Energy Information Security
The American Recovery and Reinvestment Act (ARRA) has brought billions of dollars in funding to the energy market to form a “smart grid” capable of reducing the frequency, duration and scope of power outages, reducing the price of electricity through the interaction of consumers and suppliers, increasing operational efficiency, and supporting and leveraging evolving technologies including electric vehicles and solar/wind generation. With the dollars and the potential benefits comes a steep responsibility — securing the once isolated networks that will be connected into a (hopefully) secure grid.
Energy Industry Challenges
✔ Rapidly deploying evolving technology in accordance with even more rapidly evolving, overlapping, and ambiguous standards (e.g NIST, AMI-SEC, NERC, ISO 27002 Guidance).
✔Managing risk associated with the need to leverage third-party services to achieve business goals within current time and resource constraints.
✔ Ensuring that once isolated elements of a utilities infrastructure (e.g,SCADA / DNP3, DMS,) and the devices it supports are secured in a manner consistent with their vital importance.
✔ Supporting key deployed technologies with the policies, standards, procedures and technologies necessary to manage and monitor them.
Energy Industry Solutions
Typical engagements include:
✔ Design Gap Assessment – Is the design of our environment consistent with relevant NIST, AMI-SEC, NERC, ISO 27002 Guidance?
✔ Vulnerability Assessments and Penetration Tests at the application, network, device, database and physical levels to ensure net security objectives are being achieved.
✔Third party security risks and compliance requirements are identified and communicated.
✔Agreements evolve as business, technologies, and threats do.
✔Monitoring mechanisms ensure third parties achieve your security objectives.
✔Appropriate attestation is acquired either by assessing key risks directly (e.g., design reviews, penetration testing) or via receipt of attestation from an appropriately qualified and independent entity.
✔Security Incidents are identified, responded to, and learned from
Why Pivot Point Security?
Continually evolving technology, business requirements, regulations, and threats make “being secure” and “proving you’re compliant” increasingly complex for the energy industry. The only logical response: Simplify. We make it easier to prove that you are secure and compliant by:
✔ Focusing on the core group of security assessment services you need.
✔ Taking the time to understand your business and then optimizing our approach for your unique situation.
✔ Delivering reports and guidance that are easily understood and acted on by both management and technical personnel.
✔ Basing your assessment and recommendations on trusted, “open” (non-proprietary, non-vendor specific) guidance to simplify the process of operating and maintaining your Information Security Management System.
Protecting the integrity of the grid is exceptionally challenging in that it requires a holistic approach to ensuring the security of the processes that act on the information and the assets (servers, networks, applications, personnel, facilities) that support these processes.
✔Secure Data Flow Diagrams (SDFD) – Identify critical risks and the required security controls at each point where information (e.g., connect disconnect orders, customer data, SCADA data) is acted on in your environment.
✔Risk Assessment – The SDFD can easily be extended into a formal Risk Assessment to comply with relevant NERC, NIST, and ISO 27002 requirements.
✔SDFD Dependent – Use the SDFD to determine optimal assurance activities required to achieve smart grid security objectives (e.g., Policy Development, Web Application Security Assessment, Network Architecture Assessments, DMS Security Review, Incident Response Plan, Physical Security Assessments, Social Engineering, Security Event Monitoring, etc.).