Last week I moderated two panel sessions at the European Smart Grid Cyber Security Forum in London, including “Collaborating on International Standards and Framework.” Once again I was provided with an immensely talented panel:
- Curt Barker, Chief Cyber Security Advisor, NIST
- Ian Collard, Security Practice Manager, Siemens
- Robert Craigie, Chair of the ZigBee Security Working Group
- Saadat Malik, Smart Grid Solutions and Architecture Practice Lead, Cisco
- Dr. Vangelis Ouzounis, Senior Expert IT Security Policies, ENISA
- Johan Rambi, Privacy and Security Officer, Alliander
- Ken Van Meter, Principal, Energy and Cyber Solutions, Lockheed Martin
The session began with each panelist giving a brief description of what they are working on and what standards mattered to them. There was a general consensus that while certain cyber security standards are necessary, they do not by themselves define a security program. Security itself cannot simply be a set of standards because security must reflect business objectives and each business is unique.
Security standards must also be flexible and modular because we do not know what future awaits the standards. NIST felt that a massive catalog of security standards such as the NISTIR 7628 series has shown to be useful but must be treated as a catalog only. They are starting point for a security program.
Security requires the collaboration of all stakeholders but most stakeholders currently have no incentives to collaborate. At an extreme, one panelist expressed the opinion that if there are no security standards for Smart Grid then maybe we should not be deploying Smart Grids yet.
Security performance should be tracked with meaningful and practical metrics that are measurable – not quantitative. Simply tracking regulatory compliance, while often required legally, can also give a false sense of assurance of the security of a Smart Grid. Other industries have experienced this. For example, merchants having charge card data stolen despite being fully PCI DSS compliant.
Several panelists including Cisco and ZigBee stressed the importance of standards-based solutions as a way to ensure interoperability, especially critical in large-scale deployments where competing products may sit side-by-side. Well known standards tend to be more secure because they have been inspected, and possibly attacked, much more often than proprietary standards have been.
Sharing threat and vulnerability information among suppliers and customers can greatly improve the security of Smart Grid technologies. This is especially true for real-time systems such as ICS, where there is often less shared security knowledge of the environments. _blank>Lockheed Martin participates in threat sharing with the Edison Electric Institute, the American Public Power Association (APPA), and the (U.S.) National Rural Electrical Co-operative Association (NRECA). Nearly all utilities believe that they can do a better job of creating their security programs than the government could do, but they look to governments for synchronization and co-ordination.
In Europe it may be a mistake for each nation to develop its own cyber security standards. A number of utilities do business in several European countries so uncoordinated requirements could have a negative impact. Several European representatives in this and other sessions expressed that they look to NIST standards as guidance for their own activities.
Finally, sharing threat information can better ensure that diverse solutions can interact effectively and securely. One analyst likened the alternative to a Smart Grid Tower of Babel. However, threat and vulnerability information need not be shared with the general public, only with those who need the information as part of their daily work. One example cited was the U.S. Information Sharing and Analysis Centers (ISACs), in which competitors share their vulnerabilities and security observations with each other to better protect their entire industry – but through a restricted distribution.
The next blog in this series will deal with approaches to testing Smart Grid systems to validate their security.
Tags: Smart Grid Communications, Smart Grid Infrastructure, Smart Grid Practice, Smart Grid Security
| 2 Comments »