2013

q
q
q
q


NIST 7628
IETF RFC6272
NIST SP800-53
IEC 62351
q
q

CNSRL
 End-to-End Communication
q The Key to Smart Grid Architecture

CNSRL Originated from IEEE 2030-2011



CNSRL sonomainnovation.com

q
(Confidentiality)
(Integrity)
/
(Authenticity/Non-repudiation)
(Availability)
q

CNSRL
 (2)
q



q

CNSRL


q
q

q (DHS)(DOE)

q
q Do not rely on proprietary protocols to protect your system

21 Steps to Improve Cyber Security of SCADA Network, U.S. Department of Energy

CNSRL


CNSRL


q Threat of Denial-of-Service
Dispatcher accessing power
substation control
Customer accessing his bank
account

CNSRL

q Limited Resources
Narrowband communication

Not enough computation power
q Geographical location
Wide-spread, remote sites
Difficult to conduct /implement security measures

Key managements, certificate revocation

CNSRL SGIP Summer Meeting 2011


q How often does a given customer eat microwave
dinners as opposed to cooking three-pot meals?
q How many hours of TV does a resident watch?
What kind of TV is it?
q When does a resident normally shower ?

CNSRL


q



q


q

CNSRL


CNSRL

q ANSI - American National Standards Institute
q CIGRE International Council on Large Energy Systems
q FERC Federal Energy Regulatory Commission
q IEEE Institute of Electrical and Electronics Engineers
q IEC International Electro-technical Commission
q IETF - Internet Engineering Task Force
q ISA International Society of Automation
q ISO - International Organization for Standardization
q NERC - North American Electric Reliability Corporation
q NIST National Institute of Standards and Technology
q PSRCPower Systems Reliability Committee

CNSRL

National Institute of Standards and Technology
(NIST)
q
q
q 2009/4
16


Phase 1 Roadmap and Smart Grid Release 1
Phase 2 Public-Private Partnership for Longer-Evolution
Phase 3 Testing and Certification Framework
(April, May, August)

CNSRL

q 20122NIST Smart
Grid Interoperability Standard Release 2.0

CNSRL
 Critical Infrastructure
q Cyber Security
Coordination Task Group (CSCTG)

(NIST)

CNSRL
 IEC
q 175
q TC57

(Supervisor Control And Data
Acquisition, SCADA)


57
q TC
WG 3 IEC 60870-5
WG 10 IED IEC 61850
WG 13 - IEC 61970
WG 14 - IEC 61968
WG 15 IEC 62351
WG 16 IEC 62325
WG 17 IEC 61850-7-420
WG 18 IEC 61850-7-410
WG 19 TC 57 CIM SCL
WG 20 PLC IEC 60495, IEC 60663

CNSRL
 Cyber Security Documents
q DHS Catalog
q NIST SP 800-53
q NERC CIPs (1-9)

CNSRL


n
n

CNSRL

q Access Control
q Awareness and Training
q Audit and Accountability
q Security Assessment and Authorization
q Configuration Management
q Contingency Planning
q Identification and Authentication
q Incident Response
q Maintenance
q Media Protection
q Physical and Environmental Protection
q Planning
q Personnel Security
q Risk Assessment
q System and Service Acquisition
q System and Communication Protection
q System and Information Integrity
CNSRL q Program Management
 NISTIR 7628
q NIST












CNSRL
 NIST SP 800-53

CNSRL
 NIST SP 800-53
q
q

(Federal Information Security Management Act, FISMA)

(Risk Management Framework)


(Categorize)(Select)
(Implement)(Assess)
(Authorize)(Monitor)

CNSRL
 RFC 6272
q
(Internet Protocol Suite, IPS)


RFC 627225


(Request for Comments, RFC)

CNSRL
 IEC 61850
q A popular standard for communication in Energy/
Substation automation
q The successor of
IEC60870-4-104
DNP3
q Addressing
Standardized data format/model
Interoperability of devices from different
manufacturers

CNSRL
 IEC 62351
q



q IEC 62351
IEC 61850DNP3.0IEC 60870-5IEC 60870-6

CNSRL
 IEC 62351 Scope
q Developed for different profiles of the three
communication protocols:
IEC 60870-6 (ICCP, TASE.2)
IEC 60870-5 and its derivatives
IEC 61850

CNSRL
 IEC 62351 Scope
q Developed for different profiles of the three communication
protocols:
IEC 60870-6 (ICCP, TASE.2)
IEC 60870-5 and its derivatives

IEC 61850

CNSRL
 IEC 62351 Scope
q Developed for different profiles of the three communication
protocols:
IEC 60870-6 (ICCP, TASE.2)
IEC 60870-5 and its derivatives
IEC 61850

CNSRL
 Mapping of IEC TC 57
Communication Standards to
IEC 62351 Parts 7-11

CNSRL


CNSRL
 q IEC 62351
addresses the substation
automation systems
q ISA 99, IEEE P1686
directly address industrial
automation systems.
CNSRL
q NERC-CIP
generally for energy operators
q ISO 27000, NIST 800-53
mainly targeted to IT
environments
q NIST SP800-82, NIST
SP800-53
explicitly for industrial control
systems

q NIST 7628

q ISO-27001
1.

(Risk Assessment)
2.

(Risk Analysis)







3. (Ex:CIPIEEE
IEC , etc)

q NERC CIP
4a. 4b.


5.

CNSRL


CNSRL

q



q








CNSRL
 TLS
q


q




q

q

CNSRL

(Public Key Infrastructure, PKI)
q

CNSRL
 (2)
q
q PKI

q

CNSRL
 PKI

q
Certificate Trust List PKI Trust Model
q
Hierarchical PKI Trust Model
q
Mesh PKI Trust Model
q
Bridged CA PKI Trust Model

Radia Perlman, An Overview of PKI Trust Models, IEEE Network 1999

CNSRL
 (3)
q NISTIR 7628



q

CNSRL
 PKI
q (Safety)
q (High Availability)
q (Real-Time Operation)
q (Legacy Support)
q (Scalability)
q (Upgradeability)
q (Policy Enforcement)
q (Flexibility)
q (Interoperability)
q (Existing Structure Integration)
q (Virtual Borders)
q (Naming Convention)
q (External Equipment)
CNSRL
 Conclusions
q Many Existing Proposals & Solutions
q Many Challenges
q How can we make sure its safe & secure?
q Security Expert Proves Hacking the Smart Grid Is a Snap
by Ariel SchwartzWed Sep 2, 2009
http://www.fastcompany.com

rdist.root.org/category/hardware/

CNSRL


CNSRL