Presentation is loading. Please wait.

Presentation is loading. Please wait.

Smart The Grid Track C Security Session 1 10:50 AM 1.

Similar presentations


Presentation on theme: "Smart The Grid Track C Security Session 1 10:50 AM 1."— Presentation transcript:

1 Smart The Grid Track C Security Session 1 10:50 AM 1

2 Smart The Grid Smart Grid Interim Roadmap Document Review Session One Document Review April 28, 2009 2

3 Smart The Grid Guidelines and Info for Sessions Nominate scribe Time is precious – keep on schedule; avoid getting lost in weeds News Media is present in sessions No electronic recording of sessions Note: This workshop is a draft in progress Key findings will be posted outside the room 3

4 Smart The Grid Session One Objectives Build consensus on the vision of the Smart Grid Build consensus on the partitioning of the Smart Grid Review the Draft Smart Grid Roadmap Summary of events 4

5 Smart The Grid Introductions Chair: Annabelle Lee – Senior Cyber Security Strategist for NIST Computer Security Division and Chair of NIST Cyber Security Coordination Task Group Co-chair: Matt Carpenter – Senior Security Analyst for InGuardians Security Testing of Smart Grid and SCADA; SANS Instructor; Red Team Lead 5

6 Smart The Grid Defining Terms Cyber Security Security Framework Architecture 6

7 Smart The Grid External Corporations Corporate Utility Market participants IntelliGrid Environments 7

8 Smart The Grid Utility Structure vs. Smart Grid Interfaces Market / Regulatory Corporate Transmission Distribution Consumer/Load Field Area (FAN) Home or Premise Area (HAN) Wide Area (WAN) Enterprise (ESB) Extranet Note: Energy sources can be found in T, D, or C 8

9 Smart The Grid Roadmap Outline (DRAFT) – Top Level (Discussion and Comments on Overall Roadmap Structure) EXECUTIVE SUMMARY 1.PURPOSE AND SCOPE 2.SMART GRID VISION 3.SMART GRID HIGH-LEVEL ARCHITECTURE 4.SMART GRID APPLICATIONS AND USER REQUIREMENTS 5.SMART GRID ARCHITECTURE REQUIREMENTS AND INTERFACES 6.SMART GRID STANDARDS DESCRIPTION AND ASSESSMENT 7.PRIORITIZED ACTIONS AND TIMELINES TO ADDRESS IDENTIFIED ISSUES 8.DEFINITIONS 9.REFERENCES 9

10 Smart The Grid Roadmap Document Review Chapter 1 Purpose and Scope –1.1 Background –1.2 Context of This Document –1.3 NIST Roles and Plans 10

11 Smart The Grid Roadmap Document Review Chapter 2 Smart Grid Vision –2.1 What is the Smart Grid –2.2 Smart Grid Characteristics: Drivers and Opportunities –2.3 Smart Grid Challenges 11

12 Smart The Grid Roadmap Document Review Chapter 3 The Smart Grid High Level Architecture –3.1 Architecture Definition –3.2 Architecture Scope –3.3 Cyber Security Architecture Concepts –3.4 Architecture Destinations and Metrics –3.5 Smart Grid Development Governance –3.6 Smart Grid Interfaces –3.7 Smart Grid Infrastructure Methods and Tools –3.8 Architectural Principles –3.9 Analysis Process Methodology 12

13 Smart The Grid Section 3.3: Smart Grid Security Framework and Methodology April 28, 2009 link 13

14 Smart The Grid Security Management and Security Controls The security management for the Information Infrastructure consists of a cycle of: –Risk Assessment of the information and development of the security requirements –Security Policy establishment and selection of security controls necessary to meet the security requirements –Deployment of the selected Security Controls –Training in and enforcement of security policies and control –Auditing of the security activities –Re-assessment of the risks, vulnerabilities, and thus the revising of the security requirements and controls. NIST SP 800-39 & SP800-53 14

15 Smart The Grid Security Methodology Security methodology for Risk Assessment: –Identify Vulnerabilities in the Information Infrastructure –Assess the Impacts of security compromises With this approach, the probability of security threats actually occurring, which would be nearly impossible to quantify, is not included in the risk assessment except as an assumption that indeed these threats are real and likely in some form or another. NIST SP800-82 identifies and categorizes certain Industrial Control Systems (ICS) vulnerabilities into: –Policy and Procedure Vulnerabilities –Platform Vulnerabilities –Network Vulnerabilities –Communication Vulnerabilities Impacts are specific to particular assets and the roles they play in the Information Infrastructure 15

16 Smart The Grid Security Controls NIST SP800-53 identifies 17 types of security controls, categorized into 3 areas: –Security Management Planning Risk Assessment System and Services Acquisition Security Assessment and Authorization –Operational Security Awareness and Training Contingency Planning Configuration Management Media Protection Physical and Environmental Protection System and Information Integrity Personnel Security (and Safety) Maintenance Incidence Response –Technical Security Identification and Authentication Access Control System and Communications Protection Audit and Accountability 16

17 Smart The Grid Track C Security Session 4 8:30 AM 17

18 Smart The Grid Release 1 Standards - Low Hanging Fruit April 28 – 29 Smart Grid Interim Roadmap Workshop 18

19 Smart The Grid A Continuum of Standards 19

20 Smart The Grid The Smart Grid Interface Cube Information Model Application Services Security Network Management Time Synch Networking Connectivity E-Commerce Enterprise Customer (H2G, B2G, I2G) Distribution Transmission Wide-Area Situational Awareness Demand Response Electric Storage Electric Transportation Markets Distributed Generation Etc… 20

21 Smart The Grid Interoperability Occurs When Boxes Join Information Model Application Services Security Network Management Time Synch Networking Connectivity Enterprise Customer (H2G, B2G, I2G) Distribution Transmission Wide-Area Situational Awareness Demand Response Electric Storage Electric Transportation Markets Distributed Generation Etc… E-Commerce 21

22 Smart The Grid Relevant Standards Process Review strawman lists of Standards that cover the domain (and relationship to others) Group Members can add to the list of standards that need to be included Outcome: a refined initial list of standards that need to be considered for smart grid. Discussion of these standards can lead to discussion of Architecture issues relative to these standards 22

23 Smart The Grid Questions Are there any Candidate standards that have 100% agreement – no brainers? Are there standards that are reasonably close, but may need caveats, additions, updates, constraints, or other qualifications? What are those qualifications? Are there standards that should not be in Release 1? Are there standards not in the Candidate list that should be? 23

24 Smart The Grid Relevant Standards Release 1 Standards - low hanging fruit, covering assessments, interoperability issues, and gaps, including –NERC CIP 002, 003-009 –IEC 62351 –AMI-SEC System Security Requirements –OpenHAN SRS –FIPS 140-2 – Deals with Crypto –NIST SP800-53 (-82 “Guidance” not standard) –ISA SP99 –DHS Procurement Language for Control Systems –ISO 27000 series –Development Security Standards? (OWASP) –ANSI C12.22 / Zigbee Smart Energy Profile –IEEE 802.11i –XMPP 24

25 Smart The Grid Initial Candidate List Low Hanging Fruit Standards ANSI C12.19 / IEEE 1377 / MC1219 IEEE C37.118 IEC 61968/61970 (CIM) MultiSpeak IEEE 1547 BACnet – ASHRAE/ANSI 135, ISO 16484-5 IEC 61850 IEC 60870-6 TASE.2 DNP3 IEC 62351 NERC CIP 002-009 NIST Security Standards – FIPS 140-1, NIST SP800-53, NIST SP800-82, etc. IEEE 802 family IETF Internet Standards – TCP/IP, VPNs, TLS, SNMP, etc. IEC PAS 62559 25

26 Smart The Grid Group Discussion Are there any Candidate standards that have 100% agreement – no brainers? Are there standards that are reasonably close, but may need caveats, additions, updates, constraints, or other qualifications? What are those qualifications? Are there standards that should not be in Release 1? Are there standards not in the Candidate list that should be? 26

27 Smart The Grid Track C Security Session 3 1:00 PM 27

28 Smart The Grid Smart Grid Security Frameworks, Methodologies and Architecture April 28 – 29 Smart Grid Interim Roadmap Workshop 28

29 Smart The Grid Security Approach Security Frameworks Security Methodologies Security Architecture 29

30 Smart The Grid Scope of Session 2 Discussion of security methodologies and security frameworks –NIST SP800-82 – Industrial Control Systems –NIST SP800-53 – Federal Systems Security Controls –NIST SP800-39 – Risk Management Security Architecture documents 30

31 Smart The Grid Questions What aspects of the documents presented are good/useful/adequate for security of the Smart Grid? What aspects are not adequate? Are there other documents that address them? What should the security framework for the Smart Grid include? What should the methodology be for Risk Assessment, e.g. assessing only the vulnerabilities and the impacts, rather than the likelihood of any threats? What should security management of the Smart Grid entail, particularly as new, often untrusted Stakeholders interconnect? 31

32 Smart The Grid Considerations Legacy Systems Evolving Standards Others? 32

33 Smart The Grid Track C Security Session 4 8:30 PM 33

34 Smart The Grid Smart Grid Vulnerabilities and Impacts April 28 – 29 Smart Grid Interim Roadmap Workshop 34

35 Smart The Grid Session 3: Architecture Requirements Identifying vulnerabilities and impacts to the Smart Grid, which are critical to moving forward on the security architecture 35

36 Smart The Grid External Corporations Corporate Utility Market participants IntelliGrid Environments 36

37 Smart The Grid Vulnerability Goals: * Plan to move forward with Roadmap Document * Volunteers * Identify Vulnerabilities and Impacts * Incomplete and/or Inappropriate Policy and Mutual Dis-trust and Defense-in-depth Procedures * Configuration Management * Testing/Assessment * Logging and Monitoring * Incident Response Procedures and Training 37

38 Smart The Grid Identity Entity (Actor) Authentication –Devices to devices –Users to devices –Device to network –Host to device –User to Service/Application –Etc., etc. Authorization Configuration 38

39 Smart The Grid * Platform Misconfiguration * IDS/IPS not installed, configured or updating * Firewall * Default Configuration * Unecessary Services Running * Incomplete or Inappropriate Patch Management * Incomplete or No patching process * Patching process not followed regularly 39

40 Smart The Grid Platform Hardware Vulnerabilities * Underlying Architecture Flaws * Underlying Design Flaws * Hardware Failure * Inadaquate Physical Protections (Physical Vulnerability as a primary heading?) * Loss of Environmental Control 40

41 Smart The Grid * Platform Software Vulnerabilities * Design Flaws * Race Conditions * Weak Authentication * Weak Authorizations * Implementation Flaws (Programmer Error) * Buffer Overflows * Integer over/underruns * Misconfiguration * AV 41

42 Smart The Grid * Network Vulnerabilities * Weak Network Security Architecture * Network Configuration * Lack of, or Inappropriate Access-Controls * Network Hardware * Network Perimeter * Communication * Clear-text Communications * Proprietary Protocols * Wireless Connection 42

43 Smart The Grid Questions Can a security architecture be developed based on the general or well-known requirements or are the detailed security requirements in the critical path? What are the general or well-known security requirements? What are the key vulnerabilities? What are the key impacts? What additional requirements are needed beyond vulnerabilities and impacts? 43

44 Smart The Grid Track C Security Session 5 10:20 AM 44

45 Smart The Grid Identified Issues, Prioritized Actions and Timelines April 28 – 29 Smart Grid Interim Roadmap Workshop 45

46 Smart The Grid Session 5 – Prioritized Actions and Timelines Objective: Identify Areas of follow-on work necessary to include in the roadmap 46

47 Smart The Grid Process Define Areas of work that need to get done to further the development of the smart grid for the domain. This includes the processes to develop a set of “National Level Architecture Requirements” The following are examples of follow on work that could seed domain discussions on the topic. –Use Cases/Application requirements to be developed –Analyses necessary including Architecture Requirements, Actor and nomenclature normalization –Integration and Harmonization of Standards that need to take place –Reference Designs and Implementations that are needed to assist the development and integration of the standards –RD&D topics and projects that need to be developed. 47

48 Smart The Grid Questions What are the issues that should be included in the list of actions? What actions should be taken on each of these issues? What is the proposed timeline for these actions, given the need to involve SDOs, additional Stakeholders, and the constraints of the up-coming May Workshop? 48


Download ppt "Smart The Grid Track C Security Session 1 10:50 AM 1."

Similar presentations


Ads by Google