Energy Sector Security Metrics - June 2013

© 2013 IBM Corporation

Energy Sector Security Metrics overviewJune 2013


You can't manage what you can't measure, right?

So what can we work on here:

Security metrics


Security metrics in the news

“Governance with Metrics is Risk Management”


IBM Security Systems

4

Risks utilities manage today

Very well indeed:–Economic–Supply chain–Theft–Commodities price–Storms and weather–Regulatory–Arboreal

Less well–Cybersecurity



5

Security Metrics start

For starters: business alignment

– Security Measurement Prerequisites/Preliminary Steps

• Identify your key / most critical business processes

• Understand the threat scenarios to those processes

• Identify the key controls for the threats to those processes

• Once you have that these things, then you can establish what you to measure

– Initial Security Metrics Categories

• Organization and People

• Data

• Applications

• Infrastructure

• Security Intelligence/Situational Awareness

• Resilience

3 Characteristics of Good Metrics:

1.Easy to Get2.Easy to Understand3.Easy to Share



6

Metrics start (cont).

People and OrganizationIs there a security governance board?

What is highest ranking person in company with security in their title and ...

Do they have authority to set and enforce security policy enterprise-wide

% completing refresher training course

# or % phishing events (how many employees clicked on dangerous links)

% of key employees using social media and/or portable media BYOD devices

Help Desk stats/measures - Security related tickets called in such as:

-- # of locked/forgotten password/malware infection

-- # of tickets resolved

-- # of tickets still open and under investigation

ApplicationsDoes the company have a current inventory of all the applications (built and bought) it depends on

Access controls:

-- # of applications using multi-factor authentication

-- # applications using web security (HTTPS, TLS-SSL)

% applications in portfolio scanned for security vulnerabilities in year

of apps scanned, avg # of high severity vulnerabilities per million lines of code

time between application vulnerability awareness and patching

InfrastructureIT/OT downtime for planned security updates

IT/OT downtime for unplanned security tasks

# of infected PCs, phones, meters, etc. detected and cleansed

time between system vulnerability notice and patching or mitigation

Data % critical databases protected

% total databases protected

Data loss related incidents:

-- # of lost/stolen devices (e.g., unencrypted laptops, smart phones, USB drives)

-- # of unauthorized data disclosures

-- # of data loss near misses

% of system administrators with access to root or PII information without audit capabilities

Security Situational Awareness % of critical IT/OT systems instrumented ... logs being continuously analyzed

% of network segments protected by firewalls and IDS/IPS

% up-time and availability of network against DDoS and other network attacks

# of ICS/CERT alerts relevant to client

Resilience # of security and / or privacy breach exercises per year

Performance of teams re: incident response, rapid recovery, forensics, etc.

Maturity capability rating of people, processes and technologies performing the key controls for both of the above

# of critical servers/databases with root password and key escrow and without

Submitted to NIST March 2013:http://csrc.nist.gov/cyberframework/rfi_comments/ibm_security_systems_031913.pdf


2012 CISO Study



8

– DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)• Metrics for utilities to use to baseline and gauge effectiveness

– DOE’s Electricity Subsector Risk Management Process (May 2012)• Help translating cybersecurity into risk management framework

– NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update)• Questions utilities will be asked by their state public utility commissions

– NIST’s NISTIR 7628 Assessment Guide (Aug 2012)

– NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011)

A measurement movement is forming



9

Demand for metrics rising

USPresidential EO and NIST Crit Infra Cybersecurity Framework

working groupDOE's Electricity Subsector Cybersecurity Capability Maturity

Model (ES-C2M2)California PUC

Rest of WorldEuropeAsiaAustralia


Security Governance guidance for utilities

1. Security as risk management

2. A fully integrated security

enterprise

3. Security by design

4. Business-oriented security

metrics and measurement

5. Change that begins at the top

6. IBM’s 10 essential security

actions

10


Andy Bochman

[email protected]

+1 781 962 6845

E&U/Crit Infra Security Metrics Team

Steve Dougherty

[email protected]

+1 916 467 7052

SWG/Security E&U Services and Cross-brand

GBS E&U CoC


ibm.com/energyibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Technology

Energy Sector Security Metrics - June 2013