bobbi brown - presentation 5- security presentation b2

© 2010 EnerNex Corporation. All Rights Reserved. US Cyber Security Efforts The Good, The Bad, The Ugly Presented By: Bobby Brown EnerNex Corporation

Upload: harrie-kuipers

Post on 07-Mar-2016

Page 1: Bobbi Brown - presentation 5- Security Presentation B2

US Cyber Security Efforts
The Good, The Bad, The Ugly

Presented By: Bobby Brown

EnerNex Corporation

About myself
• Director of IT & Communication Security
• Former CIO, 15+ years IT, 10 years Cyber Security & Related
• Co-author of NIST Framework & Roadmap for Smart Grid Interoperability Standards, Security Profiles (AMI, 3PDA, Distribution Mgt.)
• Project Manager, Advanced Security Acceleration Project for Smart Grid (ASAP-SG)
• National Electric Sector Cyber Organization Resource Team
• Chair of SG Security Conformity and Vice-chair of SG Security in UCAIug OpenSG

NIST SGIP – The Good
• EnerNex awarded to manage and technical facilitation
• Smart Grid Interoperability Panel
  – Supports NIST in fulfilling responsibilities under the 2007 Energy Independence and Security Act
  – Identifies, prioritizes and addresses new and emerging requirements for Smart Grid standards
  – Developed the initial NIST Framework & Roadmap for Smart Grid Interoperability Standards (v1.0 January 2010)
• National public-private collaborative

NIST SGIP – The Good
• Smart Grid Standards
• Priority Action Plans
• Testing and Certification of Standards
• Smart Grid Conceptual Model
• Smart Grid Cyber Security
• The Interoperability Knowledge Base (IKB)

SGIP CSWG – The Good
• Addresses cyber Smart Grid security aspects
• Provides overall cyber security strategy for Smart Grid
• Defense in-depth controls:
  – Prevention
  – Detection
  – Response
  – Recovery
• 400+ member participation

Strategy Process

SGIP CSWG – The Bad
• Risk mitigation strategy is confusing:
  – Logical Interface Categories (LICs)
  – Requirements mapped to LICs (not data)
• Interoperability strategy is still under development
• Weak in utility representation

The Ugly
The process is good, but…
• Not actionable
• Reference architecture is not representative of real world systems
• How to implement?

Lessons Learned – What’s Next?
• Validate high-level reference architecture
• More utility involvement
• ‘Actionable’ & ‘implementable’ guidance
  – Implementation Sub-group
• Interoperability and Rigor
  – Standards & Crypto Sub-groups
  – Testing & Certification Sub-group
• Updated NIST-IR 7628 (after 12 months)

NERC CIP - Good
• Forces utilities to address security
• Allows utilities to self-regulate

NERC CIP – Bad & Ugly
• Immature regulation – too many revisions
• Discretion of auditors; too much variance
• Only addresses bulk power, many aggregated threats not covered:
  – Distribution
  – AMI
  – Automated demand response
  – Electric vehicles
  – Etc., etc.
• Utilities become reactive

NERC CIP – What’s Next?
• CIP 10 and 11
  – CIP 10 replaces CIP 2
  – CIP 11 replaces CIP 3 through 9

ASAP-SG - Good
• Private-Public Collaborative
• Vetted by utilities and vendors
• Good adoption of controls:
  – Utilities using in request for proposal (RFP) requirements
  – Vendors using in product development requirements
  – States (California Public Utility Commission) using in development of regulations

ASAP-SG Funding & Workflow

ASAP-SG Blueprint

ASAP-SG – Bad & Ugly
• Too Academic
• Too many steps

ASAP-SG - What’s Next
• Wide Area Monitoring, Protection and Control Security Profile
  – Synchrophasors
• Premise Area Network Security Profile
  – Home Area Network
  – Business Area Network
  – Industrial Network
• Update Security Profile Blueprint

Summary – Understand Attackers

Kill Chain
• Recon
• Weaponization
• Delivery
• Exploit
• Installation
• Command & Control (C2)
  – Elevate privilege
  – Maintain presence
• Actions of Intent

Break points
• Min attack surface (Deter)
• Block attacks (Prevent)
• Monitor/Report (Detect)
• Business Continuity (Respond)
• Forensics & Incident Handling (Recovery)
  – Lessons learned

Defense in-depth > Break the Kill Chain

Summary – Methodology
• Collaboration!
• Regulation & Standards
• Holistic system of systems approach
  • Security components
  • Interfaces
  • Subsystems
  • Configuration
• Business Driven
  • Use Cases
  • Process
  • Risk Management
• Engineering Principles
  • Loose Coupling
  • Layered
  • Scalable
  • SDLC

Thank you!

Bobby [email protected]

Director, Cyber Security
EnerNex