GridWise 2010 Cyber Security Update


Presentation on security issues affecting the national electric grid and Smart Grid, made at the GridWise Annual Membership Meeting, NYC, Dec 2010.


  1. Smart Grid Cyber Security in 2011: Untenable meets Intractable
     Andy Bochman, Energy Security Lead - IBM Rational, and Editor - the Smart Grid Security Blog
     Presented at GridWise Annual Membership Meeting, hosted by National Grid, Brooklyn, NY, 7 December 2010
  2. Intractable Untenable 2011
  3. Overview
     • Personal notes from an IBMer and a blogger
     • The security year that was: Google, Stuxnet, Wikileaks
     • E&U security by best practices and/or regulation
     • Conclusions from a GridWise Alliance cybersec perspective
  4. Personal notes
     • The view from the Smart Grid Security Blog
         • Biggest threat to SG isn’t security
         • First mover disadvantage
         • Stuxnet, FERC vs. NERC …
  5. Personal notes
     • The view from inside IBM’s extended E&U cybersecurity team
         • Services
         • Software
         • Hardware
         • Security Strategy
         • X-Force
         • R&D
  6. This year’s trifecta
     • Google – IP theft at dozens of co’s
     • Stuxnet – finds a way in; root kit for PLCs
     • Wikileaks – ultimate insider attack
  7. Back to basics – Jack’s 3 questions
     • Why are you doing this?
     • What are you trying to secure?
     • What will happen if you don't do this right?
  8. Approaches to security
     • Security through regulation
     • NERC CIP +
     • SP 800-53 +
     • NISTIR 7628
     • … equals a secure (enough) grid?
  9. Approaches to security
     • Security through best practices
         • Keeping up with the neighbors
         • Some signs of leadership
         • Paying attention to threats and guidance (e.g. software security for portals and other SG apps)
  10. Evolving Policy + Practices
     • NERC CIP 007, R8 - vulnerability scans
     • NISTIR 7628, 7.3
         • Input and output validation
         • Authorization vulnerability
         • Password and password mgt
         • Error handling, crypto, logging and auditing, etc.
     • Supply chain diligence
  11. Software security considerations by origin
     • Internal
         • development teams tasked with complicated deliverables and tight timelines, where security is only one of many critical requirements
     • Packaged applications
         • have been created to the manufacturer’s standards, which may or may not stand up to utility security requirements
     • Outsourced
         • requires very detailed descriptions of expected secure development standards
     • Free and open source (FOSS)
         • developed by groups which may or may not meet the regulations and security standards utilities require
  12. Additional resources for software security
     • NIST
         • NISTIR 7628 1.0 Vol. 3
     • DHS
         • Software Assurance working group and “Build Security In”
     • MITRE CVE and CWE
         • Common Vulnerabilities and Exploits, and Common Weakness Enumeration
     • OWASP
         • Open Web Application Security Project
     • Cigital BSIMM
         • Building Security in Maturity Model
     • IBM X-Force
         • Worldwide cyber threat and risk analysis team
  13. Conclusions
     • Momentum towards NIST
     • Secure supply chain issues move to fore
     • Security + survivability
     • Getting the word out
  14. Thanks!
     Andy Bochman, IBM/Rational
     [email_address]
     The Smart Grid Security Blog