w ebcast Series Volume 3 Smart Grid  (IT) Systems Security Andy Bochman Editor : The Smart Grid Security Blog July 2010
Jack   Andy <ul><li>Founder/CEO of two security software companies, both sold </li></ul><ul><li>IBM Security Exec </li></u...
<ul><li>Shorter (probably) /sweeter (not likely) </li></ul><ul><li>No/low Jack for now (dude’s busy) </li></ul><ul><li>Ala...
<ul><li>What systems are we talking about </li></ul><ul><li>Primary systems security concerns </li></ul><ul><li>Best pract...
The systems in question
What’s in an IT system? <ul><li>(First, what’s not in this talk) </li></ul><ul><ul><li>Network stuff, applications, physic...
The future is here: cloud/utility computing <ul><li>Remotely hosted application logic and data services </li></ul><ul><li>...
More new stuff: virtualization <ul><li>Can save money, but … </li></ul><ul><li>Gartner finds: </li></ul><ul><ul><li>Throug...
Best IT systems security practices <ul><li>Classic Mainframe –  </li></ul><ul><ul><li>Like alligators, these systems have ...
Best IT systems security practices <ul><li>Client/Server </li></ul><ul><ul><li>Most often found in the form of packaged or...
Best IT systems security practices <ul><li>Middleware –  </li></ul><ul><ul><li>Designed to link different application and ...
Best IT systems security practices <ul><li>Databases –  </li></ul><ul><ul><li>Where the jewels are kept </li></ul></ul><ul...
For official guidance on securing IT systems <ul><li>ISO 27001 and 27002 security guidance and controls </li></ul><ul><li>...
That’s a wrap http://www.flickr.com/photos/ajturner/3362409021/   Systems security 101 = risk management
Where we’ve been and what’s next <ul><li>Intro to Smart Grid Security </li></ul><ul><li>Data Security  </li></ul><ul><li>S...
Thanks ! … and keep an eye open for SGSB Webcast 4 on  Smart Grid standards & compliance  in August The Smart Grid Securit...
Upcoming SlideShare
Loading in...5
×

SGSB Webcast 3: Smart Grid IT Systems Security

1,298

Published on

The Smart Grid is being constructed of out systems old and new, from creaking mainframes, to shiny new ones that live in the clouds, and everything in between. Utilities professionals, and those who serve them, need to ensure that they are secure so that we can build out and operate the future grid with confidence. This short presentation, the 3rd in a 10 part series on Smart Grid security, offers an easy to digest, business-level introduction to the topic.

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,298
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
5
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Starts with current grid Smart Meters and Advanced Metering Infrastructure (AMI) are just the beginning More C words: connected, complex, computerized More R words: responsive, resilient, reliable Bi-directional comms and power Enabler of industry scale wind, solar and V2G, not to mention new business models Solution to DOD’s “brittle grid” challenge
  • SGSB Webcast 3: Smart Grid IT Systems Security

    1. 1. w ebcast Series Volume 3 Smart Grid (IT) Systems Security Andy Bochman Editor : The Smart Grid Security Blog July 2010
    2. 2. Jack Andy <ul><li>Founder/CEO of two security software companies, both sold </li></ul><ul><li>IBM Security Exec </li></ul><ul><li>Holder of 5 patents in areas of IT and IT security </li></ul><ul><li>20+ years of speaking and writing on IT Security Topics </li></ul><ul><li>Founder of Smart Grid Security and DOD Energy Blogs </li></ul><ul><li>IBM Energy Lead </li></ul><ul><li>Researcher / analyst in energy and tech markets </li></ul><ul><li>20+ years of DoD and alternative energy leadership </li></ul>Security meets Energy
    3. 3. <ul><li>Shorter (probably) /sweeter (not likely) </li></ul><ul><li>No/low Jack for now (dude’s busy) </li></ul><ul><li>Alarmism still not allowed </li></ul><ul><li>Business case uber alles </li></ul><ul><li>Q&A before/after (but different) </li></ul>New format rules
    4. 4. <ul><li>What systems are we talking about </li></ul><ul><li>Primary systems security concerns </li></ul><ul><li>Best practices </li></ul><ul><li>What’s up next in SGSB series </li></ul>Overview
    5. 5. The systems in question
    6. 6. What’s in an IT system? <ul><li>(First, what’s not in this talk) </li></ul><ul><ul><li>Network stuff, applications, physical security, SCADA and ICS, compliance, people stuff </li></ul></ul><ul><li>Hardware </li></ul><ul><ul><li>Systems run on utilities’ hardware in data center or in the cloud (coming up) </li></ul></ul><ul><li>Operating systems </li></ul><ul><ul><li>Windows (including Windows 95), Linux, Solaris, Mainframe </li></ul></ul><ul><li>Middleware </li></ul><ul><ul><li>Web and application servers like Apache, WebSphere, Weblogic </li></ul></ul><ul><li>Databases </li></ul><ul><ul><li>Oracle, SQLServer, DB2, MySQL </li></ul></ul>
    7. 7. The future is here: cloud/utility computing <ul><li>Remotely hosted application logic and data services </li></ul><ul><li>We all use them today, and utilities, while sometimes slower to adopt new tech than others, are no exception </li></ul><ul><li>Examples include Geographic Information Systems (GIS), email, increasingly, productivity apps, social networking, etc. </li></ul><ul><li>All of these are as secure as their designers and developers have chosen to make them </li></ul><ul><li>Need to ask about how data (and privacy) is protected, in transit and at rest </li></ul>
    8. 8. More new stuff: virtualization <ul><li>Can save money, but … </li></ul><ul><li>Gartner finds: </li></ul><ul><ul><li>Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace </li></ul></ul><ul><ul><li>Garner blames organizations' failure to involve the IT security team in its deployment projects, in addition to immature tools to protect these new environments </li></ul></ul><ul><ul><li>“ In some cases, they [operations] are worried because they think information security will come and say, 'No, we can't do this.'&quot; </li></ul></ul><ul><ul><li>For example, if attackers are able to compromise the virtualization layer, that could lead to a compromise of all hosted applications and data </li></ul></ul>&quot;I think the worst thing is that people pretend there aren't any differences [between virtual and physical] and they move right ahead and don't have any discussions at all&quot; Neil MacDonald, Gartner VP, 2Q2010 http://www.scmagazineus.com/gartner-virtualization-security-will-take-time/article/165932/
    9. 9. Best IT systems security practices <ul><li>Classic Mainframe – </li></ul><ul><ul><li>Like alligators, these systems have been around forever and are always just a year or two away from replacement </li></ul></ul><ul><ul><li>Most were developed initially deployed pre-Internet era and therefore security was neither designed in nor bolted on </li></ul></ul><ul><ul><li>Formerly protected primarily by their isolation, these old workhorses are becoming increasingly connected as their data (e.g., customer, financial, accounting, etc.) become increasingly important to other systems in a Smart Grid world </li></ul></ul><ul><ul><li>Primarily it’s their data that needs protecting </li></ul></ul><ul><ul><li>Check out the web interfaces/wrappers that have likely been added in recent years for security faults </li></ul></ul>http://images.travelpod.com/users/cobra1899/pauls_journey.1201056060.mainframe-digital-computer.jpg
    10. 10. Best IT systems security practices <ul><li>Client/Server </li></ul><ul><ul><li>Most often found in the form of packaged or &quot;commercial off the shelf&quot; (COTS) applications, and often with some customization </li></ul></ul><ul><ul><li>Include a server component including logic and a database, and client-side software that sits on PCs </li></ul></ul><ul><ul><li>Typically manufactured by large, well known software vendors, these systems are most secure when configured properly, patched quickly, and kept up to date on the most current release. Note: these systems are as secure as their vendors have chosen to make them </li></ul></ul><ul><ul><li>Think: configuration, patch management and watch out for web interfaces </li></ul></ul>http://geniushackers.com/blog/wp-content/uploads/2009/03/client-server.png
    11. 11. Best IT systems security practices <ul><li>Middleware – </li></ul><ul><ul><li>Designed to link different application and database systems together … hence they’re in the “middle” </li></ul></ul><ul><ul><li>Often combination of open source and packaged offerings </li></ul></ul><ul><ul><li>Both types need scrutiny in terms of patches and configurations </li></ul></ul>http://www.thomaslaupstad.com/bilder/red_sunset800.jpg
    12. 12. Best IT systems security practices <ul><li>Databases – </li></ul><ul><ul><li>Where the jewels are kept </li></ul></ul><ul><ul><li>Access should be highly guarded … but sometimes isn’t </li></ul></ul><ul><ul><li>Input/outputs should be checked/validated </li></ul></ul><ul><ul><li>Certain databases may experience massive growth as usage data goes through roof via AMI/Smart Meters and increasingly frequent meter reads </li></ul></ul><ul><ul><li>See “ It’s time to get serious about Smart Grid data volumes ” </li></ul></ul>http://farm1.static.flickr.com/31/54067048_e407035935.jpg
    13. 13. For official guidance on securing IT systems <ul><li>ISO 27001 and 27002 security guidance and controls </li></ul><ul><li>NIST national checklist program repository </li></ul><ul><li>NERC CIP (early stages) and NISTIR 7628 (growing fast) </li></ul><ul><li>… from my DOD background: Defense Information Security Agency (DISA) Security Technical Implementation Guides (STIGs) and STIG checklists </li></ul>http:// www.flickr.com/photos/kevcole /
    14. 14. That’s a wrap http://www.flickr.com/photos/ajturner/3362409021/ Systems security 101 = risk management
    15. 15. Where we’ve been and what’s next <ul><li>Intro to Smart Grid Security </li></ul><ul><li>Data Security </li></ul><ul><li>System Security Challenges and the Smart Grid </li></ul><ul><li>Smart Grid-related Standards and Regulations </li></ul><ul><li>Securing the SoftGrid </li></ul><ul><li>Approaches to securing AMI </li></ul><ul><li>Security and privacy from the customers' point of view </li></ul><ul><li>Understanding and empowering a Smart Grid CSO </li></ul><ul><li>Violable but reliable : preparing for the inevitable break down in Smart Grid security </li></ul><ul><li>10th session recap of Smart Grid security and plotting future course </li></ul>
    16. 16. Thanks ! … and keep an eye open for SGSB Webcast 4 on Smart Grid standards & compliance in August The Smart Grid Security Blog smartgridsecurity.blogspot.com [email_address] Twitter.com/sgsblog

    ×