Cyber Security & Data
Privacy
Today’s Presenters
Bob DiBella
Director of Product Management
Aclara Technologies
Srinivasalu Ambati
Application Architect, Consumer Engagement
Housekeeping
• You will receive a copy of the slides
– To the email you used to register
• You can ask questions as we go along
– Simply type into the question box, as we will explain or
raise questions during the Q&A
• We will answer all the questions submitted
Questions & Audio
• If this is what you see – Click on the orange arrow to expand your
dashboard.
• In order to ask questions over the phone, please log in with your Audio
Pin
• Click on the + sign to open up the questions box.
• Use the Questions box at any time to type questions.
• You can ask questions as we go along.
• Yes, you will receive the slides after
Agenda
1.
Introduction to Cyber Security & Data Privacy
•
Why the Consumer Conversation is Important
•
Available Materials
2.
An Overview Example (Aclara Technologies)
•
Examples of Customer Data Presentment
•
Security Risks and Best Practices
•
The Aclara Experience
The Consumer Conversation
• Google’s NEST
acquisition, what does it
mean to the industry?
• Prompting more than a
few privacy concerns,
legitimate and otherwise
• Vulnerability of a large,
centralized system and
the potential for hacking
• System will be
Speaker #1
Name Background
Bob DiBella
Director of Product Management – Aclara Technologies • Leads the development and marketing of Aclara’s consumerengagement solutions for web, mobile, email and print channels • Previously directed the development of several transformative
products including the customer dashboard, online billing analysis,
and AMI data presentment
Speaker #2
Name Background
Srinivasalu Ambati
Application Architect, Consumer Engagement – Aclara Technologies • Responsible for technology strategy and non-functionalrequirements for Consumer Engagement business system which is internet based, multi-tenant, multi-layer, multi-tier, 24x7 software system hosted on the .NET platform
• Currently working with Aclara Product Team to focus on big data
analytics and user experience
• More than 20 years of experience in software development, management, and consulting in the space of energy software
©2014 Aclara Technologies LLC
©2014 Aclara Technologies LLC
Overview
11
Speakers
–
Bob DiBella, Director Product Management
–Srini Ambati, Application Architect
About Aclara
Examples of Customer Data Presentment
Security Risks and Best Practices
©2014 Aclara Technologies LLC
About Aclara
12
Division of ESCO
Technologies
Industry leading Intelligent
Infrastructure™ technologies
Device networking, data-value
management, and customer
communications
Serving water, gas, and
electric utilities
Over 500 utilities globally
Providing print and digital
©2014 Aclara Technologies LLC
Consumer Engagement
13
Provide access to electric, gas, and water data
Make the data easy to understand
Provide engaging content and tools
Help consumers manage and control their use
Provide measurable value back to the utility
Common set of objectives and benefits
©2014 Aclara Technologies LLC
Examples of Data Presentment
14 14
Fresh personal information is
available daily
Enables customers that want to be
proactive about bills
Creates recurring engagement
©2014 Aclara Technologies LLC
Examples of Data Presentment
15
Proactive daily/weekly feedback and alerting
Customer alerts program
Bill to date
Cost threshold
Analyze data on customer’s behalf
Identify trends and anomalies
Alert customer before trouble
occurs
©2014 Aclara Technologies LLC
16
Do
YOU
trust computer
systems?
©2014 Aclara Technologies LLC
Cyber Security Principles - CIA
17
Note: In addition, other properties, such as authenticity, non-repudiation, etc. can also be involved.
Confidentiality
• Preventing disclosure of information to unauthorized users
• Security Control(s):
Encryption, access control
Integrity
• Preventing/detecting
unauthorized modification of data, source code and
binaries.
• Security Control(s):
authentication, authorization, digital signatures, HMACs
Availability
• Ensuring information, services, and equipment are available within tolerable response times • Security Control(s): throttling,
timeouts, resource cleanups
©2014 Aclara Technologies LLC
Cyber Security – Important Definitions
18
Weakness
– A deficiency
– The condition or quality of being weak
Threat
– Undesired event or potential occurrence; may or may not be malicious in nature
– Might damage or compromise an asset or objective
Vulnerability
– Weakness is some aspect or feature of a system that makes an exploit possible
– Can exist at the network, host, or application level
Attack (or exploit)
– An action taken that uses one or more vulnerabilities to realize a threat
– Could be someone following through on a threat or exploiting a vulnerability
Countermeasures
– Address vulnerabilities to reduce the probability of attacks or impacts of threats
– Do no directly address threats but address the factors that define the threats
©2014 Aclara Technologies LLC
Sound Familiar?
19
• Architecture Phase –
COMPLETE
• Design Phase –
COMPLETE
• Development –
COMPLETE
• Testing –
COMPLETE
• Security Audit/Review –
Uh..oh!
©2014 Aclara Technologies LLC
Security Traumas at a Glance
20
Business
Loss or Compromise of Data Interruption of Business Processes Loss of Revenue Damage to Reputation Damage to Customer & Investor Confidence Legal ConsequencesGreat features won't
matter unless customers
trust our software
©2014 Aclara Technologies LLC
Securing Applications - Challenges
21
• Attacker needs to understand only one security issue • Defender needs to secure all entry points
• Attacker has unlimited time
• Defender works with time and cost constraints
Attackers vs.
Defenders
• Secure systems are more difficult to use
• Complex and strong passwords are difficult to remember
• Users prefer simple passwords
Security vs.
Usability
• Developers and management think that security does not add any business value
• Cost of addressing security issues only increases as software design lifecycle proceeds
©2014 Aclara Technologies LLC
Securing Applications - Tradeoff
22
Low
Cost
Usable
Secure
©2014 Aclara Technologies LLC
OWASP Top 10 Critical Application
Security Flaws
23
• The Open Web Application Security Project (OWASP) Top 10:
– Injection
– Broken Authentication and Session Management
– Cross-Site Scripting (XSS)
– Insecure Direct Object References
– Security Misconfiguration
– Sensitive Data Exposure
– Missing Function Level Access Control
– Cross-Site Request Forgery (CSRF)
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards
©2014 Aclara Technologies LLC
Don’t forget Flaws Related To…
24
Host Layer Security
©2014 Aclara Technologies LLC
Secure Software Characteristics
25
Secure by Design
Secure by Default
Secure by Deployment
©2014 Aclara Technologies LLC
Secure Design Principles
26
Use least privilege
Promote privacy
Reduce attack surface
Use defense in depth
Don't trust user input
Fail securely
Use secure defaults
©2014 Aclara Technologies LLC
Finding, Fixing and Preventing
Vulnerabilities
27
Secure at the Source
• Information Security
Standards
• Secure Coding Standards
• Secure Development
Process
• Security Training
Find and Fix
©2014 Aclara Technologies LLC
Aclara Cyber Security Practices
28
•
Cyber Security
– Security Design and Code Reviews as part of SDLC
– Access Control Policies
– Security Awareness Training and Education
– Personnel Security with Background Checks
– Security Model based on NIST 800-53 Standards
•
SSAE 16 (replaced SAS 70)
– SSAE 16 (SOC 2) compliance
– Annual review by third party auditors
•
Third Party Application\Network Security Reviews
– Microsoft code review
©2014 Aclara Technologies LLC
Bob DiBella
Director of Product Management
Aclara Technologies RDibella@aclara.com
Srinivasalu Ambati
Application Architect, Consumer Engagement Aclara Technologies sambati@aclara.comLinks and Resources:
• SGCC’s Data Privacy and Smart Meters Fact Sheet - http://smartgridcc.org/research/sgcc-research/sgccs-data-privacy-and-smart-meters-fact-sheet
• Aclara Technologies homepage - www.aclaratech.com/