IT Security in the Real-time Data Processing of VSE Based on the ISO/IEC 27000 Standard


ABB Network Manager Forum 2013
IT security in the real-time data processing of VSE based on the ISO/IEC 27000 Standard
Arno Gross, ISMS Officer, VSE Verteilnetz GmbH
Heidelberg, October 2013

Contents of the Presentation
- Introduction to VSE Group
- Motivation: Security in real-time data processing
- Backgrounds: ISMS activities in the VSE Group
- What does ISMS mean under ISO/IEC 27001?
- Introduction of ISMS at VSE
- ISMS costs
- Conclusion
2/ VSE-Gruppe 2013

Tradition and Innovation
From power utility to regional technology service providers for private customers, municipalities, industry and commerce
- Headquarters in Saarbrücken, Saarland
- 1912: VSE founded
- Beginning 1991: Founding of municipal consortia with cities and communities
- Energy generation and supply
- Energy, services
- Telecommunications
- Regional engagement
Claim: The partner in the region for energy, innovation, efficiency

Saarland (map)
Source: Wolfgang Staudt

Structure of the VSE Group (organizational chart; basis: 2010)

VSE Distribution Network (map of Saarland)
- 55 substations, 3 voltage levels: 380/220 kV (RWE), 110 kV (VSE), 35 kV (VSE)
- 24/7 network security on 1050 km
- Partner to every municipality in Saarland for decades

Section: Motivation: Security in real-time data processing

IT Security Problem Situation in the Real-time Data Processing Environment
- Process control and automation systems are often not viewed as IT systems
- Use of standard IT technologies is not always obvious
- Small group of users, individual developments
- IT security has generally not been a design goal (until now)
- The isolation of process and control system networks that originally existed is no longer a given

IT Security Problem Situation in the Real-time Data Processing Environment (continued)
- Systems have other time horizons: long periods of use and development cycles
- Problematic patch and update management: distributed structures, frequently no approval from the manufacturer, comprehensive tests needed
- Frequent use of non-secure network structures and non-secure special protocols
- Conventional security measures from office IT are often not applicable: real-time requirements, availability

The Opposition
"Know your enemy and know yourself and you can fight a hundred battles without disaster." – Sun Tzu, Chinese general

Reasons for Network Attacks
- Espionage
- Public attention
- Revenge
- Personal satisfaction
- Terrorism/cyber war
- Commercial intentions

Phases of a Network Attack
- Spying
- Penetration
- Privilege escalation
- Attack
- Cover/hiding

Attacks Made Easy: Spying – Search for Password Files
(Screenshot, labelled "Hacker")

Attacks Made Easy: Key Logger
And no, that's not a keyboard extension (photo: hardware key logger)

Penetration: Search Attack Programs – RTDP Systems Increasingly in Focus
- Comprehensive hacker toolboxes are freely available on the Internet
- Collections of preconfigured attack programs (called "exploits") for a variety of applications and systems
- Tools that are also simple for laypeople to operate, relieving the attacker of most thinking tasks
- Example: Metasploit Project
  - More than 445 exploits
  - Modularly expandable
  - Automatic update service
  - Exploits for "SCADA systems" are also now integrated

Attacks Made Easy: Switches are Transparent
- Preparing sniffer attacks
  - ARP spoofing
  - Cache poisoning
  - MAC duplication
- Sniffing
- Collecting
- Analyzing
- Cracking passwords

Current Security Incidents in the Processing Environment
Cyber Attacks Report, Spiegel Online, August 6th 2013, 1:31 PM: Simulated waterworks lures hackers into a trap
- Kyle Wilhoit (malware specialist) simulates the water pumping controller of a small US city in his cellar. Cyber attackers fall for the simulation while they're looking around for targets on the Internet (honeypot).
- Within a few months, 74 attacks by hackers with specialized SCADA skills are observed.
- Kyle Wilhoit observed how malware (introduced via a Word file) siphons off data.
- Wilhoit himself hacks the attacker's computer and discovers additional stolen data, including from government agencies.
- Why the SCADA cracker takes an interest in his honeypot in particular remains unclear: "Now I certainly haven't mimicked the infrastructure from Exxon Mobil or Shell. Nevertheless, a few of the attackers spent a lot of time stealing data from my honeypot."

Section: Backgrounds: ISMS activities in the VSE Group

ISMS Necessity and Significance
- German Corporate Sector Supervision and Transparency Act (KonTraG), Sec. 91(2) Aktiengesetz (German Stock Corporation Act): the management board is obligated to establish and operate monitoring systems (risk management system).
- German Energy Industry Act Sec. 11, entered into force in August 2011: provision not yet introduced; expected to correspond to the ISO/IEC TR 27019 standard.

RWE AG's Decision Regarding Overall ISMS Introduction
- February 2010: RWE AG's decision that all group subsidiaries should implement an ISMS for all areas based on ISO/IEC 27001:
  - Information Technology (IT)
  - Communications Technology (TK)
  - Real-time data processing, process control engineering
  - Media and building services engineering
- Already existing ISMS in RTDP remain unaffected as long as they don't contravene ISMS group policy requirements.
- Transfer of the RWE security policy and additional regulations for the office area into an ISMS according to ISO/IEC 27001 classification.

Process Instead of Measures
- Solving security problems through individual, ad hoc measures does not generally lead to the desired (sustained) success:
  - Combating symptoms, not the actual causes
  - Additional risks remain undetected until concrete problems occur
  - Most of the conventional standard measures are not applicable in the RTDP environment.
- Instead, establishment of a comprehensive management process that defines basic security goals, takes appropriate measures, and continually improves them.
- ISMS enables individual selection and adjustment of security concepts to special systems and environments – no rigid specification of measures
(Figure: PDCA cycle – Plan: establishment of ISMS; Do: implementation and operation; Check: review and audit procedures; Act: maintenance procedures; together they form the development, maintenance and improvement cycle)

ISMS Standards ISO/IEC 27001, 27002
- ISO/IEC 27001:2005
- ISO/IEC 27002:2005
(Figure: Plan-Do-Check-Act process cycle)
Control areas (ISO/IEC 27002:2005 chapters):
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- IS Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Standardization under ISO/IEC 27000 Standards Series in Cooperation with Additional Consortia
- ISO/IEC 27001: Information Security Management System (ISMS) – unified management
- ISO/IEC 27002: Implementation Guidelines for ISO/IEC 27001 Controls – office IT, commercial applications
- ISO/IEC 27011: Guidelines for Telecommunication – telephony, transmission, and communications engineering
- VDE/DKE and DIN (*): DIN SPEC 27009: Guidance on Power Control Systems – SCADA, real-time data processing
- BDEW white paper: Requirements for Secure Control and Telecommunication Systems (**) – SCADA, real-time data processing
- BDEW and Oesterreichs Energie (*): Joint Implementation Guidelines for the white paper – SCADA, real-time data processing
* Approved
** The BDEW white paper only focuses on the typical application of telecommunication as part of RTDP, but not comprehensively on all of the systems included in ISO/IEC 27001.

Section: What does ISMS mean under ISO/IEC 27001?

Plan: Systematic Risk Analysis
(Figure: PDCA cycle with the "Plan" phase, establishment of ISMS, highlighted)
- Basics of the "Plan" phase are document creation, asset recording, protection requirements assessment, and expanded risk analysis if necessary.
- Objective: Definition of measures to be implemented.

Establishing an ISMS and BCM
The combined protection requirements assessment and business impact analysis is a first
(Figure: flow from "Elevated protection needs" to "Risk analysis")

Protection Requirements Analysis – What is That?
- The protection requirements analysis determines the protection requirement for assets.
- The protection requirement defines the level of protection an object needs from the company's perspective.
- "Protection requirements" are not synonymous with "vulnerability." Therefore, the following are irrelevant with regard to the protection requirements analysis:
  - Currently existing vulnerabilities
  - Already implemented security measures
- An asset's protection requirement results from the damage that, for example, its failure causes, and from the influence that it has on overall operational or business workflows.

Which Protection Requirement Categories Exist?
Each asset is analyzed with regard to the significance of the following protection goals:
- confidentiality (protection from knowledge by unauthorized third parties)
- integrity (correctness and manipulation security of the processing)
- availability (usability of the application or data)
and classified into a protection requirement category. The protection requirement categories are:
- Normal: limited damage effects
- High: considerable damage effects
- Very high: existence-threatening damage effects
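A worked protection requirements assessment in Python, added here as an illustration and not part of the presentation: it applies the three categories per protection goal, lets an asset inherit the damage of the workflows it supports (maximum principle, an assumption the slides do not state), and records but ignores known vulnerabilities and implemented measures, as the preceding slide requires. Asset names, workflows and ratings are constructed.

```python
from dataclasses import dataclass, field

# Damage effects and categories exactly as named on the slide, in ascending severity.
DAMAGE_LEVELS = {"limited": 0, "considerable": 1, "existence-threatening": 2}
CATEGORIES = ("Normal", "High", "Very high")
GOALS = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    # Expected damage effect per protection goal if that goal is violated,
    # e.g. {"availability": "considerable"}; a missing goal counts as "limited".
    damage: dict
    # Business workflows that stop or degrade when the asset fails (assumed field).
    supports: list = field(default_factory=list)
    # Recorded but deliberately ignored by the assessment: per the slide,
    # existing vulnerabilities and implemented measures are irrelevant here.
    known_vulnerabilities: list = field(default_factory=list)
    implemented_measures: list = field(default_factory=list)


def goal_categories(asset, workflows):
    """Protection requirement category per goal for one asset.

    The damage an asset's failure causes includes the damage to the workflows
    that depend on it, so each goal takes the worst of the asset's own rating
    and of every workflow it supports (maximum principle, assumed here).
    """
    result = {}
    for goal in GOALS:
        worst = DAMAGE_LEVELS[asset.damage.get(goal, "limited")]
        for wf in asset.supports:
            worst = max(worst, DAMAGE_LEVELS[workflows[wf].get(goal, "limited")])
        result[goal] = CATEGORIES[worst]
    return result


def protection_requirement(asset, workflows):
    """Overall category of the asset: the highest of its three per-goal categories."""
    return max(goal_categories(asset, workflows).values(), key=CATEGORIES.index)


# Constructed sample data, not VSE's real asset inventory.
WORKFLOWS = {
    "grid control": {"integrity": "existence-threatening", "availability": "existence-threatening"},
    "customer billing": {"confidentiality": "considerable", "integrity": "considerable"},
}
SCADA_MASTER = Asset("network control system", {"availability": "considerable"},
                     supports=["grid control"], implemented_measures=["firewall", "patched"])
BILLING_DB = Asset("billing database", {"confidentiality": "considerable"},
                   supports=["customer billing"], known_vulnerabilities=["unpatched service"])
OFFICE_PRINTER = Asset("office printer", {"availability": "limited"})
```

Running `protection_requirement(SCADA_MASTER, WORKFLOWS)` yields "Very high" although the asset's own rating is only "considerable", because the grid control workflow it supports would suffer existence-threatening damage.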

Do: Implementation of Measures
(Figure: PDCA cycle with the "Do" phase, implementation and operation, highlighted)
The "Do" phase comprises the implementation of standard measures and additional measures from the risk analysis.

Examples of Measures Implementation
Standard measures:
- Application of the BDEW white paper "Secure Control and Telecommunication Systems" for new systems to be procured
- Application of VSE service guidelines for ensuring security on the part of service partners
- Structure of secure, regulated IT operation concepts/operation manuals
Examples of further additional measures:
- Installation of an update server in the process network
- Network segmentation within RTDP networks
- Formulation of security concepts for peripheral processors

Check: Self-review and Audits
(Figure: PDCA cycle with the "Check" phase, review and audit procedures, highlighted)
The "Check" phase encompasses all measures intended for identifying deviations, especially conducting audits and reporting security incidents.

Conducting Audits
- Conducting internal audits is the most important tool for self-monitoring and the most important component of the "Check" phase.
- Section 6 in ISO/IEC 27001 ("Internal ISMS Audits") requires that internal audits be conducted.
- Goal pursuant to the VSE template for the operational ISMS policy: each area in the ISMS scope should have been audited at least once within five years.
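An added illustration in Python, not from the presentation, of checking the five-year audit target against an audit log: it reports, per ISMS scope area, whether the last audit is still within the interval, is overdue, or never took place, and orders the areas that need an audit for the next plan. The scope area names, audit dates and reference date are constructed.

```python
from datetime import date

# Audit interval from the VSE policy template: every area at least once in five years.
AUDIT_INTERVAL_YEARS = 5


def add_years(day, years):
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return day.replace(year=day.year + years)
    except ValueError:
        return day.replace(year=day.year + years, day=28)


def last_audit_dates(audit_log):
    """Most recent audit date per area from (area, date) records, in any order."""
    latest = {}
    for area, when in audit_log:
        if area not in latest or when > latest[area]:
            latest[area] = when
    return latest


def audit_status(scope, audit_log, today):
    """Per area in scope: ("never", None), ("overdue", due) or ("ok", due).

    `due` is the date by which the next audit of that area must have happened."""
    latest = last_audit_dates(audit_log)
    status = {}
    for area in scope:
        last = latest.get(area)
        if last is None:
            status[area] = ("never", None)
            continue
        due = add_years(last, AUDIT_INTERVAL_YEARS)
        status[area] = ("overdue" if due < today else "ok", due)
    return status


def audit_plan(scope, audit_log, today):
    """Areas needing an audit, most urgent first: never audited, then by oldest due date."""
    status = audit_status(scope, audit_log, today)
    needed = [a for a, (s, _) in status.items() if s != "ok"]
    return sorted(needed, key=lambda a: (status[a][1] is not None, status[a][1] or date.min))


# Constructed sample: ISMS scope areas and audit records, not VSE's real audit log.
SCOPE = ["network control system", "substation control", "remote maintenance access",
         "process data network firewalls"]
AUDIT_LOG = [
    ("network control system", date(2009, 5, 12)),
    ("network control system", date(2012, 3, 20)),
    ("substation control", date(2008, 6, 3)),
    ("remote maintenance access", date(2011, 11, 8)),
]
TODAY = date(2013, 10, 1)
```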

Incident Management
- Internal process for detection of security incidents, appropriate immediate reaction, forwarding and evaluation by the ISMS section, and formulation of measures for avoiding recurrences.
- Current form-based process; integration into the ISMS software tool "pro sec ISMS"

Act: Adaptation and Maintenance
(Figure: PDCA cycle with the "Act" phase, maintenance procedures, highlighted)
The "Act" phase describes the implementation of the improvement requirements identified in the "Check" phase.

Measures in the "Act" Phase
Examples of measures from audits conducted:
- Establishment of firewall structures between switching systems with IEC-104 or substation control technology
- Review and tightening of the firewall rules that enable access to the process data network (PDN)
- Making the network control system more impenetrable and secure (patches, passwords)
- Agreement on the service provider policy with service providers
- Remote maintenance access is reconfigured in both hardware and software

Annual Security Reports to the Executive Boards
The security report is the basis for the "Management Evaluation of ISMS" (ISO/IEC 27001, Section 7).
(Figure: PDCA cycle)

Section: Introduction of ISMS at VSE

ISMS Set-up Structure
(Figure: organization chart of the ISMS set-up; no text recoverable)

Section: ISMS costs

Project Costs in the ISMS Set-up Phase
Documents:
- Creation of ISMS documents (guidelines, scope of validity, etc.)
- Asset recording, protection requirements assessment, risk analysis
- Definition of standard measures
Processes:
- Handling security incidents
- Setting up emergency planning (BCM)
- ISMS control activity
Training:
- Training managers/employees for control activities
- Training relating to the BDEW white paper and service provider policy
Operation:
- Creation of operating concepts
- Documentation of the operation

Cost of Real-time Data Processing ISMS
(Figure: bar chart of costs in person-days for 2011 and 2012, split into external project effort, internal project effort, external ongoing effort and internal ongoing effort)

Section: Conclusion

Précis
- Technology alone is not enough for IT security when organizational measures are not adequate (see change management).
- It is not only attackers at layers 1-4 that can cause big problems. A result can be major network failures even at the application layer (IEC 104; see Austrian failure) without hacker attacks.
- Personnel and sufficient resources must be made available for security.
- Training plays a big role in security – and that costs resources.
- Not just large companies are attacked (see Kyle Wilhoit's honeypot).
- Use of intrusion detection systems (IDS)
- Use of encryption technologies

Reality
A constructive approach is important in all cases in order to create acceptance for measures; otherwise the measures will come to nothing.

Still have questions?
Thank you very much for your attention!
