US Cyber Security Efforts: The Good, The Bad, The Ugly

Presented By: Bobby Brown, EnerNex Corporation
© 2010 EnerNex Corporation. All Rights Reserved.


About myself
• Director of IT & Communication Security
• Former CIO, 15+ years IT, 10 years Cyber Security & Related
• Co-author of NIST Framework & Roadmap for Smart Grid Interoperability Standards, Security Profiles (AMI, 3PDA, Distribution Mgt.)
• Project Manager, Advanced Security Acceleration Project for Smart Grid (ASAP-SG)
• National Electric Sector Cyber Organization Resource Team
• Chair of SG Security Conformity and Vice-chair of SG Security in UCAIug OpenSG



NIST SGIP – The Good
• EnerNex awarded management and technical facilitation
• Smart Grid Interoperability Panel
  – Supports NIST in fulfilling responsibilities under the 2007 Energy Independence and Security Act
  – Identifies, prioritizes and addresses new and emerging requirements for Smart Grid standards
  – Developed the initial NIST Framework & Roadmap for Smart Grid Interoperability Standards (v1.0 January 2010)
• National public-private collaborative



NIST SGIP – The Good
• Smart Grid Standards
• Priority Action Plans
• Testing and Certification of Standards
• Smart Grid Conceptual Model
• Smart Grid Cyber Security
• The Interoperability Knowledge Base (IKB)



SGIP CSWG – The Good
• Addresses Smart Grid cyber security aspects
• Provides overall cyber security strategy for Smart Grid
• Defense-in-depth controls:
  – Prevention
  – Detection
  – Response
  – Recovery
• 400+ member participation


Strategy Process



SGIP CSWG – The Bad
• Risk mitigation strategy is confusing:
  – Logical Interface Categories (LICs)
  – Requirements mapped to LICs (not data)
• Interoperability strategy is still under development
• Weak in utility representation



The Ugly
The process is good, but…
• Not actionable
• Reference architecture is not representative of real world systems
• How to implement?



Lessons Learned – What’s Next?
• Validate high-level reference architecture
• More utility involvement
• ‘Actionable’ & ‘implementable’ guidance
  – Implementation Sub-group
• Interoperability and Rigor
  – Standards & Crypto Sub-groups
  – Testing & Certification Sub-group
• Updated NIST-IR 7628 (after 12 months)



NERC CIP – Good
• Forces utilities to address security
• Allows utilities to self-regulate



NERC CIP – Bad & Ugly
• Immature regulation – too many revisions
• Discretion of auditors; too much variance
• Only addresses bulk power, many aggregated threats not covered:
  – Distribution
  – AMI
  – Automated demand response
  – Electric vehicles
  – Etc., etc.
• Utilities become reactive


NERC CIP – What’s Next?
• CIP 10 and 11
  – CIP 10 replaces CIP 2
  – CIP 11 replaces CIP 3 through 9



ASAP-SG – Good
• Private-Public Collaborative
• Vetted by utilities and vendors
• Good adoption of controls:
  – Utilities using in request for proposal (RFP) requirements
  – Vendors using in product development requirements
  – States (California Public Utility Commission) using in development of regulations



ASAP-SG Funding & Workflow



ASAP-SG Blueprint



ASAP-SG – Bad & Ugly
• Too Academic
• Too many steps



ASAP-SG – What’s Next
• Wide Area Monitoring, Protection and Control Security Profile
  – Synchrophasors
• Premise Area Network Security Profile
  – Home Area Network
  – Business Area Network
  – Industrial Network
• Update Security Profile Blueprint



Summary – Understand Attackers
Defense in-depth > Break the Kill Chain

Kill Chain
• Recon
• Weaponization
• Delivery
• Exploit
• Installation
• Command & Control (C2)
  – Elevate privilege
  – Maintain presence
• Actions of Intent


Break points
• Min attack surface (Deter)
• Block attacks (Prevent)
• Monitor/Report (Detect)
• Business Continuity (Respond)
• Forensics & Incident Handling (Recovery)
  – Lessons learned


Summary – Methodology
• Collaboration!
• Business Driven
• Regulation & Standards
• Use Cases
• Holistic system of systems approach
• Process
• Risk Management
• Security components
• Engineering Principles
• Interfaces
• Loose Coupling
• Subsystems
• Layered
• Configuration
• Scalable
• SDLC



Thank you!
Bobby Brown
bobby@enernex.com
Director, Cyber Security
EnerNex


