May 19 - 21, 2022
hosted by Minnesota State University
Mankato, MN, USA


2022 IEEE INTERNATIONAL CONFERENCE on
ELECTRO/INFORMATION TECHNOLOGY


Sponsors

Electrical Materials Company

Workshops

TBA


Mariana Hentea



 
Mariana Hentea earned her PhD and MS in Computer Science, MS in Computer Engineering, and BS in Electrical Engineering. She holds a CISSP certification from ISC2. Her current research is focused on Smart Grid and DER systems, real-time systems security and performance, network security design and architecture, and the use of Artificial Intelligence techniques for information security management, security risk management, network management, and process control. As a member of the IEEE Standards Association, she promotes security and privacy awareness to engineers, managers, regulators, and consumers. She is a member of the IEEE Smart Grid, IEEE Power & Energy Society, IEEE Computer Society, ISC2, and ISSA organizations. Her book "Building an Effective Security Program for Distributed Energy Resources and Systems: Understanding Security for Smart Grid and Distributed Energy Resources and Systems" was published by Wiley in April 2021.

Assessing Security Posture Using Security Metrics
 
Several reports describe the challenges of security metrics in the US electricity sector. A comprehensive list includes issues such as:
  • Many organizations have a limited ability to measure and assess their cybersecurity posture
  • Organizations lack consistent metrics or reliable tools for measuring their risks and vulnerabilities; threats, when known, are often difficult to demonstrate and quantify in terms that are meaningful for decision makers
  • Control systems are becoming increasingly interconnected and often operate on open software platforms with known vulnerabilities and risks
  • Poorly designed connections between control systems and enterprise networks introduce further security risks.
 
Since the energy sector is facing increasing threats and protection of the power grid against cyber attacks is critical, there is a need for effective security metrics, modeling, and assessment tools that help organizations assess their security posture and plan improvements to reduce risk.
 
Organizations recognize the need to develop cybersecurity metrics for the US energy sector and power grid, and DOE has been addressing these issues by promoting recommendations to implement the NIST Cybersecurity Framework and other standards.
 
There is a need to develop strong and consistent metrics, testing guidelines, and certification processes to create measurable successes for control system security. Clear and consistent metrics are needed for both business and control systems, and mandatory baseline security requirements should be established. In the long term, organizations need to develop systems that automate cybersecurity state monitoring and remediation, similar to the way in which the electricity sector currently automates and manages energy delivery operations.
 
Information security metrics are an important factor in making sound decisions about various aspects of security, ranging from the design of security architectures and controls to the effectiveness and efficiency of security operations.
 
This tutorial addresses different categories of security metrics and areas of use that could help organizations establish, assess, and maintain secure systems. The tutorial also identifies one important area - the collection of security measurements, including challenges such as the confidence and uncertainty of the derived metrics needed to analyze the security posture of an organization or of a system implementation and its operational environment.
 
Security events are difficult to measure in practice because of their inherent uncertainty. This uncertainty has multiple sources. First, unknown attack behaviors are hard for a defender to predict accurately. Second, uncertainty is often caused by estimation errors: observed evidence does not necessarily reflect the actual system state, because observation of the security state is imperfect due to detection errors or inherent noise.
 
Therefore, measurable security involves many areas and at minimum includes software assurance, application security, asset management, supply chain risk management, cyber intelligence threat analysis, cyber threat information sharing, vulnerability management, patch management, configuration management, malware protection, intrusion detection, system assessment, incident coordination, enterprise reporting, and remediation.
 
Security metrics can be an effective tool for security management to identify the effectiveness of various components of the security program, system, product, or process, and the ability of the security team within an organization to address the security issues for which it is responsible.
 
Effectiveness/Efficiency metrics are very important because they are used to determine whether program-level processes and system-level security controls have been implemented correctly, operate as intended, and achieve their expected outcomes. Effectiveness/Efficiency metrics reflect two aspects of the results of security control implementation: the robustness of the result itself and its impact in defending an asset (i.e., its effectiveness), and the timeliness of the result (i.e., its efficiency).