SGSB Webcast 4: Smart Grid Security Standards in Mid 2010


A business-level review of current security standards for the energy and utility school, a look around the corner at what's coming next from the standards bodies, and a discussion of the burdens this amount of change and uncertainty is placing on executives and security professionals in the electric utilities.

  1. Smart Grid Security Standards & Compliance: Mid 2010 Update. Andy Bochman, Editor, The Smart Grid Security Blog (SGSB). August 2010 Webcast Series, Volume 4
  2. Overview
     • What needs regulating
     • Non-standard standards process
     • Asking the impossible of utilities
     • What’s facing utilities security leaders
     • Legislation of note: GRID Act
     • NIST and NERC updates
     • What’s next in series
  3. What needs regulation
     • Anything in the grid system we can’t count on being secured for purely financial reasons
     • … Which for the grid and Smart Grid, includes, across all power regimes from generation through consumption:
       ◦ Control Systems (e.g. generation, transmission, distribution, consumption)
       ◦ Networks
       ◦ IT Systems
       ◦ Edge components (e.g. Smart Meters, Electric Vehicles, edge storage)
     • What is currently regulated: bulk electric power system (generation and transmission above 300 MWs) identified as “critical” by utilities themselves
     • But the grid is a highly interconnected, interdependent
     FERC/NERC Sidebar
     • NERC – the watchdog group with the responsibility to develop and authority to enforce industry reliability standards.
     • FERC – the regulatory body that governs interstate transmission of electricity, natural gas, and oil.
  4. Highly non-standard Standards process
     • Standards developments should be slow and boring, but that’s not the case with Smart Grid security standards … not in the least:
       ◦ NIST accelerated standards development
       ◦ NERC’s deferment to industry for (not) toughening the CIPS more or faster
       ◦ SGIG process weighted security as important but used ambiguous metrics
     • Question for you: all matters of economic and national security aside:
       ◦ If we paid you for every critical system in your inventory, how many would you find?
       ◦ If we required you to demonstrate compliance on every critical system in your inventory, how many would you find?
  5. IMHO: Asking the impossible of utilities
     • First, note that there’s often no C-level voice for security
       ◦ Hadn’t been needed in the past
     • Security not a priority for rate relief
       ◦ What’s the ROI for customers … none, right?
       ◦ But money can’t be used as an excuse for lack of NERC CIP compliance
     • Constantly changing regulatory landscape … moving targets
       ◦ Congress and FERC want more/tougher cyber security standards implemented faster (see GRID Act)
       ◦ NERC committees want to go slower
  6. So say you’re a utility security lead
     • Here’s what you face mid 2010:
       ◦ Deploying new technology that’s never been widely fielded (especially SGIG winners)
       ◦ Costly compliance reporting tasks that threaten to get much worse
       ◦ Just getting up to speed with compliance re: NERC CIPs 002-009 versions 1 & 2 and bracing for more waves of change (3 & 4 are coming, that’s for sure)
       ◦ Congress stirring things up with a GRID Act whose requirements cannot be met
       ◦ With business models in flux and looming disintermediation
       ◦ With aging equipment and work force. Can automation help? Enough?
       ◦ While maintaining 99.99% reliability as per usual
  7. Legislation of note: the GRID Act - HR 5026
     • The Grid Reliability and Infrastructure Defense (GRID) Act. Passed by House in June 2010, hasn’t reached Senate but will soon
     • Will begin to add distribution systems to the mix
     • Allows FERC to bypass the NERC standards setting process of Section 215 of the Federal Power Act (2003 update) and issue orders directly concerning:
       ◦ Vulnerabilities not addressed by current NERC CIP standards, which remain in effect until FERC approves a NERC standard which covers the vulnerability; and
       ◦ Imminent cyber threats as determined by the President. FERC jurisdictional authority is extended to energy distribution facilities serving the Presidentially-designated top 100 defense facilities in all fifty United States and its territories.
       ◦ FERC is also directed to address mitigation measures for geomagnetic events (including solar flares and non-nuclear EMPs)
     BTW: No one can comply with this!
  8. NIST Update
     • Smart Grid Interoperability Mandate
       ◦ Under the Energy Independence and Security Act (EISA) of 2007, the National Institute of Standards and Technology (NIST) has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems…"
     • Personnel changes
       ◦ Former CSWG lead Annabelle Lee heading to FERC reliability team
       ◦ NIST security veteran Maryann Swanson now taking the NISTIR CSWG helm
     • NISTIR 7628 update
       ◦ NISTIR 7628 v1.0 is just about finalized following two rounds of drafts and comments
       ◦ The final version of NISTIR 7628 will address all the comments submitted to date and will include updated chapters of the document
       ◦ The new content will contain a security architecture and a section on cryptography and key management
       ◦ Question: to what use is all this good work put?
  9. NERC Update
     • More change coming to CIPS
       ◦ Version 3 goes live 1 October 2010 (small changes to v. 2)
       ◦ Version 4 (CIP 002-4) posted for comment through 7 September 2010 and goes live 1 July 2011 (big changes)
       ◦ Version 5 rumor: folding in 7628
     • Storm clouds gathering
       ◦ Ummm … look at this
       ◦ In short, NERC’s position as security policy setter and enforcer for the BES may not hold
       ◦ Related, no doubt, to Grid Act
     • Take away from Smart Grid Cyber Security Summit
       ◦ Utils say NERC CIPS have made them more secure than they would be w/o them
  10. NIST-referenced standards
     • NIST’s own list of Smart Grid-relevant security standards
       ◦ NERC CIP 002, 003-009
       ◦ IEEE 1686-2007, IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
       ◦ Security Profile for Advanced Metering Infrastructure, v 1.0, Advanced Security Acceleration Project – Smart Grid, December 10, 2009
       ◦ UtilityAMI Home Area Network System Requirements Specification, 2008
       ◦ IEC 62351 1-8, Power System Control and Associated Communications – Data and Communication Security
     • NIST list of control systems standards
       ◦ ANSI/ISA-99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology and Part 2: Establishing a Manufacturing and Control Systems Security Program
       ◦ NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems, August 2009
       ◦ NIST SP 800-82, DRAFT Guide to Industrial Control Systems (ICS) Security, Sept. 2008
       ◦ Cyber Security Procurement Language for Control Systems, Version 1.8, Department of Homeland Security, National Cyber Security Division, February 2008
       ◦ Catalog of Control Systems Security: Recommendations for Standards Developers, Department of Homeland Security, 2009
       ◦ ISA SP100, Wireless Standards
  11. What’s next in the SGSB series
     • September
       ◦ Securing the Soft Grid – ensuring adequate security for the key applications and other software from which the Smart Grid is being constructed
     • October
       ◦ Securing AMI Systems – looking at current and future security issues for Smart Meters and the old and new infrastructure that supports them
     • November
       ◦ Smart Grid Security and Privacy from the Customers’ Point of View – putting ourselves in the customers’ shoes on these issues
     • December
       ◦ Understanding and Empowering a Smart Grid CSO – these guys have a heck of a lot on their plates and we’re all counting on them doing well. Here’s how you can help.
     • Already covered:
       ◦ Intro to SG Sec
       ◦ SG Data Sec
       ◦ SG IT Security
  12. Lastly: new look for SGSB. Your reward for making it this far
  13. Thanks! Andy Bochman [email_address] The Smart Grid Security Blog