Download presentation
Presentation is loading. Please wait.
Published byLaura Bailey Modified over 9 years ago
1
AREVA T&D Security Focus Group - 09/14/091 Security Focus Group A Vendor & Customer Collaboration EMS Users Conference September 14, 2009 Rich White AREVA T&D
2
AREVA T&D Security Focus Group - 09/14/092 Security Focus Group Presentation Overview 1. Background Formation Approach Timeline 2. Role of the Security Focus Group Help the participants to achieve NERC CIP compliance Oversee specific security activities Address security of products and services A forum to address security issues as they arise 3. Results of the Security Focus Group Deliverables and Recommendations Collaborative management and solutions Raising the quality and visibility bar on security What’s next ?
3
AREVA T&D Security Focus Group - 09/14/093 Background Formation of the Security Focus Group Started after June 2007 AREVA T&D Users Group conference Initial group of customer volunteers + open invitation process Mandate to focus on NERC CIP readiness Approach Meeting agenda and invitations distributed in advance 1 hour conference call meetings every other week Detailed meeting summaries published on the web Use of on-line surveys to clarify interests, priorities of the group “Top 10 Security Concerns” NERC CIPs prioritization Change Management “Significant Change” classification
4
AREVA T&D Security Focus Group - 09/14/094 Background (cont’d) Timeline Q3Q4Q1Q2Q3Q4Q1Q2 200720082009 Commissioned at June 2007 AREVA T&D Users Group conference Phase I Security Focus Group (25 participants from 13 different companies) Results presented at ‘08 UG conference Meetings from Oct. ’07 – Apr. ’08 Commissioned at June ‘08 AREVA T&D Users Group conference Phase II Security Focus Group (55 participants from 20 different companies) Results presented at ‘09 UG conference Meetings from Oct. ’08 – May ’09
5
AREVA T&D Security Focus Group - 09/14/095 Presentation Overview 1. Background Formation Approach Timeline 2. Role of the Security Focus Group Help the participants to achieve NERC CIP compliance Oversee specific security activities Address security of products and services A forum to address security issues as they arise 3. Results of the Security Focus Group Deliverables and Recommendations Collaborative management and solutions Raising the quality and visibility bar on security What’s Next ?
6
AREVA T&D Security Focus Group - 09/14/096 NERC CIP Compliance Discussions Covered in SFG Phase ICovered in SFG Phase II C = Compliant AC = Auditably Compliant by end of 2 nd Qtr 2009 On-line survey of SFG participants to identify top security concerns, and to prioritize NERC CIPs discussion Agenda of successive SFG meetings following this priority order
7
AREVA T&D Security Focus Group - 09/14/097 Security Activities Oversight AREVA T&D Security Activities which the Security Focus Group has assumed oversight for include: Security Patch Compatibility Testing Services Independent Security Vulnerability Testing Services Security Patch Communications and Release Processes AREVA T&D Operating System Vendor Patch Compatibility Testing AREVA T&D Third Party Vendor Patch Compatibility Testing Independent Security Vulnerability Testing Customer Operational system pre-deployment test Business Security Policy / NERC CIP Requirements Customer Patch Management and Significant Change Test
8
AREVA T&D Security Focus Group - 09/14/098 Security of AREVA T&D Products and Services AREVA T&D Security Documents: 3 rd Party Software Documentation Security Solutions document developed and published (mapping NERC CIPs to AREVA product features and configurations) AREVA T&D System and Network Security Guides reviewed and updated. Review of AREVA T&D Security policies and processes Security training process Background checking procedure Secure management of remote system access
9
AREVA T&D Security Focus Group - 09/14/099 Addressing Security Issues as they Arise Security audits and assessment findings Forum for open discussion and sharing of audit experiences Insights from an auditor Bandolier templates for AREVA T&D systems AREVA T&D Security Patch processes Customer Security Bulletins Security Patch Release process Industry / regulatory coordination (US-CERT, NERC) Discussion of 3 rd party security tools utilization Tools for security event logging consolidation Security assessment and scanning tools Security audit and change management tools
10
AREVA T&D Security Focus Group - 09/14/0910 Presentation Overview 1. Background Formation Approach Timeline 2. Role of the Security Focus Group Help the participants to achieve NERC CIP compliance Oversee specific security activities Address security of products and services A forum to address security issues as they arise 3. Results of the Security Focus Group Deliverables and Recommendations Collaborative management and solutions Raising the quality and visibility bar on security What’s Next ?
11
AREVA T&D Security Focus Group - 09/14/0911 Deliverables and Recommendations Highlights of deliverables and recommendations include: INL Phase III Independent Vulnerability Test Scope SFG Significant Change List CIP-007-1 R1 Significant Change Survey Results Log Management White Paper AREVA T&D Personnel Risk Assessment Verification Third Party Software Document Security Focus Group Meeting Summaries Vulnerability assessment and testing methodologies, procedures, and tools document AREVA Security Patch testing and Product Release testing scope expansion AREVA project and support personnel change notification policy and procedures
12
AREVA T&D Security Focus Group - 09/14/0912 Collaboration and Quality Management responsibilities representing the User Community Independent Vulnerability Testing Security Patch Compatibility Testing Raising the quality and visibility bar on security Focus Group activities and recommendations are high priority to AREVA T&D Meeting format makes it possible for both vendor and customers to bring their experts together to discuss specific security subjects Broad and consistent user representation gives the Focus Group good credibility to the user community
13
AREVA T&D Security Focus Group - 09/14/0913 Benefits of the Participants Helping the user community define a common interpretation of the NERC CIP requirements Assisting users efforts to achieve NERC CIP compliance Facilitating sharing of experience and successes among the participants Providing users an opportunity to influence and improve AREVA T&D’s security features and services Empowering user representatives to oversee specific AREVA T&D security activities
14
AREVA T&D Security Focus Group - 09/14/0914 What’s Next The 2009 / 2010 Security Focus Group will hold it’s first meeting on October 1 st Key subjects the Security Focus Group will concentrate on: NERC CIPs compliance (audit experiences, best practices, etc..) Product security testing [including INL, security patch compatibility, other] Product security features / configuration / documentation Product security integration [e.g. third-party tools] Security policies and procedures (disclosure & notification, security tools &best practices, etc..)
15
AREVA T&D Security Focus Group - 09/14/0915
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.