Security Focus Group: A Vendor & Customer Collaboration
EMS Users Conference, September 14, 2009
Rich White, AREVA T&D
Security Focus Group: Presentation Overview
• Background
  • Formation
  • Approach
  • Timeline
• Role of the Security Focus Group
  • Help the participants to achieve NERC CIP compliance
  • Oversee specific security activities
  • Address security of products and services
  • A forum to address security issues as they arise
• Results of the Security Focus Group
  • Deliverables and Recommendations
  • Collaborative management and solutions
  • Raising the quality and visibility bar on security
• What’s next?
Background
• Formation of the Security Focus Group
  • Started after the June 2007 AREVA T&D Users Group conference
  • Initial group of customer volunteers + open invitation process
  • Mandate to focus on NERC CIP readiness
• Approach
  • Meeting agenda and invitations distributed in advance
  • 1-hour conference call meetings every other week
  • Detailed meeting summaries published on the web
  • Use of on-line surveys to clarify interests and priorities of the group
    • “Top 10 Security Concerns”
    • NERC CIPs prioritization
    • Change Management “Significant Change” classification
Background (cont’d): Timeline
• Phase I Security Focus Group (25 participants from 13 different companies)
  • Commissioned at the June 2007 AREVA T&D Users Group conference
  • Meetings from Oct. ’07 – Apr. ’08
  • Results presented at the ’08 UG conference
• Phase II Security Focus Group (55 participants from 20 different companies)
  • Commissioned at the June ’08 AREVA T&D Users Group conference
  • Meetings from Oct. ’08 – May ’09
  • Results presented at the ’09 UG conference
(Timeline chart on the original slide spans Q3 2007 through Q2 2009.)
NERC CIP Compliance Discussions
• On-line survey of SFG participants to identify top security concerns, and to prioritize the NERC CIPs discussion
• Agenda of successive SFG meetings followed this priority order
(Legend for the survey results table on the original slide: C = Compliant; AC = Auditably Compliant by end of 2nd Qtr 2009)
Security Activities Oversight
(Diagram on the original slide, listing the activity layers: Independent Security Vulnerability Testing; Customer Operational System Pre-Deployment Test; Customer Patch Management and Significant Change Test; AREVA T&D Operating System Vendor Patch Compatibility Testing; AREVA T&D Third Party Vendor Patch Compatibility Testing; Business Security Policy / NERC CIP Requirements)
• AREVA T&D security activities for which the Security Focus Group has assumed oversight include:
  • Security Patch Compatibility Testing Services
  • Independent Security Vulnerability Testing Services
  • Security Patch Communications and Release Processes
Security of AREVA T&D Products and Services
• AREVA T&D Security Documents:
  • 3rd Party Software Documentation
  • Security Solutions document developed and published (mapping NERC CIPs to AREVA product features and configurations)
  • AREVA T&D System and Network Security Guides reviewed and updated
• Review of AREVA T&D Security policies and processes
  • Security training process
  • Background checking procedure
  • Secure management of remote system access
Addressing Security Issues as They Arise
• Security audits and assessment findings
  • Forum for open discussion and sharing of audit experiences
  • Insights from an auditor
  • Bandolier templates for AREVA T&D systems
• AREVA T&D Security Patch processes
  • Customer Security Bulletins
  • Security Patch Release process
  • Industry / regulatory coordination (US-CERT, NERC)
• Discussion of 3rd party security tools utilization
  • Tools for security event logging consolidation
  • Security assessment and scanning tools
  • Security audit and change management tools
Deliverables and Recommendations
Highlights of deliverables and recommendations include:
• INL Phase III Independent Vulnerability Test Scope
• SFG Significant Change List
• CIP-007-1 R1 Significant Change Survey Results
• Log Management White Paper
• AREVA T&D Personnel Risk Assessment Verification
• Third Party Software Document
• Security Focus Group Meeting Summaries
• Vulnerability assessment and testing methodologies, procedures, and tools document
• AREVA Security Patch testing and Product Release testing scope expansion
• AREVA project and support personnel change notification policy and procedures
Collaboration and Quality Management
• Management responsibilities representing the User Community:
  • Independent Vulnerability Testing
  • Security Patch Compatibility Testing
Raising the Quality and Visibility Bar on Security
• Focus Group activities and recommendations are high priority to AREVA T&D
• Meeting format makes it possible for both vendor and customers to bring their experts together to discuss specific security subjects
• Broad and consistent user representation gives the Focus Group good credibility with the user community
Benefits to the Participants
• Helping the user community define a common interpretation of the NERC CIP requirements
• Assisting users’ efforts to achieve NERC CIP compliance
• Facilitating sharing of experience and successes among the participants
• Providing users an opportunity to influence and improve AREVA T&D’s security features and services
• Empowering user representatives to oversee specific AREVA T&D security activities
What’s Next
• The 2009 / 2010 Security Focus Group will hold its first meeting on October 1st
• Key subjects the Security Focus Group will concentrate on:
  • NERC CIPs compliance (audit experiences, best practices, etc.)
  • Product security testing (including INL, security patch compatibility, other)
  • Product security features / configuration / documentation
  • Product security integration (e.g. third-party tools)
  • Security policies and procedures (disclosure & notification, security tools & best practices, etc.)