tag:blogger.com,1999:blog-1975210780854152434.post5298548526147972318..comments2024-03-12T03:35:20.328-04:00Comments on The Smart Grid Security Blog: So Far, it Seems WAMPAC Systems are Insecure by (Lack of) DesignAndy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-1975210780854152434.post-77360067006257854682012-12-06T11:29:43.956-05:002012-12-06T11:29:43.956-05:00I fully agree with Ralph. Security was on the requ...I fully agree with Ralph. Security was on the requirement list for IEC 61850-90-5 from the beginning. This is a crucial precondition for robust security. IEC 61850-90-5 contains protocol security, a security model in depth as well as key management. Maik G. Seewaldnoreply@blogger.comtag:blogger.com,1999:blog-1975210780854152434.post-3661733497579531082012-12-06T11:14:09.748-05:002012-12-06T11:14:09.748-05:00Why is it that executive summaries only mention pr...Why is it that executive summaries only mention problems and ignore any improvements that are being made? While the NESCOR-EPRI paper has some useful information about WAMPAC, the executive summary on which this blog entry is based, is not an accurate reflection of what is happening in the industry related to cyber security standards for WAMPAC. Users would be well advised to ignore much of the seemingly authoritative assertions made by the authors as it pertains to some of these standards.<br /><br />For instance, the authors are completely hung-up on SGIP as some kind of absolute authority on the efficacy of standards. Review and approval of standards by SGIP is good. Declaring that there is some kind of serious industry problem if SGIP hasn't approved something yet is way over the top. For instance, this is from the paper:<br /><br />"IEC 61850-90-5 was approved by SGIP for inclusion in CoS. The standard makes a reference to standards that have NOT been considered and approved by SGIP. This “alert” is important for the users since the conclusions may be valid only when all normative (i.e. mandatory) references are also approved."<br /><br />There are other places where SGIP standards review declarations are provided as prima facie evidence of misleading assertions. Having participated in one of these reviews I believe that such reliance is not warranted. In several cases misunderstandings about the purpose, application and structure of the standards drives some of the conclusions made. <br /><br />Although I might argue numerous other points in that report, the point of my objection here is that users should NOT ignore the most up to date and security oriented standard that has been developed for WAMPAC applications simply because SGIP has not approved it yet or because the result is not invulnerable to every possible (e.g. attacks on the configuratin files of PMUs which are being addresses in other standards). <br /><br />The reports should have described how IEC TR 61850-90-5 represents a sea change in the way that protocols for power systems are being developed. The IEC technical committee responsible for the IEC TR 61850-90-5 standard (IEC TC 57 WG 10) specified a standard that has practical and useful communications security built-in right from the start. This was done because the wide area (WA) aspects of the WAMPAC use cases demanded it. NERC has even taken the unprecedented step of publicly lauding the IEC TR 61850-90-5 standard (even without SGIP approval: <a href="http://www.nerc.com/fileUploads/File/News/A_IEC%2018MAY12.pdf" rel="nofollow">NERC Release</a>). My company, SISCO, and Cisco Systems have jointly donated an open-source implementation of the IEC TR 61850-90-5 standards to help promote adaption of this important secure protocol.<br /><br />I would exercise caution with the conclusions made by this executive summary.Ralph Mackiewiczhttps://www.blogger.com/profile/13293155618526041199noreply@blogger.com