Cyber Security & Data Privacy. January 22, 2014

Transcription

1 Cyber Security & Data Privacy January 22, 2014

2 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies

3 Housekeeping You will receive a copy of the slides To the you used to register You can ask questions as we go along Simply type into the question box, as we will explain or raise questions during the Q&A We will answer all the questions submitted If we are unable to get to all the questions, they will be answered individually after the presentation

4 Questions & Audio If this is what you see Click on the orange arrow to expand your dashboard. In order to ask questions over the phone, please log in with your Audio Pin Click on the + sign to open up the questions box. Use the Questions box at any time to type questions. You can ask questions as we go along. Yes, you will receive the slides after the webinar.

5 Agenda 1. Introduction to Cyber Security & Data Privacy Why the Consumer Conversation is Important Available Materials 2. An Overview Example (Aclara Technologies) Examples of Customer Data Presentment Security Risks and Best Practices The Aclara Experience 3. Questions & Answers Session

6 The Consumer Conversation Google s NEST acquisition, what does it mean to the industry? Prompting more than a few privacy concerns, legitimate and otherwise Vulnerability of a large, centralized system and the potential for hacking System will be advanced enough to track a person s movements inside a home

7 Available Materials

8 Speaker #1 Name Background Bob DiBella Director of Product Management Aclara Technologies Leads the development and marketing of Aclara s consumer engagement solutions for web, mobile, and print channels Previously directed the development of several transformative products including the customer dashboard, online billing analysis, and AMI data presentment Over 20 years of experience in the energy industry as an energy auditor, project manager, consultant, and product manager

9 Speaker #2 Name Background Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies Responsible for technology strategy and non-functional requirements for Consumer Engagement business system which is internet based, multi-tenant, multi-layer, multi-tier, 24x7 software system hosted on the.net platform Currently working with Aclara Product Team to focus on big data analytics and user experience More than 20 years of experience in software development, management, and consulting in the space of energy software solutions, healthcare information systems, content management solutions, and ecommerce applications

10 Cyber Security and Data Privacy

11 Overview Speakers Bob DiBella, Director Product Management Srini Ambati, Application Architect About Aclara Examples of Customer Data Presentment Security Risks and Best Practices Aclara experience 11

12 About Aclara Division of ESCO Technologies Industry leading Intelligent Infrastructure technologies Device networking, data-value management, and customer communications Serving water, gas, and electric utilities Over 500 utilities globally Providing print and digital consumer engagement for utilities since

13 Consumer Engagement Common set of objectives and benefits Increased awareness and participation Acceptance and adoption of Smart- Grid technologies Sustainable energy and water savings Provide access to electric, gas, and water data Make the data easy to understand Provide engaging content and tools Help consumers manage and control their use Provide measurable value back to the utility 13

14 Examples of Data Presentment Impact of AMI data presentment on the customer portal Fresh personal information is available daily Enables customers that want to be proactive about bills Creates recurring engagement 14

15 Examples of Data Presentment Proactive daily/weekly feedback and alerting Customer alerts program Bill to date Cost threshold Analyze data on customer s behalf Identify trends and anomalies Alert customer before trouble occurs Provide actionable advice 15

16 Do YOU trust computer systems? Most people don t! 16

17 Cyber Security Principles - CIA Confidentiality, Integrity, and Availability Triad Confidentiality Preventing disclosure of information to unauthorized users Security Control(s): Encryption, access control Integrity Preventing/detecting unauthorized modification of data, source code and binaries. Security Control(s): authentication, authorization, digital signatures, HMACs Availability Ensuring information, services, and equipment are available within tolerable response times Security Control(s): throttling, timeouts, resource cleanups Note: In addition, other properties, such as authenticity, non-repudiation, etc. can also be involved. 17

18 Cyber Security Important Definitions Weakness A deficiency The condition or quality of being weak Threat Undesired event or potential occurrence; may or may not be malicious in nature Might damage or compromise an asset or objective Vulnerability Weakness is some aspect or feature of a system that makes an exploit possible Can exist at the network, host, or application level Attack (or exploit) An action taken that uses one or more vulnerabilities to realize a threat Could be someone following through on a threat or exploiting a vulnerability Countermeasures Address vulnerabilities to reduce the probability of attacks or impacts of threats Do no directly address threats but address the factors that define the threats Range from improving application design, or improving code, to improving an operation practice. 18

19 Sound Familiar? Architecture Phase COMPLETE Design Phase COMPLETE Development COMPLETE Testing COMPLETE Security Audit/Review Uh..oh! Why didn t we think of security before? 19

20 Security Traumas at a Glance Loss or Compromise of Data Legal Consequences Business Interruption of Business Processes Great features won't matter unless customers trust our software Damage to Customer & Investor Confidence Loss of Revenue ~ Bill Gates Damage to Reputation 20

21 Securing Applications - Challenges Attackers vs. Defenders Attacker needs to understand only one security issue Defender needs to secure all entry points Attacker has unlimited time Defender works with time and cost constraints Security vs. Usability Secure systems are more difficult to use Complex and strong passwords are difficult to remember Users prefer simple passwords Security As an Afterthought Developers and management think that security does not add any business value Cost of addressing security issues only increases as software design lifecycle proceeds 21

22 Securing Applications - Tradeoff Low Cost You often get to pick any two, sometimes only one! Secure Usable 22

23 OWASP Top 10 Critical Application Security Flaws The Open Web Application Security Project (OWASP) Top 10: Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards (Reference: 23

24 Don t forget Flaws Related To Host Layer Security Network Layer Security 24

25 Secure Software Characteristics Secure by Design Secure by Default Secure by Deployment Secure by Communications 25

26 Secure Design Principles Use least privilege Promote privacy Reduce attack surface Use defense in depth Don't trust user input Fail securely Use secure defaults Assume that external systems are insecure 26

27 Finding, Fixing and Preventing Vulnerabilities Secure at the Source Information Security Standards Secure Coding Standards Secure Development Process Security Training Find and Fix Vulnerability Scanning Penetration Testing 27

28 Aclara Cyber Security Practices Cyber Security Security Design and Code Reviews as part of SDLC Access Control Policies Security Awareness Training and Education Personnel Security with Background Checks Security Model based on NIST Standards SSAE 16 (replaced SAS 70) SSAE 16 (SOC 2) compliance Annual review by third party auditors Third Party Application\Network Security Reviews Microsoft code review Third party vulnerability assessment/penetration tests 28

29 THANK YOU

30 Takeaways & Questions

31 Thank you! You will receive a copy of the slides to the address you used to register. Bob DiBella Director of Product Management Aclara Technologies RDibella@aclara.com Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies sambati@aclara.com Links and Resources: SGCC s Data Privacy and Smart Meters Fact Sheet - Aclara Technologies homepage -