Smart grid cyber security certification



Similar documents
Smart grid security certification in Europe Challenges and recommendations

ENISA workshop on Security Certification of ICT products in Europe

EFFECTS+ Clustering of Trust and Security Research Projects, Identifying Results, Impact and Future Research Roadmap Topics

Cyber Security in EU: ENISA approach

DATA, THE GATE TO A SMART ENERGY SYSTEM - views from the electricity industry

Volker Jacumeit, DIN e. V. ILNAS Workshop CSCG Presentation June 4, 2015

Cyber Security in EU: ENISA approach

Radio Spectrum and Technical Standards Advisory Committee

Preparing yourself for ISO/IEC

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL

COMMITTEE ON STANDARDS AND TECHNICAL REGULATIONS (98/34 COMMITTEE)

D01.1 Project Management Plan

Transaction Security. Training Academy

6. The partners share the intention to work together via regular meetings/working groups to solve open issues.

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

Appropriate security measures for smart grids

Dr. Vangelis OUZOUNIS Senior Expert Security Policies ENISA.

ISO/IEC/IEEE The New International Software Testing Standards

Implementation progress of the EASEE-gas Common Business Practices (CBP's)

Cyber Security Health Test

Contact address: Global Food Safety Initiative Foundation c/o The Consumer Goods Forum 22/24 rue du Gouverneur Général Eboué Issy-les-Moulineaux

Implementation of eidas through Member States Supervisory Bodies

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

JTEMS - a technical community for the evaluation of payment terminals. Sandro Amendola, SRC Ingo Hahlen, BSI 11 th ICCC, Turkey

BSI - Federal Office for Information Security. Evaluation and Certification of IT Security Technology in Germany

of2o July of Transmission System Operators for Electricity

Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids

What is ATEX? The European Regulatory Framework for Manufacture, Installation and Use of Equipment in Explosive Atmospheres

WHAT MAKES YOUR OCCUPATIONAL HEALTH AND SAFETY SYSTEMS STANDARD BEST-IN-CLASS?

COMMISSION STAFF WORKING DOCUMENT. Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe'

NSW Data & Information Custodianship Policy. June 2013 v1.0

Identity Management Initiatives in identity management and emerging standards Presented to Fondazione Ugo Bordoni Rome, Italy

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL. Space, Security and GMES Security Research and Development

Digital Signatures and Interoperability

NSW Government Standard Approach to Information Architecture. December 2013 v.1.0

20-21 May 2015, Lisbon, Portugal. Highlights. Speakers:

FIRST ANNOUNCEMENT AND CALL FOR ABSTRACTS. 7th International Conference on Energy Efficiency in Domestic Appliances and Lighting (EEDAL 13)

SEPA DATA MODEL. Reason for Issue Approved by the EPC Plenary on 13 December 2006

Enhancing Cyber Security in Europe Dr. Cédric LÉVY-BENCHETON NIS Expert Cyber Security Summit 2015 Milan 16 April 2015

Focal points for expanded practical cooperation among standards organizations. The Business Requirement

Standardizing contactless communication between ticketing equipment and fare media Transport Ticketing 2014

Council of the European Union Brussels, 4 July 2014 (OR. en) Mr Uwe CORSEPIUS, Secretary-General of the Council of the European Union

Quality Label and Certification Processes Education Material on ehealth Interoperability. Karima Bourquard Director of Interoperability IHE-Europe

A New Framework for the EU EMC Directive

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium , Miami Beach FL / USA

Rolling out eidas Regulation (EU) 910/2014. Boosting trust & security in the Digital Single Market

IEEE Standards Association (IEEE-SA)

Flexible Plug & Play Smart grid cyber security design and framework. Tim Manandhar

LEGAL FRAMEWORK FOR E-SIGNATURE IN LITHUANIA AND ENVISAGED CHANGES OF THE NEW EU REGULATION

Smart Grid Information Security

International standards and guidance that address Medical Device Software

Call for Expression of Interest Consultant

ISO 9000 FOR SOFIYifrARE QUALITY SYSTEMS

Standards and accreditation. Tools for delivering better regulation

ISO/IEC 27001:2013 Your implementation guide

INTRODUCTION TO ISO 9001 REVISION - COMMITTEE DRAFT

Navigating ISO 14001:2015

Network Certification Body

ETIP Wind Steering Committee meeting Monday 7th March :00 16:45 EWEA office, Rue d Arlon 80 6th floor Bruxelles AGENDA

Biometrics for Public Sector Applications

NSF Workshop: High Priority Research Areas on Integrated Sensor, Control and Platform Modeling for Smart Manufacturing

FACOGAZ Association of European Gas Meter Manufacturers

ISO Revisions Whitepaper

NIS Direktive und Europäische sicherheitsrelevante Projekte Udo Helmbrecht Executive Director, ENISA

EPC SEPA CARDS STANDARDISATION (SCS) VOLUME

Medical Device Training Program 2015

ICS-SCADA testing and patching: Recommendations for Europe

CEN and CENELEC response to the EC Consultation on Standards in the Digital Single Market: setting priorities and ensuring delivery January 2016

Establishing and Operating a Quality Management System Experiences of the EUROSAI Training Committee Seminar in Budapest

The Role of Information Technology Studies in Software Product Quality Improvement

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015

EU CUSTOMS BUSINESS PROCESS MODELLING POLICY

Terms of Reference of the SEPA Cards Certification Management Body (SCCMB)

A7-0365/133

The European Commission s strategy on Corporate Social Responsibility (CSR) : achievements, shortcomings and future challenges

EU Priorities in Cybersecurity. Steve Purser Head of Core Operations Department June 2013

TÜV UK Ltd Guidance & Self Evaluation Checklist

Best Solutions for Biometrics and eid

Project Execution Guidelines for SESAR 2020 Exploratory Research

An ERGEG Public Consultation Paper on Draft Guidelines of Good Practice on Regulatory Aspects of Smart Metering for Electricity and Gas

COMMISSION OF THE EUROPEAN COMMUNITIES

Los Angeles Regional Collaborative For Climate Action & Sustainability CHARTER PREAMBLE

How To Discuss Cybersecurity In European Parliament

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:

How To Understand And Understand The European Priorities In Information Security

PROCUREMENT & LOGISTICS DEPARTMENT

CEN-CENELEC reply to the European Commission's Public Consultation on demand-side policies to spur European industrial innovations in a global market

BCS, The Chartered Institute for IT Consultation Response to:

Certification as a model of recognising and improving personnel s competences in OSH

Communication between contactless readers and fare media

How To Write An Article On The European Cyberspace Policy And Security Strategy

Future of Electricity Storage

ISO 9001: 2008 Boosting quality to differentiate yourself from the competition. xxxx November 2008

esignature building block Introduction to the Connecting Europe Facility DIGIT Directorate-General for Informatics

The Scottish Wide Area Network Programme

JTEMS A Community for the Evaluation and Certification of Payment Terminals

Medical Device Software Standards for Safety and Regulatory Compliance

Working Group 5 Identity Management and Privacy Technologies within ISO/IEC JTC 1/SC 27 IT Security Techniques

Transcription:

Smart grid cyber security certification 1 Introduction On 30th September 2014 ENISA organised a workshop where the results of the report on Smart grid security certification (to be published by end of 2014 at ENISA web site) were presented. The aim of this workshop was to share and discuss the most relevant conclusions of the report, including the proposed recommendations, with the experts that participated in the study. For this reason, an open dialog among the attendees was also planned. This dialog allowed ENISA to pulse the impression of the audience on the recommendations, to discuss on several hot topics related to smart grid security certification, and to gather the different opinions on what could be the next steps in the field. All those experts who participated in the study were invited to the workshop, and around 50 finally attended the event. The report has been circulated amongst the participants of the workshop a few days in advance for their information. They were representatives of all the stakeholders types considered for the study: manufacturers, DSOs, TSOs, and security services providers, smart grid services providers, academia/research, public bodies, and standardisation bodies. 2 Agenda Date, Location Venue Contact Person 30th September 2014, Heidelberg, GERMANY Print Media Academy, Kurfürsten-Anlage 52-60, 69115 Heidelberg, Germany www.print-media-academy.com Konstantinos Moulinos resilience@enisa.europa.eu 13:15-13:30 13:30 14:15 14:15-14:30 14:30-14:45 14:45-15:30 Session: Smart Grid Component Certification Keynote Speaker The German IT security certification scheme-bernd Kowalski, BSI -Short introduction of the report: - Focus on: - the comparison criteria - the challenges of Smart Grid Component Certification identified in the Report - Overview of the Challenges - Coffee Break Keynote Speaker Results of a recent survey on smart meter certification, Willem Strabbing, ESMIG Discussion & comments on the Recommendations presented in the ENISA report Page 1

15:30 15:45 15:45 16:00 Collection of Feedback and Identification of Next Steps Plenary Discussion, Next Steps, Closing Remarks 3 Observations 3.1 Keynote Speaker: The German IT security certification scheme Mr. Bernd Kowalski of BSI was the keynote speaker and provided insight regarding the German IT security certification scheme. He explained that in Germany there is a growing importance regarding IT-Security Certification. The main aspects regarding the importance were; Economy & Society depend on availability and integrity of IT-Systems Lack of Privacy and Trustworthiness in mainstream products Public and national security affected Governments under pressure to set guidelines for appropriate The German certification system is based on certification of products according to common criteria and technical guidelines conformity. Additionally, there is ISO27001 certification to certify certain ITsecurity processes. All labs involved in security evaluation need recognition such as ISO/IEC 17025. The BSI offers the following certification services; Product Certificates on the basis of Common Criteria/PP Smartcard hardware & software Digital Tachograph components Operating systems, firewalls, signature applications Biometric verification systems eid and electronic passport Smart Meter Gateway Product Certificates acc. to Technical Guidelines Conformity and compatibility of IT security components Certificates for IT-infrastructures are according to ISO 27001 on the basis of IT-Grundschutz, and the BSI-CC-Scheme has been approved under the European Accreditation System. The presentation also provided some comments regarding the report for smart grid security certification. It was noted that privacy was not explicitly mentioned, while it is an important market driver for the smart meter in Germany. Another message taken out of this was; The report should put emphasis on proposals on how to start European harmonisation of interoperability and then conclude to second step on security and risk assessment harmonisation which feedback that can be taken into account regarding the focus of the report. 3.1.1 Q&A Question: Is the German approach a good approach for all of Europe; Answer: It is currently specific for the German market, and would need to be adapted to be successfully integrated in other Member States. Page 2

3.2 Short introduction of the smart grid cyber security certification report Konstantinos Moulinos and Robin Massink held a joined presentation regarding the investigation into cyber security certification of smart grid. The report provided an outline on how to approach a pan European method of harmonising cyber security in the Member States. 3.2.1 The approach The objectives of the investigation into cyber security certification of smart grid were as follows: Perform a desktop research regarding cyber security certification Qualitative analysis of cyber security certification schemes Identify the gaps between different certification schemes Produce technical advice, recommendations and good practices for certification in smart grid security. Provide recommendations on how to develop new or improve existing approaches to a pan European harmonised smart grid security certification. Discussion of approach with stakeholders Draft report for comments Addressing of comments with stakeholders Workshop for discussion of main topics Final report In the desk research, a separation was made between certification schemes and other information. In the list of information consider were articles and investigations, security and/or smart grid standards and schemes and smart grid related security services. With further analysis to select schemes for qualitative analysis, in the end 8 out of 19 cyber security certification schemes were selected that related to the smart grid. After the desk research a preliminary draft document was made based on the findings of the desk research and the identification of the desired situation, gaps, challenges and proposed recommendations. The draft report has been disseminated to the stakeholders for discussion. The list of stakeholders included: SISEC members Selected members of the ENISA contact list o Certification authorities: ANSSI, BSI, CESG, FMV, o Associations: EURELECTRIC, ESMIG, T&D Europe o Standardization initiatives: M/490 SG CG/SGISWG, DKE VDE DIN o Private sector: Alstom, ULL, EDF R&D In total the stakeholders came back with 123 comments, and the possibility for comments will be open until the 10 th of October 2014. In summary; 88 comments could be processed or revised in the document 18 comments needed further discussion 17 comments were rejected (mainly due to conflicts with other comments made) The updated made to the documents based on the contents of the comments is summarised as follows; Page 3

Processed comments Updated minor details and facts Removed unnecessary statements Removed statements that distract from the main topics Included latest findings Discussed comments More complex issues Unclear issues Rejected comments Opinions Misinterpretations It should be noted that all comments have been consolidated in a document depicting the classification and methods of addressing. The current workshop is the next step in the validation of the report, and after the collection of all comments during the workshop and any additional comments provided and stakeholder discussions, a final version of the report will be made public. 3.2.2 The report contents The presentation regarding the report contents was also a joined effort between Konstantinos Moulinos and Robin Massink. It provided insight in the topics the report addresses in sequence to build up to the recommendations and the proposed roadmap. Main topics in the report Introduction Why to certify? What to certify: Smart grid lifecycle What is available: SG-AM/SG-IS usage How it is applied in the EU The desired situation: Harmonization Gaps and challenges Recommendations Roadmap Before going into detail regarding the topics, it should be noted what the report aims to be, and what it does not aim to be; It is not A proposal for a new certification scheme A recommendation for the use of any particular standard However it is A proposal for creation of a steering working group/ task force A proposal for a certification framework (chain of trust) Page 4

A proposal for using an existing reference model (SGAM) A mapping between different certification standards and the SGAM layers A recommendation to reuse existing mechanisms Roadmap to implement the framework Then a short overview of the contents of the report including the approach to smart grid security certification together with gaps and challenges towards a harmonised certification in Europe were delivered. After this the recommendations and roadmap was provided. But there was first a change for question and discussion about the research done and conclusions made. 3.2.3 Questions There was a short question if we propose a European level of cyber security for all member states, and the answer was that we propose a European definition of security levels, but the level of security to adopt is depending on the national situation Jean Piere Menella, Alstom, mentioned that the reference of the SGIS toolbox should be aligned with the framework instead. This is recognised and will be reflected in the latest version of the report. 3.2.4 Other remarks One expert referenced to the IECEE/ CB scheme by IEC and he said that it is very similar with what we propose. It should be investigated further. There was a general comment outside of the presentation regarding the proposed approach, and how the responsibility of the member states would fit in. The delegated responsibility is something that could be met with resistance, as they would like the European Union to provide the initial approach. 3.3 Keynote Speaker: Results of a recent survey on smart meter certification Mr. Willem Strabbing was the keynote speaker regarding the research ESMIG had done on smart meter certification. As an introduction, the main objectives of ESMIG are; EC Standardization mandate M/441 on Smart Metering To improve customer awareness of actual consumption in order to allow timely adaptation to their demands By means of: European standards allowing interoperability of utility meters (for electricity, gas, water and heat) Fully integrated solutions, modular and multi-part solutions Architecture must be scalable and adaptable to future communications media Secure data exchange The research was mainly about recommendations regarding smart meter certification. It has been based around a qualitative analysis of Common Criteria(CC), Commercial Product Assurance(CPA) and Certification de Sécurité de Premier Niveau(CSPN). Common Criteria: International standard (ISO/IEC 15408) for security certification. Certification requirements for products and organizations (development & manufacturing environments) are defined in Protection Profiles. Agreements for Mutual Recognition of certificates and Protection Profiles by many countries at international level. Page 5

Commercial Product Assurance: National scheme for security certification defined in the UK and maintained by CESG. Certification requirements for products are defined in Security Characteristics and for organizations (development & manufacturing environments) are defined in Build Standards. Certification de Sécurité de Premier Niveau: National scheme for security certification defined in France and maintained by ANSSI. Certification requirements The main conclusions from this research can be seen in the following table; Finally, ESMIG provided the following future steps they intend to take in 2014 and beyond: Finish report part III in October o Results from ENISA workshops o Recommendations for approaches regarding Smart Metering Follow standards developments (security aspects) Take output from Task Force Smart Grids and apply for Smart Metering Work with ENISA on certification approach? 3.4 Discussion & comments on the Recommendations presented in the ENISA report The presentation of the report continued with the presentation of the recommendations that were made in the report by Konstantinos Moulinos and Robin Massink; After the recommendations, the roadmap was presented. There a small discussion regarding the recommendations made, but the audience seemed not opposed to the general proposed methodology and recommendations. It should be noted that in the final report, the recommendations should be consolidated, as they are now too many, which caused a limited time to discuss all of them. 3.4.1 Questions There was a comment about privacy, and the importance of it for the smart meter, but it was unclear how it directly was related to the report. Privacy will be mentioned in the next version of the report and there it will be explained why it is considered to be out of the scope of this. Page 6

4 Conclusions Some conclusions could be drawn regarding the presented report and the discussions during the workshop. Below are the most important ones; The topic is deep and technical, making it difficult for a large group to have a deep discussion without understanding all the variables. There have been no comments regarding the proposed approach to have an EU body for guiding the process of smart grid certification. There have been no comments regarding the chain of trust concept. There is some opposition regarding the inclusion of other methodologies, it was proposed to instead align with them as opposed to directly include. We have to consolidate the recommendations; they are too many some of them might be merged. The issue of privacy, it needs to be addressed in the report, and its position regarding the topic of smart grid certification. The ENISA report should be updated regarding the following aspects; We should emphasize that the report proposes not a specific scheme, but an approach to harmonise smart grid security certification in Europe The Comments of BSI should be addressed as much as possible Privacy should be mentioned in the document The recommendations should be consolidated as there are too many The SG-IS toolbox should be updated to be aligned the framework instead We should investigate the IECEE/ CB scheme by IEC 5 Future steps Participants were notified that the deadline for receiving their written comments has been extended to 10 th of October. After that, comments form both the workshop and the online cosultation, will be compiled in a list and then the final report will be drafted. The approved, by ENISA internal quality review process, report is expected to be published at the ENISA web site by the end of 2014. Page 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information