Transcript Slide 1
Practical Smart Grid Security • • • • • Skipping “why security is important” The state of smart grid security now Standards set, standards coming General Templates & Helpful Docs Making decisions without standards The Smart Grid Security Problem • Large AMI projects are being prematurely deployed “live” onto the grid without adequate security technologies in place, putting national infrastructure (and consumers) at risk. – – • • • Utilities may face liability claims and possibly regulatory fines if inadequate security enables hackers or terrorists to use smart grid vulnerabilities to interrupt service or steal customer data. Consumers who believe a utility has not secured their information will resist smart grid rollouts politically in the future. Security problems are impacting active deployments (San Diego Gas & Electric 2Q09 missed deadline) The required cryptography expertise is often simply not present in these organizations Mature security standards and best practices (from other disciplines) already exist that could facilitate secure smart grid deployment – but SG designers often unaware of them. Why Securing the Smart Grid is Hard • Problem space is poorly defined – No universally agreed-upon objectives or desired outcomes for security (SG Security Blueprint, currently in version 0.2, is trying to address this) • Cutting edge networking technology invading a “slow-tech” industry – Utilities not usually rapid adopters of new technologies – Cultural issues between conservative engineers and “agile” IT/VC types – Technological, best-practices chasms between IP-based IT community and “Babel” of traditional industrial control systems • Multiple stakeholders with different agendae – Utilities, regulators, consumers, integrators, IT companies, software co’s, network providers, maintenance co’s, entrenched equipment providers… and security experts. Technologies in the SmartGrid Value Chain Individual domains often developed independently without regard for requirements of other layers Source: Enernex Case in Point: Communications Standards in Different Smart Grid Domains Source: Enernex SmartGrid Segments & Players Pervasive Enablement Connectivity • Arch Rock • Digi International • Echelon • Ember • Enfora • Garrettcom • Lantronix • Moxa • Opto-22 • Ruggedcom • Sierra Wireless • B&B Electronics • Perle IT Infrastructure • HP • IBM • OSIsoft • Cisco • Oracle • EMC • Sun Microsystems • Google • Microsoft Carriers • Verizon • ATT • Orange • Sprint/Nextel • T Mobile Software • Mocana • Cimetrics • eMeter • Gridagents/Infotility • GridLogix/JCI • SmartSignal • Tendril • Tridium • Ventyx • Optimal Tech • Positive Energy • BPL Global Networks • Arcadian Networks • Ambient Networks • Tropos • SkyTel Managed Services • Aeris.net • Qualcomm • Kore Telematics Home Energy • Energate • Radio Thermostat • Sequentric • ONZO • Greenbox Tech • Powermand • 4Home • LS Research Product/Device OEMs AMI Infrastructure • Silver Spring • Trilliant • Current Group • Elster • Itron • Sensus • SmartSync • Tantalus • Cellnet & Hunt • Aclara • Eka Systems Demand Response Systems • Enernoc • Comverge • Advanced Telemetry • GridPoint • Cpower • DeepStream Premise EquipMeters • Elster • GE Energy • Itron • Sensus • Landis & Gyr • Tantalus • Transdata Power Dist Equip • ABB • Schneider Elec • Eaton • GE • Hitachi • Siemens • Cooper • EDMI • Nova Tech • S&C Electric • SEL • Fuji Batteries Power Generation • GE Energy • Siemens • Alstom • ABB • Areva • Hitachi • Toshiba • Mitsubishi Power Gen – Dist Wind: • Gamesa • GE Energy • Vestas • Suzlon • Enercon • Clipper PV: • SunPower • First Solar • Q-Cells • Sharp • Suntech DG: • Smart Fuel Cells • Capstone • EnerFuel • infinia • Cummins Power Gen. • Rolld-Royce • Caterpillar • UTC Fuel Cells • Whisper Tech Services Utilities Energy Services • Ameresco • EnergySolve • Power System Eng’ng • Horizon Energy Group • Summit Energy • Chevron Energy Sol. • Constellation Energy • NORESCO • AECOM • Pepco • KEMA Investor Owned • Duke Energy • Xcel • PG&E • Con Edison • Sempra Energy • FPL • AEP • Northeast Utilities • Exelon Integrators • Accenture • CapGemini • EDS / HP • Enspiria • IBM • Logica CMG Energy Traders • Sempra Arch/Engineers • Black & Veatch • Sargent & Lundy • Power System Eng’ng • URS Corp • Jacobs Engineering • Flour Electrical Distributors • Rexel • Sonepar • Graybar Electric • WESCO Electric Global • Enel • Hydro One • Elektromed • Vattenfall • Fortum • E.ON End Use Commercial Institutional Industrial Residential SmartGrid Security Now: Dozens of non-interoperable pilot implementations across the country. California – PG&E is on track to deploy nearly 10 million electric and gas meters by end of 2011, currently at 2.3 million installed. GE, Silver Spring Networks. Austin, Texas – Austin Energy to roll out Phase 1 smart-grid project of 500k smart meter devices by July-09. The utility has also installed 86,000 smart thermostats and 2,500 distribution grid sensors across its service territory. GE Energy, IBM, Oracle, GridPoint. Ontario, Canada – The province mandated to install 1.3 million smart meters in every home and small business by 2010. Trilliant to provide communication infrastructure and software applications. Enel of Italy –over 27 million installed smart meters, largest in world at cost of >€2.1b. Enel estimates savings at 500 million Euros/yr, suggesting an astonishingly short 4 year payback time. These projects are very large in scale, typically ~$1b per. EPRI estimates the spend on these projects in the US at ~$8b annually for the next 20 years! Security Challenges in AMI Template: Smart Grid Security Lifecycle Source: Southern California Edison Security Standards Groups to Keep an Eye On: UCA International Users Group (UCAIug - SG Security Working Group) AMI-SEC Task Force NIST Cyber Security Coordination Task Group Advanced Security Acceleration Project (ASAP-SG) Interim SmartGrid Roadmap published by the National Institute of Standards & Technology (NIST) in Sept’09… covers >100 standards. Already announced: • UtilSec Working Group of UCAIug; AMI-SEC System Security Requirements – – SECURITY PROFILE BLUEPRINT 0.20 (Dec’09) Associated, application-specific Security Profile (SP) documents • IEC standard for “Information security for power system control operations,” • IEEE 1686 “Security for intelligent electronic devices,” • North American rd for “Information security for power system control operationsrd for “Information security for power system control” • NIST “Cyber security standards and guidelines for federal information systems, including those for the bulk power system.” – OTHERS: OpenHAN, Zigbee, Z-Wave, Homeplug, IEC 62351, OpenADR – IEC 61850, international standard for electric power device communication interoperability. Security Standards Announced Two Days Ago: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 http://www.nist.gov/public_affairs/releases/smartgrid_interoperability_final.pdf a conceptual reference model to facilitate design of an architecture for the Smart Grid overall and for its networked domains; an initial set of 75 standards identified as applicable to the Smart Grid; priorities for additional standards – revised or new – to resolve important gaps; action plans under which designated standards-setting organizations will address these priorities; and an initial Smart Grid cyber security strategy and associated requirements. A companion draft document, NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements, also underwent public review. A subsequent draft of the cyber security strategy, will be issued in February. NIST intends to finalize the Smart Grid cyber security stds in late spring (!) Some Individuals to Watch “Moving the Needle” on SmartGrid Security George Arnold Jim Nutaro Bobby Brown Justin Searle Kevin Brown Vishant Shah Matthew Carpenter Brian Smith Darren Highfill Adrian Turner Erfan Ibrahim Andrew Wright James Ivers Teja Kuruganti Annabelle Lee Howard Lipson What We’re All Waiting For • Smart Grid Security Blueprint 1.0 from UCAIug • Associated “Security Profiles” for specific applications. – provide prescriptive, actionable guidance for how to implement security for smart grid functionality. – Vendor agnostic What to do in the meantime • Read the draft blueprint from UCAIug and any security profiles you can get your hands on. • Seek out crypto and security expertise for your project (in house or outside), and assign a lead – don’t wing it. • Design for the Future = “All IP”. • Be especially wary of vendor lock-in at this stage. • Design for Flexibility = secure remote updating capabilities – and PKI keying approaches are crucial. • Ask lots of questions!! • Get a third-party security evaluation when your architecture is defined, and when you’re in Beta. Other Docs to Reference • Electric Power Research Institute (EPRI). 2009, June. Report to NIST on the Smart Grid Interoperability Standards Roadmap. • National Institute of Standards and Technology. 2009, September. NISTIR 7628 – Smart Grid Cyber Security Requirements (Draft 1). • Department of Homeland Security, National Cyber Security Division. 2009, September. Catalog of Control Systems Security: Recommendations for Standards Developers. • National Institute of Standards and Technology. 2007, December. NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems. • National Institute of Standards and Technology. 2007, December. NIST SP 800-39 (second public draft) – Managing Risk from Information Systems. • National Institute of Standards and Technology. 2007, December. NIST SP 800-53 Rev. 2 Recommended Security Controls for Federal Information Systems. • National Institute of Standards and Technology. 2007, September 28. NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security (2nd DRAFT). • The Common Criteria. 2007, September. Common Criteria v3.1 – Part 2: Security Functional Requirements Release 2 and Part 3: Security Assurance Requirements Release 2. The Common Criteria. • UCA International Users Group – SG Security Working Group. 2009, October. Security Profile for Advanced Metering Infrastructure (Draft 0.49). Summary • Smart Grid security is a big problem with a big surface area, it’s not limited to a few poorly-implemented products or rollouts. • Be mindful that security for embedded environments and sensor networks is its own discipline – can’t directly map traditional PC/IT security over to the Grid. • Security expertise isn’t readily available within Utilities or the equipment companies that supply it – you must seek it out. • Realize that vendors will try hard to lock you in to proprietary solutions at this stage. • are coming, but not fast enough – that means you’ll need to improvise, and try to keep your options open for the future. Slides or Docs? • Send me an email at [email protected] and I’ll send you the current standards blueprint and these slides.