Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

2. Smart Grid - Cyber SecuritySmall Rural ElectricGeorge GambleBlack & Veatch February 4, 2010

3. Smart Grid Cyber Security Best Practice Approach to Cyber Security for the Small Rural Electric • Smart Grid Cyber Security Plan require a technical approach to cyber security. • Cyber security must be addressed in every phase of the engineering lifecycle of the project, including design and procurement, installation and commissioning, and the ability to provide ongoing maintenance and support. • Cyber security solutions are comprehensive and capable of being extended or upgraded in response to changes to the threat or technological environment. • The technical approach to cyber security must include: • Cyber Security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact). • Cyber Security criteria utilized for vendor and device selection. • Cyber Security Standards and/or best practices that will be followed. (NIST, ISO, COBiT, ITIL) • Support of emerging smart grid cyber security standards.

4. Enterprise Security Architecture • Enterprisesecurityarchitecture provides the conceptual designof network security infrastructure, related security mechanisms, and related security policies and procedures • Enterprisesecurityarchitecture link components of the security infrastructure as a cohesive unit • The goal of this cohesive unit is to protect organizational information including smart grid

5. Risk Management Managing risk requires a defined Risk Management lifecycle • The Smart Grid environment must be defined, criteria established to protect the environment, and monitoring and checks must be put into place to ensure that as the environment is challenged, appropriate indicators provide new considerations to adjust protective mechanisms to ensure stability to the Smart Grid environment. • Assessment, mitigation, and evaluation represent a basic framework for a risk management approach. • Example - Risk Assessment process is consistent with the NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems” risk management recommendations.

6. Defensive Strategy • To support the development of a defensive strategy The Small Rural Electric has to implement a defense strategy with measures for the following components: • Threat • Threat Agents • Threat Environment • Cyber Attack • Vulnerability and Exploitation • Attack Trees • Defensive Model • Defense-In-Depth Strategies

7. Corporate Perimeter Remote Access Layered Defense Framework (Defense in Depth) Definitions: Corporate Network Electronic Security Perimeter Corporate Perimeter - Defines the separation between the public and corporate domains. Host Device Security Remote Access – Methods and controls used to manage access to assets located within the corporate perimeter from locations external to that perimeter. Energy Management System Electronic Security Perimeter Corporate Network – Equipment and topology used to provide the general employee population access to corporate computer resources. Communications Electronic Security Perimeter Electronic Security Perimeter – Device(s) used to control data flow between two security zones. AMI Systems 9 2 3 4 6 7 5 1 8 Host Device Security – Operating Systems, access accounts, network services, community strings and removable media capabilities. Communications Energy Management System Applications Applications – All non-operating system software. Communications – Technology and protocols used to communicate outside of a security perimeter. Network Architecture Electronic Security Perimeter AMI – Contains Head-End system, Meter Data Management Systems Dial-up or VPN Corporate Perimeter Layered Defense Framework

8. Security Controls • Security controls are key elements supporting the overall defensive strategy and are implemented through the mechanisms and methods described within the defense-in-depth protective strategies.  • Security controls, as discussed in detail in NIST Special Publications 800-53 Rev 3 and 800-82, “Guide to Industrial Control Systems (ICS) Security Implemented three types of controls: • Management Controls • Operational Controls • Technical Controls

9. Development Lifecycle • It is recommended that organizations utilize a good lifecycle approach to incorporate cyber security into your infrastructure (NIST 800-64 Revision 2, • The following components represent some of the stages of such an approach: • Concept • Requirements • Design • Implementation • Test • Installation, Checkout, and Acceptance testing • Operation • Maintenance • Retirement

10. Policies & Procedures Topical areas to be addressed by site-specific cyber security policies include, but are not limited to: • Use of Cyber Defensive Model, defensive strategies, and a cyber security plan; • Cyber Security Assessments of systems and networks; • Roles and Responsibilities; • Compartmentalization and Separation of Duties; • Identification and Protection of Cyber Sensitive Information; • Determination and Delineation of Critical Assets, Systems, and Networks; • Design and Management Practices for Systems and Networks; • Implementation, Design, and Management of Cyber Security Defense-In-Depth Protective measures; • Cyber Security Requirements for Software and Hardware Procurement; • Software Quality Assurance; • Controlling Access to Systems and Networks; • Monitoring of Systems and Networks; • Virus/Malware Protection; • Use of Wireless and Portable Computing Devices; • Use of Encryption; • Remote Access; • Incident Response and Disaster Recovery; • Response to Department of Homeland Security Threat Level Advisories; • Reporting/Notification Requirements; and • Cyber Security Awareness, Training, and Education of Personnel

11. Cyber Security Program • Roles & Responsibilities • Cyber security program establishes clear and unambiguous roles, responsibilities, authorities, delegations, and interfaces within the organization responsible for implementing and maintaining their company’s cyber security program.