SMART GRID DEVICES SECURITY CERTIFICATION

Presentation transcript:

SMART GRID DEVICES SECURITY CERTIFICATION
ESMIG meeting, Brussels, 26 March 2015
Konstantinos Moulinos, Information Security Expert, ENISA

ENISA activities (slide diagram)
Four pillars: Mobilising Communities, Policy Implementation, Recommendations, Hands on.
Items shown: Community Building, Art 14 Requests, Financial ISACs, NIS Platform, Cyber Security Coordination Group, Legislation, Think Tank, Recommendations / deliverables, Cyber exercises, CERT training.

Workshop on certification of smart grid components
27 June 2012, Brussels, in cooperation with EC DG CONNECT. Around 60 participants from different domains.
ENISA Study on SG security, 2012, 10 recommendations: "Both the EC and the MS competent authorities should promote the development of security certification schemes for components, products and organisational security."

Aim and Objectives of the workshop
- Follow up the recommendation of the study.
- Support the MS in better understanding the challenges of the security certification process.
- Contribute to the harmonization of different certification policies.
- Invite MS to present their national certification schemes and the private sector to present their views on the matter.
- Debate the possible steps to take, at national and EU level, to speed up the secure introduction of Smart Grids.

Key findings (1/2)
- Need for a certification scheme for SG security personnel.
- Need for a certification scheme for the whole grid, not only for the components.
- Development of minimum security requirements (protection profiles) for SG devices other than smart meters.
- New SG security certification schemes are on the way.

Key findings (2/2)
- Need to assess the criticality of the different SG parts and apply different assurance techniques based on the criticality.
- M490: a promising initiative towards market harmonization and interoperability.
- Focus on the whole life-cycle, not only on the product itself: product development process, expected security quality level, functionality, implementation and deployment of the systems, operational process.

Characteristics of the future certification scheme
- Mandatory.
- Harmonization.
- One unified security profile.
- Not a single certifying authority.
- Easy to be adopted by the MS.
- Deal with the patch management problem.
- Once certified, no extra certification needed across Europe.
- Take into account the existing technologies.
- In line with the standardization efforts in the SG area.

Conclusions (1/2)
- Certification is only a part of the process for secure systems development.
- Do not focus only on the smart meters: protection profiles are needed for the remaining elements of the SG, which is otherwise covered only in part (i.e. windmills, e-cars etc.).
- A single interoperable standard: geographically European; cross sector, since SGs are parts of CII and there is a need for such a standard; competition: one standard does not mean one technical solution.

Conclusions (2/2)
- More information sharing on vulnerabilities.
- Incentives for a more reasonable legal framework and for doing more than is needed.
- If one standard is developed, then the throughput must be satisfactory enough to keep all vendors capable of competing at the same level.
- Compliance does not mean security.

Actions
- Create a SG Certification WG in existing European structures.
- Maintain the database of security testers / certifiers / certification frameworks up to date.
- Create protection profiles for all SG components.

Report on Certification of components (2014), in collaboration with the EC
Objectives:
- Perform desktop research.
- Identify the gaps between different certification schemes.
- Produce technical advice, recommendations and good practices for certification in smart grid security.
- Provide recommendations on how to develop new or improve existing approaches to a pan-European harmonised smart grid security certification.

Working method
- Desk research regarding cyber security certification: existing standards, national approaches.
- Qualitative analysis of cyber security certification schemes: requirements for a future approach, gaps and lessons learnt.
- Recommendations and roadmap development.
- Discussion of approach with stakeholders: draft report for comments, addressing of comments with stakeholders, workshop for discussion of main topics, final report.

Desk research
- Separation between certification schemes and other information: articles and investigations; security and/or smart grid standards and schemes; smart grid related security services.
- Current stocktaking lists the following additional sources and initiatives eligible for investigation.
- Further analysis to select schemes for qualitative analysis: 8 out of 19 certification schemes were selected.

Certification meta-scheme Based on ISO 17067

Detailed scheme analysis

Discussions with stakeholders
Stakeholders included:
- SISEC members (ESMIG is represented)
- Selected members of the ENISA contact list
- Certification authorities: ANSSI, BSI, CESG, FMV, …
- Associations: EURELECTRIC, ESMIG, T&D Europe
- Standardization initiatives: M/490 SG-CG/SGIS WG, DKE (Deutsche Kommission Elektrotechnik Elektronik Informationstechnik im DIN und VDE)
- Private sector: Alstom, ULL, EDF R&D

How is it currently applied in the EU
- France: CSPN and Common Criteria, ISO 27002
- Germany: Common Criteria EAL4+, DIN 27001
- Netherlands: Common Criteria EAL2, ISO 27001
- United Kingdom: CPA, ISO 27001, IASME
- SOG-IS MRA and EA (European co-operation for Accreditation)
- No legislation; only Germany is going to mandate ISO 27001
- Different requirements and designs per country
- No public-private participation in half of the countries
Conclusion: there is no harmonisation; different methods, different schemes and different levels of security per country.

Key findings
- Only a few member states have defined security requirements
- No clear view of the amount of publicly known cyber incidents
- Focus on HAN and grid end applications
- Diversity in the production process of the requirements
- Public private collaboration
- CC is the de facto standard
- Lack of harmonisation

The supply chain view of the smart grid

What to certify: SGAM, lifecycle and chain of trust

What is available: SG-AM/SG-IS usage

Scheme implementation

Roadmap

What is this report about?
IS:
- A proposal for a steering working group / task force
- A proposal for a certification framework (chain of trust)
- A proposal for using an existing reference model (SGAM)
- A mapping between different certification standards and the SGAM layers
- A recommendation to reuse existing mechanisms
- A roadmap to implement the framework
IS NOT:
- A proposal for a new certification scheme
- A recommendation for the use of any particular standard

Key recommendations
- Appoint an EU steering committee to coordinate smart grid certification activities (EC)*
- Provide guidance and a reference model to implement a chain of trust (SC)
- Use the currently available standards and schemes, accommodating, better coordinating and harmonising national approaches (SC)
- Promote international recognition of schemes (EC)
- Promote validation that is commensurate with the risk appetite involved in each use case (SC)
- Use national profiles as detailed specifications of international standards to cover the specific national use cases and nationally supported test and certification methods (MS)
- Use technical committees in collaboration with the European energy associations to create European profiles (EC)
*EC: European Commission, SC: Steering Committee, MS: Member States

Open issues – Next Steps
- Assessment of financial costs of the minimum security measures
- Identification of incentives for investments in security
- Identification of good practices for ICS-SCADA / Smart Grids incident reporting
- Certification of smart grid components and systems
- Definition of EU baseline security requirements
- A roadmap for more harmonized national certification approaches
- Certification of smart grid cyber security skills
- Incident response capability for smart grids and relationships to existing national ICS-CERT / Gov CERTs
- Inject smart grids into the NIS platform
- Bring competent authorities on board

DRAFT

Thank you! Konstantinos.Moulinos@enisa.europa.eu