Work Package 2.4. (Public) Procurement Expert Group on the security and resilience of communication networks and information systems for Smart Grids

Transcription

1 15 March 2012 Work Package 2.4 (Public) Procurement Expert Group on the security and resilience of communication networks and information systems for Smart Grids Version 1.0

2 ƒ Ž ˆ 1. Introduction Mission, vision and goals Strategy Scope Current status Team 5 2. Statement of Work 7

3 1. Introduction 1.1. Mission, vision and goals The mission of this Team is to contribute to a coherent and increased effort to improve the cyber security for smart grids, by providing (public) procurement standards. The goal is to establish a common procurement language and/or standard for a base level of security in smart grid components and services in collaboration with private and public asset owners, vendors and regulators. Procurement for components (like control systems) in the smart grids is even more important since a lot of these components are not easy to replace or to update, once they are installed. They have typical life cycles between 15 and 30 years. Therefore, security should be built in from the beginning and not thought of at the end. Procurement of third party services for Smart Grids, such as maintenance of (sets of) smart grid components and of integrated parts of the smart grid, requires a common base level in Europe on minimal security requirements with respect to these services, (ICT) tools to be used, personnel as well as the protection of the physical environment of smart grid component(s), e.g. protection against theft and unauthorised access Strategy The team identified the good practices that are already available and has discussed with some of the smart grid stakeholders if these good practices are applicable to all the smart grid components. More extensive validation work, outside the scope of this task, still has to be done. If these are indeed European-wide recognised good practices, they will be actively pushed into the network. The team developed a set of recommendations to the EC making use of existing standards and guidance documents, like: The IEC draft standard, which is intended to serve as a set of baseline security requirements for vendors of IACS. The IEC standard project has recently emerged as a significant milestone in the development of cyber security standards for Smart Grids. In the US, the Cyber Security Working Group of the Smart Grid Interoperability Panel of NIST has created a IEC Task Force 1 to work on this. Future European activities on public procurement for Smart Grid components should closely work together with this group. In the side-line this Expert Group looked at the possible use of certification programs (as e.g. developed by Wurldtech) that came out of the original WIB-standard. Another relevant document is The Cyber Security Procurement Language for Control Systems that is released in September 2009 by the US Department of Homeland Security. This was the joint effort of the public and private sectors focused on the development of common procurement language for use by all control systems stakeholders. The goal is for federal, state, and local asset owners and regulators to obtain a common control systems security understanding; using these procurement guidelines will help foster this understanding and lead to integration of security into control systems. It will be important to explore if and how this document is applicable to (parts of) the Smart Grid in Europe. 1 Page 3 of 7

4 1.3. Scope The scope of this team is on the procurement of components and services in the smart grids. In order to push the development of secure components and enhance the security awareness within the vendor community (public) procurement standards which regard base-level security for the start on need to be developed for: Procurement of Smart Grid components; Procurement of system integration services for Smart Grid components; Procurement of third party services for Smart Grid components and integrated systems, e.g. 3 rd party maintenance. The other reason that these procurement standards with security in mind need to be developed is that the asset owners which buy the systems, need guidance for good commissioning, operations, and decommissioning of these kind of systems Current status Currently, utilities are left hoping that the Smart Grid system components they are deploying are adequately addressing current and emerging cyber security threats, with little more than faith in the security claims their vendors provide as initial evidence. Utilities are then forced to dedicate significant resources to test the security claims their vendors make, and many utilities simply do not have the resources to expend on such testing (regardless of the size of the utility). This is a similar challenge that other critical infrastructure sectors face and have faced. The plan security workgroup of the WIB 2, The International Instrument Users' Association created a set of baseline security requirements for vendors, driven by the security needs of end users. This workgroup was lead by Royal Dutch Shell, one of the largest energy companies 3 in the world. Shell has mandated third party certification against the WIB security requirements for all of their vendors that operate in the Process Control Domain. Following this line, Southern Company, a big utility in North America, followed suit by mandating the same for their vendors. It worked together with Wurldtech, the first company to create a certification program for the WIB requirements. This certification program is known as Achilles Practices Certification 4 (APC). The first Advanced Metering Infrastructure (AMI) vendor, under the mandate from Southern Company, to achieve APC certification was SENSUS 5. The WIB 2.0 requirements, which were developed to address Electric Industry security requirements lacking in version WIB 1.0, are well-aligned with the NISTIR 7628 requirements. This led to the submission of the WIB 2.0 requirements to IEC as part of the IEC series of cyber security standards for industrial automation control systems (IACS), and was approved as a project within IEC in the summer of IEC is about security requirements for vendor of IACS; smart grid devices being a sub-case pdf Page 4 of 7

5 It will still take some years before the IEC62443 series are finished and adopted. It is important to bridge the gap and already agree on a standardised set of cyber security requirements throughout the Smart Grid industry. This team will give advice to the European smart grid community how to bridge this period and how to establish a baseline set of security requirements that everyone in the smart grid industry can adopt Team Team leader: Auke Huistra, CPNI.NL, Netherlands Project manager for the Cybercrime Information Exchange and the National Roadmap for Secure Process Control Systems within CPNI.NL, the Dutch public-private platform for Cyber security. Main objective of CPNI.NL is to raise the resilience of the critical (information) infrastructure in the Netherlands. Auke is member of the EuroSCSIE, MPCSIE, EU-US Working Group on Cyber-Security and Cyber-Crime, Expert Team on Public-Private Partnership, ERNCIP Thematic Area on ICS and Smart Grids and the European FI-ISAC. He works in the field of (public) security for more than 15 years now. Before his assignment at CPNI.NL, he was amongst others cluster leader Public Security at a big international consultancy firm and CIO at a regional police force in the Netherlands. Team members: Jos Menting, Laborelec, Belgium: Jos holds an engineering degree in Technical Physics and a postgraduate degree in industrial automation. His I&C career started in The Netherlands on a coal fired power plant with an assignment on industrial automation projects before stepping over to the engineering department. A large variety of I&C related projects like retrofits, upgrades and large green field projects followed by an I&C life time extension study for the entire Dutch fleet in the group. Page 5 of 7

6 International experience came by a feasibility study in India and some multiyear experiences in the Mid Americas. In 2005 he started working at Laborelec, the R&D entity for power in the GDF Suez group near Brussels. Working as the group senior he is responsible for the section Conventional Power. The combination between research and operational services is currently the ideal environment to put the gathered knowledge into praxis. Besides advanced control subjects topics like cyber security, alarm management and automation life time issues are important. Currently business development in the Middle East and Latin America are on the agenda. smembership of the European Commission ERNCIP program, the EuroSCSIE, Executive board member of the WIB end user organization and the recently obtained chair of the German VGB-Powertech I&C Working Panel are some of the important international involvements. Eric Luiijf, TNO, The Netherlands: M.Sc. in Mathematics at the Technical University Delft in Officer in the Royal Netherlands Navy for his duties. He joined the TNO end of Since 1995, he works as Principal Consultant Information Operations and Critical (Information) Infrastructure Protection (C(I)IP). He supports the Dutch Government on policy and technology related issues regarding C(I)IP, Cyber Operations and National Risk Assessment. He has been involved in many national and EU studies on C(I)IP including VITA, IRRIIS, DIESIS, EURACOM, and RECIPE. Eric maintains a unique database on CI disruptions, cascading effects and consequences based upon public sources. Eric is part-time employed by the Dutch Centre for Protection of National Infrastructure (CPNI.NL) as ICS and Smart Grid security expert. His SCADA Good Practices book has been translated into English, Japanese and Italian. Eric has been interviewed many times by national and international press, radio and TV, and has published many popular articles, reports, and scientific publications. Page 6 of 7

7 2. Statement of Work Activities in this WP should be: Producing a stock taking report with an overview of existing standards and guidelines that can be used in procuring components of smart grids. Producing a white paper with recommendations to the smart grids community and the EU policy makers how to handle procurement of components of the smart grids. This should include: o Answer the question if smart grid operators should use these procurement standards or not (mandatory or recommendation). Should the EC and Member States make regulation about this? o Will certification being made obligatory for vendors within the smart grid domain? Relevant stakeholders should be consulted when writing these documents. An important group to include in these activities is the group that is working on the IEC standard. Page 7 of 7