1 / 34

SG Security WG Chair: Darren Reece Highfill darren@utilisec

UCAIug : Smart Grid Security OpenSG Face-to-Face (January 2010 – San Francisco, CA)  SG Security Working Group  AMI-SEC Task Force. SG Security WG Chair: Darren Reece Highfill darren@utilisec.org. SG Security Overview. Chair Darren Highfill, SCE Vice Chair Matt Carpenter, Inguardians

favian
Download Presentation

SG Security WG Chair: Darren Reece Highfill darren@utilisec

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. UCAIug: Smart Grid SecurityOpenSG Face-to-Face (January 2010 – San Francisco, CA)SG Security Working GroupAMI-SEC Task Force SG Security WG Chair: Darren Reece Highfill darren@utilisec.org

  2. SG Security Overview Chair Darren Highfill, SCE Vice Chair Matt Carpenter, Inguardians Secretary Bobby Brown, EnerNex Task Forces: AMI-SEC

  3. Agenda

  4. Status Updates • Charter • Review • Call for Vote • Security Profile Blueprint • AMI Security Profile v2.0 • Overview of Comments • Scheduling • Comment Classification • Negotiation / Discussion • Action Items • Third Party Data Access (3PDA) • Overview • Q&A • Action Items • ASAP-SG • Review of org / participation • Upcoming profiles • New Work Areas (?) • Joint Sessions • OpenHAN • OpenADE • OpenADR • AMI-ENT • SG Systems • SG Communications

  5. UtiliSec Charter • Chartered with developing detailed security and assurance requirements and security best practices guidance for organizations throughout the lifecycle of smart grid technology • Technology-specific, but vendor-agnostic guidance • Feed and accelerate SDO work (IEC, IEEE, etc.) • http://osgug.ucaiug.org/utilisec/Shared Documents/SG Security WG Charter v0.9-20100126.pdf

  6. Security Profile Blueprint • Status • Mature draft posted Dec. 2009 • http://osgug.ucaiug.org/utilisec/Shared Documents/Security Profile Blueprint/Security Profile Blueprint - v0_20 - 20091214.doc • Revisited after completion of each profile • Profile Creation Method • Establish Profile Scope • Define Logical Architecture • Identify Security-Related Constraints • Recommend Security Controls • Validate Profile

  7. AMI Security Profile Comments Discussion Points: • The use of "must", "shall", and "should" and corresponding definitions, then a group to review the consistency in the document. • No collaborative computing capabilities should be use in an AMI as it is a dedicated system for one function. • AMI is a dedicated system and should not support VoIP capabilities. • Should we add a glossary and acronym section - for example "reasonable", "strongly", "alert", "flaw". • Should "Smart Grid Application" be part of the Smart Grid components? • Should the security profile document be formatted to be used in RFPs?

  8. ASAP-SG: Summary • Project Description: • Utility-driven, public-private collaborative project to develop system-level security requirements for smart grid technology • Needs Addressed: • Utilities: specification in RFP • Vendors: reference in build process • Government: assurance of infrastructure security • Commissions: protection of public interests • Approach: • Architectural team  produce material • Usability Analysis team  assess effectiveness • NIST, UtiliSec  review, approve • Deliverables: • Strategy & Guiding Principles white paper • Security Profile Blueprint • 3 Security Profiles: AMI, ADE, Communications • Usability Analysis Schedule:Jun09 – Dec09 Budget: $3M ($1.5M Utilities + $1.5M DOE) Performers: Utilities, EnerNex, Inguardians, SEI, ORNL Partners: DOE Release Path: NIST, UCAIug Contacts: Bobby Brown bobby@enernex.com Darren Highfill darren@utilisec.org

  9. ASAP-SG: Upcoming Profiles • Distribution Automation • Wide Area Situational Awareness (i.e. Synchrophasors) • Home Area Networks • Substation Automation

  10. Joint Session SG Security & SG Systems SG Security WG Chair: Darren Reece Highfill darren@utilisec.org

  11. Template • Summary of SG Systems group security requirements • Relevant Technological Issues • Artifacts related to above issues • SG Security artifacts: existing and/or needed • Business artifacts from requesting group (e.g. use cases) • Q&A • Collaboration between SG Security and SG Systems group • Statement of Need • Task assignments

  12. SG-Systems • Summary of SG-Systems security requirements (Greg Robinson) • Outstanding Issues (Greg Robinson) • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and SG-Systems • SG-Systems Statement of Need • Task assignments

  13. OpenHAN • Summary of OpenHAN security requirements (Mary Zientara) • Issues (Robby Simpson) • Privacy • Securing one way communications • HAN network admissions • Application level security • Digital Certificate authority (technology, business, security credentials) • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and OpenHAN • OpenHAN Statement of Need • Task assignments

  14. Joint Session SG Security / OpenADE / OpenADR SG Security WG Chair: Darren Reece Highfill darren@utilisec.org

  15. OpenADE • Summary of OpenADE security requirements (Steve Van Ausdall / Dave Mollerstuen) • Third Party Data Access Security Profile (Darren Highfill) • Outstanding Issues (Steve Van Ausdall / Dave Mollerstuen) • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and OpenADE • OpenADE Statement of Need • Task assignments

  16. OpenADR • Summary of OpenADR security requirements (Albert Chiu) • Third Party Data Access Security Profile (Darren Highfill) • Outstanding Issues (Albert Chiu) • Use of public networks such as the internet • NERC CIP • Voluntary DR programs with pricing, weather, special days, etc. over different communications channels • Security lessons learned in current OpenADR deployments • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and OpenADR • OpenADR Statement of Need • Task assignments

  17. Joint Session SG Security / SG Communications SG Security WG Chair: Darren Reece Highfill darren@utilisec.org

  18. SG Communications • Summary of SG Communications group security requirements • Relevant Technological Issues • Artifacts related to above issues • SG Security artifacts: existing and/or needed • Business artifacts from requesting group (e.g. use cases) • Q&A • Collaboration between SG Security and SG Communications group • Statement of Need • Task assignments

  19. Joint Session SG Security / AMI-ENT SG Security WG Chair: Darren Reece Highfill darren@utilisec.org

  20. AMI-ENT • Summary of AMI-ENT security requirements (Mark Ortiz) • Outstanding Issues (Mark Ortiz) • Application level security • XML security considerations & messaging • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and AMI-ENT • AMI-ENT Statement of Need • Task assignments • Interested? Send an email to brian@enernex.com

  21. Wrap-up Session • AMI Security Profile comments • Interest Areas / Lists to be Formed • Prioritization / Action Items / Assignments • Call for Presenters / Topics

  22. AMI Security Profile • The intent of the document is to provide prescriptive, actionable guidance for how to build-in, procure and implement security for AMI smart grid functionality • This guidance is neutral to vendor specific implementations and architectures • Work extends from the meter data management system (MDMS) up to and including the home area network (HAN) interface of the smart meter

  23. What Should Be Logged? • Is there a definition for Security Events, Control Events, System/Device Confirmation changes? (DHS 2.16.2.1) • Log all success / all unsuccessful? (DHS 2.14.4.2, DHS 2.15.24.3) • Message details – (date, time, source, destination, message details) • Do we need a definition for security events, control events, system/device confirmation changes? (DHS 2.14.4.2, DHS 2.16.2.1) • Do we need to define levels of auditing? (DHS 2.16.4.1)

  24. AMI SP Comments - Summary • Use IEEE definitions for shall, should, etc. • Encryption – for supplemental guidance, level of protection needs to be applied to the data • Malicious code protection – use due diligence / care, remove the implementation guidance, general updates • Update document for “reasonable period of time”, “strongly authenticated”, “alert”, “alarm”, “flaw”

  25. AMI SP Comments – Summary (cont) • Review definition of Grid Control Center (4.3.9) • DHS 2.8.13 – Collaborative Computing requirements and verbiage • DHS 2.8.17 – VoIP requirement enhancements • DHS-2.14.2 – Flaw remediation – better definition • DHS 2.15.2.1 – Identification and authentication – more clarifications • Comment resolution team to send an email to the group about why the document is not suitable for an RFP document.

  26. AMI SP Comments Thank you everyone for the comments and contributions, they are greatly appreciated

  27. OpenSG Group Mappings – Comm View

  28. Closing Plenary SG Security SG Security WG Chair: Darren Reece Highfill darren@utilisec.org

  29. Progress This Week Key accomplishments Approved Charter Strong technical debate/review of AMI SP comments Introduction of 3PDA SP Collaborative sessions OpenHAN, OpenADR: Generate Statement of Need SG Network, AMI-ENT: Action items defined OpenADE: Delivered 3PDA SP

  30. Interest Areas / New Email Lists Third Party Data Access Usability Analysis General Interest (Future Task Force?) OpenHAN Support SG Communications Support AMI-ENT Support Lemnos (Configuration Profiles) Risk Assessment Application Security Requirements

  31. Moving Forward • Define agendas and action plans for next collaborative sessions • Facilitate sub-group formation & activity • Changes to AMI Security Profile • Resolution of comments • Mapping use cases and/or security domains to control requirements • Review / comment / revision of 3PDA SP

  32. SG Communications • Email reflector: • UtiliSec-Announce@SmartGridListServ.org • UtiliSec-Technical@SmartGridListServ.org • AMI-SEC@listserv.enernex.com • Webinar information: • Provided via UtiliSec-Announce list • Webinar times:

  33. Questions? darren@utilisec.org UtiliSec Collaboration Site http://osgug.ucaiug.org/utilisec

More Related