Digital Infrastructure - A Model For Success

Size: px

Start display at page:

Download "Digital Infrastructure - A Model For Success"

Duane Taylor
3 years ago
Views:

1 Organizer: BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES Session 6 : Securing Your Fortress Best practices, standards, techniques and technologies secure your organization from cyber criminals. 5 July 2011 Dani Michaux

2 Back to basics Statistics Understanding the underlying complexities and issues with organization (real life experiences) Defining strategies and techniques Global remediation efforts within organizations with complex environments Challenges Education/Awareness 2

3 Information Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected Information can exist in many forms database, system documentation, user manual, operational procedures and research information 3

4 Security Breaches in 2010 Worrying Statistics Source: MyCERT 4

5 Security Breaches in 2010 Scary.. Stuxnet APT Cyber Intelligence Cyber Warfare 5

6 .. Organizer: Security Breaches in 2010 Scary.. 6

7 .. Organizer: Security Breaches in 2010 Scary.. 7

8 Latest case of customer data being leaked.. 8

9 .. Organizer: Security Breaches in 2011 Scary.. 9

10 Underlying complexities real cases No clearly defined roles and responsibilities (grey operational areas) No clear understanding of different technology advancements and the potential security implications of adopting new technologies No clear understanding or potential risk attack vectors (where the threats come from? and rare understanding of BIA ) 10

11 Underlying complexities Wrong attitude Nothing happened for the past 25 years, why happen now, what's changed? Full trust on vendors They should know best, this is their system, they are the experts 11

12 Defining Strategies and Techniques 12

13 CNII to be ISMS Certified by

14 Standards Overview API 1164 SCADA Security The SCADA security standard, API 1164, provides guidance to the operators of oil and gas liquid pipeline systems for managing SCADA system integrity and security. The use of this document is not limited to pipelines regulated under Title 49 CFR 195.1, but should be viewed as a long listing of best practices to be employed when reviewing and developing standards for a SCADA system. The API standard, to date, applies only to pipeline operators and does not cover refineries. Previously released cyber-security guidelines are considered by API to be adequate for refineries at this time. Although the standard does address physical security, the primary thrust of this document is cyber security and access control. This document embodies "API Security Guidelines for the Petroleum Industry," and is specifically designed to provide the operators with a description of industry practices in SCADA security and to provide the framework needed to develop sound security practices within the operator s individual companies. NERC Security Guidelines Security Guidelines for the Electricity Sector The NERC Security Guidelines for the Electrical Sector consists of 14 sections addressing both physical and cyber security. These guidelines describe general approaches, considerations, practices, and planning philosophies to be applied in protecting the electric infrastructure systems. These guidelines are advisory in nature, and each user determines how they will be used. 14

15 Standards Overview NERC 1200 Urgent Action Standard 1200 Cyber Security North American Electric Reliability Council (NERC), recognized as the energy sector coordinator by FERC, DOE, and DHS, developed the Urgent Action Cyber Security Standard (NERC 1200) as a temporary standard to establish a set of defined security requirements related to the energy industry and to reduce risks to the reliability of the bulk electric systems from any compromise of critical cyber assets. NERC 1200 applies to entities performing various electric system functions, as defined in the functional model approved by the NERC Board of Trustees in June, NERC 1300 Cyber Security The current draft NERC standard was Draft Version 1 of NERC This is the document that was reviewed. The current draft NERC cyber security standard, CIP-002 through CIP-009, when released, will replace NERC 1200, Urgent Action Cyber Security Standard. These standards are in the review process by the North American Electric Reliability Council. The first drafts of these standards were released for review on September 15, 2004; review comments submitted on the third draft are now in review by the standards committee. These standards are expected to cover essentially the same material as NERC 1200, but in more detail. 15

16 Governance achieving success Effective governance framework: Vision Stakeholder identification, engagement and management Sponsorship What for are you creating versus plugging in to Communication language, passion, risk and business focus and clarity Culture Delivery 16

17 Benefits of a harmonised governance system A single control framework allows integrated assurance Benefits: Reduced assurance costs Single view of compliance state Easily demonstrable to stakeholders Reduced business interruption Fewer audits Controls optimisation and automation 17

18 A way of operating effectively Today Project oriented Viewed in isolation Managed disparately Separated from the flow of business Owned by compliance Manual and reactive Reactive compliance model What happens when? People leave Processes are improved New systems are implemented Businesses are sold/acquired Processes are outsourced Tomorrow The way we do business Dynamic and actionoriented Integrated into processes Process and data centric Owned by the business Automated and preventive Proactive organisational capabilities driven approach 18

19 The Sweet Spot for Harmonised IT Compliance COMPLIANCE MATURITY / BUSINESS RISK Today BUSINESS RISK COMPLIANCE PROCESS Sweet Spot PROGRAM SPEND( ) / TIME Diminishing Returns 19

20 Control model What types of controls do you implement? Mandatory legislation specific to country Data Protection Act, Computer Crime Act Core customer requirements, industry requirements PCI, SOX, Basel II/III, ITIL, Voluntary business driven ISO 27001, ISO 20000, BS 25999, 20

21 Key Thoughts IT compliance will grow more complex GOAL Multiple requirements / controls one control framework Multiple audits, multiple auditors one auditor Integrated assurance can Reduce assurance costs Provide a single view of compliance and manage business risk Minimise business interruption 21

22 Global Remediation Efforts - Challenges Example of remediation efforts Complex environments within Utility s sector Core business Vs. enterprise IT (do we understand the difference, what our policies cover) SCADA, PCD Networks, Core Telco, NGN, etc. Convergence Risks (old infra with new)? Vendors / Third Parties They know best and they have access to support us attack vectors? 22

23 Global Remediation Efforts - Challenges No standardized policies No standardized technologies Various system and systems generations (can we have standardized logging)? Controls over the operational environment (operational / convenience vs. control and security) No right skills in house for incident response (admin to perform all tasks, dependence on key staff) 23

24 Global Remediation Efforts - Challenges Inability to understand the extend of the attacks Commercialization risks If I get my vendor to support my operations through remote connectivity do I fully understand the associated risks? My provider will monitor my network for me can we see any associated risks? Have we included in risk register? How are we managing it through contracts / or based on trust? 24

25 Importance of education and awareness

26 Q&A

AURORA Vulnerability Background

AURORA Vulnerability Background Southern California Edison (SCE) September 2011-1- Outline What is AURORA? Your Responsibility as a Customer Sectors Impacted by AURORA Review of Regulatory Agencies History