects are successful in delivering their desired outcomes in a secure manner, it is important that cybersecurity is given due consideration throughout the entire project lifecycle. Cybersecurity risks and implications should be identified, addressed and reviewed regularly in all projects. Further, Systems Acquisition, Development and Maintenance practices should include security requirements such as access control, source code control, and protection from unauthorized modification and misuse of application data.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk assessment.
Appropriate justification and formal approval from senior management (or relevant management body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Controls in this domain: Cybersecurity in Project Lifecycle.
Implementation Guidance
Giving due consideration to cybersecurity requirements at the early stages of system development, whether developing or acquiring new systems or making enhancements, ensures that the appropriate controls are factored in at the outset, and thus avoids the complexity and challenge of having to incorporate the said security requirements into an already procured or developed product/ service.
The following activities may be considered during information system development:
i. The development activities should adhere to the requirements of the Secure Development Policy;
ii. Security requirements should be identified and agreed prior to the development and/ or implementation of information systems;
iii. At the system level, security should be architected and then engineered into the design of the system; and
iv. Systems should be tested and evaluated prior to being implemented. Tests should be conducted against the security requirements identified, to ensure that the development efforts have adequately covered the security control requirements.
Considerations for system acquisition:
i. Security specifications should be included in the request for proposal/ quotation documents for acquisition of systems or services that are shared with third parties;
ii. The security requirements should be included in the formal agreements/ contracts (refer to TPRM-1-4 (Third Party Agreements)); and
iii. In case of system acquisition, a FAT should be performed to validate that the offered system complies with the functional and security requirements.
Additional considerations where information system development is outsourced:
i. Licensing arrangements, code ownership and intellectual property rights related to the
outsourced content;
ii. Contractual requirements for secure design, coding, and testing practices;
iii. Acceptance testing for the quality and accuracy of the deliverables;
iv. Provision of evidence that sufficient testing has been applied to guard against the absence
of both intentional and unintentional malicious content upon delivery;
Objective
To establish a formal process for timely, effective and orderly response to cybersecurity
incidents.
Description
An incident management process helps to ensure a timely, orderly, and effective response to
cybersecurity incidents and thus helps to minimize the potential financial, operational, legal or
reputational impacts. Further, applying the lessons learnt in the aftermath of an incident
enables the licensed entities to be better prepared for any future incidents.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Cybersecurity Incident Management (controls: Incident Management Plan; Incident Detection and Analysis; Containment, Eradication, and Recovery)
Implementation Guidance
The Cybersecurity Incident Response Team (CIRT) is responsible for assessing, containing, and
responding to incidents. It also includes those responsible for assessing the business and legal
impacts, reporting incidents as appropriate, communicating with internal and external
stakeholders, and engaging with industry and government response partners to coordinate
information and resource sharing when needed. Since incidents can be of varied nature, the
following tiered approach to CIRT formation may be considered:
Cybersecurity Incident First Response Team:
This team is the first point of contact and first recipient of reported events.
i. Members:
• IT Technical Response Team or Lead; and
• OT Technical Response Team or Lead.
ii. Responsibilities:
• Conduct initial investigation of reported events;
• Validate whether the reported event is a Cyber Security incident or not and declare the
incident; and
• Notify core CIRT.
Core Cybersecurity Incident Response Team:
This team is the core part of CIRT, and depending on the nature of incidents, it will invite
additional members (internal and/ or external) to assist in the incident response process.
i. Members:
• Manager of IT Technical Response Team;
• Manager of OT Technical Response Team;
• Chief Information Security Officer; and
• Cyber Security Incident Response Manager.
ii. Responsibilities:
• Assess and confirm the First Response Team's declaration of a cyber incident;
• Classify the cyber incident;
• Finalize the composition of the full CIRT and notify the full CIRT members;
• Oversee incident investigation, response, and reporting; and
• Escalate the incident and notify senior management in case of significant incidents.
Classification code – Classification: Public 131
Cybersecurity Incident Management (CSIM) (contd.)
CSIM-1-3 Incident Response Team
Implementation Guidance
Full Cybersecurity Incident Response Team:
Since cyber security incidents can be of varied nature and have different characteristics, in
addition to the Core CIRT, additional members might have to be invited to be part of the CIRT
and assist in the incident response process. The members below are only indicative, and one or
more of them might be included in the CIRT based on the incident type:
i. Members:
• IT Technical Resources;
• OT Technical Resources;
• Vendors;
• Human Resources;
• Legal;
• Finance;
• Internal Communications;
• Public Affairs/ Communications; and
• Physical Security.
ii. Responsibilities:
• CIRT members are assigned roles based on the department they belong to;
• Arrange additional resources based on the needs of the incident response; and
• Interact with government agencies and other external organizations based on the needs
of the incident response.
Refer to Annexure XV: Cybersecurity Incident Response Team Roles, for the indicative roles of the
above members, who would be invited based on the nature of the incident.
ICS/ OT Systems Supplementary Guidance
No additional information specific to the ICS/ OT system.
Objective
To ensure personal data is given due protection, in accordance with the applicable laws and
regulations.
Description
The licensed entity collects and processes personal data to perform essential business functions.
This personal data may belong to the entity's employees or to its customers. A breach of personal data
can lead to loss of customers' trust and affect the entity's reputation. Hence, the licensed entity must
undertake the required due diligence to protect personal data and to conform to applicable data
privacy related laws and regulations.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Data Protection and Privacy
Objective
To ensure that personnel security is implemented to address the risks of human error, theft,
fraud or misuse of information and information processing systems, and to assist all personnel in
creating a secure working environment.
Description
The HRS domain specifies the cybersecurity requirements that need to be integrated in the HR
processes including pre-employment, during employment and after the end of employment of
employees. It also deals with ensuring that all employees and contract staff are aware of their
obligations towards cybersecurity and that their roles and responsibilities are defined in relation
to securing the licensed entity's information and IT/ OT systems.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Human Resources Security (controls: During Employment; Employee Separation)
Implementation Guidance
Employee separation can occur on account of an employee's resignation or termination.
The licensed entity can consider including the below aspects in the employee separation
process, to implement this control:
i. All departing personnel should be told explicitly that all confidentiality agreements
remain in force and that no information obtained in the course of their work may be
disclosed;
ii. Responsibilities and duties that remain valid after employee separation should be contained in
the employee's or third party's terms and conditions of employment. As part of the exit
interview, departing employees should be made aware that they have signed an
agreement (Refer HRS-2-2 (Terms and Conditions of Employment)) that remains valid even
after employee separation; and
iii. A written undertaking should be obtained from the departing employee, stating that he/ she will not
disclose any confidential information.
ICS/ OT Systems Supplementary Guidance
No additional information specific to the ICS/ OT system.
Objective
The objective of the IAM practice is to prevent unauthorized access to information assets by
implementing appropriate authentication, authorization, and accountability controls, covering
both user and system accounts.
Description
IAM is a crucial component for the licensed entity's cybersecurity and entails controls related to
controlling access to the enterprise assets that users and systems have rights to in the given
context. IAM includes provisioning of access to new users and systems, strong authentication
controls, granting access based on principles of ‘need to know’ and ‘least privileges’,
deprovisioning of access in a timely manner, logging the actions taken on systems to ensure
accountability and non-repudiation etc.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Identity Access Management
Objective
To ensure compliance with applicable statutory, regulatory, legal, and contractual compliance
obligations related to IT/ OT security.
Description
The licensed entity has to comply with different statutory, regulatory, and contractual obligations
related to IT/ OT systems. Non-compliance with these obligations can result in imposition of
fines, breach of contractual terms and may also impact the reputation of the licensed entity.
Thus, it is important for the licensed entity to proactively identify, document and ensure
adherence to all relevant and applicable statutory, regulatory, legal, and contractual compliance
obligations. The licensed entity should create, maintain, and protect the records to demonstrate
the due care and due diligence undertaken by the licensed entity to comply with the applicable
compliance and regulatory requirements.
Applicability
It is mandatory for the licensed entity to implement the controls and sub controls prescribed in
this domain.
Objective
To maintain situational awareness of IT/ OT security events through collection and monitoring of
event logs from IT/ OT systems such as applications, databases, servers, network devices,
security solutions etc.
Description
Effective LM entails having a comprehensive visibility into the events that are being generated in
the IT/ OT infrastructure components such as servers, databases, applications, network devices
and other log sources. The proactive monitoring of such events reduces the likelihood that a
malicious activity would go unnoticed. It equips the licensed entity with situational awareness
and facilitates taking timely corrective actions to prevent or minimize damage that might have
been caused by the malicious actors.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Logging and Monitoring (controls: Protection of Log Information; Clock Synchronization)
Objective
To ensure the protection of information in networks and its supporting information processing
facilities.
Description
Communication networks are the backbone on which the information is shared. Absence of
proper controls around network and communications infrastructure can lead to risks like
unplanned network outages, traffic being sniffed while in transit on the network etc. Thus, it
becomes critical for the licensed entity to effectively and securely design, manage, and control
its network infrastructure as well as to have situational awareness of network activities. The
licensed entity should ensure sufficient controls are implemented to protect the confidentiality,
integrity, availability, and safety of the licensed entity’s network infrastructure.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Network Security Management
Implementation Guidance
The network must be segmented logically and/ or physically into different security zones based on
sensitivity, security requirements, internet exposure and business requirements. This
segmentation should restrict the ingress and egress network flows between different zones and
improve overall security.
The following recommendations may be considered for segmenting the network into security zones:
i. Systems sharing common security requirements should be grouped into common security
zones;
ii. There should be logical or physical segmentation between IT and ICS/ OT networks. If the
network is logically separated, appropriate perimeter security devices should be put in place.
If the network is physically separated, controls should be in place to protect physical access
to the network points at all ends;
iii. There should be logical segmentation within the IT/ OT network, based on the criticality of different
IT systems, their application/ function, and exposure (e.g. a De-Militarized Zone (DMZ) where
publicly accessible systems are hosted, an internal Local Area Network (LAN) zone, a
secure zone where critical servers/ databases/ network devices are located, etc.);
iv. A DMZ should be maintained where all external facing servers, including but not limited to web
servers, email gateways and proxy servers, are placed. The DMZ should be segregated
from the internal server segment by a firewall;
v. Servers which have been identified as critical or contain sensitive and critical information
should be placed inside the internal network zone, protected by a firewall;
vi. Separate server and user segments should be created, and access between them must be
controlled with adequate rule bases;
vii. Separate segments should be created for Production and Development/ Test systems. Users
from the Development/ Test environment should not have access to systems in Production;
viii. There should be a separate network segment for wireless networks; and
ix. There should be a separate out-of-band network management zone, dedicated to
management access to network devices, security devices etc., for securely monitoring,
troubleshooting and administering the network infrastructure (out-of-band management
provides a way to log into network devices without going through the same network
through which the data travels).
Implementation Guidance
Wireless technologies may include microwave, packet radio (Ultra High Frequency (UHF)/ Very
High Frequency (VHF)), 802.11x, cellular and Bluetooth etc. The following are the key
considerations that can be referred to while implementing this control:
i. Segregation:
• Treat the wireless network as an untrusted, external network and ensure that all relevant
protection measures recommended for external networks in NM-2-2 are considered when
determining the right level of security for wireless networks connecting with other
segments of the licensed entity's communication network; and
• The wireless network should be considered a separate security zone, and the wireless
network traffic should pass through a firewall before entering the IT/ OT network.
ii. Hardening:
• All wireless infrastructure devices, including but not limited to access points, should be
hardened as per the licensed entity's minimum security baseline standards (CCM-2-2);
• Default administrator passwords should be changed, conforming with the licensed entity's
Password Policy;
• The Service Set Identifier (SSID) of the access point should be changed from the factory
default;
• The SSID of the corporate wireless network should be hidden (not broadcast) to reduce the
likelihood of unauthorized access; and
• Simple Network Management Protocol (SNMP) community strings should be changed
from the manufacturer default to unique, unpublished strings.
iii. Access:
• Unauthorized devices connected to the wireless network should be blocked. The wireless
access point should utilize MAC address filtering so that only known systems are able to
connect to the wireless network; and
• Split tunnelling mode should be disabled while connecting through VPN.
iv. Physical security:
• Wireless access points should be protected and mounted in a way that they cannot be
stolen, moved, vandalized, blocked, or damaged. This may be achieved by mounting the
access points in locked enclosures, installing them in hard to reach/ concealed areas etc.;
and
• Cabling to and from access points should be secured so that it cannot be accessed
without difficulty.
Objective
To prevent unauthorized physical access to the licensed entity’s facilities, ensure security of
information and equipment and protect the systems from environmental factors.
Description
Physical and environmental security aspects are critical elements in securing data processing,
data storage, data communication/ sharing, data hosting and data disposal. PES defines the
various measures or controls that protect the licensed entity from loss of connectivity and loss of
availability of information processing facilities, storage (backup and archival) equipment/ facilities and
operational equipment/ devices caused by theft, fire, natural disasters, intentional destruction,
unintentional damage, mechanical failure, power failure, etc.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Physical & Environment Security
Objective
To ensure that security controls are in place to identify, evaluate, monitor, and manage the risks
associated with third parties (e.g., suppliers, service providers, etc.).
Description
In the energy sector, entities are relying on third parties more than ever before to achieve their
business objectives. This growing dependency exposes the companies to new risks that need to
be managed. While services and functions can be outsourced, it is important to note that the
risks associated with these processes remain the responsibility of the company. Adequate due
diligence needs to be undertaken to ensure that external stakeholders are compliant with the
licensed entity's security requirements.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Objective
To manage the risks associated with technical vulnerabilities, by establishing good vulnerability
and patch management practices.
Description
VM refers to the proactive practice of managing the security weaknesses that exist in the
technology systems. It is an ongoing process that includes identifying, prioritizing, and mitigating
the technical security flaws that might exist in systems in a risk prioritized and timely manner.
Applicability
The applicability of controls and sub controls prescribed in this domain shall be based on the risk
assessment.
Appropriate justification and formal approval from senior management (or relevant management
body like CSSC, Enterprise Risk Management Committee etc.) is required if any of the controls
and sub controls prescribed in this domain are deemed to be “Not Applicable”.
Domain: Vulnerability Management (controls: Vulnerability Management Procedure; Identification of Vulnerabilities)
Mapping of framework domains to reference standards (only partly recovered from the page; the column headings are not recoverable):
• (fragment of a preceding row) SR 1.9 – Strength of public key authentication
• (fragment of a preceding row) Awareness and Training
• Identity Access Management: Access control; Access Control; FR 1 – Identification and authentication control; FR 2 – Use control
• Cybersecurity Continuity Management: Information security aspects of business continuity management; Contingency Planning; FR 7 – Resource availability; AE/SCNS/NCE MA 7000:2021
• Cybersecurity in Project Management: Organization of information security (Information security in project management)
• Cybersecurity Incident Management: Information Security Incident Management; Incident Response; NIST 800-61
Figure-1: Cybersecurity risk management process (elements shown: Context Establishment; Risk assessment; Risk identification; Risk communication and consultation; Risk evaluation; Risk treatment; Risk acceptance)
An example is as follows:
Annexure I: Cybersecurity Risk Management Process (contd.)
                         Likelihood of threat occurrence
                         Low            Medium         High
                         Ease of exploitation
Asset value              L    M    H    L    M    H    L    M    H
    0                    0    1    2    1    2    3    2    3    4
    1                    1    2    3    2    3    4    3    4    5
    2                    2    3    4    3    4    5    4    5    6
    3                    3    4    5    4    5    6    5    6    7
    4                    4    5    6    5    6    7    6    7    8
Table-1
For each asset, the relevant vulnerabilities and their corresponding threats are considered. If
there is a vulnerability without a corresponding threat, or a threat without corresponding
vulnerability, there is presently no risk (but care should be taken in case this situation changes).
Now the appropriate row in the matrix is identified by the asset value, and the appropriate
column is identified by the likelihood of the threat occurring and the ease of exploitation. For
example, if the asset has the value 3, the threat is “high” and the vulnerability “low”, the measure
of risk is 5. Assume an asset has a value of 2, e.g. for modification, the threat level is “low” and
the ease of exploitation is “high”, then the measure of risk is 4.
The size of the matrix, in terms of the number of threat likelihood categories, ease of exploitation
categories and the number of asset valuation categories, can be adjusted to the needs of the
licensed entity. Additional columns and rows will necessitate additional risk measures. The value
of this approach is in ranking the risks to be addressed.
A similar matrix, as shown in Table-2, results from the consideration of the likelihood of an incident
scenario, mapped against the estimated business impact. The likelihood of an incident scenario
is given by a threat exploiting a vulnerability with a certain likelihood. The table maps this
likelihood against the business impact related to the incident scenario. The resulting risk is
measured on a scale of 0 to 8 that can be evaluated against the risk acceptance criteria. This risk
scale could also be mapped to a simple overall risk rating, for example as:
• Low risk: 0-2
• Medium Risk: 3-5
• High Risk: 6-8
                         Likelihood of incident scenario (lowest to highest)
Business impact
    Low                  1    2    3    4    5
    Medium               2    3    4    5    6
    High                 3    4    5    6    7
    Very High            4    5    6    7    8
Table-2
Threat        Consequence     Likelihood of        Measure of    Threat
descriptor    (asset) value   threat occurrence    risk          ranking
(a)           (b)             (c)                  (d)           (e)
Threat A      5               2                    10            2
Threat B      2               4                    8             3
Threat C      3               5                    15            1
Threat D      1               3                    3             5
Threat E      4               1                    4             4
Table-3
As shown above, this is a procedure which permits different threats with differing consequences
and likelihoods of occurrence to be compared and ranked in order of priority. In
some instances, it will be necessary to associate monetary values with the empirical scales used
here.
                                   Likelihood of threat (Low / Medium / High, left to right)
Levels of vulnerability            L    M    H    L    M    H    L    M    H
Likelihood value of an
incident scenario                  0    1    2    1    2    3    2    3    4
Table-4
Next, an asset/threat score is assigned by finding the intersection of asset value and likelihood
value in Table-5. The asset/threat scores are totaled to produce an asset total score. This figure
can be used to differentiate between the assets forming part of a system.
                         Asset value
Likelihood value         0    1    2    3    4
    0                    0    1    2    3    4
    1                    1    2    3    4    5
    2                    2    3    4    5    6
    3                    3    4    5    6    7
    4                    4    5    6    7    8
Table-5
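The matrix arithmetic of Tables 1 to 5 can be carried out programmatically. The Python below is an added example, not part of the framework; it reproduces the printed cells (every cell of Tables 1, 4 and 5 is the sum of its row and column index, and Table-3's measure of risk is consequence value times likelihood) and assumes that Low/Medium/High map to 0/1/2 and that the unlabelled columns of Table-2 are the likelihood values 0 to 4 produced by Table-4.

```python
"""Risk-matrix arithmetic from Annexure I (added example, not framework code).

Assumptions not stated on the page: Low/Medium/High map to 0/1/2, and the
unlabelled columns of Table-2 are the likelihood values 0-4 from Table-4.
"""
from typing import Dict, List, Tuple

# Three-level scales used in Table-1 and Table-4 (assumed index mapping).
LEVEL = {"L": 0, "M": 1, "H": 2, "Low": 0, "Medium": 1, "High": 2}
# Business-impact rows of Table-2: the "Low" row starts at 1, not 0.
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


def table1_risk(asset_value: int, threat_likelihood: str,
                ease_of_exploitation: str) -> int:
    """Table-1: measure of risk (0-8) for one asset/threat/vulnerability."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be 0..4")
    return asset_value + LEVEL[threat_likelihood] + LEVEL[ease_of_exploitation]


def risk_rating(measure: int) -> str:
    """Overall rating bands given after Table-2: 0-2 Low, 3-5 Medium, 6-8 High."""
    if not 0 <= measure <= 8:
        raise ValueError("measure of risk must be 0..8")
    if measure <= 2:
        return "Low"
    if measure <= 5:
        return "Medium"
    return "High"


def table2_risk(business_impact: str, likelihood_value: int) -> int:
    """Table-2: incident-scenario risk (1-8) from impact row and likelihood column."""
    if not 0 <= likelihood_value <= 4:
        raise ValueError("likelihood value must be 0..4")
    return IMPACT[business_impact] + likelihood_value


def table4_likelihood_value(threat_likelihood: str, vulnerability_level: str) -> int:
    """Table-4: likelihood value (0-4) of an incident scenario."""
    return LEVEL[threat_likelihood] + LEVEL[vulnerability_level]


def table5_asset_threat_score(asset_value: int, likelihood_value: int) -> int:
    """Table-5: asset/threat score (0-8) at the intersection of the two values."""
    if not (0 <= asset_value <= 4 and 0 <= likelihood_value <= 4):
        raise ValueError("both inputs must be 0..4")
    return asset_value + likelihood_value


def asset_total_score(asset_value: int,
                      scenarios: List[Tuple[str, str]]) -> int:
    """Total of the Table-5 scores over all (threat, vulnerability) pairs of one asset."""
    return sum(
        table5_asset_threat_score(asset_value, table4_likelihood_value(t, v))
        for t, v in scenarios
    )


def rank_threats(threats: Dict[str, Tuple[int, int]]) -> List[Tuple[str, int, int]]:
    """Table-3: measure of risk = consequence value x likelihood; rank 1 is highest.

    Input maps threat descriptor -> (consequence value (b), likelihood (c)).
    Returns (descriptor, measure of risk (d), ranking (e)) ordered by rank.
    """
    scored = [(name, b * c) for name, (b, c) in threats.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, risk, rank) for rank, (name, risk) in enumerate(scored, start=1)]


# The five threats printed in Table-3, re-entered here as input values.
TABLE3_INPUT = {
    "Threat A": (5, 2), "Threat B": (2, 4), "Threat C": (3, 5),
    "Threat D": (1, 3), "Threat E": (4, 1),
}

if __name__ == "__main__":
    print(table1_risk(3, "High", "Low"))   # 5, the first worked value in the text
    print(table1_risk(2, "Low", "High"))   # 4, the second worked value
    for name, risk, rank in rank_threats(TABLE3_INPUT):
        print(f"{name}: measure of risk {risk}, ranking {rank}")
```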
The impact of a change describes the effect that a change may have on the IT/ OT infrastructure,
or the impact that not performing the change may have on the licensed entity's business. The
impact rating of a change may be assigned based on the following matrix:
Rating      Value   Examples
Critical    4       • Critical business impact
                    • Change will impact significant parts of the IT/ OT operations
                    • Majority of users would be impacted
High        3       • Major operational impact
                    • Multiple users would be impacted
Medium      2       • Minor operational impact
                    • Only noncritical business operations affected
                    • Limited users would be impacted
Low         1       • No or minor impact on operations
                    • No significant impact on users
The overall change priority is derived from the ‘Impact’ and ‘Urgency’ ratings:
Priority = Urgency X Impact
                          Urgency
Impact                    4               3               2               1
Critical    4             Critical (16)   Critical (12)   High (8)        Medium (4)
High        3             Critical (12)   High (9)        Medium (6)      Low (3)
Medium      2             High (8)        Medium (6)      Medium (4)      Low (2)
Low         1             Medium (4)      Low (3)         Low (2)         Low (1)
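The priority matrix above can be generated from the rule rather than looked up, which lets a change-management tool verify that its bands still reproduce the published matrix. The Python below is an added example, not framework code; it assumes urgency uses the same Critical/High/Medium/Low labels and 4 to 1 values as impact (the page shows only the numeric urgency columns), and the change queue it triages is a constructed sample.

```python
"""Change priority = Urgency x Impact (added example, not framework code).

Assumption: urgency uses the same Critical/High/Medium/Low labels and 4..1
values as impact; the page prints only the numeric urgency columns.
"""
from typing import List, Tuple

IMPACT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
URGENCY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}  # assumed labels


def priority_score(urgency: str, impact: str) -> int:
    """Numeric priority, 1..16."""
    return URGENCY[urgency] * IMPACT[impact]


def priority_band(score: int) -> str:
    """Bands read off the printed matrix: 12-16 Critical, 8-9 High, 4-6 Medium, 1-3 Low."""
    if score >= 12:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def change_priority(urgency: str, impact: str) -> str:
    """Cell text in the same form as the printed matrix, e.g. 'High (9)'."""
    score = priority_score(urgency, impact)
    return f"{priority_band(score)} ({score})"


# The matrix as printed: rows are impact, columns are urgency 4..1.
PRINTED_MATRIX = {
    "Critical": ["Critical (16)", "Critical (12)", "High (8)", "Medium (4)"],
    "High": ["Critical (12)", "High (9)", "Medium (6)", "Low (3)"],
    "Medium": ["High (8)", "Medium (6)", "Medium (4)", "Low (2)"],
    "Low": ["Medium (4)", "Low (3)", "Low (2)", "Low (1)"],
}


def matrix_matches_page() -> bool:
    """Self-check: the band rule reproduces every printed cell."""
    for impact, row in PRINTED_MATRIX.items():
        for urgency, cell in zip(["Critical", "High", "Medium", "Low"], row):
            if change_priority(urgency, impact) != cell:
                return False
    return True


def triage(changes: List[Tuple[str, str, str]]) -> List[Tuple[str, int, str]]:
    """Order (change id, urgency, impact) records by descending priority score.

    sorted() is stable, so changes with equal scores keep their queue order.
    """
    scored = [
        (cid, priority_score(u, i), priority_band(priority_score(u, i)))
        for cid, u, i in changes
    ]
    return sorted(scored, key=lambda rec: rec[1], reverse=True)


# Constructed sample queue (change id, urgency, impact); not from the page.
SAMPLE_QUEUE = [
    ("CHG-001", "Low", "Critical"),    # 1 x 4 = 4  -> Medium
    ("CHG-002", "Critical", "High"),   # 4 x 3 = 12 -> Critical
    ("CHG-003", "Medium", "Medium"),   # 2 x 2 = 4  -> Medium
    ("CHG-004", "High", "Low"),        # 3 x 1 = 3  -> Low
]

if __name__ == "__main__":
    print("matrix reproduced:", matrix_matches_page())
    for cid, score, band in triage(SAMPLE_QUEUE):
        print(f"{cid}: {band} ({score})")
```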
Personal data protection goals (figure): 1 Confidentiality; 2 Integrity; 3 Availability/ Resilience; 4 Unlinkability; 5 Transparency; 6 Intervenability.
Fair Information Practices (figure): Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; Accountability.
Privacy by design principles (figure, only partly recovered): 1 Proactive, not reactive; 3 Privacy embedded into design; 5 End-to-end security; 7 User centric; Full functionality.
These job roles/ profiles may be categorized on career levels and the licensed entity may refer to
these (in conjunction with the inputs from the training/ HR department etc.) to determine the
support required for each career level:
i. Entry-Level Cybersecurity Professional:
• Profile:
o College graduate or postgraduate, and career changers; new to Cybersecurity;
o Focused on learning fundamentals; and
o Acclimatizing to organizational environment, establishing support network, and gaining
work experience.
• Support:
o Encourage two-way dialogue for open communication;
o Provide frequent feedback on job performance;
o Provide quality supervision and mentorship;
o Provide opportunities to acquire new skills through established training program,
challenging job assignments, attending seminars etc.; and
o Recognize staff for strong work performance.
The below password management guidelines may be referred to and customized based on the
licensed entity's requirements:
i. Storage of Critical Passwords
• The OT Security team should ensure that the written copy of each critical password is kept in a
sealed tamper-proof envelope; and
• Content of the Password Envelopes: the following information should be documented on
the face of the envelope:
o Name/ identity of the plant operating application, ICS/ OT system operating system,
or Historian database etc. for which the password has been recorded; and
o Name of the user who owns the password, with his/ her department, designation, and
username.
• The custodian of stored passwords should release a password only on formal written
request of the parties mentioned above, on completion of the following steps:
o Release of a password should be noted in the log maintained by the custodian; and
o Once opened, the password is to be considered ‘compromised’ and should be changed.
v. Periodic Monitoring of the Password Envelopes
• The relevant stakeholders, as per the licensed entity's organization structure, should monitor
the password envelopes from time to time and ensure that all password envelopes are
accounted for (in comparison to the password envelopes registered in the password log)
and that the envelopes have not been tampered with.
• If the OT Security team detects that password envelopes are missing or have been
tampered with, it should immediately instruct all relevant users to change their
passwords with immediate effect.
Reference ICS/ OT network architecture (figure; components shown): Site Router; Site Domain Controller; Resource/ Application Server; Manufacturing Office Workstations; Plant Operation Management Systems; Domain Controller; Data Historian; Gateway; Safety System Zone; Intelligent Devices; Controller-1, Controller-2, Controller-3 (Level 1); Safety Instrumented Systems.
Control applicability record (columns as recovered: No.; Domain; Control; Sub-control; Requirement; Applicability; Justification):
1. DPP; DPP-1; Personal Data Protection Policy (DPP-1-1)
   Requirement: Personal data protection policy shall be documented, established, and reviewed periodically, in accordance with applicable laws and regulations.
   Applicability: Applicable
   Justification: Multiple business processes involve storage and processing of personal data related to customers and employees.
2. CS; CS-1; Cloud Security Policy (CS-1-1)
   Requirement: Cloud Security policy shall be documented, established, and periodically reviewed that enforces guidelines to be followed while adopting and integrating cloud solutions, to ensure their consistency with the licensed entity's acceptable levels of cybersecurity risks.
   Applicability: Not Applicable
   Justification: There is no adoption of any cloud technologies/ services in our environment.
3. CS; CS-1; Hosting of Data in Cloud Computing (CS-1-2)
   Requirement: The licensed entity shall ensure that cloud service providers host their data inside the boundary of the United Arab Emirates.
   Applicability: Not Applicable
   Justification: There is no adoption of any cloud technologies/ services in our environment.
4. CS; CS-1; Agreement with Cloud Service Provider (CS-1-3)
   Requirement: All relevant legal and cybersecurity requirements shall be established and agreed with the cloud service provider.
   Applicability: Not Applicable
   Justification: There is no adoption of any cloud technologies/ services in our environment.
IT Technical Response Team
Investigate and analyse cyber incidents; and identify and conduct actions necessary to contain, eradicate, and recover from an incident under direction of the Cyber Incident Response Manager. Required capabilities include:
• Network: Technical understanding of the utility’s network to analyse, block, or restrict data flow in and out of network;
• System Administration: Analyse compromised workstations and servers;
• Forensic Investigation: Gather and analyse incident-related evidence in a legally acceptable manner; conduct root cause analysis; and
• Applications/Database Administration: Understanding of the normal/baseline operation of enterprise applications to analyse abnormal behaviour.

OT Technical Response Team
Coordinate with IT Technical Response Team and operations staff during a cyber incident that could affect operations.
Assess and communicate potential impacts of a cyber incident on control systems.
Communicate impacts to the Cyber Incident Response Manager.
Requires a working knowledge of the entity’s critical operations systems.

Human Resources
Ensure staff resources to enable 24/7 response operations as directed by the Cyber Incident Response Manager.
Assist with managing any internal communications with employees relating to the cyber incident.
Assist in taking disciplinary action against offenders.

Legal
Obtain briefing about the nature of incident, extent of damage/impact, mitigation measures undertaken, further plan of action and other relevant information from Cyber Incident Response Manager.
Provide input into overall incident response and communications strategy from a legal and regulatory standpoint.
Review the cyber incident communication messages and statements prepared by the CIRT members and provide advice from a legal, regulatory and compliance perspective. This will include, but is not limited to, press releases, responses to media queries, replying/reporting to regulator’s queries etc.

Finance
Support with procurement of services and tools as required during incident response efforts.

Internal Communications
Obtain the briefing about the nature of incident, extent of damage/impact, mitigation measures undertaken, further plan of action and other relevant information from Cyber Incident Response Manager.
Provide input into internal communications strategy based on likely concerns raised by internal stakeholders. Share periodic updates of developments.
Identify appropriate channels/mechanisms for sharing the communications like email, intranet postings, notices etc. and initiate formal communication to all internal stakeholders.
Get feedback from the stakeholders on the communications shared and adjust messages if required. Prepare FAQs and publish them through intranet, emails etc.

Public Affairs/Communications
Obtain the briefing about the nature of incident, extent of damage/impact, mitigation measures undertaken, further plan of action and other relevant information from Cyber Incident Response Manager.
Communications with regulators (i.e., Abu Dhabi Department of Energy, etc.):
• Draft incident communication messages in consultation with Cyber Incident Response Manager and Legal team; and
• Share incident communication message with regulators after approval from senior management.
Media Communication:
• Provide inputs into external communications strategy based on likely questions that might be raised by media;
• Field all media and public inquiries regarding the incident;
• Ensure media information requests are fulfilled, and ensure that any communication shared is first approved by senior management;
• Prepare FAQs based on common media queries and publish them through website, press releases, emails etc.;
• Prioritize requests for interviews;
• Work to ensure that all media inquiries are routed to appropriate stakeholders;
• Coordinate press releases, and manage news teams and interviews, etc.;
• Prepare statements for press release; and
• Create a log of inquiries received from external parties like media/journalists etc.
Media Monitoring:
• Monitor and track media to gauge what is being circulated regarding the incident;
• Issue responses to rectify inaccurate information;
• Assess the level of external interest and analyse what is being reported;
• Assess the reputational impact to the entity and recommend corrective actions; and
• Identify concerns, interests, and needs arising from the incident and the response.

Physical Security Team
Manage and ensure needed physical access to on-site and off-site premises and physical protection of infrastructure.
[Incident severity level table, Level 4 and Level 3 rows; cell text recoverable from the extraction: “Entity can no longer provide a critical operational service to all users”; “Unpredictable; additional resources and outside help are needed”; “Compromise of network or system that controls …”; “Critical system power or water delivery at one or multiple areas”; “Sensitive, PII, or proprietary information was compromised”; “Compromise or …”; “Likely to result in a demonstrable impact …”; “Likely to result in a … threat to the provision of wide-scale critical services”.]