security architecture & smart meters
DESCRIPTION
An introduction to security architecture including a description of the environment and security challenges for Smart Meters in the UK and some possible solutions.
TRANSCRIPT
© BAE Systems plc (2012). All Rights reserved. BAE SYSTEMS and DETICA are trade marks of BAE Systems plc.
04/08/23 1
Security Architecture and Smart Meters
44con 2012
Phil Huggins
Agenda
• What is security architecture?
• Smart meter systems
• Smart meter concerns
• Approaches to the problems
• Security architecture responses
What is security architecture?
The security principles or maxims
And
The security model of the system
And
The security requirements
And
The security relevant design decisions
And
The security controls
A (very simple) smart meter system
Customer
Customer Device
Smart Meter/s
Head-end
Meter Data Management System
Website
Customer Relationship Management
Asset Management
Data Warehouse
Internet
WAN
HAN
Comms Hub
Who are the likely attackers?
• Organised crime
• Nation states
• Competitors
• Customers
• Security researchers
• Hacktivists
• Hobbyists
• Terrorists?
What do we have that they want?
• Personal data
• Credit card data
• Revenue
• Usage profiles
• Availability of power supply
• Network bandwidth
• Hardware
Smart meter concerns
• Smart meters will continue to be attacked
  • Embedded device hacking skills are mature and widespread
  • Successful sophisticated attacks have been publicised
  • There are significant rewards available to attackers
• Vulnerabilities will continue to exist
  • Security is new to many vendors
  • Devices are complex and have long lifecycles (15 years)
• End to end infrastructure is as important as the meters
  • Back office IT systems often assumed to be islands
  • Wide area comms are punching through boundaries into core networks
• Customer trust not yet earned
  • Brands are at risk
Approaches to the problems
• Threat and asset focus
  • Identify and understand your threats
  • Identify and value your assets
  • Model the attack paths
• Risk-based prioritisation
  • Investment must make business sense
  • Spend the money where the problems are
  • Continuous reruns to identify changes
• Scope must include controls across
  • Supply chain
  • Design and build
  • Operations
Security architecture responses
• Industry standards
• Zoning model
• Public Key Infrastructure
• Increased operational visibility
• Aggregation of security services
Top takeaways
• New cyber threats have changed business risk landscape
  • Not a question of if, but when Smart Meter Systems will be compromised
  • Attackers will invest the time and resources developing new attack methods
  • Advanced attack methods won’t be detected by current IT security controls
• Key to success of Smart meter systems is consumer confidence
  • Brand reputation is central to business success
  • There is no second chance when securing customer data
• Ensure business concerns are embedded in security decision making
  • Focus on risk not on coverage of compliance
  • Pragmatism rather than purism
• Assure the End to End solution
  • The meters are not where all the risk is
Contact details
BAE Systems Detica
5th Floor
2 Arundel Street
London
WC2R 3AZ
United Kingdom
Tel: +44 (0)20 7812 4000
Fax: +44 (0)20 7812 4100
Copyright
© BAE Systems plc (2012). All Rights reserved.
BAE Systems and DETICA are trade marks of BAE Systems plc.
Other company names, trade marks or products referenced herein are the property of their respective owners and are used only to describe such companies, trade marks or products.
Detica Limited, trading as ‘BAE Systems Detica’, is registered in England & Wales under company number 01337451 and has its registered office at Surrey Research Park, Guildford, England, GU2 7YP.