Presentation on theme: "Practical Smart Grid Security Skipping “why security is important” The state of smart grid security now Standards set, standards coming General Templates."— Presentation transcript:
Practical Smart Grid Security Skipping “why security is important” The state of smart grid security now Standards set, standards coming General Templates & Helpful Docs Making decisions without standards
The Smart Grid Security Problem Large AMI projects are being prematurely deployed “live” onto the grid without adequate security technologies in place, putting national infrastructure (and consumers) at risk. – Utilities may face liability claims and possibly regulatory fines if inadequate security enables hackers or terrorists to use smart grid vulnerabilities to interrupt service or steal customer data. – Consumers who believe a utility has not secured their information will resist smart grid rollouts politically in the future. Security problems are impacting active deployments (San Diego Gas & Electric 2Q09 missed deadline) The required cryptography expertise is often simply not present in these organizations Mature security standards and best practices (from other disciplines) already exist that could facilitate secure smart grid deployment – but SG designers often unaware of them.
Why Securing the Smart Grid is Hard Problem space is poorly defined – No universally agreed-upon objectives or desired outcomes for security (SG Security Blueprint, currently in version 0.2, is trying to address this) Cutting edge networking technology invading a “slow-tech” industry – Utilities not usually rapid adopters of new technologies – Cultural issues between conservative engineers and “agile” IT/VC types – Technological, best-practices chasms between IP-based IT community and “Babel” of traditional industrial control systems Multiple stakeholders with different agendae – Utilities, regulators, consumers, integrators, IT companies, software co’s, network providers, maintenance co’s, entrenched equipment providers… and security experts.
Individual domains often developed independently without regard for requirements of other layers Source: Enernex
Case in Point: Communications Standards in Different Smart Grid Domains Source: Enernex
Pervasive Enablement Connectivity Arch Rock Digi International Echelon Ember Enfora Garrettcom Lantronix Moxa Opto-22 Ruggedcom Sierra Wireless B&B Electronics Perle IT Infrastructure HP IBM OSIsoft Cisco Oracle EMC Sun Microsystems Google Microsoft Carriers Verizon ATT Orange Sprint/Nextel T Mobile Product/Device OEMs Power Generation GE Energy Siemens Alstom ABB Areva Hitachi Toshiba Mitsubishi Power Gen – Dist Wind: Gamesa GE Energy Vestas Suzlon Enercon Clipper PV: SunPower First Solar Q-Cells Sharp Suntech DG: Smart Fuel Cells Capstone EnerFuel infinia Cummins Power Gen. Rolld-Royce Caterpillar UTC Fuel Cells Whisper Tech Services Energy Services Ameresco EnergySolve Power System Eng’ng Horizon Energy Group Summit Energy Chevron Energy Sol. Constellation Energy NORESCO AECOM Pepco KEMA Integrators Accenture CapGemini EDS / HP Enspiria IBM Logica CMG Energy Traders Sempra Arch/Engineers Black & Veatch Sargent & Lundy Power System Eng’ng URS Corp Jacobs Engineering Flour Electrical Distributors Rexel Sonepar Graybar Electric WESCO Electric Utilities Investor Owned Duke Energy Xcel PG&E Con Edison Sempra Energy FPL AEP Northeast Utilities Exelon Global Enel Hydro One Elektromed Vattenfall Fortum E.ON Software Mocana Cimetrics eMeter Gridagents/Infotility GridLogix/JCI SmartSignal Tendril Tridium Ventyx Optimal Tech Positive Energy BPL Global Networks Arcadian Networks Ambient Networks Tropos SkyTel Managed Services Aeris.net Qualcomm Kore Telematics Home Energy Energate Radio Thermostat Sequentric ONZO Greenbox Tech Powermand 4Home LS Research Premise Equip- Meters Elster GE Energy Itron Sensus Landis & Gyr Tantalus Transdata Power Dist Equip ABB Schneider Elec Eaton GE Hitachi Siemens Cooper EDMI Nova Tech S&C Electric SEL Fuji Batteries End Use Commercial Institutional Industrial Residential AMI Infrastructure Silver Spring Trilliant Current Group Elster Itron Sensus SmartSync Tantalus Cellnet & Hunt Aclara Eka Systems Demand Response Systems Enernoc Comverge Advanced Telemetry GridPoint Cpower DeepStream SmartGrid Segments & Players
SmartGrid Security Now: Dozens of non-interoperable pilot implementations across the country. California – PG&E is on track to deploy nearly 10 million electric and gas meters by end of 2011, currently at 2.3 million installed. GE, Silver Spring Networks. Austin, Texas – Austin Energy to roll out Phase 1 smart-grid project of 500k smart meter devices by July-09. The utility has also installed 86,000 smart thermostats and 2,500 distribution grid sensors across its service territory. GE Energy, IBM, Oracle, GridPoint. Ontario, Canada – The province mandated to install 1.3 million smart meters in every home and small business by 2010. Trilliant to provide communication infrastructure and software applications. Enel of Italy –over 27 million installed smart meters, largest in world at cost of >€2.1b. Enel estimates savings at 500 million Euros/yr, suggesting an astonishingly short 4 year payback time. These projects are very large in scale, typically ~$1b per. EPRI estimates the spend on these projects in the US at ~$8b annually for the next 20 years!
Template: Smart Grid Security Lifecycle Source: Southern California Edison
Security Standards Groups to Keep an Eye On: UCA International Users Group (UCAIug - SG Security Working Group) AMI-SEC Task Force NIST Cyber Security Coordination Task Group Advanced Security Acceleration Project (ASAP-SG) Interim SmartGrid Roadmap published by the National Institute of Standards & Technology (NIST) in Sept’09… covers >100 standards. Already announced: UtilSec Working Group of UCAIug; AMI-SEC System Security Requirements – SECURITY PROFILE BLUEPRINT 0.20 (Dec’09) – Associated, application-specific Security Profile (SP) documents IEC standard for “Information security for power system control operations,” IEEE 1686 “Security for intelligent electronic devices,” North American rd for “Information security for power system control operationsrd for “Information security for power system control” NIST “Cyber security standards and guidelines for federal information systems, including those for the bulk power system.” – OTHERS: OpenHAN, Zigbee, Z-Wave, Homeplug, IEC 62351, OpenADR – IEC 61850, international standard for electric power device communication interoperability.
Security Standards Announced Two Days Ago: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 http://www.nist.gov/public_affairs/releases/smartgrid_interoperability_final.pdf a conceptual reference model to facilitate design of an architecture for the Smart Grid overall and for its networked domains; an initial set of 75 standards identified as applicable to the Smart Grid; priorities for additional standards – revised or new – to resolve important gaps; action plans under which designated standards-setting organizations will address these priorities; and an initial Smart Grid cyber security strategy and associated requirements. A companion draft document, NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements, also underwent public review. A subsequent draft of the cyber security strategy, will be issued in February. NIST intends to finalize the Smart Grid cyber security stds in late spring (!)
Some Individuals to Watch “Moving the Needle” on SmartGrid Security George Arnold Bobby Brown Kevin Brown Matthew Carpenter Darren Highfill Erfan Ibrahim James Ivers Teja Kuruganti Annabelle Lee Howard Lipson Jim Nutaro Justin Searle Vishant Shah Brian Smith Adrian Turner Andrew Wright
What We’re All Waiting For Smart Grid Security Blueprint 1.0 from UCAIug Associated “Security Profiles” for specific applications. – provide prescriptive, actionable guidance for how to implement security for smart grid functionality. – Vendor agnostic
What to do in the meantime Read the draft blueprint from UCAIug and any security profiles you can get your hands on. Seek out crypto and security expertise for your project (in house or outside), and assign a lead – don’t wing it. Design for the Future = “All IP”. Be especially wary of vendor lock-in at this stage. Design for Flexibility = secure remote updating capabilities – and PKI keying approaches are crucial. Ask lots of questions!! Get a third-party security evaluation when your architecture is defined, and when you’re in Beta.
Other Docs to Reference Electric Power Research Institute (EPRI). 2009, June. Report to NIST on the Smart Grid Interoperability Standards Roadmap. National Institute of Standards and Technology. 2009, September. NISTIR 7628 – Smart Grid Cyber Security Requirements (Draft 1). Department of Homeland Security, National Cyber Security Division. 2009, September. Catalog of Control Systems Security: Recommendations for Standards Developers. National Institute of Standards and Technology. 2007, December. NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems. National Institute of Standards and Technology. 2007, December. NIST SP 800-39 (second public draft) – Managing Risk from Information Systems. National Institute of Standards and Technology. 2007, December. NIST SP 800-53 Rev. 2 - Recommended Security Controls for Federal Information Systems. National Institute of Standards and Technology. 2007, September 28. NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security (2nd DRAFT). The Common Criteria. 2007, September. Common Criteria v3.1 – Part 2: Security Functional Requirements Release 2 and Part 3: Security Assurance Requirements Release 2. The Common Criteria. UCA International Users Group – SG Security Working Group. 2009, October. Security Profile for Advanced Metering Infrastructure (Draft 0.49).
Summary Smart Grid security is a big problem with a big surface area, it’s not limited to a few poorly-implemented products or rollouts. Be mindful that security for embedded environments and sensor networks is its own discipline – can’t directly map traditional PC/IT security over to the Grid. Security expertise isn’t readily available within Utilities or the equipment companies that supply it – you must seek it out. Realize that vendors will try hard to lock you in to proprietary solutions at this stage. are coming, but not fast enough – that means you’ll need to improvise, and try to keep your options open for the future.
Slides or Docs? Send me an email at firstname.lastname@example.org and I’ll send you the current standards blueprint and these slides. email@example.com