The American Recovery and Reinvestment Act (ARRA) has brought billions of dollars in funding to the energy market to form a “smart grid” capable of reducing the frequency, duration and scope of power outages, reducing the price of electricity through the interaction of consumers and suppliers, increasing operational efficiency, and supporting and leveraging evolving technologies including electric vehicles and solar/wind generation. With the dollars and the potential benefits comes a steep responsibility — securing the once isolated networks that will be connected into a (hopefully) secure grid.
Energy Industry Challenges
- Rapidly deploying evolving technology in accordance with even more rapidly evolving, overlapping, and ambiguous standards (e.g., NIST, AMI-SEC, NERC, ISO 27002 guidance).
- Managing risk associated with the need to leverage third-party services to achieve business goals within current time and resource constraints.
- Ensuring that once-isolated elements of a utility's infrastructure (e.g., SCADA/DNP3, DMS) and the devices they support are secured in a manner consistent with their vital importance.
- Supporting key deployed technologies with the policies, standards, procedures and technologies necessary to manage and monitor them.
Energy Industry Solutions
Aligning key initiatives with security best practices is critical to ensuring the integrity of the smart grid.
- Compliance Simplified
Typical engagements include:
- Design Gap Assessment – Is the design of our environment consistent with relevant NIST, AMI-SEC, NERC, ISO 27002 Guidance?
- Security Certification & Accreditation – Validating the design and implementation to ensure that it reduces key risks (e.g., to DNP3 and customer data) to an acceptable level.
- Vulnerability Assessments and Penetration Tests at the application, network, device, database and physical levels to ensure net security objectives are being achieved.
- Third Party Risk Simplified
Our Vendor Risk Management practice ensures:
- Third party security risks and compliance requirements are identified and communicated.
- Agreements evolve as business, technologies, and threats do.
- Monitoring mechanisms ensure third parties achieve your security objectives.
- Appropriate attestation is acquired either by assessing key risks directly (e.g., design reviews, penetration testing) or via receipt of attestation from an appropriately qualified and independent entity.
- Security Incidents are identified, responded to, and learned from.
- Security Simplified
Protecting the integrity of the grid is exceptionally challenging in that it requires a holistic approach to ensuring the security of the processes that act on the information and the assets (servers, networks, applications, personnel, facilities) that support these processes.
- Secure Data Flow Diagrams (SDFD) – Identify critical risks and the required security controls at each point where information (e.g., connect/disconnect orders, customer data, SCADA data) is acted on in your environment.
- Risk Assessment – The SDFD can easily be extended into a formal Risk Assessment to comply with relevant NERC, NIST, and ISO 27002 requirements.
- SDFD Dependent – Use the SDFD to determine optimal assurance activities required to achieve smart grid security objectives (e.g., Policy Development, Web Application Security Assessment, Network Architecture Assessments, DMS Security Review, Incident Response Plan, Physical Security Assessments, Social Engineering, Security Event Monitoring, etc.).
Why Pivot Point Security?
Continually evolving technology, business requirements, regulations, and threats make “being secure” and “proving you’re compliant” increasingly complex for the energy industry. The only logical response: Simplify. We make it easier to prove that you are secure and compliant by:
- Focusing on the core group of security assessment services you need.
- Taking the time to understand your business and then optimizing our approach for your unique situation.
- Delivering reports and guidance that are easily understood and acted on by both management and technical personnel.
- Basing your assessment and recommendations on trusted, “open” (non-proprietary, non-vendor specific) guidance to simplify the process of operating and maintaining your Information Security Management System.