Cyber Security & Data Privacy

January 22, 2014

Today’s Presenters

Bob DiBella

Director of Product Management

Aclara Technologies

Srinivasalu Ambati

Application Architect, Consumer Engagement


Housekeeping

• You will receive a copy of the slides

– To the email you used to register

• You can ask questions as we go along

– Simply type into the question box; we will address them as we go along or raise them during the Q&A

• We will answer all the questions submitted


Questions & Audio

• If this is what you see – Click on the orange arrow to expand your dashboard.

• In order to ask questions over the phone, please log in with your Audio Pin.

• Click on the + sign to open up the questions box.

• Use the Questions box at any time to type questions.

• You can ask questions as we go along.

Yes, you will receive the slides after


Agenda

1. Introduction to Cyber Security & Data Privacy
   – Why the Consumer Conversation is Important
   – Available Materials

2. An Overview Example (Aclara Technologies)
   – Examples of Customer Data Presentment
   – Security Risks and Best Practices
   – The Aclara Experience


The Consumer Conversation

• Google’s NEST acquisition, what does it mean to the industry?

• Prompting more than a few privacy concerns, legitimate and otherwise

• Vulnerability of a large, centralized system and the potential for hacking

• System will be


Speaker #1

Bob DiBella – Director of Product Management, Aclara Technologies

• Leads the development and marketing of Aclara’s consumer engagement solutions for web, mobile, email and print channels

• Previously directed the development of several transformative products including the customer dashboard, online billing analysis, and AMI data presentment

Speaker #2

Srinivasalu Ambati – Application Architect, Consumer Engagement, Aclara Technologies

• Responsible for technology strategy and non-functional requirements for the Consumer Engagement business system, an internet-based, multi-tenant, multi-layer, multi-tier, 24x7 software system hosted on the .NET platform

• Currently working with the Aclara Product Team to focus on big data analytics and user experience

• More than 20 years of experience in software development, management, and consulting in the energy software space

©2014 Aclara Technologies LLC

Overview

• Speakers
  – Bob DiBella, Director Product Management
  – Srini Ambati, Application Architect

• About Aclara

• Examples of Customer Data Presentment

• Security Risks and Best Practices

About Aclara

• Division of ESCO Technologies

• Industry leading Intelligent Infrastructure™ technologies

• Device networking, data-value management, and customer communications

• Serving water, gas, and electric utilities

• Over 500 utilities globally

• Providing print and digital

Consumer Engagement

• Provide access to electric, gas, and water data

• Make the data easy to understand

• Provide engaging content and tools

• Help consumers manage and control their use

• Provide measurable value back to the utility

Common set of objectives and benefits

Examples of Data Presentment

• Fresh personal information is available daily

• Enables customers that want to be proactive about bills

• Creates recurring engagement

Examples of Data Presentment

Proactive daily/weekly feedback and alerting

• Customer alerts program
  – Bill to date
  – Cost threshold

• Analyze data on customer’s behalf

• Identify trends and anomalies

• Alert customer before trouble occurs

Do YOU trust computer systems?

Cyber Security Principles - CIA

Note: In addition, other properties, such as authenticity, non-repudiation, etc. can also be involved.

Confidentiality

• Preventing disclosure of information to unauthorized users

• Security Control(s): encryption, access control

Integrity

• Preventing/detecting unauthorized modification of data, source code and binaries

• Security Control(s): authentication, authorization, digital signatures, HMACs

Availability

• Ensuring information, services, and equipment are available within tolerable response times

• Security Control(s): throttling, timeouts, resource cleanups
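The Integrity row above lists HMACs as a control. The Python example below is added here and is not code from the Aclara deck or product: it tags a daily usage reading with HMAC-SHA256 and shows that a modified reading, a forged tag, and a verifier holding the wrong key are all rejected. The reading, the function names and the key handling are constructed for illustration; the key is generated at run time only so the example runs offline, whereas a real service would load it from a key store.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical shared secret. Generated fresh here so the example runs
# offline; a real system would fetch it from a key store, never from source.
SECRET_KEY = secrets.token_bytes(32)


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the canonical form of payload."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(payload: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare it in constant time.

    compare_digest stops a remote caller learning, through timing, how many
    leading characters of a guessed tag were correct.
    """
    expected = sign(payload, key)
    return hmac.compare_digest(expected, tag)


# Constructed sample: one day's reading as a presentment service might hand
# it to a downstream alerting job (bill-to-date and cost-threshold alerts).
READING = {"account": "A-1001", "date": "2014-01-21", "kwh": 31.4, "bill_to_date": 48.70}


def demo() -> dict:
    """Tag the reading, then try the three things an attacker might do."""
    tag = sign(READING)
    tampered = dict(READING, kwh=3.1)                        # reading lowered in transit
    forged_tag = tag[:-1] + ("0" if tag[-1] != "0" else "1")  # last hex digit flipped
    other_key = secrets.token_bytes(32)                        # verifier with a different key
    return {
        "genuine_verifies": verify(READING, tag),
        "tampered_detected": not verify(tampered, tag),
        "forged_tag_detected": not verify(READING, forged_tag),
        "wrong_key_detected": not verify(READING, tag, key=other_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The difference from a plain hash is the key: anyone can recompute SHA-256 over an altered reading, but only a holder of SECRET_KEY can produce a tag that verifies, which is what makes the tag an integrity control rather than a checksum. Where a third party must verify without being able to forge, the same pattern is used with a digital signature instead of an HMAC.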

Cyber Security – Important Definitions

Weakness

– A deficiency

– The condition or quality of being weak

Threat

– Undesired event or potential occurrence; may or may not be malicious in nature

– Might damage or compromise an asset or objective

Vulnerability

– Weakness in some aspect or feature of a system that makes an exploit possible

– Can exist at the network, host, or application level

Attack (or exploit)

– An action taken that uses one or more vulnerabilities to realize a threat

– Could be someone following through on a threat or exploiting a vulnerability

Countermeasures

– Address vulnerabilities to reduce the probability of attacks or the impact of threats

– Do not directly address threats but address the factors that define the threats

Sound Familiar?

• Architecture Phase – COMPLETE

• Design Phase – COMPLETE

• Development – COMPLETE

• Testing – COMPLETE

• Security Audit/Review – Uh..oh!

Security Traumas at a Glance

Business

– Loss or Compromise of Data

– Interruption of Business Processes

– Loss of Revenue

– Damage to Reputation

– Damage to Customer & Investor Confidence

– Legal Consequences

Great features won't matter unless customers trust our software

Securing Applications - Challenges

Attackers vs. Defenders

• Attacker needs to understand only one security issue

• Defender needs to secure all entry points

• Attacker has unlimited time

• Defender works with time and cost constraints

Security vs. Usability

• Secure systems are more difficult to use

• Complex and strong passwords are difficult to remember

• Users prefer simple passwords

• Developers and management think that security does not add any business value

• Cost of addressing security issues only increases as the software development lifecycle proceeds

Securing Applications - Tradeoff

Tradeoff triangle: Low Cost, Usable, Secure

OWASP Top 10 Critical Application Security Flaws

• The Open Web Application Security Project (OWASP) Top 10:

  – Injection

  – Broken Authentication and Session Management

  – Cross-Site Scripting (XSS)

  – Insecure Direct Object References

  – Security Misconfiguration

  – Sensitive Data Exposure

  – Missing Function Level Access Control

  – Cross-Site Request Forgery (CSRF)

  – Using Components with Known Vulnerabilities

  – Unvalidated Redirects and Forwards
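Two items on the list above, Injection and Insecure Direct Object References, tend to appear together in a customer-data lookup such as the usage presentment screens discussed earlier, and fixing one does not fix the other. The Python example below is added here and is not code from the Aclara deck or product: the usage table, account ids, payload and function names are constructed for illustration, and an in-memory SQLite database stands in for whatever database a portal would use. It shows the spliced-string query leaking every customer's rows, the parameterized query treating the same payload as a harmless literal, and the ownership check that is still needed to stop a caller from simply naming another customer's account.

```python
import sqlite3

# Constructed sample data: daily usage rows for two customers of a utility portal.
ROWS = [
    ("A-1001", "2014-01-20", 29.8),
    ("A-1001", "2014-01-21", 31.4),
    ("A-2002", "2014-01-20", 44.1),
    ("A-2002", "2014-01-21", 40.7),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usage (account TEXT, day TEXT, kwh REAL)")
    conn.executemany("INSERT INTO usage VALUES (?, ?, ?)", ROWS)
    return conn


def usage_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """Injection: the account id from the request is spliced into the SQL
    text, so the caller controls the statement, not just a value in it."""
    sql = "SELECT account, day, kwh FROM usage WHERE account = '%s'" % account
    return conn.execute(sql).fetchall()


def usage_parameterized(conn: sqlite3.Connection, account: str) -> list:
    """Parameterized query: the driver passes the account id as data, so a
    quote inside it can never change the statement's structure.
    This closes Injection but still returns any account the caller names."""
    sql = "SELECT account, day, kwh FROM usage WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def usage_hardened(conn: sqlite3.Connection, session_account: str,
                   requested_account: str) -> list:
    """Adds the server-side ownership check that closes the Insecure Direct
    Object Reference: session_account comes from the authenticated session,
    requested_account from the request, and they must agree before any lookup."""
    if requested_account != session_account:
        raise PermissionError("account %r is not owned by the caller" % requested_account)
    return usage_parameterized(conn, requested_account)


def demo() -> dict:
    """Run each variant against a tautology payload and an IDOR attempt."""
    conn = make_db()
    payload = "' OR '1'='1"  # becomes WHERE account = '' OR '1'='1', true for every row
    leaked = usage_vulnerable(conn, payload)
    not_leaked = usage_parameterized(conn, payload)
    # Caller A-1001 just asks for A-2002: no injection needed, only a missing check.
    idor = usage_parameterized(conn, "A-2002")
    try:
        usage_hardened(conn, "A-1001", "A-2002")
        idor_blocked = False
    except PermissionError:
        idor_blocked = True
    own = usage_hardened(conn, "A-1001", "A-1001")
    return {
        "rows_leaked_by_injection": len(leaked),
        "rows_for_payload_when_parameterized": len(not_leaked),
        "rows_leaked_by_idor_without_ownership_check": len(idor),
        "idor_blocked_by_ownership_check": idor_blocked,
        "own_rows": len(own),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ownership check deliberately compares against an identity the server already holds rather than anything in the request; an account id, meter id or bill id supplied by the client is a lookup key, never proof of authorization. The same scoping applies to the list's Missing Function Level Access Control item, where it is the action rather than the record that must be checked against the session.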

Don’t forget Flaws Related To…

Host Layer Security

Secure Software Characteristics

• Secure by Design

• Secure by Default

• Secure by Deployment

Secure Design Principles

• Use least privilege

• Promote privacy

• Reduce attack surface

• Use defense in depth

• Don't trust user input

• Fail securely

• Use secure defaults

Finding, Fixing and Preventing Vulnerabilities

Secure at the Source

• Information Security Standards

• Secure Coding Standards

• Secure Development Process

• Security Training

Find and Fix

Aclara Cyber Security Practices

Cyber Security

– Security Design and Code Reviews as part of SDLC

– Access Control Policies

– Security Awareness Training and Education

– Personnel Security with Background Checks

– Security Model based on NIST 800-53 Standards

SSAE 16 (replaced SAS 70)

– SSAE 16 (SOC 2) compliance

– Annual review by third party auditors

Third Party Application/Network Security Reviews

– Microsoft code review


Bob DiBella, Director of Product Management, Aclara Technologies – RDibella@aclara.com

Srinivasalu Ambati, Application Architect, Consumer Engagement, Aclara Technologies – sambati@aclara.com

Links and Resources:

• SGCC’s Data Privacy and Smart Meters Fact Sheet - http://smartgridcc.org/research/sgcc-research/sgccs-data-privacy-and-smart-meters-fact-sheet

• Aclara Technologies homepage - www.aclaratech.com/

Thank you!
