SGSB Webcast 4: Smart Grid Security Standards in Mid 2010

A business-level review of current security standards for the energy and utility school, a look around the corner at what's coming next from the standards bodies, and a discussion of the burdens this amount of change and uncertainty is placing on executives and security professionals in the electric utilities.

Published in: Business

Smart Grid Security Standards & Compliance: Mid 2010 Update
Andy Bochman, Editor: The Smart Grid Security Blog (SGSB)
August 2010 Webcast Series, Volume 4

Overview
- What needs regulating
- Non-standard standards process
- Asking the impossible of utilities
- What's facing utilities security leaders
- Legislation of note: GRID Act
- NIST and NERC updates
- What's next in series

What needs regulation
- Anything in the grid system we can't count on being secured for purely financial reasons
- ... which, for the grid and Smart Grid, includes, across all power regimes from generation through consumption:
  - Control Systems (e.g. generation, transmission, distribution, consumption)
  - Networks
  - IT Systems
  - Edge components (e.g. Smart Meters, Electric Vehicles, edge storage)
- What is currently regulated: bulk electric power system (generation and transmission above 300 MW) identified as "critical" by utilities themselves
- But the grid is a highly interconnected, interdependent

FERC/NERC Sidebar
NERC – the watchdog group with the responsibility to develop and authority to enforce industry reliability standards (www.nerc.com)
FERC – the regulatory body that governs interstate transmission of electricity, natural gas, and oil (www.ferc.gov)

Highly non-standard Standards process
- Standards developments should be slow and boring, but that's not the case with Smart Grid security standards ... not in the least:
  - NIST accelerated standards development
  - NERC's deferment to industry for (not) toughening the CIPS more or faster
  - SGIG process weighted security as important but used ambiguous metrics
- Question for you: all matters of economic and national security aside:
  - If we paid you for every critical system in your inventory, how many would you find?
  - If we required you to demonstrate compliance on every critical system in your inventory, how many would you find?

IMHO: Asking the impossible of utilities
- First, note that there's often no C-level voice for security
  - Hadn't been needed in the past
- Security not a priority for rate relief
  - What's the ROI for customers ... none, right?
  - But money can't be used as an excuse for lack of NERC CIP compliance
- Constantly changing regulatory landscape ... moving targets
  - Congress and FERC want more/tougher cyber security standards implemented faster (see GRID Act)
  - NERC committees want to go slower

So say you're a utility security lead
- Here's what you face mid 2010:
  - Deploying new technology that's never been widely fielded (especially SGIG winners)
  - Costly compliance reporting tasks that threaten to get much worse
  - Just getting up to speed with compliance re: NERC CIPs 002-009 versions 1 & 2 and bracing for more waves of change (3 & 4 are coming, that's for sure)
  - Congress stirring things up with a GRID Act whose requirements cannot be met
  - Business models in flux and looming disintermediation
  - Aging equipment and work force. Can automation help? Enough?
  - While maintaining 99.99% reliability as per usual

Legislation of note: the GRID Act - HR 5026
- The Grid Reliability and Infrastructure Defense (GRID) Act. Passed by House in June 2010, hasn't reached Senate but will soon
- Will begin to add distribution systems to the mix
- Allows FERC to bypass the NERC standards-setting process of Section 215 of the Federal Power Act (2003 update) and issue orders directly concerning:
  - Vulnerabilities not addressed by current NERC CIP standards, which remain in effect until FERC approves a NERC standard which covers the vulnerability; and
  - Imminent cyber threats as determined by the President. FERC jurisdictional authority is extended to energy distribution facilities serving the Presidentially-designated top 100 defense facilities in all fifty United States and its territories.
  - FERC is also directed to address mitigation measures for geomagnetic events (including solar flares and non-nuclear EMPs)
BTW: No one can comply with this!

NIST Update
- Smart Grid Interoperability Mandate
  - Under the Energy Independence and Security Act (EISA) of 2007, the National Institute of Standards and Technology (NIST) has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems..."
- Personnel changes
  - Former CSWG lead Annabelle Lee heading to FERC reliability team
  - NIST security veteran Maryann Swanson now taking the NISTIR CSWG helm
- NISTIR 7628 update
  - NISTIR 7628 v1.0 is just about finalized following two rounds of drafts and comments
  - The final version of NISTIR 7628 will address all the comments submitted to date and will include updated chapters of the document
  - The new content will contain a security architecture and a section on cryptography and key management
  - Question: to what use is all this good work put?

NERC Update
- More change coming to CIPS
  - Version 3 goes live 1 October 2010 (small changes to v. 2)
  - Version 4 (CIP 002-4) posted for comment through 7 September 2010 and goes live 1 July 2011 (big changes)
  - Version 5 rumor: folding in 7628
- Storm clouds gathering
  - Ummm ... look at this
  - In short, NERC's position as security policy setter and enforcer for the BES may not hold
  - Related, no doubt, to GRID Act
- Take away from Smart Grid Cyber Security Summit
  - Utils say NERC CIPS have made them more secure than they would be w/o them

NIST-referenced standards
- NIST's own list of Smart Grid-relevant security standards
  - NERC CIP 002, 003-009
  - IEEE 1686-2007, IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
  - Security Profile for Advanced Metering Infrastructure, v 1.0, Advanced Security Acceleration Project – Smart Grid, December 10, 2009
  - UtilityAMI Home Area Network System Requirements Specification, 2008
  - IEC 62351 1-8, Power System Control and Associated Communications – Data and Communication Security
- NIST list of control systems standards
  - ANSI/ISA-99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology and Part 2: Establishing a Manufacturing and Control Systems Security Program
  - NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems, August 2009
  - NIST SP 800-82, DRAFT Guide to Industrial Control Systems (ICS) Security, Sept. 2008
  - Cyber Security Procurement Language for Control Systems, Version 1.8, Department of Homeland Security, National Cyber Security Division, February 2008
  - Catalog of Control Systems Security: Recommendations for Standards Developers, Department of Homeland Security, 2009
  - ISA SP100, Wireless Standards

What's next in the SGSB series
- September
  - Securing the Soft Grid – ensuring adequate security for the key applications and other software from which the Smart Grid is being constructed
- October
  - Securing AMI Systems – looking at current and future security issues for Smart Meters and the old and new infrastructure that supports them
- November
  - Smart Grid Security and Privacy from the Customers' Point of View – putting ourselves in the customers' shoes on these issues
- December
  - Understanding and Empowering a Smart Grid CSO – these guys have a heck of a lot on their plates and we're all counting on them doing well. Here's how you can help.
- Already covered:
  - Intro to SG Sec
  - SG Data Sec
  - SG IT Security

Lastly: new look for SGSB
Your reward for making it this far

Thanks!
Andy Bochman [email_address]
The Smart Grid Security Blog
smartgridsecurity.blogspot.com