Monthly Archives: April 2014

A New Approach to Substation Security and NERC Compliance



Join us for our Webinar: Tuesday April 29, 2014
10:00 am – 11:00 am PT | 1:00 pm – 2:00 pm ET 

Lessons you will learn:
• Why integrating physical and cyber security is key
• How to overcome the challenges of extending security across organizational boundaries
• New techniques that cover upfront risk analysis and automated workflow to simplify onboarding/offboarding, anomaly detection and threat correlation


High-profile intrusions and physical attacks against substations have spurred a lot of discussion about physical security, resulting in a FERC directive for NERC to propose new physical security standards. A holistic approach to security has been proven to be more effective, and it addresses compliance requirements in the utilities industry at the same time. It is now essential to monitor and report role-based physical access to various facilities, control rooms, substations and critical assets. Utilities of all sizes need to know who has access to specific facilities, critical assets and cyber critical assets, and how much area access they should have within those facilities.
Version 5 of the NERC CIP compliance requirements also adds to the physical security requirements, in addition to complete background checks and criminal history record checks for employees and unescorted contractors. Highly critical assets must be housed within secured boundaries, and any access to that area must be recorded and tracked.
Join the experts who are leading this session to discuss why this new approach is the only way to detect and identify complex threats that extend across the boundaries of cyber and physical security.

AlertEnterprise Announces 2014 User Group Meeting



IT-OT Security Convergence Gains Center Stage to Deliver Critical Infrastructure Protection: April 30 – May 2, 2014.

AlertEnterprise customers are arriving in the Bay Area to see why we all love living in the Bay Area. Silicon Valley-based AlertEnterprise is hosting the 2014 AEUG – AlertEnterprise User Group Meeting April 30th – May 2nd.


Determined attackers have a more holistic view of security. They attack the enterprise. They understand that security silos represent vulnerability. Segregation means each silo is blind in real time to breaches in the others. Communications gaps between silos mean time delays. Time delays mean opportunities for attackers. The failure to integrate physical security with IT security and operational technology – regardless of budget – is the moral equivalent of aiding and abetting thieves and saboteurs.

AlertEnterprise Wins 2013 GRC Value Award: Identity & Access GRC


GRC 20/20 Research awarded AlertEnterprise, Inc. its 2013 GRC Value award in the Identity & Access GRC category. Enterprise Guardian™ from AlertEnterprise was deployed at a large utility corporation. The implementation provided the utility insight into its identity repository and multiple IT systems to identify risks and eliminate threats, while meeting NERC and NERC CIP compliance. AlertEnterprise estimates the utility sees annual benefits of $1 million, perhaps greater, as a direct result of the implementation (see exhibit, below).

| Value Drivers | Technical Baseline/Benchmarks | Estimated Improvements (%) | Estimated Benefit ($) |
|---|---|---|---|
| Improve compliance and audit FTE efficiency | 10 FTEs allocated for 6 months | 12% | $150,000 |
| Improve IT FTE efficiencies for enterprise security | (IT + physical + SCADA) = 10 FTE | 15% | $200,000 |
| Reduce noncompliance penalties (NERC/CIP) | Avoid reg. fines ($1M max/violation) | 10% | $100,000 |
| Reduce O&M costs (truck rolls, etc.) | $2,000 per incident | 10% | $300,000 |
| Reduce incident response costs | 10 FTEs allocated | 15% | $150,000 |
| Reduced costs due to an integrated platform | Converged security and compliance | 15% | $200,000 |
| Total Annual Benefits (Recurring/One-Time) | | | $1,000,000 |

Source: AlertEnterprise, Inc. and GRC 20/20, 2013

The main short-term benefits include immediate identification of risk and conformity with regulatory standards. AlertEnterprise helped the utility remain compliant with NERC CIP regulations by automating various business processes and procedures. Enterprise Guardian leverages IT-OT convergence capabilities by linking SAP and other IT applications with physical access control systems and SCADA/operational systems to deliver critical infrastructure protection by eliminating organizational silos. Industry-specific content packs deliver a fast and effective means to meet regulations; automate contractor-employee onboarding/offboarding and identity, access and role lifecycle management; simplify the badging process; and leverage identity analytics while reducing the complexity of provisioning across all these systems.

Customer challenges

As one of the largest electric utilities in the United States, the company required an all-encompassing enterprise access management system and solution. Primary challenges included:

  • Multiple legacy applications lacking common centralized processes to assign and monitor access
  • Large identity and access management application deployment from a major vendor that did not link to internal applications
  • Contractor access to applications tracked manually, lacking documentation and evidence
  • Decentralized process for NERC CIP 004 access management
  • Tracking of certification required for CIP access is manual and time-consuming systems (PACS)

Heartbleed Bug Can Also Affect Personal Devices, What You Can Do

OpenSSL: Are you patched?

We have all heard and read news about the “Heartbleed” bug in OpenSSL on various websites. A common misperception is that Heartbleed only affects “secure” web servers, and that most websites have already been patched. Without many of us even being informed, this bug also affects our personal devices, including networking devices, home automation systems, smartphones, mobile apps, etc.

It is not known when the vendors of the majority of affected devices, services and apps will address this vulnerability. Given the large number of devices and services that rely on OpenSSL, it is likely that not all of them will ever be patched. OpenSSL developers have now also received flak for the buggy codebase that is “beyond a fix”.