NIST and the Smart Grid

NIST and the Smart Grid NISTIR 7628, Guidelines for Smart Grid Cyber Security National Institute of Standards and Technology U.S. Department of Commerce September 28, 2010 1

Welcome Thank You California Public Utilities Commission for Hosting this Session on the NISTIR 7628, Guidelines for Smart Grid Cyber Security 2

Agenda 10:00 AM SGIP Cyber Security Working Group Welcome Marianne Swanson 10:15 AM NIST Smart Grid Interoperability Panel Overview Marianne Swanson 10:30 AM DOE Threat Briefing Mark Enstrom 11:00 AM CSWG Overview Marianne Swanson The CSWG s focus and role The sub-groups 11:30 AM The NIST Interagency Report 7628 CSWG Staff 12:00 PM Lunch Security Architecture High-level security requirements 3

Agenda 1:00 PM The NIST Interagency Report 7628 (Continued) CSWG Staff Cryptography and Key Management Vulnerability Classes Bottom-Up Security Analysis Research and Development Standards Review 3:30 PM Day 1 Wrap-up 4:00 PM Adjourn 4

Why Are We Here? This meeting provides an opportunity for the California PUC to learn about the guidelines that address cyber security and privacy of the Smart Grid. The evolving Smart Grid ultimately will comprise a vast array of devices and systems with two-way communication and control capabilities, requiring more advanced protocols and other standards. Anticipated Smart Grid benefits include Improvements in the efficiency of energy use and distribution Greater independence of sections of the grid Improved resistance to attack 5

Outreach Going across the country to talk about the NISTIR 7628, Guidelines for Smart Grid Cyber Security NIST is invited to future sessions November 5 th Midwest Region Public Briefing (Illinois, Wisconsin, Iowa, Missouri) Hosted by University of Illinois at Urbana-Champaign November 18-19 Southeast Region Public Briefing (Georgia, Florida, South Carolina, North Carolina, Tennessee, Mississippi, Alabama) Hosted by Georgia Institute of Technology January 18 New England Region Public Briefing Hosted by Northeastern University Future events planned for 2011: Ohio PUC (late January), Metro DC area (mid February), Texas (late February), Colorado (April) 6

Smart Grid Background Information 7

What is the Smart Grid What is the Smart Grid? How will the Smart Grid evolve from today s grid infrastructure? 8

Today s Electric Grid Markets and Operations Generation Transmission Distribution Customer Use One-way flow of electricity Centralized, bulk generation Heavy reliance on coal and oil Limited automation Limited situational awareness Consumers lack data to manage energy usage 9

Smart Grid = Electrical Grid + Intelligence Combining electrical and communication grids requires interoperability 2-way flow of electricity and information Intelligent Infrastructure Interoperability requires reliable standards and validated performance Graphics courtesy of EPRI 10

Smart Grid Drivers and Goals Climate change Energy security Lifestyle dependent on electricity Jobs Reduce energy use overall and increase grid efficiency Increase use of renewables (wind and solar don t produce carbon) Support shift from oil to electric transportation Enhance reliability and security of the electric system 11

How will the Smart Grid evolve? High use of renewables 20% 35% by 2020 Distributed generation and microgrids Net metering selling local power into the grid Distributed storage Smart meters that provide near-real time usage data Time of use and dynamic pricing Ubiquitous smart appliances communicating with the grid Energy management systems in homes as well as commercial and industrial facilities linked to the grid Growing use of plug-in electric vehicles Networked sensors and automated controls throughout grid Increased cyber security infused into all Smart Grid functions 12

NIST s Role 13

Federal Government Roles in Smart Grid Federal Energy Regulatory Commission State Public Utility Commissions 14

Roles for the Smart Grid Department of Energy (DOE) is the lead agency for U.S. Government for Smart Grid $3.4 billion of ARRA-funded Smart Grid Investment Grants Smart Grid Task Force DOE, NIST, FERC, FCC, EPA, ITA, DHS, NIST coordinates and accelerates development of standards by private sector SDOs Federal Energy Regulatory Commission initiates rulemaking when consensus State Public Utilities Commissions (California, Texas, ) 15

Energy Independence and Security Act In the Energy Independence and Security Act (EISA) of 2007 Congress established the development of a Smart Grid as a national policy goal Under EISA, NIST is directed to Coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems Maintain the reliability and security of the electricity infrastructure 16

Energy Independence and Security Act (2) Defines ten national policies for the Smart Grid 1. Use digital technology to improve reliability, security, and efficiency of the electric grid 2. Dynamic optimization of grid operations and resources, with full cyber-security 3. Integration of distributed renewable resources 4. Demand response and demand-side energyefficiency resources 5. Automate metering, grid operations and status, and distribution grid management 17

Energy Independence and Security Act (3) Defines ten national policies for the Smart Grid 6. Integrate smart appliances and consumer devices 7. Integrate electricity storage and peak-shaving technologies, including plug-in electric vehicles 8. Provide consumers timely information and control 9. Interoperability standards for the grid and connected appliances and equipment 10. Lower barriers to adoption of smart grid technologies, practices, and services. 18

The NIST Role Coordinate the interoperability framework by identifying the protocols and model standards necessary to enable the Smart Grid vision as outlined in the 2007 Energy Independence and Security Act (EISA) Title XIII mandate Work with industry stakeholders to achieve a common vision and consensus on the necessary standards Report on progress in the development of the interoperability framework Work with standards bodies/users groups to get standards harmonized/developed & used Visible active federal government leadership and coordination by NIST 19

NIST Framework and Roadmap, Release 1.0 Revised version January 2010 Public comments reviewed and addressed Smart Grid Vision/Model 75 key standards identified IEC, IEEE, 16 Priority Action Plans to fill gaps Includes cyber security strategy Companion document, NISTIR 7628 Guidelines for Smart Grid Cyber Security http://www.nist.gov/smartgrid/ Conceptual Model 20

Conceptual Reference Diagram for Smart Grid Information Networks 21

Interoperability Framework 22

NIST Three Phase Plan PHASE 1 Identify an initial set of existing consensus standards and develop a roadmap to fill gaps PHASE 2 Establish public/private Standards Panel to provide ongoing recommendations for new/revised standards PHASE 3 Testing and Certification Framework 2009 2010 23

NIST Smart Grid Timeline - Highlights 2007 EISA gives NIST responsibility for a Smart Grid Framework 2008 NIST forms Domain Expert Working Groups T&D, Home-to-Grid, Building-to-Grid, Industry-to-Grid, Business and Policy, Cyber 2009 NIST holds large-scale workshops to identify standards Over 1500 participants from a variety of groups 2009 November Smart Grid Interoperability Panel established 2009 December First meeting Governing Board Dec 8-9, 2009 at NIST 2010 January NIST Smart Grid Framework 1.0 2010 August CSWG Guidelines for Smart Grid Cyber Security will be released 24

Smart Grid Interoperability Panel (SGIP) 25

26 SGIP Organization Governing Board SGIP Officers NIST SGIP Administrator Test & Certification Committee (SGTCC) Cyber Security Working Group (CSWG) Architecture Committee (SGAC) Standing Committees & Working Groups Program Mgmt Office (PMO) Comm. Marketing Education (CME) Coordination Functions Bylaws & Operating Procedures (BOP) PAP 1 PAP 2 PAP 3 PAP 4 PAP 5 PAP Priority Action Plan Teams H2G TnD B2G I2G PEV2G BnP Domain Expert Working Groups SGIP Membership

Smart Grid Interoperability Panel Team that comprises of Government, Industry and Academia Over 2,000 members Government from all branches of government Industry Not just traditional power industry Across all of academia 27

SGIP Membership (as of 6/4/10) Total # of Member Organizations: 590 Number of Participating Member Organizations: 524 Number of Observing Member Organizations: 66 Number of Organizations who joined in May 2010: 10 Total # of Individual Members: 1,615 Number of Organizations by Country USA: 536 Canada: 25 International: 29 Number # of Participating Member Organizations by Declared Stakeholder Category Stakeholder Categories 28

SGIP Vision Public-private partnership to support NIST EISA responsibility Open, transparent body Representation from all SG stakeholder groups Over 360 member organizations at founding Membership open to any materially interested stakeholder organizations SGIP does not directly develop or write standards Stakeholders participate in the ongoing coordination, acceleration and harmonization of standards development. Reviews use cases, identifies requirements, coordinates conformance testing, and proposes action plans for achieving these goals. 29

SGIP Vision (2) SGIP Governing Board Approves and prioritizes the work of the SGIP Coordinates necessary resources (in dialog with SDOs, user groups, and others) to carry out finalized action plans in efficient and effective manner. Standing Committees SG Architecture Committee (SGAC) SG Testing and Certification (SGTC) Additional Committees will be created as needed Working Groups Cyber Security Working Group (CSWG) Domain Expert Working Groups (DEWGs) 30

SGIP Standing Committees Smart Grid Architecture Committee (SGAC) Creates and refines SG Conceptual Reference Model Developing Smart Grid Architectural Framework Templates Testing and Certification Committee (SGTCC) Creates and maintains the framework for compliance, interoperability and cyber security testing and certification Develops and implements certification criteria by which compliance can be verified through testing of vendor products and services 31

SGIP PAPs Priority Action Plans (PAPs): created to address gaps in Smart Grid standards # Priority Action Plan # Priority Action Plan 0 Meter Upgradeability Standard 9 Standard DR and DER Signals 1 Role of IP in the Smart Grid 10 Standard Energy Usage Information 2 Wireless Communication for the Smart Grid 11 Common Object Models for Electric Transportation 3 Common Price Communication Model 12 IEC 61850 Objects/DNP3 Mapping 4 Common Scheduling Mechanism 13 Time Synchronization, IEC 62850 Objects/ IEEE C37.118 Harmonization 5 Standard Meter Data Profiles 14 Transmission and Distribution Power Systems Model Mapping 6 Common Semantic Model for Meter Data tables 15 Harmonize Power Line Carrier Standards for Appliance Communications in the Home 7 Electric Storage Interconnection Guidelines 16 Wind Plant Communications 8 CIM for Distribution Grid Management 17 Facility Smart Grid Information Standard 32

PAPs address standards gaps and issues Priority Action Plans Smart meter upgradeability standard (PAP 00, completed by NEMA in 2009) Standard meter data profiles (PAP 05) Develop common specification for price and product definition (PAP 03) Develop common scheduling communication for energy transactions (PAP 04) Standard demand response signals (PAP 09) Customer energy use information (PAP10) Energy storage interconnection guidelines (PAP 07) Interoperability standards to support plug-in electric vehicles (PAP 11) Wind Interconnection Standards (PAP 16) Priority Action Plans Guidelines for use of IP protocol suite in the Smart Grid (PAP 01) Guidelines for the use of wireless communications (PAP 02) Harmonize power line carrier standards for appliance communications in home (PAP15) Develop common information model (CIM) for distribution grid management (PAP 08) DNP3 Mapping to IEC 61850 Objects (PAP12) Transmission and distribution power systems model mapping (PAP 14) Harmonization of IEEE C37.118 with IEC 61850 and Precision Time Synchronization (PAP 13) 33

International Smart Grid Coordination Increasing number of bilateral discussions and interactions with China, Japan, Korea, India, Brazil, France, Germany, Italy US-EU Energy Council Close coordination with International Standards Developing Organizations (SDOs) through NIST process Example: International Electrotechnical Commission (IEC) work coordinated through IEC-Strategic Group 3 Open, transparent process with international participation 34

For More Information The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (January 2010) can be downloaded at: www.nist.gov/smartgrid/ The SGIP website is: www.sgipweb.org Activities of SGIP committees and working groups can be followed at: http://collaborate.nist.gov/twikisggrid/bin/view/smartgrid/sgip 35

U.S Department of Energy and Smart Grid www.oe.energy.gov U.S. Department of Energy 1000 Independence Ave., SW Washington, DC 20585

Roadmap Updated to Include Cyber Security Published in January 2006, updated Roadmap to be released in 2010 Energy Sector s synthesis of critical control system security challenges, R&D needs, and implementation milestones Provides strategic framework to align activities to sector needs coordinate public and private programs stimulate investments in control systems security Roadmap Vision In In 10 10 years, control systems for for critical applications will will be be designed, installed, operated, and and maintained to to survive an an intentional cyber assault with with no no loss loss of of critical function. 37

DOE National SCADA Test Bed (NSTB) Program Key Activities Next Generation Control Systems System Vulnerability Assessments Integrated Risk Analysis Partnership and Outreach Trustworthy Cyber Infrastructure for the Power Grid Precompetitive Technologies Development Industry led Technology Development Smart Grid Test and Evaluation Capability Cyber Assessments for Next Generation Control Systems Modeling and Simulation38 Scenario Analysis Operational Analysis Outreach Information Sharing Advanced Red/Blue Training 38

Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Vision: Architecture for End-to-End Resilient, Trustworthy & Realtime Power Grid Cyber Infrastructure Applets for Schools Recent Papers TCIPG NetAPT Network Access Policy Tool (adopted by utility in Spring 2010) University of Illinois Dartmouth College Cornell University Washington State University 39

Cyber Security ARRA Activities Critical to Smart Grid Success Organized interagency group (DOE, NIST, FERC, DHS, CIA) for development of cyber security requirements for RFP Quality of cyber security plans- major factor in Technical Merit Review Utilized technical merit review team and cyber security SME team to provide independent reviews DOE will work with grantees to ensure cyber security plans are adequate ARRA Cyber Security Website www.arrasmartgridcyber.net 40

National Electric Sector Cyber Organization Financial Assistance Award: $10 million over three years with increasing cost share to establish organization Organization will be self sustaining through energy sector partnership in future years 41

Challenges Timely actionable information sharing Adequate protection of information shared between public and private sectors New Regulatory Model Compliance and risk management balance Safe Harbor" provisions in law and regulation Efficient rate recovery process for cyber security costs Graded Cyber Security Requirements and Risk Management Processes 42

Challenges Supply Chain Risk Management Survivability and Resilience Culture and Communication Consumer education Innovative and adaptive workforce Wide-Area Cyber Situational Awareness Continuous Monitoring Smart Grid cyber threats Realistic analysis and response 43

Collaborate Moving Forward Visit www.oe.energy.gov Contact the Working Group www.controlsystemsroadmap.net/workingroup.aspx 44

Cyber Threat Characterization: Electric Power Grid Information Provided by Sandia National Laboratory and the Boeing Corporation Sandia National Laboratories is a multi program laboratory operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

The Cyber Storm 46

Example: Who is the Threat? UK citizen accused of crashing systems at the Port of Houston by DoS attack and hacking on its computer systems on 20 Sep 2001 Attack froze web service, containing vital data for shipping, mooring companies and support firms responsible for helping ships navigate in and out of the harbor Attack traced to a computer at Caffrey's UK home by US police Allegedly aimed at taking a South African chatroom user offline whose comments were attacking the US. Caffrey allegedly took offense at the comments because his girlfriend was American Specific lessons IT systems vital in overall control system Distance is not a factor Damage may be a collateral effect of other hostile acts Port of Houston: 8 th largest in world with $10.9B revenue 47

Maroochy Waste Water Event More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds Impact Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs Specifics SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water Used OPC ActiveX controls, DNP3, and ModBus protocols Used packet radio communications to RTUs Boden used commercially available radios and stolen SCADA software to make his laptop appear as a pumping station Causes as many as 46 different incidents over a 3- month period (Feb 9 to April 23) Lessons learned Change log-ons after terminations Investigate anomalous system behavior Use secure radio transmissions Source: US Department of Homeland Security Last accessed: 08 Feb 2010 http://csrc.nist.gov/groups/sma/ispab/documents/minutes/2008-12/icssecurity_ispab-dec2008_spmcgurk.pdf 48

Davis Besse Nuclear Power Plant Event August 20, 2003 Slammer worm infects plant Impact Complete shutdown of digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC) Specifics Worm started at contractors site Worm jumped from corporate plant network and found an unpatched server Patch had been available for 6 months Lessons learned Secure remote (trusted) access channels Defense-in-depth strategies, FWs and IDS Critical patch installation needs to drive trusted agent status Source: US Department of Homeland Security Last accessed: 08 Feb 2010 http://csrc.nist.gov/groups/sma/ispab/documents/minutes/2008-12/icssecurity_ispab-dec2008_spmcgurk.pdf 49

Insider Threat 2 L.A. traffic engineers admit hacking Hours before a 2006 job action by their union, the pair send computer commands that disconnected four signal control boxes at critical intersections Gabriel Murillo and Kartik Patel worked with the city s Automated Traffic Surveillance Center Felony count of illegally accessing a city computer connected to the center Lessons learned Role based access Data/command integrity Source: US Department of Homeland Security Last accessed: 08 Feb 2010 http://csrc.nist.gov/groups/sma/ispab/documents/minutes/2008-12/icssecurity_ispab-dec2008_spmcgurk.pdf 50

Cyber Risk and the Role of Threat

New Risks Greater complexity increases exposure to potential attackers and unintentional errors Linked networks introduce common vulnerabilities Denial of Service type attacks Increased number of entry points and paths Compromise of data confidentiality or customer privacy Disruption of IT equipment by Electro Magnetic Pulse (EMP) and Geomagnetically Induced Currents 52

Threat Characterization Characterizing security threats to process control systems on the electric grid should consider Implication of impending danger (i.e., what may an attacker do?) Source of that danger (i.e., who is the attacker?) Threats Are individuals or groups with the potential to cause harm Can be characterized by their level of access, motivations, and capabilities. Threats can be Hackers or crackers, terrorists, organized crime, and nation states, or Insiders Because of the intimate knowledge of assets and ready access to these assets, insider attacks can do substantial damage. 53

Threats to the Grid Deliberate attacks Disgruntled employees Industrial espionage Unfriendly states Organized crime Inadvertent threats Equipment failures User/Administrator errors Natural phenomena Weather hurricanes, earthquakes Solar activity 54

How Does The Threat Work? Worms, viruses, trojans, backdoors, spear phishing, botnets Openly available tools Exploits within hours of public release of patches Attack functions combined into multi-tools Simpler tools are very mature Open-source control protocol tools Openly available information Open protocols Openly available components 55

Anatomy of Threat Activity Knowledge of SCADA systems Objective Technical Knowledge Organized Attacker Funding Distributed Computing Power Billing Corporate Partners HR Data OUTSIDER THREAT Indirect Threats Exploits a Vulnerability Insider/Outsider Employee Industry Business Network DMS AMI HANs EMS Insider/Outsider INSIDER THREAT Access Control Centers Consumer-side Renewable Systems RTUs SCADA/Smart Grid Operational Network Plants GIS 56

Threat Analysis

Trends Impacting Security Open Protocols Open industry standard protocols are replacing vendor-specific proprietary communication protocols Common Operating Systems Standardized computer platforms increasingly used to support control system applications Interconnected to Other Systems Connections with enterprise networks to obtain productivity improvements and information sharing Reliance on External Communications Increasing use of public telecommunication systems, the Internet, and wireless for control system communications Increased Capability of Field Equipment Smart sensors and controls with enhanced capability and functionality 58

Increased Connectivity Critical Loads Energy Consuming Equipment Non-Critical Loads Housing Electric Vehicles (Charging & Storage) Points of System Entry Distributed Energy Resources (DER) Wind Solar Storage Other Installation Utility Grid Interface Intelligent Sub Station Intelligent Transformer Vault (HTV) Distributed Generators Geothermal Power On-Site Peaker Purchase/Demand Response/ Stability Support Utilities Energy Providers Installation or Regional Networked Energy Operations Center (NEOC) Energy Demand Driving Information Every node on the System represents a Point of System Entry for an attack 59

Trends Causing Increased Risk Increasing interconnections at all levels Adoption of standardized technologies with known vulnerabilities Connectivity of control systems to other networks Insecure connections Widespread availability of technical information about control systems Increasing reliance on automation Utility Communications Dynamic Systems Control Data Management Distribution Operations Internet Consumer Portal & Building EMS Advanced Metering Plug-In Hybrids Distributed Generation & Storage Efficient Building Systems Renewables PV Control Interface Smart End-Use Devices 60

Anecdotes A common misconception is the separation of control system and business networks One facility thought they had two separate networks and pointed to their pair of Cisco routers at the external connection as proof Upon examination, the routers were configured as primary and backup for both the incoming business and control networks Another facility thought they had done a good job of separation Until the assessment team discovered that their safety systems resided on the control network (not all that good an idea in the first place) and the safety engineers programmed the safety systems from their corporate desktops 61

Report Address Cyber-to-Physical Impacts Conclusions on Data Reporting Reported numbers are by choice Understanding incident trends can be beneficial Categorizing incidents by threat aids analysis Extrapolated data can reduce overall risk Useful in business continuity planning and ROI 62

An Integrated Risk Analysis Approach is Important for Cyber Security By systematically documenting and prioritizing known and suspected control system vulnerabilities [threats] and their potential consequences, energy sector asset owners and operators will be better prepared to anticipate and respond to existing and future threats. Roadmap to Secure Control Systems in the Energy Sector, Identifying Strategic Risk (pg.a2) January 2006 Assess Risk: Determine risk by combing potential consequences of a terrorist attack... known vulnerabilities and general or specific threat information. National Infrastructure Protection Plan (NIPP), Risk Management Framework Department of Homeland Security, 2005 63

Characterization of Risk to the Grid Risk in terms of threat, vulnerability, and consequence. Threat is the ability of the entity to do harm, intentionally or unintentionally. Can be a human, a weather event, a mechanical failure, etc. Vulnerability is a weakness that can be exploited. Consequence is the resulting effect when a threat exploits a vulnerability. 64

Risk Analysis for Energy Systems Characterize Facilities Define Threats P A C Determine Consequences P E Identify Safeguards Analyze System Make Changes & Reassess Risk = P A x (1-P E ) x C Compare to System Protection and Performance Goals R Sufficient Protection? N Risk Y End Until Change 65

Generic Threat Matrix Categorizing threat : building and using a generic threat matrix. by Sandia National Laboratories, Albuquerque, NM, Duggan, David Patrick, Thomas, Sherry Reede, Veitch, Cynthia K., Woodard, Laura. Sandia Technical report SAND2007-5791. THREAT PROFILE THREAT LEVEL COMMITMENT INTENSITY STEALTH TIME 1 H H 2 H H 3 H H 4 M H 5 H M 6 M M 7 M M 8 L L Years to Decades Years to Decades Months to Years Weeks to Months Weeks to Months Weeks to Months Months to Years Days to Weeks TECHNICAL PERSONNEL RESOURCES KNOWLEDGE CYBER KINETIC ACCESS Hundreds H H H Tens of Tens M H M Tens of Tens H M M Tens H M M Tens M M M Ones M M L Tens L L L Ones L L L 66

Path Forward- Addressing Smart Grid Risk Smart Grid Enables Dynamic Optimization of Grid Resources and Operations 67

Summary Risk characterization and mitigation requires an understanding of threat Threat can be defined by motivations, commitment, and resources Threat analysis can assist in preparedness and risk reduction Catalogued incident data can be useful, but.the threat is constantly changing! 68

Cyber Security Working Group (CSWG) 69

President s Cyberspace Policy Review as the United States deploys new Smart Grid technology, the Federal government must ensure that security standards are developed and adopted to avoid creating unexpected opportunities for adversaries to penetrate these systems or conduct large-scale attacks. 70

Current Smart Grid Environment Legacy SCADA systems Limited cyber security controls currently in place Specified for specific domains Bulk power distribution Metering Vulnerabilities might allow an attacker to Penetrate a network Gain access to control software Alter load conditions to destabilize the grid in unpredictable ways Even unintentional errors could result in destabilization of the grid 71

Smart Grid an Opportunity Modernization provides an opportunity to improve security of the Grid Integration of new IT and networking technologies Brings new risks as well as an array of security standards, processes, and tools Architecture is key Security must be designed in it cannot be added on later 72

CSWG To address the cross-cutting issue of cyber security NIST established the Cyber Security Coordination Task Group (CSCTG) in March 2009 Moved under the NIST SGIP as a standing working group and was renamed the Cyber Security Working Group (SGIP CSWG) The CSWG now has more than 460 participants Private sector (including vendors and service providers) Academia Regulatory organizations National research laboratories Federal agencies 73

The CSWG Management Team Marianne Swanson NIST Chair Bill Hunteman DOE, Vice Chair Alan Greenberg Boeing, Vice Chair Dave Dalva Cisco Systems, Vice Chair Mark Enstrom Neustar, Secretary Tanya Brewer NIST Victoria Yan Booz Allen Hamilton Sandy Bacik - EnerNex 74

CSWG Liaisons The members of the CSWG participate in the other permanent committees and organizations within the SGIP as follows Liaison to the SGIP Test and Certification Committee (SGTCC) Dave Dalva, Cisco Systems and Mark Enstrom, Neustar Liaison to the SGIP Architecture Committee (SGAC) Sandy Bacik, EnerNex Liaison to the SGIP Program Management Office (PMO) Alan Greenberg, Boeing Liaison to the SGTCC glossary working group Mark Enstrom, Neustar 75

Goals CSWG Goals Develop an overall cyber security strategy for the Smart Grid that includes a risk mitigation strategy to ensure interoperability of solutions across different domains/components of the infrastructure The cyber security strategy needs to address Prevention Detection Response Recovery Strategy includes the development of a risk mitigation strategy Implementation of a cyber security strategy requires Definition and implementation of an overall cyber security risk assessment process for the Smart Grid 76

CSWG Objectives The following objectives address the CSWG s primary goal. These objectives may change as more Smart Grid implementations occur and Smart Grid technologies further develop. 1. Identifying Smart Grid specific problems and issues that currently do not have solutions. 2. Creating a logical reference model of the Smart Grid. 3. Identifying inherent privacy risk areas and feasible ways in which those risks might be mitigated. 4. Developing a conformity assessment program for security requirements in coordination with activities of the SGIP s Smart Grid Testing and Certification Committee (SGTCC). 77

Weekly telecon CSWG Meeting Info Teleconference Day & Time: Mondays, 11am Eastern Time Call-in number:866-745-6097 Participant passcode: 7413006 78

CWSG Subgroups and Leads AMI Security Darren Highfill, Ed Beroset Privacy Group Rebecca Herold Architecture Group Sandy Bacik R & D Group Isaac Ghansah, Daniel Thanos Bottom Up Group Andrew Wright, Daniel Thanos Standards Group Virginia Lee, Frances Cleveland Crypto and Key Management Group Daniel Thanos, Doug Biggs, Tony Metke Testing & Certification Nelson Hastings, Sandy Bacik, Robert Former High Level Requirements Group Dave Dalva, Victoria Yan Vulnerabilities Group Matt Carpenter, Matt Thomson 79

Face to Face Meetings Roadmap - Activities Provide an opportunity for the CSWG members to interact and meet Have technical working sessions on specific areas of the NISTIR 7628 and other documents Review submitted comments and revise the NISTIR 7628 and other documents Plan future activities for the CSWG Coordinate tasks that fall under multiple sub-groups Coordination with other Federal Agencies Goal of inter-agency coordination Promote communication among participants of the various Smart Grid cyber security programs/projects across the federal government Objective is to keep all individuals informed 80

CSWG Proposed Timeline 81

CSWG Proposed Deliverables 82

NISTIR 7628 Guidelines for Smart Grid Cyber Security 83

Guidelines for Smart Grid Cyber Security NIST Interagency Report 7628 v1.0 posted August 2010 Development of the document lead by NIST Represents significant coordination among Federal agencies Private sector Regulators Academics Document includes material that will be used in selecting and modifying security requirements 84

NISTIR 7628 What it IS and IS NOT What it IS A tool for organizations that are researching, designing, developing, and implementing Smart Grid technologies May be used as a guideline to evaluate the overall cyber risks to a Smart Grid system during the design phase and during system implementation and maintenance Guidance for organizations Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid. What it IS NOT It does not prescribe particular solutions It is not mandatory 85

Smart Grid Cyber Security Strategy - Tasks 1. Use Case Analysis Top down analysis (inter component/ domain) Bottom up analysis (vulnerability classes) 2. Risk Assessment Identify assets Vulnerabilities Threats Impacts 3. High Level Security Requirements Privacy Assessment 4a. Security Architecture 4b. Smart Grid Standards Assessment Existing Standards (CIP, IEEE, IEC, etc.) 5. Conformity Assessment 86

NISTIR 7628 Content The NISTIR includes the following Executive Summary Overview and document organization Chapter 1 - Cyber Security Strategy Chapter 2 Logical Architecture and Interfaces of the Smart Grid Chapter 3 High-Level Security Requirements Chapter 4 Cryptography and Key Management 87

NISTIR 7628 Content (2) Chapter 5 Privacy and the Smart Grid Chapter 6 Vulnerability Classes Chapter 7 Bottom-Up Security Analysis of the Smart Grid Chapter 8 Research and Development Themes for Cyber Security in the Smart Grid Chapter 9 Overview of the Standards Review Chapter 10 Key Power System Use Cases for Security Requirements Appendices A - J 88

The Way Forward Activities Outreach and education Universities Private sector organizations Standards bodies Other organizations Coordination with the other organizations within the SGIP SGIP Governing Board (GB) SG Architecture Committee (SGAC) SG Test and Certification Committee (SGTCC) Priority Action Plan (PAP) working groups SGIP Program Management Office (PMO) Participation in the development of a cyber security conformity assessment strategy 89

The Way Forward (2) Future activities Further development of R&D themes Cryptographic and key management issues Participation in the development of a cyber security conformity assessment strategy New subgroups formed: AMI Security and Testing & Certification The overall cyber security strategy for the Smart Grid must address both domain-specific and common risks Understand the threats Identify the missions of the system and impacts Categorize the data and processes to be protected 90

How to Participate in CSWG NIST Smart Grid portal http://nist.gov/smartgrid Cyber Security Working Group Lead: Marianne Swanson (marianne.swanson@nist.gov) NIST Support: Tanya Brewer (tanya.brewer@nist.gov) Cyber Security Twiki site http://collaborate.nist.gov/twikisggrid/bin/view/smartgrid/cybersecurityctg 91

NISTIR 7628, Guidelines to Smart Grid Cyber Security Security Architecture and High Level Security Requirements

CSWG Architecture Subgroup Lead: Sandy Bacik (sandy.bacik@enernex.com) Twiki: http://collaborate.nist.gov/twikisggrid/bin/view/smartgrid/csctgarchi

Security Architecture Top down analysis (inter component/ domain) Bottom up analysis (vulnerability classes) 1. Use Case Analysis 2. Risk Assessment Identify assets Vulnerabilities Threats Impacts Privacy Assessment The security architecture describes where, at a high level, the Smart Grid will provide security. 4a. Security Architecture 3. High Level Security Requirements 4b. Smart Grid Standards Assessment Existing Standards (CIP, IEEE, IEC, etc.) This is a high level logical architecture and does not imply any specific implementation 5. Conformity Assessment 94

Architecture Subgroup Scope/Mission Create a logical reference model Addresses high level technical security requirements based on the logical interface categories Outside of the scope of this sub-group Specifying specific products or protocols Specifying solutions 95

Architecture Chapter Content Architecture subgroup developed a logical reference model of the Smart Grid Logical diagram that identifies the numerous actors and interfaces Includes all 7 domains of the NIST conceptual model Service providers, customer, transmission, distribution, bulk generation, markets, and operations Logical reference model based on 6 Smart Grid application areas 96

Architecture Chapter Content (2) Architecture subgroup developed Diagrams that detail the 22 logical interface categories Key attributes were defined for each logical interface category Logical interfaces with similar security-related characteristics allocated to a single logical interface category Diagrams depicting interactions in each of the 6 Smart Grid application areas Advanced metering infrastructure (AMI) Distribution grid management (DGM) Electric storage (ES) Electric transportation (ET) Demand response (DR) Wide area situational awareness (WASA) 97

Actors within Smart Grid Domains 98

Logical Reference Model 99

Using the Logical Interface Category Diagrams Each diagram consists of 5 elements Logical interface category diagram with relevant actors and logical interfaces Category definition and examples Confidentiality, integrity, and availability (CI&A) levels Applicable unique technical security requirements Actor color key 100

Using the Logical Interface Category Diagrams (2) 101

Using the Logical Interface Category Diagrams (3) Logical interface category name, definition, and examples 102

Using the Logical Interface Category Diagrams (4) Actor color key Actors are needed to transmit, store, edit, and process the information needed within the Smart Grid Shows the specific domain (service providers, customer, transmission, distribution, bulk generation, markets, and operations) 103

Using the Logical Interface Category Diagrams (5) Confidentiality, integrity, and availability (CI&A) impact levels The unauthorized disclosure of information could be expected to have at Low: limited adverse effect on organizational operations, organizational assets, or individuals. Moderate: serious adverse effect on organizational operations, organizational assets, or individuals. High: severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. 104

Using the Logical Interface Category Diagrams (6) Unique technical requirements allocated to the logical interface category 105

Using the Logical Interface Category Diagrams (7) Logical Interface Category Diagram Logical interfaces between actors 106

Example

Logical Interface Category 13 Interface between systems that use the AMI network, for example Between meter data management systems (MDMS) and meters Between load management systems/demand response management systems (LMS/DRMS) and Customer energy management systems (EMS) Issues include the following Most customer information must be treated as confidential Integrity of data is important Availability impact is generally low across AMI networks 108

Logical Interface Category 13 (2) 109

Logical Interface Category 18 Interface between metering equipment, for example Between field crew tools and meters Between submeter to meter Between customer EMS and meters Issues include the following Integrity of revenue grading metering data Availability of metering data Key management of millions of meters Multiple (authorized) stakeholders (customers, utilities, third parties) 110

Logical Interface Category 18 (2) 111

Logical Interface Category 22 Interface between security/network/system management console and all other networks and systems, for example: Between a security console and network routers, firewalls, computer systems, and network nodes Key characteristics include the following: Functions performed are not considered real-time activities Some communications may be performed interactively Principle driver for urgency is the need for critical operational/security updates 112

Logical Interface Category 22 (2) 113

CSWG High Level Security Requirements Subgroup Leads: Dave Dalva (ddalva@cisco.com) Victoria Yan (yan_victoria@bah.com) Twiki: http://collaborate.nist.gov/twikisggrid/bin/view/smartgrid/csctghighlevelrequirements

High Level Security Requirements Scope 1. Use Case Analysis Top down analysis (inter component/ domain) 2. Risk Assessment Identify assets Vulnerabilities Threats Impacts Bottom up analysis (vulnerability classes) 3. High Level Security Requirements 4b. Smart Grid 4a. Security Standards Architecture Assessment 5. Conformity Assessment Privacy Assessment Existing Standards (CIP, IEEE, IEC, etc.) The high level security requirements address the goals of the Smart Grid To be used as guidance/starting point for organizations Risk analysis must be performed to determine applicability Additional criteria must be used in determining cyber security requirements Existence of legacy components/devices Organizational structures 115

High Level Requirements Chapter Contents Confidentiality, integrity, and availability (CI&A) impact levels for logical interface categories Selection of security requirements Security requirements example selecting requirements Allocation of security requirements to logical interface categories Recommended security requirements 116

Cyber Security Requirements Each security requirement includes Security requirement identifier and name Category Governance, risk, and compliance, common technical, and unique technical Requirement Supplemental guidance Requirement enhancements Additional consideration Additional statement of security capability that may be used Not intended as security requirements Impact levels 117

Cyber Security Requirements Example Example to illustrate how to select security requirements using the material in the NISTIR 7628 Smart Grid control system ABC includes logical interface 6: interface between control systems in different organizations. Requires: high data accuracy, high availability, and establishment of a chain of trust 118

Cyber Security Requirements Example (2) 119

Cyber Security Requirements Example (3) The organization will need to Review all security requirements for applicability Review all of the GRC and common technical requirements to determine if Modification or augmentation for the ABC control system is needed Review the unique technical requirements that are applicable to the logical interface category to determine if Modification or augmentation is needed 120

Cyber Security Requirements Example (4) Allocation of Smart Grid Security Requirements 121

Cyber Security Requirements Example (5) GRC Requirements SG.AC-1, Access Control Policy and Procedures is applicable to all systems Does not need to be revised because it is applicable at the organization level SG.CM-6, Configuration Settings is also applicable to all systems The organization determines if there are unique settings for the ABC control system 122

Cyber Security Requirements Example (6) Common technical requirements SG.SI-2, Flaw Remediation Organization determines that procedures are already specified applicable to the ABC control system, without modification SG.AC-7, Least Privilege Organization determines that a unique set of access rights and privileges are necessary for ABC control system because the system interconnects with a system in a different organization Unique technical requirement SG.SI-7, Software and Information Integrity Allocated to logical interface category 6 Organization determines if this requirement is important for the ABC control system and is included 123