May 24, 2013
The US Congress, DHS and the man on the street say the grid is not secure enough. Well, how do they know? How does anyone know how secure they are today? And how would one define how secure is secure enough? Unless we can begin to measure, we'll never be able to baseline, and never be able to roadmap to a demonstrable, more secure future state. So let's get started.
© 2013 IBM Corporation

Energy Sector Security Metrics overview
June 2013
You can't manage what you can't measure, right?
So what can we work on here: security metrics
Security metrics in the news
"Governance with Metrics is Risk Management"
Risks utilities manage today

Very well indeed:
– Economic
– Supply chain
– Theft
– Commodities price
– Storms and weather
– Regulatory
– Arboreal

Less well:
– Cybersecurity
Security metrics start

For starters: business alignment
– Security measurement prerequisites / preliminary steps
  • Identify your key / most critical business processes
  • Understand the threat scenarios to those processes
  • Identify the key controls for the threats to those processes
  • Once you have those things, you can establish what to measure
– Initial security metrics categories
  • Organization and People
  • Data
  • Applications
  • Infrastructure
  • Security Intelligence / Situational Awareness
  • Resilience

3 characteristics of good metrics:
1. Easy to get
2. Easy to understand
3. Easy to share
Metrics start (cont.)

People and Organization
– Is there a security governance board?
– What is the highest ranking person in the company with security in their title and ...
– Do they have authority to set and enforce security policy enterprise-wide?
– % completing refresher training course
– # or % phishing events (how many employees clicked on dangerous links)
– % of key employees using social media and/or portable media / BYOD devices
– Help Desk stats/measures - security-related tickets called in, such as:
  -- # of locked/forgotten password / malware infection
  -- # of tickets resolved
  -- # of tickets still open and under investigation

Applications
– Does the company have a current inventory of all the applications (built and bought) it depends on?
– Access controls:
  -- # of applications using multi-factor authentication
  -- # of applications using web security (HTTPS, TLS/SSL)
– % of applications in portfolio scanned for security vulnerabilities in year
– Of apps scanned, avg # of high severity vulnerabilities per million lines of code
– Time between application vulnerability awareness and patching

Infrastructure
– IT/OT downtime for planned security updates
– IT/OT downtime for unplanned security tasks
– # of infected PCs, phones, meters, etc. detected and cleansed
– Time between system vulnerability notice and patching or mitigation

Data
– % critical databases protected
– % total databases protected
– Data loss related incidents:
  -- # of lost/stolen devices (e.g., unencrypted laptops, smart phones, USB drives)
  -- # of unauthorized data disclosures
  -- # of data loss near misses
– % of system administrators with access to root or PII information without audit capabilities

Security Situational Awareness
– % of critical IT/OT systems instrumented ... logs being continuously analyzed
– % of network segments protected by firewalls and IDS/IPS
– % up-time and availability of network against DDoS and other network attacks
– # of ICS-CERT alerts relevant to client

Resilience
– # of security and/or privacy breach exercises per year
– Performance of teams re: incident response, rapid recovery, forensics, etc.
– Maturity capability rating of people, processes and technologies performing the key controls for both of the above
– # of critical servers/databases with root password and key escrow, and without

Submitted to NIST March 2013: http://csrc.nist.gov/cyberframework/rfi_comments/ibm_security_systems_031913.pdf
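As an added example (not from the IBM deck), here is how a handful of the metrics listed above could be computed from constructed inventory, vulnerability-ticket and phishing-exercise records; the record layout, the sample values and the choice to compute the vulnerability figure as total high-severity findings over total scanned code are assumptions.

```python
"""Compute a few of the slide's metrics from constructed records (added example)."""
from datetime import date
from statistics import mean

# Constructed application inventory: size in KLOC, whether a vulnerability
# scan ran this year, and high-severity findings from that scan.
APPS = [
    {"name": "meter-portal", "kloc": 120, "scanned": True, "high_vulns": 6},
    {"name": "outage-map", "kloc": 40, "scanned": True, "high_vulns": 1},
    {"name": "billing-legacy", "kloc": 800, "scanned": False, "high_vulns": None},
    {"name": "hmi-web", "kloc": 60, "scanned": True, "high_vulns": 3},
]
# Constructed vulnerability tickets: (notice received, patched or mitigated).
VULN_TICKETS = [
    (date(2013, 1, 3), date(2013, 1, 10)),
    (date(2013, 2, 14), date(2013, 3, 28)),
    (date(2013, 3, 1), date(2013, 3, 4)),
]
# Constructed phishing exercise: messages sent and dangerous links clicked.
PHISHING = {"sent": 400, "clicked": 26}


def pct_apps_scanned(apps):
    """% of applications in the portfolio scanned for vulnerabilities this year."""
    return 100.0 * sum(1 for a in apps if a["scanned"]) / len(apps)

def high_vulns_per_mloc(apps):
    """Of apps scanned, high-severity findings per million lines of code,
    taken here as an aggregate density over all scanned code (an assumption)."""
    scanned = [a for a in apps if a["scanned"]]
    total_kloc = sum(a["kloc"] for a in scanned)
    return sum(a["high_vulns"] for a in scanned) / (total_kloc / 1000.0)

def mean_days_to_patch(tickets):
    """Mean time between vulnerability notice and patching/mitigation, in days."""
    return mean((patched - noticed).days for noticed, patched in tickets)

def phishing_click_rate(exercise):
    """% of phishing-exercise recipients who clicked a dangerous link."""
    return 100.0 * exercise["clicked"] / exercise["sent"]

def metrics_report(apps=APPS, tickets=VULN_TICKETS, phishing=PHISHING):
    """One dict, rounded so it is easy to get, understand and share."""
    return {
        "pct_apps_scanned": round(pct_apps_scanned(apps), 1),
        "high_vulns_per_mloc": round(high_vulns_per_mloc(apps), 1),
        "mean_days_to_patch": round(mean_days_to_patch(tickets), 1),
        "phishing_click_rate_pct": round(phishing_click_rate(phishing), 1),
    }
```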
2012 CISO Study
A measurement movement is forming

– DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
  • Metrics for utilities to use to baseline and gauge effectiveness
– DOE's Electricity Subsector Risk Management Process (May 2012)
  • Help translating cybersecurity into a risk management framework
– NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update)
  • Questions utilities will be asked by their state public utility commissions
– NIST's NISTIR 7628 Assessment Guide (Aug 2012)
– NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011)
Demand for metrics rising

US
– Presidential EO and NIST Critical Infrastructure Cybersecurity Framework working group
– DOE's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
– California PUC

Rest of World
– Europe
– Asia
– Australia
Security Governance guidance for utilities

1. Security as risk management
2. A fully integrated security enterprise
3. Security by design
4. Business-oriented security metrics and measurement
5. Change that begins at the top
6. IBM's 10 essential security actions
Andy Bochman
bochman@us.ibm.com
+1 781 962 6845
E&U / Crit Infra Security Metrics Team

Steve Dougherty
sdougherty@us.ibm.com
+1 916 467 7052
SWG / Security E&U Services and Cross-brand GBS E&U CoC
ibm.com/energy
ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.