Security Aspects of Operating IT Systems. Christian Leichtfried, BDE Smart Energy, IBM Austria, December 2011.

© 2011 IBM Corporation

What is Security? Is Security achievable? Where to begin?
IBM has a long history in IT security in the banking and financial industry and in the public sector. How can Smart Metering benefit from this expertise? Only an in-depth concept can reduce security risks to an acceptable level.
(Diagram of compliance areas: Manage Licensing Processes with Regulators; Corporate Compliance; Rate Case Processes; Compliance Information Collection; Common Compliance Practices; Cyber Security Compliance Management.)
The answer is an End2End Security Process.

Requirement: Sabotage Reporting
Sabotage Reporting provides directives and procedures for the detection, recognition and reporting of sabotage events. It specifies procedures for communication with appropriate parties and local authorities, and it expects security monitoring tools to provide near real-time notifications for reporting. IBM can help a utility to continuously monitor security violations during operations and to detect out-of-compliance conditions. Such products can also track the activity of privileged users, including their physical location, which deters insider attacks.

Requirement: Critical Asset Identification
This requirement recognizes the need for the identification and documentation of critical assets. Identifying these assets and their relationships provides the basis for applying security principles within each asset's function as well as to the communication between the asset and other assets in the grid value chain. IBM can assist in building an integrated asset management solution.

Requirement: Security Management
This requirement calls for documenting and implementing a security policy that represents the company's commitment to security and its ability to secure critical assets. IBM can provide: 1. policy management, 2. authentication and authorization of grid system commands, 3. protection and inspection of all XML traffic across network boundaries, 4. management of the keys used to encrypt stored data, 5. enablement of change management processes for configuration changes to cyber assets, 6. comparison of activity logs against security policies, and provision of centralized identity, access, attestation and audit services.

Requirement: Personnel & Training
This requirement defines the obligation of utility management to conduct thorough personnel risk assessments in accordance with federal, state, provincial, and local laws. All personnel with authorized cyber access or authorized unescorted physical access to critical cyber assets and field assets must be granted access on a "need-to-know" basis. IBM can help oversee the entire process of managing personnel risk assessments, including enrollment, proofing, and background checks as part of the identity vetting process.

Requirement: Electronic Security Perimeter
The utility is responsible for ensuring that every critical asset resides within an electronic security perimeter. This perimeter and all of its access points need to be identified, documented, and controlled. IBM solutions for intrusion and anomaly detection not only protect IT networks from worms, malware and viruses, but also monitor traffic between intelligent field devices for signs of suspicious activity.
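The two checks this requirement implies (every critical asset inside a perimeter; boundary traffic only through documented access points) can be automated against an inventory and flow records. The following is an added example, not code from the presentation or an IBM product; the perimeters, asset addresses, access points and flow records are constructed sample data.

```python
"""Electronic Security Perimeter (ESP) compliance checks over constructed data."""
from ipaddress import ip_address, ip_network

# Constructed ESPs: perimeter name -> address range inside it (hypothetical)
ESPS = {"substation-A": ip_network("10.10.1.0/24"),
        "control-center": ip_network("10.20.0.0/16")}

# Constructed critical cyber assets (hypothetical addresses)
CRITICAL_ASSETS = {"rtu-01": "10.10.1.5",
                   "scada-hist": "10.20.3.7",
                   "meter-gw-9": "192.168.77.4"}   # deliberately outside any ESP

# Documented access points: the only addresses allowed to bridge an ESP boundary
ACCESS_POINTS = {"10.10.1.1", "10.20.0.1"}


def esp_of(addr):
    """Return the name of the ESP containing addr, or None if it is outside every ESP."""
    ip = ip_address(addr)
    for name, net in ESPS.items():
        if ip in net:
            return name
    return None


def assets_outside_esp():
    """Check 1: every critical asset must reside within some ESP."""
    return sorted(name for name, ip in CRITICAL_ASSETS.items() if esp_of(ip) is None)


def undocumented_crossings(flows):
    """Check 2: flag flows that cross an ESP boundary without touching a documented
    access point. flows is an iterable of (src, dst) address pairs."""
    findings = []
    for src, dst in flows:
        crosses_boundary = esp_of(src) != esp_of(dst)
        if crosses_boundary and not ({src, dst} & ACCESS_POINTS):
            findings.append((src, dst))
    return findings


# Constructed sample flow records (hypothetical addresses)
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.9"),       # inside one ESP: fine
    ("10.10.1.5", "10.10.1.1"),       # to the documented access point: fine
    ("10.20.3.7", "203.0.113.20"),    # leaves the ESP bypassing the access point: flag
    ("10.10.1.5", "10.20.3.7"),       # ESP to ESP with no access point involved: flag
]

if __name__ == "__main__":
    print("critical assets outside any ESP:", assets_outside_esp())
    print("undocumented boundary crossings:", undocumented_crossings(SAMPLE_FLOWS))
```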

Requirement: Physical Security of Critical Assets
This requirement defines the physical security of a critical asset as comprising five distinct elements: deterrence, detection, assessment, communications, and response. A command and control center solution provides advanced physical security integration, enabling organizations to control, monitor and maintain disparate security systems and assets through its interfaces. IBM can help with process definition and security analysis.

Requirement: Systems Security Management
This requirement directs security management and testing procedures, patch management, account management, and vulnerability analysis. Organizations need to ensure that new assets, and significant changes to existing cyber assets within the electronic security perimeter, do not adversely affect existing cyber security controls. IBM has a worldwide team called X-Force to support customers; its periodic report is freely accessible on the Web.

Requirement: Incident Reporting and Response Planning
This requirement calls for IT and process-control operations to develop and maintain a cyber security incident response plan, documenting the procedures to classify and escalate events and to report security incidents to the authorities. IBM's service, incident, and problem management capabilities help manage the handling of security incidents with a well-documented, repeatable workflow.

Requirement: Recovery Plans for Critical Cyber Assets
This requirement ensures that recovery plans are put in place for critical assets and that these plans follow established business continuity and disaster recovery techniques and practices. IBM can help enable service delivery and support processes for even the most dynamic IT infrastructures, ensuring business resilience and faster recovery from failures.

To meet the requirements we need security by architectural thinking
Security design should be an integral part of the first phase of developing a smart metering architecture, in order to maximize its benefits and minimize future risks.

Thank you
Christian Leichtfried, BDE Smart Energy, IBM Österreich, Obere Donaustraße 95, A-1020 Wien