Emerging technologies: Is this your company's biggest challenge?

CSO Movers & Shakers: An interview with Ian Appleby - Endeavour Energy

If the number of devices talking to your network was about to increase from 50 to 850,000, you might be a little daunted. One person facing precisely this nightmare is Ian Appleby, corporate IT security manager for NSW energy distributor, Endeavour Energy. He sums up his greatest challenge in three words: New emerging technologies.

“From a pure IT perspective, there are tablets, smart devices and PDAs. Then on the energy side of the network there’s smart grid devices, wireless-enabled reclosers on top of power poles, mesh radio connected smart meters. It’s the speed of some of these technologies that are hitting us,” says Appleby.

The move towards smart grids will bring sweeping changes to security management for energy distributors. Besides the potential for Stuxnet-like malware to target industrial control (SCADA) systems, smart grid operators will be faced with a host of other, perhaps less dramatic but no less important threats. For example, the ‘points of access’ into Endeavour’s network will rise from 50 to 850,000 after it fits households with smart meters and retrofits sub-stations.

“That’s going to pose a greater risk, which means we have to get the security framework around the devices correct before we deploy,” explains Appleby.

Traditionally, Endeavour would physically control access to its premises by way of security tokens. “Now people have easy physical access to our devices in the field because they’re on the side of the house,” says Appleby. Meanwhile, Appleby is facing increasing pressure from corporate network users who demand the enterprise technology meets consumer technology experiences.

“The speed that some of the new technologies are heading now makes it difficult to meet everyone’s expectations and apply due diligence across the security aspects of all the different devices,” says Appleby.

The acceleration has unhinged itself from more methodical corporate processes, employed for control. “Now, people come up and ask us to set up all these new corporate applications that work on an Apple device while they’re sitting in meeting rooms.”

But, asks Appleby, “How do you secure this variety of devices in the first place and do the benefits outweigh the risk?” Endeavour will meet some of those demands via a dual trial of Apple’s iPhone, iPad and Research In Motion’s BlackBerry. Android is yet to be tested, says Appleby.

“So yes, people can have better technologies, but only when we’ve worked out a way to secure them and control their access and control security through a central console.”

Technically adept engineers on the “network side of the business” present an entirely different challenge. Appleby’s expertise in corporate IT network security may lend itself to design considerations for the security of the smart grid, but it hasn’t always meant a free seat at the table.

“I have to work strongly and do some convincing to implement security on the engineering side of the business.” But he adds that “they [network engineers]have been doing a good job here.”

He insists the same principles behind corporate network security still apply in the engineering environment and should be considered prior to Endeavour’s smart grid deployment.

“We’re looking at segregated data paths, defence in depth. For example, in the smart meter, you’re looking at protecting the meter, the in-home device, the various communications channels and uses, then your backhaul cables and points of presence, right back in with both active and passive measures,” he explains.

“You go back to the very basics of IT security and the ability to switch out the network and time based security. Time of detection, time of lock down and response determines the amount of damage that can be done to your network.”

Adding value to the business: Seeing and hearing.An oft-forgotten element of a successful security strategy is communications. If the executive level is unable to understand the value of security in business terms, how can it determine where and how to take action?

Endeavour Energy has achieved positive results by moving away from incident-led security management towards a risk management or “business approach”,according to Appleby.

“It’s about delivering a reliable network. One of the key aspects in security is availability, and if you’re experiencing a security incident across your network — a virus — it’s affecting your availability,” he says.

Endeavour has also implemented a reporting structure designed to mitigate potential conflicts of interest between security responsibilities and business system deployments.

“You still need IT security doing hands on work within the IT department, but from a governance perspective security management should have a more direct reporting structure that does not report to the part of the business responsible for deploying all the IT systems,” says Appleby.

As I always say, in God we trust, in all else we audit.And I live by that,says Appleby

Endeavour is now aiming to streamline audits, which are critical to ensure a quality reporting function.

“We’re trying to automate a lot of the auditing and reporting systems,” says Appleby. “So you can detect a variety of activity that by itself wouldn’t look out of place, but when taken into context with other access levels and access to the other systems, would show as anomalous traffic.”

That technology may prove useful when the organisation faces change.

Follow CSO Australia on Twitter: @CSO_Australia

Join the CSO newsletter!

Error: Please check your email address.

Tags security tokensrisk managementiPhonetabletssmart-gridsHandhelds / PDAsiPadauditsaccess controlnetwork security

More about BlackBerryetworkMotionResearch In Motion

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by CSO staff

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts