Cyber Security working Group November 2010

1
Cyber Security working GroupNovember 2010

• Marianne Swanson
• Marianne.swanson_at_nist.gov
• November 30, 2010

2
Agenda

• Industry Update NESCO (Rhonda Dunfee)
• Subgroup Updates (Subgroup Leads)

November 30-December 3, 2010
2
3
The NESCO Group EnergySec EPRI

• Rhonda Dunfee
• Rhonda.Dunfee_at_hq.doe.gov

November 30-December 3, 2010
3
4
Roadmap Updated to Include Smart Grid

• Published in January 2006, updated Roadmap in
  development
• Energy Sectors synthesis of critical control
  system security challenges, RD needs, and
  implementation milestones
• Provides strategic framework to
• align activities to sector needs
• coordinate public and private programs
• stimulate investments in control systems security

Roadmap Vision In 10 years, control systems for
critical applications will be designed,
installed, operated, and maintained to survive an
intentional cyber assault with no loss of
critical function.
5
The NESCO Group

• Mission Lead a broad-based, public-private
  partnership to improve electric sector energy
  systems cyber security
• Vision An industry owned and operated group that
  supports electric sector response efforts to
  address cyber events
• Goals
• Identify and disseminate cyber security best
  practices to the sector
• Analyze, monitor and relay infrastructure
  weakness and threat information
• Work with federal agencies to improve electric
  sector cyber security
• Encourage key electric sector supplier and vendor
  support / interaction

6
The NESCO Group Funding

• 16.2M Cost-sharing award (10M Federal)
• EnergySec NESCO (Total 9,752,730)
• EPRI NESCOR a research and analysis resource
  for NESCO (Total 6,662,500)

7
Activities To Date

• Sep 30 Completed
• Internal DOE meeting to discuss expectations and
  roles
• Meetings with EnergySec and EPRI discussing
  roles/responsibilities
• Definitized EnergySec agreement awarded (eff. Oct
  1)
• Undefinitized EPRI agreement awarded (expected
  definitization Dec 31)
• Nov 2-3 Visit with ICS-CERT at Idaho National
  Laboratory
• Nov 3-4 Participation in the TCIPG Industry
  Workshop
• Nov 17 Kickoff Meeting for NESCO/NESCOR
• Identify key milestones and deliverables
• Discuss expectations
• Nov 18 Informational Briefing for Federal
  Partners in DC
• Dec 1 Participation in the CIP Congress at the
  National Harbor
• Dec 8-9 Participation in CIPC in Tampa

8
NESCO - EnergySec
9
EnergySec

• 501(c)(3) non-profit organization
• 401 active portal users from 108 unique
  organizations
• Organizations represent 54.92 U.S. generation
  and 66.79 electric distribution
• Current board of directors and advisory team
  consist of industry professionals in information
  security, physical security, engineering, plant
  operations, disaster recover, telecommunications,
  etc.
• First deliverable complete Closed mailing list
  to replace the general EnergySec Forum and enable
  participants to more easily interact

10
Strengthen the Cyber Security Posture of the
Electric Sector

• Establish a broad-based public-private
  partnership for collaboration and cooperation
• Develop NESCO membership
• Conduct Town Hall Meetings
• Improve collaboration with government
• Reach out to other industry groups, academia and
  organizations
• For example, ES-ISAC, ICSJWG, NERC
• Encourage vendor and manufacturer involvement in
  collaboration

11
EnergySec Portal
12
Enhance Electric Infrastructure Reliability and
Cyber Security Solutions Development

• Coordinate end user testing opportunities for
  projects and research requiring broad industry
  adoption for success
• Create code and best practices repository
• Create working groups to evaluate incidents and
  best practices

13
Provide a Path for Rapid Information Dissemination

• Establish a rapid notification system
• Develop situational awareness information
  dissemination system for threat and vulnerability
  information
• Enhance collaboration web portal
• Institute the capability to share information,
  best practices, resources, and solutions to and
  from domestic and international electric sector
  participants

14
Provide Data Analysis and Forensics Capabilities
to Assess Cyber-Related Threats and Events

• Provide on-demand service to conduct forensics
  for cyber security breaches through external
  organizations who are forensics leaders
• Design and implement a data analysis program

15
Additional Tasks

• Project management
• Assist in developing strategies to protect the
  energy infrastructure
• Stimulate support and interaction with key
  electric sector suppliers and vendors

16
NESCOR - EPRI
17
Electric Power Research Institute

• Independent nonprofit organization
• Conducts RD relating to the generation, delivery
  and use of electricity
• Members represent more than 90 of the
  electricity generated and delivered in the U.S.
• International partnership includes 40 countries

18
Collaborate and provide input to NESCO

• Support NESCO in enhancing collection and
  dissemination of threat and vulnerability
  information to industry
• Assist NESCO and others in developing strategies
  to identify and prepare for immediate and future
  challenges to grid reliability, resiliency, and
  security
• Review and assess existing cyber security
  standards to meet requirements and identify gaps
  in cyber security capabilities
• Conduct cost-benefit analyses of graded risk
  management approach
• Develop testing methodologies and facilitate
  testing

19
Discussion
20
Information Sharing Approach

• Building on EnergySecs past successes
• Keys have been proficiency, familiarity and trust
• Built relationships at the operations,
  management, and executive levels among companies
  within the energy sector
• Provided trusted and effective forums for
  obtaining mutual assistance on issues related to
  critical infrastructure protection
• Developed trust within the industry in order to
  develop, promote, and support new information
  sharing technologies that provide both
  confidentiality and impartiality
• Focused on the industry
• Emphasized timeliness as demanded by the current
  threat and risk landscape

21
Issues/Concerns

• Constraints to NESCO
• Staged Cost-sharing leading to
  self-sustainability in 3 years
• Large sector size
• Diverse stakeholders (asset owners/operators
  generation, transmission and distribution end
  users, vendors)
• Collaboration with Federal agencies and Industry
  organizations
• Avoiding duplication of effort and establishing
  roles/responsibilities
• Information sharing
• Government ? NESCO
• Industry ? NESCO

22
Rhonda Dunfee Infrastructure Security Energy
Restoration Division Office of Electricity
Delivery Energy Reliability DOE Rhonda.Dunfee_at_hq
.doe.gov
23
CSWG Subgroup Updates

• Subgroup Leads

November 30-December 3, 2010
23
24
Subgroup Updates

• AMI Security (Darren Highfill)
• Design Principles (Daniel Thanos)
• Privacy (Tanya Brewer)
• Testing Certification (Sandy Bacik)

November 30-December 3, 2010
24
25
AMI Sec

• Twiki http//collaborate.nist.gov/twiki-sggrid/bi
  n/view/SmartGrid/CsCTGAMI
• Meetings Tuesdays at 1300 Eastern
• Dial-in Information 866-793-6322 X3836162
• Mailing list csctgami_at_nist.gov
• To join the mailing list contact
  tanya.brewer_at_nist.gov
• Co-Chair contact information
• Darren Highfill (darren_at_utilisec.org)
• Ed Beroset (edward.j.beroset_at_us.elster.com)

November 30-December 3, 2010
25
26
AMI Security Subgroup Scope

• Back-office components that have metering as
  primary focus
• E.g. MDMS is in scope, CIS is not
• Through the electric meter or utility-owned/operat
  ed gateway
• Water meters, gas meters, and customer-owned/opera
  ted devices are not explicitly in scope
• Interface-Oriented Projection of Requirements
  Devices wishing to communicate using AMI must
  meet certain capabilities and follow certain
  behavior to be allowed on the network
• May develop classes of device requirements to
  account for highly heterogeneous resource
  constraints (i.e. home EMS vs. gas meter)
• All layers of communications stack
• Challenge in finding appropriate SDO to work with
• Consensus from St. Louis benefits of unified
  document addressing AMI in the manner it is
  procured outweigh challenges

27
AMI Security Subgroup PAP Proposal

• Consensus Propose a Priority Action Plan to
  standardize a set of requirements for AMI
  security
• Proposal is stronger if we know which SDO/SSO we
  want to work with
• Current draft http//collaborate.nist.gov/twiki-s
  ggrid/bin/view/SmartGrid/AMISecurityRequirements
• Linked on CSCTGAMI and Priority Action Plans
  pages
• Criteria for selecting SDO/SSO
• Industry acceptance
• Expertise in power systems, especially advanced
  metering
• Expertise in communications, networking, and
  security
• Openness to interaction with AMI Security
  Subgroup and the SGIP
• Ability to work quickly
• Cost of final product (i.e. purchase price of
  standard)
• Nominated SDOs/SSOs
• ANSI, IEC, IEEE, IETF, ISA, and NEMA
• AMI Security Subgroup to produce and distribute
  RFI

28
Design Principles

• Twiki http//collaborate.nist.gov/twiki-sggrid/bi
  n/view/SmartGrid/CSWGDesignPrinciples
• Meetings Fridays 1530 Eastern
• Dial-in Information 800-728-9607 X4570752
• Mailing list cswgdesign_at_nist.gov
• To join the mailing list contact
  tanya.brewer_at_nist.gov
• Chair contact information
• Daniel Thanos (daniel.thanos_at_ge.com)

November 30-December 3, 2010
28
29
Privacy

• Twiki http//collaborate.nist.gov/twiki-sggrid/bi
  n/view/SmartGrid/CSCTGPrivacy
• Meetings Thursdays, 1100 Eastern
• Dial-in Information 866-802-3515 X2817109
• Mailing list csctgprivacy_at_nist.gov
• To join the mailing list contact
  tanya.brewer_at_nist.gov
• Chair contact information
• Rebecca Herold (rebeccaherold_at_rebeccaherold.com)

November 30-December 3, 2010
29
30
Smart Grid Privacy Group Scope/Mission

• To identify and clearly describe privacy concerns
  within the Smart Grid and opportunities for their
  mitigation. In addition, the group strives to
  clarify privacy expectations, practices, and
  rights with regard to the Smart Grid by
• Identifying potential privacy problems and
  encouraging the use of relevant existing fair
  information practices
• Seeking the input of and educating Smart Grid
  entities, subject matter experts, and the public
  on options for protecting privacy of, and
  avoiding misuse of, personal information used
  within the Smart Grid
• Providing recommendations for coordinating
  activities of relevant local, state, and federal
  agencies regarding Smart Grid privacy related
  issues
• Making recommendations and providing information
  to organizations developing privacy policies and
  practices that promote and protect the interest
  of Smart Grid consumers and organizations

31
Smart Grid Privacy Group Scope/Mission

• Try to answer questions such as those received
  informally
• How will information about my energy consumption
  (days, times, amounts, and other use profile
  information) be used shared with business
  partners?
• Will there be any public way to verify addresses
  or names of clients of the grid?
• Any and all PII will be considered private and
  confidential I hope. Or will they make the
  mistakes of so many others in the past of doing
  reverse lookups based on meter numbers or
  neighborhood consumption reports?
• Do the Fair Information Practice principles
  (FIPs) provide a sound and adaptable framework
  for addressing consumer privacy concerns or are
  they just the baseline?
• How secure are the meters, HAN and other
  communication devices (secure in the means of
  protecting customer information)?
• What types of "click and consent" models will be
  used?
• How will information be shared and used, and how
  will it be protected?
• What kind privacy protections will be in place
  prior to allowing third party access?

32
Group Demographics

• The NIST Smart Grid Privacy Subgroup currently
  includes
• Energy and Utilities Industry Experts
• State Public Utilities Commission Representatives
• Information Security Experts
• Privacy Experts
• Attorneys and Legal Experts
• University Professors and Students
• Other technical, operational and privacy experts,
  from all regions, are welcome to join the group!

33
Work Going Forward

• Address privacy issues for businesses
  (commercial, institutional, industrial)
• Expand upon PEV issues
• Discuss National Strategy for Trusted IDs in
  Cyber Space (NSTIC) impact on privacy in the
  Smart Grid
• Address privacy issues related to energy
  generation
• Add more privacy use cases to what is in NISTIR
  7628
• Add more discussion of opt-in versus opt-out
  what real choices are possible to allow Smart
  Grid functioning and what is not?
• Expand upon data collection endpoints/paths
  (e.g., private internetworks, storage media
  devices, etc.) that will be part of the Smart
  Grid
• Expand upon Internet- and wireless-related issues

34
Work Going Forward
Smart Grid Categories with Potential Privacy Issues Consumers (expanding Upon Version 1 of NISTIR 7628) Consumers (expanding Upon Version 1 of NISTIR 7628) Consumers (expanding Upon Version 1 of NISTIR 7628) Consumers (expanding Upon Version 1 of NISTIR 7628) Commercial / Institutional (apartments, hospitals, dormitories, etc.) Commercial / Institutional (apartments, hospitals, dormitories, etc.) Commercial / Institutional (apartments, hospitals, dormitories, etc.) Commercial / Institutional (apartments, hospitals, dormitories, etc.) Commercial/Non-Institutional (office buildings, retail stores, data centers, car rentals, etc.) Commercial/Non-Institutional (office buildings, retail stores, data centers, car rentals, etc.) Commercial/Non-Institutional (office buildings, retail stores, data centers, car rentals, etc.) Commercial/Non-Institutional (office buildings, retail stores, data centers, car rentals, etc.)
Smart Grid Categories with Potential Privacy Issues Physical Admini-strative Technical Privacy Impacting Data Physical Admini-strative Technical Privacy Impacting Data Physical Admini-strative Technical Privacy Impacting Data
Smart Meters                        
- energy usage  X X  X   X X  X X  X - P P P
- pricing data X X  X  X X X  X  X - P P P
- smart device data X X  X  X X X  X  X - P P P
                         
PEVs (NOTE Requested by PAP11)                      
- private charging station X X X X X X X X - P P P
energy usage X X X X X X X X - P P P
pricing data X X X X X X X X - P P P
PEV related data X X X X X X X X - P P P
- public charging station P P P P P P - P - P P P
PEV related data P P P P P P - P - P P P
- servicing X X X X P P P P - P P P
35
Wrap-up

• Thank you to everyone for your contributions and
  support
• On Wednesday,
• Annabelle Lee, FERC, will provide us with an
  update on the FERC standards review
• CSWG PAP liaisons and their involvement in the
  PAPs will be discussed
• CSWG Standards subgroup lead will provide a
  review of what the standards subgroup has
  accomplished and the standard template the CSWG
  uses for the standard review process
• Preview of the CSWG 3-year plan
• Twiki http//collaborate.nist.gov/twiki-sggrid/bi
  n/view/SmartGrid/CyberSecurityCTG

November 30-December 3, 2010
35