TRANSCRIPT

  • 1

    Presentation #: CL02

    Audie Whipple, SRP; Philip Santore, DVS Security; Scott Sieracki, Quantum Secure

    March 27, 2012

    Unified Threat Management

  • 2

    Presented By

  • 3

    CL02: Unified Threat Management

    Audie Whipple Salt River Project

  • 4

    Introduction/Overview

    - Introduction/Overview of SRP
    - SRP's Threat Environment
    - Managing Threats
    - Compliance
    - Security Industry Support
    - Conclusion/Questions

  • 5

    Introduction

    - 1903: Formation of Salt River Valley Water Users Association
    - 1937: Formation of Salt River Project Agricultural Improvement and Power District
    - Combination of the two = SRP Today

  • 6

    SRP Threat Environment

  • 7

    SRP Threat Environment

  • 8

    SRP Threat Environment

  • 9

    SRP Threat Environment: External Threats

    - Copper Theft
    - Environmentalists/Protests
    - Union Strikes
    - Terrorist Attacks Against Critical Assets
    - Sabotage
    - Cyber Attacks/Social Engineering

  • 10

    SRP Threat Environment: Internal Threats

    - Employee Theft/Fraud
    - Sabotage
    - Disgruntled Employees
    - Workplace Violence
    - Active Shooter Type Scenarios

  • 11

    Threat Management

    - Adequate Security Controls and Procedures
    - Open and Regular Communication with Law Enforcement
    - Employee Education/Awareness
    - Personnel Risk Assessments
    - Threat Management Team

  • 12

    Compliance: NERC/CIP Compliance

    - North American Electric Reliability Corp. Critical Infrastructure Protection
    - Potential for up to $1mil per day in fines for non-compliance
    - Significant driver of physical security policies and procedures

  • 13

    Industry Support

    - Evolving Systems and Solutions
    - Lower Technology Costs
    - Increased awareness of compliance requirements by Manuf./Integrators
    - PIAM
    - PSIM

  • 14

    Conclusion

    - Wide Variety of threats
    - Proper Threat Management
    - Sound Compliance Program
    - Adequate Industry Support

  • 15

    CL02: Unified Threat Management

    Phil Santore DVS Security

  • 16

    Consultant Challenges

    - Understanding the threat
    - Identify potential mitigation strategies
    - Develop ConOps
    - Multiple systems
    - Review available tools
    - How far to the edge?
    - Client participation

  • 17

    Consultant Challenges: Understanding the threat

  • 18

    Consultant Challenges: Identify potential mitigation strategies

  • 19

    Consultant Challenges: Develop ConOps

  • 20

    Consultant Challenges: Multiple systems

  • 21

    Consultant Challenges: Review available tools

  • 22

    Consultant Challenges: How far to the edge?

    - COTS
    - Cutting (edge)
    - Bleeding (edge)
    - Cooperative Development

  • 23

    Consultant Challenges: Client participation

    - Manufacturer
    - Client
    - Consultant

  • 24

    CL02: Unified Threat Management

    Scott Sieracki Quantum Secure

  • 25

    Unified Threat Management

    - New types of solutions create the opportunity for physical security consultants to be in the IT/Cyber security conversations
    - PIAM (Physical Identity and Access Management) solutions complete the 360 Life Cycle Identity Management Circle
    - Security Intelligence and Analytics solutions
    - PSIM
    - Other

  • 26

    Out of the Box Thinking = Results

    - Consulting Engagements can be Strategic
    - Elevating physical security by aligning with a Value Proposition that the overall Business is driven by: Operational Cost Reduction, Compliance Automation, Risk Mitigation, Future Proofing and Capital Cost Mitigation
    - Consult for the physical security department, but consult as an advisor to the business
    - Physical Security data is a best kept secret; it is part of Big Data

  • 27

    Unified: Physical and Cyber Security Compliance

    Single Identity Related Compliance

    - CIP 004-3 R2: Training
    - CIP 006-3 R1: Restrict Area Perimeter; Control Physical Access To Restricted Areas
    - CIP 006-3 R4 / CIP 004 R4.1: Screen & Control Access
    - CIP 006-3 R5: Monitoring, Alarms & Events
    - CIP 004-3 R3: Personnel Surety
    - CIP 006-3 R6: Reporting of Key Information
    - CIP 004-3 R4.2: Revoke Access If Not Needed

  • 28

    Identity in Physical Security: Unified Compliance Examples

    - Exports: EAR/ITAR
    - All Organizations: Sarbanes-Oxley, SAS 70, ISO-2700
    - Healthcare: HIPAA Title II
    - Payment Card Industry: PCI
    - Energy: NERC/CIP
    - Airports: TSA, SIDA, AAAE
    - Banking: Basel II, FSA
    - Government: FIPS 201, HSPD-12, ICAM
    - Finance: GLBA
    - Pharma: DEA Regs, 21-CFR
    - Food & Drug: FDA/DEA
    - Petrochem: CFATS
    - Telecom: TL-9000

  • 29

    What Should You Expect

    - Team approach to address end user requirements
    - Manufacturer should educate you on what they are seeing, have experienced, and where they need support
    - Manufacturer should contribute in the design phase of the engagement; part of your team
    - Manufacturers should approach with a solution, not a technology
    - Leverage Existing Infrastructure
    - Truly open standards and Interoperability
    - Align with IT strategy, technology, methodology

  • 30

    The Landscape is Changing

    - IT Consultants and Integrators are moving in to our space
    - They have their Strengths
    - Physical Security Consultants have the domain knowledge
    - These new technologies are an open door for physical security consultants to move closer to the CISO
