SGSB Webcast 3: Smart Grid IT Systems Security

The Smart Grid is being constructed out of systems old and new, from creaking mainframes to shiny new ones that live in the clouds, and everything in between. Utilities professionals, and those who serve them, need to ensure that these systems are secure so that we can build out and operate the future grid with confidence. This short presentation, the 3rd in a 10-part series on Smart Grid security, offers an easy-to-digest, business-level introduction to the topic.

Published in: Technology, News & Politics

  1. Webcast Series Volume 3: Smart Grid (IT) Systems Security. Andy Bochman, Editor: The Smart Grid Security Blog. July 2010
  2. Security meets Energy (Jack / Andy)
     • Founder/CEO of two security software companies, both sold
     • IBM Security Exec
     • Holder of 5 patents in areas of IT and IT security
     • 20+ years of speaking and writing on IT Security Topics
     • Founder of Smart Grid Security and DOD Energy Blogs
     • IBM Energy Lead
     • Researcher / analyst in energy and tech markets
     • 20+ years of DoD and alternative energy leadership
  3. New format rules
     • Shorter (probably) / sweeter (not likely)
     • No/low Jack for now (dude's busy)
     • Alarmism still not allowed
     • Business case uber alles
     • Q&A before/after (but different)
  4. Overview
     • What systems are we talking about
     • Primary systems security concerns
     • Best practices
     • What's up next in SGSB series
  5. The systems in question
  6. What's in an IT system?
     • (First, what's not in this talk)
         • Network stuff, applications, physical security, SCADA and ICS, compliance, people stuff
     • Hardware
         • Systems run on utilities' hardware in data center or in the cloud (coming up)
     • Operating systems
         • Windows (including Windows 95), Linux, Solaris, Mainframe
     • Middleware
         • Web and application servers like Apache, WebSphere, WebLogic
     • Databases
         • Oracle, SQL Server, DB2, MySQL
  7. The future is here: cloud/utility computing
     • Remotely hosted application logic and data services
     • We all use them today, and utilities, while sometimes slower to adopt new tech than others, are no exception
     • Examples include Geographic Information Systems (GIS), email, increasingly, productivity apps, social networking, etc.
     • All of these are as secure as their designers and developers have chosen to make them
     • Need to ask about how data (and privacy) is protected, in transit and at rest
  8. More new stuff: virtualization
     • Can save money, but …
     • Gartner finds:
         • Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace
         • Gartner blames organizations' failure to involve the IT security team in its deployment projects, in addition to immature tools to protect these new environments
         • "In some cases, they [operations] are worried because they think information security will come and say, 'No, we can't do this.'"
         • For example, if attackers are able to compromise the virtualization layer, that could lead to a compromise of all hosted applications and data
     "I think the worst thing is that people pretend there aren't any differences [between virtual and physical] and they move right ahead and don't have any discussions at all" (Neil MacDonald, Gartner VP, 2Q2010)
  9. Best IT systems security practices
     • Classic Mainframe
         • Like alligators, these systems have been around forever and are always just a year or two away from replacement
         • Most were developed and initially deployed in the pre-Internet era, and therefore security was neither designed in nor bolted on
         • Formerly protected primarily by their isolation, these old workhorses are becoming increasingly connected as their data (e.g., customer, financial, accounting, etc.) become increasingly important to other systems in a Smart Grid world
         • Primarily it's their data that needs protecting
         • Check out the web interfaces/wrappers that have likely been added in recent years for security faults
  10. Best IT systems security practices
     • Client/Server
         • Most often found in the form of packaged or "commercial off the shelf" (COTS) applications, and often with some customization
         • Include a server component including logic and a database, and client-side software that sits on PCs
         • Typically manufactured by large, well known software vendors, these systems are most secure when configured properly, patched quickly, and kept up to date on the most current release. Note: these systems are as secure as their vendors have chosen to make them
         • Think: configuration, patch management and watch out for web interfaces
  11. Best IT systems security practices
     • Middleware
         • Designed to link different application and database systems together … hence they're in the "middle"
         • Often combination of open source and packaged offerings
         • Both types need scrutiny in terms of patches and configurations
  12. Best IT systems security practices
     • Databases
         • Where the jewels are kept
         • Access should be highly guarded … but sometimes isn't
         • Input/outputs should be checked/validated
         • Certain databases may experience massive growth as usage data goes through roof via AMI/Smart Meters and increasingly frequent meter reads
         • See "It's time to get serious about Smart Grid data volumes"
  13. For official guidance on securing IT systems
     • ISO 27001 and 27002 security guidance and controls
     • NIST national checklist program repository
     • NERC CIP (early stages) and NISTIR 7628 (growing fast)
     • … from my DOD background: Defense Information Security Agency (DISA) Security Technical Implementation Guides (STIGs) and STIG checklists
  14. That's a wrap: Systems security 101 = risk management
  15. Where we've been and what's next
     • Intro to Smart Grid Security
     • Data Security
     • System Security Challenges and the Smart Grid
     • Smart Grid-related Standards and Regulations
     • Securing the SoftGrid
     • Approaches to securing AMI
     • Security and privacy from the customers' point of view
     • Understanding and empowering a Smart Grid CSO
     • Violable but reliable: preparing for the inevitable break down in Smart Grid security
     • 10th session recap of Smart Grid security and plotting future course
  16. Thanks! … and keep an eye open for SGSB Webcast 4 on Smart Grid standards & compliance in August. The Smart Grid Security Blog