Upload
ollie-whitehouse
View
220
Download
2
Embed Size (px)
Citation preview
Smart grid in the Critical National Infrastructure
Ollie Whitehouse, Technical Director - NCC Group
NCC Group Technical Security Consulting
NCC Group Risk Management & Governance
Agenda
Managing the interface with government
Regulatory bodies – what are they doing?
Interoperability and standardisation
Managing the security of interconnections
Before we begin
-v-
Why interface with government?
Get guidance early on
Gain situational awareness
Gain insight from peers
Provide feedback and insight
Ensure ongoing operational preparedness
Interfaces with government
Managing the interface with government
https://www.cert.gov.uk/
https://www.cert.gov.uk/cisp/
https://www.cpni.gov.uk
SCADA andControlSystemInformationExchange
Managing the interface with government
https://www.cpni.gov.uk/advice/cyber/scada/
primarily developed 2008 - 2011
Managing the interface with government
https://www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/Security-Characteristics.aspx
Regulatory bodies – what are they doing?
Department of Energy & Climate Change (DECC) sets policy and legislative framework for UK networks.
- including Energy Emergencies Executive Committee (E3C)
OFGEM benefits from UK Regulators Network
- including cyber
Both sit in Smart Grid Forum
https://www.ofgem.gov.uk/press-releases/uk-regulators-launch-new-network-bring-cross-sector-regulation-closer-together
ENA Energy Network Cyber Security Forum (ENCSF)
Regulatory bodies – what are they doing?
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/386626/E3C_Annual_Report_2014.pdf
December 2014 report
Regulatory bodies – what are they doing?
http://www.parliament.uk/documents/lords-committees/science-technology/Resilienceofelectricityinfrasrtucture/CfEResilienceofElectricityInfrastructure.pdf
Launched July 2014
Regulatory bodies – what are they doing?
http://www.parliament.uk/documents/lords-committees/science-technology/Resilienceofelectricityinfrasrtucture/Resilienceofelectricityinfrastructureevidence.pdf
Over 600 pages and cyber mentioned 68 times
Regulatory bodies – what are they doing?
http://www.energynetworks.org/modx/assets/files/news/consultation-responses/Consultation%20responses%202014/House%20of%20Lords%20Committee%20Inquiry%20into%20Electricity%20Network%20Resilience%20-%20ENA%20Submission_2014.pdf
Interoperability and standardization
CEN = European Committee for Standardization
CENELEC = European Committee for Electro-technical Standardization
ESTI = European Telecommunications Standards Institute
http://www.smartgrids.eu/CEN-CENELEC-ETSI
Interoperability and standardization
http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf
over 90 pages
Interoperability and standardization
http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf
Interoperability and standardization
http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf
Interoperability and standardization
http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf
Interoperability and standardization
http://www.energynetworks.org/modx/assets/files/electricity/engineering/Standards/SGCG%20Reports%20071014/SGCG_WGSGIS_Sec0078_INF_ReportforComments.pdf
Managing the Security of Interconnections
Prevent: design, build, test, sustain
Detect: changes in posture and active attacks
Respond: monitor and/or mitigate
Managing the Security of Interconnections
http://www.amazon.co.uk/Software-Security-Austerity-security-development-ebook/dp/B007H76ABC
Managing the Security of Interconnections
http://www.amazon.co.uk/Software-Security-Austerity-security-development-ebook/dp/B007H76ABC
Managing the Security of Interconnections
Contractual terms
Vendors/suppliers and their supply chains
- ability to receive vulnerability data
- set expectation that it will be pushed to you
Interconnect partners
- can’t be trusted all the time – avenue of attack
- information sharing agreements and/or forums
Managing the Security of Interconnections
Conclusions
We have only scratched the surface
Focus on:
• Considering cyber from the outset
• Building relationships
• Consuming the vast amount of information already available
• Sharing experiences
• Sharing intelligence
• Accept that cyber is a shared problem
…
Europe
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Milton Keynes
Amsterdam
Copenhagen
Munich
Zurich
North America
Atlanta
Austin
Chicago
Mountain View
New York
San Francisco
Seattle
Australia
Sydney
Thanks! Questions?
Ollie [email protected]