Security conformity
Security Conformity. March 10, 2011 SF Bay Area. Agenda for Thursday, March 10th. Discuss Security Testing & Certification Authority Review Security Testing Methodology Overview TCC and CSWG Testing & Certification Subgroup Revise Security Conformance & Charter.

Presentation Transcript


Security Conformity

March 10, 2011

SF Bay Area


Agenda for Thursday, March 10th

  • Discuss Security Testing & Certification Authority

  • Review Security Testing Methodology

  • Overview TCC and CSWG Testing & Certification Subgroup

  • Revise Security Conformance & Charter


Interoperability Testing and Certification Authority (ITCA)

  • Which security standards are we considering defining an ITCA for?

  • What about researching an ITCA responsible for security testing to certify existing standards such as OpenADE, OpenADR, and OpenHAN?

  • Standards Setting Organizations are responsible for ensuring security is incorporated in the standard

  • This ITCA could claim that it satisfies a certain set of requirements


Other Issues

  • What are good security metrics?

  • Need a good definition of testing vs. audits and assessments


Testing & Metrics

  • GAO Report – “no metrics for evaluating cyber security”

  • Utilities, Vendors, Commissions all want

  • Open Source Security Testing Methodology Manual (OSSTMM) by the Institute for Security and Open Methodologies

  • NIST SP800-115 Technical Guide to Information Security Testing and Assessment

  • NIST SP800-42 Guideline on Network Security Testing



?


Security Conformity

(diagram: Smart Grid Security Testing Council, with inputs NISTIR 7628, OSSTMM, CSWG T/C, AMI SP)


OSSTMM Purpose

  • Test was conducted thoroughly

  • Test included all necessary channels

  • Posture for the test complied with laws and regulations

  • Results are measurable

  • Results are consistent and repeatable

  • Results contain only facts derived from tests themselves


Security Test Audit Report

  • Serves as proof of a factual test

  • Holds the Analyst responsible for the test

  • Provides clear result to client

  • Provides comprehensive overview

  • Provides understandable metrics


Security

Security is a function of separation.

Three logical and proactive ways to create separation:

  • Move the asset to create a physical or logical barrier between it and the threats.

  • Change the threat to a harmless state.

  • Destroy the threat.


Definitions

  • Vector = direction of the interaction

  • Attack Surface = Lack of specific separations and functions that exist for a vector

  • Attack Vector = A sub-scope of a vector created in order to approach the security testing of a complex scope in an organized manner

  • Safety = A form of protection where the threat or its effects are controlled (e.g., breaker)


Definitions cont.

  • Controls = Impact & loss controls (see notes)

  • Operations = the lack of security needed to be interactive, useful, public, open, or available

  • Limitations = the current state of perceived and known limits for channels, operations, and controls as verified within the audit (e.g., rusty lock; see notes)

  • Perfect Security = the balance of security and controls with operations and limitations


Testing Scope


Risk Analysis: analyzes threats

Security Analysis: measures the attack surface (cracks)

Porosity

  • Visibility (each target’s asset known to exist within the scope)

  • + Access (the number of places where interaction can occur)

  • + Trust (measured as each relationship that exists wherever the target accepts interaction freely from another target within the scope)

  • = Porosity
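As an added illustration (not part of the original slides or of the OSSTMM itself), the following script models a small constructed smart-grid scope and totals porosity exactly as the slide defines it: count the targets known to exist (Visibility), sum the points where interaction can occur (Access), and count every in-scope relationship where one target accepts interaction freely from another (Trust). The target names, port counts and trust links are invented sample data; the full RAV scoring is not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Target:
    """One target within the test scope (constructed sample data)."""
    name: str
    known: bool                      # asset known to exist within the scope (Visibility)
    interaction_points: int          # places where interaction can occur, e.g. listening services (Access)
    trusts: Set[str] = field(default_factory=set)  # peers it accepts interaction from freely (Trust)

def visibility(scope: List[Target]) -> int:
    # Each target's asset known to exist within the scope.
    return sum(1 for t in scope if t.known)

def access(scope: List[Target]) -> int:
    # The number of places where interaction can occur, across the scope.
    return sum(t.interaction_points for t in scope)

def trust(scope: List[Target]) -> int:
    # Each relationship where a target accepts interaction freely from
    # another target *within the scope*; links to names outside the scope
    # are not counted, because the slide limits Trust to in-scope targets.
    in_scope = {t.name for t in scope}
    return sum(1 for t in scope for peer in t.trusts if peer in in_scope)

def porosity(scope: List[Target]) -> Dict[str, int]:
    """Porosity = Visibility + Access + Trust, as defined on the slide."""
    v, a, tr = visibility(scope), access(scope), trust(scope)
    return {"visibility": v, "access": a, "trust": tr, "porosity": v + a + tr}

# Constructed sample scope (hypothetical names and counts, not real assets).
SAMPLE_SCOPE = [
    Target("meter",        known=True,  interaction_points=2, trusts={"headend"}),
    Target("headend",      known=True,  interaction_points=3, trusts={"meter", "mdms"}),
    Target("mdms",         known=True,  interaction_points=2, trusts={"vendor-vpn"}),  # out of scope
    Target("legacy-modem", known=False, interaction_points=1),  # not in the asset inventory
]

if __name__ == "__main__":
    for k, val in porosity(SAMPLE_SCOPE).items():
        print(f"{k:>10}: {val}")
```

The unknown `legacy-modem` still contributes an interaction point to Access while adding nothing to Visibility, which is the practical lesson of the slide: the attack surface the tester measures is not bounded by the assets the owner knows about. The `vendor-vpn` trust is dropped because the slide counts only relationships between targets within the scope.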


Security Metrics

RAV Worksheet


Review CSWG Testing & Certification

  • Is NISTIR 7628 Testable / Actionable?

  • Is AMI Security Profile 2.0 Testable / Actionable?

  • SGIP TCC Coordination Tasks

  • Miscellaneous Tasks


Outward Support

  • CSWG Testing & Certification Sub-group

  • SG Security CyberSec-Interop


Review Security Conformity TF Charter

  • Establish security conformance requirements for laboratories desiring to certify smart grid components and systems; and

  • Establish clear scoping boundaries, perform research to identify existing models, and propose a high-level philosophy of approach.

  • Chair: Bobby Brown, EnerNex

  • Vice-chair: needed (Sandy Bacik)


Next Steps?


  • Login