Smart Grid Security Standards & Compliance: Mid 2010 Update
Andy Bochman, Editor, The Smart Grid Security Blog (SGSB)
August 2010 Webcast Series, Volume 4
 
Overview
- What needs regulating
- Non-standard standards process
- Asking the impossible of utilities
- What’s facing utilities security leaders
- Legislation of note: GRID Act
- NIST and NERC updates
- What’s next in series
What needs regulation
- Anything in the grid system we can’t count on being secured for purely financial reasons … which, for the grid and Smart Grid, includes, across all power regimes from generation through consumption:
  - Control systems (e.g. generation, transmission, distribution, consumption)
  - Networks
  - IT systems
  - Edge components (e.g. Smart Meters, electric vehicles, edge storage)
- What is currently regulated: the bulk electric power system (generation and transmission above 300 MW) identified as “critical” by utilities themselves
- But the grid is a highly interconnected, interdependent

FERC/NERC sidebar
- NERC – the watchdog group with the responsibility to develop and the authority to enforce industry reliability standards (www.nerc.com)
- FERC – the regulatory body that governs interstate transmission of electricity, natural gas, and oil (www.ferc.gov)
Highly non-standard standards process
- Standards development should be slow and boring, but that’s not the case with Smart Grid security standards … not in the least:
  - NIST accelerated standards development
  - NERC’s deferment to industry for (not) toughening the CIPs more or faster
  - The SGIG process weighted security as important but used ambiguous metrics
- Question for you, all matters of economic and national security aside:
  - If we paid you for every critical system in your inventory, how many would you find?
  - If we required you to demonstrate compliance on every critical system in your inventory, how many would you find?
IMHO: Asking the impossible of utilities
- First, note that there’s often no C-level voice for security
  - Hadn’t been needed in the past
  - Security not a priority for rate relief
  - What’s the ROI for customers … none, right?
- But money can’t be used as an excuse for lack of NERC CIP compliance
- Constantly changing regulatory landscape … moving targets
  - Congress and FERC want more/tougher cyber security standards implemented faster (see GRID Act)
  - NERC committees want to go slower
So say you’re a utility security lead. Here’s what you face mid 2010:
- Deploying new technology that’s never been widely fielded (especially SGIG winners)
- Costly compliance reporting tasks that threaten to get much worse
- Just getting up to speed with compliance re: NERC CIPs 002-009 versions 1 & 2, and bracing for more waves of change (3 & 4 are coming, that’s for sure)
- Congress stirring things up with a GRID Act whose requirements cannot be met
- With business models in flux and looming disintermediation
- With aging equipment and work force. Can automation help? Enough?
- While maintaining 99.99% reliability as per usual
Legislation of note: the GRID Act - HR 5026
- The Grid Reliability and Infrastructure Defense (GRID) Act. Passed by the House in June 2010; hasn’t reached the Senate but will soon
- Will begin to add distribution systems to the mix
- Allows FERC to bypass the NERC standards-setting process of Section 215 of the Federal Power Act (2003 update) and issue orders directly concerning:
  - Vulnerabilities not addressed by current NERC CIP standards, which remain in effect until FERC approves a NERC standard which covers the vulnerability; and
  - Imminent cyber threats as determined by the President.
- FERC jurisdictional authority is extended to energy distribution facilities serving the Presidentially designated top 100 defense facilities in all fifty United States and its territories.
- FERC is also directed to address mitigation measures for geomagnetic events (including solar flares and non-nuclear EMPs)
- BTW: No one can comply with this!
NIST Update
- Smart Grid interoperability mandate: under the Energy Independence and Security Act (EISA) of 2007, the National Institute of Standards and Technology (NIST) has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems…"
- Personnel changes
  - Former CSWG lead Annabelle Lee heading to the FERC reliability team
  - NIST security veteran Marianne Swanson now taking the NISTIR CSWG helm
- NISTIR 7628 update
  - NISTIR 7628 v1.0 is just about finalized following two rounds of drafts and comments
  - The final version of NISTIR 7628 will address all the comments submitted to date and will include updated chapters of the document
  - The new content will contain a security architecture and a section on cryptography and key management
- Question: to what use is all this good work put?
NERC Update
- More change coming to the CIPs
  - Version 3 goes live 1 October 2010 (small changes to v. 2)
  - Version 4 (CIP 002-4) posted for comment through 7 September 2010 and goes live 1 July 2011 (big changes)
  - Version 5 rumor: folding in 7628
- Storm clouds gathering. Ummm … look at this
  - In short, NERC’s position as security policy setter and enforcer for the BES may not hold
  - Related, no doubt, to the GRID Act
- Take-away from the Smart Grid Cyber Security Summit: utilities say the NERC CIPs have made them more secure than they would be without them
NIST-referenced standards
- NIST’s own list of Smart Grid-relevant security standards:
  - NERC CIP 002, 003-009
  - IEEE 1686-2007, IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
  - Security Profile for Advanced Metering Infrastructure, v 1.0, Advanced Security Acceleration Project – Smart Grid, December 10, 2009
  - UtilityAMI Home Area Network System Requirements Specification, 2008
  - IEC 62351 1-8, Power System Control and Associated Communications – Data and Communication Security
- NIST list of control systems standards:
  - ANSI/ISA-99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology, and Part 2: Establishing a Manufacturing and Control Systems Security Program
  - NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems, August 2009
  - NIST SP 800-82, DRAFT Guide to Industrial Control Systems (ICS) Security, Sept. 2008
  - Cyber Security Procurement Language for Control Systems, Version 1.8, Department of Homeland Security, National Cyber Security Division, February 2008
  - Catalog of Control Systems Security: Recommendations for Standards Developers, Department of Homeland Security, 2009
  - ISA SP100, Wireless Standards
What’s next in the SGSB series
- September: Securing the Soft Grid – ensuring adequate security for the key applications and other software from which the Smart Grid is being constructed
- October: Securing AMI Systems – looking at current and future security issues for Smart Meters and the old and new infrastructure that supports them
- November: Smart Grid Security and Privacy from the Customers’ Point of View – putting ourselves in the customers’ shoes on these issues
- December: Understanding and Empowering a Smart Grid CSO – these guys have a heck of a lot on their plates and we’re all counting on them doing well. Here’s how you can help.
- Already covered: Intro to SG Sec, SG Data Sec, SG IT Security
Lastly: new look for SGSB Your reward for making it this far
Thanks!
Andy Bochman
[email_address]
The Smart Grid Security Blog
smartgridsecurity.blogspot.com