3. SMART METERS
• Smart Meters increase frequency of reporting
• They don’t know more, they just talk now
• It’s not more columns, it’s more rows
4. HEURISTICS
You want smart load shed events
You want faults detected quicker
Your bill goes down as theft is eliminated
You probably don’t like us having heuristics of your daily schedule, but…
5. AUSTIN ENERGY AND DATARAKER
• DataRaker analyzes electric meter data and account attributes daily for AE’s entire customer base
• Deployed algorithms addressing Meter Operations and Revenue Protection use cases
• AE reviews algorithm output for actionable results and issues work orders accordingly
A couple of scenarios…
6. REVENUE PROTECTION: INACTIVE WITH CONSUMPTION ALGORITHM
Purpose:
• Identify meters with unexpected consumption
Outcomes:
• Identifies process errors and tampering
• Recovered $1.2 million in unaccounted-for revenue within first 6 months, including 4 tamper events.
8. DYING POWER OUT ALGORITHM
• Purpose: The number of times a meter issues a null report per minute is indicative of failing meters.
• Analytics: Dying Power Out algorithm runs & prioritizes results:
  • < 10 power outages reported by the meter in past 10 days
  • ≥ 10 and < 25 power outages in past 10 days
  • ≥ 25 and < 100 power outages in past 10 days
  • ≥ 100 power outages in past 10 days
[Flowchart: Start → Logic]
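As an added example (not DataRaker’s or Austin Energy’s code), the two algorithms above in Python: the inactive-with-consumption check from the revenue protection slide and the 10-day outage-count tiers from the Dying Power Out slide, run over constructed meter data. The tier labels, the 1 kWh consumption floor, the sample meters and the record layout are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

AS_OF = datetime(2016, 3, 15)  # constructed "today" that closes the 10-day window

# Constructed power-out reports, (meter_id, ISO timestamp): M1 sends 3, M2 sends
# 12, M3 sends 130 (a dying meter), M4 sends 5 that all fall outside the window.
OUTAGE_EVENTS = (
    [("M1", "2016-03-1%dT02:00" % d) for d in (1, 2, 3)]
    + [("M2", "2016-03-12T%02d:00" % h) for h in range(12)]
    + [("M3", "2016-03-14T%02d:%02d" % (i // 6, i % 6)) for i in range(130)]
    + [("M4", "2016-02-2%dT09:00" % d) for d in range(5)]
)

# Priority tiers from the slide (highest first); the labels are assumed names.
TIERS = ((100, "P1: >= 100"), (25, "P2: 25-99"), (10, "P3: 10-24"), (0, "P4: < 10"))


def prioritize_dying_meters(events, as_of=AS_OF, window_days=10):
    """Count power-out reports per meter inside the window and map each count
    to its tier. Returns {meter_id: (count, tier)}; meters with no reports in
    the window are absent, which is why M4 does not appear."""
    start = as_of - timedelta(days=window_days)
    counts = Counter(
        meter for meter, ts in events
        if start <= datetime.fromisoformat(ts) <= as_of
    )
    return {m: (n, next(lbl for floor, lbl in TIERS if n >= floor))
            for m, n in counts.items()}


# Constructed account status and daily kWh reads for the revenue-protection
# check: an inactive account whose register still advances is "unexpected
# consumption" (process error or tamper) and gets a work order.
ACCOUNT_STATUS = {"M1": "active", "M2": "active", "M3": "active",
                  "M5": "inactive", "M6": "inactive"}
DAILY_KWH = {"M1": [12.0, 11.5], "M5": [0.0, 0.0], "M6": [4.2, 3.9]}


def inactive_with_consumption(status, reads, min_kwh=1.0):
    """Return meters on inactive accounts whose summed reads exceed min_kwh
    (a small floor so meter noise on a truly vacant premise is not flagged)."""
    return sorted(m for m, s in status.items()
                  if s == "inactive" and sum(reads.get(m, [])) > min_kwh)


if __name__ == "__main__":
    for meter, (n, tier) in sorted(prioritize_dying_meters(OUTAGE_EVENTS).items()):
        print(meter, n, tier)
    print("inactive with consumption:", inactive_with_consumption(ACCOUNT_STATUS, DAILY_KWH))
```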
10. WHAT CONTROLS?
• AMI data is combined with ______ for billing?
• Texas Business and Commerce Code: http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
• NIST SP 800-122: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
• FACTA: https://www.ftc.gov/enforcement/statutes/fair-accurate-credit-transactions-act-2003
11. WHO’S IN CHARGE HERE?
• Find the Information Assurance Manager or a data owner, or it's on you
• It matters more to know ALL the risks and the mitigations in place than to have a clean sheet of paper.
• Mitigations become risks more often than desired
12. TAKING CONTROL(S)
• Technical controls > Administrative controls
• You won't get every technical control or log
• Decline. Every. Single. Gift.
City policy says to throw this on the ground.
13. DEVELOPING CONTROLS: EVERYONE HAS A PART
• Legal: Does legal lose their ability for recourse if a breach happens in a foreign country?
• HR: Do you know the current workforce requirements?
• NetOps: Remote and/or local network access language probably already exists.
• Compliance: For matching controls to regulatory language, they may high five you.
14. BO-RING
Scrutinize your controls more than the others
If your controls double the price, you may get of them, Business will win, every time.
Follow established guidance – NIST may read funny, but it has an accepted meaning.
15. • Get Everything in Writing
• SAVE ALL OF THE THINGS!!!
ALL OF THE THINGS!
Controls were the easy part - now audit…
16. AUDITS
• If you can't audit the controls, 100% your fault. A right to audit should be standard.
What you think you’ll look like
• How you audit the controls and method of delivery can vary greatly
• Provision and deliverables should be contractual
17. WHAT TO AUDIT
Database and OS logs/attestations
Physical access logs/attestations
What you Really Look Like
Procedures for the physical and digital destruction of media
Change control for modifications to the environment
Environment for tenancy and status of certifications (e.g. SSAE SOC)
18. SHOW ME WHAT YOU GOT
• Are you getting any feeds into your SIEM from cloud solutions?
• Would you be able to see anomalous activity like rogue DBA login or large exfil?
• Are you seeing logs from the applications that access the environment?
• What would you expect from similar internal deployments, why is this different?
19. People do what you inspect, not what you expect.
-Louis V. Gerstner, Jr.