© 2013 IBM Corporation
Energy Sector Security Metrics overview
June 2013
You can't manage what you can't measure, right?
So what can we work on here:

Security metrics
Security metrics in the news
“Governance with Metrics is Risk Management”
Risks utilities manage today
- Very well indeed:
  – Economic
  – Supply chain
  – Theft
  – Commodities price
  – Storms and weather
  – Regulatory
  – Arboreal
- Less well:
  – Cybersecurity
Security metrics start
- For starters: business alignment
  – Security measurement prerequisites / preliminary steps
    • Identify your key / most critical business processes
    • Understand the threat scenarios to those processes
    • Identify the key controls for the threats to those processes
    • Once you have these things, you can establish what you need to measure
  – Initial security metrics categories
    • Organization and People
    • Data
    • Applications
    • Infrastructure
    • Security Intelligence/Situational Awareness
    • Resilience

3 characteristics of good metrics:
1. Easy to get
2. Easy to understand
3. Easy to share
Metrics start (cont.)

People and Organization
- Is there a security governance board?
- What is the highest ranking person in the company with security in their title and ...
- Do they have authority to set and enforce security policy enterprise-wide?
- % completing refresher training course
- # or % of phishing events (how many employees clicked on dangerous links)
- % of key employees using social media and/or portable media / BYOD devices
- Help desk stats/measures: security-related tickets called in, such as:
  -- # of locked/forgotten passwords / malware infections
  -- # of tickets resolved
  -- # of tickets still open and under investigation

Applications
- Does the company have a current inventory of all the applications (built and bought) it depends on?
- Access controls:
  -- # of applications using multi-factor authentication
  -- # of applications using web security (HTTPS, TLS/SSL)
- % of applications in portfolio scanned for security vulnerabilities in the year
- Of apps scanned, avg # of high severity vulnerabilities per million lines of code
- Time between application vulnerability awareness and patching

Infrastructure
- IT/OT downtime for planned security updates
- IT/OT downtime for unplanned security tasks
- # of infected PCs, phones, meters, etc. detected and cleansed
- Time between system vulnerability notice and patching or mitigation

Data
- % critical databases protected
- % total databases protected
- Data loss related incidents:
  -- # of lost/stolen devices (e.g., unencrypted laptops, smart phones, USB drives)
  -- # of unauthorized data disclosures
  -- # of data loss near misses
- % of system administrators with access to root or PII information without audit capabilities

Security Situational Awareness
- % of critical IT/OT systems instrumented ... logs being continuously analyzed
- % of network segments protected by firewalls and IDS/IPS
- % up-time and availability of network against DDoS and other network attacks
- # of ICS-CERT alerts relevant to client

Resilience
- # of security and/or privacy breach exercises per year
- Performance of teams re: incident response, rapid recovery, forensics, etc.
- Maturity capability rating of people, processes and technologies performing the key controls for both of the above
- # of critical servers/databases with root password and key escrow, and without

Submitted to NIST March 2013:
http://csrc.nist.gov/cyberframework/rfi_comments/ibm_security_systems_031913.pdf
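As an added example (not from the IBM deck), the Python below computes several of the Applications and Infrastructure metrics listed above from inventory and vulnerability records; the record fields and all sample values are constructed assumptions. It reports still-open findings beside the mean time to patch rather than folding them into it, and it counts vulnerability density only over code that was actually scanned.

```python
"""Added example: compute a few of the Applications / Infrastructure metrics
listed above from inventory and vulnerability records.

Record shapes, field names and all sample values are constructed for this
illustration; they are not from the IBM deck.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Application:
    name: str
    loc: int                  # lines of code, for the per-million-LOC density
    mfa: bool                 # multi-factor authentication in front of the app
    https: bool               # served only over HTTPS / TLS
    scanned_this_year: bool   # had a vulnerability scan in the reporting year


@dataclass(frozen=True)
class Vulnerability:
    app: str
    severity: str             # "high", "medium" or "low"
    discovered: date          # date the team became aware of the finding
    patched: Optional[date]   # None while the finding is still open


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def application_metrics(apps: Iterable[Application],
                        vulns: Iterable[Vulnerability]) -> dict:
    """% with MFA, % on HTTPS, % scanned, and high-severity findings per MLOC."""
    apps, vulns = list(apps), list(vulns)
    scanned = [a for a in apps if a.scanned_this_year]
    scanned_names = {a.name for a in scanned}
    scanned_loc = sum(a.loc for a in scanned)
    # Density is only meaningful over code that was actually scanned, so
    # findings in unscanned apps (reported by other means) are left out here.
    high_in_scanned = sum(1 for v in vulns
                          if v.severity == "high" and v.app in scanned_names)
    return {
        "pct_mfa": pct(sum(a.mfa for a in apps), len(apps)),
        "pct_https": pct(sum(a.https for a in apps), len(apps)),
        "pct_scanned": pct(len(scanned), len(apps)),
        "high_per_mloc": (round(high_in_scanned / (scanned_loc / 1_000_000), 2)
                          if scanned_loc else 0.0),
    }


def patch_latency_metrics(vulns: Iterable[Vulnerability], as_of: date) -> dict:
    """Time between vulnerability awareness and patching.

    Open findings are excluded from the mean and reported beside it with their
    current age, so a long unpatched tail cannot hide inside a good average.
    """
    vulns = list(vulns)
    closed_days = [(v.patched - v.discovered).days for v in vulns if v.patched]
    open_ages = [(as_of - v.discovered).days for v in vulns if not v.patched]
    return {
        "mean_days_to_patch": round(mean(closed_days), 1) if closed_days else None,
        "open_findings": len(open_ages),
        "oldest_open_days": max(open_ages, default=0),
    }


# Constructed sample inventory (not real utility data).
SAMPLE_APPS = [
    Application("billing", 400_000, mfa=True, https=True, scanned_this_year=True),
    Application("outage-map", 150_000, mfa=False, https=True, scanned_this_year=True),
    Application("meter-portal", 250_000, mfa=True, https=True, scanned_this_year=False),
    Application("legacy-hmi", 200_000, mfa=False, https=False, scanned_this_year=False),
]
SAMPLE_VULNS = [
    Vulnerability("billing", "high", date(2013, 1, 10), date(2013, 1, 25)),
    Vulnerability("billing", "medium", date(2013, 2, 1), date(2013, 3, 4)),
    Vulnerability("outage-map", "high", date(2013, 3, 5), None),  # still open
    Vulnerability("outage-map", "high", date(2013, 4, 1), date(2013, 4, 11)),
    Vulnerability("meter-portal", "high", date(2013, 2, 20), date(2013, 3, 2)),
]
AS_OF = date(2013, 6, 1)

if __name__ == "__main__":
    print(application_metrics(SAMPLE_APPS, SAMPLE_VULNS))
    print(patch_latency_metrics(SAMPLE_VULNS, AS_OF))
```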
2012 CISO Study
A measurement movement is forming
– DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
  • Metrics for utilities to use to baseline and gauge effectiveness
– DOE's Electricity Subsector Risk Management Process (May 2012)
  • Help translating cybersecurity into a risk management framework
– NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update)
  • Questions utilities will be asked by their state public utility commissions
– NIST's NISTIR 7628 Assessment Guide (Aug 2012)
– NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011)
Demand for metrics rising
US
- Presidential EO and NIST Critical Infrastructure Cybersecurity Framework working group
- DOE's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
- California PUC
Rest of World
- Europe
- Asia
- Australia
Security Governance guidance for utilities
1. Security as risk management
2. A fully integrated security enterprise
3. Security by design
4. Business-oriented security metrics and measurement
5. Change that begins at the top
6. IBM's 10 essential security actions
Andy Bochman
bochman@us.ibm.com
+1 781 962 6845
E&U/Crit Infra Security Metrics Team

Steve Dougherty
sdougherty@us.ibm.com
+1 916 467 7052
SWG/Security E&U Services and Cross-brand GBS E&U CoC

ibm.com/energy
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Energy Sector Security Metrics - June 2013

  • 6. Metrics start (cont.)
    People and Organization
    – Is there a security governance board?
    – Who is the highest-ranking person in the company with security in their title and ...
    – Do they have authority to set and enforce security policy enterprise-wide?
    – % completing the refresher training course
    – # or % of phishing events (how many employees clicked on dangerous links)
    – % of key employees using social media and/or portable media / BYOD devices
    – Help desk stats/measures: security-related tickets called in, such as:
      -- # of locked accounts / forgotten passwords / malware infections
      -- # of tickets resolved
      -- # of tickets still open and under investigation
    Applications
    – Does the company have a current inventory of all the applications (built and bought) it depends on?
    – Access controls:
      -- # of applications using multi-factor authentication
      -- # of applications using web security (HTTPS, TLS/SSL)
    – % of applications in the portfolio scanned for security vulnerabilities in the year
    – Of the apps scanned, average # of high-severity vulnerabilities per million lines of code
    – Time between application vulnerability awareness and patching
    Infrastructure
    – IT/OT downtime for planned security updates
    – IT/OT downtime for unplanned security tasks
    – # of infected PCs, phones, meters, etc. detected and cleansed
    – Time between system vulnerability notice and patching or mitigation
    Data
    – % of critical databases protected
    – % of total databases protected
    – Data loss related incidents:
      -- # of lost/stolen devices (e.g., unencrypted laptops, smart phones, USB drives)
      -- # of unauthorized data disclosures
      -- # of data loss near misses
    – % of system administrators with access to root or PII information without audit capabilities
    Security Situational Awareness
    – % of critical IT/OT systems instrumented ... logs being continuously analyzed
    – % of network segments protected by firewalls and IDS/IPS
    – % up-time and availability of the network against DDoS and other network attacks
    – # of ICS-CERT alerts relevant to the client
    Resilience
    – # of security and/or privacy breach exercises per year
    – Performance of teams re: incident response, rapid recovery, forensics, etc.
    – Maturity/capability rating of the people, processes and technologies performing the key controls for both of the above
    – # of critical servers/databases with root password and key escrow, and # without
    Submitted to NIST March 2013: http://csrc.nist.gov/cyberframework/rfi_comments/ibm_security_systems_031913.pdf
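The slide lists the metrics but not how to compute them, and the "time between vulnerability notice and patching" figure in particular is easy to get wrong. The following is an added example, not IBM's code or anything from the deck: it computes several of the slide's application, infrastructure, data and people metrics over a small constructed inventory (every asset name, date and count is made up). Two design points it shows: vulnerability density is computed over scanned applications only, because unscanned code has unknown findings, not zero; and still-open vulnerabilities are reported with their current age rather than dropped, because dropping them makes the median time-to-patch look better as the backlog grows.

```python
"""Security metrics from the slide, computed over a constructed inventory.

Added example; not IBM's code and not from the deck. All assets, dates
and counts below are hypothetical, chosen to exercise the calculations.
"""
from datetime import date
from statistics import median

# Reporting date used for the age of still-open vulnerabilities (constructed).
AS_OF = date(2013, 6, 1)


def pct(numerator, denominator):
    """Percentage with a zero-denominator guard: an empty portfolio is 0%, not a crash."""
    return 100.0 * numerator / denominator if denominator else 0.0


# Constructed application inventory. 'scanned' is the year of the last vulnerability
# scan (None = never scanned); 'high' is the high-severity finding count from that
# scan; 'kloc' is thousands of lines of code.
APPS = [
    {"name": "outage-portal",   "mfa": True,  "https": True,  "scanned": 2013, "kloc": 120, "high": 9},
    {"name": "meter-data-mgmt", "mfa": False, "https": True,  "scanned": 2013, "kloc": 450, "high": 22},
    {"name": "crew-dispatch",   "mfa": False, "https": False, "scanned": 2011, "kloc": 80,  "high": 3},
    {"name": "scada-historian", "mfa": True,  "https": False, "scanned": None, "kloc": 300, "high": None},
]


def application_metrics(apps, year):
    """MFA / HTTPS coverage, scan coverage for the year, and high-severity density."""
    scanned = [a for a in apps if a["scanned"] == year]
    kloc = sum(a["kloc"] for a in scanned)
    high = sum(a["high"] for a in scanned)
    return {
        "pct_mfa": pct(sum(a["mfa"] for a in apps), len(apps)),
        "pct_https": pct(sum(a["https"] for a in apps), len(apps)),
        "pct_scanned_this_year": pct(len(scanned), len(apps)),
        # Density over scanned apps only: unscanned code has unknown, not zero, findings.
        "high_per_mloc": high / (kloc / 1000.0) if kloc else 0.0,
    }


# Constructed vulnerability notices. 'fixed' is the date the patch or mitigation
# was applied; None means the item is still open.
VULNS = [
    {"asset": "dc01",   "domain": "IT", "notice": date(2013, 3, 1),  "fixed": date(2013, 3, 8)},
    {"asset": "mail01", "domain": "IT", "notice": date(2013, 3, 5),  "fixed": date(2013, 3, 26)},
    {"asset": "web01",  "domain": "IT", "notice": date(2013, 4, 1),  "fixed": None},
    {"asset": "rtu-17", "domain": "OT", "notice": date(2013, 2, 10), "fixed": date(2013, 4, 11)},
    {"asset": "hmi-03", "domain": "OT", "notice": date(2013, 3, 20), "fixed": None},
]


def time_to_patch(vulns, as_of):
    """Per-domain days from vulnerability notice to patch/mitigation.

    Closed items give the median; open items are counted and their age as of
    'as_of' is reported so a growing backlog cannot hide behind a good median.
    """
    out = {}
    for domain in sorted({v["domain"] for v in vulns}):
        items = [v for v in vulns if v["domain"] == domain]
        closed = [(v["fixed"] - v["notice"]).days for v in items if v["fixed"]]
        open_ages = [(as_of - v["notice"]).days for v in items if not v["fixed"]]
        out[domain] = {
            "median_days_to_fix": median(closed) if closed else None,
            "open": len(open_ages),
            "oldest_open_days": max(open_ages) if open_ages else 0,
        }
    return out


# Constructed database inventory: 'protected' = monitored/encrypted per policy.
DATABASES = [
    {"name": "cis",         "critical": True,  "protected": True},
    {"name": "ami-headend", "critical": True,  "protected": False},
    {"name": "outage-mgmt", "critical": True,  "protected": True},
    {"name": "hr",          "critical": False, "protected": True},
    {"name": "gis-archive", "critical": False, "protected": False},
]


def database_metrics(dbs):
    """% of critical databases protected and % of all databases protected."""
    critical = [d for d in dbs if d["critical"]]
    return {
        "pct_critical_protected": pct(sum(d["protected"] for d in critical), len(critical)),
        "pct_total_protected": pct(sum(d["protected"] for d in dbs), len(dbs)),
    }


# Constructed administrator list: root/PII access flags and whether it is audited.
ADMINS = [
    {"user": "jsmith",  "root": True,  "pii": False, "audited": True},
    {"user": "apatel",  "root": True,  "pii": True,  "audited": False},
    {"user": "mlee",    "root": False, "pii": True,  "audited": False},
    {"user": "rgarcia", "root": False, "pii": False, "audited": False},
]


def unaudited_privileged_pct(admins):
    """% of all system administrators holding root or PII access with no audit trail."""
    exposed = [a for a in admins if (a["root"] or a["pii"]) and not a["audited"]]
    return pct(len(exposed), len(admins))


if __name__ == "__main__":
    print(application_metrics(APPS, 2013))
    print(time_to_patch(VULNS, AS_OF))
    print(database_metrics(DATABASES))
    print(unaudited_privileged_pct(ADMINS))
```

Replace the constructed lists with exports from the CMDB, scanner and ticketing system; the functions only depend on the field names shown. The per-domain split matters for utilities because OT patch windows are set by outage schedules, so IT and OT time-to-patch should never be blended into one number.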
  • 7. 2012 CISO Study
  • 8. A measurement movement is forming
    – DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
      • Metrics for utilities to use to baseline and gauge effectiveness
    – DOE's Electricity Subsector Risk Management Process (May 2012)
      • Help translating cybersecurity into a risk management framework
    – NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update)
      • Questions utilities will be asked by their state public utility commissions
    – NIST's NISTIR 7628 Assessment Guide (Aug 2012)
    – NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011)
  • 9. Demand for metrics rising
    – US Presidential EO and NIST Critical Infrastructure Cybersecurity Framework working group
    – DOE's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
    – California PUC
    – Rest of World: Europe, Asia, Australia
  • 10. Security Governance guidance for utilities
    1. Security as risk management
    2. A fully integrated security enterprise
    3. Security by design
    4. Business-oriented security metrics and measurement
    5. Change that begins at the top
    6. IBM's 10 essential security actions
  • 11. Contacts
    Andy Bochman, bochman@us.ibm.com, +1 781 962 6845, E&U/Crit Infra Security Metrics Team
    Steve Dougherty, sdougherty@us.ibm.com, +1 916 467 7052, SWG/Security E&U Services and Cross-brand GBS E&U CoC
  • 12. ibm.com/energy ibm.com/security © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.