CyberSecurity Technology Strategy Development for Utilities Neil Rerup, President, ECSA

Agenda

- Principles
- Architecture Methodology
- Creating a Strategy
- Determine where you are (Strengths / Weaknesses / Opportunities / Threats)
- Determine the Environmental Variables
- Determine where you want to go
- Create your Strategy

What is your approach to Strategy?

- Principles
- Architecture Framework
- Where you are
- Where you want to be
- How to get there: Strategy

Principles

- Short, easy to communicate
- Indicate how you are going to approach Architecture
- Guide your approach and decision making
- Examples:
  - We will benchmark against other Utility organizations and be driven by the Business objectives
  - We will design security solutions with an Enterprise perspective from the outset, rather than local solutions that are enhanced for “specific idiosyncrasies.”
- Keep it to 10 bullets or less

Architecture Frameworks

- TOGAF: Conceptual in nature
- Zachman: Document centric
- SABSA: Security Architecture specific; a combination of TOGAF and Zachman
- >60 different Architecture Frameworks

Evolution of Architecture Frameworks

TOGAF Reference Security Architecture

“Open Enterprise Security Architecture” -TOGAF, 2011

Note: I feel that the Reference Security Architecture is not organized properly, so I created my own.

Note: It doesn’t give a SCADA slant either.

SGIP’s “Spaghetti Diagram”

Reference Security Architecture

IT and OT Convergence

- The ECSA Reference Architecture deals with Ideas & Concepts as well as specific technologies
- Deal with IT and OT convergence
  - E.g. Intrusion Detection / Intrusion Prevention, SIEM
  - Current IPS technology is specific to IT but can be used in OT

Information Technology

Operational Technology

Where are you now?

Diagram labels: How You’re Going to Get there; Where you are; Where you want to be; Resources

Strategy creation requires:

- Knowing where you are
  - Perform discovery
  - Strengths, Weaknesses, Opportunities, Threats
  - Environmental Variables (outside your control)
    - Political, Economic, Technical, Social, Competitive (PETSC)

Where do you want to be?

- Organizationally, not just Security’s viewpoint
- Interview Stakeholders, both Business and Dependent Stakeholders
- Get their view and replay it back to them
- Map to a Reference Security Architecture

Resources

- Use the Strengths and Opportunities to build your Road Map
- Resources include:
  - Existing Technology in place
  - Existing Projects and Planned Activities
- Remember, it’s not just about Technology. It’s also about People & Processes.

Roadmap => Strategy

- Use Strengths and Opportunities to lay out the Roadmap
- Take into consideration:
  - Weaknesses and Threats. Work around them or build them up.
  - Environmental Variables. Plan for them as a worst case. You can’t avoid them.

Contact Information

Neil Rerup, President / Chief Security Architect

Phone: 604-345-4630

Email: [email protected]

Web: www.enterprisecybersecurity.com

Q&A