© 2012 IBM Corporation IBM Security Systems 1 © 2013 IBM Corporation Electric Sector Security Awareness Rising 1 May 2013 IBM Industry Security

Electric Sector Security Awareness Rising

1 May 2013

IBM Industry Security

In the beginning ...

Presenting: the grid

The great convergence

Grid operations and security

Both sides of the aisle care about this

Environment & Smart Grid security: connecting the dots

1) Environment improves when fossil fuel use is reduced

2) Utility-scale and DG wind, solar, hydro + EE + DR help reduce fossil fuel use

3) But the legacy grid can't tolerate the high levels of intermittency in wind and solar

4) So in the US and elsewhere we're modernizing the grid for this (and a number of other reasons)

5) However, if adversaries can reveal the Smart Grid to be susceptible to repeated, disruptive attacks, we won't trust it enough to deploy it

6) Many orgs and individuals are working to secure the Smart Grid

7) However, since we don't measure security it's hard to know how secure/insecure we are at present, and if/when it's secure enough based on risk tolerance

8) Developing and deploying mutually agreed version 1.0 security metrics and using them to identify gaps and roadmap to an improved state can get us back to the top

A measurement movement is forming

– Presidential EO and NIST Crit Infra Cybersecurity Framework working group (Mar 2013)
  • Developing metrics to baseline CI providers

– DOE's Electricity Subsector Cybersecurity Maturity Model (Jun 2012)
  • Metrics for utilities to use to baseline and gauge effectiveness

– DOE's Electricity Subsector Risk Management Process (May 2012)
  • Help translating cybersecurity into risk management framework

– NARUC's Cybersecurity for State Regulators (Jun 2012, Feb 2013 update)
  • Questions utilities will be asked by their state public utility commissions

– NIST's NISTIR 7628 Assessment Guide (Aug 2012)

– NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011)

Security Governance for utilities

1. Security as risk management

2. A fully integrated security enterprise

3. Security by design

4. Business-oriented security metrics and measurement

5. Change that begins at the top

6. IBM's 10 essential security actions

Making security metrics – here's a start

ibm.com/energy

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Andy Bochman

WW Energy Security Lead

[email protected]