Using Architecture to Guide Cybersecurity Improvements for the Smart Grid



Similar documents
Consulting International

National Institute of Standards and Technology Smart Grid Cybersecurity

Chair Mays, Co-Vice Chair Fox, Co-Vice Chair Whitfield and Members of the Committee:

Introduction to the Cyber Security Working Group

Cyber Security and Privacy - Program 183

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

Cyber Security for DER Systems

Securing the Grid. Marianne Swanson, NIST Also Moderator Akhlesh Kaushiva (AK), DOE Lisa Kaiser, DHS Leonard Chamberlin, FERC Brian Harrell, NERC

Cyber Security Working Group

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Privacy Management Standards: What They Are and Why They Are Needed Now

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

Risk Management in Practice A Guide for the Electric Sector

Hawaii s Phased Plan for Alignment and Implementa7on of NGA s A Call to Ac-on for Cybersecurity

Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA Utilities Telecom Council 1

Information Bulletin

C2M2 and the NIST Cyber Framework: Applying DOE's NIST Cyber Security Framework Guidance

SCADA Security Training

Threat Intelligence: STIX and Stones Will Break Your Foes

Third Party Assurance

future data and infrastructure

Cyber Security Working Group

Cybersecurity Risk Assessment in Smart Grids

Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements

Critical Controls for Cyber Security.

POSTAL REGULATORY COMMISSION

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Communication Security Measures for SCADA Systems

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

NERC CIP VERSION 5 COMPLIANCE

N-Dimension Solutions Cyber Security for Utilities

NERC CIP Tools and Techniques

What is the LTO Program?

Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security

Robert Malmgren. Smart Grid. Security Challenges - Legacy and Infrastructure Burdens

Big Data, Big Risk, Big Rewards. Hussein Syed

Smart Grid Security: A Look to the Future

Cybersecurity The role of Internal Audit

MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAPIII) TERMS OF REFERENCE

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

IoT & SCADA Cyber Security Services

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

Data Breach Response Planning: Laying the Right Foundation

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities

NISTIR 7628 User's Guide

Framework for Improving Critical Infrastructure Cybersecurity

Cyber Security & Data Privacy. January 22, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013

Personal Security Practices of the CAO

Law Firm Cyber Security & Compliance Risks

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

Concept for a cryptographic infrastructure for measurement components in smart grids

Business Continuity for Cyber Threat

Security Event Monitoring (SEM) Working Group

Working Group on. First Working Group Meeting

Guide to Developing a Cyber Security and Risk Mitigation Plan

Secure360. Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services

NISTIR 7359 Information Security Guide For Government Executives

Bridging the Security Governance Divide in Utilities

Applying IBM Security solutions to the NIST Cybersecurity Framework

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Optimizing the Value of SOA Through API Management! Perry Krol! Sr. Solutions Consultant, EMEA! Event Processing and API Management!

Cybersecurity: What CFO s Need to Know

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

PRIVACY IMPACT ASSESSMENT

The Changing Threat Surface in. Embedded Computing. Riley Repko. Vice President, Global Cyber Security Strategy

Identifying Architectural Modularity in the Smart Grid An Application of the Design Structure Matrix Methodology

Lessons from Defending Cyberspace

Defending Against Data Beaches: Internal Controls for Cybersecurity

NEIAF June 18, IS Auditing 101

SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios

Appropriate security measures for smart grids

RETHINKING CYBER SECURITY Changing the Business Conversation

The Bureau of the Fiscal Service. Privacy Impact Assessment

Tutorial on Service Level Management in e- Infrastructures State of the Art and Future Challenges. The FedSMProject Thomas Schaaf & Owen Appleton

National Initiative for Cyber Security Education

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

IEEE-Northwest Energy Systems Symposium (NWESS)

Looking at the SANS 20 Critical Security Controls

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

NASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES

Smithsonian Enterprises

How To Audit The Mint'S Information Technology

Cyber Security Seminar KTH

2011 Cyber Security and the Advanced Persistent Threat A Holistic View

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

GAO Information Security Issues

Cybersecurity. Cloud. and the. 4TH Annual NICE Workshop Navigating the National Cybersecurity Education InterState Highway September 2013

HIPAA: Compliance Essentials

Privacy and Security in Healthcare

Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1

Transcription:

Using Architecture to Guide Cybersecurity Improvements for the Smart Grid Elizabeth Sisley, Ph.D. 1

Agenda Context US Smart Grid 7 Domains Logical Reference Model Cybersecurity requirements ConfidenCality, Integrity, Availability (CIA) Logical Interface Categories Risk- ranked User s Guide Process Architecture s role 2

Hypothesis: Architecture- based cybersecurity improvement process can help in other industries, too. 3

Sources Smart Grid Cybersecurity CommiVee (formerly Cyber Security Working Group) NISTIR 7628 Guidelines for Smart Grid Cyber Security, August 2010 (3 volumes) csrc.nist.gov/publica:ons/nis:r/ir7628/nis:r- 7628_vol1.pdf Logical Reference Model SGCC Architecture sub- team NISTIR 7628 User s Guide (30+ pages) SGCC User s Guide sub- team Dra$: collaborate.nist.gov/twiki- sggrid/bin/view/smartgrid/ NISTIR7628UsersGuide 4

US Smart Grid A complex system- of- systems Real- Cme control systems in power grid Some mechanical automacon, some computerized Transforming into an advanced, digital infrastructure Adding two- way capabilices for communicacng informacon, controlling equipment, and distribucng energy This transformacon adds Cybersecurity requirements 5

6

Logical Reference Model Source: NISTIR 7628 7

Cybersecurity Requirements Availability (most important) Hard and so` real Cme Wide- area situaconal awareness monitoring, etc. Integrity Demand Response (DR) data used to drive energy generacon Stuxnet masked unauthorized operacons from being detected by the operators ConfidenCality Privacy of customer informacon Electric market informacon General corporate informacon Payroll, internal strategic planning, etc. 8

Security Requirements 19 Categories are documented Each category has a number of specific requirements IDs SG.AC- 1, 21 SG.AT- 1, 7 SG.AU- 1, 16 Category Access Control Awareness and Training Audit and Accountability SG.IR- 1, 11 Incident Response 9

Example of Actors, Interfaces, CIA, and HL Security Requirements: LIC1 Interface between control systems and equipment with high availability, and with compute and/or bandwidth constraints Source: NISTIR 7628 Figure 2-4 Logical Interface Category 1 10

Logical Interface Categories NISTIR 7628 has 22 categories For example: Interface between control systems and equipment has 4 categories: Computa=on and/or Bandwidth High availability Low availability Constrained LIC 1 LIC 2 Unconstrained LIC 3 LIC 4 Analyze interfaces to understand variacons, categorize them 11

User s Guide Process 1. IdenCfy Smart Grid OrganizaConal Business FuncCons 2. IdenCfy Smart Grid Mission and Business processes for the PrioriCzed OrganizaConal Business FuncCons 3. IdenCfy Systems and Assets that support the Mission and Business Processes 4. Map Systems to Logical Interface Categories 5. IdenCfy High- Level Security Requirements 6. Perform a Smart Grid High- Level Security Requirement Gap Analysis 7. Create a Plan to Remediate the Gaps and Implement the Necessary High- Level Security Requirements 8. Monitor and maintain High- Level Security Requirements 12

Map Systems to Logical Interface Categories Actor refers to the Logical Reference Model systems, which needs to be validated for a specific organizacon Are we missing something, do we do something differently? Why? Logical Interfaces also need to be validated Categories are then specified 13

High- Level Security Requirements HL Security Requirements are mapped to LICs VariaCon exists, so organizacons scll need to review and verify applicability Requirements are evaluated as High, Medium, Low 14

IdenCfy HL Security Requirements For each prioriczed system/asset: Verify your organizacon s CIA levels from the NISTIR 7628 Document the security requirements 15

Gap Analysis Verify that each system/asset s HLRs are addressed Each RaCng is either S=Sa:sfied or O=Other Each Gap needs to be addressed by a MiCgaCon, such as Audit Log or Penetra:on Test 16

ApplicaCons in Other Industries The 7628 User s Guide documents an easy- to- understand process in 30+ pages Your business processes will differ Your systems and assets will differ Your Interface Categories will differ The process scll works 17

Thanks and Contacts Contacts: Many thanks to the User s Guide sub- team! SGIP 2.0 website: sgip.org Marianne Swanson, NIST SGIP Smart Grid Cybersecurity CommiWee (SGCC) Chair Mark Ellison, DTE Energy SGCC NISTIR 7628 User s Guide sub- team lead Elizabeth Sisley SGCC Architecture sub- team lead sisley@cs.umn.edu 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information