
Cyber Security in Energy & Utilities Industry


In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.

Published in: Technology, Business


  1. Holistic Enterprise Security Solution. Speaker: Alex Ivkin
  2. Holistic Enterprise Security Solution (agenda)
     • The “Blind Slide”
     • The Insider Threat. Identity Controls and Data Loss protection
     • Application Protection
     • New threat vectors. Virtualization and distributed assets
     • Experiences from the field
  3. NERC CIP 2011 Violations & Fines
     • Since January 2011, a significant increase in CIP fines
     • Largest numbers for Security Awareness and Testing
     Source:
  4. Introduction
     • Personal ID – personal accountability
       – Traditional identity management has always focused on these IDs.
       – Well covered and controlled
       – Commoditized
     • Service ID – corporate accountability
       – Shared administrative ID
       – Programs, services, databases, scripting, testing, load testing, auditing, troubleshooting, you name it.
       – “Too hard to deal with”
       – “will be the next step”
     • Other
       – Shared group IDs
       – IDs in transition
       – Template IDs
         • Exchange mailboxes
  5. Service IDs
     • Service IDs are everywhere
     • Different systems have different exposure via the Service IDs
  6. Identity & Access Management
     • User Provisioning / Deprovisioning and Full Role Management
     • Single Sign On & Management of Web Access & Passwords
     • The 3 Rs – Reconciliation, Security log management & reporting, Recertification & Reporting
  7. Identity and Access Management for Energy Companies
     • A holistic way of addressing corporate identities and access controls
       – Identity lifecycle support and review
       – Access provisioning, deprovisioning, certification
       – Policy enforcement: password, access patterns, expiration
       – RBAC
     • IdM for FERC/NERC CIP applications
       – Energy management systems
       – Energy network components
       – Physical access control services
       – Customer Information Systems
       – Work Management System
       – Plant Maintenance Systems
       – Tower gateway base stations for Smart Meter infrastructure
     • SOX applications (SOX 404)
       – Corporate Reports
       – Financial systems
     • PCI, NIST, HIPAA
  8. CIP with IAM Step by Step
     CIP-003-1 Access enforcement, audit trails, reviews and roles
     • Access authorization enforcement is maintained via identity lifecycle workflows with a robust approval framework and multilevel escalation.
     • Audit trails are preserved for each request and approval, ensuring access is given, modified and revoked only under proper supervision.
     • Automatic enforcement of access privileges is linked to and based on business roles.
     • Annual reviews and re-certification of access are required from management and system owners.
     CIP-004-1 Training, privilege revocation
     • Training program requirements are enforced via proper personnel on-boarding and transfer workflows, tied into the HR and training systems.
     • Revocation within 24 hours of termination is part of the closely enforced identity lifecycle.
     • Critical asset access lists are available for review 24/7 by authorized personnel via a web interface.
  9. CIP with IAM Step by Step
     CIP-006-1 Physical access protection
     • Implemented by integrating with card access and badge systems, tied into the identity lifecycle.
     CIP-007-1 Access to CCA, shared accounts, least privilege
     • Enforcing the creation and management of user access to Critical Cyber Assets by employing industry standard role based access control: certification, provisioning, rights and password management.
     • Directly assigning owners and custodians for individual and shared system accounts on a “need to know” basis and subjecting them to periodic reviews.
     • Analysis and remediation of orphan accounts.
     • Password policies are deployed in the automated identity management system to ensure only qualified passwords are allowed.
  10. Service Identity Management is an essential part of IAM Governance
     • Expansion of traditional Identity and Access Management to cover identities used by administrators, systems, software and automated processes.
     • Assigns responsibility for service accounts, tracks the people who manage the accounts, reports on them and enforces policies.
     • Tracking accounts used by various IT assets:
       – Databases
       – Enterprise applications
       – Devices
       – Scheduling and monitoring software
       – Automatic maintenance processes
       – and many more.
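The revocation deadline, the orphan-account analysis and the owner assignment described on slides 8 to 10 can be run as one periodic review over an HR feed and an account inventory. The block below is an added example written for this page; it is not code from the deck or from any Prolifics or IBM product. The people, accounts and timestamps are constructed sample data, and the 24-hour window is the CIP-004 figure quoted on slide 8.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# CIP-004 figure quoted in the deck: access revoked within 24 hours of termination.
REVOCATION_WINDOW = timedelta(hours=24)


@dataclass
class Person:
    person_id: str
    terminated_at: Optional[datetime] = None   # None = still employed


@dataclass
class Account:
    name: str
    kind: str                        # "personal" or "service" (the slide 4 distinction)
    owner: Optional[str]             # person responsible for the account; None = nobody assigned
    enabled: bool
    disabled_at: Optional[datetime] = None


def late_revocations(accounts, people, now):
    """Accounts whose owner was terminated but that were not disabled inside the window.

    Returns (account name, reason) pairs: 'still enabled' means the account is
    live past the deadline, 'disabled late' means it was disabled after it.
    """
    by_id = {p.person_id: p for p in people}
    findings = []
    for acct in accounts:
        person = by_id.get(acct.owner)
        if person is None or person.terminated_at is None:
            continue                                   # no owner on file, or owner still employed
        deadline = person.terminated_at + REVOCATION_WINDOW
        if acct.enabled and now > deadline:
            findings.append((acct.name, "still enabled"))
        elif not acct.enabled and acct.disabled_at is not None and acct.disabled_at > deadline:
            findings.append((acct.name, "disabled late"))
    return findings


def orphan_accounts(accounts, people):
    """Accounts with no responsible person, or whose owner HR does not know (slides 9 and 10)."""
    known = {p.person_id for p in people}
    return [a.name for a in accounts if a.owner is None or a.owner not in known]


def service_accounts_without_owner(accounts):
    """Service IDs nobody is accountable for: the 'corporate accountability' gap of slide 4."""
    return [a.name for a in accounts if a.kind == "service" and a.owner is None]


# Constructed sample data (not from the page): an HR feed and an account inventory
# reviewed on 2011-09-03 09:00, two days after two terminations.
T = datetime(2011, 9, 1, 9, 0)
PEOPLE = [
    Person("alice"),
    Person("bob", terminated_at=T),
    Person("carol", terminated_at=T),
]
ACCOUNTS = [
    Account("alice", "personal", "alice", enabled=True),
    Account("bob", "personal", "bob", enabled=True),                       # never disabled
    Account("carol", "personal", "carol", enabled=False, disabled_at=T + timedelta(hours=8)),
    Account("svc_ems_backup", "service", "carol", enabled=False, disabled_at=T + timedelta(hours=47)),
    Account("svc_loadtest", "service", None, enabled=True),                 # nobody assigned
    Account("svc_hist_poll", "service", "dave", enabled=True),              # owner unknown to HR
]
NOW = datetime(2011, 9, 3, 9, 0)


def run_review(accounts=ACCOUNTS, people=PEOPLE, now=NOW):
    """One review pass, returning the three finding lists a manager would sign off on."""
    return {
        "late_revocations": late_revocations(accounts, people, now),
        "orphans": orphan_accounts(accounts, people),
        "unowned_service_ids": service_accounts_without_owner(accounts),
    }


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

The two service-account findings are the point of slide 10: an account with no owner can never be revoked on a termination because no termination will ever match it, so the ownership gap is reported separately from the lateness check.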
  11. How PIM works
     1. Tivoli Identity Manager (TIM / ITIM) with a custom module provisions privileged IDs and manages pools of shared IDs; shared IDs are stored in a secured data store (LDAP, AD).
     2. Periodically recertify account authorizations through a consistent workflow (email-driven recertification of privileged users).
     3. The admin logs into Tivoli Access Manager for E-SSO (TAM E-SSO); TAM E-SSO automatically checks out/in the shared ID as required, to ensure accountability while simplifying usage.
     4. Tivoli Compliance Insight Manager (TCIM) monitors all event logs for end-to-end tracking and produces enterprise reports.
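The check-out/check-in flow of slide 11 reduces to a small ledger: a shared ID may only be checked out by a person whose authorization is still recertified (step 2), each check-out binds the shared ID to that person for a bounded period (step 3), and any use of the shared ID outside a lease is an unattributed event that the log monitor of step 4 should raise. The block below is an added example of such a ledger, not code from the page or from TIM or TAM E-SSO; the shared ID name, the recertification dates, the four-hour lease limit and the event times are constructed values.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


class PrivilegedIdPool:
    """Ledger for a pool of shared administrative IDs (slide 11, step 3).

    `authorized` maps a person to the date until which their privileged access
    was recertified (slide 11, step 2); anyone past that date is refused.
    """

    def __init__(self, shared_ids, authorized: Dict[str, datetime],
                 max_lease: timedelta = timedelta(hours=4)):
        self.available = set(shared_ids)
        self.authorized = dict(authorized)
        self.max_lease = max_lease                                   # assumed lease limit
        self.active: Dict[str, Tuple[str, datetime]] = {}            # shared_id -> (person, start)
        self.history: List[Tuple[str, str, datetime, datetime]] = []  # closed leases
        self.audit: List[str] = []                                   # what log collection would see

    def _log(self, when, action, person, shared_id, detail=""):
        self.audit.append(f"{when:%Y-%m-%d %H:%M} {action} person={person} id={shared_id} {detail}".rstrip())

    def check_out(self, person: str, shared_id: str, now: datetime) -> bool:
        valid_until = self.authorized.get(person)
        if valid_until is None or valid_until < now:
            self._log(now, "DENY", person, shared_id, "authorization not recertified")
            return False
        if shared_id not in self.available:
            self._log(now, "DENY", person, shared_id, "already checked out")
            return False
        self.available.remove(shared_id)
        self.active[shared_id] = (person, now)
        self._log(now, "CHECKOUT", person, shared_id)
        return True

    def check_in(self, person: str, shared_id: str, now: datetime) -> bool:
        holder = self.active.get(shared_id)
        if holder is None or holder[0] != person:
            self._log(now, "DENY", person, shared_id, "not the current holder")
            return False
        del self.active[shared_id]
        self.available.add(shared_id)
        self.history.append((shared_id, person, holder[1], now))
        self._log(now, "CHECKIN", person, shared_id)
        return True

    def expire_leases(self, now: datetime) -> List[str]:
        """Force check-in of leases older than max_lease so a forgotten ID does not stay bound."""
        expired = [sid for sid, (_, start) in self.active.items() if now - start > self.max_lease]
        for sid in expired:
            person, start = self.active.pop(sid)
            self.available.add(sid)
            self.history.append((sid, person, start, now))
            self._log(now, "EXPIRE", person, sid, "lease exceeded max_lease")
        return expired

    def attribute(self, shared_id: str, event_time: datetime) -> Optional[str]:
        """Name the person accountable for an action the shared ID performed at event_time.

        None means no lease covered that moment: the use is unattributed and should be alerted on.
        """
        holder = self.active.get(shared_id)
        if holder is not None and holder[1] <= event_time:
            return holder[0]
        for sid, person, start, end in self.history:
            if sid == shared_id and start <= event_time <= end:
                return person
        return None


def demo():
    """Constructed scenario (not from the page): one shared EMS admin ID, two admins."""
    pool = PrivilegedIdPool(
        shared_ids=["ems_admin"],
        authorized={"alice": datetime(2012, 1, 1), "bob": datetime(2011, 6, 30)},  # bob's recert lapsed
    )
    t0 = datetime(2011, 9, 15, 9, 0)
    results = {}
    results["bob_denied"] = not pool.check_out("bob", "ems_admin", t0)
    results["alice_checked_out"] = pool.check_out("alice", "ems_admin", t0)
    results["double_checkout_denied"] = not pool.check_out("alice", "ems_admin", t0)
    # A system log line shows ems_admin acting at 09:30: who is accountable?
    results["who_at_0930"] = pool.attribute("ems_admin", t0 + timedelta(minutes=30))
    results["alice_checked_in"] = pool.check_in("alice", "ems_admin", t0 + timedelta(hours=1))
    # Use of the shared ID after check-in has no holder: an alert, not an attribution.
    results["who_at_1030"] = pool.attribute("ems_admin", t0 + timedelta(hours=1, minutes=30))
    # Forgotten lease: checked out at 11:00, still held at 16:00 -> forced back into the pool.
    pool.check_out("alice", "ems_admin", t0 + timedelta(hours=2))
    results["expired"] = pool.expire_leases(t0 + timedelta(hours=7))
    results["audit_lines"] = len(pool.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `attribute` lookup is what turns a shared-ID event in a system log into a named person; a `None` result is the case the deck calls losing accountability, and it is the condition a log monitor in the role of TCIM would alert on rather than silently accept.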
  12. IBM Software Map for NERC CIP Requirements
     Standards and requirements on the map:
     • CIP-001 Sabotage Reporting – R1. Have procedures for recognition and reporting of sabotage events. R2. Have procedures for communication of sabotage to appropriate parties. R3. Have guideline for monitoring and reporting. R4. Have established communication contacts as applicable with local authorities.
     • CIP-002 Critical Cyber Assets – R1. Critical Asset Identification Method; R2. Critical Asset Identification; R3. Critical Cyber Asset Identification; R4. Annual Approval
     • CIP-003 Security Mgmt. Controls – R1. Cyber Security Policy; R2. Leadership; R3. Exceptions; R4. Information Protection; R5. Access Control; R6. Change Control and Configuration Mgmt.
     • CIP-004 Cyber Security – Personnel & Training – R1. Awareness; R2. Training; R3. Personnel Risk Assessment; R4. Access
     • CIP-005 Electronic Security Perimeters – R1. Electronic Security Perimeter; R2. Electronic Access Controls; R3. Monitoring Electronic Access; R4. Cyber Vulnerability Assessment; R5. Documentation Review and Maintenance
     • CIP-006 Physical Security of Critical Cyber Assets – R1. Physical Security Plan; R2. Physical Access Controls; R3. Monitoring Physical Access; R4. Logging Physical Access; R5. Access Log Retention; R6. Maintenance and Testing
     • CIP-007 Cyber Security – Systems Security Mgmt. – R1. Test Procedures; R2. Ports and Services; R3. Security Patch Management; R4. Malicious Software Prevention; R5. Account Management; R6. Security Status Monitoring; R7. Disposal or Redeployment; R8. Cyber Vulnerability Assessment; R9. Documentation Review and Maintenance
     • CIP-008 Cyber Security – Incident Reporting & Response – R1. Cyber Security Incident Response Plan; R2. Cyber Security Incident Documentation
     • CIP-009 Recovery Plans for Critical Cyber Assets – R1. Recovery Plans; R2. Exercises; R3. Change Control; R4. Backup and Restore; R5. Testing Backup Media
     IBM products placed on the map: Tivoli Enterprise Portal, NERC Compliance Portal, Tivoli Netcool, Enterprise Content and Record Manager, Tivoli Provisioning Manager, Tivoli Identity Manager, Tivoli Storage Manager, Maximo, Tivoli Access Manager, Tivoli Security Compliance Manager, Lotus Learning Management System, Tivoli Compliance Insight Manager, Tivoli Security Operations Manager, Tivoli Monitoring, Internet Security Systems.
     Tivoli Compliance Insight Manager functions shown: Alerts, Notification, Auditing, Reporting, Workflow, Team Definition, Measurement.
  13. Prolifics-IBM Support For NIST Industrial Control Systems Security Objectives
     NIST Directive – NIST Objectives – IBM Technology
     • NIST SP 800-12 – Security Policies and Procedures – TSPM, TIM, TAMeb
     • NIST SP 800-53 – Security Controls: Configuration Management – TAM ESSO
     • NIST SP 800-53 – Security Controls: Access Management – TAMeb, TAM OS, TFIM
     • NIST SP 800-94 – Guidance on Intrusion Detection/Prevention Systems – ISS Proventia
     • NIST SP 800-61 – Guidance on Incident Handling and Reporting – TSIEM
     • NIST SP 800-73/76 – Guidance on Personal Identity Verification – TIM, PIM
     • NIST SP 800-63 – Guidance on Remote Electronic Authentication – TFIM
     • NIST SP 800-64 – Guidance on Security considerations for System Development Lifecycle – Rational AppScan
     • NIST SP 800-61 – Guidance on Incident Handling/Audit Log Retention – TSIEM
     • NIST SP 800-56/57 – Guidance on Cryptographic Key Establishment and Management – TKLM
  14. Holistic Enterprise Security Solution (agenda)
     • The “Blind Slide”
     • The Insider Threat. Identity Controls and Data Loss protection
     • Application Protection
     • New threat vectors. Virtualization and distributed assets
     • Experiences from the field
  15. Application Vulnerabilities Continue to Dominate
     • Web application vulnerabilities represent the largest category in vulnerability disclosures
     • In 1H10, 55.95% of all vulnerabilities were web application vulnerabilities
     • SQL injection and cross-site scripting are neck and neck in a race for the top spot
     Source: IBM Internet Security Systems 2010 X-Force® Mid-Year Trend & Risk Report
  16. Motivation for becoming Secure by Design…
     • Chart: the cost of a flaw grows from 1x in Development to 10x in Test and 100,000x in Deployment.
     • Security Flaw (e.g., Database hacked) – unbudgeted costs, impact to the enterprise: downtime, customer notification/care, fines/litigation, reputational damage, cost to clean-up.
     • Functional Flaw (e.g., Database crash).
  17. Application Security Tools Strategy
     • Static Code Analysis = Whitebox: scanning source code for security issues
     • Dynamic Analysis = Blackbox: performing security analysis of a compiled application
     • Diagram: Static Analysis and Dynamic Analysis within the Total Potential Security Issues, their combination labelled Complete Coverage
     • Providing for numerous compliance requirements, including NERC-CIP: CIP-002 Critical Cyber Assets, CIP-005 Security Mgmt. Control, CIP-007 Cyber Security – Systems Security Mgmt.
  18. Database Servers Are The Primary Source of Breached Data
     • Source of Breached Records: SQL injection played a role in 79% of records compromised during 2010 breaches, up from 75% in 2009.
     • “Although much angst and security funding is given to …. mobile devices and end-user systems, these assets are simply not a major point of compromise.” – 2010 Data Breach Report from Verizon Business RISK Team
  19. Real-Time Database Monitoring
     Architecture: Host-based Probes (S-TAPs) reporting to a Collector
     • No DBMS or application changes
     • Cross-DBMS solution
     • Does not rely on DBMS-resident logs that can easily be erased by attackers or rogue insiders
     • 100% visibility, including local DBA access
     • Minimal performance impact (1-2%)
     • Granular, real-time policies & auditing – who, what, when, how
     • Automated compliance reporting, including sign-offs & escalations (SOX, PCI, NIST, etc.)
     Related NERC CIP standards: CIP-002 Critical Cyber Assets, CIP-003 Security Mgmt. Controls, CIP-005 Security Mgmt. Control, CIP-007 Cyber Security – Systems Security Mgmt.
  20. Holistic Enterprise Security Solution (agenda)
     • The “Blind Slide”
     • The Insider Threat. Identity Controls and Data Loss protection
     • Application Protection
     • New threat vectors. Virtualization and distributed assets
     • Experiences from the field
  21. Protocol Analysis Module (PAM) is the Engine Behind our Products
     Others: constant thrashing to address today’s latest threat. IBM with PAM: “Ahead of the Threat”.
     • What it does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
       Why important: At the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability. In mid-2010, the percentage increased to 55%.
     • What it does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, multimedia files and Web browsers.
       Why important: At the end of 2009, vulnerabilities which affect personal computers represented the second-largest category of vulnerability disclosures and represent about a fifth of all vulnerability disclosures.
     • What it does: Protects Web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).
       Why important: Expands security capabilities to meet both compliance requirements and threat evolution.
     • What it does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
       Why important: Eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
     • What it does: Monitors and identifies unencrypted PII & other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
       Why important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
     • What it does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
       Why important: Enforces network application and service access based on corporate policy and governance.
     Related NERC CIP standards: CIP-005 Security Mgmt. Control, CIP-007 Cyber Security – Systems Security Mgmt.
  22. Preemptive Ahead of the Threat Security – backed up by data
     2009, Top 61 Vulnerabilities:
     • 341 – average days Ahead of the Threat
     • 91 – median days Ahead of the Threat
     • 35 – vulnerabilities Ahead of the Threat
     • 57% – percentage of top vulnerabilities Ahead of the Threat
     • 9 – protection released post announcement
     • 17 – same day coverage
     2010 – average days Ahead of the Threat increased to 437!
  23. Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
     Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.
     IBM Virtual Server Protection for VMware:
     • VMsafe Integration
     • Firewall and Intrusion Detection & Prevention
     • Rootkit Detection & Prevention
     • Inter-VM Traffic Analysis
     • Automated Protection for Mobile VMs (VMotion)
     • Virtual Network Segment Protection
     • Virtual Network-Level Protection
     • Virtual Infrastructure Auditing (Privileged User Access)
     • Virtual Network Access Control
     • Virtual Patch
     © 2011 IBM Corporation
  24. Tivoli Endpoint Manager: Smarter, Faster Endpoint Management
     • Network Asset Discovery
     • Endpoint HW, SW Inventory
     • Patch Management
     • Software Distribution
     • OS Deployment
     • Remote Desktop Control
     • Software Use Analysis (add on)
     • Power Management (add on)
     Whether it’s a Mac connecting from hotel wi-fi, or a Windows laptop at 30K feet, or a Red Hat Linux server in your data center, Tivoli Endpoint Manager has it covered. In real-time, at any scale.
     Related NERC CIP standards: CIP-002 Critical Cyber Assets, CIP-003 Security Mgmt. Controls, CIP-005 Security Mgmt. Control, CIP-007 Cyber Security – Systems Security Mgmt.
  25. Holistic Enterprise Security Solution (agenda)
     • The “Blind Slide”
     • The Insider Threat. Identity Controls and Data Loss protection
     • Application Protection
     • New threat vectors. Virtualization and distributed assets
     • Experiences from the field
  26. Experience
     • Treating identities as an enterprise asset
     • Consistent, standards-based method for authentication and authorization
     • Provisioning and, more importantly, de-provisioning accounts within a specified period of time (account lifecycle)
     • Application accounts, databases, servers, network devices
     • Approval process with multi-level escalation and delegation
     • Quarterly access certification reports
     • FERC M/T code throughout the whole system and in reports
     • Standardization helps with FERC reliability regulations
     • Energy Management Systems kept on an isolated network
     • SSO limits password exposure and simplifies the sign-on process
     • Service ID Management to address shared accounts (SOX)
     • Separation of Duties checks (SOX)
  27. Other features
     • Self-service user interface
     • Auditing and reporting enhancements
     • Dormant Accounts Management
     • External security audit recommended adding all enterprise applications, not just those covered by SOX and FERC regulations
     • Flexible life-cycle and operational workflows
  29. By managing security for customers across the world, IBM has a clear and current picture of threats and attacks
     • 3 branches of the Institute for Advanced Security (“IAS”): IAS Americas, IAS Europe, IAS Asia Pacific
     • 9 Security Operations Centres
     • 9 Security Research Centres
     • 11 Security Solution Development Centres
     • 133 Monitored Countries
     IBM has the unmatched global and local expertise to deliver complete solutions – and manage the cost and complexity of security.
  30. Our strategy: Comprehensive solutions that also leverage partners’ products
     Delivery models: Professional Services, Managed Services, Products, Cloud Delivered
     • Security Governance, Risk and Compliance (GRC); Security Information and Event Management (SIEM) & Log Management
     • Identity & Access Management: Identity Management, Access Management, Data Entitlement Management
     • Data Security: Data Loss Prevention, Encryption & Key Lifecycle Management, Messaging Security, E-mail Security, Database Monitoring & Protection, Data Masking
     • Application Security: Web Application Firewall, Application Vulnerability Scanning, Access & Entitlement Management, Web / URL Filtering, SOA Security
     • Infrastructure Security: Vulnerability Assessment, Virtual System Security, Endpoint Protection, Threat Analysis, Security Event Management, Managed Mobility Svcs, Intrusion Prevention System, Firewall, IDS/IPS, Mainframe Security Audit, Admin & Compliance, Security Configuration & Patch Management, MFS Management
     • Physical Security
     IBM Security Solutions: 2. Assess Risks; 3. Mitigate Risks; 4. Manage Security Controls
  31. Our strategy: IBM is investing in Security Solutions
     • The only security vendor in the market with end-to-end coverage of the security foundation
     • 15,000 researchers, developers and SMEs on security initiatives
     • 3,000+ security & risk management patents
     • 200+ security customer references and 50+ published case studies
     • 40+ years of proven success securing the zSeries environment
     • 600+ security certified employees (CISSP, CISM, CISA, ..)
     IBM Security acquisitions (1999 – 2010): DASCOM
  32. Our strategy: Research = intelligence = security
     The mission of the IBM X-Force research and development team is to:
     • Research and evaluate threat and protection issues
     • Deliver security protection for today’s security problems
     • Develop new technology for tomorrow’s security challenges
     • Educate the media and user communities
     IBM builds technology for tomorrow based on IBM Research:
     • Identify mission-critical enterprise assets and very sensitive data
     • Build fine-grained perimeters
     • Monitor fine-grained perimeters and close the loop
     • End-to-end security
     • Secure by design
     Figures: 13B analyzed Web pages & images; 150M intrusion attempts daily; 40M spam & phishing attacks; 54K documented vulnerabilities; millions of unique malware samples
  33. The Importance of Research to Security: IBM Internet Security Systems X-Force® Research Team
     Research – Technology – Solutions
     • Original Vulnerability Research → X-Force Protection Engines: extensions to existing engines; new protection engine creation
     • Public Vulnerability Analysis, Malware Analysis → X-Force XPU’s: Security Content Update development; Security Content Update QA
     • Threat Landscape Forecasting, Protection Technology Research → X-Force Intelligence: X-Force Database; feed monitoring and collection; intelligence sharing
     The X-Force team delivers reduced operational complexity – helping to build integrated technologies that feature “baked-in” simplification – “Protecting people from themselves”.
  34. IBM’s security portfolio today – IBM Security Offering Reference Model
     Security / Compliance Analytics and Reporting
     • IBM Products: IBM OpenPages; Tivoli Security Information and Event Management; DOORS; FocalPoint
     • IBM Services: GRC Consulting and Implementation Services; Audit and Compliance Assessment Services (e.g., PCI); Privacy and Risk Assessments; Cloud-based Vulnerability Management Portal; Security Event and Log Management Consulting
     IT Infrastructure – Operational Domains (People, Data, Applications, Network, Endpoint), with Infrastructure Security Services, Implementation Services and Managed Services across them
     • IBM Products – People: Tivoli Identity and Access; Tivoli Federated ID; Tivoli Security Policy Manager; Tivoli Single Sign-On
     • IBM Products – Data: InfoSphere Guardium; InfoSphere Optim Data Masking; Tape / Disk encryption; Tivoli Key Manager
     • IBM Products – Applications: Rational AppScan Source Edition; Rational AppScan Standard Edition; WebSphere Datapower XML Gateway
     • IBM Products – Network: Tivoli Network Intrusion Prevention; Tivoli zSecure Mainframe security
     • IBM Products – Endpoint: Tivoli Endpoint Manager (anti-virus using Trend Micro)
     • IBM Services – People: Identity Assessment, Deployment and Managed Hosting Services
     • IBM Services – Data: Data Security Assessment; Encryption and DLP Deployment
     • IBM Services – Applications: Application Assessment Services; AppScan On Demand – SaaS
     • IBM Services – Network: Penetration Testing; Firewall, IPS, Vulnerability Managed Services
     • IBM Services – Endpoint: Managed Mobile Protection (using Juniper)