Smart Grid Standards and Certification

Similar documents
Security Metrics. February 25, Annabelle Lee Senior Technical Executive

Ad Hoc Smart Grid Executive Committee. February 10, 2011 New Orleans, LA

Managing SCADA Security. NISTIR 7628 and the NIST/SGIP CSWG. Xanthus. May 25, Frances Cleveland

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Physical Security Reliability Standard Implementation

NW NATURAL CYBER SECURITY 2016.JUNE.16

136 FERC 61,039 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. [Docket No. RM ] Smart Grid Interoperability Standards

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Smart Grid Cyber Security Strategy and Requirements

Critical Cyber Asset Identification Security Management Controls

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Cyber Security Reliability Standards CIP V5 Transition Guidance:

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

The NIST Cybersecurity Framework

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Cyber Security Standards Drafting Team Update

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

NIST Smart Grid Activities

Smart Grid and Cyber Security

Electric Sector Security & Privacy Plans for 2011

CIP Standards Development Overview

Implementing Executive Order and Presidential Policy Directive 21

Standard Development Timeline

Standard Development Timeline

Summary of FERC Order No. 791

NIST SmartGrid Update. Paul Myrda Technical Executive Power Systems Engineering Research Center August 10, 2009

ISA99 - Industrial Automation and Controls Systems Security

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION COMMENTS OF THE PENNSYLVANIA PUBLIC UTILITY COMMISSION

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Cybersecurity for the Electric Grid

Standard CIP Cyber Security Critical Cyber Asset Identification

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

FDA & Medical Device Cybersecurity

The NIS Directive and Cybersecurity in

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

NIST Smart Grid Interoperability Framework

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

Framework for Improving Critical Infrastructure Cybersecurity

Standard CIP Cyber Security Critical Cyber Asset Identification

Cyber Security Requirements for Supply Chain. June 17, 2015

History of NERC December 2012

Medical Device Cybersecurity: FDA Perspective

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Proposed Clean and Redline for Version 2 Implementation Plan

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Risk and Options Considered by IMO

Grid Security & NERC

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

Cyber Security Supply Chain Risk Management

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Summary of Cyber Security Issues in the Electric Power Sector

Cyber Threats? How to Stop?

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) )

Why you should adopt the NIST Cybersecurity Framework

CIP Cyber Security Personnel & Training

CCISO Blueprint v1. EC-Council

FERC's Revised Critical Infrastructure Protection Demands Active Vigilance

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

The North American Electric Reliability Corporation ( NERC ) hereby submits

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

NCSF Foundation Certification

Standard CIP Cyber Security Critical Cyber As s et Identification

Cyber Security Incident Report

CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller

Security in grid control centers: Spectrum Power TM Cyber Security

CIP Cyber Security Configuration Management and Vulnerability Assessments

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Frame 6 Users Group Conference. Cincinnati, OH. June 8-11 WELCOME USERS

Time Synchronization and Standards for the Smart Grid

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

History of NERC August 2013

ERO Enterprise Strategic Planning Redesign

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP Information Protection

Regulatory Impacts on Research Topics. Jennifer T. Sterling Director, Exelon NERC Compliance Program

151 FERC 61,066 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION ORDER DENYING REHEARING. (Issued April 23, 2015)

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) ) COMMENTS OF THE LARGE PUBLIC POWER COUNCIL

History of NERC January 2018

European Union Agency for Network and Information Security

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Transcription:

Smart Grid Standards and Certification June 27, 2012 Annabelle Lee Technical Executive Cyber Security alee@epri.com

Current Environment 2

Current Grid Environment Legacy SCADA systems Limited cyber security controls currently in place Specified for specific domains bulk power distribution, metering Vulnerabilities might allow an attacker to Penetrate a network, Gain access to control software, or Alter load conditions to destabilize the grid in unpredictable ways Even unintentional errors could result in destabilization of the grid 3

Threats to the Grid Deliberate attacks Disgruntled employees Industrial espionage Unfriendly states Organized crime Terrorists Inadvertent threats Equipment failures User/Administrator errors Natural phenomena Weather hurricanes, earthquakes Solar activity 4

Interconnectedness of the Grid 5

Trends Impacting Security Open protocols Replacing vendor-specific proprietary communication protocols Connections with enterprise networks to obtain productivity improvements and information sharing Reliance on external communications Increasing use of public telecommunication systems, the Internet, and wireless for control system communications Increased capability of field equipment Smart sensors and controls with enhanced capability and functionality 6

IT and Control Systems Differences For IT systems, confidentiality and integrity are the major objectives For control systems, availability and integrity are the major objectives Limited bandwidth and processing capability Potential loss of life impact if there is a major compromise IT system life cycle varies from 6 months to 2 years Control systems life cycle varies from 15 to 40 years Availability Delays usually accepted in IT systems Control systems typically run 24/7/365 7

Regulatory Environment 8

Some Regulatory History September 11, 2001 Prevent radiological risk to public Nuclear Regulatory Commission (NRC) Orders (EA-02-026, etc.) (2002) Nuclear Energy Institute (NEI) NEI-04-04 (2006) 10CFR73.54 (2009) Regulatory Guide (RG) 5.71 (2010) NEI-08-09, Revision 6 (2010) Cyber-security controls & standards National Institute for Standards & Technology (NIST) Standards SP800-53, SP800-82 Draft EPRI 1019187 (2010) for new systems August 14, 2003 Continuity / reliability of bulk electric system December 19, 2007 Energy Independence and Security Act (EISA) Federal Energy Regulatory Commission (FERC) Orders 706 & 706B US Department of Energy NIST NISTIR 7628 9 North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards National Electric Cyber Security Organization NESCO & NESCOR?

Federal Energy Regulatory Commission (FERC) Technical Conference EISA directed FERC to: "institute a rulemaking to adopt such standards as may be necessary to ensure Smart Grid functionality and interoperability, after NIST's work has led to consensus in the Commission's judgment. NIST identified five families of standards as ready for consideration by regulators Standards fundamental to Smart Grid interoperability And to priorities identified in the Commission's July 16, 2009 Smart Grid Policy Statement 10

FERC Technical Conference (2) Technical conference held January 31, 2011 Unanimous agreement among speakers that the standards are not ready for adoption Additional questions posted on the website after the technical conference http://www.ferc.gov/docs-filing/elibrary.asp Under docket search, enter RM-11-2 11

FERC Decision On July 19, 2011 FERC issued an order related to the five families of standards: we [FERC] find insufficient consensus to institute a rulemaking proceeding at this time to adopt the five families of standards. At some future time, FERC could open a new docket and initiative rulemaking This is based on the inclusion of the phrase at this time FERC focused on stakeholder participation in the NIST interoperability framework process 12

NERC Critical Infrastructure Protection (CIP) Version 4 FERC Notice of Proposed Rulemaking Docket No. RM11-11-000: Version 4 Critical Infrastructure Protection Reliability Standards Posted September 15, 2011 FERC proposes to approve eight modified Critical Infrastructure Protection (CIP) Reliability Standards, CIP- 002-4 through CIP-009-4 Version 4 CIP Reliability Standards propose to modify CIP-002-4 to include bright line criteria for the identification of Critical Assets 17 uniform bright line criteria 13

NERC Critical Infrastructure Protection (CIP) Version 4 (2) The proposed Version 4 CIP Reliability Standards would replace the currently effective Version 3 CIP Reliability Standards We (FERC) recognize that: The Version 4 CIP Standards represent an interim step to addressing all of the outstanding directives set forth in Order No. 706 14

Cyber Security Strategies 15

NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security Version 1.0 published August 2010 http://csrc.nist.gov/publications/ PubsNISTIRs.html#NIST-IR-7628 What it IS A tool for organizations that are researching, designing, developing, and implementing Smart Grid technologies May be used as a guideline to evaluate the overall cyber risks to a Smart Grid system during the design phase and during system implementation and maintenance Guidance for organizations Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid What it IS NOT It does not prescribe particular solutions It is not mandatory 16

NISTIR 7628 Smart Grid Cyber Security Strategy Tasks Top-down Analysis (Inter-component/ Domain) Bottom-up Analysis (Vulnerability Classes) 1. Use Case Analysis 2. Risk Assessment Vulnerabilities Threats Impacts 3. High Level Security Requirements Privacy Assessment 4a. Security Architecture 4b. Smart Grid Standards Assessment Existing Standards (CIP, IEEE, IEC, etc.) 5. Conformity Assessment 17

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) 18

Initiative Background and Overview Challenge: Develop capabilities to manage dynamic threats and understand cybersecurity posture of the grid Approach: Develop a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities Results: A scalable, sectorspecific model created in partnership with industry 19 ES-C2M2 Objectives Strengthen cybersecurity capabilities Enable consistent evaluation and benchmarking of cybersecurity capabilities Share knowledge and best practices Enable prioritized actions and cybersecurity investments

ES-C2M2 Timeline 2012 JAN FEB MAR APR MAY JUN Jan 5 Kickoff Meeting May 24 Debrief Phase 1: Model Development, including self-evaluation survey Four Advisory Group Meetings Phase 2: Model Assessment (17 Pilots) Phase 3: Finalize Model 20

Maturity Indicator Levels Model Overview Reserved 1 Maturity Indicator Level that is reserved for future use Managed Each cell contains the defining characteristics for the domain at that maturity indicator level Performed Initiated Not Performed Elements: Model, Survey, Facilitation, Summary Report Feedback from 40 utilities used to refine model Model Domains 21

Moving Forward Cyber security supports both the reliability and privacy of the Smart Grid Address interconnected systems both IT and control systems Cyber security needs to be addressed in all systems, not just critical assets Augment existing reliability controls, as applicable Consider the lifecycle of IT/telecomm systems versus control systems Patch management/update cycles Product life cycle Develop new models/paradigms for the two communities Continuously assess the security status 22

Moving Forward (2) Acknowledge will be some security breaches Focus on response and recovery For example, isolate/quarantine infected devices Fail secure Address both safety and security Build security in! Confidentiality, integrity and availability implement best practices Apply IT/telecomm security lessons-learned from the past 40 years Train and educate Address advanced persistent threats (APTs) Compliance DOES NOT equal security 23

Discussion alee@epri.com 202.293.6345 24

Together Shaping the Future of Electricity 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback