US Cyber Security Efforts
The Good, The Bad, The Ugly
Presented By: Bobby Brown
EnerNex Corporation
© 2010 EnerNex Corporation. All Rights Reserved.
About myself
• Director of IT & Communication Security
• Former CIO, 15+ years IT, 10 years Cyber Security & Related
• Co-author of NIST Framework & Roadmap for Smart Grid Interoperability Standards, Security Profiles (AMI, 3PDA, Distribution Mgt.)
• Project Manager, Advanced Security Acceleration Project for Smart Grid (ASAP-SG)
• National Electric Sector Cyber Organization Resource Team
• Chair of SG Security Conformity and Vice-chair of SG Security in UCAIug OpenSG
NIST SGIP – The Good
• EnerNex awarded management and technical facilitation
• Smart Grid Interoperability Panel
– Supports NIST in fulfilling responsibilities under the 2007 Energy Independence and Security Act
– Identifies, prioritizes and addresses new and emerging requirements for Smart Grid standards
– Developed the initial NIST Framework & Roadmap for Smart Grid Interoperability Standards (v1.0 January 2010)
• National public-private collaborative
NIST SGIP – The Good
• Smart Grid Standards
• Priority Action Plans
• Testing and Certification of Standards
• Smart Grid Conceptual Model
• Smart Grid Cyber Security
• The Interoperability Knowledge Base (IKB)
SGIP CSWG – The Good
• Addresses Smart Grid cyber security aspects
• Provides overall cyber security strategy for Smart Grid
• Defense in-depth controls:
– Prevention
– Detection
– Response
– Recovery
• 400+ member participation
Strategy Process
SGIP CSWG – The Bad
• Risk mitigation strategy is confusing:
– Logical Interface Categories (LICs)
– Requirements mapped to LICs (not data)
• Interoperability strategy is still under development
• Weak in utility representation
The Ugly
The process is good, but…
• Not actionable
• Reference architecture is not representative of real world systems
• How to implement?
Lessons Learned – What’s Next?
• Validate high-level reference architecture
• More utility involvement
• ‘Actionable’ & ‘implementable’ guidance
– Implementation Sub-group
• Interoperability and Rigor
– Standards & Crypto Sub-groups
– Testing & Certification Sub-group
• Updated NIST-IR 7628 (after 12 months)
NERC CIP – Good
• Forces utilities to address security
• Allows utilities to self-regulate
NERC CIP – Bad & Ugly
• Immature regulation – too many revisions
• Discretion of auditors; too much variance
• Only addresses bulk power; many aggregated threats not covered:
– Distribution
– AMI
– Automated demand response
– Electric vehicles
– Etc., etc.
• Utilities become reactive
NERC CIP – What’s Next?
• CIP 10 and 11
– CIP 10 replaces CIP 2
– CIP 11 replaces CIP 3 through 9
ASAP-SG – Good
• Private-Public Collaborative
• Vetted by utilities and vendors
• Good adoption of controls:
– Utilities using in request for proposal (RFP) requirements
– Vendors using in product development requirements
– States (California Public Utility Commission) using in development of regulations
ASAP-SG Funding & Workflow
ASAP-SG Blueprint
ASAP-SG – Bad & Ugly
• Too Academic
• Too many steps
ASAP-SG – What’s Next
• Wide Area Monitoring, Protection and Control Security Profile
– Synchrophasors
• Premise Area Network Security Profile
– Home Area Network
– Business Area Network
– Industrial Network
• Update Security Profile Blueprint
Summary – Understand Attackers
Kill Chain
• Recon
• Weaponization
• Delivery
• Exploit
• Installation
• Command & Control (C2)
– Elevate privilege
– Maintain presence
• Actions of Intent
Break points
• Min attack surface (Deter)
• Block attacks (Prevent)
• Monitor/Report (Detect)
• Business Continuity (Respond)
• Forensics & Incident Handling (Recovery)
– Lessons learned
Defense in-depth > Break the Kill Chain
Summary – Methodology
• Collaboration!
• Regulation & Standards
• Holistic system of systems approach
– Security components
– Interfaces
– Subsystems
– Configuration
• Business Driven
– Use Cases
– Process
– Risk Management
• Engineering Principles
– Loose Coupling
– Layered
– Scalable
– SDLC
Thank you!
Bobby [email protected]
Director, Cyber Security, EnerNex