CyberSecurity Technology Strategy Development for Utilities

Neil Rerup, President, ECSA

Agenda Principles

Architecture Methodology

Creating a Strategy

Determine where you are Strengths / Weaknesses / Opportunities / Threats

Determine the Environmental Variables

Determine where you want to go

Create your Strategy

What are your approach to Strategy?

Principles Architecture Framework

Where you are

Where you want to be

How to get there Strategy

Principles Short, easy to communicate

Indicate how you are going to approach Architecture

Guide your approach and decision making

Examples: We will benchmark against other Utility organizations and be driven

by the Business objectives We will design security solutions with an Enterprise perspective from

the outset, rather than local solutions that are enhanced for “specific idiosyncrasies.”

Keep it to 10 bullets or less

Architecture Frameworks TOGAF Conceptual in nature

Zachmann Document centric

SABSA Security Architecture specific A combination of TOGAF and Zachmann

>60 different Architecture Frameworks

Evolution of Architecture Frameworks

TOGAF Reference Security Architecture

“Open Enterprise Security Architecture” -TOGAF, 2011

Note: I feel that the Reference Security Architecture is not organized properly, so I created my own. Note: It doesn’t give a SCADA slant either.

SGIP’s “Spagetti Diagram”

Reference Security Architecture

IT and OT Convergence

The ECSA Reference Architecture deals with Ideas & Concepts as well as specific technologies

Deal with IT and OT convergence Eg. Intrusion Detection / Intrusion Prevention, SEIM Current IPS technology is specific to IT but can be used in OT

Information Technology

Operational Technology

Where are you now?

How You’re Going to Get there

Where you are

Where you want to be

Resources

Strategy creation requires: - Knowing where you are

- Perform discovery - Strengths, Weaknesses, Opportunities, Threats - Environmental Variables (outside your control) - Political, Economic, Technical, Social, Competitive (PETSC)

Where do you want to be?

Organizationally, not just Security’s view point

Interview Stakeholders, both Business and Dependent Stakeholders

Get their view and replay it back to them

Map to a Reference Security Architecture

How You’re Going to Get there

Where you are

Where you want to be

Resources

Resources

Use the Strengths and Opportunities to build your Road Map

Resources include: Existing Technology in place Existing Projects and Planned Activities Remember, it’s not just about Technology. It’s also about People &

Processes.

How You’re Going to Get there

Where you are

Where you want to be

Resources

Roadmap => Strategy

Use Strengths and Opportunities to layout the Roadmap

Take into consideration: Weaknesses and Threats. Work around them or build them up. Environment Variable. Plan for them as a worse case. You can’t

avoid them.

How You’re Going to Get there

Where you are

Where you want to be

Resources

Contact Information Neil Rerup, President / Chief Security Architect

Phone: 604-345-4630

Email: nrerup@enterprisecybersecurity.com

Web: www.enterprisecybersecurity.com

Q&A