Work Package 2.4. (Public) Procurement Expert Group on the security and resilience of communication networks and information systems for Smart Grids


15 March 2012
Work Package 2.4 (Public) Procurement Expert Group on the security and resilience of communication networks and information systems for Smart Grids
Version 1.0

Contents

1. Introduction 3
1.1. Mission, vision and goals 3
1.2. Strategy 3
1.3. Scope 4
1.4. Current status 4
1.5. Team 5
2. Statement of Work 7

1. Introduction

1.1. Mission, vision and goals

The mission of this Team is to contribute to a coherent and increased effort to improve the cyber security of smart grids by providing (public) procurement standards. The goal is to establish a common procurement language and/or standard for a base level of security in smart grid components and services, in collaboration with private and public asset owners, vendors and regulators.

Procurement of components (such as control systems) in smart grids is all the more important because many of these components are not easy to replace or update once they are installed. They have typical life cycles of between 15 and 30 years. Therefore, security should be built in from the beginning and not considered only at the end.

Procurement of third party services for Smart Grids, such as maintenance of (sets of) smart grid components and of integrated parts of the smart grid, requires a common base level in Europe of minimal security requirements with respect to these services, the (ICT) tools to be used, personnel, and the protection of the physical environment of smart grid component(s), e.g. protection against theft and unauthorised access.

1.2. Strategy

The team identified the good practices that are already available and has discussed with some of the smart grid stakeholders whether these good practices are applicable to all smart grid components. More extensive validation work, outside the scope of this task, still has to be done. If these are indeed European-wide recognised good practices, they will be actively pushed into the network.

The team developed a set of recommendations to the EC making use of existing standards and guidance documents, such as:

- The IEC 62443-2-4 draft standard, which is intended to serve as a set of baseline security requirements for vendors of IACS. The IEC 62443-2-4 standard project has recently emerged as a significant milestone in the development of cyber security standards for Smart Grids. In the US, the Cyber Security Working Group of the Smart Grid Interoperability Panel of NIST has created an IEC 62443-2-4 Task Force [1] to work on this. Future European activities on public procurement for Smart Grid components should work closely with this group. As a side line, this Expert Group looked at the possible use of certification programs (such as the one developed by Wurldtech) that grew out of the original WIB standard.

- The Cyber Security Procurement Language for Control Systems, released in September 2009 by the US Department of Homeland Security. This was a joint effort of the public and private sectors focused on the development of common procurement language for use by all control systems stakeholders. The goal is for federal, state and local asset owners and regulators to obtain a common understanding of control systems security; using these procurement guidelines will help foster this understanding and lead to the integration of security into control systems. It will be important to explore if and how this document is applicable to (parts of) the Smart Grid in Europe.

[1] http://collaborate.nist.gov/twiki-sggrid/bin/view/smartgrid/iec6244324taskforce

1.3. Scope

The scope of this team is the procurement of components and services in smart grids. In order to push the development of secure components and enhance security awareness within the vendor community, (public) procurement standards that address base-level security from the start need to be developed for:

- Procurement of Smart Grid components;
- Procurement of system integration services for Smart Grid components;
- Procurement of third party services for Smart Grid components and integrated systems, e.g. 3rd party maintenance.

The other reason these procurement standards with security in mind need to be developed is that the asset owners who buy the systems need guidance for good commissioning, operation and decommissioning of these kinds of systems.

1.4. Current status

Currently, utilities are left hoping that the Smart Grid system components they are deploying adequately address current and emerging cyber security threats, with little more than faith in the security claims their vendors provide as initial evidence. Utilities are then forced to dedicate significant resources to testing the security claims their vendors make, and many utilities simply do not have the resources to expend on such testing (regardless of the size of the utility). This is a challenge similar to the one that other critical infrastructure sectors face and have faced.

The plant security workgroup of the WIB [2], The International Instrument Users' Association, created a set of baseline security requirements for vendors, driven by the security needs of end users. This workgroup was led by Royal Dutch Shell, one of the largest energy companies in the world [3]. Shell has mandated third party certification against the WIB security requirements for all of its vendors that operate in the Process Control Domain. Following this line, Southern Company, a large utility in North America, followed suit by mandating the same for its vendors. It worked together with Wurldtech, the first company to create a certification program for the WIB requirements. This certification program is known as Achilles Practices Certification (APC) [4]. The first Advanced Metering Infrastructure (AMI) vendor to achieve APC certification under the mandate from Southern Company was SENSUS [5].

The WIB 2.0 requirements, which were developed to address Electric Industry security requirements lacking in WIB version 1.0, are well aligned with the NISTIR 7628 requirements. This led to the submission of the WIB 2.0 requirements to IEC as part of the IEC 62443 series of cyber security standards for industrial automation and control systems (IACS); it was approved as a project within IEC in the summer of 2011. IEC 62443-2-4 is about security requirements for vendors of IACS, smart grid devices being a sub-case.

[2] www.wib.nl
[3] https://www.pfcenergy.com/~/media/files/public%20files/pfc%20energy%2050/final_pfc_energy_50_2012.pdf
[4] http://www.wurldtech.com/achilles-certification/achilles-certified-practices/program-summary.aspx
[5] http://www.sensus.com

It will still take some years before the IEC 62443 series is finished and adopted. It is important to bridge the gap and already agree on a standardised set of cyber security requirements throughout the Smart Grid industry. This team will advise the European smart grid community on how to bridge this period and how to establish a baseline set of security requirements that everyone in the smart grid industry can adopt.

1.5. Team

Team leader: Auke Huistra, CPNI.NL, Netherlands

Project manager for the Cybercrime Information Exchange and the National Roadmap for Secure Process Control Systems within CPNI.NL, the Dutch public-private platform for cyber security. The main objective of CPNI.NL is to raise the resilience of the critical (information) infrastructure in the Netherlands. Auke is a member of the EuroSCSIE, MPCSIE, the EU-US Working Group on Cyber-Security and Cyber-Crime, the Expert Team on Public-Private Partnership, the ERNCIP Thematic Area on ICS and Smart Grids and the European FI-ISAC. He has worked in the field of (public) security for more than 15 years. Before his assignment at CPNI.NL, he was, among other things, cluster leader Public Security at a large international consultancy firm and CIO at a regional police force in the Netherlands.

Team members:

Jos Menting, Laborelec, Belgium: Jos holds an engineering degree in Technical Physics and a postgraduate degree in industrial automation. His I&C career started in The Netherlands at a coal-fired power plant with an assignment on industrial automation projects, before moving to the engineering department. A large variety of I&C-related projects such as retrofits, upgrades and large green-field projects followed, as well as an I&C lifetime extension study for the entire Dutch fleet in the group.

International experience came through a feasibility study in India and some multi-year assignments in the Mid Americas. In 2005 he started working at Laborelec, the R&D entity for power in the GDF Suez group near Brussels. As group senior he is responsible for the Conventional Power section. The combination of research and operational services is currently the ideal environment to put the gathered knowledge into practice. Besides advanced control subjects, topics such as cyber security, alarm management and automation lifetime issues are important. Currently, business development in the Middle East and Latin America is on the agenda. Membership of the European Commission ERNCIP program and the EuroSCSIE, executive board membership of the WIB end user organisation and the recently obtained chair of the German VGB-Powertech I&C Working Panel are some of his important international involvements.

Eric Luiijf, TNO, The Netherlands: M.Sc. in Mathematics at the Technical University Delft in 1975. He then served as an officer in the Royal Netherlands Navy. He joined TNO at the end of 1977. Since 1995 he has worked as Principal Consultant Information Operations and Critical (Information) Infrastructure Protection (C(I)IP). He supports the Dutch Government on policy and technology related issues regarding C(I)IP, Cyber Operations and National Risk Assessment. He has been involved in many national and EU studies on C(I)IP, including VITA, IRRIIS, DIESIS, EURACOM and RECIPE. Eric maintains a unique database on CI disruptions, cascading effects and consequences based upon public sources. Eric is part-time employed by the Dutch Centre for Protection of National Infrastructure (CPNI.NL) as ICS and Smart Grid security expert. His SCADA Good Practices book has been translated into English, Japanese and Italian. Eric has been interviewed many times by national and international press, radio and TV, and has published many popular articles, reports and scientific publications.

2. Statement of Work

Activities in this WP should be:

- Producing a stock-taking report with an overview of existing standards and guidelines that can be used in procuring components of smart grids.
- Producing a white paper with recommendations to the smart grids community and EU policy makers on how to handle procurement of components of the smart grids. This should include:
  o Answering the question whether smart grid operators should use these procurement standards or not (mandatory or recommended). Should the EC and Member States make regulation about this?
  o Should certification be made obligatory for vendors within the smart grid domain?

Relevant stakeholders should be consulted when writing these documents. An important group to include in these activities is the group that is working on the IEC 62443-2-4 standard.