Security Focus Group: A Vendor & Customer Collaboration

EMS Users Conference

September 14, 2009

Rich White

AREVA T&D

Security Focus Group: Presentation Overview
  • Background
    • Formation
    • Approach
    • Timeline
  • Role of the Security Focus Group
    • Help the participants to achieve NERC CIP compliance
    • Oversee specific security activities
    • Address security of products and services
    • A forum to address security issues as they arise
  • Results of the Security Focus Group
    • Deliverables and Recommendations
    • Collaborative management and solutions
    • Raising the quality and visibility bar on security
    • What’s next?
Background
  • Formation of the Security Focus Group
    • Started after June 2007 AREVA T&D Users Group conference
    • Initial group of customer volunteers + open invitation process
    • Mandate to focus on NERC CIP readiness
  • Approach
    • Meeting agenda and invitations distributed in advance
    • 1 hour conference call meetings every other week
    • Detailed meeting summaries published on the web
    • Use of on-line surveys to clarify interests, priorities of the group
      • “Top 10 Security Concerns”
      • NERC CIPs prioritization
      • Change Management “Significant Change” classification
Background (cont’d): Timeline
  • Phase I Security Focus Group (25 participants from 13 different companies)
    • Commissioned at June 2007 AREVA T&D Users Group conference
    • Meetings from Oct. ’07 – Apr. ’08
    • Results presented at ’08 UG conference
  • Phase II Security Focus Group (55 participants from 20 different companies)
    • Commissioned at June ’08 AREVA T&D Users Group conference
    • Meetings from Oct. ’08 – May ’09
    • Results presented at ’09 UG conference
  • Timeline chart axis: Q3 2007 through Q2 2009

NERC CIP Compliance Discussions
  • On-line survey of SFG participants to identify top security concerns, and to prioritize NERC CIPs discussion
  • Agenda of successive SFG meetings following this priority order

Legend: C = Compliant; AC = Auditably Compliant by end of 2nd Qtr 2009

Security Activities Oversight
  • Diagram elements:
    • Independent Security Vulnerability Testing
    • Customer Operational system pre-deployment test
    • Customer Patch Management and Significant Change Test
    • AREVA T&D Operating System Vendor Patch Compatibility Testing
    • AREVA T&D Third Party Vendor Patch Compatibility Testing
    • Business Security Policy / NERC CIP Requirements

  • AREVA T&D Security Activities which the Security Focus Group has assumed oversight for include:
    • Security Patch Compatibility Testing Services
    • Independent Security Vulnerability Testing Services
    • Security Patch Communications and Release Processes
Security of AREVA T&D Products and Services
  • AREVA T&D Security Documents:
    • 3rd Party Software Documentation
    • Security Solutions document developed and published (mapping NERC CIPs to AREVA product features and configurations)
    • AREVA T&D System and Network Security Guides reviewed and updated.
  • Review of AREVA T&D Security policies and processes
    • Security training process
    • Background checking procedure
    • Secure management of remote system access
Addressing Security Issues as they Arise
  • Security audits and assessment findings
    • Forum for open discussion and sharing of audit experiences
    • Insights from an auditor
  • Bandolier templates for AREVA T&D systems
  • AREVA T&D Security Patch processes
    • Customer Security Bulletins
    • Security Patch Release process
    • Industry / regulatory coordination (US-CERT, NERC)
  • Discussion of 3rd party security tools utilization
    • Tools for security event logging consolidation
    • Security assessment and scanning tools
    • Security audit and change management tools
Deliverables and Recommendations
  • Highlights of deliverables and recommendations include:
    • INL Phase III Independent Vulnerability Test Scope
    • SFG Significant Change List
    • CIP-007-1 R1 Significant Change Survey Results
    • Log Management White Paper
    • AREVA T&D Personnel Risk Assessment Verification
    • Third Party Software Document
    • Security Focus Group Meeting Summaries
    • Vulnerability assessment and testing methodologies, procedures, and tools document
    • AREVA Security Patch testing and Product Release testing scope expansion
    • AREVA project and support personnel change notification policy and procedures

Collaboration and Quality
  • Management responsibilities representing the User Community
    • Independent Vulnerability Testing
    • Security Patch Compatibility Testing
  • Raising the quality and visibility bar on security
    • Focus Group activities and recommendations are high priority to AREVA T&D
    • Meeting format makes it possible for both vendor and customers to bring their experts together to discuss specific security subjects
    • Broad and consistent user representation gives the Focus Group good credibility to the user community

Benefits of the Participants
  • Helping the user community define a common interpretation of the NERC CIP requirements
  • Assisting users’ efforts to achieve NERC CIP compliance
  • Facilitating sharing of experience and successes among the participants
  • Providing users an opportunity to influence and improve AREVA T&D’s security features and services
  • Empowering user representatives to oversee specific AREVA T&D security activities

What’s Next
  • The 2009 / 2010 Security Focus Group will hold its first meeting on October 1st
  • Key subjects the Security Focus Group will concentrate on:
    • NERC CIPs compliance (audit experiences, best practices, etc.)
    • Product security testing [including INL, security patch compatibility, other]
    • Product security features / configuration / documentation
    • Product security integration [e.g. third-party tools]
    • Security policies and procedures (disclosure & notification, security tools & best practices, etc.)