security architecture & smart meters

© BAE Systems plc (2012). All Rights reserved. BAE SYSTEMS and DETICA are trade marks of BAE Systems plc.

Security Architecture and Smart Meters
44con 2012
Phil Huggins

Upload: phil-huggins

Post on 18-Nov-2014


DESCRIPTION

An introduction to security architecture including a description of the environment and security challenges for Smart Meters in the UK and some possible solutions.

TRANSCRIPT

Page 1: Security Architecture & Smart Meters

Security Architecture and Smart Meters

44con 2012

Phil Huggins

Page 2: Security Architecture & Smart Meters

Agenda

• What is security architecture?
• Smart meter systems
• Smart meter concerns
• Approaches to the problems
• Security architecture responses

Page 3: Security Architecture & Smart Meters

What is security architecture?

The security principles or maxims

And

The security model of the system

And

The security requirements

And

The security relevant design decisions

And

The security controls

Page 4: Security Architecture & Smart Meters

A (very simple) smart meter system

[Diagram components: Customer, Customer Device, Smart Meter/s, Comms Hub, HAN, WAN, Head-end, Meter Data Management System, Website, Customer Relationship Management, Asset Management, Data Warehouse, Internet]

Page 5: Security Architecture & Smart Meters

Who are the likely attackers?

• Organised crime
• Nation states
• Competitors
• Customers
• Security researchers
• Hacktivists
• Hobbyists
• Terrorists?

Page 6: Security Architecture & Smart Meters

What do we have that they want?

• Personal data
• Credit card data
• Revenue
• Usage profiles
• Availability of power supply
• Network bandwidth
• Hardware

Page 7: Security Architecture & Smart Meters

Smart meter concerns

• Smart meters will continue to be attacked
  • Embedded device hacking skills are mature and widespread
  • Successful sophisticated attacks have been publicised
  • There are significant rewards available to attackers

• Vulnerabilities will continue to exist
  • Security is new to many vendors
  • Devices are complex and have long lifecycles (15 years)

• End to end infrastructure is as important as the meters
  • Back office IT systems often assumed to be islands
  • Wide area comms are punching through boundaries into core networks

• Customer trust not yet earned
  • Brands are at risk

Page 8: Security Architecture & Smart Meters

Approaches to the problems

• Threat and asset focus
  • Identify and understand your threats
  • Identify and value your assets
  • Model the attack paths

• Risk-based prioritisation
  • Investment must make business sense
  • Spend the money where the problems are
  • Continuous reruns to identify changes

• Scope must include controls across
  • Supply chain
  • Design and build
  • Operations

Page 9: Security Architecture & Smart Meters

Security architecture responses

• Industry standards
• Zoning model
• Public Key Infrastructure
• Increased operational visibility
• Aggregation of security services

Page 10: Security Architecture & Smart Meters

Top takeaways

• New cyber threats have changed business risk landscape
  • Not a question of if, but when Smart Meter Systems will be compromised
  • Attackers will invest the time and resources developing new attack methods
  • Advanced attack methods won’t be detected by current IT security controls

• Key to success of Smart meter systems is consumer confidence
  • Brand reputation is central to business success
  • There is no second chance when securing customer data

• Ensure business concerns are embedded in security decision making
  • Focus on risk not on coverage of compliance
  • Pragmatism rather than purism

• Assure the End to End solution
  • The meters are not where all the risk is

Page 11: Security Architecture & Smart Meters

Contact details

BAE Systems Detica
5th Floor
2 Arundel Street
London
WC2R 3AZ
United Kingdom

Tel: +44 (0)20 7812 4000
Fax: +44 (0)20 7812 4100

Copyright

© BAE Systems plc (2012). All Rights reserved.

BAE Systems and DETICA are trade marks of BAE Systems plc.

Other company names, trade marks or products referenced herein are the property of their respective owners and are used only to describe such companies, trade marks or products.

Detica Limited, trading as ‘BAE Systems Detica’, is registered in England & Wales under company number 01337451 and has its registered office at Surrey Research Park, Guildford, England, GU2 7YP.