IPT - Mid-America Regulatory Conference

Download Report

Transcript IPT - Mid-America Regulatory Conference

Smart Grid Cyber Security

Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology

June 17, 2009 1

2

President’s Cyberspace Policy Review

…as the United States deploys new Smart Grid technology, the Federal government must ensure that security standards are developed and adopted to avoid creating unexpected opportunities for adversaries to penetrate these systems or conduct large-scale attacks.

2

What Interoperability Standards are Needed?

Standards are needed for each of the interfaces shown to support many different smart grid applications. Standards are also needed for data networking and

cyber security

Electricity Information Data Communication Wholesale Market Operations Wide Area Network Back Office Customer Operations 3 Bulk Power Generation Operations Transmission Operations Metering Distributed Energy Resources Distribution Operations Retail Delivery Operations Customer LAN Consumers

3

4 Current Grid Environment…  Limited cyber security controls currently in place  Specified for specific domains – bulk power distribution, metering  Vulnerabilities might allow an attacker to  Penetrate a network,  Gain access to control software, or  Alter load conditions to destabilize the grid in unpredictable ways  Even unintentional errors could result in destabilization of the grid

4

5 Current Grid Environment…(2)  Cyber security must address  Deliberate attacks such as from    Disgruntled employees, Industrial espionage, and Terrorists  Inadvertent compromises of the information infrastructure due to    User errors, Equipment failure, and Natural disasters

5

6

Potential Cyber Security Issues

 Increasing complexity can introduce vulnerabilities and increase exposure to potential attackers  Interconnected networks can introduce common vulnerabilities  Increasing vulnerability to communication and software disruptions could result in  Denial of service or  Compromise of the integrity of software and systems

6

7 Potential Cyber Security Issues (2)  Increased number of entry points and paths for adversaries to exploit  Potential for compromise of data confidentiality, including the breach of customer privacy

7

8 The Way Forward…  The overall cyber security strategy for the Smart Grid must  Address both domain-specific and common risks  Ensure interoperability among the proposed cyber security solutions  With the adoption and implementation of the Smart Grid  The IT and telecommunication sectors will be more directly involved

8

Smart Grid Cyber Security Strategy

 Establishment of a cyber security coordination task group (CSCTG)  Over 130 participants  Have established several sub-working groups     Vulnerability Class analysis Bottom-Up assessment Use Case analysis Standards/requirements assessment  Weekly telecon  Separate page on the Smart Grid Twiki 9

9

Smart Grid Cyber Security Strategy (2)

 The strategy…  Selection of use cases with cyber security considerations  Performance of a risk assessment of the Smart Grid, including assessing vulnerabilities, threats and impacts  Development of a security architecture linked to the Smart Grid conceptual architecture  Identification of cyber security requirements and risk mitigation measures to provide adequate protection  The final product  A set of recommended cyber security requirements 10

10

Low Hanging Fruit Standards

 Could have security requirements relevant to one or more aspects of the smart grid  Directly Relevant to Smart Grid  NERC CIP 002-009,

Cyber Security

 IEEE 1686,

IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities

   AMI-SEC

System Security Requirements

OpenHAN SRS IEC 62351,

Power System Control and Associated Communications - Data and Communication Security

, Parts 1-8

11

11

Low Hanging Fruit Standards (2)

 Could have security requirements relevant to one or more aspects of the smart grid (cont.)  Control Systems and close corollary  ANSI/ISA-99,

Manufacturing and Control Systems Security

, Parts 1 and 2  NIST SP800-53,

Recommended Security Controls for Federal Information Systems

 NIST SP800-82,

DRAFT Guide to Industrial Control Systems (ICS) Security

 DHS Procurement Language for Control Systems  ISA SP100,

Wireless Standards

12

Preliminary List of Requirements

 Identification and authentication  To provide unambiguous reference to system entities   Access control to protect critical information Integrity  To ensure that the modification of data or commands is detected  Confidentiality to protect sensitive information, including   Personally identifiable information (PII) Business identifiable information (BII)  Availability to ensure that  Intentional attacks, unintentional events, and natural disasters do not disrupt the entire Smart Grid or result in cascading effects

13

Preliminary List of Requirements (2)

 Techniques and technologies for isolating and repairing compromised components of the Smart Grid.

 Auditing to monitor changes to the Smart Grid

14

15

Contacts

 URL for the CSCTG Twiki site: http://collaborate.nist.gov/twiki sggrid/bin/view/SmartGrid/CyberSecurityCTG  Lead: Annabelle Lee 

Phone: 301.975.8897

Email: [email protected]

BB: 240.364.4931

15