GridWise 2010 Cyber Security Update

2,911 views

Published on

Presentation on security issues affecting national electric grid and Smart Grid made at GridWise Annual Membership Meeting, NYC Dec 2010.

Published in: Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,911
On SlideShare
0
From Embeds
0
Number of Embeds
507
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

GridWise 2010 Cyber Security Update

  1. 1. Smart Grid Cyber Security in 2011: Untenable meets Intractable Andy Bochman, Energy Security Lead - IBM Rational, and Editor - the Smart Grid Security Blog Presented at GridWise Annual Membership Meeting Hosted by National Grid, Brooklyn, NY, 7 December 2010
  2. 2. Intractable Untenable 2011 http://www.flickr.com/photos/coda/
  3. 3. Overview <ul><li>Personal notes from an IBMer and a blogger </li></ul><ul><li>The security year that was: Google, Stuxnet, Wikileaks </li></ul><ul><li>E&U security by best practices and/or regulation </li></ul><ul><li>Conclusions from a GridWise Alliance cybersec perpective </li></ul>
  4. 4. Personal notes <ul><li>The view from the Smart Grid Security Blog </li></ul><ul><ul><li>Biggest threat to SG isn’t security </li></ul></ul><ul><ul><li>First mover disadvantage </li></ul></ul><ul><ul><li>Stuxnet, FERC vs. NERC … </li></ul></ul>
  5. 5. Personal notes <ul><li>The view from inside IBM’s extended E&U cybersecurity team </li></ul><ul><ul><li>Services </li></ul></ul><ul><ul><li>Software </li></ul></ul><ul><ul><li>Hardware </li></ul></ul><ul><ul><li>Security Strategy </li></ul></ul><ul><ul><li>X-Force </li></ul></ul><ul><ul><li>R&D </li></ul></ul>http://www.flickr.com/photos/calsidyrose/4129867536/sizes/m/in/photostream/
  6. 6. This year’s trifecta <ul><li>Google – IP theft at dozens of co’s </li></ul><ul><li>Stuxnet –finds a way in; root kit for PLCs </li></ul><ul><li>Wikileaks – ultimate insider attack </li></ul>http://www.flickr.com/photos/tomsaint/
  7. 7. Back to basics – Jack’s 3 questions <ul><li>Why are you doing this? </li></ul><ul><li>What are you trying to secure? </li></ul><ul><li>What will happen if you don't do this right? </li></ul>http://www.flickr.com/photos/fontplaydotcom/504443770/sizes/m/in/photostream/
  8. 8. Approaches to security <ul><li>Security through regulation </li></ul><ul><li>NERC CIP + </li></ul><ul><li>SP 800-53 + </li></ul><ul><li>NISTIR 7628 </li></ul><ul><li>… equals a secure (enough) grid? </li></ul>http:// www.flickr.com/photos/seattlemunicipalarchives /
  9. 9. Approaches to security <ul><li>Security through best practices </li></ul><ul><ul><li>Keeping up with the neighbors </li></ul></ul><ul><ul><li>Some signs of leadership </li></ul></ul><ul><ul><li>Paying attention to threats and guidance (e.g. software security for portals and other SG apps) </li></ul></ul>
  10. 10. Evolving Policy + Practices <ul><li>NERC CIP 007, R8 - vulnerability scans </li></ul><ul><li>NISTIR 7628, 7.3 </li></ul><ul><ul><li>Input and output validation </li></ul></ul><ul><ul><li>Authorization vulnerability </li></ul></ul><ul><ul><li>Password and password mgt </li></ul></ul><ul><ul><li>Error handling, cyrpto, logging and auditing, etc. </li></ul></ul><ul><li>Supply chain diligence </li></ul>
  11. 11. Software security considerations by origin <ul><li>Internal </li></ul><ul><ul><li>development teams tasked with complicated deliverables and tight timelines, where security is only one of many critical requirements </li></ul></ul><ul><li>Packaged applications </li></ul><ul><ul><li>have been created to the manufacturer’s standards, which may or may not stand up to utility security requirements </li></ul></ul><ul><li>Outsourced </li></ul><ul><ul><li>requires very detailed descriptions of expected secure development standards </li></ul></ul><ul><li>Free and open source (FOSS) </li></ul><ul><ul><li>developed by groups which may or may not meet the regulations and security standards utilities require </li></ul></ul>
  12. 12. Additional resources for software security <ul><li>NIST </li></ul><ul><ul><li>NISTIR 7628 1.0 Vol. 3 </li></ul></ul><ul><li>DHS </li></ul><ul><ul><li>Software Assurance working group and “Build Security In” </li></ul></ul><ul><li>MITRE CVE and CWE </li></ul><ul><ul><li>Common Vulnerabilities and Exploits , and Common Weakness Enumeration </li></ul></ul><ul><li>OWASP </li></ul><ul><ul><li>Open Web Application Security Project </li></ul></ul><ul><li>Cigital BSIMM </li></ul><ul><ul><li>Building Security in Maturity Model </li></ul></ul><ul><li>IBM X-Force </li></ul><ul><ul><li>Worldwide cyber threat and risk analysis team </li></ul></ul>
  13. 13. Conclusions <ul><li>Momentum towards NIST </li></ul><ul><li>Secure supply chain issues move to fore </li></ul><ul><li>Security + survivability </li></ul><ul><li>Getting the word out </li></ul>
  14. 14. Thanks! Andy Bochman IBM/Rational [email_address] The Smart Grid Security Blog smartgridsecurity.blogspot.com twitter.com/sgsblog http://gridwise.org/

×