Being aware of, and acknowledging, that a data security threat is possible is the first step to securing your information technology assets. In my experience working on data protection issues with companies in many industries, I have seen that failure to protect electronic corporate assets can lead to serious, business-compromising events, sometimes with disastrous consequences. Utilities implementing new smart grid technology are now collecting large volumes of detailed data about customer behavior and system operation; the responsibilities are many and the potential consequences of a security breach severe. The large data flows begin outside the utility itself (at the customer's meter), which creates security exposures that other industries do not face in the same form. While sophisticated, detailed solutions will be required to secure these networks, this article outlines a tiered approach to effectively securing an operating environment.
Tier 1—Policies, Procedure and Awareness
It is essential that clearly stated security policies and procedures exist and that an effective communication and awareness program is in place. For example, in organizations deficient in policies, procedures and awareness, we often find security weaknesses such as:
- Company employees, vendors and consultants not being aware of regulatory requirements for handling of data;
- Uncontrolled use of thumb drives, with no strict policy on their use;
- The storing of credit card and social security numbers in clear text;
- Non-compliance to industry standards or regulations, creating the risk of severe fines.
Policies and procedures protect organizations and individuals alike, and unless those policies and procedures are effectively communicated, monitored and enforced, it cannot be assumed that requirements are understood and adhered to.
Tier 2—End Point Security
We live in a world where desktops, laptops, tablets, smart phones, social media and other web-based applications are the norm. So too, unfortunately, are security breaches, and we hear about them daily. It is essential now more than ever that we use complete end point protection suites that offer not only anti-virus protection but also anti-malware, host-based intrusion prevention and detection, application control and host-based software firewalls. To be effective these products must always be kept up to date and be tamper resistant: an attacker who gains local administrator rights on a machine will try to disable or remove the agent first. A central management console lets administrators actively monitor security events and, just as importantly, detect when protection has been removed or disabled on an endpoint.
Tier 3—Mobile Device Management
Management of mobile devices such as handhelds, smartphones and tablets has become more cumbersome for companies as we have entered the world of Bring Your Own Device (BYOD), where many employees bring their personal devices to work. BYOD creates the need for tools to manage the devices, apply policy and workflow, and restrict use of the device in the event it gets into the wrong hands. Key attributes of a Mobile Device Management platform to consider are an enterprise application store, directory (LDAP) integration for authentication and group-based policy, cloud deployment, policy engines, user authentication controls, the ability to enforce local data rules, secure browsers, API restrictions, control of offline access, forbidden application alerts, analysis tools and remote wiping of devices.
Tier 4—Data Loss Prevention (DLP)
While Data Loss Prevention is needed at many levels in your information security posture, in its most basic form the emphasis is on network, storage, endpoint and file level forms of DLP. Network based DLP protects data while in motion, storage DLP protects data while at rest, and endpoint DLP protects data while in use. File level DLP protects files containing sensitive information; for example, documents are flagged as proprietary, or a file is fingerprinted so that copies and excerpts of it can be recognized and blocked before they reach unauthorized parties. There is a wide array of DLP tools on the market that complement security programs and enable you to apply appropriate workflow controls. DLP tools can aid greatly in applying policy, auditability and workflow for compliance with HIPAA, SOX, PCI DSS, PIPEDA, NERC CIP and many others.
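To make the two detection techniques above concrete, here is an added example (not code from the article or from any DLP vendor) of the core of a content inspector: pattern detection for card numbers and social security numbers, with a Luhn check to cut false positives, and document fingerprinting over overlapping word shingles so that an excerpt of a registered document is still caught. The sample restoration plan, the outbound messages, the shingle size of five words and the match threshold of three shingles are all constructed assumptions for illustration.

```python
"""Minimal content-inspection DLP: pattern detection plus document fingerprinting.

Added example, not part of the original article. Shingle size, threshold and the
sample documents are assumptions chosen for illustration.
"""
import hashlib
import re

# --- Pattern-based detection ------------------------------------------------
# Card-like digit runs (13-19 digits, optional spaces/dashes) and US SSN shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan(text):
    """Card-like digit runs that pass Luhn; phone numbers and IDs usually fail it."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# --- Fingerprint-based detection ---------------------------------------------
SHINGLE = 5  # words per shingle (assumption; products tune this for recall/noise)


def normalize(text):
    """Lower-case word tokens, so formatting changes do not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text):
    """Set of truncated SHA-256 hashes of every overlapping SHINGLE-word window."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE + 1)
    }


class FingerprintIndex:
    """Maps shingle hashes to the registered documents that contain them."""

    def __init__(self):
        self.index = {}

    def register(self, name, text):
        for h in fingerprint(text):
            self.index.setdefault(h, set()).add(name)

    def match(self, text, threshold=3):
        """Return {doc: matching shingle count} for docs at or above threshold."""
        counts = {}
        for h in fingerprint(text):
            for doc in self.index.get(h, ()):
                counts[doc] = counts.get(doc, 0) + 1
        return {d: c for d, c in counts.items() if c >= threshold}


def inspect(index, message):
    """Combine both detectors into one verdict a DLP policy engine could act on."""
    findings = {
        "pan": find_pan(message),
        "ssn": SSN_RE.findall(message),
        "fingerprint": index.match(message),
    }
    findings["block"] = bool(findings["pan"] or findings["ssn"] or findings["fingerprint"])
    return findings


# Constructed sample: a sensitive operations document registered with the index.
SENSITIVE_DOC = (
    "Substation 12 outage restoration plan: isolate feeder F3, transfer load to F7 "
    "via tie switch T4, then re-energize transformer bank B2 after relay settings "
    "are verified."
)


def build_index():
    idx = FingerprintIndex()
    idx.register("restoration-plan", SENSITIVE_DOC)
    return idx


if __name__ == "__main__":
    idx = build_index()
    # An excerpt pasted into an outbound message still matches 10 shingles.
    print(inspect(idx, "FYI: transfer load to F7 via tie switch T4, then re-energize transformer bank B2"))
    # A card number in clear text is caught by pattern plus Luhn; "12/26" is not.
    print(inspect(idx, "Lunch at noon? Card 4111 1111 1111 1111 expires 12/26"))
    # Benign traffic passes.
    print(inspect(idx, "Lunch at noon?"))
```

Fingerprinting over hashed shingles, rather than a whole-file hash, is what lets the check survive copying a paragraph into an email or retyping it with different punctuation; the threshold is the knob that trades missed short excerpts against false alarms on common phrases. In a real deployment the index holds hashes only, so the sensitive documents themselves never need to sit on the inspection point.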
Tier 5—Encryption
There are many methods to achieve encryption and decryption of data. Without going into the types of encryption, which are plentiful and complex, I would suggest the following be considered as part of your strategy. Where possible, have a central management server for your encryption keys, user management and policies; this will accelerate deployment, reduce cost and complexity, and keep key custody separate from the systems that hold the data. Be sure to select a solution that can integrate with public key infrastructure (PKI), systems management tools and DLP solutions, and one that provides status and reporting in order to satisfy any compliance reporting requirements you may have. Lastly, encrypt everywhere possible (data at rest, data in transit and data on removable media) to protect against misuse of your data.
Tier 6—Additional Measures to Explore
- Develop a comprehensive strategy towards hardening your IT assets
- Patch early and often—Patching = Prevention + Protection
- Disable any and all unused features on IT assets
- Consider identity and access control, information security and compliance gateways
- Network Access Control/802.1x Authentication
- Multi-factor authentication
- Block USB ports
- Don’t overlook the obvious
- Require regular password changes
- Require complex passwords of 8 or more characters
- Disable or rename default administrator accounts
- Web content filters
- Secure Browsers
- Web Application Firewalls
- Network based Intrusion Prevention and Detection Systems
- Centralized Event Log Correlation
- Develop a data classification and governance model—not only will this help to secure your data but also assist in electronic discovery and archival initiatives
- Consider a security audit by a knowledgeable outside party
A tiered approach to information security can embody many different solutions. Security is not one size fits all and must be viewed on an individual basis. Compliance requirements often dictate the depth and breadth of a security posture but not the specific technologies to be used. Organizational requirements can also dictate the need for measures above and beyond what is required to achieve compliance.
This article presents a high level overview of what I consider to be some of the more important ways to structure information security practices. In future IssueAlert articles, I will delve into the finer details of specific design decisions and tradeoffs for creating a secure system in a heavy data flow and high transaction environment such as the one that is emerging in the utility industry.