Defensive Strategy

Smart Grid - Cyber Security
Small Rural Electric
George Gamble
Black & Veatch
February 4, 2010
Smart Grid Cyber Security
Best Practice Approach to Cyber Security for the Small
Rural Electric
• A Smart Grid Cyber Security Plan requires a technical
approach to cyber security.
• Cyber security must be addressed in every phase of the engineering lifecycle of
the project, including design and procurement, installation and commissioning,
and the ability to provide ongoing maintenance and support.
– Cyber security solutions are comprehensive and capable of being extended or
upgraded in response to changes to the threat or technological environment.
• The technical approach to cyber security must include:
– Cyber Security risks and how they will be mitigated at each stage of the lifecycle
(focusing on vulnerabilities and impact).
– Cyber Security criteria utilized for vendor and device selection.
– Cyber Security Standards and/or best practices that will be followed (NIST, ISO,
COBIT, ITIL).
– Support of emerging smart grid cyber security standards.
Enterprise Security Architecture
• Enterprise security architecture provides the
conceptual design of network security infrastructure,
related security mechanisms, and related security
policies and procedures
• Enterprise security architecture links the components of
the security infrastructure as a cohesive unit
• The goal of this cohesive unit is to protect
organizational information including smart grid
Risk Management
Managing risk requires a defined Risk Management lifecycle
• The Smart Grid environment must be defined, criteria must be
established to protect it, and monitoring and checks must be
put in place so that, as the environment is challenged,
appropriate indicators prompt adjustments to the protective
mechanisms and keep the Smart Grid environment stable.
• Assessment, mitigation, and evaluation represent a basic
framework for a risk management approach.
– Example - Risk Assessment process is consistent with the
NIST Special Publication 800-30, “Risk Management Guide
for Information Technology Systems” risk management
recommendations.
Defensive Strategy
• To support the development of a defensive strategy, the Small Rural
Electric has to implement a defense strategy with measures for the
following components:
• Threat
• Threat Agents
• Threat Environment
• Cyber Attack
• Vulnerability and Exploitation
• Attack Trees
• Defensive Model
• Defense-In-Depth Strategies
Layered Defense Framework
Layered Defense Framework
(Defense in Depth)
Definitions:
Corporate Perimeter - Defines the separation
between the public and corporate domains.
Remote Access – Methods and controls used to
manage access to assets located within the
corporate perimeter from locations external to that
perimeter.
Corporate Network – Equipment and topology
used to provide the general employee population
access to corporate computer resources.
Electronic Security Perimeter – Device(s) used
to control data flow between two security zones.
Host Device Security – Operating Systems, access
accounts, network services, community strings and
removable media capabilities.
Applications – All non-operating system software.
Communications – Technology and protocols
used to communicate outside of a security
perimeter.
AMI – Contains Head-End system, Meter Data
Management Systems
Security Controls
• Security controls are key elements supporting the overall
defensive strategy and are implemented through the
mechanisms and methods described within the defense-in-depth
protective strategies.
• Security controls, as discussed in detail in NIST Special
Publications 800-53 Rev 3 and 800-82, “Guide to Industrial
Control Systems (ICS) Security”
Implemented three types of controls:
1. Management Controls
2. Operational Controls
3. Technical Controls
Development Lifecycle
• It is recommended that organizations utilize a good
lifecycle approach to incorporate cyber security into
your infrastructure (NIST 800-64 Revision 2,
• The following components represent some of the
stages of such an approach:
– Concept
– Requirements
– Design
– Implementation
– Test
– Installation, Checkout, and Acceptance testing
– Operation
– Maintenance
– Retirement
Policies & Procedures
Topical areas to be addressed by site-specific cyber security policies include, but are not limited to:
• Use of Cyber Defensive Model, defensive strategies, and a cyber security plan;
• Cyber Security Assessments of systems and networks;
• Roles and Responsibilities;
• Compartmentalization and Separation of Duties;
• Identification and Protection of Cyber Sensitive Information;
• Determination and Delineation of Critical Assets, Systems, and Networks;
• Design and Management Practices for Systems and Networks;
• Implementation, Design, and Management of Cyber Security Defense-In-Depth Protective measures;
• Cyber Security Requirements for Software and Hardware Procurement;
• Software Quality Assurance;
• Controlling Access to Systems and Networks;
• Monitoring of Systems and Networks;
• Virus/Malware Protection;
• Use of Wireless and Portable Computing Devices;
• Use of Encryption;
• Remote Access;
• Incident Response and Disaster Recovery;
• Response to Department of Homeland Security Threat Level Advisories;
• Reporting/Notification Requirements; and
• Cyber Security Awareness, Training, and Education of Personnel
Cyber Security Program
• Roles & Responsibilities
– Cyber security program establishes clear and unambiguous roles,
responsibilities, authorities, delegations, and interfaces within the
organization responsible for implementing and maintaining their
company’s cyber security program.