
SGSB Webcast 4: Smart Grid Security Standards in Mid 2010


DESCRIPTION

A business-level review of current security standards for the energy and utility sector, a look around the corner at what's coming next from the standards bodies, and a discussion of the burdens this amount of change and uncertainty is placing on executives and security professionals in the electric utilities.


Page 1: SGSB Webcast 4: Smart Grid Security Standards in Mid 2010

August 2010

Smart Grid Security

Standards & Compliance

Mid 2010 Update

Andy Bochman, Editor: The Smart Grid Security Blog (SGSB)

Webcast Series Volume 4


A. Bochman 2010


Overview

What needs regulating

Non-standard standards process

Asking the impossible of utilities

What’s facing utilities security leaders

Legislation of note: GRID Act

NIST and NERC updates

What’s next in series


What needs regulation

Anything in the grid system we can’t count on being secured for purely financial reasons

… Which for the grid and Smart Grid, includes, across all power regimes from generation through consumption:

– Control Systems (e.g. generation, transmission, distribution, consumption)

– Networks

– IT Systems

– Edge components (e.g. Smart Meters, Electric Vehicles, edge storage)

What is currently regulated: the bulk electric power system (generation and transmission above 300 MW), and within it only the assets the utilities themselves identify as “critical” (CIP-002’s risk-based assessment leaves that determination to each registered entity)

But the grid is a highly interconnected, interdependent

FERC/NERC Sidebar

NERC – the North American Electric Reliability Corporation: the watchdog group with the responsibility to develop, and the authority to enforce, industry reliability standards. Its standards become mandatory only once FERC approves them under Section 215 of the Federal Power Act. (www.nerc.com)

FERC – the Federal Energy Regulatory Commission: the regulatory body that governs interstate transmission of electricity, natural gas, and oil. (www.ferc.gov)


Highly non-standard Standards process

Standards development should be slow and boring, but that’s not the case with Smart Grid security standards … not in the least:

– NIST’s accelerated standards development

– NERC’s deference to industry on (not) toughening the CIP standards further or faster

– The SGIG (DOE Smart Grid Investment Grant) process weighted security as important but used ambiguous metrics

Question for you, all matters of economic and national security aside:

– If we paid you for every critical system in your inventory, how many would you find?

– If we required you to demonstrate compliance on every critical system in your inventory, how many would you find?


IMHO: Asking the impossible of utilities

First, note that there’s often no C-level voice for security

– Hadn’t been needed in the past

Security not a priority for rate relief

– What’s the ROI for customers … none, right?

– But money can’t be used as an excuse for lack of NERC CIP compliance

Constantly changing regulatory landscape … moving targets

– Congress and FERC want more/tougher cyber security standards implemented faster (see GRID Act)

– NERC committees want to go slower


So say you’re a utility security lead

Here’s what you face mid 2010:

– Deploying new technology that’s never been widely fielded (especially SGIG winners)

– Costly compliance reporting tasks that threaten to get much worse

– Just getting up to speed with compliance re: NERC CIP-002 through CIP-009, versions 1 & 2, and bracing for more waves of change (versions 3 & 4 are coming, that’s for sure)

– Congress stirring things up with a GRID Act whose requirements cannot be met

– With business models in flux and looming disintermediation

– With aging equipment and work force. Can automation help? Enough?

– While maintaining 99.99% reliability as per usual


Legislation of note: the GRID Act - HR 5026

The Grid Reliability and Infrastructure Defense (GRID) Act. Passed by the House in June 2010; hasn’t reached the Senate yet but will soon

Will begin to add distribution systems to the mix

Allows FERC to bypass the NERC standards-setting process of Section 215 of the Federal Power Act (added by the 2005 Energy Policy Act) and issue orders directly concerning:

1. Vulnerabilities not addressed by current NERC CIP standards; such an order remains in effect until FERC approves a NERC standard that covers the vulnerability; and

2. Imminent cyber threats as determined by the President. FERC’s jurisdictional authority is extended to energy distribution facilities serving the Presidentially designated top 100 defense facilities in all fifty United States and its territories.

3. FERC is also directed to address mitigation measures for geomagnetic events (including solar flares and non-nuclear EMPs)

BTW: No one can comply with this!


NIST Update

Smart Grid Interoperability Mandate

– Under the Energy Independence and Security Act (EISA) of 2007, the National Institute of Standards and Technology (NIST) has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems…"

Personnel changes

– Former CSWG (SGIP Cyber Security Working Group) lead Annabelle Lee heading to the FERC reliability team

– NIST security veteran Marianne Swanson now taking the helm of the CSWG, the group that produces NISTIR 7628

NISTIR 7628 update

– NISTIR 7628 v1.0 is just about finalized following two rounds of drafts and comments

– The final version of NISTIR 7628 will address all the comments submitted to date and will include updated chapters of the document

– The new content will contain a security architecture and a section on cryptography and key management

– Question: to what use is all this good work put?


NERC Update

More change coming to the CIP standards

– Version 3 goes live 1 October 2010 (small changes relative to v2)

– Version 4 (CIP-002-4) posted for comment through 7 September 2010 and goes live 1 July 2011 (big changes: bright-line criteria replace the entity’s own risk-based assessment for identifying critical assets)

– Version 5 rumor: folding in 7628

Storm clouds gathering

– Ummm … look at this

– In short, NERC’s position as security policy setter and enforcer for the BES may not hold

– Related, no doubt, to the GRID Act

Takeaway from the Smart Grid Cyber Security Summit

– Utilities say the NERC CIP standards have made them more secure than they would be without them


NIST-referenced standards

NIST’s own list of Smart Grid-relevant security standards

– NERC CIP-002 through CIP-009

– IEEE 1686-2007, IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities

– Security Profile for Advanced Metering Infrastructure, v 1.0, Advanced Security Acceleration Project – Smart Grid, December 10, 2009

– UtilityAMI Home Area Network System Requirements Specification, 2008

– IEC 62351 Parts 1-8, Power System Control and Associated Communications – Data and Communication Security

NIST list of control systems standards

– ANSI/ISA-99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology and Part 2: Establishing a Manufacturing and Control Systems Security Program

– NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems, August 2009

– NIST SP 800-82, DRAFT Guide to Industrial Control Systems (ICS) Security, Sept. 2008

– Cyber Security Procurement Language for Control Systems, Version 1.8, Department of Homeland Security, National Cyber Security Division, February 2008

– Catalog of Control Systems Security: Recommendations for Standards Developers, Department of Homeland Security, 2009

– ISA SP100, Wireless Standards


What’s next in the SGSB series

September – Securing the Soft Grid – ensuring adequate security for the key applications and other software from which the Smart Grid is being constructed

October – Securing AMI Systems – looking at current and future security issues for Smart Meters and the old and new infrastructure that supports them

November – Smart Grid Security and Privacy from the Customers’ Point of View – putting ourselves in the customers’ shoes on these issues

December – Understanding and Empowering a Smart Grid CSO – these guys have a heck of a lot on their plates and we’re all counting on them doing well. Here’s how you can help.

Already covered:

•Intro to SG Sec

•SG Data Sec

•SG IT Security


Lastly: new look for SGSB

Your reward for making it this far


Thanks!

Andy Bochman

The Smart Grid Security Blog: smartgridsecurity.blogspot.com