Showing posts with label NIST 7628. Show all posts
Wednesday, March 28, 2012
Tweeting from GridSec conference this week
Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010.
I'll shoot to summarize key messages in a post when it's over, but will also blurt out the occasional tweet on the fly using the #GridSec hashtag on Twitter.
Tuesday, March 1, 2011
Smart Grid Security East - Underway on Day One with a NISTIR 7628 Progress Report
My, but how this conference has grown since its predecessor in San Jose last year. Hundreds of folks in the hall this morning to hear Erich Gunther's welcome message, and now we've got these folks on stage talking 7628:
- Bill Hunteman, DOE
- Annabelle Lee, EPRI
- Daniel Thanos, GE
- Sandy Bacik, Enernex
- Mike Coop, ThinkSmartGrid (moderator)
Annabelle mentioned she likes Daniel's phrase - thinking about securing the grid from "toasters to turbines." I'm paraphrasing here, but Daniel, hesitant to put all our security eggs in the NISTIR 7628 (or any other regulatory) basket, got the following across:
Security is a very dynamic space. Regulation can actually degrade security. It freezes our approaches to a moment in time, while threats continue to change so quickly. Rather we should seek to help folks think better so they can adapt to threats as they evolve.

Then Bill said (my paraphrase again):

I challenge each of you coming to collaborate - let's see if we can reach an agreement, as a community, on what it means to protect the grid. Everyone back in DC still doesn't have a common definition on what this means, and that's really hampering progress.

Someone then asked how we are measuring (and therefore demonstrating) progress to leadership in Washington and elsewhere, noting that the lack of a common definition to work from is a factor. The answer wasn't completely clear, and my bet is the measurement question will be asked again before this conference is through.
To be continued ...
Monday, October 4, 2010
New SGSB Webcast is Live
SGSB Webcast 5: Smart Grid Software Security
View more webinars from Andy Bochman.
While it's fun to think of all the great new gadgets and devices that are enabled by the Smart Grid (and that the Smart Grid enables), none of them could even begin to work without the "invisible glue" out of which the entire enterprise is being constructed: software.
As we rush to deploy Smart Meters by the millions, consumer portals, HANs and iPad applications that can communicate with them, meter data management systems (MDMS) to handle the tons of data that's generated, electric vehicles (EVs) to push local electric infrastructures to the limit, and synchrophasors across the continent to give us a better view of "the greatest engineering achievement of the 20th century", it's important to not forget about software just because we often can't see it.
Misconfiguration of software assets and (usually unintentional) vulnerabilities in code are the primary pathways hackers use to breach systems, alter their behavior and reach sensitive data. This presentation is more of a "why to" than a "how to" manual. There are plenty of the latter and I'd be happy to point you to some. But the reasons for taking on this challenge are compelling, and IMHO, need to get out.
Enough already, here you go. It's about 17 minutes long, and you'll like it better if you make it bigger (click on "Full" icon in the lower righthand corner).
Thursday, September 9, 2010
SANS Sounds Off on NIST and NISTIR 7628 1.0
Because it's a little hard to find unless you were already a subscriber to the online newsletter, here's a short piece from SANS NewsBites, Sep 07, 2010 edition re: the announcement that NISTIR 7628 1.0 is final.
For those not in the know, this SANS is not "without" in French. Wikipedia's description does the job:
The SANS Institute, founded in 1989, provides computer security training, professional certification through GIAC (Global Information Assurance Certification), and a research archive - the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners. The trade name SANS (deriving from SysAdmin, Audit, Networking, and Security) belongs to the for-profit Escal Institute of Advanced Technologies.

The National Institute of Standards and Technology (NIST) has published "Guidelines for Smart Grid Cyber Security," a three-volume, 537-page report aimed at "facilitating organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery." The publication includes "high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats."
Now you get three points of view from NewsBites contributing editors Tom Liston of InGuardians, John Pescatore of Gartner, and SANS' own Allan Paller. Note that Pescatore and, in particular, Paller slam NIST pretty hard for getting the guidance out bass ackwards (burying the most helpful parts at the end of the report):
Liston: Unfortunately, "smart grid" is just the latest in a series of technologies that have been deployed with security as an afterthought. While I applaud any effort to better secure our infrastructure, it's a bit late to talk about "security strategies" at this stage of the game. The key question is whether some of the quite-sound recommendations can be retrofit into the existing deployment models.
Pescatore: There is still an opportunity for better security to be built-in to the smart grid build out, vs. try to pretend a compliance regime like NERC/CIP will force it in later. Section 7 of the third volume has a good attack surface analysis that should be a starting point.
Paller: John Pescatore's comment illustrates one reason that this NIST document and others like 800-53 are exacerbating the nation's cyber risk instead of helping to mitigate the risk. NIST buried the critical information (the attack surface) in the 7th chapter of the third volume (after lengthy, but non-specific descriptions of 197 separate controls in more than 350 pages).
Paller (cont): A central tenet of effective security is that offense informs defense. In other words, do the most important things first! That means guidance must start with, and be organized around, the attack surface; and guidance must be prioritized according to risk from each attack vector. Which of the 197 recommendations matters most? Which must be implemented first? How will we know that they were implemented effectively? If NIST doesn't know the answers to those basic questions, what are they doing writing guidance? For failing to prioritize the guidance, and for burying readers in information of little immediate consequence, NIST earns a grade of "D" on its new report.

Here's a LINK to the third volume if you want to check out chapter 7. It begins on page 29.
I definitely support the editors' point that once again, we're seeking to add security after most of the horses have left the barn. Goes against the popular security mantras of the day: "Secure by Design, "Build Security In," etc. Though not sure how this could have played out otherwise.
I'd be interested in hearing a candid NIST response to this criticism. They worked fast and furious for a long time bringing 7628 together and there's a lot of goodness in it. I saw some of that process first-hand as an early (albeit very infrequent) contributor. In terms of how they structured it in the end and what they chose to emphasize, there was definitely a method to their madness.
Thursday, September 2, 2010
This Just In: The NISTIR 7628 Cake is Baked !!!
The final NISTIR 7628, "Guidelines for Smart Grid Cyber Security," is now available for download from the NIST Computer Security Division website. You can grab the three layers, er, volumes:
Photo credit: Kimberly Vardeman at Flickr.com
HERE (Volume 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements)
HERE (Volume 2, Privacy and the Smart Grid)
and HERE (Volume 3, Supportive Analyses and References)

But be forewarned: you'd better take small bites ... it's a big one! By now, after so many rounds of incremental edits, we pretty much know what's in it. But give us a little time to digest this final version and we'll have some observational slices to share soon.
Wednesday, August 25, 2010
A Simple Roadmap to NISTIR 7628
Don't thank me for this. Instead, thank Dale Peterson, founder of control systems cyber security consulting firm Digital Bond. He breaks the nearly-finished 7628 into bite-sized chunks and tells you how to eat it for maximum nutrition and comprehension. Read his post here and see more about Dale and Digital Bond here.
Monday, February 22, 2010
An Informed Public and an Informed Grid
"Secrecy is the enemy of efficiency, but don't let anyone know it."
Privacy advocates, forward-thinking utility CIO's and all manner of security folk are getting increasingly charged up over the influx of consumer information required to improve the efficiency and flexibility of the grid. Because there has been so much public scrutiny in cases of accidental or malicious revelation of private data in other industries, it's understandable that people are wary about adding yet another place where their privacy can be invaded.
In the case of banking, retail, and health care, the integration of private information was intended to provide personalized access to information, to trinkets, and to better medical care. This included very sensitive personal details about our bodies and behaviors. And the loss of it is always jarring, particularly when we are required to suffer the consequences of credit monitoring, ID theft, or the knowledge that our illnesses or treatments might become known to complete strangers. It has not been a pleasant road. All of these public exposures have left us feeling that our privacy is no longer truly our own, and we have yet to feel that an industry has taken adequate precautions to protect us.
Unfortunately, the Smart Grid requires even more information to make any sense at all. Without usage and identification information, the new grid cannot interact with us meaningfully. It cannot help us to understand and change our consumption behaviors, and it cannot treat us uniquely in our use or production of power. What's more disconcerting is that this consumption information is as intimately woven with every part of our lives as is our use of power, whether we are talking about our cars, our televisions, our homes, or our laundry. So what can be done differently, this time? Here are a few ideas for you.

Focus on Action, not just Awareness
The Smart Grid is already happening all around us. Historically, emphasis on security has been on creating an informed public, capable of making informed decisions about whether or not to share their records (HIPAA), to visit a website, or to use a bank's online systems. Because the Smart Grid's evolution is driven by information, and because that evolution is underway as we speak, informing the public is necessary, but it is not nearly enough. A good example of disclosure with little recourse can be found in privacy statements everywhere. Here is an example from an actual energy company website. I have redacted the name of the company in question:
Remote Monitoring Information Collected Automatically

The monitoring service itself includes an automated, Internet-based process of receiving transmissions from the XXXXXXX XXXX monitoring equipment about your solar equipment, its output, efficiency, and other variables. This information is recorded and preserved by XXXXXXX XXXX on our company computer storage facilities, and may be accessed by you, if you subscribe to our remote monitoring service, and by us whether or not you subscribe to that Service. The XXXXXXXXXXX Management Unit ("XMU"), once connected to the Internet, immediately begins reporting this information to XXXXXXX XXXX and will continue to do so as long as the XMU is connected to the Internet. By having your XXXXXXX XXXX XMU connected to the Internet, you consent to this automatic information reporting. We retain this information indefinitely, and we may use it for any purpose, in our sole discretion, including but not limited to quality assurance, engineering performance comparisons, and product improvements. If you purchase our remote monitoring service, you may also choose to provide others with access to this information, including the installation company which installed and/or which services your solar energy equipment.

This is not a bad privacy policy, nor is it inappropriate. It tells a story that will be repeated over and over again in the new world of the Smart Grid. Unlike traditional website privacy statements, however, the absolute requirement for customer acquiescence to these conditions removes any real ownership of the decision from the client, and places an enormous responsibility on the providers themselves. By requiring this information, they are committing to do what they must to protect it.
Be Reasonable
While both sides of the privacy debate position very strong arguments either for or against the sharing of data, there is clearly a middle ground to be reached. There is a good description of the potential damages resulting from over-exposure of private data by Rebecca Herold, at privacyguidance.com. While each of us can consume and understand these issues as raised, they will be most productively considered as scenarios to prevent, rather than as reasons to avoid the sharing itself. As well, each needs to be tempered with the likelihood and potential impact of occurrence in preparing a plan to prevent it.
Similarly, the Smart Grid does not need to know everything, all the time, and does not need to share everything with everyone involved. While consumers may accept the need to share more, in order to achieve the benefits described, there are many shades of grey when it comes to how much of that information needs to be stored, tagged, transmitted, or aggregated. Nowhere is this more clear than in the NISTIR 7628 discussion of information sharing. Take a look at this diagram (click to enlarge):

As shown in this figure, there are all kinds of systems, with all kinds of data, and all kinds of likely connections. We need a new data-sharing paradigm, analogous to "least privilege": call it "least sharing".
- No data element should be shared, at all, unless necessary to a specific function
- No data element should be tagged with identifying information, unless necessary to a particular function
- No data element should be stored without a compelling reason; otherwise it should be destroyed
- If a data element is stored, the security of that storage should be appropriate to the data's characteristics, and not to some perception of likelihood of attack or compromise
Thinking Smaller to Make Protection Bigger

Because the Smart Grid and its requirements for information are changing so quickly, it would be foolish to think that data privacy can be completely figured out in the next 12 to 24 months. Individual states have varying regulations around ownership of customer data. The final set of information to be gathered or shared has not yet been described, and all of the systems that will be permitted to touch it are far from being designed or even adequately described. As such, draw no conclusions about which data elements can be automatically combined and sent or stored together. The easiest mistake to make in these early days will be to insufficiently separate the data elements. By better understanding and describing the security characteristics of individual components, it becomes much easier to tailor and measure the security needed to protect each element according to its particular needs.
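As an added illustration (not code from this post or from NISTIR 7628), here is a small Python policy filter that applies the four "least sharing" rules above, plus the per-element protection point from "Thinking Smaller", to a single meter record. The element catalogue, purpose table, pseudonym key and sample record are all constructed for the example.

```python
import hashlib
import hmac

# Constructed catalogue of meter-record elements, each described on its own:
# 'identifying' ties a reading to a person or premise, 'sensitive' reveals
# behaviour, 'retain_days' is the longest it may be kept (0 = never persisted).
ELEMENTS = {
    "account_id":    {"identifying": True,  "sensitive": False, "retain_days": 2555},
    "premise_addr":  {"identifying": True,  "sensitive": False, "retain_days": 2555},
    "interval_kwh":  {"identifying": False, "sensitive": True,  "retain_days": 400},
    "appliance_sig": {"identifying": False, "sensitive": True,  "retain_days": 0},
    "feeder_id":     {"identifying": False, "sensitive": False, "retain_days": 2555},
}

# Constructed purpose table: the elements each function actually needs and
# whether it needs real identity (billing does; feeder-level forecasting does not).
PURPOSES = {
    "billing":     {"needs": {"account_id", "interval_kwh"}, "needs_identity": True},
    "forecasting": {"needs": {"account_id", "interval_kwh", "feeder_id"}, "needs_identity": False},
    "marketing":   {"needs": {"premise_addr", "appliance_sig"}, "needs_identity": True},
}

PSEUDONYM_KEY = b"constructed-demo-key"  # a real deployment uses a managed, rotated secret

def pseudonymize(value: str, purpose: str) -> str:
    """Keyed hash salted with the purpose, so two functions cannot join on the token."""
    msg = f"{purpose}:{value}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:16]

def release(record: dict, purpose: str) -> dict:
    """Apply the four 'least sharing' rules to one record for one consuming function."""
    spec = PURPOSES[purpose]
    out = {}
    for name, value in record.items():
        meta = ELEMENTS.get(name)
        if meta is None or name not in spec["needs"]:
            continue  # rule 1: nothing leaves unless this function needs it
        if meta["retain_days"] == 0:
            continue  # rule 3: an element that may never be stored is not forwarded
        if meta["identifying"] and not spec["needs_identity"]:
            value = pseudonymize(value, purpose)  # rule 2: no identity unless needed
        out[name] = value
    return out

def storage_tier(field_names) -> str:
    """Rule 4: protection follows what the stored elements are; combining an
    identifying element with a behavioural one raises the requirement."""
    identifying = any(ELEMENTS[n]["identifying"] for n in field_names)
    sensitive = any(ELEMENTS[n]["sensitive"] for n in field_names)
    if identifying and sensitive:
        return "encrypted+access-logged"
    if identifying or sensitive:
        return "encrypted"
    return "standard"

# Constructed sample record from one meter read.
SAMPLE_RECORD = {
    "account_id": "A-1001",
    "premise_addr": "12 Elm St",
    "interval_kwh": [0.4, 0.6, 1.1],
    "appliance_sig": "dryer@19:15",
    "feeder_id": "F7",
}
```

Calling `release(SAMPLE_RECORD, "forecasting")` yields a pseudonymous account token with the interval data and feeder id, while `"marketing"` gets the address but never the appliance signature, which the catalogue says may not be persisted at all.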
Is it so different?
These privacy challenges are not so different from those that could have been envisioned in other industries, but which were overlooked. On this blog, we often write about taking the opportunity to learn from past IT security mistakes in order to improve the future IT world of the Smart Grid, and there are definitely lessons to learn here, about planning, design, and resolution of security concerns early in the cycle.
In the past, when customer profiles or patient records have been treated monolithically, the breach of any accessing system has been enough to expose all. It is not simple to segregate the data, and to assess security policy for all elements. If it is done upfront with consistency, the benefits will definitely outweigh the costs, particularly as these systems and their exposure necessarily become at once more pervasive and more critical in our lives.