Your SlideShare is downloading. ×
  • Like
SGSB Webcast 2 : Smart grid and data security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

SGSB Webcast 2 : Smart grid and data security

  • 2,012 views
Published

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
2,012
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
44
Comments
1
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. The Smart Grid Security Blog w ebcast Series Volume 2 : Smart Grid & Data Security Jack Danahy Co-Author : The Smart Grid Security Blog Andy Bochman Co-Author : The Smart Grid Security Blog May 2010
  • 2. Jack Andy Security meets Energy
  • 3. Headlines on Data Loss
  • 4. What is the “Data”?
      • Diagnostic Input from meters
      • Identification from devices
        • Cars
        • Homes
        • Systems
      • Control System Commands
        • To system components
        • To consumer systems
      • Metering data
        • Net metering information
        • Usage volume and time of usage
      • State of systems and components
  • 5. What is “Security”?
      • Secure communications
        • Wireless/Wireline
        • Inter-process
      • Secure storage
        • Long-term
        • Short-term
        • Data Destruction
      • Reliable access to data
  • 6.
    • As part of the "compliance monitoring process" for all CIPS
      • 1.4.1  Data Retention - The Responsible  Entity shall keep all documentation and records from the previous full calendar year  unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.
      • CIP 7 - Systems Security Mgt
        • R1. Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-3, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs … database platforms , or other third-party software or firmware.
        • R7.  Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.
        • R7.1.  Prior to the disposal of such assets, the Responsible Entity  shall destroy or erase the data storage media  to prevent unauthorized retrieval of sensitive cyber security or reliability data.
        • R7.2. Prior to redeployment of such assets, the Responsible Entity shall, at a minimum,  erase the data storage media  to prevent unauthorized retrieval of sensitive cyber security or reliability data.
      • * Note the following is always exempted in NERC CIPS:
        • "Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters."
    NERC CIPS & Data
  • 7. Example: Credit Card System Regulation (PCI DSS) http://www.flickr.com/photos/coryschmitz/4592819168/ Section Guidance/Requirement 3.2 Do not store sensitive authentication data (even if encrypted) like CCV 3.3 Mask PAN when displayed 3.4 Render PAN unreadable anywhere it is stored 4.1 Use strong cryptography and security protocols … during transmission over open, public networks 6.3
    • Develop software applications based on industry best practices
      • 6.3.7 Review custom code prior to release to production
    6.5 Develop all web applications based on secure coding guidelines 7.2 Establish a mechanism for systems with multiple users that restricts access 8.5.16 Authenticate all access to any database containing cardholder data 10.2
    • Implement automated audit trails for all system components
      • 10.2.1 All individual user accesses to cardholder data
    10.3
    • Record at least the following audit trail entries
      • 10.3.1 User identification
      • 10.3.2 Type of event
  • 8. What is the Big Deal? Confidentiality Control Integrity Authenticity Availability Utility http://www.flickr.com/photos/egarc2/2432270195/ X Any mishap can doom the infrastructure
  • 9. Welcome to the Parkerian Hexad (That’s a mouthful) Confidentiality Access to data is limited to those intended Control Data is only accessible or changeable by those intended Integrity Data can be relied upon to be accurate and unchanged Authenticity Veracity of data source and provenance can be assured Availability Timely access to data is always ensured Utility Security or insecurity does not inhibit the practical use of data
  • 10. Data Volume will add to the Challenge www.everest-2003.com/route_e.html
    • Smart Grid Data is Expansive
      • More like existing MEGA X Existing Data
      • Many more data elements
      • Much higher frequency
    • Current Data is Limited
      • Simple meter reads
      • Limited diagnostic information
      • Hardline/Physical addressing
  • 11. Do Not Treat Data as a Block DATA is actually Required Beneficial Not Relevant Integrity ? ? ? Privacy ? ? ? Availability ? ? ? Identity ? ? ? Non-Repudiability ? ? ? Timeliness ? ? ?
  • 12. Think about the Logical Cuts on the Data Short-lived Meter Diagnostic Data Power Use Readings Customer Identification Data Meter Location Data
  • 13. Applications Need and Store Different Composites Short-lived Meter Diagnostic Data Power Use Readings Customer Identification Data Meter Location Data Private Long-term Storage Private Mid-term Storage Protected Short-term Storage Bit Bucket What customer owns what meter, and where? How much power, where, this month? Application layer How much power, where, this reading? Is this meter going to fail?
  • 14. A Data Characterization Example http://www.flickr.com/photos/coryschmitz/4592819168/
  • 15. Benefits to Smart Grid Data Security Practices
      • Cost Effectiveness
        • Data loss is expensive
        • Data storage can be expensive
        • Data encryption is vital (but expensive)
        • Segregation maximized efficiency
      • Stronger controls
        • Compartmentalizing data enables compartmentalized access
        • Anomalies are simpler to detect in a well-regulated environment
      • Compliance
        • Regulations exist and are changing, mandating data security
        • Compliance is easier to ensure with a partitioned system
  • 16. Thanks ! The Smart Grid Security Blog smartgridsecurity.blogspot.com