Security Conformity March 10, 2011 SF Bay Area. Agenda for Thursday, March 10th Discuss Security Testing & Certification Authority Review Security Testing.

1 Security Conformity March 10, 2011 SF Bay Area

2 Agenda for Thursday, March 10th
- Discuss Security Testing & Certification Authority
- Review Security Testing Methodology Overview
- TCC and CSWG Testing & Certification Subgroup
- Revise Security Conformance & Charter

3 Interoperability Testing and Certification Authority (ITCA)
- Which security standard are we considering defining an ITCA for?
- What about researching an ITCA responsible for security testing for certifying existing standards such as OpenADE, OpenADR, OpenHAN?
- Standards Setting Organizations are responsible for ensuring security is incorporated in the standard
- This ITCA could claim that it satisfies a certain set of requirements

4 Other Issues
- What are good security metrics?
- Need a good definition of testing vs. audits and assessments

5 Testing & Metrics
- GAO Report – “no metrics for evaluating cyber security”
- Utilities, Vendors, Commissions all want
- Open Source Security Testing Methodology Manual (OSSTMM) by the Institute for Security and Open Methodologies
- NIST SP800-115 Technical Guide to InfoSec Testing & Assessment, and NIST SP800-42 Guideline on Network Security Testing

7

8 NISTIR 7628 AMI SP OSSTMM CSWG T/C

9 OSSTMM Purpose
- Test conducted thoroughly
- Test included all necessary channels
- Posture for test complied with laws and regulations
- Results are measurable
- Results are consistent and repeatable
- Results contain only facts derived from the tests themselves

10 Security Test Audit Report
- Serves as proof of a factual test
- Holds the Analyst responsible for the test
- Provides a clear result to the client
- Provides a comprehensive overview
- Provides understandable metrics

11 Security
Security is a function of separation. Three logical and proactive ways to create separation:
1. Move the asset to create a physical or logical barrier between it and the threats.
2. Change the threat to a harmless state.
3. Destroy the threat.

12 Definitions
- Vector = direction of the interaction
- Attack Surface = lack of specific separations and functions that exist for a vector
- Attack Vector = a sub-scope of a vector created in order to approach the security testing of a complex scope in an organized manner
- Safety = a form of protection where the threat or its effects are controlled (e.g., breaker)

13 Definitions cont.
- Controls = impact & loss controls (see notes)
- Operations = the lack of security needed to be interactive, useful, public, open, or available
- Limitations = the current state of perceived and known limits for channels, operations, and controls as verified within the audit (e.g., rusty lock; see notes)
- Perfect Security = the balance of security and controls with operations and limitations

14 Testing Scope

15
Channel | OSSTMM Section | Description
PHYSSEC | Human | Comprises the human element of communication where interaction is either physical or psychological.
PHYSSEC | Physical | Physical security testing where the channel is both physical and nonelectronic in nature. Comprises the tangible element of security where interaction requires physical effort or an energy transmitter to manipulate.
SPECSEC | Wireless Communications | Comprises all electronic communications, signals, and emanations which take place over the known EM spectrum. This includes ELSEC as electronic communications, SIGSEC as signals, and EMSEC which are emanations untethered by cables.
COMSEC | Data Networks | Comprises all electronic systems and data networks where interaction takes place over established cable and wired network lines.
COMSEC | Telecommunications | Comprises all telecommunication networks, digital or analog, where interaction takes place over established telephone or telephone-like network lines.

16 Risk Analysis Analyzes Threats

17 Security Analysis Cracks Measures Attack Surface

18 Porosity = Visibility + Access + Trust, where:
- Visibility = each target's asset known to exist within the scope
- Access = the number of places where interaction can occur
- Trust = measured as each relationship that exists wherever the target accepts interaction freely from another target within the scope
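The slide gives the three porosity inputs only as definitions. The following is an added example, not part of the slide deck, that turns a constructed scope inventory into those three counts and sums them. The counting rules (one per target for Visibility, one per interaction point for Access, one per unverified relationship between two in-scope targets for Trust) are a simplified reading of the slide's own definitions, and the target names, ports and trust relationships in SAMPLE_SCOPE are invented for illustration.

```python
# Added example (not from the slides): derive the OSSTMM porosity inputs from a
# constructed scope inventory and sum them.
#
# Counting rules follow the slide's definitions and are simplified assumptions:
#   Visibility = each target known to exist within the scope
#   Access     = each place on a target where interaction can occur
#   Trust      = each relationship where a target accepts interaction freely
#                (without verification) from another target within the scope
from dataclasses import dataclass, field


@dataclass
class Target:
    name: str
    # Interaction points, e.g. listening ports or physical entry points.
    interaction_points: list[str] = field(default_factory=list)
    # Names of targets whose interaction this target accepts without
    # verification. A named peer outside the scope is ignored by trust().
    trusts: list[str] = field(default_factory=list)


def visibility(scope: list[Target]) -> int:
    """Each target known to exist within the scope counts once."""
    return len(scope)


def access(scope: list[Target]) -> int:
    """Each place where interaction can occur counts once, across all targets."""
    return sum(len(t.interaction_points) for t in scope)


def trust(scope: list[Target]) -> int:
    """Each unverified relationship between two in-scope targets counts once."""
    in_scope = {t.name for t in scope}
    return sum(1 for t in scope for peer in t.trusts if peer in in_scope)


def porosity(scope: list[Target]) -> dict[str, int]:
    """Return the three inputs and their sum (the slide's Porosity)."""
    v, a, tr = visibility(scope), access(scope), trust(scope)
    return {"visibility": v, "access": a, "trust": tr, "porosity": v + a + tr}


# Constructed scope: a small metering chain. Names, ports and trust
# relationships are illustrative only; "vendor-laptop" is deliberately outside
# the scope so that its relationship does not count toward Trust.
SAMPLE_SCOPE = [
    Target("headend", ["tcp/443 https", "tcp/22 ssh"]),
    Target("collector", ["tcp/22 ssh", "udp/161 snmp"], trusts=["headend"]),
    Target("meter-1", ["optical port", "rf link"], trusts=["collector"]),
    Target("meter-2", ["optical port", "rf link"],
           trusts=["collector", "vendor-laptop"]),
]

if __name__ == "__main__":
    for name, value in porosity(SAMPLE_SCOPE).items():
        print(f"{name:>10}: {value}")
```

For SAMPLE_SCOPE this yields Visibility 4, Access 8, Trust 3 and Porosity 15. Porosity is only the operational-security side of the RAV; the slide's later definitions (controls, limitations) are what the RAV worksheet weighs against it, and they are not modelled here.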

19 Security Metrics

20 RAV Worksheet

21 Review CSWG Testing & Certification
- Is NISTIR 7628 Testable / Actionable?
- Is AMI Security Profile 2.0 Testable / Actionable?
- SGIP TCC Coordination Tasks
- Miscellaneous Tasks

22 Outward Support
- CSWG Testing & Certification Sub-group
- SG Security
- CyberSec-Interop

23 Review Security Conformity TF Charter
- Establish security conformance requirements for laboratories desiring to certify smart grid components and systems; and
- Establish clear scoping boundaries, perform research to identify existing models, and propose a high-level philosophy of approach.
Chair: Bobby Brown, EnerNex
Vice-chair: needed (Sandy Bacik)

24 Next Steps?
