AMI-SEC Task Force
October 23rd Face-To-Face Meeting – Knoxville, TN
Roadmap, ASAP Deliverables, & Outreach
Darren Reece Highfill, CISSP
EnerNex Corporation
[email protected]

Posted on 07-Jan-2016


TRANSCRIPT

Page 1: Darren Reece Highfill, CISSP EnerNex Corporation darren@enernex

AMI-SEC Task Force
October 23rd Face-To-Face Meeting – Knoxville, TN
Roadmap, ASAP Deliverables, & Outreach
Darren Reece Highfill, CISSP
EnerNex Corporation
[email protected]

Page 2: Agenda

• Introductions
• Roadmap
  – Review of comments
  – Update of Scope, Charter
• System Security Requirements
  – Overview
  – Detail discussion
• Component Catalog
• Architectural Description
  – Review / approval
• Deliverable suite usage
• Outreach
  – SmartGridiPedia
  – NIST
  – ASAP
• Meeting Schedule for 2009

Page 3: SSR – Requirements Hierarchy

Page 4: SSR – Primary Security Services

• Confidentiality and Privacy (FCP)
• Integrity (FIN)
• Availability (FAV)
• Identification (FID)
• Authentication (FAT)
• Authorization (FAZ)
• Non-Repudiation (FNR)
• Auditing (FAU)

Page 5: SSR – Supporting Security Services

• Anomaly Detection Services (FAS)
• Boundary Services (FBS)
• Cryptographic Services (FCS)
• Notification and Signaling Services (FNS)
• Resource Management Services (FRS)
• Trust and Certificate Services (FTS)

Page 6: SSR – Assurance

• Development Rigor (ADR)
• Organizational Rigor (AOR)
• Handling/Operating Rigor (AHR)
• Accountability (AAY)
• Access Control (AAC)

Page 7: Agenda (repeat of the page 2 agenda slide)

Page 8: What is an AMI Security Component?

Hardware and/or software that meets the following criteria:
– Must cover at least one requirements (SSR) category and at least one security domain
– Must enable relevant security policy
– Must not be a policy
– Can be an algorithm
– Cannot be a product
– Assures business value or system function
– Must be available in the market

Page 9: SSR – Component Catalog Mapping

(Figure: a matrix mapping each Component against the security domains Communication Services, Managed Network Services, Utility Enterprise Services, Automated Network Services, Utility Edge Services, and Premise Edge Services.)

Page 10: Example Components

• AES Encryption Strategy
• A5 Encryption Strategy
• CAVE Encryption Strategy
• RSA Encryption Strategy
• DSA Encryption Strategy
• RC4 Stream Encryption Strategy
• Blowfish Block Encryption Strategy
• 3DES Block Encryption Strategy
• IDEA Block Encryption Strategy
• Stream Encryption Strategy
• Block Encryption Strategy
• Encrypted Storage
• Storage Encryption Mode
• Storage Encryption Strategy
• Authenticating Encryption Mode
• Network Packet Filter
• Proxy
• Network Application Reverse Proxy
• Application Layer Gateway
• Host Packet Filter
• Hardware Encryption Manager
• Software Encryption Manager
• RADIUS Server
• RADIUS Protocol
• TACACS+ Server
• TACACS+ Protocol
• LDAP Server
• LDAP
• Identity Server
• Authentication Server
• Authorization Server
• Policy Enforcement Manager
• Intrusion Detection System
• Network IDS
• Host IDS
• Network IPS
• Network IDS
• Wireless IDS
• IEEE 802.11i
• IEEE 802.11ae
• IEEE 802.11af

Are all of these components? Where do they map?

Page 11: Example Component Catalog

Comp ID | Comp Name | Comp Descr | FCP | … | AAC | Prim Edge | … | Util Entps | Notes
--------+-----------+------------+-----+---+-----+-----------+---+------------+------
1       | Abc       | …          | Y   | . | N   | Y         | . | Y          | …
2       | Def       | …          | N   | . | N   | Y         | . | Y          | …
3       | Hij       | …          | Y   | . | N   | Y         | . | N          | …
4       | Klm       | …          | N   | . | Y   | N         | . | N          | …
5       | Nop       | …          | Y   | . | N   | Y         | . | N          | …
6       | Qrs       | …          | N   | . | Y   | N         | . | N          | …
7       | Tuv       | …          | Y   | . | N   | Y         | . | Y          | …
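As an added example (not part of the deck or the task force's deliverables), a small Python checker that applies the page 8 component criteria to catalog entries and lists the SSR-category by security-domain cells of the page 9 mapping that no admissible component covers. The category codes and domain names are taken from the slides; the Component fields and the sample catalog entries are assumed and constructed here.

```python
from dataclasses import dataclass

# SSR category codes (primary, supporting, assurance) and security domains,
# both as named on the slides.
SSR_CATEGORIES = ["FCP", "FIN", "FAV", "FID", "FAT", "FAZ", "FNR", "FAU",
                  "FAS", "FBS", "FCS", "FNS", "FRS", "FTS",
                  "ADR", "AOR", "AHR", "AAY", "AAC"]
DOMAINS = ["Premise Edge", "Utility Edge", "Communication", "Automated Network",
           "Managed Network", "Utility Enterprise"]


@dataclass(frozen=True)
class Component:            # assumed catalog entry layout, not the deck's schema
    comp_id: int
    name: str
    categories: frozenset   # SSR codes the component covers
    domains: frozenset      # security domains where it applies
    is_policy: bool = False
    is_product: bool = False
    in_market: bool = True


def criteria_violations(c):
    """Page 8 criteria the entry fails; an empty list means it is admissible."""
    checks = [
        (c.categories <= set(SSR_CATEGORIES) and c.domains <= set(DOMAINS), "unknown SSR or domain code"),
        (bool(c.categories), "covers no SSR category"),
        (bool(c.domains), "covers no security domain"),
        (not c.is_policy, "is a policy, not a component"),
        (not c.is_product, "is a product, not a component"),
        (c.in_market, "not available in the market"),
    ]
    return [msg for ok, msg in checks if not ok]


def coverage_gaps(catalog):
    """(category, domain) cells of the mapping matrix no admissible entry covers."""
    covered = {(cat, dom) for c in catalog if not criteria_violations(c)
               for cat in c.categories for dom in c.domains}
    return [(cat, dom) for cat in SSR_CATEGORIES for dom in DOMAINS
            if (cat, dom) not in covered]

# Constructed sample catalog; the names echo the deck's example components.
SAMPLE_CATALOG = [
    Component(1, "AES Block Encryption Strategy", frozenset({"FCP", "FCS"}), frozenset(DOMAINS)),
    Component(2, "Network Packet Filter", frozenset({"FBS", "FAZ"}), frozenset({"Utility Edge", "Communication"})),
    Component(3, "RADIUS Server", frozenset({"FAT", "FAZ", "FAU"}), frozenset({"Utility Enterprise"})),
    Component(4, "Key rotation policy", frozenset({"FCS"}), frozenset({"Utility Enterprise"}), is_policy=True),
    Component(5, "Vendor meter model", frozenset({"FIN"}), frozenset({"Premise Edge"}), is_product=True),
]
```

Entries that fail a criterion are excluded from the gap calculation, so a product or policy listed in the catalog does not hide a missing component.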

Page 12: Agenda (repeat of the page 2 agenda slide)

Page 13: Deliverable Suite Usage

Page 14: 2009 Transformation

Page 15: Agenda (repeat of the page 2 agenda slide)

Page 16: Outreach – Washington, DC

• Objective: Increase awareness in Washington, DC that the electric power industry is proactively addressing this important issue in a productive manner
• Inform policy-makers:
  1. Security for AMI is important
  2. Utilities are proactively and collaboratively addressing the issue
  3. We have produced the first round of guidance for AMI and are working on expansion for the Smart Grid

Page 17: Outreach – Washington, DC

Page 18: Agenda (repeat of the page 2 agenda slide)

Page 19: Planning / Logistics