1 smart grid cyber security annabelle lee senior cyber security strategist computer security...
TRANSCRIPT
1
Smart GridCyber Security
Annabelle LeeSenior Cyber Security Strategist
Computer Security DivisionNational Institute of Standards and
TechnologyJune 17, 2009
2
President’s Cyberspace Policy Review
…as the United States deploys new Smart Grid technology, the Federal government must ensure that security standards are developed and adopted to avoid creating unexpected opportunities for adversaries to penetrate these systems or conduct large-scale attacks.
2
33
Customer LAN
Customer LAN
Metering
NetworkMetering
Network
Wide Area NetworkWide Area Network
What Interoperability Standards are Needed?
Bulk Power Generation Operations
TransmissionOperations
Retail DeliveryOperations Consumers
Back OfficeCustomer Operations
Wholesale MarketOperations
DistributedEnergy Resources
Electricity Information Data Communication
Metering
DistributionOperations
Standards are needed for each of the interfaces shown to support many different smart grid applications. Standards are also needed for data networking and cyber security
44
Current Grid Environment…
Limited cyber security controls currently in place Specified for specific domains – bulk power distribution,
metering
Vulnerabilities might allow an attacker to Penetrate a network, Gain access to control software, or Alter load conditions to destabilize the grid in
unpredictable ways
Even unintentional errors could result in destabilization of the grid
55
Current Grid Environment…(2)
Cyber security must address Deliberate attacks such as from
Disgruntled employees, Industrial espionage, and Terrorists
Inadvertent compromises of the information infrastructure due to
User errors, Equipment failure, and Natural disasters
6
Potential Cyber Security Issues
Increasing complexity can introduce vulnerabilities and increase exposure to potential attackers
Interconnected networks can introduce common vulnerabilities
Increasing vulnerability to communication and software disruptions could result in
Denial of service or Compromise of the integrity of software and systems
6
7
Potential Cyber Security Issues (2)
Increased number of entry points and paths for adversaries to exploit
Potential for compromise of data confidentiality, including the breach of customer privacy
7
88
The Way Forward…
The overall cyber security strategy for the Smart Grid must
Address both domain-specific and common risks Ensure interoperability among the proposed cyber
security solutions
With the adoption and implementation of the Smart Grid
The IT and telecommunication sectors will be more directly involved
9
Smart Grid Cyber Security Strategy
Establishment of a cyber security coordination task group (CSCTG)
Over 130 participants Have established several sub-working groups
Vulnerability Class analysis Bottom-Up assessment Use Case analysis Standards/requirements assessment
Weekly telecon Separate page on the Smart Grid Twiki
9
10
The strategy… Selection of use cases with cyber security considerations Performance of a risk assessment of the Smart Grid,
including assessing vulnerabilities, threats and impacts Development of a security architecture linked to the
Smart Grid conceptual architecture Identification of cyber security requirements and risk
mitigation measures to provide adequate protection
The final product A set of recommended cyber security requirements
Smart Grid Cyber Security Strategy (2)
10
11
Low Hanging Fruit Standards
Could have security requirements relevant to one or more aspects of the smart grid
Directly Relevant to Smart Grid NERC CIP 002-009, Cyber Security IEEE 1686, IEEE Standard for Substation Intelligent
Electronic Devices (IEDs) Cyber Security Capabilities AMI-SEC System Security Requirements OpenHAN SRS IEC 62351, Power System Control and Associated
Communications - Data and Communication Security, Parts 1-8
11
12
Low Hanging Fruit Standards (2)
Could have security requirements relevant to one or more aspects of the smart grid (cont.)
Control Systems and close corollary ANSI/ISA-99, Manufacturing and Control Systems Security,
Parts 1 and 2 NIST SP800-53, Recommended Security Controls for
Federal Information Systems NIST SP800-82, DRAFT Guide to Industrial Control Systems
(ICS) Security DHS Procurement Language for Control Systems ISA SP100, Wireless Standards
13
Preliminary List of Requirements Identification and authentication
To provide unambiguous reference to system entities Access control to protect critical information Integrity
To ensure that the modification of data or commands is detected
Confidentiality to protect sensitive information, including
Personally identifiable information (PII) Business identifiable information (BII)
Availability to ensure that Intentional attacks, unintentional events, and natural
disasters do not disrupt the entire Smart Grid or result in cascading effects
14
Preliminary List of Requirements (2)
Techniques and technologies for isolating and repairing compromised components of the Smart Grid.
Auditing to monitor changes to the Smart Grid
1515
Contacts
URL for the CSCTG Twiki site: http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG
Lead: Annabelle Lee Phone: 301.975.8897 Email: [email protected] BB: 240.364.4931