[] IPT

advertisement
Smart Grid
Cyber Security
Annabelle Lee
Senior Cyber Security Strategist
Computer Security Division
National Institute of Standards and
Technology
June 17, 2009
1
President’s Cyberspace Policy Review
…as the United States deploys
new Smart Grid technology, the
Federal government must
ensure that security standards
are developed and adopted to
avoid creating unexpected
opportunities for adversaries to
penetrate these systems or
conduct large-scale attacks.
2
2
What Interoperability Standards are
Needed?
Standards are needed for each of the interfaces shown to support many different smart grid
applications. Standards are also needed for data networking and cyber security
Electricity
Information
Wholesale Market
Operations
Data Communication
Back Office
Customer Operations
Wide Area Network
Metering
Bulk Power
Generation
Operations
3
Distributed
Energy Resources
Transmission
Operations
Distribution
Operations
Retail Delivery
Operations
Customer
LAN
Consumers
3
Current Grid Environment…
 Limited cyber security controls currently in place
 Specified for specific domains – bulk power
distribution, metering
 Vulnerabilities might allow an attacker to
 Penetrate a network,
 Gain access to control software, or
 Alter load conditions to destabilize the grid in
unpredictable ways
 Even unintentional errors could result in
destabilization of the grid
4
4
Current Grid Environment…(2)
 Cyber security must address
 Deliberate attacks such as from
 Disgruntled employees,
 Industrial espionage, and
 Terrorists
 Inadvertent compromises of the information
infrastructure due to
 User errors,
 Equipment failure, and
 Natural disasters
5
5
Potential Cyber Security Issues
 Increasing complexity can introduce vulnerabilities
and increase exposure to potential attackers
 Interconnected networks can introduce common
vulnerabilities
 Increasing vulnerability to communication and
software disruptions could result in
 Denial of service or
 Compromise of the integrity of software and systems
6
6
Potential Cyber Security Issues (2)
 Increased number of entry points and paths for
adversaries to exploit
 Potential for compromise of data confidentiality,
including the breach of customer privacy
7
7
The Way Forward…
 The overall cyber security strategy for the Smart
Grid must
 Address both domain-specific and common risks
 Ensure interoperability among the proposed cyber
security solutions
 With the adoption and implementation of the
Smart Grid
 The IT and telecommunication sectors will be more
directly involved
8
8
Smart Grid Cyber Security Strategy
 Establishment of a cyber security coordination task
group (CSCTG)
 Over 130 participants
 Have established several sub-working groups




Vulnerability Class analysis
Bottom-Up assessment
Use Case analysis
Standards/requirements assessment
 Weekly telecon
 Separate page on the Smart Grid Twiki
9
9
Smart Grid Cyber Security Strategy (2)
 The strategy…
 Selection of use cases with cyber security considerations
 Performance of a risk assessment of the Smart Grid,
including assessing vulnerabilities, threats and impacts
 Development of a security architecture linked to the
Smart Grid conceptual architecture
 Identification of cyber security requirements and risk
mitigation measures to provide adequate protection
 The final product
 A set of recommended cyber security requirements
10
10
Low Hanging Fruit Standards
 Could have security requirements relevant to
one or more aspects of the smart grid
 Directly Relevant to Smart Grid
 NERC CIP 002-009, Cyber Security
 IEEE 1686, IEEE Standard for Substation Intelligent
Electronic Devices (IEDs) Cyber Security Capabilities
 AMI-SEC System Security Requirements
 OpenHAN SRS
 IEC 62351, Power System Control and Associated
Communications - Data and Communication Security,
Parts 1-8
11
11
Low Hanging Fruit Standards (2)
 Could have security requirements relevant to
one or more aspects of the smart grid (cont.)
 Control Systems and close corollary
 ANSI/ISA-99, Manufacturing and Control Systems Security,
Parts 1 and 2
 NIST SP800-53, Recommended Security Controls for
Federal Information Systems
 NIST SP800-82, DRAFT Guide to Industrial Control Systems
(ICS) Security
 DHS Procurement Language for Control Systems
 ISA SP100, Wireless Standards
12
Preliminary List of Requirements
 Identification and authentication
 To provide unambiguous reference to system entities
 Access control to protect critical information
 Integrity
 To ensure that the modification of data or commands is
detected
 Confidentiality to protect sensitive information,
including
 Personally identifiable information (PII)
 Business identifiable information (BII)
 Availability to ensure that
 Intentional attacks, unintentional events, and natural
disasters do not disrupt the entire Smart Grid or result
in cascading effects
13
Preliminary List of Requirements (2)
 Techniques and technologies for isolating and
repairing compromised components of the Smart
Grid.
 Auditing to monitor changes to the Smart Grid
14
Contacts
 URL for the CSCTG Twiki site:
http://collaborate.nist.gov/twikisggrid/bin/view/SmartGrid/CyberSecurityCTG
 Lead: Annabelle Lee
 Phone: 301.975.8897
 Email: annabelle.lee@nist.gov
 BB: 240.364.4931
15
15
Download