Top Banner
May 2010 The Smart Grid Security Blog webcast Series Volume 2 : Smart Grid & Data Security Jack Danahy Co-Author : The Smart Grid Security Blog Andy Bochman Co-Author : The Smart Grid Security Blog
16

SGSB Webcast 2 : Smart grid and data security

Dec 17, 2014

Download

Documents

Andy Bochman

 
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: SGSB Webcast 2 : Smart grid and data security

May 2010

The Smart Grid Security Blog webcast Series Volume 2 :

Smart Grid & Data Security

Jack DanahyCo-Author : The Smart Grid Security Blog

Andy BochmanCo-Author : The Smart Grid Security Blog

Page 2: SGSB Webcast 2 : Smart grid and data security

Jack Andy

Security meets Energy

Page 3: SGSB Webcast 2 : Smart grid and data security

Headlines on Data Loss

Page 4: SGSB Webcast 2 : Smart grid and data security

What is the “Data”?• Diagnostic Input from meters• Identification from devices

o Carso Homeso Systems

• Control System Commandso To system componentso To consumer systems

• Metering datao Net metering informationo Usage volume and time of

usage• State of systems and

components

Page 5: SGSB Webcast 2 : Smart grid and data security

What is “Security”?• Secure communications

o Wireless/Wirelineo Inter-process

• Secure storageo Long-termo Short-termo Data Destruction

• Reliable access to data

Page 6: SGSB Webcast 2 : Smart grid and data security

As part of the "compliance monitoring process" for all CIPS• 1.4.1  Data Retention - The Responsible Entity shall keep all documentation and records from the previous

full calendar year unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.

• CIP 7 - Systems Security Mgto R1. Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to

existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-3, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs … database platforms, or other third-party software or firmware.

o R7.  Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.

o R7.1.  Prior to the disposal of such assets, the Responsible Entity shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.

o R7.2. Prior to redeployment of such assets, the Responsible Entity shall, at a minimum, erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.

• * Note the following is always exempted in NERC CIPS:o "Cyber Assets associated with communication networks and data communication links between discrete

Electronic Security Perimeters."

NERC CIPS & Data

Page 7: SGSB Webcast 2 : Smart grid and data security

Example: Credit Card System Regulation (PCI DSS)

Section Guidance/Requirement

3.2 Do not store sensitive authentication data (even if encrypted) like CCV

3.3 Mask PAN when displayed

3.4 Render PAN unreadable anywhere it is stored

4.1 Use strong cryptography and security protocols … during transmission over open, public networks

6.3 Develop software applications based on industry best practices 6.3.7 Review custom code prior to release to production

6.5 Develop all web applications based on secure coding guidelines

7.2 Establish a mechanism for systems with multiple users that restricts access

8.5.16 Authenticate all access to any database containing cardholder data

10.2 Implement automated audit trails for all system components 10.2.1 All individual user accesses to cardholder data

10.3 Record at least the following audit trail entries 10.3.1 User identification 10.3.2 Type of event

http://www.flickr.com/photos/coryschmitz/4592819168/

Page 8: SGSB Webcast 2 : Smart grid and data security

What is the Big Deal?

Confidentiality

Control

Integrity

Authenticity

Availability

Utility

http://www.flickr.com/photos/egarc2/2432270195/

X

Any mishap can doom the infrastructure

Page 9: SGSB Webcast 2 : Smart grid and data security

Welcome to the Parkerian Hexad (That’s a mouthful)

Confidentiality Access to data is limited to those intended

Control Data is only accessible or changeable by those intended

Integrity Data can be relied upon to be accurate and unchanged

Authenticity Veracity of data source and provenance can be assured

Availability Timely access to data is always ensured

Utility Security or insecurity does not inhibit the practical use of data

Page 10: SGSB Webcast 2 : Smart grid and data security

Data Volume will add to the Challenge

www.everest-2003.com/route_e.html

Smart Grid Data is Expansive• More like existing MEGA X Existing Data• Many more data elements• Much higher frequency

Current Data is Limited• Simple meter reads• Limited diagnostic information• Hardline/Physical addressing

Page 11: SGSB Webcast 2 : Smart grid and data security

Do Not Treat Data as a Block

Required Beneficial Not Relevant

Integrity ? ? ?

Privacy ? ? ?

Availability ? ? ?

Identity ? ? ?

Non-Repudiability ? ? ?

Timeliness ? ? ?

DATA is actually

Page 12: SGSB Webcast 2 : Smart grid and data security

Think about the Logical Cuts on the Data

Short-lived MeterDiagnostic Data

Power UseReadings

Customer Identification Data

MeterLocation Data

Page 13: SGSB Webcast 2 : Smart grid and data security

Applications Need and Store Different Composites

Short-lived MeterDiagnostic Data

Power UseReadings

Customer Identification Data

MeterLocation Data

Private Long-term

Storage

Private Mid-termStorage

Protected Short-term

Storage

BitBucket

What customer owns what meter,

and where?

How muchpower,

where, this month?

Application layer

How muchpower,

where, this reading?

Is this meter going to fail?

Page 14: SGSB Webcast 2 : Smart grid and data security

A Data Characterization Example

http://www.flickr.com/photos/coryschmitz/4592819168/

Page 15: SGSB Webcast 2 : Smart grid and data security

Benefits to Smart Grid Data Security Practices

• Cost Effectivenesso Data loss is expensiveo Data storage can be expensiveo Data encryption is vital (but expensive)o Segregation maximized efficiency

• Stronger controlso Compartmentalizing data enables compartmentalized accesso Anomalies are simpler to detect in a well-regulated environment

• Complianceo Regulations exist and are changing, mandating data securityo Compliance is easier to ensure with a partitioned system

Page 16: SGSB Webcast 2 : Smart grid and data security

Thanks !

The Smart Grid Security Blogsmartgridsecurity.blogspot.com