Presentation is loading. Please wait.

Presentation is loading. Please wait.

DER DATA Security Best Practices

Published byАлина Тыртова Modified over 5 years ago

Similar presentations

Presentation on theme: "DER DATA Security Best Practices"— Presentation transcript:

1 DER DATA Security Best Practices
Energy Policy Roundtable in the PJM footprint March 21st, 2018 Dr. Erfan Ibrahim Founder & CEO The Bit Bazaar LLC

2 Key Questions Addressed in presentation
What is data security? How are data security requirements in IT and OT networks different? How do you develop a cybersecurity architecture to protect DER data? What are some steps you can take to improve your cybersecurity posture? What are the differences between systemic security and protocol security? How do you decide how much to spend on DER data security? The Bit Bazaar LLC

3 What is data security? – 5 Key attributes
Confidentiality – Who should have access to the data? Integrity – Is the data that is received the same as the data that was sent? Availability – What percentage of time is the data available over a few minutes, hours or days? Accountability – Can every data transaction be irrefutably attributed to a particular user or system? Reliability - What percentage of time is the data available over weeks, months or years? The Bit Bazaar LLC

4 How are data security requirements in IT and OT networks different?
IT networks have touch points to the Public Internet – OT networks typically do not IT networks protect data with firewalls, network segmentation, anti-virus software and signature based intrusion detection systems – OT networks require protocol savvy intrusion detection systems and in-line blocking tools that are context based (cyber tools require deep domain expertise in OT applications) IT networks can tolerate higher levels of false positives from IDS than OT networks – consequences of blocking OT network data are far more damaging The Bit Bazaar LLC

5 How do you develop a cybersecurity architecture to protect DER data?
Apply sound network hygiene principles Enforce strict role based access control on all utility firewalls facing DER assets Use subnet masking to logically isolate each DER asset in its own subnet Quiet down the network with granular access control lists on routers/switches attached to DER assets Place signature based malware Intrusion Detection Systems fed by taps on critical segments networks where DER technologies are attached Place in-line blocking tools in front of critical DER assets to protect against DoS attacks and insider threats Virtualize DER nodes with firewalled hypervisors, firewalled OS in VM instances and strong username/password security on DER applications The Bit Bazaar LLC

6 What are some steps you can take to improve your DER security posture
What are some steps you can take to improve your DER security posture? – 10 Sequential Tasks Perform a 1-day integrated DoE C2 M2 / NIST CSF cyber governance assessment for your DER infrastructure Implement the missing business process security controls from the assessment using the prioritized action item list that is generated from the assessment tool Perform due diligence on the DER related technologies that are needed to realize certain missing business process security controls from the assessment Author procurement language informed by the technology due diligence The Bit Bazaar LLC

7 What are some steps you can take to improve your DER security posture
What are some steps you can take to improve your DER security posture? – 10 Sequential tasks Ensure that all the DER related technologies selected fit into the overall cybersecurity architecture established for your DER network Check software binaries and source codes of selected DER related technologies for malware, backdoors, call back routines, poor coding techniques and implement appropriate mitigations (commercial tools available) Test the resilience of any DER related software applications selected to data fuzzing and implement appropriate mitigations (commercial tools available) The Bit Bazaar LLC

8 What are some steps you can take to improve your cybersecurity posture
What are some steps you can take to improve your cybersecurity posture? – 10 sequential tasks Perform cyber penetration tests of selected DER related technologies in experimental platforms with actual DER use cases running to identify and mitigate unknown risks Build incremental resilience in DER networks by developing mitigations for the industry documented failure scenarios (from DoE NESCOR study) Train the technical and corporate staff on the moves, adds and changes made to the DER infrastructure in Steps 2-8 The Bit Bazaar LLC

9 What are the Key differences between systemic security and protocol security to protect ot networks?
Protocol security is IT centric and embedded in the OT technologies (i.e. DNP3 – Secure Authentication, Secure ICCP (TASE-2), IEC , IEC , Smart Energy Profile V2.0) – does not protect against insider threats Systemic Security relies on sound network hygiene principles, intrusion detection systems and in-line blocking tools regardless of the maturity of endpoint security or protocol security – can protect against insider threats Protocol security requirements drive legacy systems to obsolescence rapidly Systemic security protects investments in legacy systems while allowing modern systems to operate seamlessly with a consistent cybersecurity layer across the entire IT/OT infrastructure The Bit Bazaar LLC

10 How do you decide how much to spend on DER data security?
Spending should be commensurate with the risk to corporate and DER infrastructure from data breaches Quantify risk with periodic cyber pen testing of critical DER related applications by third party testers – don’t drink your own Kool Aid when it comes to cyber protection Spend until the vulnerabilities identified in the cyber pen testing have been mitigated Repeat the cyber pen testing process at least annually (every 6 months highly recommended to keep pace with fast emerging cyber threats) The Bit Bazaar LLC

11 Concluding Remarks DER data security matters because of the growing contribution of electricity from DER There are good ways and ineffective ways to protect DER related data Don’t fall for the security hype of cyber or DER related technology vendors DER data security starts with sound business process security controls, documented business use cases to support operations and a comprehensive cybersecurity architecture to harden systems against known risks and monitor in real time for unknown risks Technology is part of the fulfillment, not the essence of DER data security DER data security is a lot like fishing or agriculture – you can spend tons of money on bait and fertilizer and not catch any fish or grow crops – learn good fishing and farming techniques first before expecting positive results in either endeavor The Bit Bazaar LLC

12 Q&A Contact: Erfan Ibrahim Founder & CEO The Bit Bazaar LLC The Bit Bazaar LLC (TBB) is a full-service consulting firm established by Dr. Erfan Ibrahim in San Francisco CA in August 2001 to address the critical needs in digital technology, cybersecurity and resilience for clients in enterprise, technology vendor, service provider, academia, government agencies and not-for-profit organization sectors. Over the past 16 years TBB has served clients such as Wells Fargo, Visa International, Electric Power Research Institute, Echelon, BC Hydro, Scitor Corporation (part of SAIC), Penn State University and DC Systems in a variety of consulting engagements providing advisory services, technology demonstrations and implementations in networking, network management, communications, Smart Grid, cybersecurity and resilience. TBB has a team of 15 seasoned experts in high tech, marketing, finance, networking and security. TBB is based in San Francisco CA with offices in Denver CO and Washington DC.

Download ppt "DER DATA Security Best Practices"

Similar presentations

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Network security policy: best practices

Network security policy: best practices
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
GridWise ® Architecture Council Cyber-Physical System Requirements for Transactive Energy Systems Shawn A. Chandler Maseeh College of Electrical and Computer.

GridWise ® Architecture Council Cyber-Physical System Requirements for Transactive Energy Systems Shawn A. Chandler Maseeh College of Electrical and Computer.
Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
Defense-in-Depth What Is It?

Defense-in-Depth What Is It?
Dell Connected Security Solutions Simplify & unify.

Dell Connected Security Solutions Simplify & unify.
OPSWAT Presentation for XXX Month Date, Year. OPSWAT & ____________ Agenda  Overview of OPSWAT  Multi-scanning with Metascan  Controlling Data Workflow.

OPSWAT Presentation for XXX Month Date, Year. OPSWAT & ____________ Agenda  Overview of OPSWAT  Multi-scanning with Metascan  Controlling Data Workflow.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
1 CISCO SAFE: VALIDATED SECURITY REFERENCE ARCHITECTURE What It Is Business Transformation Top Questions To Ask To Initiate The Sale Where It Fits KEY.

1 CISCO SAFE: VALIDATED SECURITY REFERENCE ARCHITECTURE What It Is Business Transformation Top Questions To Ask To Initiate The Sale Where It Fits KEY.
Sandra C Security Advisor Energy Dan B Security Advisor Water

Sandra C Security Advisor Energy Dan B Security Advisor Water
1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.

1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.
Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682 ) Business Convergence WS#2 Smart Grid Technologies.

Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.
℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.

℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.
Network security Product Group 2 McAfee Network Security Platform.

Network security Product Group 2 McAfee Network Security Platform.

Similar presentations

Ads by Google