SGIP Update Meetings


Cyber Security Working Group, November 2010
Marianne Swanson

[email protected]

November 30, 2010

Agenda

Industry Update: NESCO (Rhonda Dunfee)

Subgroup Updates (Subgroup Leads)

November 30-December 3, 2010

The NESCO Group: EnergySec + EPRI
Rhonda Dunfee

[email protected]

Roadmap Updated to Include Smart Grid

• Published in January 2006, updated Roadmap in development
• Energy Sector’s synthesis of critical control system security challenges, R&D needs, and implementation milestones
• Provides strategic framework to
  – align activities to sector needs
  – coordinate public and private programs
  – stimulate investments in control systems security

Roadmap Vision: In 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function.

The NESCO Group

• Mission: Lead a broad-based, public-private partnership to improve electric sector energy systems cyber security
• Vision: An industry owned and operated group that supports electric sector response efforts to address cyber events
• Goals:
  • Identify and disseminate cyber security best practices to the sector
  • Analyze, monitor and relay infrastructure weakness and threat information
  • Work with federal agencies to improve electric sector cyber security
  • Encourage key electric sector supplier and vendor support / interaction

The NESCO Group Funding

• $16.2M Cost-sharing award ($10M Federal)
  – EnergySec – NESCO (Total $9,752,730)
  – EPRI – NESCOR, a research and analysis resource for NESCO (Total $6,662,500)

Activities to Date

• Sep 30: Completed
  • Internal DOE meeting to discuss expectations and roles
  • Meetings with EnergySec and EPRI discussing roles/responsibilities
  • Definitized EnergySec agreement awarded (eff. Oct 1)
  • Undefinitized EPRI agreement awarded (expected definitization Dec 31)
• Nov 2-3: Visit with ICS-CERT at Idaho National Laboratory
• Nov 3-4: Participation in the TCIPG Industry Workshop
• Nov 17: Kickoff Meeting for NESCO/NESCOR
  • Identify key milestones and deliverables
  • Discuss expectations
• Nov 18: Informational Briefing for Federal Partners in DC
• Dec 1: Participation in the CIP Congress at the National Harbor
• Dec 8-9: Participation in CIPC in Tampa

NESCO - ENERGYSEC

SGIP GridInterOp, November 30-December 3, 2010

EnergySec

• 501(c)(3) non-profit organization
• 401 active portal users from 108 unique organizations
• Organizations represent 54.92% U.S. generation and 66.79% electric distribution
• Current board of directors and advisory team consist of industry professionals in information security, physical security, engineering, plant operations, disaster recovery, telecommunications, etc.
• First deliverable complete: Closed mailing list to replace the general EnergySec Forum and enable participants to more easily interact

Strengthen the Cyber Security Posture of the Electric Sector

• Establish a broad-based public-private partnership for collaboration and cooperation
  • Develop NESCO membership
  • Conduct Town Hall Meetings
  • Improve collaboration with government
  • Reach out to other industry groups, academia and organizations
    • For example, ES-ISAC, ICSJWG, NERC
  • Encourage vendor and manufacturer involvement in collaboration

EnergySec Portal: Enhance Electric Infrastructure Reliability and Cyber Security Solutions Development

• Coordinate “end user” testing opportunities for projects and research requiring broad industry adoption for success
• Create code and best practices repository
• Create working groups to evaluate incidents and best practices

Provide a Path for Rapid Information Dissemination

• Establish a rapid notification system
• Develop situational awareness information dissemination system for threat and vulnerability information
• Enhance collaboration web portal
• Institute the capability to share information, best practices, resources, and solutions to and from domestic and international electric sector participants

Provide Data Analysis and Forensics Capabilities to Assess Cyber-Related Threats and Events

• Provide on-demand service to conduct forensics for cyber security breaches through external organizations who are forensics leaders
• Design and implement a data analysis program

Additional Tasks

• Project management
• Assist in developing strategies to protect the energy infrastructure
• Stimulate support and interaction with key electric sector suppliers and vendors

NESCOR - EPRI


Electric Power Research Institute

• Independent nonprofit organization
• Conducts R&D relating to the generation, delivery and use of electricity
• Members represent more than 90% of the electricity generated and delivered in the U.S.
• International partnership includes 40 countries

Collaborate and Provide Input to NESCO

• Support NESCO in enhancing collection and dissemination of threat and vulnerability information to industry
• Assist NESCO and others in developing strategies to identify and prepare for immediate and future challenges to grid reliability, resiliency, and security
• Review and assess existing cyber security standards to meet requirements and identify gaps in cyber security capabilities
• Conduct cost-benefit analyses of graded risk management approach
• Develop testing methodologies and facilitate testing

DISCUSSION


Information Sharing Approach

• Building on EnergySec’s past successes
• Keys have been proficiency, familiarity and trust
• Built relationships at the operations, management, and executive levels among companies within the energy sector
• Provided trusted and effective forums for obtaining mutual assistance on issues related to critical infrastructure protection
• Developed trust within the industry in order to develop, promote, and support new information sharing technologies that provide both confidentiality and impartiality
• Focused on the industry
• Emphasized timeliness as demanded by the current threat and risk landscape

Issues/Concerns

• Constraints to NESCO
  • Staged Cost-sharing leading to self-sustainability in 3 years
  • Large sector size
  • Diverse stakeholders (asset owners/operators; generation, transmission and distribution; end users, vendors)
• Collaboration with Federal agencies and Industry organizations
• Avoiding duplication of effort and establishing roles/responsibilities
• Information sharing
  • Government → NESCO
  • Industry → NESCO

Rhonda Dunfee
Infrastructure Security & Energy Restoration Division
Office of Electricity Delivery & Energy Reliability
DOE
[email protected]

CSWG Subgroup Updates
Subgroup Leads

Subgroup Updates

AMI Security (Darren Highfill)

Design Principles (Daniel Thanos)

Privacy (Tanya Brewer)

Testing & Certification (Sandy Bacik)

AMI Sec

• Twiki: http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CsCTGAMI
• Meetings: Tuesdays at 13:00 Eastern
• Dial-in Information: 866-793-6322 X3836162#
• Mailing list: [email protected]
• To join the mailing list contact [email protected]
• Co-Chair contact information
  • Darren Highfill ([email protected])
  • Ed Beroset ([email protected])

AMI Security Subgroup – Scope

• Back-office components that have metering as primary focus
  • E.g.: MDMS is in scope, CIS is not
• Through the electric meter or utility-owned/operated gateway
  • Water meters, gas meters, and customer-owned/operated devices are not explicitly in scope
  • Interface-Oriented Projection of Requirements: Devices wishing to communicate using AMI must meet certain capabilities and follow certain behavior to be allowed on the network
  • May develop “classes” of device requirements to account for highly heterogeneous resource constraints (i.e.: home EMS vs. gas meter)
• All layers of communications stack
  • Challenge in finding appropriate SDO to work with
  • Consensus from St. Louis: benefits of unified document addressing AMI in the manner it is procured outweigh challenges

AMI Security Subgroup – PAP Proposal

• Consensus: Propose a Priority Action Plan to standardize a set of requirements for AMI security
  • Proposal is stronger if we know which SDO/SSO we want to work with
  • Current draft: http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/AMISecurityRequirements
  • Linked on CSCTGAMI and Priority Action Plans pages
• Criteria for selecting SDO/SSO
  • Industry acceptance
  • Expertise in power systems, especially advanced metering
  • Expertise in communications, networking, and security
  • Openness to interaction with AMI Security Subgroup and the SGIP
  • Ability to work quickly
  • Cost of final product (i.e. purchase price of standard)
• Nominated SDOs/SSOs
  • ANSI, IEC, IEEE, IETF, ISA, and NEMA
  • AMI Security Subgroup to produce and distribute RFI

Design Principles

Twiki: http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CSWGDesignPrinciples

Meetings: Fridays 15:30 Eastern

Dial-in Information: 800-728-9607 X4570752#

Mailing list: [email protected]

To join the mailing list contact [email protected]

Chair contact information

Daniel Thanos ([email protected])

Privacy

Twiki: http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CSCTGPrivacy

Meetings: Thursdays, 11:00 Eastern

Dial-in Information: 866-802-3515 X2817109#

Mailing list: [email protected]

To join the mailing list contact [email protected]

Chair contact information

Rebecca Herold ([email protected])

Smart Grid Privacy Group Scope/Mission

To identify and clearly describe privacy concerns within the Smart Grid and opportunities for their mitigation. In addition, the group strives to clarify privacy expectations, practices, and rights with regard to the Smart Grid by:

• Identifying potential privacy problems and encouraging the use of relevant existing fair information practices
• Seeking the input of and educating Smart Grid entities, subject matter experts, and the public on options for protecting privacy of, and avoiding misuse of, personal information used within the Smart Grid
• Providing recommendations for coordinating activities of relevant local, state, and federal agencies regarding Smart Grid privacy related issues
• Making recommendations and providing information to organizations developing privacy policies and practices that promote and protect the interest of Smart Grid consumers and organizations

Smart Grid Privacy Group Scope/Mission

Try to answer questions such as those received informally:

• “How will information about my energy consumption (days, times, amounts, and other use profile information) be used shared with business partners?”
• “Will there be any public way to verify addresses or names of clients of the grid?”
• “Any and all PII will be considered private and confidential I hope. Or will they make the mistakes of so many others in the past of doing reverse lookups based on meter numbers or neighborhood consumption reports?”
• “Do the Fair Information Practice principles (“FIPs”) provide a sound and adaptable framework for addressing consumer privacy concerns or are they just the baseline?”
• “How secure are the meters, HAN and other communication devices (secure in the means of protecting customer information)?”
• “What types of "click and consent" models will be used?”
• “How will information be shared and used, and how will it be protected?”
• “What kind privacy protections will be in place prior to allowing third party access?”

Group Demographics

The NIST Smart Grid Privacy Subgroup currently includes:

• Energy and Utilities Industry Experts
• State Public Utilities Commission Representatives
• Information Security Experts
• Privacy Experts
• Attorneys and Legal Experts
• University Professors and Students

Other technical, operational and privacy experts, from all regions, are welcome to join the group!

Work Going Forward

• Address privacy issues for businesses (commercial, institutional, industrial)
• Expand upon PEV issues
• Discuss National Strategy for Trusted IDs in Cyber Space (NSTIC) impact on privacy in the Smart Grid
• Address privacy issues related to energy generation
• Add more privacy use cases to what is in NISTIR 7628
• Add more discussion of opt-in versus opt-out: what real choices are possible to allow Smart Grid functioning and what is not?
• Expand upon data collection endpoints/paths (e.g., private internetworks, storage media devices, etc.) that will be part of the Smart Grid
• Expand upon Internet- and wireless-related issues

Work Going Forward

[Table: Smart Grid Categories with Potential Privacy Issues. Rows: Smart Meters (energy usage, pricing data, smart device data); PEVs (NOTE: requested by PAP11): private charging station (energy usage, pricing data, PEV related data), public charging station (PEV related data), servicing. Column groups: Consumers (expanding upon Version 1 of NISTIR 7628), Commercial/Institutional (apartments, hospitals, dormitories, etc.), Commercial/Non-Institutional (office buildings, retail stores, data centers, car rentals, etc.), each with Physical, Administrative, Technical, and Privacy Impacting Data columns. The per-cell X/P markings did not survive extraction.]

Wrap-Up

Thank you to everyone for your contributions and support

On Wednesday,
• Annabelle Lee, FERC, will provide us with an update on the FERC standards review
• CSWG PAP liaisons and their involvement in the PAPs will be discussed
• CSWG Standards subgroup lead will provide a review of what the standards subgroup has accomplished and the standard template the CSWG uses for the standard review process
• Preview of the CSWG 3-year plan

Twiki: http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG