Security of the Electric Grid: It's more than just NERC CIP

The availability of spectrum for utility communications networks, heightened consumer protection and privacy concerns, cloud computing and its application to the smart grid, supply chain security – these are just some of the policy and regulatory issues that could have a significant impact on utilities as they integrate millions of data points for more efficient control of the modernized grid. Attention has been focused on compliance with NERC-CIP mandates and passing audits, but what is their place in the broader security picture? Will other policy developments change the landscape of grid security?

Presentation Transcript

  • Security of the Electric Grid: It's more than just NERC-CIP
    Prudence Parks, Director of Government Affairs and Legislative Counsel, Utilities Telecom Council
    EnergySec Summit, Portland, Oregon, September 26, 2012
    © 2012 Utilities Telecom Council
  • What's on the Security List Besides NERC-CIP
    • Spectrum for Communications
    • Standards Development
    • Security of Cloud Computing
    • Privacy & Civil Liberties
    • Supply Chain
    • Jurisdictional Authority Changes
  • Spectrum: It's in Short Supply
    • Utilities and other CI rely on private internal communications networks to support core services, including electric, gas & water
    • Utilities have NO spectrum dedicated to their exclusive use
    • Data generated by SG needs bigger pipes
    • Diversity of terrain/remote coverage makes lower bands preferable, but those bands are also eyed by commercial service providers
    • Utilities are auction exempt, BUT auction revenue is attractive to Congress
  • Spectrum: The Challenges
    • Federal spectrum: PCAST Report
      – Commercial wireless competing for access to spectrum
      – Federal incumbents reluctant to share or relocate
    • Public safety spectrum
      – Sharing 700 MHz requires negotiation and may take considerable time before the PSBN is available
      – 4.9 GHz spectrum is subject to loose coordination rules; pushback from public safety
    • Outsourcing to Commercial Service Providers
      – Meet CI requirements?
      – Non-mission critical functions
      – Mission critical: Loss of control; compliance with NERC/CIP
  • Standards: National v. International
    • Four different efforts in 3 bodies most prominent in the space
    • IEC 62443-2-1 – Industrial communication networks - Network and system security - Part 2-1 (http://webstore.iec.ch/webstore/webstore.nsf/Artnum_PK/44613)
    • IEEE 2030-2011 - IEEE Guide for Smart Grid Interoperability of Energy Technology and Information Technology Operation with the Electric Power System (EPS), End-Use Applications, and Loads, 2011 (http://standards.ieee.org/findstds/standard/2030-2011.html)
    • IEEE P2030.4 Draft Guide for Control and Automation Installations Applied to the Electric Power Infrastructure (under development) (http://standards.ieee.org/develop/project/2030.4.html)
    • ISO/IEC JTC1 SC27 Study Period on Smart Grid Environments (in progress)
    • NIST authorized to develop SG standards in the US, so trumps international standards
    • But ISO & IEC standards recognized by WTO, can be integrated into trade agreements
  • Cloud Computing & SG – Is it Secure?
    • NIST Publication 800-146 by the Computer Security Division of the Information Technology Laboratory (http://www.thecre.com/fisma/wp-content/uploads/2012/05/sp800-146.pdf)
    • Security issues of communications links between user and cloud
    • SGIP considering whether a security standard for cloud computing as it pertains to SG should be developed
    • Issues to be addressed:
      – What are the properties of the SG that could be unique to cloud computing?
      – Are there issues that prevent cloud computing for SG applications, such as latency?
      – Are other cybersecurity groups looking at SG cloud computing?
      – Can a shared cloud be created for the utility industry with hardened security?
  • Privacy and Civil Liberties
    • NIST SGIP forming privacy subgroup for next version of NISTIR 7628
    • Over 200 bills in Congress dealing with privacy
    • Inability to arrive at compromise on cybersecurity bill is not just about whether it should include CI protections, but about how to protect privacy and civil liberties of consumers
    • Issues:
      – What can utilities do with smart meter data
      – Protection of information shared with exchanges and the Government
      – Length of time that the data can be kept
      – What type of information can be collected
      – Notification requirements if security breaches occur
  • Security of the Supply Chain
    • Definition: Information and Communication Technology (ICT) products are assembled, built, and transported by multiple vendors around the world before they are acquired, without the knowledge of the acquirer
    • Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity and operations
    • Much publicized incidents (counterfeit hardware sold to government agencies)
    • Organizations acquiring hardware, software, and services are not able to fully understand and appropriately manage the security risks associated with the use of these products and services
    • Challenges range from poor acquirer practices to lack of transparency into the supply chain
  • This is how the Department of Defense Depicts This Challenge
    [Graphic not included in transcript: "Scope of Supplier Expansion and Foreign Involvement", from the DACS (www.softwaretechnews.com) Secure Software Engineering, July 2005 article "Software Development Security: A Risk Management Perspective", a synopsis of the May 2004 GAO-04-678 report "Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks"]
  • Who will be in Charge?
    • Legislation puts DHS in charge of National Cybersecurity Council: voluntary or mandatory standards for CI protection?
    • DOE: Guides for ARRA recipients; NARUC: Regulators guide
    • Executive Order:
      – DHS in charge but cannot expand on existing authority
      – Senator Lieberman to WH: "I urge you to explore any means at your disposal that would encourage regulators to make mandatory the standards developed by the Department of Homeland Security pursuant to your executive order so we can guarantee that our most critical infrastructure will be defended against attacks from our adversaries."
    • FERC establishes Office of Energy Infrastructure Security
      – To focus on potential cyber and physical security risks to energy facilities under its jurisdiction, including EMP
  • Conclusions
    • Spectrum is key to Smart Grid: lack of spectrum capacity causes patchwork systems, push to use commercial systems outside utility control
    • Standards for the SG are still being developed to include security issues
    • SG means terabytes of data and may increase use of cloud computing, with additional security issues
    • SG means Energy Management using consumer data and added privacy protection and data security
    • SG means applications manufactured without transparency of supplier security
    • Jurisdiction over mandatory cybersecurity standards may reside in multiple agencies and departments with multiple audits
  • Thank you! For more information, contact: Prudence Parks, prudence.parks@utc.org, 202-833-6806