White Paper. April 2006. Security Considerations for Utilities: Utilities Tap Into the Power of SecureWorks




According to a recent Harris Interactive survey, the country's leading business executives consider the threat posed by viruses and IT security breaches and the threat of power outages to be two of the top concerns they face today. While these are separate issues for most businesses, the risks are much greater and real for utilities management organizations responsible for service delivery and the protection of their own critical business infrastructure.

As a utility management organization, securing your information systems is the biggest challenge of your operations today, and the task is exceedingly difficult. On one hand, your systems are vital to the delivery of reliable services to your customers. Your organization is an essential link in a nationwide network relied on all the time, by everyone. On the other hand, your IT infrastructure is under constant attack from malicious software, hackers and other Internet threats. You remain a potential terrorist target. And finally, compliance standards requirements complicate matters and place increased pressure on your ability to operate a profitable business.

The Risks of an Unsecured Network

Without superior protection for your SCADA systems and your internal business networks, you risk financial loss, legal risks and a myriad of other consequences that can dramatically impact the continuity of your operations. A brief network outage could result in catastrophic shutdown of entire communities. Damage to internal systems could create disruptions or inaccurate billing, resulting in fines or legal ramifications.

To prevent disaster from occurring in your organization and to ensure you are meeting all current and emerging compliance requirements for your IT security (including those proposed by the NERC, which will likely become the new standards for utility security regulation), you need to have a firm grasp on the risks posed by today's threats to your SCADA and business networks and to identify a more cost-effective and proactive solution for meeting your ongoing IT security challenges.

Threats to Business Operations

As the threats and vulnerabilities facing the health and reliability of your network continue to increase, you need to protect your bottom line. Technology has revolutionized the utilities management industry, helping you to increase efficiency and to lower your business costs, but it comes with risks.

Unauthorized Access to Your Network

While improvements such as automated and wireless meter reading and integrated financials have created an automated system for billing customers, these same improvements have created new risks associated with the weaknesses found within the Internet environment and within the software systems used to power your businesses.

Reports vary when it comes to the severity of the volume of hacker attacks against utilities. While some industry experts predict 100-500 hacker attacks occur against utilities each year, publications such as InformationWeek recently reported that utilities face hundreds of hacker attacks each day. Regardless of the accuracy and reality of the data, it's evident that the number will continue to climb as utility companies switch from internal control systems to Windows-based networks that are easier for hackers to penetrate. Reports on unauthorized users gaining access to utilities are becoming more common, especially those with wireless capabilities.

International headlines included two Russian hackers that took control of a gas pipeline for 24 hours by penetrating the electronic control system and the story of a disgruntled employee in Australia that released 250 million tons of raw sewage by attacking a waste water management control system. [1] None of these examples is the catastrophic, terrorist attack on which so many are focused. Nevertheless, they created an enormous financial burden for the utilities involved, damaged their reputation with customers and most likely resulted in employee lay-offs. Organizations need to be proactive in protecting themselves from new and emerging threats before they cause critical disruption to their operations.

[1] On the Net: SCADA vs. the Hackers, Mechanical Engineering Magazine site: http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html

The Threat of Worms and Viruses

Hackers are only part of the problem when it comes to the risks that affect the performance of information systems. A recent survey of enterprise security decision-makers found that 63 percent of organizations have been attacked by viruses or worms in the past year. More than 45 percent have been affected by Trojans and backdoor viruses, and 35 percent have been victims of internal attacks according to research conducted by Amplitude Research. As utilities become more technologically advanced to streamline operations and reduce costs, they have become a prime target for malicious attacks by hackers that want to disrupt or cripple critical information systems.

The Vulnerabilities of SCADA Systems

It's estimated that more than 85 percent of utility management organizations have implemented web-integrated Supervisory Control and Data Acquisition (SCADA) systems to streamline operations and reduce costs. While this is major progress for the industry, new generation SCADA systems incorporate open standards, including Internet protocols and networked communications, which increase the risks posed by constant hacker attacks. To mitigate the risk of potential service disruptions, process redirection or manipulation of operational data that could result in public safety concerns, organizations are now putting SCADA security at the top of their IT priority lists for the coming year.

While SCADA systems are meant to improve monitoring and security, experienced hackers can access those systems that operate over the Internet. Securing the SCADA infrastructure is of critical importance to the energy industry. Improving the security environment for SCADA communications is essential to national security and new standards will be put into place beginning June 1, 2006.

Regardless of how new your SCADA system is, or what steps you have taken to secure it, you most likely have vulnerabilities that hackers can exploit. Most common are:

- Remote Access: anytime you provide access to your critical systems from outside your organization, you increase the likeliness that your system can be accessed by unauthorized users
- Network Configurations: if a firewall is bypassed or configured incorrectly, you can create a door for hackers to enter
- Disgruntled Employees: no security measure can prevent an attack from within; it's essential to take internal threats into consideration when preparing a comprehensive security plan
- Security holes, patches, viruses: third party security holes in operating systems, commercial databases and other applications can become security issues for SCADA systems
- Communication protocols not encrypted: older solutions that might still be in place are more vulnerable to attack

Partners like SecureWorks help utilities proactively detect and prevent malicious attacks against the infrastructure of computers and applications to exceed security requirements of North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) and other emerging requirements.

Protecting Business Continuity

Inadequate security can severely handicap the day-to-day operations of a utility. From automated meter reading (AMR), to customer record management, to online bill pay, both uptime and back-up are critical to maintaining your business. In addition, recent legislation means you can now face legal ramifications for failing to protect consumer information.

Utilities are responsible and accountable for the accuracy of their meters. The International Utilities Protection Association (IURPA) estimates that utility companies lose up to two percent in potential revenue per year due to energy theft. Utilities are instituting tighter controls to protect their income, including tighter monitoring of meter security. In order to eliminate financial losses and remain compliant, utilities need tighter controls on their information security. Compliance is also crucial to your business, both for receiving subsidies from the government and for meeting the new requirements set forth by the ERO.

As more customers migrate to the use of online bill pay and self-service account management, utilities have the added risk and responsibility of protecting sensitive personal financial information from falling into the wrong hands. Your information security strategy must incorporate solutions for protecting against data theft and loss, and from infiltration from hackers seeking consumer information for identity theft and online fraud. SecureWorks has the expertise and services designed to keep your business running, and will ensure that you don't lose time or money because of faulty network security.

A Picture of Today's Security for Utilities

Typical Internet security measures at utility management organizations include firewalls and antivirus software, intrusion-detection software, patch management, access management and monitoring, and regular penetration testing.

Though most utilities organizations are reluctant to share data on security violations with the public due to the negative publicity and the business implications, a recent confidential survey of utility IT management found that four percent have been infiltrated by a hacker in the past year. In reality, this number is larger, yet unreported because of the reluctance to report security breaches. 71 percent of all organizations in the U.S. reported unauthorized computer system use last year, with 28 percent of organizations reporting that they don't know if they have been infiltrated, according to the July 2005 report published by The Computer Security Institute with participation from the FBI.

Current federal and state standards for utility management organizations focus heavily on physical security measurements and disaster recovery preparedness, and information security compliance requirements have increased. Many organizations believe that compliance to security standards is required to safeguard the utility infrastructure of the United States. Tighter restrictions and increased standards will be created through partnerships with the government and industry.

How SecureWorks Helps Utilities

What if you could add 75 security experts to your staff overnight?

Hundreds of utilities have tapped into the power of the SecureWorks team of security experts to do just that. SecureWorks acts as an outsourced security team, protecting both your SCADA and business networks by detecting and preventing attacks through efficient and cost-effective solutions. Our experts quickly identify your risks and assist you in assessing, targeting and repairing gaps to your system at the perimeter, preventing network intrusion. In addition, we can help you design a Disaster Recovery Plan that meets ERO requirements.

SecureWorks can help you:

- Comply with government and industry regulations and compliance requirements such as ERO, DHS, NERC and FERC
- Proactively manage your risks of network outages by preventing malicious viruses, hackers and Distributed Denial of Service (DDoS) attacks
- Avoid costly network outages and disruption of services
- Demonstrate disaster recovery and prevention preparedness
- Realize greater return on investment and lower total cost of management from a comprehensive outsourced solution

What if you could anticipate attacks before they happen?

SecureWorks believes in pro-action, not reaction. Instead of patching problems as they occur, we continuously look for potential problems, providing the necessary updates as we find them. Protecting more than 1200 networks globally gives us more than 1200 different viewpoints and allows us to identify trends and stop attacks before they get to you.

What SecureWorks Will Do For Your Utility

Seal your network from attacks. SecureWorks Intrusion Prevention contains three levels of protection. First, the iSensor appliance stops attacks real-time; we manage any necessary updates. Second, our expert security analysts continuously monitor your network, taking action as needed. Lastly, you'll receive detailed, yet easy-to-understand reports that can be shared throughout departments.

Take a preventative approach to network security. SecureWorks Network Vulnerability Assessment tool reviews all aspects of your network from behind the firewall and identifies potential gaps. The SecureWorks Vulnerability Assessment analyzes every IP address, computer, server and networked device on your utility network and also checks all operating systems, Web server platforms, mail servers, routers, switches and hubs. The process takes less than an hour and at the end you'll receive a detailed explanation with recommended fixes for any vulnerabilities found.

Whether you are looking for a partner to secure your SCADA, business or Internet network environment, SecureWorks has industry-specific information security experts and solutions to meet your needs. As the threats and vulnerabilities facing the health and reliability of your network continue to increase, you need a partner that understands your industry and has specific solutions to solve new and emerging challenges.

Stop Attacks Before They Even Get to the Door. SecureWorks Firewall Management includes policy design, installation, configuration, reporting and emergency response and our security operations center is a state-of-the-art facility constructed with network, power and system redundancies. Comprehensive firewall monitoring is conducted by our security experts twenty-four hours a day, seven days a week.

Let the experts do the work. SecureWorks Professional Services team provides the expertise and analysis to help you assess your compliance and security posture and to recommend improvements. Our team helps you comply with government and industry regulations and compliance requirements, such as ERO, DHS, NERC and FERC.

Strengthen the entire network. Utilities are linked to others from all sides, whether it is the grid back to your electric provider or the connection to the company you use to offer online bill pay. This linkage creates greater risk for your network and greater responsibility for your security. Plus, your network is open to attack twenty-four hours a day, seven days a week. Make sure you have a way of protecting it. SecureWorks provides comprehensive services to protect your network on every level. Our experts, coupled with our cost-efficient solutions, provide you with a one-stop resource for total network security with constant network monitoring.