irv badr: managing risk safety and security compliance
TRANSCRIPT
© 2015 IBM Corporation
IBM Analytics – Continuous Engineering
Managing Risk: Safety and Security Compliance
Irv Badr Industry Architect IBM Continuous Engineering, IoT [email protected]
Agenda
Energy and Utility Sector Security Trends, Drivers and Impacts
IBM Approach and Benefits
Defining Safety Compliance
Nature of Safety (and security) standards
Design Compliance and its automation?
Client Success Stories
[Figure: Continuous Engineering loop. Labels: Engineering; Manufacturing; Operations; Requirements; Market Needs; Social Sentiment; Testing and Compliance; Device Telematics Data; Learn; Predictive Analytics; Design Models; Engineering, Maintenance and Operations; Continuous Engineering; Regulatory Reporting; Warranty & Repair Data]
Continuous Engineering and Predictive Analytics close the product development loop
Energy and utility organizations are at the forefront of attacks
Utilities are among the most targeted verticals
• Organized cyber-crime, hacktivists, nation-states and exploit researchers
New vulnerabilities are being discovered
• Security testing by injecting invalid, unexpected or random data (fuzzing) has uncovered dozens of vulnerabilities in critical infrastructure systems
• Exploits can be carried out through physical access to networks or through techniques such as brute-force password attacks on Internet-connected devices and phishing
Regulations provide guidance but do not protect against these recent exploits
• NERC CIP focuses on IP communications, overlooking the real vulnerabilities that are present
• NIST CSF is process-based and voluntary
• ENISA Smart Grid Security Recommendations
• ENISA Protecting Industrial Control Systems
Current trends are heightening the focus on utility security
Grow the business
• Customer relationships
• Advanced metering and smart grid optimization and efficiency
Protect the business
• Customer data (usage data, credit records, etc.)
• Intellectual property
• Internal/IT operations
Comply with compliance and regulations
• NERC CIP
• NIST CSF
• ENISA
Secure the grid
• Protect control systems and SCADA in generation, transmission and distribution
• OT security
• Defend AMI/smart meter networks and devices
[Figure: Compliance Management, Security Risk Management and Secure Infrastructure across People, Technology, Information and Process]
The integration of physical security and cyber security is critical
Energy and utilities attacks – impact scenarios
The balance of risk for energy and utility organizations is unique
Reliability impacts: a potential brown/black out of a large geographical area, or concentrated at an area where other critical infrastructures depend on power (water treatment plants, transportation centers, etc.)
Safety impacts: potential harm to utility personnel and/or customers, e.g. re-energizing systems where maintenance crews are deployed, or exploding transformers with hazardous waste
Reputation impacts: exposure of sensitive customer data (e.g., usage info, govt. ID information, credit card details, etc.) and extraction of such data, including union employee healthcare information
Productivity impacts: risks to utilities' capacity, delivery and overall ability to provide a consistent product/service to their customer base
A view of a transformed security environment
Reduce risks through greater visibility
Current Environment → Transformed Environment
• Security Model: based on Defense in Depth → based on Rapid Detection + Rapid Response
• Security Operations: Steady State and Reactive → Elastic and Agile
• Governance, Risk & Compliance: IT and Compliance Focused → Enterprise Risk Management
• Functional Domains: IT, OT, Telecom, Physical Silos → Converged
• Security Analysis: Manual and Fragmented → Analytics and Intelligence
Security Intelligence is BIG DATA
Develop greater visibility via security intelligence and big data analytics
DONG Energy identifies and understands risks in its smart grid DMS/SCADA design and architecture with a threat review
Country: Denmark
Security area: SCADA Threat and Risk Assessment review
Client requirements:
A Threat and Risk Assessment review was conducted for a Danish energy company’s new Smart Grid DMS (Distribution Management System)/SCADA design and architecture. The purpose of the assessment was to identify and understand the transformational DMS architecture risks through a “Threat Based” architectural review.
Solution:
The engagement included review and assessment through interviews, observations, documentation reviews, industry best practices and a cross-business threat analysis and change workshop.
Key Deliverables included: Threat Matrix Heat Map, DMS Threat and Impact Assessment, DMS Design Considerations, DMS Security Roadmap
Benefits:
• Identified gaps in architectural design from unanticipated threats
• Road map allows prioritizing of quick wins and security investment by risk
• Greater understanding of risk exposure across business units from cyber threats
What the analysts are saying about IBM
Gartner: Global Managed Security Services Providers (MSSPs)
Strengths:
• IBM uses self-developed technology for data collection, correlation, log query and reporting, and ticketing/workflow.
• IBM has four North American SOCs, two in Europe, two in Asia/Pacific, and two in other regions.
• IBM's advanced analytics and targeted attack detection capabilities are embedded in its MSS and hosted SIEM offerings, and are supported by IBM and third-party technology deployed by customers.
• Gartner customers often include IBM in competitive MSS evaluations, and IBM has high visibility in North American, Asia/Pacific, and European markets.
• IBM's MSS capabilities include support for a customer-deployed SIEM (from IBM and others) that is integrated into its standard MSS offerings.
• IBM is a large, stable provider of security services and products with global delivery capabilities.
The Bottom Line: Enterprises with global service delivery requirements, and those with strategic relationships with IBM, should consider IBM for MSSs.
2014 Gartner Magic Quadrant for SIEM: LINK
IBM Security QRadar SIEM is #1 on “Ability to Execute” (the Y-axis) AND on “Completeness of vision” (the X-axis)
IBM Internal and BP Use Only
What the analysts are saying about IBM
IBM Security QRadar is in the SIEM Leadership Quadrant for Sixth Straight Year
Ability to Execute is an assessment of overall viability, product service, customer experience, market responsiveness, product track record, sales execution, operations, and marketing execution.
Completeness of Vision is a rating of product strategy, innovation, market understanding, geographic strategy, and other factors.
IBM Press Release: LINK
Learn more – select publications
• Download the Cyber Security Intelligence Index for Energy and Utilities
• Read the white paper: Responding to—and recovering from—sophisticated security attacks
• Read the white paper: How Mature is your cyber-security risk management?
• Download the white paper: Best practices for cyber security in the electric power sector
Managing Security and Safety through CONTINUOUS ENGINEERING
Safety is accounted for during System Development
65% of incidents involving process control systems occur during the specification, design, installation and commissioning phases of the product implementation.
Source: Schneider Electric
Challenges We Face in the Power Industry (e.g. Nuclear)
Key drivers for Nuclear Energy Regulatory and Compliance Projects: Ensuring Compliance; Environmental Safety and Security; Environmental Impact
• Radioactive Waste; the impact on water resources, aquatic habitats, and wildlife
• Protect confidentiality, integrity, privacy, and assurance of utility systems
• Protect the public in the event of a serious reactor accident.
• Assure a regulatory environment for the continued safe and efficient operation of nuclear plants.
• Provides the governance, oversight, and support to assure corporate and site regulatory and emergency preparedness activities meet corporate needs and regulatory requirements.
1. Requirements grow and change at rates in excess of 1 percent per calendar month.
2. Few applications include greater than 80 percent of user requirements in the first release.
3. Some requirements are dangerous or “toxic” and should not be included.
4. Some applications are overstuffed with extraneous features no one asked for.
5. Most software applications are riddled with security vulnerabilities.
6. Errors in requirements and design cause many high-severity bugs.
7. Effective methods such as requirement and design inspections are seldom used.
8. Standard, reusable requirements and designs are not widely available.
9. Mining legacy applications for “lost” business requirements seldom occurs.
10. The volume of paper documents may be too large for human understanding.
10 of the top issues with requirements
Packaged applications create certain issues
Source: Software Engineering Best Practices: Lessons from Successful Projects in the Top Companies, by Capers Jones
Most enterprises have an inadequate compliance platform
Compliance Documents: costly manual effort to aggregate and analyze for Completeness and Redundancy
Inadequate tools (spreadsheets and word processors, Document Management Systems):
• Insufficient access controls
• Does not support distributed teams
• Cannot analyze the content of the documents
• Information is not linked and offers no traceability
Information Traceability - “Chaos to Order”
[Figure: from non-integrated project data (autonomous Word/Excel documents with related and dependent information between them) to documents that are imported, structured, linked and traced at statement level, to produce reports of managed information]
Requirements have multiple dimensions
Detailed Requirements cover more than just software
[Figure: Requirements Management at the centre. Requirements Areas: Functional; Safety; Procedural; Technical Specs; Business; Contractual. Example items: Pumps, Valves, Hardware; Level-1, Level-2, …; Security, Cooling, …; I&C, Software, …. Relationships: Traceability, Impact, Dependency]
Impact Analysis: studied before changes are made
10 CFR Part 72 – related to Nuclear Cyber Security
NEI is the industry trade group that interpreted and proposed a response to the CFR
Determined by technical SMEs in each utility. Varies from site to site.
Asset inventory showing which system(s) use the assets (“where used”)
A given asset can “touch” multiple critical systems.
A critical “system” is typically composed of multiple Critical Digital Assets (CDAs).
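The "where used" view is a reverse index over the inventory, and it is also the input to the impact analysis the earlier slide says must precede any change. The following Python is an added example, not from the slides or from IBM tooling; the system and CDA names are constructed placeholders. It inverts the system-to-CDA inventory, lists every critical system a changed asset touches, flags CDAs shared by more than one system as highest review priority, and reports any changed asset that is missing from the inventory, which is itself a finding.

```python
"""Where-used index and change impact over Critical Digital Assets (CDAs).

Added example, not from the slides. System and CDA names are constructed
placeholders, not a real plant inventory.
"""
from collections import defaultdict

# Constructed inventory: each critical system is composed of several CDAs.
# One CDA (e.g. the historian or an engineering workstation) may be shared.
SYSTEM_CDAS = {
    "Reactor Protection System": ["RPS-PLC-01", "RPS-PLC-02", "ENG-WS-03"],
    "Auxiliary Feedwater Control": ["AFW-PLC-01", "ENG-WS-03", "HIST-SRV-01"],
    "Plant Process Computer": ["HIST-SRV-01", "PPC-SRV-01"],
}


def build_where_used(system_cdas):
    """Invert system -> CDA lists into a CDA -> systems index ("where used")."""
    where_used = defaultdict(set)
    for system, cdas in system_cdas.items():
        for cda in cdas:
            where_used[cda].add(system)
    return dict(where_used)


def impacted_systems(where_used, changed_cdas):
    """Systems whose safety/security case must be re-reviewed if any of the
    given CDAs changes (patch, firmware, configuration)."""
    hit = set()
    for cda in changed_cdas:
        hit |= where_used.get(cda, set())
    return sorted(hit)


def shared_cdas(where_used):
    """CDAs touching more than one critical system: a single change there
    propagates to several systems, so they get the highest review priority."""
    return sorted(cda for cda, systems in where_used.items() if len(systems) > 1)


def impact_report(system_cdas, changed_cdas):
    """Everything a change-control board wants before approving a change.
    'unknown' lists changed assets absent from the inventory: an inventory
    gap that must be closed before the impact can be trusted."""
    where_used = build_where_used(system_cdas)
    return {
        "changed": sorted(changed_cdas),
        "unknown": sorted(c for c in changed_cdas if c not in where_used),
        "impacted_systems": impacted_systems(where_used, changed_cdas),
        "shared_cdas": shared_cdas(where_used),
    }


if __name__ == "__main__":
    # A firmware update on the shared engineering workstation touches two systems.
    print(impact_report(SYSTEM_CDAS, ["ENG-WS-03"]))
```

In a real program the inventory would come from the CDA register rather than a literal, but the queries stay the same: the reverse index answers "where used", and the empty-or-not "unknown" list is the check that the inventory is complete enough for impact analysis to mean anything.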
Cause and Mitigation – Reactor Auxiliary Feedwater Inspection Guide
Customer example: US Department of Energy (DOE) - Yucca Mountain Repository
Requirements in ~20 areas managed with DOORS, including Emergency Mgt., Safety and Health, Safeguards & Security
The program used Rational’s DOORS product to develop an extensive requirements database to track and manage an extremely broad range of program and regulatory requirements ranging from US CFRs to Contract Requirements.
Auto-generation of safety-relevant reports
Fault Source Matrix, Fault Detection Matrix, Fault-Requirement Matrix, Hazard Analysis…
• Traceability improves the ability to enforce safety
• Safety metadata guides downstream engineering work
Agile Project Planning Requirements
Dev Actions in support of Business Requirements and the IEC 61508 standard and guideline
Developing Control System, for example: Intelligent Electric Devices (IED)
• The prioritized set of Epics supporting Business requirements that need to be addressed and/or not scheduled for
• The set of Epics which are scheduled for a different major release.
• Specific Stories and Tasks to implement the Planned Epics.
[Figure: Incoming Business Dev Actions → Project/product Milestone & Backlog → Release Milestone and Backlog/Plan → Component/Iteration Plan; Dev Action Epics A–D (Epic C: top-level safety function) broken down into Stories 1–5; tag #technical]
RM tool imports IEC 61508 requirement guidelines
Link each requirement guideline to the techniques/measures that we should follow
Traceability from requirements to software requirements implementation state
Linking from each requirement guideline to the techniques/measures and System Integrity Levels (SILs)
Linking from each requirement guideline from IEC 61508-2 to the techniques/measures and System Integrity Levels (SILs) in part 7
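Once guidelines, techniques and their per-SIL grades are data in the RM tool, the linking described on these slides can be checked mechanically rather than by reading. The following Python is an added example, not from the slides or from IBM's RM tooling. IEC 61508 does grade techniques per Safety Integrity Level (SIL) as highly recommended (HR), recommended (R), no recommendation (-) or not recommended (NR), but the technique names, requirement IDs and grades below are constructed placeholders, not a copy of the standard's tables. For a target SIL the check reports requirements with no traced technique, HR techniques that no requirement claims, claimed techniques the table marks NR at that SIL, and links to techniques the table does not know.

```python
"""Requirement-to-technique traceability check against a target SIL.

Added example, not from the slides or from any RM tool. The grading scheme
(HR / R / - / NR per SIL) follows IEC 61508; the technique names, guideline
IDs and grades are constructed placeholders, not the standard's tables.
"""

HR, R, NONE, NR = "HR", "R", "-", "NR"

# Constructed guideline table: technique -> recommendation for SIL 1..4.
TECHNIQUES = {
    "T1 Structured design method":      {1: HR, 2: HR, 3: HR, 4: HR},
    "T2 Fault detection and diagnosis": {1: NONE, 2: R, 3: HR, 4: HR},
    "T3 Formal proof of design":        {1: NONE, 2: R, 3: R, 4: HR},
    "T4 Dynamic reconfiguration":       {1: R, 2: R, 3: NR, 4: NR},
}

# Constructed traceability links: guideline requirement -> techniques claimed.
LINKS = {
    "REQ-SAF-001": ["T1 Structured design method"],
    "REQ-SAF-002": ["T1 Structured design method", "T4 Dynamic reconfiguration"],
    "REQ-SAF-003": [],
}


def check_sil_compliance(links, techniques, sil):
    """Findings for a target SIL:
    unlinked          requirements with no technique traced at all
    missing_hr        HR techniques for this SIL that no requirement claims
    not_recommended   (requirement, technique) pairs claiming an NR technique
    unknown_technique links to technique names absent from the table
    """
    claimed = set()
    findings = {"unlinked": [], "missing_hr": [], "not_recommended": [],
                "unknown_technique": []}
    for req, techs in sorted(links.items()):
        if not techs:
            findings["unlinked"].append(req)
        for tech in techs:
            if tech not in techniques:
                findings["unknown_technique"].append((req, tech))
                continue
            claimed.add(tech)
            if techniques[tech][sil] == NR:
                findings["not_recommended"].append((req, tech))
    findings["missing_hr"] = sorted(
        tech for tech, grades in techniques.items()
        if grades[sil] == HR and tech not in claimed
    )
    return findings


def is_compliant(findings):
    """True only when every finding list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    # Raising the target from SIL 1 to SIL 3 turns a clean link set into findings.
    for sil in (1, 3):
        print(sil, check_sil_compliance(LINKS, TECHNIQUES, sil))
```

The same link set can be clean at one SIL and fail at a higher one, which is the point of recording the grade per SIL instead of a flat "applies / does not apply" flag: when a project's target SIL changes, the report changes with it and no one has to re-read the tables.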
Text based approaches introduce risk into the project
Requirements Methods (Capers 2010)
Method                              Requirements Completeness   Requirements Defects per Function Point
Dynamic Modeling                    97%                         0.10
Quality Function Deployment         96%                         0.25
Requirements Inspections            95%                         0.10
Use Cases                           80%                         0.80
Energy Legacy Applications          70%                         0.20
Prototyping                         62%                         0.55
Information Requirements Gathering  57%                         1.00
Normal Text Documents               50%                         1.10
IBM Rational Recognized As A Leader in ALM
The Forrester Wave™: Application Life-cycle Management*
Report Highlights
• “Highest Scores among all vendors for Current Offering & Strategy”
• “Not only has IBM continued development of its strong suite of products, but it has also stitched them together in a more coherent way.”
• “[IBM] has also made clearer the use cases it supports ... such as Agile teams and embedded software development”
Link to report
*Forrester Research Inc, October 23, 2012. Forrester Research, The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
DESIGN COMPLIANCE
Creating Architectural (e.g. SOA) Safety View in UML/SysML
• UML can be extended to model metadata beyond its standard usage, for example
  − UML Profile for Schedulability, Performance and Time (SPT)
  − Model Analysis of Real-Time Systems (MARTE)
  − Systems Modeling Language (SysML)
  − UML Profile for DoDAF and MoDAF (UPDM)
• A safety critical profile can be developed that provides
  − FTA diagrams
  − FMEA and fault views
  − Hazard analysis table view
Safety-Critical Profile in UML
Model-Based Safety Analysis
[Figure: safety model elements with links to requirements, manifestors, extenuators and detectors]
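The earlier slide on auto-generated reports (Fault Source, Fault Detection and Fault-Requirement matrices) and this profile's four link kinds (requirements, manifestors, extenuators, detectors) describe one data model viewed two ways. The following Python is an added example, not from the slides, from Rhapsody or from any UML profile; the fault, source, detector, mitigation and requirement names are constructed placeholders. From a single fault model it derives the three matrices and flags the faults a reviewer cares about most: those with no detector, no mitigation or no traced safety requirement.

```python
"""Fault matrices and gap report generated from a small safety model.

Added example, not from the slides or any modeling tool. All fault, source,
detector, mitigation and requirement names are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Fault:
    name: str
    sources: list = field(default_factory=list)       # manifestors: what brings the fault about
    detectors: list = field(default_factory=list)     # what detects it
    mitigations: list = field(default_factory=list)   # extenuators: what limits its effect
    requirements: list = field(default_factory=list)  # safety requirements it traces to


# Constructed model: three faults with deliberately uneven coverage.
MODEL = [
    Fault("Loss of feedwater flow", ["AFW pump trip", "Valve stuck closed"],
          ["Flow sensor low alarm"], ["Start standby pump"], ["REQ-SAF-010"]),
    Fault("Sensor drift", ["Ageing transmitter"], [], ["Periodic calibration"], ["REQ-SAF-011"]),
    Fault("Spurious trip", ["EMI on I/O bus"], ["Cross-channel voting"], ["2oo3 voting"], []),
]


def matrix(faults, attribute):
    """Rows = faults, columns = every value of `attribute` in the model,
    cell = True when the fault is linked to that value."""
    columns = sorted({value for f in faults for value in getattr(f, attribute)})
    rows = {f.name: [value in getattr(f, attribute) for value in columns] for f in faults}
    return columns, rows


def fault_source_matrix(faults):
    return matrix(faults, "sources")


def fault_detection_matrix(faults):
    return matrix(faults, "detectors")


def fault_requirement_matrix(faults):
    return matrix(faults, "requirements")


def gaps(faults):
    """Faults the generated report should flag: undetected, unmitigated or
    not traced to any safety requirement."""
    return {
        "undetected": [f.name for f in faults if not f.detectors],
        "unmitigated": [f.name for f in faults if not f.mitigations],
        "untraced": [f.name for f in faults if not f.requirements],
    }


def render(columns, rows):
    """Plain-text matrix with an X where a link exists."""
    width = max(len(name) for name in rows)
    lines = [" " * width + " | " + " | ".join(columns)]
    for name, cells in rows.items():
        marks = [("X" if cell else "").ljust(len(col)) for cell, col in zip(cells, columns)]
        lines.append(name.ljust(width) + " | " + " | ".join(marks))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*fault_detection_matrix(MODEL)))
    print(gaps(MODEL))
```

Because every matrix is derived from the same links, adding a detector to a fault updates the Fault Detection Matrix and clears the corresponding gap in one edit; that is what the slides mean by safety metadata guiding downstream work rather than being re-typed into separate documents.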
Design Standard: CIM - application and data integration and analysis
• IEC CIM v13 – Combined 61968 and 61970 models
• IEC CIM Model Transformation Plug-in (Harvested from AEP)
• EPRI Intelligrid Use Cases (Partial)
Innovation for a smarter planet
IBM Solutions for Systems and Software Engineering (SSE)
• QUALITY MANAGEMENT: Achieve “quality by design” with an integrated, automated testing process (Rational Quality Manager)
• ARCHITECTURE & DESIGN: Use modeling to validate requirements, architecture and design throughout the development process (Rational Rhapsody)
• REQUIREMENTS MANAGEMENT: Manage all system requirements with full traceability across the lifecycle (Rational DOORS)
• COLLABORATION, PLANNING & CHANGE MANAGEMENT: Collaborate across diverse engineering disciplines and development teams (Rational Team Concert)
Open Services for Lifecycle Collaboration
Deployment for Development: Dong Energy
[Figure: Dong Energy applications (Control System, Monitoring System, T&D System) exchanging CIM Control and CIM Monitoring data with IBM Modeling Solutions, WebSphere Servers and Rational Development Solutions]
• WebSphere Application Server
• WebSphere Message Broker
• RAD
• ILOG JRules
Continuous Engineering Reference: SE for Dummies book
Additional References
− https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_%20Jan-April2014.pdf
− http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idUSBREA4J10D20140521
− http://leblog.gdfsuez-dolcevita.fr/2014/03/13/alerte-securite-attention-au-phishing/
− https://threatpost.com/shodan-search-engine-project-enumerates-internet-facing-critical-infrastructure-devices-010913/77385
− http://www.shodanhq.com
− http://scadastrangelove.org
− http://www.digitalbond.com/tools/basecamp/
− http://blogs.computerworld.com/cybercrime-and-hacking/23402/hackers-exploit-scada-holes-take-full-control-critical-infrastructure
Questions?
Building a smarter planet
© Copyright IBM Corporation 2011. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
www.ibm.com/software