Smart grid in the Critical National Infrastructure Ollie Whitehouse, Technical Director - NCC Group NCC Group Technical Security Consulting NCC Group Risk Management & Governance

Smart grid in the Critical National Infrastructure


Page 1: Smart grid in the Critical National Infrastructure

Smart grid in the Critical National Infrastructure

Ollie Whitehouse, Technical Director - NCC Group

NCC Group Technical Security Consulting

NCC Group Risk Management & Governance

Page 2: Smart grid in the Critical National Infrastructure

Agenda

Managing the interface with government

Regulatory bodies – what are they doing?

Interoperability and standardisation

Managing the security of interconnections

Page 3: Smart grid in the Critical National Infrastructure

Before we begin

-v-

Page 4: Smart grid in the Critical National Infrastructure

Why interface with government?

Get guidance early on

Gain situational awareness

Gain insight from peers

Provide feedback and insight

Ensure ongoing operational preparedness

Page 5: Smart grid in the Critical National Infrastructure

Interfaces with government

Page 6: Smart grid in the Critical National Infrastructure

Managing the interface with government

https://www.cert.gov.uk/

https://www.cert.gov.uk/cisp/

https://www.cpni.gov.uk

SCADA and Control System Information Exchange

Page 7: Smart grid in the Critical National Infrastructure

Managing the interface with government

https://www.cpni.gov.uk/advice/cyber/scada/

primarily developed 2008 - 2011

Page 8: Smart grid in the Critical National Infrastructure

Managing the interface with government

https://www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/Security-Characteristics.aspx

Page 9: Smart grid in the Critical National Infrastructure

Regulatory bodies – what are they doing?

Department of Energy & Climate Change (DECC) sets policy and legislative framework for UK networks.

- including Energy Emergencies Executive Committee (E3C)

OFGEM benefits from UK Regulators Network

- including cyber

Both sit in Smart Grid Forum

https://www.ofgem.gov.uk/press-releases/uk-regulators-launch-new-network-bring-cross-sector-regulation-closer-together

ENA Energy Network Cyber Security Forum (ENCSF)

Page 10: Smart grid in the Critical National Infrastructure

Regulatory bodies – what are they doing?

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/386626/E3C_Annual_Report_2014.pdf

December 2014 report

Page 12: Smart grid in the Critical National Infrastructure

Regulatory bodies – what are they doing?

http://www.parliament.uk/documents/lords-committees/science-technology/Resilienceofelectricityinfrasrtucture/Resilienceofelectricityinfrastructureevidence.pdf

Over 600 pages and cyber mentioned 68 times

Page 14: Smart grid in the Critical National Infrastructure

Interoperability and standardization

CEN = European Committee for Standardization

CENELEC = European Committee for Electrotechnical Standardization

ETSI = European Telecommunications Standards Institute

http://www.smartgrids.eu/CEN-CENELEC-ETSI

Page 15: Smart grid in the Critical National Infrastructure

Interoperability and standardization

http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf

over 90 pages

Page 16: Smart grid in the Critical National Infrastructure

Interoperability and standardization

http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf

Page 17: Smart grid in the Critical National Infrastructure

Interoperability and standardization

http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf

Page 18: Smart grid in the Critical National Infrastructure

Interoperability and standardization

http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf

Page 19: Smart grid in the Critical National Infrastructure

Interoperability and standardization

http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf

Page 20: Smart grid in the Critical National Infrastructure

Managing the Security of Interconnections

Prevent: design, build, test, sustain

Detect: changes in posture and active attacks

Respond: monitor and/or mitigate

Page 21: Smart grid in the Critical National Infrastructure

Managing the Security of Interconnections

http://www.amazon.co.uk/Software-Security-Austerity-security-development-ebook/dp/B007H76ABC

Page 22: Smart grid in the Critical National Infrastructure

Managing the Security of Interconnections

http://www.amazon.co.uk/Software-Security-Austerity-security-development-ebook/dp/B007H76ABC

Page 23: Smart grid in the Critical National Infrastructure

Managing the Security of Interconnections

Contractual terms

Vendors/suppliers and their supply chains

- ability to receive vulnerability data

- set expectation that it will be pushed to you

Interconnect partners

- can’t be trusted all the time – avenue of attack

- information sharing agreements and/or forums

Page 24: Smart grid in the Critical National Infrastructure

Managing the Security of Interconnections

Page 25: Smart grid in the Critical National Infrastructure

Conclusions

We have only scratched the surface

Focus on:

• Considering cyber from the outset

• Building relationships

• Consuming the vast amount of information already available

• Sharing experiences

• Sharing intelligence

• Accepting that cyber is a shared problem

Page 26: Smart grid in the Critical National Infrastructure

Europe

Manchester - Head Office

Cheltenham

Edinburgh

Leatherhead

London

Milton Keynes

Amsterdam

Copenhagen

Munich

Zurich

North America

Atlanta

Austin

Chicago

Mountain View

New York

San Francisco

Seattle

Australia

Sydney

Thanks! Questions?

Ollie [email protected]