Utility of the Future Virtual Event Series Monthly Virtual Studio Event Series for Utilities PART 1 OPERATIONAL AND CYBER SECURITY WITH AlertEnterprise WEDNESDAY, APRIL 30
Monthly Virtual Events, Last Wednesday of Every Month
Dates: April 30, May 28, June 25, July 30, August 27, September 24, October 29, November 26
Topics:
- Future of Operational and Cyber Security (April 30, this session)
- Future of Multichannel Foundation for Utilities
- Future of Utilities IT/OT Convergence
- Future of Pricing and Costing for Utilities
- Future of Cloud for Utilities
- SAP Utility in a Box
- Future of Waste and Recycling for Utilities
- Future of Energy and Portfolio Management, Payment and IDEX
- Future of Electro-mobility
2013 SAP AG or an SAP affiliate company. All rights reserved. 2
Industry Summary. Did you know...
- 2640+ utilities in 70 countries run SAP
- 1200+ utilities use SAP BusinessObjects
- 1450+ utilities running core ERP
- 660+ utilities managing 3B+ bills
- 550+ utilities managing assets
- 275+ power generation companies
- 380+ municipal utilities
- 135+ water utilities
- 140+ waste and environmental resources companies
- 78% of top 50 utilities (Forbes 2000) run SAP
- 100+ partners co-innovate with SAP Utilities
[Chart: Energy & Natural Resources vendor market share, SAP vs. Oracle, IBM, Microsoft, Infor, Siemens, Salesforce.com. Source: 2012 CMI Market Model]
91% of the utilities companies in the Forbes Global 2000 are SAP customers.
Security Convergence to Enhance Critical Infrastructure Protection Ron Fabela Sr Product Manager AlertEnterprise, Inc. Slide 5
Overview Complex Threats Convergence (and Why) Cyber Security Identity & Access Operational Compliance Attack Scenario Slide 6
Complex Threats Slide 7
Need for a Holistic Approach can be seen in Today's Headlines: Threats are Complex and Extend Well Beyond IT. #OPpetrol: Hacktivist Group Anonymous announced a June 20, 2013 Cyber Attack against Oil & Gas Infrastructure Slide 8
Complex/Blended Threats Span Across Many Industries (DHS sample list)
Threats damaging business & reputation:
- Sensitive Asset Diversion (Nuclear, Chemical...)
- Strict regulations (healthcare, utilities)
- Bio Terrorism (Food & Beverage)
- Drug Diversion (Pharmaceuticals)
- Theft (Retail, Airlines, Airports etc.)
- Transportation (terrorism, e.g. positive train control)
Monitoring both Access and Behavior is a must:
- Who has access to assets (physical, cyber...)
- Any suspicious behavior or activities
- Monitoring Privileged Users (guarding the guards)
Effective Response, Command and Control:
- Situational Awareness, Incident Response
Slide 9
Traditional Incident Management and Response: Hard to Scale, Things Get Missed
Geographically dispersed assets/locations:
- Guards with guns not cost-effective
- Impossible to cover all locations
- Putting staff at risk
3-ring-binder approach not effective:
- Organized and state-sponsored crime
- Too long to respond
Audit trail of incident management:
- How the incident was handled (learning tool)
Protection during emergency:
- Monitoring first responders
Leveraging investments in technology:
- IT, physical, operational systems
- Existing security systems
Slide 10
Why Convergence? Slide 11
Silos are Costly, Inefficient: Organizations Respond to Threats in Silos. Attackers Don't Think That Way.
[Diagram: three parallel silos (IT, PHYSICAL, SCADA), each with its own Access Management, Compliance and Security; underlying systems: IT Resources, Physical Access Control Systems, ERP, Directory Services, GRC] Slide 12
Current Security systems are misaligned or broken (heavy investments in silos, with little value) Slide 13
Cyber Security Slide 14
Addressing Cyber Controls [SANS Top 20] Examples:
- #10 Secure Configurations for Network Devices
- #12 Controlled Use of Administrative Privileges
- #14 Maintenance, Monitoring, and Analysis of Audit Logs
- #15 Controlled Access Based on the Need to Know
- #16 Account Monitoring and Control
True Convergence: AlertEnterprise Not Only Breaks Down Silos Within Each Control, but Enables Cross-Silo / Cross-Control Blended Security, Combined With Physical Security Data For Real Context [People/Places] Slide 15
Addressing Cyber Controls [SANS Top 20] #10 Secure Configurations: Configuration Security Across Silos. Correlation of Configuration Changes Across IT/Physical/OT. Not Only Was There A Change, But Was It Planned? Context! Slide 16
Addressing Cyber Controls [SANS Top 20] #12 Controlled Use of Admin Privileges: Privileged User Access Control. Know the Privileged User's Access Footprint. Monitor Privileged Access Authorization. React to Authentic Yet Unauthorized Activities. Slide 17
Real Time, Informed Response (IT/OT Convergence) Cross-Control & Cross-Silo Event Correlation Slide 18
Identity & Access Slide 19
Beyond Access Provisioning After-hours entry to a remote sub-station and change in critical SCADA device settings Slide 20
Safety Slide 21
Monitor How Access Is Used: Contextual Information for Efficient Response. User Behavior Monitoring to Detect Suspicious Actions. Personnel Risk Scores Based on Event History, Level of Access, Privileged User Roles. Automated and Recommended Remediation Steps Based on Event. Slide 22
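The three preceding slides (unplanned configuration change, after-hours substation entry followed by a SCADA setting change, and a per-person risk score) describe one correlation pattern. The following is an added example, not AlertEnterprise or SAP code: it joins constructed physical-access (PACS) records, SCADA change records and approved maintenance tickets, raises an alert when a change has no covering ticket or follows an after-hours badge-in at the same site, and then scores each person from role, sites accessed and alerts raised. Event shapes, field names, the 18:00-06:00 after-hours window, the 30-minute link window and all weights are assumptions.

```python
"""Cross-silo correlation: PACS badge-ins + SCADA configuration changes
+ change tickets, followed by a per-person risk score.

Added example, not AlertEnterprise or SAP code. All record shapes, field
names, thresholds, weights and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

AFTER_HOURS = (18, 6)                   # assumed: 18:00-06:00 local is after hours
LINK_WINDOW = timedelta(minutes=30)     # assumed: badge-in within 30 min is linked to a change
ROLE_WEIGHT = {"scada_admin": 30, "operator": 10}   # assumed role weights
SITE_WEIGHT, ALERT_WEIGHT = 5, 25                     # assumed per-site / per-alert weights


@dataclass
class Badge:
    """Physical access control system record: a person badged into a site."""
    ts: datetime
    user: str
    site: str


@dataclass
class ScadaChange:
    """Configuration change on an OT device, as logged by the SCADA system."""
    ts: datetime
    user: str
    site: str
    device: str
    setting: str


@dataclass
class Ticket:
    """Approved maintenance window for one device, assigned to one person."""
    device: str
    start: datetime
    end: datetime
    assignee: str


@dataclass
class Alert:
    user: str
    site: str
    device: str
    reasons: list
    severity: str


def is_after_hours(ts: datetime) -> bool:
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def is_planned(change: ScadaChange, tickets: list) -> bool:
    """A change is planned only if a ticket covers this device, this time and this person."""
    return any(t.device == change.device and t.assignee == change.user
               and t.start <= change.ts <= t.end for t in tickets)


def correlate(badges: list, changes: list, tickets: list) -> list:
    """One alert per SCADA change that is unplanned and/or tied to after-hours entry."""
    alerts = []
    for c in changes:
        reasons = []
        if not is_planned(c, tickets):
            reasons.append("no approved ticket covers device/time/person")
        # Physical context: did the same person badge into the same site just before the change?
        linked = [b for b in badges
                  if b.user == c.user and b.site == c.site
                  and timedelta(0) <= c.ts - b.ts <= LINK_WINDOW]
        if linked and is_after_hours(linked[-1].ts):
            reasons.append("after-hours badge entry followed by SCADA setting change")
        if reasons:  # credentials were valid in both silos; the combination is the signal
            alerts.append(Alert(c.user, c.site, c.device, reasons,
                                "high" if len(reasons) > 1 else "medium"))
    return alerts


def risk_scores(alerts: list, roles: dict, badges: list) -> dict:
    """Score = role weight + distinct sites accessed * SITE_WEIGHT + alerts * ALERT_WEIGHT."""
    scores = {}
    for user, role in roles.items():
        sites = {b.site for b in badges if b.user == user}
        hits = sum(1 for a in alerts if a.user == user)
        scores[user] = ROLE_WEIGHT.get(role, 0) + SITE_WEIGHT * len(sites) + ALERT_WEIGHT * hits
    return scores


# --- constructed sample data (not real events) -------------------------------
def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

BADGES = [
    Badge(T("2013-06-21 02:10"), "jdoe", "SUB-07"),     # after-hours entry to a remote substation
    Badge(T("2013-06-21 10:05"), "asmith", "SUB-03"),
]
CHANGES = [
    ScadaChange(T("2013-06-21 02:24"), "jdoe", "SUB-07", "RELAY-12", "overcurrent_pickup"),
    ScadaChange(T("2013-06-21 10:30"), "asmith", "SUB-03", "RTU-3", "poll_interval"),
    ScadaChange(T("2013-06-21 11:00"), "bjones", "SUB-03", "RTU-3", "poll_interval"),
]
TICKETS = [Ticket("RTU-3", T("2013-06-21 09:00"), T("2013-06-21 12:00"), "asmith")]
ROLES = {"jdoe": "scada_admin", "asmith": "operator", "bjones": "scada_admin"}

if __name__ == "__main__":
    found = correlate(BADGES, CHANGES, TICKETS)
    for a in found:
        print(a.severity, a.user, a.site, a.device, "; ".join(a.reasons))
    print(risk_scores(found, ROLES, BADGES))
```

In the sample data, asmith's change is covered by a ticket and happens in business hours, so it produces nothing; bjones changes the same device without a ticket (medium); jdoe badges into SUB-07 at 02:10 and changes a relay setting 14 minutes later with no ticket (high). Each login was authentic, which is exactly why neither silo alone would have flagged it.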
Reporting and Analytics Slide 23
Operational Compliance Slide 24
Moving Targets: NERC CIP v4, NERC Physical Security, NERC CIP v5, NIST Cyber Framework, NERC CIP v6, FISMA / DHS / Cyber Law
Hit the Moving Regulatory Targets:
- AlertEnterprise Solutions Provide the Holistic Framework to Meet Any Challenge
- AlertEnterprise Content Packs Quickly Adapt Without Custom Programming
- One Solution to Rule Them All
- Consolidated Data Provides Audit Confidence
Slide 25
Increased Focus New Threat in the News? New Regulation On the Way Slide 26
Closing Thoughts
Blended Defenses for New Threats:
- Correlation of Events Within Cyber Context Across All Silos
- Identify Unusual Asset Interactions
Elevating Context From Chaos:
- Connecting the Dots Between Systems
- Identifying Authentic Yet Unauthorized Activities
360 Situational Awareness:
- Not Just What is Happening, But Why
- Not Just Why, But How It Impacts
Meet Today's Evolving Compliance Requirements:
- Solid Convergence Foundation Enables Efficient Compliance
- Converged Platform Allows You to Be Ready For Anything
Slide 27
Attack Scenario Slide 28
Example End to End Scenario: Door Alarm at a substation, followed by Network Outage at the same substation. Sentry Event: physical alarm followed by communications outage. Slide 29
Example End to End Scenario: Concurrent threat indicators at Substations A/B. Physical security notified, deploy to Substations A/B. Slide 30
Example End to End Scenario: Line Outage at Substations A/B. Escalate event focus for operators: an outage with physical/comms events present indicates malicious intent. Slide 31
Example End to End Scenario: Load Rerouted to Substations C/D (now live). Position cameras on Substation C/D entry points, focus video monitoring on those locations. Slide 32
Example End to End Scenario: Threat Impact: EMS/TMS Operations center notified of physical/comms events (potential cause for outage). Impact Prevention: Physical security informed of load balancing to Substations C/D, deploy guards to investigate/protect critical area. Slide 33
Example End to End Scenario: Gunfire Detected at Substation C. Notify EMS/TMS operator of increased risk to Substation C assets. Physical access and maintenance ticket logs examined to determine if personnel are at risk in the area. Escalate remediation; physical security operations notify deployed personnel of the Life/Safety issue. Local law enforcement notified of active event [location, type, personnel in area]. Slide 34
Example End to End Scenario: Blackout Prevented. Attack on Substations C/D prevented: physical security / LEO in place at time of intrusion initiation. Power delivery outage prevented. Sentry correctly identifies potential new targets based on event correlation; monitoring and personnel deployed and operations disruption prevented. Slide 35
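The scenario above is a cascade of correlation rules: a door alarm followed by a communications outage at the same site becomes one incident; a line outage at an incident site is escalated as probably malicious; a load reroute makes the receiving substations the next likely targets and shifts cameras and guards there; gunfire at a watched site becomes a life/safety event enriched with who is on site. The following is an added example that implements those rules as a small stateful correlator, not AlertEnterprise's Sentry code. Event kinds, site names, the 15-minute alarm-to-outage window and the constructed timeline (including a lone comms outage at SUB-E that must not escalate) are assumptions.

```python
"""Stateful cascade correlation for the substation attack scenario.

Added example, not AlertEnterprise/Sentry code. Event kinds, site names,
windows, the on-site personnel table and the timeline are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COMMS_WINDOW = timedelta(minutes=15)  # assumed: door alarm -> comms outage within 15 min is one incident


@dataclass
class Event:
    ts: datetime
    kind: str                 # door_alarm | comms_outage | line_outage | load_reroute | gunfire
    site: str
    data: dict = field(default_factory=dict)


class CascadeCorrelator:
    """Consumes ordered events; emits (action, site, ...) tuples an operator console would show."""

    def __init__(self, on_site_personnel: dict):
        self.personnel = on_site_personnel   # site -> people, from PACS logs + maintenance tickets
        self.last_alarm = {}                 # site -> ts of most recent door alarm
        self.incident_sites = set()          # sites with a correlated physical + comms event
        self.watched = set()                 # sites flagged as likely next targets
        self.actions = []

    def _act(self, *action):
        self.actions.append(action)

    def handle(self, ev: Event) -> None:
        if ev.kind == "door_alarm":
            self.last_alarm[ev.site] = ev.ts
        elif ev.kind == "comms_outage":
            # Outage alone is routine; outage right after a door alarm at the same site is not.
            t = self.last_alarm.get(ev.site)
            if t is not None and ev.ts - t <= COMMS_WINDOW:
                self.incident_sites.add(ev.site)
                self._act("sentry_event", ev.site, "physical alarm followed by comms outage")
                self._act("dispatch_physical_security", ev.site)
        elif ev.kind == "line_outage":
            if ev.site in self.incident_sites:
                self._act("escalate_operators", ev.site,
                          "outage with physical/comms events present indicates malicious intent")
                self._act("notify_ems", ev.site, "physical/comms events are a potential cause of outage")
        elif ev.kind == "load_reroute":
            # Where the load goes is where the attacker goes next: shift monitoring ahead of them.
            for site in ev.data.get("to", []):
                self.watched.add(site)
                self._act("focus_cameras", site)
                self._act("deploy_guards", site, "load rerouted here; now a critical area")
        elif ev.kind == "gunfire":
            if ev.site in self.watched or ev.site in self.incident_sites:
                people = self.personnel.get(ev.site, [])
                self._act("notify_ems", ev.site, "increased risk to assets")
                self._act("life_safety", ev.site, people)
                self._act("notify_law_enforcement", ev.site, "gunfire", people)


def run(events: list, personnel: dict) -> list:
    """Replay events in time order and return the action list."""
    c = CascadeCorrelator(personnel)
    for ev in sorted(events, key=lambda e: e.ts):
        c.handle(ev)
    return c.actions


# --- constructed timeline following the slides' narrative ---------------------
def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

PERSONNEL = {"SUB-C": ["maintenance crew 4 (ticket MT-117)"]}   # constructed
TIMELINE = [
    Event(T("2013-06-21 01:00"), "door_alarm", "SUB-A"),
    Event(T("2013-06-21 01:04"), "comms_outage", "SUB-A"),
    Event(T("2013-06-21 01:05"), "door_alarm", "SUB-B"),
    Event(T("2013-06-21 01:08"), "comms_outage", "SUB-B"),
    Event(T("2013-06-21 01:09"), "comms_outage", "SUB-E"),   # no prior alarm: must not escalate
    Event(T("2013-06-21 01:20"), "line_outage", "SUB-A"),
    Event(T("2013-06-21 01:21"), "line_outage", "SUB-B"),
    Event(T("2013-06-21 01:25"), "load_reroute", "EMS", {"to": ["SUB-C", "SUB-D"]}),
    Event(T("2013-06-21 01:40"), "gunfire", "SUB-C"),
]

if __name__ == "__main__":
    for action in run(TIMELINE, PERSONNEL):
        print(*action)
```

The correlator keeps three small pieces of state (last alarm per site, incident sites, watched sites); everything the slides call "context" is a lookup against that state, which is why the isolated SUB-E outage produces no action while the identical event at SUB-A does.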
AlertEnterprise bridges the gaps across silos to provide a holistic Security Solution and mitigate blended threats.
[Diagram: Convergence Platform spanning Identity Risk and Administration, Operational Compliance, Situational Awareness and Incident Response, on top of IT Resources, Physical Access Control Systems and GRC] Slide 36
AlertEnterprise Ron.Fabela@alertenterprise.com Slide 37