Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.


Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007

© Copyright 2007, Southern California Edison

Slide 2: Security History and Status

Pre-RFP
– Initial security analysis focused on threat assessments, information classification, NERC CIP analysis, and functional expectations
– Conceptual security architecture based on business and regulatory requirements. This architecture showed the system capabilities and the end-to-end cryptographic information flow
– Functionality represented within the conceptual architecture focused on:
  - Preventing unauthorized access to, or control of, the AMI network
  - Secure meter registration and revocation
  - AMI device authentication
  - Customer data integrity/confidentiality
  - Advanced intrusion detection
– Conceptual security architecture validated with a technology- and method-specific design example (AMI Reference Architecture). The design used AMI Lightweight Cryptographic Services (ALCS) based on robust secret sharing techniques. The reference architecture was used for internal validation only…
– Confirmed vendor responsibility
– Continuing concerns over vendors' technical capability maturity

RFP
– Requirements abstracted to the highest functional representation to allow for vendor design flexibility
– Conceptual architecture and information shown as an example
– Capability maturity risk mitigation: recommend partnering with a third-party security vendor

Current
– Vendors' RFP security responses confirmed the capability concerns (varied by vendor)
– In general, current vendor security-related capability maturity is low

Slide 3: Strategies and Principles

– AMI security artifacts are specified and designed as a response to business requirements, regulatory requirements and environmental threats
  - Uses the Unified Information Assurance Framework (i.e., systems-engineering-based methodologies)
  - Functional requirements are appropriate given the risk analysis
– AMI security services are part of the unified business enterprise (i.e., TDBU, CSBU, IT)
– Use industry engagement (when appropriate) to further industry capabilities
  - Motivate vendors through standards
  - Design vetting
  - Establish best practices
– Use evolutionary/spiral development to roll capabilities out over several releases (realistic expectations)
– Security capabilities enable functionality and ultimately add business value

Slide 4: Goals of AMI Security Design & Implementation

– Security is viewed as an enabling function to increase capabilities over time
– Security design is focused on mitigating the impact that realizing the AMI security requirements has on the performance of the entire AMI solution
– Security is designed in the context of the overall AMI System of Systems context
– Threats and vulnerabilities are evaluated in the context of the risk to the business processes that AMI enables
– Security design in the context of the overall AMI system

Slide 5: Security Technology Capability Maturity (Updated)

Slide 6: Field Test: Capabilities and Architecture

– Initial configuration of cryptographic services
– Field test configuration primarily used for performance-related testing (crypto latency: computational and network)
– Vendors support field test capabilities (pre-placed keys)

Slide 7: Release One: Capabilities and Architecture

– Initial key management services
– Integration with infrastructure services (e.g., IDM, access controls)
– Complete network configuration (e.g., firewall and IPS services)

Slide 8: Release Two: Capabilities and Architecture

– Add HAN device authentication & confidentiality
– Key management and cryptographic updates (RFP compliance)

Slide 9: Release Three: Capabilities and Architecture

– Complete set of security services
– Cryptographic update: complete registration, authentication, distribution
– Integrated with IT PKI
– HAN security update

Slide 10: Unified Enterprise Context

– Cryptographic scheme unified across the enterprise
– Complete enterprise (AMI + DA + CSN) view through audit services
– All field elements are registered and authenticated
– Centralized security operations for field assets
– Leverages existing IT services (e.g., IDM)
– Common/shared management services

Slide 11: Next Steps

Internal engagement within SCE
– Security workshops (TDBU, CSBU, IT)
– Business policy alignment

External engagement with vendors
– Clarify vendor direction
– Clarify adherence to industry and SCE policies
– Ensure vendor integration within the SCE enterprise

External engagement with industry
– Push and monitor security standards (e.g., Title-24, openHAN, utilityAMI, UtiliPoint, etc.)
– Use an open innovation approach to lead the way in AMI security