LESSONS LEARNED IN SMART GRID CYBER SECURITY

Similar documents
ISE North America Leadership Summit and Awards

Changing face of endpoint security

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Certified Information Security Manager (CISM) Course Overview

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Smart Grid Standards and Certification

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

What It Takes to be a CISO in 2017

Designing and Building a Cybersecurity Program

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

K12 Cybersecurity Roadmap

Summary of Cyber Security Issues in the Electric Power Sector

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Cisco Secure Ops Solution

Bradford J. Willke. 19 September 2007

Secure Development Lifecycle

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

Reinvent Your 2013 Security Management Strategy

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Smart Grid vs. The NERC CIP

CCISO Blueprint v1. EC-Council

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist

The Connected Water Plant. Immediate Value. Long-Term Flexibility.

Innovation policy for Industry 4.0

Improving Security in the Application Development Life-cycle

Proven results Unsurpassed interoperability Fast, secure and adaptable network. Only EnergyAxis brings it all together for the Smart Grid

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

Standard CIP Cyber Security Systems Security Management

Compliance Audit Readiness. Bob Kral Tenable Network Security

Trends in Cybersecurity in the Water Industry A Strategic Approach to Mitigate Control System Risk

Security Challenges in Smart Distribution

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Statement for the Record

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

The CIS Security Metrics & Benchmarking Service. Clint Kreitner The Center for Internet Security

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Sirius Security Overview

IoT & SCADA Cyber Security Services

Internet of Things Toolkit for Small and Medium Businesses

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Digital Wind Cyber Security from GE Renewable Energy

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Breaking the Blockchain: Real-World Use Cases, Opportunities and Challenges

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Security analysis and assessment of threats in European signalling systems?

GDPR Update and ENISA guidelines

Cyber Security for Process Control Systems ABB's view

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Standard CIP Cyber Security Systems Security Management

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

External Supplier Control Obligations. Cyber Security

Electric Sector Security & Privacy Plans for 2011

Sage Data Security Services Directory

MEETING ISO STANDARDS

Cyber Security Maturity Model

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Cybersecurity. Securely enabling transformation and change

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

BRING EXPERT TRAINING TO YOUR WORKPLACE.

GUIDE. MetaDefender Kiosk Deployment Guide

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Cyber Security Solutions Mitigating risk and enhancing plant reliability

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cybersecurity Session IIA Conference 2018

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Process System Security. Process System Security

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Certified Cyber Security Specialist

Securing the Grid and Your Critical Utility Functions. April 24, 2017

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Grid Modernization Challenges for the Integrated Grid

ANATOMY OF AN ATTACK!

The Information Age has brought enormous

Altius IT Policy Collection

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

NEXT GENERATION SECURITY OPERATIONS CENTER

Security by Default: Enabling Transformation Through Cyber Resilience

Standard CIP 007 3a Cyber Security Systems Security Management

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Industrial Security Co-Sourcing: Shifting from CapEx to OpEx Presented by Vinicius Strey Manufacturing in America 03/22-23/2017

European Union Agency for Network and Information Security

Transcription:

LESSONS LEARNED IN SMART GRID CYBER SECURITY Lynda McGhie CISSP, CISM, CGEIT Quanta Technology Executive Advisor Smart Grid Cyber Security and Critical Infrastructure Protection lmcghie@quanta-technology.com Page 1

Agenda Smart Grid Cyber Security Challenges IT OT Traditional Integration Challenges More Interconnectivity, Distribution and Access Points Cyber Security Vs. Compliance Smart Grid Vendor Management Challenges Software Assurance Other Observations Positive directions - things are changing Page 2

Smart Grid Cyber Security Issues and Challenges System complexity is growing through expanding interconnectivity of systems and the extension of the electronic perimeter to new grid components and participants Increasingly distributed assets (AMI, HAN) Lots of legacy investments that need to be secured along side newer, unproven technologies Security upgrades to legacy systems are limited by inherent limitations of the equipment and architectures Operations and control networks previously thought to be inherently protected through private networks, serial connections and proprietary protocols are increasingly more vulnerable as networks are connected Page 3

Smart Grid Cyber Security Issues and Challenges SCADA vulnerabilities and malware (Vendor access, USBs, disgruntled employees) Aurora Project proves that control networks can be penetrated Cyber threats are unpredictable and evolve faster than the sector s ability to develop and deploy countermeasures Threat, vulnerability, incidents and mitigation information sharing is insufficient among government and industry Page 4

Smart Grid Cyber Security Issues and Challenges Increasing concern for privacy issues Weak business case for cyber security investment by industry Regulatory uncertainty in energy sector cyber security DOE SGIG investments Provided a boost to cyber security awareness and enhancement, but what is next? Business drivers to change traditional IT / OT boundaries Page 5

IT OT Integration Challenges Typically do not work together OT views the corporate network as vulnerable and resources inadequate OT networks and systems have different performance and reliability requirements Differing security architectures and risk management goals OT legacy systems challenging to support, upgrade and integrate Multiple support systems that do not integrate or interoperate change management, ticketing, tracking and reporting, configuration management, patch management, audit and monitoring Page 6

New Technology Challenges Traditional Approaches More Interconnectivity, distribution and access points Mobile devices Wireless network security Encryption and authentication Distributed key management Need a secure network for key management Integrated and active monitoring Page 7

Cyber Security Vs. Compliance Culture of compliance, culture of security Compatible goals? Many utilities didn t have a centralized security function prior to NERC CIP Security modeled after NERC CIP Process not technology oriented Risk management and security governance programs are not in place Getting management s attention and building the business case for cyber security after NERC CIP Page 8

Smart Grid Vendor Management Challenges Without skilled resources, many utilities rely on vendors to configure device security Vendors do not know utilities cyber security requirements and do not configure to implement a defined policy or integrated architecture No linkage from vendor to vendor Defense in depth? Vendors ship products with little or no security turned on by default Rush to bring products to market without testing to ensure that they actually work as advertised or integrate Utilities typically don t have test environments and rely on vendors to test Technology and standards continue to evolve Vendors won t share system certifications or provide proof of testing Page 9

Software Assurance Secure software development Integrated systems testing Testing code from third-party vendors Code testing Vendor mergers and use of third-parties Built in backdoors for troubleshooting Performance/acceptance testing of new control and communication solutions is difficult without disrupting operations Page 10

Other Smart Grid Deployment Observations Smart grids inherent goal to provide consumers with more information to make informed decisions regarding energy consumption But what about concerns for the protection and sharing of usage information and privacy information? Loss of traditional physical security perimeters with more distributed assets requiring physical and logical security to work together Aging infrastructure many legacy smart grid assets are not being upgraded or patched Outsourced hardware and software support many partners Anti-virus problem still not solved integrated solutions and management Current cyber security skill set and ability to recruit Incident Management continues to evolve and integrate Page 11

Positive Directions Things are Changing Beginning to see a risk management Vs. pure compliance approach to security within the utilities Government, vendors, research and universities and utilities are working together Practical, business-oriented metrics and measurement mechanisms are being developed and used Increased visibility and understanding of current state and challenges, and to facilitate prioritization Beginning to describe security requirements and incidents in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability More attention to Operational-side issues Page 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback