Bobbi Brown - presentation 5- Security Presentation B2
© 2010 EnerNex Corporation. All Rights Reserved.
US Cyber Security Efforts
The Good, The Bad, The Ugly
Presented By: Bobby Brown
EnerNex Corporation

About myself
• Director of IT & Communication Security
• Former CIO, 15+ years IT, 10 years Cyber Security & Related
• Co-author of NIST Framework & Roadmap for Smart Grid Interoperability Standards, Security Profiles (AMI, 3PDA, Distribution Mgt.)
• Project Manager, Advanced Security Acceleration Project for Smart Grid (ASAP-SG)
• National Electric Sector Cyber Organization Resource Team
• Chair of SG Security Conformity and Vice-chair of SG Security in UCAIug OpenSG

NIST SGIP – The Good
• EnerNex awarded management and technical facilitation
• Smart Grid Interoperability Panel
  – Supports NIST in fulfilling responsibilities under the 2007 Energy Independence and Security Act
  – Identifies, prioritizes and addresses new and emerging requirements for Smart Grid standards
  – Developed the initial NIST Framework & Roadmap for Smart Grid Interoperability Standards (v1.0 January 2010)
• National public-private collaborative

NIST SGIP – The Good
• Smart Grid Standards
• Priority Action Plans
• Testing and Certification of Standards
• Smart Grid Conceptual Model
• Smart Grid Cyber Security
• The Interoperability Knowledge Base (IKB)

SGIP CSWG – The Good
• Addresses cyber Smart Grid security aspects
• Provides overall cyber security strategy for Smart Grid
• Defense in-depth controls:
  – Prevention
  – Detection
  – Response
  – Recovery
• 400+ member participation

Strategy Process

SGIP CSWG – The Bad
• Risk mitigation strategy is confusing:
  – Logical Interface Categories (LICs)
  – Requirements mapped to LICs (not data)
• Interoperability strategy is still under development
• Weak in utility representation

The Ugly
The process is good, but…
• Not actionable
• Reference architecture is not representative of real world systems
• How to implement?

Lessons Learned – What’s Next?
• Validate high-level reference architecture
• More utility involvement
• ‘Actionable’ & ‘implementable’ guidance
  – Implementation Sub-group
• Interoperability and Rigor
  – Standards & Crypto Sub-groups
  – Testing & Certification Sub-group
• Updated NIST-IR 7628 (after 12 months)

NERC CIP - Good
• Forces utilities to address security
• Allows utilities to self-regulate

NERC CIP – Bad & Ugly
• Immature regulation – too many revisions
• Discretion of auditors; too much variance
• Only addresses bulk power, many aggregated threats not covered:
  – Distribution
  – AMI
  – Automated demand response
  – Electric vehicles
  – Etc., etc.
• Utilities become reactive

NERC CIP – What’s Next?
• CIP 10 and 11
  – CIP 10 replaces CIP 2
  – CIP 11 replaces CIP 3 through 9

ASAP-SG - Good
• Private-Public Collaborative
• Vetted by utilities and vendors
• Good adoption of controls:
  – Utilities using in request for proposal (RFP) requirements
  – Vendors using in product development requirements
  – States (California Public Utility Commission) using in development of regulations

ASAP-SG Funding & Workflow

ASAP-SG Blueprint

ASAP-SG – Bad & Ugly
• Too Academic
• Too many steps

ASAP-SG - What’s Next
• Wide Area Monitoring, Protection and Control Security Profile
  – Synchrophasors
• Premise Area Network Security Profile
  – Home Area Network
  – Business Area Network
  – Industrial Network
• Update Security Profile Blueprint

Summary – Understand Attackers

Kill Chain
• Recon
• Weaponization
• Delivery
• Exploit
• Installation
• Command & Control (C2)
  – Elevate privilege
  – Maintain presence
• Actions of Intent

Break points
• Min attack surface (Deter)
• Block attacks (Prevent)
• Monitor/Report (Detect)
• Business Continuity (Respond)
• Forensics & Incident Handling (Recovery)
  – Lessons learned

Defense in-depth > Break the Kill Chain

Summary – Methodology
• Collaboration!
• Regulation & Standards
• Holistic system of systems approach
• Security components
• Interfaces
• Subsystems
• Configuration
• Business Driven
• Use Cases
• Process
• Risk Management
• Engineering Principles
• Loose Coupling
• Layered
• Scalable
• SDLC

Thank you!
Bobby [email protected]
Director, Cyber Security
EnerNex