Managing Cyber Security
Jeff Scheidel, Oracle Security Architect
Rex Thexton, PricewaterhouseCoopers Managing Director
Program Agenda
• Security vs. Compliance
• Auditors: Friend or Foe?
• NERC and others
• Inventory of Audit Support Structures
• Security/compliance deployment specifics
• NERC CIP: v3 vs v4 vs v5
What is the lesson?
• Security ≠ compliance
• Compliance ≠ security
• Reporting ≠ either
Alphabet Soup
FFIEC, SAS-70, HIPAA, SOX, PCI, NERC-CIP, GLB, EURO, FISMA
Moving to NERC-CIP v5 – the leap over v4
Once approved, 24 months to comply
• Encryption – more PCI-like
• Multiple compliance levels: low, medium, high
• Role-based classifications (rather than risk-based)
• Multi-factor authentication
• Serial connections
• Triggers for recovery plans
• All software to be known (COTS and homegrown)
• Security patches from beginning of time to be published
• CIP-10 and CIP-11 get uglier
• “Evidence of compliance”
Are auditors the enemy? Of course not
• They light the fires
• They free up budgets
• They make you “clean”
• They provide the measuring stick
So how do you pass the audit? Know what’s in the black box!!!
Make them happy, so they’ll go away
• What they ask for directly
• What they “ask” for indirectly
• Evidence of compliance
• Satisfy NERC and other requirements
• Satisfy compliance and security
Inventory of Assets
Authoritative Sources
Policies, Processes, Change Management
The most important change management process? Terminations!!!
Dev. and test procedures
Data security, backups and audit
Segregation of Duties
Privileged Users
Reporting
Exceptions
Certifications
Education
Disaster Recovery Plan
Threats
Risk!!!
Documentation
Words = deeds?
Tips, hints, nitty-gritty
• Know where your PII lives
• Regulatory compliance requirements
• Customers’ requirements
• Know the penalties
• Enforcement duties
• Active Directory & SharePoint
• Access Rights
• Privileged Users
• Granularity
• Using service providers? You’re still on the hook
Quick story: Fatal Audit
PwC’s Oracle Security Practice Highlights
The only five-time Oracle Titan Award winner
• 80% of PwC’s IdM implementation revenue is Oracle
• Over 160 staff currently engaged on 23 Oracle security engagements
• Since 2011 all PwC Security Consulting new hires receive training on Oracle IdM or DB Security technologies
• Over 60 resources trained on OIG11gR2 in the US and India in May & June
• In FY13 PwC invested over 6,000 Oracle training hours, including over 2,000 hours of training on Oracle IdM and Database Security
• FY14 investments on Oracle security related initiatives will increase over FY13
Major changes from CIP v3 to v4/v5
CIP-002 Risk-Based Assessment becoming “Bright-Line Criteria”
• Black start resources
• Additional generation and transmission facilities
• Facilities performing automatic load shedding
• Remaining standards (003 to 009) mostly unchanged
• Effective July 2014
Impact to utilities and power generators
CIP-002 Risk-Based Assessment becoming “Bright-Line Criteria”
• More substations
• Potentially includes distribution assets
• Additional power plants in scope
• Generation management systems
• On average, we see an increase in critical cyber assets of at least 20-30%
Representative impact of version 4 (e.g. independent power producer)
NERC CIP v3
• No critical assets (CAs)
• No critical cyber assets (CCAs)
NERC CIP v4
• 11 sites/locations
• Generation Management System
• 85 CCAs
• Physical access – 110 personnel
• Cyber access – 85 personnel
Representative impact of version 5 (e.g. single utility)
NERC CIP v3
• 12 sites/locations
• 104 CCAs
• Physical access – 210 personnel
• Cyber access – 165 personnel
NERC CIP v5
• 22 sites/locations
• 218 CCAs
• Physical access – 380 personnel
• Cyber access – 190 personnel
Most common CIP compliance issues
Top 12 Violated Standards – June 1, 2011 to May 31, 2012
• 007 – Systems Security Mgmt
• 005 – ESP
• 006 – Physical Security
• 004 – Personnel/training
• 003 – Security Mgmt Controls
For more information
Jeff Scheidel, Oracle Security Architect, Jeff.G.Scheidel@oracle.com, 630.667.1100
Rex Thexton, PwC Managing Director, Rex.thexton@us.pwc.com, 908.868.1386