Smart Grid Security: Current and Future Issues

Transcription

1 Smart Grid Security: Current and Future Issues ISGT Panel on Smart Grid Security February 21 st 2014, Washington DC, USA Florian Skopik Senior Project Manager, ICT Security Safety & Security Department AIT Austrian Institute of Technology Vienna, Austria

2 Panellists Robert W. Griffin, Chief Security Architect, RSA - the Security Division of EMC, UK Lisa M. Kaiser, ICS-CERT s Chief of Control Systems Standards and Tools, Department of Homeland Security, USA Paul Murdock, Director of Software Technology and Chief Software Architect, Landis & Gyr, Switzerland Victoria Yan Pillitteri, Advisor for Information System Security, National Institute of Standards and Technology, USA Johannes Reichl, Project Manager, Energy Institute Linz, Austria Henrik Sandberg, Associate Professor, KTH Royal Institute of Technology, Sweden

3 The Smart Grid Energy Network Privacy Smart Meter Hacking Centralized Generation Private Consumers New attack vectors New smart Prosumers Heterogenious ICT systems Reliability Insider Threat Identity Management New market roles Transmission Network Distribution Network Storage Cyberwar / Cyberterrorism Many new interfaces ICT Network Industrial Consumers Distributed Generation 3

4 The Secure Smart Grid Energy Network Centralized Generation Privacy Private Consumers Smart Meter Hacking New attack vectors New smart Prosumers Heterogenious ICT systems New market roles Reliability Transmission Network Cyberwar / Cyberterrorism Insider Threat Distribution Network Many new interfaces Identity Management Storage ICT Network Industrial Consumers Distributed Generation 4

5 So what? x (x SmartGrid): lim n (Cn(x),In(x),An(x)) à very high Confidentiality, Integrity, Availability 5

6 A lot of aspects to consider Just some examples: Organizational Measures and Security Processes Secure Development and Impl. of Components Security of Communication Technology Secure Operation, Situational Awareness Physical Security Incident Management, Information Sharing Recovery from Failure Business Continuity Taken from existing Standards und Guidelines, such as ISO 27002, ENISA Appropriate security measures for Smart Grids, NIST Guidelines for Smart Grid Cyber Security, NERC CIP, IEC 62443, etc. 6

7 Appropriate solutions are needed Don t reinvent the wheel But: specific requirements Risk vs. Security vs. Cost Safety & Security Lifecycle Automation vs. Internet Adequate security level New security concepts required 7

8 Security is a shared responsibility The Smart Grid is a System of Systems Creating a secure component is not enough Secure implementation and operation is key Inappropriate trust in security of specific components Responsibility for specific security aspects needs to be defined Private vs. Industrial vs. Virtual Participants XKCD 8

9 Prevention, detection and reaction Prevention is useless without detection and reaction! System complexity Responsibility vs. Competence Securing devices in hostile environments Situational awareness Information sharing & reporting 9

10 The weakest link is the human Effort to break a system!= Effort to reach the goal If technical obstacles are too challenging à Social Engineering See Kevin Mitnick Microsoft Security Intelligence Report 2011: Almost half of all infections with malware required manual user interaction! XKCD 10

11 Smart Grid Security AIT Research Topics: Operator-independent resilient Smart Grid ICT architecture models Security analysis of core technical components of Smart Grids Risk assessment and cyber attack impact analysis for Smart Grids Security and compliance lifecycle tools, e.g., incident response, etc. Big data analysis technologies for situational awareness in Smart Grids Selected Reference Projects: SG2 national (coord) Smart Grid Security Guidance PRECYSE EU FP7 SEC Prevention, protection and reaction to cyberattacks to critical infrastructures SPARKS FP7 SEC (coord) Smart Grid Protection against Cyber Attacks HYRIM FP7 SEC (coord) Hybrid Risk-Management for Utility Providers Selected research partners: 11

12 Security is the foundation for innovation The Smart Grid is the next big innovation step in the energy infrastructure. But: Adequate security is a requirement and enabler for new technology to be implemented and accepted! Important aspects to consider: New security concepts with adequate security levels! Holistic approach with shared responsibilities! Not only prevention, but also detection and reaction! 12

13 Let s discuss! Florian Skopik Senior Project Manager, ICT Security Safety & Security Department AIT Austrian Institute of Technology florian.skopik@ait.ac.at