SlideShare a Scribd company logo

Energy Sector Security Metrics - June 2013

Download as PPT, PDF
Andy Bochman
Andy Bochman

The US Congress, DHS and the man on the street say the grid is not secure enough. Well how do they know? How does anyone know how secure they are today? And how would one define how secure is secure enough? Unless we can begin to measure, we'll never be able to baseline, and never be able to road map to a demonstrable, more secure future state. So let's get started.

TechnologyBusiness
1 of 12
© 2013 IBM Corporation Energy Sector Security Metrics overview June 2013
© 2012 IBM Corporation You can't manage what you can't measure, right? So what can we work on here:  Security metrics
© 2012 IBM Corporation Security metrics in the news “Governance with Metrics is Risk Management”
© 2012 IBM Corporation IBM Security Systems 4 Risks utilities manage today  Very well indeed: –Economic –Supply chain –Theft –Commodities price –Storms and weather –Regulatory –Arboreal  Less well –Cybersecurity
© 2012 IBM Corporation IBM Security Systems 5 Security Metrics start  For starters: business alignment – Security Measurement Prerequisites/Preliminary Steps • Identify your key / most critical business processes • Understand the threat scenarios to those processes • Identify the key controls for the threats to those processes • Once you have that these things, then you can establish what you to measure – Initial Security Metrics Categories • Organization and People • Data • Applications • Infrastructure • Security Intelligence/Situational Awareness • Resilience 3 Characteristics of Good Metrics: 1.Easy to Get 2.Easy to Understand 3.Easy to Share
© 2012 IBM Corporation IBM Security Systems 6 Metrics start (cont). People and Organization Is there a security governance board? What is highest ranking person in company with security in their title and ... Do they have authority to set and enforce security policy enterprise-wide % completing refresher training course # or % phishing events (how many employees clicked on dangerous links) % of key employees using social media and/or portable media BYOD devices Help Desk stats/measures - Security related tickets called in such as: -- # of locked/forgotten password/malware infection -- # of tickets resolved -- # of tickets still open and under investigation Applications Does the company have a current inventory of all the applications (built and bought) it depends on Access controls: -- # of applications using multi-factor authentication  -- # applications using web security (HTTPS, TLS-SSL) % applications in portfolio scanned for security vulnerabilities in year of apps scanned, avg # of high severity vulnerabilities per million lines of code time between application vulnerability awareness and patching Infrastructure IT/OT downtime for planned security updates IT/OT downtime for unplanned security tasks # of infected PCs, phones, meters, etc. detected and cleansed time between system vulnerability notice and patching or mitigation Data  % critical databases protected  % total databases protected  Data loss related incidents:  -- # of lost/stolen devices (e.g., unencrypted laptops, smart phones, USB drives)  -- # of unauthorized data disclosures  -- # of data loss near misses  % of system administrators with access to root or PII information without audit capabilities Security Situational Awareness  % of critical IT/OT systems instrumented ... logs being continuously analyzed  % of network segments protected by firewalls and IDS/IPS  % up-time and availability of network against DDoS and other network attacks  # of ICS/CERT alerts relevant to client Resilience  # of security and / or privacy breach exercises per year  Performance of teams re: incident response, rapid recovery, forensics, etc.  Maturity capability rating of people, processes and technologies performing the key controls for both of the above  # of critical servers/databases with root password and key escrow and without Submitted to NIST March 2013: http://csrc.nist.gov/cyberframework/rfi_comments/ibm_security_systems_031913.pdf
© 2012 IBM Corporation 2012 CISO Study
© 2012 IBM Corporation IBM Security Systems 8 – DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012) • Metrics for utilities to use to baseline and gauge effectiveness – DOE’s Electricity Subsector Risk Management Process (May 2012) • Help translating cybersecurity into risk management framework – NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update) • Questions utilities will be asked by their state public utility commissions – NIST’s NISTIR 7628 Assessment Guide (Aug 2012) – NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011) A measurement movement is forming
© 2012 IBM Corporation IBM Security Systems 9 Demand for metrics rising US Presidential EO and NIST Crit Infra Cybersecurity Framework working group DOE's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) California PUC Rest of World Europe Asia Australia
© 2012 IBM Corporation Security Governance guidance for utilities 1. Security as risk management 2. A fully integrated security enterprise 3. Security by design 4. Business-oriented security metrics and measurement 5. Change that begins at the top 6. IBM’s 10 essential security actions 10
© 2012 IBM Corporation Andy Bochman bochman@us.ibm.com +1 781 962 6845 E&U/Crit Infra Security Metrics Team Steve Dougherty sdougherty@us.ibm.com +1 916 467 7052 SWG/Security E&U Services and Cross-brand GBS E&U CoC
© 2012 IBM Corporation ibm.com/energy ibm.com/security © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Recommended

Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
CA Technologies
 
Smart Grid for the CSO
Smart Grid for the CSOSmart Grid for the CSO
Smart Grid for the CSO
Andy Bochman
 
Cps sec sg sg2017 conf_iran
Cps sec sg sg2017 conf_iranCps sec sg sg2017 conf_iran
Cps sec sg sg2017 conf_iran
Ahmadreza Ghaznavi
 
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
Paul F. Roberts
 
Cyber Security in Smart Buildings
Cyber Security in Smart Buildings Cyber Security in Smart Buildings
Cyber Security in Smart Buildings
GAURAV. H .TANDON
 
02 ibm security for smart grids
02 ibm security for smart grids02 ibm security for smart grids
02 ibm security for smart grids
IBM Italia Web Team
 
8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...
8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...
8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...
Jim "Brodie" Brazell
 
Collusion and Fraud Detection on Electronic Energy Meters
Collusion and Fraud Detection on Electronic Energy Meters Collusion and Fraud Detection on Electronic Energy Meters
Collusion and Fraud Detection on Electronic Energy Meters
GAURAV. H .TANDON
 

Recommended

Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
CA Technologies
 
Smart Grid for the CSO
Smart Grid for the CSOSmart Grid for the CSO
Smart Grid for the CSO
Andy Bochman
 
Cps sec sg sg2017 conf_iran
Cps sec sg sg2017 conf_iranCps sec sg sg2017 conf_iran
Cps sec sg sg2017 conf_iran
Ahmadreza Ghaznavi
 
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
Paul F. Roberts
 
Cyber Security in Smart Buildings
Cyber Security in Smart Buildings Cyber Security in Smart Buildings
Cyber Security in Smart Buildings
GAURAV. H .TANDON
 
02 ibm security for smart grids
02 ibm security for smart grids02 ibm security for smart grids
02 ibm security for smart grids
IBM Italia Web Team
 
8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...
8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...
8.27.2014, Robot World: How Cyber Physical Systems are Changing Human-Machine...
Jim "Brodie" Brazell
 
Collusion and Fraud Detection on Electronic Energy Meters
Collusion and Fraud Detection on Electronic Energy Meters Collusion and Fraud Detection on Electronic Energy Meters
Collusion and Fraud Detection on Electronic Energy Meters
GAURAV. H .TANDON
 
Best Practices for Creating Your Smart Grid Network Model
Best Practices for Creating Your Smart Grid Network ModelBest Practices for Creating Your Smart Grid Network Model
Best Practices for Creating Your Smart Grid Network Model
Schneider Electric
 
Cyber-Physical Systems
Cyber-Physical SystemsCyber-Physical Systems
Cyber-Physical Systems
Sinem Coleri Ergen
 
Efficient security to meet modern day challenges
Efficient security to meet modern day challengesEfficient security to meet modern day challenges
Efficient security to meet modern day challenges
Schneider Electric
 
Schneider electric home systems solar decathlon 2011
Schneider electric home systems solar decathlon 2011Schneider electric home systems solar decathlon 2011
Schneider electric home systems solar decathlon 2011
Schneider Electric
 
Cyber-Physical Systems - contradicting requirements as drivers for innovation
Cyber-Physical Systems - contradicting requirements as drivers for innovationCyber-Physical Systems - contradicting requirements as drivers for innovation
Cyber-Physical Systems - contradicting requirements as drivers for innovation
Michael Heiss
 
IoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
IoT Solutions for Smart Energy Smart Grid and Smart Utility ApplicationsIoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
IoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
Eurotech
 
Cyber physical systems and robotics
Cyber physical systems and roboticsCyber physical systems and robotics
Cyber physical systems and robotics
trinhanhtuan247
 
[Industry report] U.S. Grid Automation Report
[Industry report] U.S. Grid Automation Report[Industry report] U.S. Grid Automation Report
[Industry report] U.S. Grid Automation Report
Schneider Electric
 
Schneider Electric Smart City Success Stories (Worldwide)
Schneider Electric Smart City Success Stories (Worldwide)Schneider Electric Smart City Success Stories (Worldwide)
Schneider Electric Smart City Success Stories (Worldwide)
Schneider Electric India
 
Getting More Value Out of Your Data
Getting More Value Out of Your DataGetting More Value Out of Your Data
Getting More Value Out of Your Data
InnoTech
 
Integration of Technology & Compliance Presented by John Heintz, CPS Energy
Integration of Technology & Compliance Presented by John Heintz, CPS EnergyIntegration of Technology & Compliance Presented by John Heintz, CPS Energy
Integration of Technology & Compliance Presented by John Heintz, CPS Energy
stacybre
 
Process Automation - The Future
Process Automation - The FutureProcess Automation - The Future
Process Automation - The Future
Schneider Electric
 
It Capabilities.2009
It Capabilities.2009It Capabilities.2009
It Capabilities.2009
Diontealley
 
The Impacts of Cyber Physical Systems on Products
The Impacts of Cyber Physical Systems on ProductsThe Impacts of Cyber Physical Systems on Products
The Impacts of Cyber Physical Systems on Products
Arian Razmi Farooji
 
Using Grid data analytics to protect revenue, reduce network losses and impro...
Using Grid data analytics to protect revenue, reduce network losses and impro...Using Grid data analytics to protect revenue, reduce network losses and impro...
Using Grid data analytics to protect revenue, reduce network losses and impro...
Schneider Electric
 
Stop Wasting Energy on M2M
Stop Wasting Energy on M2MStop Wasting Energy on M2M
Stop Wasting Energy on M2M
Eurotech
 
Industrial sawmill solution Wood Mizer
Industrial sawmill solution Wood MizerIndustrial sawmill solution Wood Mizer
Industrial sawmill solution Wood Mizer
Schneider Electric
 
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir GillEliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
TheAnfieldGroup
 
SERENE 2014 School: Gabor karsai serene2014_school
SERENE 2014 School: Gabor karsai serene2014_schoolSERENE 2014 School: Gabor karsai serene2014_school
SERENE 2014 School: Gabor karsai serene2014_school
Henry Muccini
 
A framework for converting hotel guestroom energy management into ROI
A framework for converting hotel guestroom energy management into ROIA framework for converting hotel guestroom energy management into ROI
A framework for converting hotel guestroom energy management into ROI
Schneider Electric
 
Connecting all the things with MQTT & Node-RED
Connecting all the things with MQTT & Node-REDConnecting all the things with MQTT & Node-RED
Connecting all the things with MQTT & Node-RED
OpenEnergyMonitor
 
Heatpumps and Heatpump Monitoring
Heatpumps and Heatpump MonitoringHeatpumps and Heatpump Monitoring
Heatpumps and Heatpump Monitoring
OpenEnergyMonitor
 

More Related Content

What's hot

Cyber-Physical Systems
Cyber-Physical SystemsCyber-Physical Systems
Cyber-Physical Systems
Sinem Coleri Ergen
 
Schneider electric home systems solar decathlon 2011
Schneider electric home systems solar decathlon 2011Schneider electric home systems solar decathlon 2011
Schneider electric home systems solar decathlon 2011
Schneider Electric
 
[Industry report] U.S. Grid Automation Report
[Industry report] U.S. Grid Automation Report[Industry report] U.S. Grid Automation Report
[Industry report] U.S. Grid Automation Report
Schneider Electric
 
It Capabilities.2009
It Capabilities.2009It Capabilities.2009
It Capabilities.2009
Diontealley
 
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir GillEliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
TheAnfieldGroup
 

What's hot (20)

Best Practices for Creating Your Smart Grid Network Model
Best Practices for Creating Your Smart Grid Network ModelBest Practices for Creating Your Smart Grid Network Model
Best Practices for Creating Your Smart Grid Network Model
 
Cyber-Physical Systems
Cyber-Physical SystemsCyber-Physical Systems
Cyber-Physical Systems
 
Efficient security to meet modern day challenges
Efficient security to meet modern day challengesEfficient security to meet modern day challenges
Efficient security to meet modern day challenges
 
Schneider electric home systems solar decathlon 2011
Schneider electric home systems solar decathlon 2011Schneider electric home systems solar decathlon 2011
Schneider electric home systems solar decathlon 2011
 
Cyber-Physical Systems - contradicting requirements as drivers for innovation
Cyber-Physical Systems - contradicting requirements as drivers for innovationCyber-Physical Systems - contradicting requirements as drivers for innovation
Cyber-Physical Systems - contradicting requirements as drivers for innovation
 
IoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
IoT Solutions for Smart Energy Smart Grid and Smart Utility ApplicationsIoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
IoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
 
Cyber physical systems and robotics
Cyber physical systems and roboticsCyber physical systems and robotics
Cyber physical systems and robotics
 
[Industry report] U.S. Grid Automation Report
[Industry report] U.S. Grid Automation Report[Industry report] U.S. Grid Automation Report
[Industry report] U.S. Grid Automation Report
 
Schneider Electric Smart City Success Stories (Worldwide)
Schneider Electric Smart City Success Stories (Worldwide)Schneider Electric Smart City Success Stories (Worldwide)
Schneider Electric Smart City Success Stories (Worldwide)
 
Getting More Value Out of Your Data
Getting More Value Out of Your DataGetting More Value Out of Your Data
Getting More Value Out of Your Data
 
Integration of Technology & Compliance Presented by John Heintz, CPS Energy
Integration of Technology & Compliance Presented by John Heintz, CPS EnergyIntegration of Technology & Compliance Presented by John Heintz, CPS Energy
Integration of Technology & Compliance Presented by John Heintz, CPS Energy
 
Process Automation - The Future
Process Automation - The FutureProcess Automation - The Future
Process Automation - The Future
 
It Capabilities.2009
It Capabilities.2009It Capabilities.2009
It Capabilities.2009
 
The Impacts of Cyber Physical Systems on Products
The Impacts of Cyber Physical Systems on ProductsThe Impacts of Cyber Physical Systems on Products
The Impacts of Cyber Physical Systems on Products
 
Using Grid data analytics to protect revenue, reduce network losses and impro...
Using Grid data analytics to protect revenue, reduce network losses and impro...Using Grid data analytics to protect revenue, reduce network losses and impro...
Using Grid data analytics to protect revenue, reduce network losses and impro...
 
Stop Wasting Energy on M2M
Stop Wasting Energy on M2MStop Wasting Energy on M2M
Stop Wasting Energy on M2M
 
Industrial sawmill solution Wood Mizer
Industrial sawmill solution Wood MizerIndustrial sawmill solution Wood Mizer
Industrial sawmill solution Wood Mizer
 
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir GillEliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
Eliminate Silos to Enhance Critical Infrastructure Protection by Jasvir Gill
 
SERENE 2014 School: Gabor karsai serene2014_school
SERENE 2014 School: Gabor karsai serene2014_schoolSERENE 2014 School: Gabor karsai serene2014_school
SERENE 2014 School: Gabor karsai serene2014_school
 
A framework for converting hotel guestroom energy management into ROI
A framework for converting hotel guestroom energy management into ROIA framework for converting hotel guestroom energy management into ROI
A framework for converting hotel guestroom energy management into ROI
 

Viewers also liked

GARTNER_top_consumer_trends_
GARTNER_top_consumer_trends_GARTNER_top_consumer_trends_
GARTNER_top_consumer_trends_
Stan Dacre
 
Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...
Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...
Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...
Carly Snodgrass
 
A Report on Managed Services Industry in India
A Report on Managed Services Industry in IndiaA Report on Managed Services Industry in India
A Report on Managed Services Industry in India
University of Connecticut
 
Remote Infrastructure Management
Remote Infrastructure ManagementRemote Infrastructure Management
Remote Infrastructure Management
Prime Infoserv
 

Viewers also liked (15)

Connecting all the things with MQTT & Node-RED
Connecting all the things with MQTT & Node-REDConnecting all the things with MQTT & Node-RED
Connecting all the things with MQTT & Node-RED
 
Heatpumps and Heatpump Monitoring
Heatpumps and Heatpump MonitoringHeatpumps and Heatpump Monitoring
Heatpumps and Heatpump Monitoring
 
GARTNER_top_consumer_trends_
GARTNER_top_consumer_trends_GARTNER_top_consumer_trends_
GARTNER_top_consumer_trends_
 
Magic Quadrant for On-Premises Application Platforms
Magic Quadrant for On-Premises Application PlatformsMagic Quadrant for On-Premises Application Platforms
Magic Quadrant for On-Premises Application Platforms
 
Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...
Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...
Take Your Infrastructure To The Next Level Of Agility And Cost Savings–Dynami...
 
It infrastructure management services @ yash
It infrastructure management services @ yashIt infrastructure management services @ yash
It infrastructure management services @ yash
 
Infrastructure Management Services
Infrastructure Management ServicesInfrastructure Management Services
Infrastructure Management Services
 
A Report on Managed Services Industry in India
A Report on Managed Services Industry in IndiaA Report on Managed Services Industry in India
A Report on Managed Services Industry in India
 
Infrastructure management services in india
Infrastructure management services in indiaInfrastructure management services in india
Infrastructure management services in india
 
Remote Infrastructure Management
Remote Infrastructure ManagementRemote Infrastructure Management
Remote Infrastructure Management
 
IDC Nutanix - Hyperconvergence and the Pulling Forces in the Datacenter
IDC Nutanix - Hyperconvergence and the Pulling Forces in the DatacenterIDC Nutanix - Hyperconvergence and the Pulling Forces in the Datacenter
IDC Nutanix - Hyperconvergence and the Pulling Forces in the Datacenter
 
Market Research Report : Facilities management services market in india 2014 ...
Market Research Report : Facilities management services market in india 2014 ...Market Research Report : Facilities management services market in india 2014 ...
Market Research Report : Facilities management services market in india 2014 ...
 
Remote Infrastructure Management Services (RIMS)
Remote Infrastructure Management Services (RIMS)Remote Infrastructure Management Services (RIMS)
Remote Infrastructure Management Services (RIMS)
 
Final year project on Remote Infrastructure Management
Final year project on Remote Infrastructure ManagementFinal year project on Remote Infrastructure Management
Final year project on Remote Infrastructure Management
 
ITS Managed Services Introduction
ITS Managed Services IntroductionITS Managed Services Introduction
ITS Managed Services Introduction
 

Similar to Energy Sector Security Metrics - June 2013

Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
IBM Security
 
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
IBM Security
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
IBM Security
 
8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM
AGILLY
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security
 
2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?
IBM Security
 
Cutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control CostsCutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control Costs
IBM Security
 

Similar to Energy Sector Security Metrics - June 2013 (20)

Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
 
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
 
Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance
 
Ibm q radar_blind_references
Ibm q radar_blind_referencesIbm q radar_blind_references
Ibm q radar_blind_references
 
IBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM - IAM Security and Trends
IBM - IAM Security and Trends
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM
 
Kista watson summit final public version
Kista watson summit final public versionKista watson summit final public version
Kista watson summit final public version
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for Java
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for Java
 
2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?
 
IBM Security Services Overview
IBM Security Services OverviewIBM Security Services Overview
IBM Security Services Overview
 
IBM Security 2017 Lunch and Learn Series
IBM Security 2017 Lunch and Learn SeriesIBM Security 2017 Lunch and Learn Series
IBM Security 2017 Lunch and Learn Series
 
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure Enterprise3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
 
Cutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control CostsCutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control Costs
 
Smarter Commerce Summit - IBM MobileFirst Services
Smarter Commerce Summit - IBM MobileFirst ServicesSmarter Commerce Summit - IBM MobileFirst Services
Smarter Commerce Summit - IBM MobileFirst Services
 
Application security Best Practices Framework
Application security Best Practices FrameworkApplication security Best Practices Framework
Application security Best Practices Framework
 
Security Principles for CEOs
Security Principles for CEOsSecurity Principles for CEOs
Security Principles for CEOs
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Energy Sector Security Metrics - June 2013

  • 1. © 2013 IBM Corporation Energy Sector Security Metrics overview June 2013
  • 2. © 2012 IBM Corporation You can't manage what you can't measure, right? So what can we work on here:  Security metrics
  • 3. © 2012 IBM Corporation Security metrics in the news “Governance with Metrics is Risk Management”
  • 4. © 2012 IBM Corporation IBM Security Systems 4 Risks utilities manage today  Very well indeed: –Economic –Supply chain –Theft –Commodities price –Storms and weather –Regulatory –Arboreal  Less well –Cybersecurity
  • 5. © 2012 IBM Corporation IBM Security Systems 5 Security Metrics start  For starters: business alignment – Security Measurement Prerequisites/Preliminary Steps • Identify your key / most critical business processes • Understand the threat scenarios to those processes • Identify the key controls for the threats to those processes • Once you have that these things, then you can establish what you to measure – Initial Security Metrics Categories • Organization and People • Data • Applications • Infrastructure • Security Intelligence/Situational Awareness • Resilience 3 Characteristics of Good Metrics: 1.Easy to Get 2.Easy to Understand 3.Easy to Share
  • 6. © 2012 IBM Corporation IBM Security Systems 6 Metrics start (cont). People and Organization Is there a security governance board? What is highest ranking person in company with security in their title and ... Do they have authority to set and enforce security policy enterprise-wide % completing refresher training course # or % phishing events (how many employees clicked on dangerous links) % of key employees using social media and/or portable media BYOD devices Help Desk stats/measures - Security related tickets called in such as: -- # of locked/forgotten password/malware infection -- # of tickets resolved -- # of tickets still open and under investigation Applications Does the company have a current inventory of all the applications (built and bought) it depends on Access controls: -- # of applications using multi-factor authentication  -- # applications using web security (HTTPS, TLS-SSL) % applications in portfolio scanned for security vulnerabilities in year of apps scanned, avg # of high severity vulnerabilities per million lines of code time between application vulnerability awareness and patching Infrastructure IT/OT downtime for planned security updates IT/OT downtime for unplanned security tasks # of infected PCs, phones, meters, etc. detected and cleansed time between system vulnerability notice and patching or mitigation Data  % critical databases protected  % total databases protected  Data loss related incidents:  -- # of lost/stolen devices (e.g., unencrypted laptops, smart phones, USB drives)  -- # of unauthorized data disclosures  -- # of data loss near misses  % of system administrators with access to root or PII information without audit capabilities Security Situational Awareness  % of critical IT/OT systems instrumented ... logs being continuously analyzed  % of network segments protected by firewalls and IDS/IPS  % up-time and availability of network against DDoS and other network attacks  # of ICS/CERT alerts relevant to client Resilience  # of security and / or privacy breach exercises per year  Performance of teams re: incident response, rapid recovery, forensics, etc.  Maturity capability rating of people, processes and technologies performing the key controls for both of the above  # of critical servers/databases with root password and key escrow and without Submitted to NIST March 2013: http://csrc.nist.gov/cyberframework/rfi_comments/ibm_security_systems_031913.pdf
  • 7. © 2012 IBM Corporation 2012 CISO Study
  • 8. © 2012 IBM Corporation IBM Security Systems 8 – DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012) • Metrics for utilities to use to baseline and gauge effectiveness – DOE’s Electricity Subsector Risk Management Process (May 2012) • Help translating cybersecurity into risk management framework – NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update) • Questions utilities will be asked by their state public utility commissions – NIST’s NISTIR 7628 Assessment Guide (Aug 2012) – NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011) A measurement movement is forming
  • 9. © 2012 IBM Corporation IBM Security Systems 9 Demand for metrics rising US Presidential EO and NIST Crit Infra Cybersecurity Framework working group DOE's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) California PUC Rest of World Europe Asia Australia
  • 10. © 2012 IBM Corporation Security Governance guidance for utilities 1. Security as risk management 2. A fully integrated security enterprise 3. Security by design 4. Business-oriented security metrics and measurement 5. Change that begins at the top 6. IBM’s 10 essential security actions 10
  • 11. © 2012 IBM Corporation Andy Bochman bochman@us.ibm.com +1 781 962 6845 E&U/Crit Infra Security Metrics Team Steve Dougherty sdougherty@us.ibm.com +1 916 467 7052 SWG/Security E&U Services and Cross-brand GBS E&U CoC
  • 12. © 2012 IBM Corporation ibm.com/energy ibm.com/security © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.