Track C Security Session 1, 10:50 AM

Presentation transcript:

Track C Security Session 1, 10:50 AM

Smart Grid Interim Roadmap Document Review, Session One: Document Review, April 28

Guidelines and Info for Sessions
– Nominate scribe
– Time is precious – keep on schedule; avoid getting lost in the weeds
– News media is present in sessions
– No electronic recording of sessions
Note: This workshop is a draft in progress. Key findings will be posted outside the room.

Session One Objectives
– Build consensus on the vision of the Smart Grid
– Build consensus on the partitioning of the Smart Grid
– Review the Draft Smart Grid Roadmap
– Summary of events

Introductions
– Chair: Annabelle Lee – Senior Cyber Security Strategist for the NIST Computer Security Division and Chair of the NIST Cyber Security Coordination Task Group
– Co-chair: Matt Carpenter – Senior Security Analyst for InGuardians; Security Testing of Smart Grid and SCADA; SANS Instructor; Red Team Lead

Defining Terms
– Cyber Security
– Security Framework
– Architecture

IntelliGrid Environments (diagram; labels: External Corporations, Corporate Utility, Market participants)

Utility Structure vs. Smart Grid Interfaces (diagram)
– Utility structure: Market / Regulatory; Corporate; Transmission; Distribution; Consumer/Load
– Smart Grid interfaces: Field Area (FAN); Home or Premise Area (HAN); Wide Area (WAN); Enterprise (ESB); Extranet
Note: Energy sources can be found in T, D, or C

Roadmap Outline (DRAFT) – Top Level (Discussion and Comments on Overall Roadmap Structure)
Executive Summary
1. Purpose and Scope
2. Smart Grid Vision
3. Smart Grid High-Level Architecture
4. Smart Grid Applications and User Requirements
5. Smart Grid Architecture Requirements and Interfaces
6. Smart Grid Standards Description and Assessment
7. Prioritized Actions and Timelines to Address Identified Issues
8. Definitions
9. References

Roadmap Document Review – Chapter 1: Purpose and Scope
– 1.1 Background
– 1.2 Context of This Document
– 1.3 NIST Roles and Plans

Roadmap Document Review – Chapter 2: Smart Grid Vision
– 2.1 What is the Smart Grid
– 2.2 Smart Grid Characteristics: Drivers and Opportunities
– 2.3 Smart Grid Challenges

Roadmap Document Review – Chapter 3: The Smart Grid High Level Architecture
– 3.1 Architecture Definition
– 3.2 Architecture Scope
– 3.3 Cyber Security Architecture Concepts
– 3.4 Architecture Destinations and Metrics
– 3.5 Smart Grid Development Governance
– 3.6 Smart Grid Interfaces
– 3.7 Smart Grid Infrastructure Methods and Tools
– 3.8 Architectural Principles
– 3.9 Analysis Process Methodology

Section 3.3: Smart Grid Security Framework and Methodology, April 28, 2009

Security Management and Security Controls
The security management for the Information Infrastructure consists of a cycle of:
– Risk Assessment of the information and development of the security requirements
– Security Policy establishment and selection of the security controls necessary to meet the security requirements
– Deployment of the selected Security Controls
– Training in and enforcement of security policies and controls
– Auditing of the security activities
– Re-assessment of the risks and vulnerabilities, and thus revision of the security requirements and controls
NIST SP & SP

Security Methodology
Security methodology for Risk Assessment:
– Identify Vulnerabilities in the Information Infrastructure
– Assess the Impacts of security compromises
With this approach, the probability of security threats actually occurring, which would be nearly impossible to quantify, is not included in the risk assessment, except as an assumption that these threats are real and likely in some form or another.
NIST SP identifies and categorizes certain Industrial Control Systems (ICS) vulnerabilities into:
– Policy and Procedure Vulnerabilities
– Platform Vulnerabilities
– Network Vulnerabilities
– Communication Vulnerabilities
Impacts are specific to particular assets and the roles they play in the Information Infrastructure.

Security Controls
NIST SP identifies 17 types of security controls, categorized into 3 areas:
– Security Management: Planning; Risk Assessment; System and Services Acquisition; Security Assessment and Authorization
– Operational Security: Awareness and Training; Contingency Planning; Configuration Management; Media Protection; Physical and Environmental Protection; System and Information Integrity; Personnel Security (and Safety); Maintenance; Incident Response
– Technical Security: Identification and Authentication; Access Control; System and Communications Protection; Audit and Accountability
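The impact-only risk assessment on the Security Methodology slide (vulnerabilities identified per asset, scored by the impact of a compromise on that asset's role, with no likelihood estimate) and the control families on the Security Controls slide, worked through as an added Python example. This is not code from the workshop or from NIST; the role impact scale, the C/I/A weighting and the mapping from vulnerability category to control family are assumptions made for the illustration.

```python
"""Impact-driven risk assessment as described on the Security Methodology
slide: each finding is a vulnerability in one of the four ICS categories on
an asset, scored by the impact of a compromise on that asset's role, with no
likelihood term. The role impact values, the objective weighting and the
category-to-control-family mapping are this example's assumptions."""
from dataclasses import dataclass, field

# The four ICS vulnerability categories named on the slide.
CATEGORIES = ("policy_procedure", "platform", "network", "communication")

# Assumed mapping from vulnerability category to control families listed on
# the Security Controls slide (illustrative; the slides give no such mapping).
CONTROL_FAMILIES = {
    "policy_procedure": ["Planning", "Risk Assessment", "Awareness and Training"],
    "platform": ["Configuration Management", "System and Information Integrity",
                 "Maintenance"],
    "network": ["Access Control", "System and Communications Protection",
                "Audit and Accountability"],
    "communication": ["System and Communications Protection",
                      "Identification and Authentication"],
}

# Impact of compromise depends on the asset's role (constructed 1-5 scale).
ROLE_IMPACT = {
    "protection_relay": 5,      # mis-operation can damage equipment or endanger people
    "scada_master": 5,
    "feeder_rtu": 4,
    "meter_data_mgmt": 3,
    "smart_meter": 2,
    "corporate_workstation": 1,
}


@dataclass(frozen=True)
class Asset:
    name: str
    role: str


@dataclass(frozen=True)
class Vulnerability:
    asset: Asset
    category: str
    description: str
    # Security objectives a compromise would affect: any of "C", "I", "A".
    objectives: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown vulnerability category {self.category!r}")


def impact_score(v: Vulnerability) -> int:
    """Impact-only score. Likelihood is deliberately absent, matching the
    slide's point that threat probability is assumed, not estimated."""
    base = ROLE_IMPACT[v.asset.role]
    # For control systems, loss of integrity or availability is the serious
    # case; a confidentiality-only compromise is weighted lower (assumption).
    weight = 1.0
    if {"I", "A"} <= v.objectives:
        weight = 2.0
    elif "I" in v.objectives or "A" in v.objectives:
        weight = 1.5
    return round(base * weight)


def prioritize(vulns):
    """Rank findings by impact and attach the control families to consider.
    Returns a list of (score, vulnerability, control_families), highest first."""
    ranked = sorted(vulns, key=impact_score, reverse=True)
    return [(impact_score(v), v, CONTROL_FAMILIES[v.category]) for v in ranked]


# Constructed findings for a small utility environment.
SAMPLE_FINDINGS = [
    Vulnerability(Asset("RTU-07", "feeder_rtu"), "communication",
                  "clear-text DNP3 over leased line", frozenset("IA")),
    Vulnerability(Asset("MDMS-1", "meter_data_mgmt"), "platform",
                  "unpatched OS; no patch process", frozenset("CIA")),
    Vulnerability(Asset("WS-22", "corporate_workstation"), "policy_procedure",
                  "no security awareness training for operators", frozenset("C")),
    Vulnerability(Asset("RELAY-3", "protection_relay"), "network",
                  "relay reachable from corporate LAN; no access-control list",
                  frozenset("IA")),
]

if __name__ == "__main__":
    for score, v, families in prioritize(SAMPLE_FINDINGS):
        print(f"{score:>2}  {v.asset.name:<8} {v.category:<17} {v.description}")
        print(f"    consider: {', '.join(families)}")
```

Running the block ranks the protection relay first (score 10) and the untrained corporate workstation last (score 1): the ordering comes entirely from what a compromise would do to the asset's role, which is the point of the methodology on the slide, and each finding carries the control families the assessment should look at next.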

Track C Security Session 4, 8:30 AM

Release 1 Standards – Low Hanging Fruit, April 28 – 29 Smart Grid Interim Roadmap Workshop

A Continuum of Standards

The Smart Grid Interface Cube (diagram; its labels, in three groups)
– Information Model; Application Services; Security; Network Management; Time Synch; Networking; Connectivity
– E-Commerce; Enterprise; Customer (H2G, B2G, I2G); Distribution; Transmission
– Wide-Area Situational Awareness; Demand Response; Electric Storage; Electric Transportation; Markets; Distributed Generation; Etc.

Interoperability Occurs When Boxes Join (diagram; the same interface cube with the same labels)

Relevant Standards Process
– Review strawman lists of Standards that cover the domain (and relationship to others)
– Group Members can add to the list of standards that need to be included
– Outcome: a refined initial list of standards that need to be considered for the smart grid
– Discussion of these standards can lead to discussion of Architecture issues relative to these standards

Questions
– Are there any Candidate standards that have 100% agreement – no brainers?
– Are there standards that are reasonably close, but may need caveats, additions, updates, constraints, or other qualifications? What are those qualifications?
– Are there standards that should not be in Release 1?
– Are there standards not in the Candidate list that should be?

Relevant Standards
Release 1 Standards – low hanging fruit, covering assessments, interoperability issues, and gaps, including:
– NERC CIP 002
– IEC
– AMI-SEC System Security Requirements
– OpenHAN SRS
– FIPS – deals with Crypto
– NIST SP (-82 is “Guidance”, not a standard)
– ISA SP99
– DHS Procurement Language for Control Systems
– ISO series
– Development Security Standards? (OWASP)
– ANSI C12.22 / ZigBee Smart Energy Profile
– IEEE i
– XMPP

Initial Candidate List – Low Hanging Fruit Standards
– ANSI C12.19 / IEEE 1377 / MC1219
– IEEE C
– IEC 61968/61970 (CIM)
– MultiSpeak
– IEEE 1547
– BACnet – ASHRAE/ANSI 135, ISO
– IEC
– IEC TASE.2
– DNP3
– IEC
– NERC CIP
– NIST Security Standards – FIPS 140-1, NIST SP800-53, NIST SP800-82, etc.
– IEEE 802 family
– IETF Internet Standards – TCP/IP, VPNs, TLS, SNMP, etc.
– IEC PAS

Group Discussion
– Are there any Candidate standards that have 100% agreement – no brainers?
– Are there standards that are reasonably close, but may need caveats, additions, updates, constraints, or other qualifications? What are those qualifications?
– Are there standards that should not be in Release 1?
– Are there standards not in the Candidate list that should be?

Track C Security Session 3, 1:00 PM

Smart Grid Security Frameworks, Methodologies and Architecture, April 28 – 29 Smart Grid Interim Roadmap Workshop

Security Approach
– Security Frameworks
– Security Methodologies
– Security Architecture

Scope of Session 2
Discussion of security methodologies and security frameworks:
– NIST SP – Industrial Control Systems
– NIST SP – Federal Systems Security Controls
– NIST SP – Risk Management
Security Architecture documents

Questions
– What aspects of the documents presented are good/useful/adequate for security of the Smart Grid?
– What aspects are not adequate? Are there other documents that address them?
– What should the security framework for the Smart Grid include?
– What should the methodology be for Risk Assessment, e.g. assessing only the vulnerabilities and the impacts, rather than the likelihood of any threats?
– What should security management of the Smart Grid entail, particularly as new, often untrusted Stakeholders interconnect?

Considerations
– Legacy Systems
– Evolving Standards
– Others?

Track C Security Session 4, 8:30 PM

Smart Grid Vulnerabilities and Impacts, April 28 – 29 Smart Grid Interim Roadmap Workshop

Session 3: Architecture Requirements
Identifying vulnerabilities and impacts to the Smart Grid, which are critical to moving forward on the security architecture

IntelliGrid Environments (diagram; labels: External Corporations, Corporate Utility, Market participants)

Vulnerability Goals:
* Plan to move forward with Roadmap Document
* Volunteers
* Identify Vulnerabilities and Impacts
* Incomplete and/or Inappropriate Policy and Procedures (Mutual Distrust and Defense-in-depth)
* Configuration Management
* Testing/Assessment
* Logging and Monitoring
* Incident Response Procedures and Training

Identity
Entity (Actor) Authentication:
– Devices to devices
– Users to devices
– Device to network
– Host to device
– User to Service/Application
– Etc., etc.
Authorization
Configuration

* Platform Misconfiguration
  * IDS/IPS not installed, configured or updating
  * Firewall
  * Default Configuration
  * Unnecessary Services Running
* Incomplete or Inappropriate Patch Management
  * Incomplete or no patching process
  * Patching process not followed regularly

Platform Hardware Vulnerabilities
* Underlying Architecture Flaws
* Underlying Design Flaws
* Hardware Failure
* Inadequate Physical Protections (Physical Vulnerability as a primary heading?)
* Loss of Environmental Control

* Platform Software Vulnerabilities
  * Design Flaws: Race Conditions; Weak Authentication; Weak Authorizations
  * Implementation Flaws (Programmer Error): Buffer Overflows; Integer over/underruns
  * Misconfiguration
  * AV

* Network Vulnerabilities
  * Weak Network Security Architecture
  * Network Configuration
  * Lack of, or Inappropriate, Access Controls
  * Network Hardware
  * Network Perimeter
  * Communication: Clear-text Communications; Proprietary Protocols; Wireless Connection
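An added Python example (not code from the workshop or from NIST) that turns the platform misconfiguration, patch management and network/communication headings on the slides above into checks a utility could run over its own device inventory. The inventory snapshot is constructed, and the field names, the allowed-service lists per zone and the 90-day patch threshold are assumptions made for the illustration.

```python
"""Configuration audit that turns the platform and network vulnerability
headings from the slides (IDS/IPS, firewall, default configuration,
unnecessary services, patch management, clear-text and proprietary
protocols, wireless) into checks over a device inventory. The inventory
format, the allowed-service lists and the 90-day patch threshold are
this example's assumptions; the inventory itself is constructed."""
from collections import Counter
from datetime import date

# Services expected per network zone (assumption; a real list comes from the
# utility's baseline configuration).
ALLOWED_SERVICES = {
    "field": {"dnp3", "ssh"},
    "control_center": {"iccp", "ssh", "https"},
}
PATCH_MAX_AGE_DAYS = 90            # assumed policy threshold
AS_OF = date(2009, 4, 28)          # assessment date used for patch age

# Constructed inventory snapshot, as a collection tool might export it.
INVENTORY = [
    {"host": "rtu-07", "zone": "field", "ids": False, "firewall": True,
     "default_config": False, "services": ["dnp3", "telnet", "http"],
     "patch_policy": True, "last_patch": "2009-01-15", "wireless": True,
     "protocols": [{"name": "dnp3", "encrypted": False, "proprietary": False},
                   {"name": "telnet", "encrypted": False, "proprietary": False}]},
    {"host": "hmi-01", "zone": "control_center", "ids": True, "firewall": False,
     "default_config": True, "services": ["https", "ssh"],
     "patch_policy": False, "last_patch": None, "wireless": False,
     "protocols": [{"name": "vendor-ics", "encrypted": True, "proprietary": True}]},
    {"host": "hist-02", "zone": "control_center", "ids": True, "firewall": True,
     "default_config": False, "services": ["https"],
     "patch_policy": True, "last_patch": "2009-04-01", "wireless": False,
     "protocols": [{"name": "https", "encrypted": True, "proprietary": False}]},
]


def audit_host(h, as_of=AS_OF):
    """Return (category, finding) pairs for one host, using the slide
    headings as categories."""
    findings = []
    # Platform misconfiguration
    if not h["ids"]:
        findings.append(("platform_misconfiguration",
                         "IDS/IPS not installed, configured or updating"))
    if not h["firewall"]:
        findings.append(("platform_misconfiguration", "firewall disabled or absent"))
    if h["default_config"]:
        findings.append(("platform_misconfiguration",
                         "device still on default configuration"))
    extra = sorted(set(h["services"]) - ALLOWED_SERVICES[h["zone"]])
    if extra:
        findings.append(("platform_misconfiguration",
                         "unnecessary services running: " + ", ".join(extra)))
    # Patch management
    if not h["patch_policy"] or h["last_patch"] is None:
        findings.append(("patch_management", "incomplete or no patching process"))
    else:
        age = (as_of - date.fromisoformat(h["last_patch"])).days
        if age > PATCH_MAX_AGE_DAYS:
            findings.append(("patch_management",
                             f"patching process not followed regularly "
                             f"({age} days since last patch)"))
    # Communication
    for p in h["protocols"]:
        if not p["encrypted"]:
            findings.append(("communication", f"clear-text communications: {p['name']}"))
        if p["proprietary"]:
            findings.append(("communication", f"proprietary protocol: {p['name']}"))
    if h["wireless"]:
        findings.append(("communication", "wireless connection present"))
    return findings


def audit(inventory, as_of=AS_OF):
    """Audit every host; returns {host: [(category, finding), ...]}."""
    return {h["host"]: audit_host(h, as_of) for h in inventory}


def summarize(results):
    """Count findings per category so the assessment can see where gaps cluster."""
    return Counter(cat for findings in results.values() for cat, _ in findings)


if __name__ == "__main__":
    results = audit(INVENTORY)
    for host, findings in results.items():
        print(f"{host}: {len(findings)} finding(s)")
        for cat, text in findings:
            print(f"  [{cat}] {text}")
    print(dict(summarize(results)))
```

The categories in the output line up with the slide headings, so the per-category counts from summarize() feed directly into the vulnerability-and-impact view the session asks for: the field RTU collects the communication findings (clear-text DNP3 and telnet, a wireless link), the HMI collects the platform ones (no firewall, default configuration, no patch process), and the historian comes back clean.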

Questions
– Can a security architecture be developed based on the general or well-known requirements, or are the detailed security requirements in the critical path?
– What are the general or well-known security requirements?
– What are the key vulnerabilities?
– What are the key impacts?
– What additional requirements are needed beyond vulnerabilities and impacts?

Track C Security Session 5, 10:20 AM

Identified Issues, Prioritized Actions and Timelines, April 28 – 29 Smart Grid Interim Roadmap Workshop

Session 5 – Prioritized Actions and Timelines
Objective: Identify areas of follow-on work necessary to include in the roadmap

Process
Define areas of work that need to get done to further the development of the smart grid for the domain. This includes the processes to develop a set of “National Level Architecture Requirements”.
The following are examples of follow-on work that could seed domain discussions on the topic:
– Use Cases/Application requirements to be developed
– Analyses necessary, including Architecture Requirements, Actor and nomenclature normalization
– Integration and Harmonization of Standards that need to take place
– Reference Designs and Implementations that are needed to assist the development and integration of the standards
– RD&D topics and projects that need to be developed

Questions
– What are the issues that should be included in the list of actions?
– What actions should be taken on each of these issues?
– What is the proposed timeline for these actions, given the need to involve SDOs, additional Stakeholders, and the constraints of the upcoming May Workshop?