How Much Cyber Security is Enough?




Transcription:

How Much Cyber Security is Enough?
- Business Drivers of Cyber Security
- Common Challenges and Vulnerabilities
- Cyber Security Maturity Model
- Cyber Security Assessments
September 30, 2010
Business in the Right Direction. Go West.

Presenters
Dan Belmont, Senior Principal
312-980-9385, dbelmont@westmonroepartners.com
Background:
- 20 years in industry-related engineered technology and telecommunications products sales, marketing, business and market development
Other Related Experiences:
- Vice President and Founder of wireless broadband company that designed, financed, developed and grew a 30 tower, 3000 endpoint Motorola Canopy wireless broadband network throughout the Chicago suburban market
- Key contributor to Smart Grid Utility initiatives through assessment, business case, vendor relationships, RFP design and development, project management and deployment for over 30 vendors and 4 separate RFPs at a major Midwest utility
Papers & Presentations:
- "Smart Grid IP Communications Network: A NERC/CIP Compliant MPLS Approach", Utilimetrics Autovation, Denver, CO, September 2009
- "The Smart Grid Journey: Create Your Smart Grid Assessment Profile S-GAP", West Monroe Partners Newsletter, August 2009
- "Smart Grid Stimulus and IP Communications Technology", Webinar with Alcatel-Lucent, May 2009
- "Creating a NERC/CIP Compliant Smart Grid IP Communications Network", West Monroe Partners White Paper, February 2009

Presenters
Michael Manske, Security Principal
312-980-9431, mmanske@westmonroepartners.com
Background:
- With a focus on network design and security, Michael brings over 10 years of experience providing a variety of technologies including networking hardware and software, security, voice over IP, and client/server software solutions.
Related Experiences:
- Completed Cyber Security Plans required by the Department of Energy (DOE) for five grant winners. The DOE has approved and accepted all five Cyber Security Plans.
- Led the requirements gathering for an IP/MPLS microwave backbone communications network for mobile voice, mobile data, and data collection for 500,000 AMI meters covering an area of 6,000 square miles. These requirements were centered around the network remaining NERC/CIP compliant, and the exercise ultimately led to the creation of a NERC/CIP Security Handbook.
Key Relevant Skills:
- Cisco CCSP (Cisco Certified Security Professional)
- CCNP (Cisco Certified Network Professional)
- Extensive knowledge of cyber security requirements, particularly around NERC/CIP and NIST requirements
- Extensive experience with MPLS routing and IP design

Agenda Topics & Takeaways
Key Topics:
- Past Security Projects and Experiences
- Understanding Cyber Security
- Pain Points and Challenges
- Benefits of Cyber Security
- Business Drivers of Cyber Security
- Security Maturity Model
- Common Industry Gaps
- Grid Security Approach
- Cyber Security Assessment
- Cyber Security Solution
Key Takeaways:
- Understand Cyber Security Challenges
- Determine how much security is enough
- Cyber Security Assessment

Past Security Projects and Experiences
- West Monroe's Energy and Utilities Practice
- Past and Present Cyber Security Projects

West Monroe's Energy and Utilities Practice
Design, Manage, Integrate, Evaluate & Implement, Develop, Assess, Develop & Execute, Enhance, Create
- Create Smart Grid solutions appropriate for the utilities and their customer base
- Create enterprise PMOs to manage large scale programs or day to day IT operations
- Design and implement IT infrastructure and security needs and future oriented infrastructure strategies
- Apply Smart Grid applications, hardware and solutions
- Design and integrate new IT applications
- Examine resources including IT, people, process, facilities, customer, and strategy aspects
- Integrate IT operations and critical business processes
- Grow and encourage collaboration and content management through portals and other tools
- Business intelligence capabilities that manage both large scale projects and day to day operations
ComEd, Rappahannock Electric Cooperative, Dayton Power & Light, Southwest Transmission Cooperative, Seattle City Light, Knoxville Utility Board, Upper Peninsula Power Co., City of Naperville, Wisconsin Public Service, Integrys, Mohave, Sulphur Springs Valley Electric Coop

Past Security Projects and Experiences: Cyber Security Experience
American Recovery & Reinvestment Act Grant (ARRA)
- Completed Cyber Security Plans required by the Department of Energy (DOE) for five grant winners
- DOE has approved and accepted all five Cyber Security Plans
Smart Grid Investment Grant Program (SGIG)
- Created and delivered well over a dozen customized and detailed Cyber Security plans for utilities during the Smart Grid Investment Grant Application Process.
- Feedback received from the DOE following application review indicated that the Cyber Security Plans were considered strengths of the applications.
Cyber Security Assessments
Cyber Security Handbook
Network design with security best practices
Cyber Security requirements for Smart Grid Systems: AMI, MDMS, OMS, BSB, DMS, SCADA, eportal, etc.

Past Security Projects and Experiences: Current Project Example
Assessment, Grant Application, Cyber Security Plan, Design Architecture, Deploy, Testing and Audit, Finalization and Training
Infrastructure Design (Server/Network)
Designs: Firewalls, Remote Access, Centralized Authentication, Access Segmentation, Server Shared Services
Deliverables: Infrastructure Design Document, Equipment Requirements Document, Cyber Security Handbook, Security Deployment Plans
Active Directory, Firewalls, Redundancy and Load Balancing, Intrusion Prevention System, Centralized Authentication and Logging Server

Understanding Cyber Security
- Business Drivers of Cyber Security
- Pain Points and Challenges
- Benefits of Cyber Security
- Security Maturity Model
- Common Industry Gaps
- Grid Security Approach

Understanding Cyber Security: Business Drivers of Cyber Security
#1 Grid Reliability
#2 Prevent Security Breaches
#3 Control System Failures
#4 Compliance and Audits
#5 Consumer Information Privacy

Understanding Cyber Security: How much security is enough?
Questions Utilities Are Asking:
- What are your security gaps and costs associated with being industry compliant?
- How are you controlling operating cost and experiences related to smart grid security?
Required / Optional?

Understanding Cyber Security: Smart Grid Field Technology Enabled with Communications
- Home Area Network (HAN): Home Energy Display, Programmable Thermostats, Load Control Relays, Renewable Energy Generation, PHEV/EV Smart Charging
- AMI: AMI Communications, Smart Meters, Distribution Automation, Microwave/Fiber Backhaul
- Backbone IP Communications: Connectivity to AMI comm., Connectivity to substations, Connectivity to 2 Way Radio
- 2 Way Voice & Data: Power Quality Meters, Vehicular Radios, Portable Radios
- Service Center, IT Hand Off
- Substation & Distribution Communications: Microwave or Fiber Based Broadband, SCADA to Substations, Communications to AMI equipment, Distribution Automation
- Enterprise Bus: Customer Billing/CRM, Load Control Management System, Meter Data Management System, Outage Management System, Distribution Management System, Energy Management System

Understanding Cyber Security: Systems Integration Challenges
Integration Benefits / Integration Challenges

Interoperability and Technology Challenges
- Lack of Standards
- Bleeding Edge Technologies
- Evolving Security Standard
- Complex Cyber Security Standards
Industry Standards: IEEE 1686-2007, AMI-SEC v1.01, NERC CIPs, NIST IR 7628, NIST SP 800-53, NIST SP 800-82

Other Security Concerns
Is your infrastructure ready for:
- Hackers?
- Insider threats?
- Cyber terrorists?
What are the costs for:
- Filling Security Gaps?
- Continuous Operational Diligence?
- Ongoing Staff training on Smart Grid technologies?

Understanding Cyber Security: How much security is enough?
Cyber Security Main Business Drivers: Grid Reliability; Reduce Security Breaches; Compliance and Audits
Required / Optional?

Understanding Cyber Security: Security Maturity Model
Levels: Initiating (Unsecure), Investing (Non Compliant), Integrating (Compliance), Optimizing (Industry Best Practices), Innovating (Beyond Compliance)
Characteristics, from least to most mature:
- Undocumented security policies and procedures
- Flat networks
- Isolated IT and Control Networks
- Some documented security policies and procedures
- Limited Segmentation
- Manual Server Management (antimalware and patching)
- Documented security policies and procedures
- Segmentation and firewalling
- Security audits
- Documented disaster recovery procedures
- Intrusion detection
- Automated Server Management (antimalware and patching)
- Network Access Control
- Log Correlation
- Penetration tests
- All critical systems in disaster recovery with annual tests
- Intrusion prevention
- Media protections
- Full end-to-end encryption
- Event Management
- Security cameras, door sensors, and badge reader at all substations
- Fully automated disaster recovery location
- Yearly penetration tests
- Redundant and vendor diverse security systems
- Centralized authentication and logging

Cyber Security Approach: Cyber Security Plan Steps
Creating a Cyber Security Plan
1. Roles and Responsibilities
2. Logical Interface Analysis
3. Risk Management and Assessment Strategy
4. Identify Security Controls
5. Defensive Strategy
6. Business Case

Cyber Security Approach: Cyber Security Plan: Roles and Responsibilities
- Cyber Security Program Sponsor
- Security Manager (Physical and Cyber Security)
- Cyber Security Program Manager
- Cyber Security Specialist (SCADA)
- Cyber Security Specialist (IT)
- Cyber Security Incidence Response Team Members
- Auxiliary Staff

Cyber Security Approach: Cyber Security Plan: Logical Interface Analysis

Cyber Security Approach: Cyber Security Plan: Risk Management and Assessment Strategy
Identify Threats and Vulnerabilities:
- Policy and Procedure Vulnerabilities
- Platform Vulnerabilities
- Network Vulnerabilities
- Communication Vulnerabilities
Perform Risk Assessment:
- Mitigation, Likelihood, and Impact

Cyber Security Approach: Cyber Security Plan: Security Controls Strategy
Security Controls Strategy:
- Management Controls
- Operational Controls
- Technical Controls
Defensive Strategy: Technical, Management, Operational

Cyber Security Approach: Cyber Security Plan: Business Case
- Identify business benefit and impacts
- Create a cost benefit analysis
- Develop a GAP analysis with short term and long term execution plans

Understanding Cyber Security: Common Industry Gaps
Levels: Initiating (Unsecure), Investing (Non Compliant), Integrating (Compliance), Optimizing (Industry Best Practices), Innovating (Beyond Compliance)
Are you here?
Common Industry Gaps:
- Network Segmentation and Firewalls
- Centralized Monitoring and Logging
- Intrusion Prevention/Detection (IPS/IDS)
- Authentication
- Server and Workstation Management
- Encryption and Media Protection
- Policies and Procedures
- Security Assessments and Audits

Understanding Cyber Security: Common Industry Questions
- Do I need a firewall at every substation?
- What servers should be segmented?
- How do I provide user access to firewalled Smart Grid applications?

Grid Security Approach
What should your security approach be?
- Design for reliability and resilience
- Comply with Industry Regulations
- Build security around industry standards
- Create a Cyber Security Plan

West Monroe's Cyber Security Offerings: Cyber Security Handbook
Cyber Security Handbook:
- Executive Summary
- Cyber Security Roles and Responsibilities
- System Characterization (Logical Interface Analysis)
- Risk Management and Assessment Strategy
- Defense In Depth Strategies
- Security Controls Strategy
- Business Case

West Monroe's Cyber Security Offerings
- Cyber Security Solution
- Why West Monroe
- Offerings

West Monroe's Cyber Security Offerings: Why West Monroe
West Monroe leverages industry expertise and previous cyber security projects:
- DOE Approved cyber security and interoperability plans
- American Recovery & Reinvestment Act Grant (ARRA)
- Smart Grid Investment Grant Program (SGIG)
- Solid cyber security framework
- Experienced West Monroe Resources
- Subject matter experts and industry certified
- Understand marketplace trends
- Participation in industry roundtables
- Experience in AMI, MDMS, LCMS, GIS, SCADA, and telecommunication systems
- Vendor independent design solutions
- Understand latest security standards

West Monroe's Cyber Security Offerings: West Monroe Offerings
Solutions West Monroe can provide:
- Security Assessments
- Detailed Infrastructure Design
- Identify Equipment Requirements and RFPs
- Policy Development/Creation
- Security System Implementation Services
- Telecommunication Assessments
- Security Project Management
- Security Subject Matter Expert

West Monroe's Cyber Security Offerings: Next Steps
How do I move forward?
- Cyber Security Assessment: Initial Interviews, Assessment and Gap Analysis (1-2 wks)
- Cyber Security Plan: High Level Network Design and Cyber Security Handbook (4-6 wks)
- Implementation and Integration plan: Deployment and Configuration
- Managed Services: 24/7 management and monitoring, Intrusion Protection

Questions?
Dan Belmont, 312-980-9385, dbelmont@westmonroepartners.com
Michael Manske, 312-980-9431, mmanske@westmonroepartners.com

Relevant Experience: Security
Design Services
- Network Design and Security Assessment (Firewall, VPN, NAC, MPLS, and IPS)
- Hardware and Vendor Selection: Firewall, VPN, NAC, MPLS, and IPS
- Firewall Design: VLANs, interfaces, vendor/client access, and traffic flows
- Security: Security Zones, access restrictions (users and applications)
- Optimization: Failover, redundancy, and performance
- Management: Centralized management
Implementation Services
- Firewall: Routing, security, and ACL configuration
- VPN: Site to Site VPN and Remote access (IPsec and SSL)
- Network Access Control (NAC): Server and user configuration and testing
- Intrusion Prevention Systems (IPS): Configuration, optimization, and logging
Maintenance Services
Deliverables
- Audits: Firewall rule and access control list audits
- Security Design and Configuration Guide
- Security Handbook

Relevant Experience: High Availability Network Design
Network Design Services
- Highly available and redundant network designs
- Planning for disaster recovery and business continuity planning
- Design and implement solutions for many industries with the highest uptime requirements
Vendor Selection Services
- Compare solutions and recommend hardware and circuit vendors that fit the client's needs
- Point of contact for vendor negotiations
- Leverage industry knowledge for estimating costs
Implementation Services
- User, application, and network migration planning
- Equipment configuration and cutover
- Failover and performance testing
- Documentation and knowledge transfer
Deliverables
- Network Design Document

Case Study: High Availability and Disaster Recovery
Planning, design, and implementation. West Monroe Partners has the ability to lead all phases of a disaster recovery project.
Financial industry client offers an Application Service Provider hosting solution for electronic futures trading. The ability for the client to provide a reliable network delivering maximum stability is the backbone of their business model. The client has three robust, redundant data centers to furnish fast, reliable market connectivity to many of the world's largest exchanges.
Business Case: As the client grew their client base, the need to improve efficiency and reliability became paramount.
- Additional datacenter space
- Improved efficiency and reliability of the network
- Disaster recovery Design and Implementation
Solutions: With a deep understanding of both the application and network technologies, West Monroe Partners developed a solution that would utilize multiple datacenters in an active-active architecture.
- Three (3) datacenter active-active architecture
- Automatic failover for all networking equipment
- Secure communication to trading exchanges and customers
Technologies Implemented:
- Cisco ASA Firewalls
- Cisco VPN Concentrator
- Cisco Routers and Switches
- F5 Load Balancers and Link Controllers
- OSPF and Multicast Routing