1 / 18

Practical Smart Grid Security

Practical Smart Grid Security. Skipping “why security is important”  The state of smart grid security now Standards set, standards coming General Templates & Helpful Docs Making decisions without standards. The Smart Grid Security Problem.

sandra_john
Download Presentation

Practical Smart Grid Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical Smart Grid Security • Skipping “why security is important”  • The state of smart grid security now • Standards set, standards coming • General Templates & Helpful Docs • Making decisions without standards

  2. The Smart Grid Security Problem Large AMI projects are being prematurely deployed “live” onto the grid without adequate security technologies in place, putting national infrastructure (and consumers) at risk. Utilities may face liability claims and possibly regulatory fines if inadequate security enables hackers or terrorists to use smart grid vulnerabilities to interrupt service or steal customer data. Consumers who believe a utility has not secured their information will resist smart grid rollouts politically in the future. Security problems are impacting active deployments (San Diego Gas & Electric 2Q09 missed deadline) The required cryptography expertise is often simply not present in these organizations Mature security standards and best practices (from other disciplines) already exist that could facilitate secure smart grid deployment – but SG designers often unaware of them.

  3. Why Securing the Smart Grid is Hard Problem space is poorly defined No universally agreed-upon objectives or desired outcomes for security (SG Security Blueprint, currently in version 0.2, is trying to address this) Cutting edge networking technology invading a “slow-tech” industry Utilities not usually rapid adopters of new technologies Cultural issues between conservative engineers and “agile” IT/VC types Technological, best-practices chasms between IP-based IT community and “Babel” of traditional industrial control systems Multiple stakeholders with different agendae Utilities, regulators, consumers, integrators, IT companies, software co’s, network providers, maintenance co’s, entrenched equipment providers… and security experts.

  4. Technologies in the SmartGrid Value Chain

  5. Individual domains often developed independently without regard for requirements of other layers Source: Enernex

  6. Case in Point: Communications Standards in Different Smart Grid Domains Source: Enernex

  7. SmartGrid Segments & Players Pervasive Enablement Product/Device OEMs Services Utilities End Use • Energy Services • Ameresco • EnergySolve • Power System Eng’ng • Horizon Energy Group • Summit Energy • Chevron Energy Sol. • Constellation Energy • NORESCO • AECOM • Pepco • KEMA • Integrators • Accenture • CapGemini • EDS / HP • Enspiria • IBM • Logica CMG • Energy Traders • Sempra • Arch/Engineers • Black & Veatch • Sargent & Lundy • Power System Eng’ng • URS Corp • Jacobs Engineering • Flour • Electrical Distributors • Rexel • Sonepar • Graybar Electric • WESCO Electric • Investor Owned • Duke Energy • Xcel • PG&E • Con Edison • Sempra Energy • FPL • AEP • Northeast Utilities • Exelon • Global • Enel • Hydro One • Elektromed • Vattenfall • Fortum • E.ON • Power Generation • GE Energy • Siemens • Alstom • ABB • Areva • Hitachi • Toshiba • Mitsubishi • Power Gen – Dist Wind: • Gamesa • GE Energy • Vestas • Suzlon • Enercon • Clipper • PV: • SunPower • First Solar • Q-Cells • Sharp • Suntech • DG: • Smart Fuel Cells • Capstone • EnerFuel • infinia • Cummins Power Gen. • Rolld-Royce • Caterpillar • UTC Fuel Cells • Whisper Tech • Premise Equip- Meters • Elster • GE Energy • Itron • Sensus • Landis & Gyr • Tantalus • Transdata • Power Dist Equip • ABB • Schneider Elec • Eaton • GE • Hitachi • Siemens • Cooper • EDMI • Nova Tech • S&C Electric • SEL • Fuji • Batteries Commercial Institutional Industrial Residential • Software • Mocana • Cimetrics • eMeter • Gridagents/Infotility • GridLogix/JCI • SmartSignal • Tendril • Tridium • Ventyx • Optimal Tech • Positive Energy • BPL Global • Networks • Arcadian Networks • Ambient Networks • Tropos • SkyTel • Managed Services • Aeris.net • Qualcomm • Kore Telematics • Home Energy • Energate • Radio Thermostat • Sequentric • ONZO • Greenbox Tech • Powermand • 4Home • LS Research • Connectivity • Arch Rock • Digi International • Echelon • Ember • Enfora • Garrettcom • Lantronix • Moxa • Opto-22 • Ruggedcom • Sierra Wireless • B&B Electronics • Perle • IT Infrastructure • HP • IBM • OSIsoft • Cisco • Oracle • EMC • Sun Microsystems • Google • Microsoft • Carriers • Verizon • ATT • Orange • Sprint/Nextel • T Mobile • AMI Infrastructure • Silver Spring • Trilliant • Current Group • Elster • Itron • Sensus • SmartSync • Tantalus • Cellnet & Hunt • Aclara • Eka Systems • Demand Response Systems • Enernoc • Comverge • Advanced Telemetry • GridPoint • Cpower • DeepStream

  8. SmartGrid Security Now: Dozens of non-interoperable pilot implementations across the country. California – PG&E is on track to deploy nearly 10 million electric and gas meters by end of 2011, currently at 2.3 million installed. GE, Silver Spring Networks. Austin, Texas – Austin Energy to roll out Phase 1 smart-grid project of 500k smart meter devices by July-09. The utility has also installed 86,000 smart thermostats and 2,500 distribution grid sensors across its service territory. GE Energy, IBM, Oracle, GridPoint. Ontario, Canada – The province mandated to install 1.3 million smart meters in every home and small business by 2010. Trilliantto provide communication infrastructure and software applications. Enel of Italy –over 27 million installed smart meters, largest in world at cost of >€2.1b. Enelestimates savings at 500 million Euros/yr, suggesting an astonishingly short 4 year payback time. These projects are very large in scale, typically ~$1b per. EPRI estimates the spend on these projects in the US at ~$8b annually for the next 20 years!

  9. Security Challenges in AMI

  10. Template: Smart Grid Security Lifecycle Source: Southern California Edison

  11. Security Standards Groups to Keep an Eye On: UCA International Users Group (UCAIug - SG Security Working Group) AMI-SEC Task Force NIST Cyber Security Coordination Task Group Advanced Security Acceleration Project (ASAP-SG) Interim SmartGrid Roadmap published by the National Institute of Standards & Technology (NIST) in Sept’09… covers >100 standards. Already announced: UtilSec Working Group of UCAIug; AMI-SEC System Security Requirements SECURITY PROFILE BLUEPRINT 0.20 (Dec’09) Associated, application-specific Security Profile (SP) documents IEC standard for “Information security for power system control operations,” IEEE 1686 “Security for intelligent electronic devices,” North American rd for “Information security for power system control operationsrd for “Information security for power system control” NIST “Cyber security standards and guidelines for federal information systems, including those for the bulk power system.” OTHERS: OpenHAN, Zigbee, Z-Wave, Homeplug, IEC 62351, OpenADR IEC 61850, international standard for electric power device communication interoperability.

  12. Security Standards Announced Two Days Ago: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 http://www.nist.gov/public_affairs/releases/smartgrid_interoperability_final.pdf a conceptual reference model to facilitate design of an architecture for the Smart Grid overall and for its networked domains; an initial set of 75 standards identified as applicable to the Smart Grid; priorities for additional standards – revised or new – to resolve important gaps; action plans under which designated standards-setting organizations will address these priorities; and an initial Smart Grid cyber security strategy and associated requirements. A companion draft document, NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements, also underwent public review. A subsequent draft of the cyber security strategy, will be issued in February. NIST intends to finalize the Smart Grid cyber security stds in late spring (!)

  13. Some Individuals to Watch“Moving the Needle” on SmartGrid Security George Arnold Bobby Brown Kevin Brown Matthew Carpenter Darren Highfill Erfan Ibrahim James Ivers TejaKuruganti Annabelle Lee Howard Lipson Jim Nutaro Justin Searle Vishant Shah Brian Smith Adrian Turner Andrew Wright

  14. What We’re All Waiting For • Smart Grid Security Blueprint 1.0 from UCAIug • Associated “Security Profiles” for specific applications. • provide prescriptive, actionable guidance for how to implement security for smart grid functionality. • Vendor agnostic

  15. What to do in the meantime • Read the draft blueprint from UCAIug and any security profiles you can get your hands on. • Seek out crypto and security expertise for your project (in house or outside), and assign a lead – don’t wing it. • Design for the Future = “All IP”. • Be especially wary of vendor lock-in at this stage. • Design for Flexibility = secure remote updating capabilities – and PKI keying approaches are crucial. • Ask lots of questions!! • Get a third-party security evaluation when your architecture is defined, and when you’re in Beta.

  16. Other Docs to Reference • Electric Power Research Institute (EPRI). 2009, June. Report to NIST on the Smart Grid Interoperability Standards Roadmap. • National Institute of Standards and Technology. 2009, September. NISTIR 7628 – Smart Grid Cyber Security Requirements (Draft 1). • Department of Homeland Security, National Cyber Security Division. 2009, September. Catalog of Control Systems Security: Recommendations for Standards Developers. • National Institute of Standards and Technology. 2007, December. NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems. • National Institute of Standards and Technology. 2007, December. NIST SP 800-39 (second public draft) – Managing Risk from Information Systems. • National Institute of Standards and Technology. 2007, December. NIST SP 800-53 Rev. 2 - Recommended Security Controls for Federal Information Systems. • National Institute of Standards and Technology. 2007, September 28. NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security (2nd DRAFT). • The Common Criteria. 2007, September. Common Criteria v3.1 – Part 2: Security Functional Requirements Release 2 and Part 3: Security Assurance Requirements Release 2. The Common Criteria. • UCA International Users Group – SG Security Working Group. 2009, October. Security Profile for Advanced Metering Infrastructure (Draft 0.49).

  17. Summary Smart Grid security is a big problem with a big surface area, it’s not limited to a few poorly-implemented products or rollouts. Be mindful that security for embedded environments and sensor networks is its own discipline – can’t directly map traditional PC/IT security over to the Grid. Security expertise isn’t readily available within Utilities or the equipment companies that supply it – you must seek it out. Realize that vendors will try hard to lock you into proprietary solutions at this stage. are coming, but not fast enough – that means you’ll need to improvise, and try to keep your options open for the future.

  18. Slides or Docs? Send me an email at kurt@mocana.com and I’ll send you the current standards blueprint and these slides.

More Related