
Security Conformity



Presentation Transcript


  1. Security Conformity March 10, 2011 SF Bay Area

  2. Agenda for Thursday, March 10th • Discuss Security Testing & Certification Authority • Review Security Testing Methodology • Overview TCC and CSWG Testing & Certification Subgroup • Revise Security Conformance & Charter

  3. Interoperability Testing and Certification Authority (ITCA) • Which security standard are we considering defining an ITCA for? • What about researching an ITCA responsible for security testing for certifying existing standards such as OpenADE, OpenADR, OpenHAN? • Standards Setting Organizations are responsible for ensuring security is incorporated in the standard • This ITCA could claim that it satisfies a certain set of requirements

  4. Other Issues • What are good security metrics? • Need a good definition of testing vs. audits and assessments

  5. Testing & Metrics • GAO Report – “no metrics for evaluating cyber security” • Utilities, Vendors, Commissions all want metrics • Open Source Security Testing Methodology Manual (OSSTMM) by the Institute for Security and Open Methodologies • NIST SP800-115 Technical Guide to Information Security Testing and Assessment, and • NIST SP800-42 Guideline on Network Security Testing

  6. Other Issues • What are good security metrics? • Need a good definition of testing vs. audits and assessments

  7. ?

  8. Smart Grid Security Testing Council • NISTIR 7628 • OSSTMM • CSWG T/C • AMI SP

  9. OSSTMM Purpose • Test conducted thoroughly • Test included all necessary channels • Posture for the test complied with laws and regulations • Results are measurable • Results are consistent and repeatable • Results contain only facts derived from the tests themselves

  10. Security Test Audit Report • Serves as proof of a factual test • Holds Analyst responsible for test • Provides clear result to client • Provides comprehensive overview • Provides understandable metrics

  11. Security • Security is a function of separation. Three logical and proactive ways to create separation: • Move the asset to create a physical or logical barrier between it and the threats. • Change the threat to a harmless state. • Destroy the threat.

  12. Definitions • Vector = direction of the interaction • Attack Surface = Lack of specific separations and functions that exist for a vector • Attack Vector = A sub-scope of a vector created in order to approach the security testing of a complex scope in an organized manner • Safety = A form of protection where the threat or its effects are controlled (e.g., breaker)

  13. Definitions cont. • Controls = Impact & loss controls (see notes) • Operations = the lack of security needed to be interactive, useful, public, open, or available • Limitations = the current state of perceived and known limits for channels, operations, and controls as verified within the audit (e.g., rusty lock; see notes) • Perfect Security = the balance of security and controls with operations and limitations

  14. Testing Scope

  15. Risk Analysis Analyzes Threats

  16. Security Analysis Measures Attack Surface Cracks

  17. Porosity = Visibility + Access + Trust • Visibility = each target’s asset known to exist within the scope • Access = the number of places where interaction can occur • Trust = measured as each relationship that exists wherever the target accepts interaction freely from another target within the scope
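The porosity sum on slide 17 is easier to reason about once the three counts are taken from an actual scope inventory rather than stated abstractly. The following is an added example, not part of the deck and not OSSTMM's own RAV worksheet: it models a constructed smart-grid scope (meter, collector, head-end) with hypothetical names and interaction points, counts Visibility, Access and Trust exactly as the slide defines them, and sums them to Porosity. The only rule it adds beyond the slide's wording is implied by it: a trust relationship is counted only when the trusted peer is itself a target within the scope.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Target:
    """One target inside the test scope (constructed model, not an OSSTMM artifact)."""
    name: str
    visible: bool                                            # asset known to exist within the scope
    access_points: List[str] = field(default_factory=list)   # each place where interaction can occur
    trusts: List[str] = field(default_factory=list)          # peers it accepts interaction from freely


def porosity(targets: List[Target]) -> Dict[str, int]:
    """Return the three slide-17 counts and their sum for the given scope."""
    in_scope = {t.name for t in targets}
    # Visibility: one per target whose asset is known to exist within the scope.
    visibility = sum(1 for t in targets if t.visible)
    # Access: every place where interaction can occur, over all targets.
    access = sum(len(t.access_points) for t in targets)
    # Trust: every relationship where a target accepts interaction freely from
    # another target *within the scope*; a trusted out-of-scope peer is not counted.
    trust = sum(1 for t in targets for peer in t.trusts if peer in in_scope)
    return {
        "visibility": visibility,
        "access": access,
        "trust": trust,
        "porosity": visibility + access + trust,
    }


# Constructed sample scope (hypothetical names and services, for illustration only).
SAMPLE_SCOPE = [
    Target("smart-meter", True, ["zigbee-han", "plc-backhaul"], ["data-collector"]),
    Target("data-collector", True, ["tcp/22 ssh", "tcp/443 https"], ["head-end", "vendor-vpn"]),
    Target("head-end", True, ["tcp/443 https", "tcp/1433 mssql", "tcp/3389 rdp"], ["data-collector"]),
    Target("spare-collector", False, [], []),  # powered off: not visible, no interaction points
]

if __name__ == "__main__":
    for key, value in porosity(SAMPLE_SCOPE).items():
        print(f"{key:>10}: {value}")
```

For the sample scope the counts are Visibility 3 (the powered-off spare is not known to exist in the scope), Access 7, Trust 3 (the collector's trust of `vendor-vpn` falls outside the scope and is dropped), so Porosity is 13. The RAV worksheet referenced on slide 19 goes on to balance this porosity against controls and limitations (slide 13); this example stops at the porosity term because that is all slide 17 defines.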

  18. Security Metrics

  19. RAV Worksheet

  20. Review CSWG Testing & Certification • Is NISTIR 7628 Testable / Actionable? • Is AMI Security Profile 2.0 Testable / Actionable? • SGIP TCC Coordination Tasks • Miscellaneous Tasks

  21. Outward Support • CSWG Testing & Certification Sub-group • SG Security CyberSec-Interop

  22. Review Security Conformity TF Charter • Establish security conformance requirements for laboratories desiring to certify smart grid components and systems, and • Establish clear scoping boundaries, perform research to identify existing models, and propose a high-level philosophy of approach. • Chair: Bobby Brown, EnerNex • Vice-chair: needed (Sandy Bacik)

  23. Next Steps?
