Security Conformity March 10, 2011 SF Bay Area. Agenda for Thursday, March 10th Discuss Security Testing & Certification Authority Review Security Testing.

Presentation transcript:

Security Conformity March 10, 2011 SF Bay Area

Agenda for Thursday, March 10th
Discuss Security Testing & Certification Authority
Review Security Testing Methodology Overview
TCC and CSWG Testing & Certification Subgroup
Revise Security Conformance & Charter

Interoperability Testing and Certification Authority (ITCA)
Which security standard are we considering defining an ITCA for?
What about researching an ITCA responsible for security testing for certifying existing standards such as OpenADE, OpenADR and OpenHAN?
Standards Setting Organizations are responsible for ensuring security is incorporated in the standard.
This ITCA could claim that it satisfies a certain set of requirements.

Other Issues
What are good security metrics?
Need a good definition of testing vs. audits and assessments

Testing & Metrics
GAO Report: "no metrics for evaluating cyber security"
Utilities, vendors and commissions all want:
Open Source Security Testing Methodology Manual (OSSTMM) by the Institute for Security and Open Methodologies
NIST SP Technical Guide to InfoSec Testing & Assessment
NIST SP Guideline on Network Security Testing


NISTIR 7628 AMI SP OSSTMM CSWG T/C

OSSTMM Purpose
Test conducted thoroughly
Test included all necessary channels
Posture for test complied with laws and regulations
Results are measurable
Results are consistent and repeatable
Results contain only facts derived from the tests themselves

Security Test Audit Report
Serves as proof of a factual test
Holds the Analyst responsible for the test
Provides a clear result to the client
Provides a comprehensive overview
Provides understandable metrics

Security
Security is a function of a separation. Three logical and proactive ways to create separation:
1. Move the asset to create a physical or logical barrier between it and the threats.
2. Change the threat to a harmless state.
3. Destroy the threat.

Definitions
Vector = direction of the interaction
Attack Surface = lack of specific separations and functions that exist for a vector
Attack Vector = a sub-scope of a vector created in order to approach the security testing of a complex scope in an organized manner
Safety = a form of protection where the threat or its effects are controlled (e.g., breaker)

Definitions (cont.)
Controls = impact & loss controls (see notes)
Operations = the lack of security needed to be interactive, useful, public, open, or available
Limitations = the current state of perceived and known limits for channels, operations, and controls as verified within the audit (e.g., rusty lock; see notes)
Perfect Security = the balance of security and controls with operations and limitations

Testing Scope

Channel | OSSTMM Section | Description
PHYSSEC | Human | Comprises the human element of communication, where interaction is either physical or psychological.
PHYSSEC | Physical | Physical security testing where the channel is both physical and non-electronic in nature. Comprises the tangible element of security, where interaction requires physical effort or an energy transmitter to manipulate.
SPECSEC | Wireless Communications | Comprises all electronic communications, signals and emanations which take place over the known EM spectrum. This includes ELSEC as electronic communications, SIGSEC as signals, and EMSEC as emanations untethered by cables.
COMSEC | Data Networks | Comprises all electronic systems and data networks where interaction takes place over established cable and wired network lines.
COMSEC | Telecommunications | Comprises all telecommunication networks, digital or analog, where interaction takes place over established telephone or telephone-like network lines.

Risk Analysis Analyzes Threats

Security Analysis Cracks Measures Attack Surface

Porosity = Visibility + Access + Trust
Visibility: each target's asset known to exist within the scope
Access: the number of places where interaction can occur
Trust: measured as each relationship that exists wherever the target accepts interaction freely from another target within the scope
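The porosity sum above is easy to state and easy to get wrong in practice, mostly in what gets counted as Access and which trust relationships are in scope. The following is an added example, written for this page rather than taken from the slides or from the OSSTMM itself. It tallies the three components over a constructed scope inventory (the host names, ports and trust links are made up) and keeps the components separate so a report can show which one dominates. Two assumptions are mine and labelled in the code: a listening port is the unit of "place where interaction can occur", and a trust relationship pointing at a target outside the scope is excluded from the sum but reported, since it usually means the scope boundary was drawn too narrowly. Only the porosity sum is computed; the full RAV also weighs controls and limitations, which this example does not model.

```python
# Added example (not from the slides or from OSSTMM itself): tallying the
# three porosity components the slide defines, Visibility + Access + Trust,
# over a constructed scope inventory. Target names and ports are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Target:
    """One target known to exist within the scope (counts toward Visibility)."""
    name: str
    # Places where interaction with the target can occur, e.g. listening
    # ports. Each one counts toward Access. (Assumption: a listening port is
    # the unit of interaction; a real audit may count other channels too.)
    interaction_points: List[str] = field(default_factory=list)
    # Names of other targets whose interaction this target accepts freely
    # (no authentication or filtering). Each in-scope one counts toward Trust.
    trusts: List[str] = field(default_factory=list)


# Constructed sample scope: a hypothetical control-network segment.
SAMPLE_SCOPE: List[Target] = [
    Target("hmi-01", ["tcp/3389", "tcp/445"], trusts=["historian-01"]),
    Target("historian-01", ["tcp/1433"], trusts=["hmi-01", "corp-ad-01"]),
    Target("rtu-07", ["tcp/502", "udp/161"], trusts=["hmi-01"]),
    Target("rtu-08", [], trusts=[]),  # known to exist, nothing listening
]


def visibility(scope: List[Target]) -> int:
    """Each target known to exist within the scope."""
    return len(scope)


def access(scope: List[Target]) -> int:
    """The number of places where interaction can occur."""
    return sum(len(t.interaction_points) for t in scope)


def trust(scope: List[Target]) -> int:
    """Each relationship where a target accepts interaction freely from
    another target within the scope. Relationships pointing outside the
    scope are not counted here (see out_of_scope_trusts)."""
    in_scope = {t.name for t in scope}
    return sum(1 for t in scope for peer in t.trusts if peer in in_scope)


def out_of_scope_trusts(scope: List[Target]) -> List[Tuple[str, str]]:
    """Trust relationships to targets outside the scope. They do not enter
    the porosity sum, but an auditor should report them: they usually mean
    the scope boundary was drawn too narrowly."""
    in_scope = {t.name for t in scope}
    return [(t.name, peer) for t in scope for peer in t.trusts if peer not in in_scope]


def porosity(scope: List[Target]) -> Dict[str, int]:
    """Porosity = Visibility + Access + Trust, with the components kept so the
    report can show which one dominates."""
    v, a, t = visibility(scope), access(scope), trust(scope)
    return {"visibility": v, "access": a, "trust": t, "porosity": v + a + t}


def without_interaction_point(scope: List[Target], target: str, point: str) -> List[Target]:
    """Return a copy of the scope with one interaction point closed, to show
    how a remediation (e.g. disabling an unneeded service) changes porosity."""
    return [
        Target(
            t.name,
            [p for p in t.interaction_points if not (t.name == target and p == point)],
            list(t.trusts),
        )
        for t in scope
    ]


if __name__ == "__main__":
    before = porosity(SAMPLE_SCOPE)
    after = porosity(without_interaction_point(SAMPLE_SCOPE, "hmi-01", "tcp/445"))
    print("before:", before)
    print("after closing tcp/445 on hmi-01:", after)
    print("trusts outside scope:", out_of_scope_trusts(SAMPLE_SCOPE))
```

On the constructed scope this gives Visibility 4, Access 5, Trust 3, so a porosity of 12; closing one unneeded port on the HMI drops it to 11, and the link from the historian to the out-of-scope directory server is surfaced separately for the scoping discussion rather than silently dropped.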

Security Metrics

RAV Worksheet

Review CSWG Testing & Certification
Is NISTIR 7628 Testable / Actionable?
Is AMI Security Profile 2.0 Testable / Actionable?
SGIP TCC Coordination Tasks
Miscellaneous Tasks

Outward Support
CSWG Testing & Certification Sub-group
SG Security CyberSec-Interop

Review Security Conformity TF Charter
Establish security conformance requirements for laboratories desiring to certify smart grid components and systems, and
Establish clear scoping boundaries, perform research to identify existing models, and propose a high-level philosophy of approach.
Chair: Bobby Brown, EnerNex
Vice-chair: needed (Sandy Bacik)

Next Steps?