340 likes | 507 Views
UCAIug : Smart Grid Security OpenSG Face-to-Face (January 2010 – San Francisco, CA) SG Security Working Group AMI-SEC Task Force. SG Security WG Chair: Darren Reece Highfill darren@utilisec.org. SG Security Overview. Chair Darren Highfill, SCE Vice Chair Matt Carpenter, Inguardians
E N D
UCAIug: Smart Grid SecurityOpenSG Face-to-Face (January 2010 – San Francisco, CA)SG Security Working GroupAMI-SEC Task Force SG Security WG Chair: Darren Reece Highfill darren@utilisec.org
SG Security Overview Chair Darren Highfill, SCE Vice Chair Matt Carpenter, Inguardians Secretary Bobby Brown, EnerNex Task Forces: AMI-SEC
Status Updates • Charter • Review • Call for Vote • Security Profile Blueprint • AMI Security Profile v2.0 • Overview of Comments • Scheduling • Comment Classification • Negotiation / Discussion • Action Items • Third Party Data Access (3PDA) • Overview • Q&A • Action Items • ASAP-SG • Review of org / participation • Upcoming profiles • New Work Areas (?) • Joint Sessions • OpenHAN • OpenADE • OpenADR • AMI-ENT • SG Systems • SG Communications
UtiliSec Charter • Chartered with developing detailed security and assurance requirements and security best practices guidance for organizations throughout the lifecycle of smart grid technology • Technology-specific, but vendor-agnostic guidance • Feed and accelerate SDO work (IEC, IEEE, etc.) • http://osgug.ucaiug.org/utilisec/Shared Documents/SG Security WG Charter v0.9-20100126.pdf
Security Profile Blueprint • Status • Mature draft posted Dec. 2009 • http://osgug.ucaiug.org/utilisec/Shared Documents/Security Profile Blueprint/Security Profile Blueprint - v0_20 - 20091214.doc • Revisited after completion of each profile • Profile Creation Method • Establish Profile Scope • Define Logical Architecture • Identify Security-Related Constraints • Recommend Security Controls • Validate Profile
AMI Security Profile Comments Discussion Points: • The use of "must", "shall", and "should" and corresponding definitions, then a group to review the consistency in the document. • No collaborative computing capabilities should be use in an AMI as it is a dedicated system for one function. • AMI is a dedicated system and should not support VoIP capabilities. • Should we add a glossary and acronym section - for example "reasonable", "strongly", "alert", "flaw". • Should "Smart Grid Application" be part of the Smart Grid components? • Should the security profile document be formatted to be used in RFPs?
ASAP-SG: Summary • Project Description: • Utility-driven, public-private collaborative project to develop system-level security requirements for smart grid technology • Needs Addressed: • Utilities: specification in RFP • Vendors: reference in build process • Government: assurance of infrastructure security • Commissions: protection of public interests • Approach: • Architectural team produce material • Usability Analysis team assess effectiveness • NIST, UtiliSec review, approve • Deliverables: • Strategy & Guiding Principles white paper • Security Profile Blueprint • 3 Security Profiles: AMI, ADE, Communications • Usability Analysis Schedule:Jun09 – Dec09 Budget: $3M ($1.5M Utilities + $1.5M DOE) Performers: Utilities, EnerNex, Inguardians, SEI, ORNL Partners: DOE Release Path: NIST, UCAIug Contacts: Bobby Brown bobby@enernex.com Darren Highfill darren@utilisec.org
ASAP-SG: Upcoming Profiles • Distribution Automation • Wide Area Situational Awareness (i.e. Synchrophasors) • Home Area Networks • Substation Automation
Joint Session SG Security & SG Systems SG Security WG Chair: Darren Reece Highfill darren@utilisec.org
Template • Summary of SG Systems group security requirements • Relevant Technological Issues • Artifacts related to above issues • SG Security artifacts: existing and/or needed • Business artifacts from requesting group (e.g. use cases) • Q&A • Collaboration between SG Security and SG Systems group • Statement of Need • Task assignments
SG-Systems • Summary of SG-Systems security requirements (Greg Robinson) • Outstanding Issues (Greg Robinson) • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and SG-Systems • SG-Systems Statement of Need • Task assignments
OpenHAN • Summary of OpenHAN security requirements (Mary Zientara) • Issues (Robby Simpson) • Privacy • Securing one way communications • HAN network admissions • Application level security • Digital Certificate authority (technology, business, security credentials) • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and OpenHAN • OpenHAN Statement of Need • Task assignments
Joint Session SG Security / OpenADE / OpenADR SG Security WG Chair: Darren Reece Highfill darren@utilisec.org
OpenADE • Summary of OpenADE security requirements (Steve Van Ausdall / Dave Mollerstuen) • Third Party Data Access Security Profile (Darren Highfill) • Outstanding Issues (Steve Van Ausdall / Dave Mollerstuen) • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and OpenADE • OpenADE Statement of Need • Task assignments
OpenADR • Summary of OpenADR security requirements (Albert Chiu) • Third Party Data Access Security Profile (Darren Highfill) • Outstanding Issues (Albert Chiu) • Use of public networks such as the internet • NERC CIP • Voluntary DR programs with pricing, weather, special days, etc. over different communications channels • Security lessons learned in current OpenADR deployments • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and OpenADR • OpenADR Statement of Need • Task assignments
Joint Session SG Security / SG Communications SG Security WG Chair: Darren Reece Highfill darren@utilisec.org
SG Communications • Summary of SG Communications group security requirements • Relevant Technological Issues • Artifacts related to above issues • SG Security artifacts: existing and/or needed • Business artifacts from requesting group (e.g. use cases) • Q&A • Collaboration between SG Security and SG Communications group • Statement of Need • Task assignments
Joint Session SG Security / AMI-ENT SG Security WG Chair: Darren Reece Highfill darren@utilisec.org
AMI-ENT • Summary of AMI-ENT security requirements (Mark Ortiz) • Outstanding Issues (Mark Ortiz) • Application level security • XML security considerations & messaging • SG Security artifacts related to above issues • Existing • Needed • Q&A • Collaboration between SG Security and AMI-ENT • AMI-ENT Statement of Need • Task assignments • Interested? Send an email to brian@enernex.com
Wrap-up Session • AMI Security Profile comments • Interest Areas / Lists to be Formed • Prioritization / Action Items / Assignments • Call for Presenters / Topics
AMI Security Profile • The intent of the document is to provide prescriptive, actionable guidance for how to build-in, procure and implement security for AMI smart grid functionality • This guidance is neutral to vendor specific implementations and architectures • Work extends from the meter data management system (MDMS) up to and including the home area network (HAN) interface of the smart meter
What Should Be Logged? • Is there a definition for Security Events, Control Events, System/Device Confirmation changes? (DHS 2.16.2.1) • Log all success / all unsuccessful? (DHS 2.14.4.2, DHS 2.15.24.3) • Message details – (date, time, source, destination, message details) • Do we need a definition for security events, control events, system/device confirmation changes? (DHS 2.14.4.2, DHS 2.16.2.1) • Do we need to define levels of auditing? (DHS 2.16.4.1)
AMI SP Comments - Summary • Use IEEE definitions for shall, should, etc. • Encryption – for supplemental guidance, level of protection needs to be applied to the data • Malicious code protection – use due diligence / care, remove the implementation guidance, general updates • Update document for “reasonable period of time”, “strongly authenticated”, “alert”, “alarm”, “flaw”
AMI SP Comments – Summary (cont) • Review definition of Grid Control Center (4.3.9) • DHS 2.8.13 – Collaborative Computing requirements and verbiage • DHS 2.8.17 – VoIP requirement enhancements • DHS-2.14.2 – Flaw remediation – better definition • DHS 2.15.2.1 – Identification and authentication – more clarifications • Comment resolution team to send an email to the group about why the document is not suitable for an RFP document.
AMI SP Comments Thank you everyone for the comments and contributions, they are greatly appreciated
Closing Plenary SG Security SG Security WG Chair: Darren Reece Highfill darren@utilisec.org
Progress This Week Key accomplishments Approved Charter Strong technical debate/review of AMI SP comments Introduction of 3PDA SP Collaborative sessions OpenHAN, OpenADR: Generate Statement of Need SG Network, AMI-ENT: Action items defined OpenADE: Delivered 3PDA SP
Interest Areas / New Email Lists Third Party Data Access Usability Analysis General Interest (Future Task Force?) OpenHAN Support SG Communications Support AMI-ENT Support Lemnos (Configuration Profiles) Risk Assessment Application Security Requirements
Moving Forward • Define agendas and action plans for next collaborative sessions • Facilitate sub-group formation & activity • Changes to AMI Security Profile • Resolution of comments • Mapping use cases and/or security domains to control requirements • Review / comment / revision of 3PDA SP
SG Communications • Email reflector: • UtiliSec-Announce@SmartGridListServ.org • UtiliSec-Technical@SmartGridListServ.org • AMI-SEC@listserv.enernex.com • Webinar information: • Provided via UtiliSec-Announce list • Webinar times:
Questions? darren@utilisec.org UtiliSec Collaboration Site http://osgug.ucaiug.org/utilisec