Holistic Enterprise Security Solution Speaker: Alex Ivkin

Cyber Security in Energy & Utilities Industry

Oct 19, 2014



In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.
Transcript
Page 1: Cyber Security in Energy & Utilities Industry

Holistic Enterprise Security Solution

Speaker: Alex Ivkin

Page 2: Cyber Security in Energy & Utilities Industry

Holistic Enterprise Security Solution

Agenda:
• The “Blind Slide”
• The Insider Threat. Identity Controls and Data Loss Protection
• Application Protection
• New threat vectors. Virtualization and distributed assets
• Experiences from the field

Page 3: Cyber Security in Energy & Utilities Industry

NERC CIP 2011 Violations & Fines
• Since January 2011, a significant increase in CIP fines
• Largest numbers for Security Awareness and Testing

Source: http://www.nerc.com/filez/enforcement

Page 4: Cyber Security in Energy & Utilities Industry

Introduction

Personal ID – personal accountability
• Traditional identity management has always focused on these IDs.
• Well covered and controlled
• Commoditized

Service ID – corporate accountability
• Shared administrative ID
• Programs, services, databases, scripting, testing, load testing, auditing, troubleshooting, you name it.
• “Too hard to deal with”, “will be the next step”

Other
• Shared group IDs
• IDs in transition
• Template IDs
• Exchange mailboxes

Page 5: Cyber Security in Energy & Utilities Industry

Service IDs
• Service IDs are everywhere
• Different systems have different exposure via the Service IDs

Page 6: Cyber Security in Energy & Utilities Industry

Identity & Access Management
• Single Sign-On & Management of Web Access & Passwords
• User Provisioning / Deprovisioning and Full Role Management
• The 3 Rs – Reconciliation, Recertification & Reporting
• Security log management & reporting

Diagram labels: THE PLAN / REALITY / MATCH?

Page 7: Cyber Security in Energy & Utilities Industry

Identity and Access Management for Energy Companies

• A holistic way of addressing corporate identities and access controls
• Identity lifecycle support and review
• Access provisioning, deprovisioning, certification
• Policy enforcement: password, access patterns, expiration
• RBAC

• IdM for FERC/NERC CIP applications
  • Energy management systems
  • Energy network components
  • Physical access control services
  • Customer Information Systems
  • Work Management System
  • Plant Maintenance Systems
  • Tower gateway base stations for Smart Meter infrastructure

• SOX applications. SOX 404
  • Corporate Reports
  • Financial systems

• PCI, NIST, HIPAA

Page 8: Cyber Security in Energy & Utilities Industry

CIP with IAM Step by Step

CIP-003-1 Access enforcement, audit trails, reviews and roles
• Access authorization enforcement maintained via identity lifecycle workflows with the robust approval framework and multilevel escalation.
• The audit trails are preserved for each request and approval, ensuring access is given, modified and revoked only under proper supervision.
• Automatic enforcement of access privileges is linked in and based on business roles.
• Annual reviews and re-certification of access are required from the management and system owners.

CIP-004-1 Training, privilege revocation
• Training program requirements are enforced via proper personnel on-boarding and transfer workflows, tied into the HR and training systems.
• Revocation within 24 hours of termination is a part of the closely enforced identity lifecycle.
• Critical asset access lists are available for review 24/7 by authorized personnel via a web interface.

Page 9: Cyber Security in Energy & Utilities Industry

CIP with IAM Step by Step

CIP-006-1 Physical access protection
• Implemented by integrating with card access and badge systems and tied into an identity lifecycle.

CIP-007-1 Access to CCA, Shared accounts, Least Privilege
• Enforcing the creation and management of user access to Critical Cyber Assets by employing industry standard role based access control certification, provisioning, rights and password management.
• Directly assigning owners and custodians for individuals and shared system accounts on a "need to know basis" and subjecting it to periodic reviews.
• Analysis and remediation of orphan accounts.
• Password policies are deployed in the automated identity management system to ensure only qualified passwords are allowed.

Page 10: Cyber Security in Energy & Utilities Industry

Service Identity Management is an essential part of IAM Governance
• Expansion of the traditional Identity and Access Management to cover identities used by administrators, systems, software and automated processes.
• Assign responsibility for Service accounts, track the people who manage the accounts, report on them and enforce policies.
• Tracking accounts used by various IT assets: Databases, Enterprise applications, Devices, Scheduling and monitoring software, Automatic maintenance processes and many more.

Page 11: Cyber Security in Energy & Utilities Industry

How PIM works

Diagram components: LDAP, Email, AD, ITIM, TCIM Enterprise, Event Logs, Reports, E-SSO; Recertification of privileged users; Authorization.

1. Tivoli Identity Manager (TIM) with a custom module provisions privileged IDs and manages pools of shared IDs. Shared IDs are stored in a secured data store.
2. Periodically recertify account authorizations through a consistent workflow.
3. Admin logs into Tivoli Access Manager for E-SSO (TAM E-SSO). TAM E-SSO automatically checks out/in the shared ID as required to ensure accountability while simplifying usage.
4. Tivoli Compliance Insight Manager (TCIM) monitors all logs for end-to-end tracking.
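Steps 1, 3 and 4 above describe check-out/check-in of pooled shared IDs and log correlation for accountability. The following added example (constructed data; not TIM, TAM E-SSO or TCIM code) models that flow: one named admin holds a shared ID at a time, every check-out, denial and check-in is recorded, and target-system log lines for the shared account are mapped back to the holder, with unattributed lines surfacing as the ones to alert on. Pool names, admin names and log lines are constructed.

```python
"""Shared (privileged) ID check-out/check-in with an audit trail, modelled on
steps 1, 3 and 4 of the PIM flow above. Added example with constructed data;
it is not TIM / TAM E-SSO / TCIM code."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    at: datetime
    action: str        # "checkout", "checkin" or "denied"
    shared_id: str
    admin: str         # the named person: this is what gives accountability
    reason: str = ""


class SharedIdPool:
    """Pool of shared IDs; at most one named admin holds an ID at a time."""

    def __init__(self, shared_ids, lease=timedelta(hours=4)):
        self.lease = lease
        self._holders = {sid: None for sid in shared_ids}   # sid -> (admin, expiry)
        self.audit = []

    def check_out(self, sid, admin, reason, now):
        holder = self._holders[sid]
        if holder is not None and holder[1] > now and holder[0] != admin:
            # Someone else holds a live lease: refuse, but record the attempt.
            self.audit.append(AuditEvent(now, "denied", sid, admin, reason))
            return False
        self._holders[sid] = (admin, now + self.lease)
        self.audit.append(AuditEvent(now, "checkout", sid, admin, reason))
        return True

    def check_in(self, sid, admin, now):
        holder = self._holders[sid]
        if holder is None or holder[0] != admin:
            return False                     # only the current holder can return it
        self._holders[sid] = None
        self.audit.append(AuditEvent(now, "checkin", sid, admin))
        return True

    def attribute(self, sid, at):
        """Who held `sid` at time `at`, replayed from the audit trail alone
        (the way a log monitor maps a shared-ID log line to a person)."""
        holder, expiry = None, None
        for ev in sorted(self.audit, key=lambda e: e.at):
            if ev.shared_id != sid or ev.at > at:
                continue
            if ev.action == "checkout":
                holder, expiry = ev.admin, ev.at + self.lease
            elif ev.action == "checkin" and ev.admin == holder:
                holder, expiry = None, None
        return holder if holder is not None and at < expiry else None


def attribute_log_lines(pool, lines):
    """Map target-system log lines (time, account, message) to people. Lines
    whose shared account had no holder come back as None: nobody is
    accountable for them, so those are the ones to alert on."""
    return [(msg, pool.attribute(account, at)) for at, account, msg in lines]


T0 = datetime(2011, 9, 15, 9, 0)                        # constructed timestamps
POOL = SharedIdPool(["ems_admin", "hist_dba"], lease=timedelta(hours=2))
POOL.check_out("ems_admin", "alice", "patch EMS front end", T0)
POOL.check_out("ems_admin", "bob", "restart poller", T0 + timedelta(minutes=30))  # denied
POOL.check_in("ems_admin", "alice", T0 + timedelta(hours=1))
POOL.check_out("ems_admin", "bob", "restart poller", T0 + timedelta(hours=1, minutes=30))

LOG_LINES = [   # constructed lines from the EMS host: (time, account, message)
    (T0 + timedelta(minutes=10), "ems_admin", "service ems-ui restarted"),
    (T0 + timedelta(hours=1, minutes=10), "ems_admin", "config file rewritten"),
    (T0 + timedelta(hours=1, minutes=45), "ems_admin", "service poller restarted"),
]
ATTRIBUTED = attribute_log_lines(POOL, LOG_LINES)
```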

Page 12: Cyber Security in Energy & Utilities Industry

IBM Software Map for NERC CIP Requirements

CIP-001 Sabotage Reporting
• R1. Have procedures for recognition and reporting of sabotage events.
• R2. Have procedures for communication of sabotage to appropriate parties.
• R3. Have guideline for monitoring and reporting.
• R4. Have established communication contacts as applicable with local authorities.

CIP-002 Critical Cyber Assets
• R1. Critical Asset Identification Method
• R2. Critical Asset Identification
• R3. Critical Cyber Asset Identification
• R4. Annual Approval

CIP-003 Security Mgmt. Controls
• R1. Cyber Security Policy
• R2. Leadership
• R3. Exceptions
• R4. Information Protection
• R5. Access Control
• R6. Change Control and Configuration Mgmt.

CIP-004 Cyber Security – Pers. & Training
• R1. Awareness
• R2. Training
• R3. Personnel Risk Assessment
• R4. Access

CIP-005 Electronic Security Perimeters
• R1. Electronic Security Perimeter
• R2. Electronic Access Controls
• R3. Monitoring Electronic Access
• R4. Cyber Vulnerability Assessment
• R5. Documentation Review and Maintenance

CIP-006 Physical Security of Cyber Assets
• R1. Physical Security Plan
• R2. Physical Access Controls
• R3. Monitoring Physical Access
• R4. Logging Physical Access
• R5. Access Log Retention
• R6. Maintenance and Testing

CIP-007 Cyber Security – Systems Security Mgmt
• R1. Test Procedures
• R2. Ports and Services
• R3. Security Patch Management
• R4. Malicious Software Prevention
• R5. Account Management
• R6. Security Status Monitoring
• R7. Disposal or Redeployment
• R8. Cyber Vulnerability Assessment
• R9. Documentation Review and Maintenance

CIP-008 Cyber Security – Incident Rept. & Response
• R1. Cyber Security Incident Response Plan
• R2. Cyber Security Incident Documentation

CIP-009 Recovery Plans for Critical Cyber Assets
• R1. Recovery Plans
• R2. Exercises
• R3. Change Control
• R4. Backup and Restore
• R5. Testing Backup Media

IBM products shown on the map: Tivoli Identity Manager, Tivoli Access Manager, Tivoli Security Compliance Manager, Tivoli Security Operations Manager, Tivoli Compliance Insight Manager, Tivoli Provisioning Manager, Tivoli Storage Manager, Tivoli Monitoring, Tivoli Enterprise Portal, Tivoli Netcool, Lotus Learning Management System, Enterprise Content and Record Manager, Internet Security Systems, Maximo, and the NERC Compliance Portal (Alerts, Notification, Auditing, Reporting, Workflow, Team Definition, Measurement).

Page 13: Cyber Security in Energy & Utilities Industry

Prolifics-IBM Support For NIST Industrial Control Systems Security Objectives

NIST Directive, NIST Objectives: IBM Technology
• NIST SP 800-12, Security Policies and Procedures: TSPM, TIM, TAMeb
• NIST SP 800-53, Security Controls (Configuration Management, Access Management): TAM ESSO, TAMeb, TAM OS, TFIM
• NIST SP 800-94, Guidance on Intrusion Detection/Prevention Systems: ISS Proventia
• NIST SP 800-61, Guidance on Incident Handling and Reporting: TSIEM
• NIST SP 800-73/76, Guidance on Personal Identity Verification: TIM, PIM
• NIST SP 800-63, Guidance on Remote Electronic Authentication: TFIM
• NIST SP 800-64, Guidance on Security considerations for System Development Lifecycle: Rational AppScan
• NIST SP 800-61, Guidance on Incident Handling/Audit Log Retention: TSIEM
• NIST SP 800-56/57, Guidance on Cryptographic Key Establishment and Management: TKLM

Page 14: Cyber Security in Energy & Utilities Industry

Holistic Enterprise Security Solution

Agenda:
• The “Blind Slide”
• The Insider Threat. Identity Controls and Data Loss Protection
• Application Protection
• New threat vectors. Virtualization and distributed assets
• Experiences from the field

Page 15: Cyber Security in Energy & Utilities Industry

Application Vulnerabilities Continue to Dominate
• Web app. vulnerabilities represent the largest category in vulnerability disclosures
• In 1H10, 55.95% of all vulnerabilities are web application vulnerabilities
• SQL injection and cross-site scripting are neck and neck in a race for the top spot

Source: IBM Internet Security Systems 2010 X-Force® Mid-Year Trend & Risk Report

Page 16: Cyber Security in Energy & Utilities Industry

Motivation for becoming Secure by Design…

Chart: Impact to Enterprise (1x, 10x, 100,000x) across Development, Test, Deployment.
• Functional Flaw, e.g., Database crash
• Security Flaw, e.g., Database hacked

Unbudgeted Costs: Downtime; Customer notification/care; Fines/Litigation; Reputational damage; Cost to clean-up

Page 17: Cyber Security in Energy & Utilities Industry

Application Security Tools Strategy
• Static Code Analysis = Whitebox: scanning source code for security issues
• Dynamic Analysis = Blackbox: performing security analysis of a compiled application

Diagram: Total Potential Security Issues, covered by Dynamic Analysis and Static Analysis together for Complete Coverage.

Providing for numerous compliance requirements, including NERC-CIP: CIP-002 Critical Cyber Assets; CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.

Page 18: Cyber Security in Energy & Utilities Industry

Database Servers Are The Primary Source of Breached Data
• SQL injection played a role in 79% of records compromised during 2010 breaches … up from 75% in 2009 Report
• “Although much angst and security funding is given to …. mobile devices and end-user systems, these assets are simply not a major point of compromise.”

Source of Breached Records: 2010 Data Breach Report from Verizon Business RISK Team, http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Page 19: Cyber Security in Energy & Utilities Industry

Real-Time Database Monitoring
• No DBMS or application changes
• Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders
• 100% visibility including local DBA access
• Minimal performance impact (1-2%)
• Cross-DBMS solution
• Granular, real-time policies & auditing – Who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)

Architecture: Collector; Host-based Probes (S-TAPs)

Compliance coverage: CIP-002 Critical Cyber Assets; CIP-003 Security Mgmt. Controls; CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.

Page 20: Cyber Security in Energy & Utilities Industry

Holistic Enterprise Security Solution

Agenda:
• The “Blind Slide”
• The Insider Threat. Identity Controls and Data Loss Protection
• Application Protection
• New threat vectors. Virtualization and distributed assets
• Experiences from the field

Page 21: Cyber Security in Energy & Utilities Industry

Protocol Analysis Module (PAM) is the Engine Behind our Products

What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
Why Important: Eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.

What It Does: Monitors and identifies unencrypted PII & other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.

What It Does: Protects Web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).
Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.

What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
Why Important: Enforces network application and service access based on corporate policy and governance.

What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.
Why Important: At the end of 2009, vulnerabilities which affect personal computers represented the second-largest category of vulnerability disclosures and represent about a fifth of all vulnerability disclosures.

What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
Why Important: At the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability. In mid-2010, the percentage increased to 55%.

Others: constant thrashing to address today’s latest threat. IBM with PAM: “Ahead of the Threat”

Compliance coverage: CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.

Page 22: Cyber Security in Energy & Utilities Industry

Preemptive Ahead of the Threat Security – backed up by data

Top 61 Vulnerabilities 2009:
• 341 average days Ahead of the Threat
• 91 median days Ahead of the Threat
• 35 vulnerabilities Ahead of the Threat
• 57% of top vulnerabilities – Ahead of the Threat
• 9 protection released post announcement
• 17 same day coverage

2010 – Average days Ahead of the Threat increased to 437!

Page 23: Cyber Security in Energy & Utilities Industry

© 2011 IBM Corporation

Securing the Virtualized Runtime:IBM Security Virtual Server Protection for VMware vSphere 4

Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers

• VMsafe Integration

• Firewall and Intrusion Detection & Prevention

• Rootkit Detection & Prevention

• Inter-VM Traffic Analysis

• Automated Protection for Mobile VMs (VMotion)

• Virtual Network Segment Protection

• Virtual Network-Level Protection

• Virtual Infrastructure Auditing (Privileged User Access)

• Virtual Network Access Control

• Virtual Patch

IBM Virtual Server Protection for VMware

http://www-01.ibm.com/software/tivoli/products/virtual-server-protection/

Page 24: Cyber Security in Energy & Utilities Industry

Tivoli Endpoint Manager: Smarter, Faster Endpoint Management

• Network Asset Discovery

• Endpoint HW, SW Inventory

• Patch Management

• Software Distribution

• OS Deployment

• Remote Desktop Control

• Software Use Analysis (add on)

• Power Management (add on)

Whether it’s a Mac connecting from hotel wi-fi, or a Windows laptop at 30K feet, or a Red Hat Linux Server in your data center, Tivoli Endpoint Manager has it covered. In real-time, at any scale.

Compliance coverage: CIP-002 Critical Cyber Assets; CIP-003 Security Mgmt. Controls; CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.

Page 25: Cyber Security in Energy & Utilities Industry

Holistic Enterprise Security Solution

Agenda:
• The “Blind Slide”
• The Insider Threat. Identity Controls and Data Loss Protection
• Application Protection
• New threat vectors. Virtualization and distributed assets
• Experiences from the field

Page 26: Cyber Security in Energy & Utilities Industry

Experience
• Treating identities as an enterprise asset
• Consistent, standards based method for authentication and authorization
• Provisioning and, more importantly, de-provisioning accounts within a specified period of time (account lifecycle)
• Application accounts, Databases, Servers, Network devices
• Approval process with multi-level escalation and delegation
• Quarterly access certification reports
• FERC M/T code throughout the whole system and in reports
• Standardization helps with FERC reliability regulations
• Energy Management Systems kept on an isolated network
• SSO limits password exposure and simplifies sign on process
• Service ID Management to address shared accounts (SOX)
• Separation of Duties checks (SOX)

Page 27: Cyber Security in Energy & Utilities Industry

Other features
• Self-service user interface
• Auditing and reporting enhancements
• Dormant Accounts Management
• External security audit recommended adding all enterprise applications, not just those covered by SOX and FERC regulations
• Flexible life-cycle and operational workflows

Page 28: Cyber Security in Energy & Utilities Industry


Page 29: Cyber Security in Energy & Utilities Industry

By managing security for customers across the world, IBM has a clear and current picture of threats and attacks.

IBM has the unmatched global and local expertise to deliver complete solutions – and manage the cost and complexity of security.
• 9 Security Research Centres
• 9 Security Operations Centres
• 11 Security Solution Development Centres
• 133 Monitored Countries
• 3 Branches of the Institute for Advanced Security (“IAS”): IAS Americas, IAS Europe, IAS Asia Pacific

Page 30: Cyber Security in Energy & Utilities Industry

Our strategy: Comprehensive solutions that also leverage partners' products

Delivery models: Professional Services; Products; Managed Services; Cloud Delivered

Security Governance, Risk and Compliance (GRC)
• Security Information and Event Management (SIEM) & Log Management

Identity & Access Management
• Identity Management
• Access Management

Data Security
• Database Monitoring & Protection
• Encryption & Key Lifecycle Management
• Data Loss Prevention
• Data Entitlement Management
• Data Masking

Messaging Security
• E-mail Security

Application Security
• Web / URL Filtering
• Application Vulnerability Scanning
• Access & Entitlement Management
• Web Application Firewall
• SOA Security

Infrastructure Security
• Threat Analysis
• Firewall, IDS/IPS MFS Management
• Physical Security
• Mainframe Security Audit, Admin & Compliance
• Security Event Management
• Security Configuration & Patch Management
• Intrusion Prevention System
• Endpoint Protection
• Virtual System Security
• Vulnerability Assessment
• Managed Mobility Svcs

IBM Security Solutions:
1. Assess Risks
2. Mitigate Risks
3. Manage Security Controls

Page 31: Cyber Security in Energy & Utilities Industry

Our strategy: IBM is investing in Security Solutions
• The only security vendor in the market with end-to-end coverage of the security foundation
• 15,000 researchers, developers and SMEs on security initiatives
• 3,000+ security & risk management patents
• 200+ security customer references and 50+ published case studies
• 40+ years of proven success securing the zSeries environment
• 600+ security certified employees (CISSP, CISM, CISA, ..)

IBM Security acquisitions (1999 – 2010): DASCOM

Page 32: Cyber Security in Energy & Utilities Industry

The mission of the IBM X-Force research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities

IBM builds technology for tomorrow based on IBM Research
• Identify mission-critical enterprise assets and very sensitive data.
• Build fine-grained perimeters
• Monitor fine-grained perimeters and close the loop
• End-to-end security
• Secure by design

Our strategy: Research = intelligence = security
• 13B analyzed Web pages & images
• 150M intrusion attempts daily
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• Millions of unique malware samples

Page 33: Cyber Security in Energy & Utilities Industry

The Importance of Research to Security: IBM Internet Security Systems X-Force® Research Team

Research
• Protection Technology Research
• Threat Landscape Forecasting
• Malware Analysis
• Public Vulnerability Analysis
• Original Vulnerability Research

Technology
• X-Force Protection Engines: Extensions to existing engines; New protection engine creation
• X-Force XPU’s: Security Content Update Development; Security Content Update QA
• X-Force Intelligence: X-Force Database; Feed Monitoring and Collection; Intelligence Sharing

Solutions
The X-Force team delivers reduced operational complexity – helping to build integrated technologies that feature “baked-in” simplification: “Protecting people from themselves”

Page 34: Cyber Security in Energy & Utilities Industry

IBM’s security portfolio today

IBM Security Offering Reference Model. IT Infrastructure – Operational Domains: People, Data, Applications, Infrastructure (Network, Endpoint). Security Services: Security Consulting, Implementation Services, Managed Services.

Security / Compliance Analytics and Reporting
• IBM Products: IBM OpenPages; Tivoli Security Information and Event Management
• IBM Services: GRC Consulting and Implementation Services; Audit and Compliance Assessment Services (e.g., PCI); Privacy and Risk Assessments; Cloud-based Vulnerability Management Portal; Security Event and Log Management

People
• IBM Products: Tivoli Identity and Access; Tivoli Federated ID; Tivoli Single Sign-On
• IBM Services: Identity Assessment, Deployment and Hosting Services

Data
• IBM Products: InfoSphere Guardium; InfoSphere Optim Data Masking; Tape / Disk encryption; Tivoli Key Manager
• IBM Services: Data Security Assessment; Encryption and DLP Deployment

Applications
• IBM Products: Rational AppScan Source Edition; Rational AppScan Standard Edition; Tivoli Security Policy Manager
• IBM Services: Application Assessment Services; AppScan On Demand - SaaS

Infrastructure (Network / Endpoint)
• IBM Products: Tivoli Network Intrusion Prevention; WebSphere Datapower XML Gateway; Tivoli Endpoint Manager (anti-virus using Trend Micro); Tivoli zSecure Mainframe security
• IBM Services: Penetration Testing; Firewall, IPS, Vulnerability Managed Services; Managed Mobile Protection (using Juniper)

Also shown: DOORS, FocalPoint