Addressing Cyber Security in Oracle Utilities Applications Anthony Shorten Principal Product Manager Oracle Utilities Global Business Unit Sept, 2014
Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.
Session Agenda 1 2 3 4 5 Cyber Security for Utilities Overview Oracle's Development Security Overview Oracle Utilities Application Framework Security Features Oracle's Security Solutions Security Roadmap 4
Rapid Evolving Utilities 100 yr Simple, One Directional 7 yr Online Customer Accounts Today Smart Devices Sell Energy Back State Commands Device Control Data Energy Account Transactions Home Energy Controller Smart Thermostat Home Area Network Home Display Devices Smart Meters Web Browser Renewables Energy Usage Reports This new, bi-directional data exchange brings with it new complexities, new processes, new relationships and new risks. 5
Security Challenges It is not just about malicious hackers! Complex regulatory and privacy frameworks Continued requirement to demonstrate compliance Difficulty of managing risks in global ever-changing business environment (e.g., cloud ) Increasingly complex security requirements for networked applications and systems Potential risks associated with insider threats 6
Multi-Dimensional Aspects of Security IP theft and economic espionage Financial fraud and organized crime Sophisticated hackers Opportunistic insiders Today s threats What s at stake Intellectual property Customer, employee, citizen, corporate data Financial loss Reputational loss Fines & penalties Internal and external audits Changing regulatory landscape Data and systems consolidation Changing environments (mobile devices, cloud, etc.) Other challenges 7
Utility CIP Cyber Security Best Practices NERC CIP Regulation Background Response to Northeast blackout "make reliability standards mandatory and enforceable, with penalties for noncompliance" FERC approval on January 16, 2008 gives the authority to invoke fines and penalties: Self-assessment for compliance Audited by Regional Reliability Org. Access to data and audit records for 3 years Penalties for noncompliance 8
Utilities Industry Standards Industry standards Critical Infrastructure Protection Industry Driven Compliance Utilities are certified, vendors support Processes supported by software for compliance CIP # CIP-002 CIP-003 CIP-004 CIP-005 CIP-006 CIP-007 CIP-008 CIP-009 CIP-010 CIP-011 Standards Area Critical Cyber Asset Identification Security Management Controls Personnel & Training Electronic Security Physical Security of Critical Cyber Assets Systems Security Management Incident Reporting and Response Planning Recovery Plans for Critical Cyber Assets Config. Change Mgmt. and Vulnerability Assessments Information Protection 9
CIP-007: Systems Security Management Provide for Cyber Asset Security & Business Continuity Management/Disaster Recovery Secure critical and non-critical cyber assets in an electronic security perimeter Business Continuity Management/Disaster Recovery requirements include: Security patch management Identification of vulnerabilities and responses Change control and configuration management Operating status monitoring tools Back up and recovery systems and procedures Test procedures 10
OWASP Based Security Oracle uses industry standards Assessments against threats on an ongoing basis Built into development process Assessed using internal tools and industry assessment tools A1 A2 A3 A4 A5 A6 A7 A8 A9 Standard Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards https://www.owasp.org/index.php/category:owasp_top_ten_project 11
Oracle's Security DNA Security is integral part of our development process Basic Tenets: Security never sleeps Security is part of every design Oracle has strict security requirements for its products Code is developed using Secure Coding Standards All products are security assessed manually and automatically Security Design Secure Coding Practices Security Assessments Security Procedures 12
Basic Implementation Tenets of Security Security Design Security Configuration Security Monitoring
Oracle Utilities Security Features 14
Compliance Features of Oracle Utilities products Security Features Authentication Services Authorization Services Auditing Services Encryption Services Security Testing Training Simulator (NMS) to simulate security Oracle Application Testing Suite for Oracle Utilities Security feature testing Business Continuity Support Oracle Maximum Availability Architecture (MAA) Oracle Enterprise Manager Patch Identification Patch Management Asset Tracking Availability Tracking Security Tracking Intrusion Tracking 15
Oracle Utilities Security Principles Protect all facets of security Authorization Who are you? Authentication What can you do? Encryption Protect the data you have Protect all channels (online, mobile, batch, web services) Use Oracle technology for security integration Offer out of the box solutions Offer integration to Oracle extensive security products Offer flexible and extendable security facilities 16
Infrastructure Security Working within Infrastructure Authentication Authorization Roles Audit Policy Store Security Providers Oracle WebLogic Oracle Database Oracle Utilities Application Oracle Utilities Schema Security Options Encryption Database Vault Audit Vault Network Security 17
Securing Access and Rights Authentication Who Are You? User records are stored and managed in Security Repository Oracle integrates to a wide range of security repositories Support for advanced authentication (e.g. Biometrics, Client Certificate, Kerberos, WS-*, X.509, SAML etc) Support for user enablement Security Cache support Support for User Provisioning Authentication What Data and Process can you access? Data, Menu and Function access by user and user group Access Mode Support Effective Date support Extensible Security Model via Security Type support JAAS Support Administration functions are protected via roles Support for Authorization Provisioning 18
Encryption and Data Masking Protecting Your Data Encryption of key data and security information Support for various cryptography standards (e.g. AES, DES, Triple-DES, SHA etc) Support for flexible key strength (e.g. 128 1024) Support for column encryption Support for column masking Support for hashing and padding for advanced security Support for JCEKS key stores 19
Other Security Facilities Introduction of timeouts Inactivity timeouts Transaction timeouts Decreased security cache latency Auditing Support Inbuilt Auditing Facility including inquiry auditing Audit Vault Support for enterprise wide auditing Identity Propagation Tagging Support Propagating security information across architecture 20
Oracle's Security Solutions Augmenting product security 21
Augmenting Security Security Product Oracle Identity Manager Oracle Access Manager Oracle Adaptive Access Manager Oracle Internet Manager Oracle Virtual Manager Network Encryption Transparent Data Encryption Database Vault Audit Vault Web Services Manager Identity Analytics Use Cases User Provisioning and Password Rule Management, Identity Self Service Access Control, SSO, Login Services, Password Management, User Tracking Fraud Detection LDAP based security repository LDAP virtualization, provides LDAP interface for non-ldap Database connection encryption Data File level encryption Database permission control Centralized externalized Auditing Access Control and Advanced Security for Web Services Security Tracking, Security KPI's 22
Security Architecture Identity Provisioning Identity Manager Access Governance Access Manager Security Analytics Identity Analytics Oracle Utilities Application Directory Services Internet Directory Virtual Directory Unified Directory Database Permissions Database Vault Web Services Web Services Manager Audit Services Audit Vault Fraud Detection Adaptive Access Manager 23
Security Roadmap 24
Security Roadmap Security Never Sleeps Enterprise Wide Security Oracle Platform Security Services integration Allowing flexible security providers (e.g. Entitlements Server) Allow lower level access controls Security Dashboards (AMPOU) Real Time Security Metrics for Oracle Utilities applications Enterprise Wide Tracking ECID Support REUI/BTM Support 25
Oracle Platform Security Services Cloud Apps Applications Devices Utilities Applications Developers Fusion Middleware Oracle Platform Security Services Authentication Authorization Roles Audit Directory Services User Provisioning Policy Store Session Management Security Providers LDAP Files Database 26
For More Information Oracle Security Solutions Oracle Software Security Assurance Oracle Utilities Whitepapers 27
Questions 28