
Tuesday, December 17, 2013

Whitsitt on What's Up with the NIST CSF

Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.

Penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.

Wednesday, August 7, 2013

First Look at Cyber Security Incentive Ideas, Companion to NIST's Framework Work

I'll oversimplify this to keep it short, but the President kicked all of this off earlier this year in the wake of failed cyber security legislation efforts in 2010 (GRID Act) and 2012 (Cybersecurity Act of 2012).

The two primary vectors on this project have included:

  1. Having NIST lead the charge to develop a new cyber security framework (i.e., pattern, roadmap, guidance) made up of references to existing guidance that seems to work well. On Twitter this effort is tagged #NISTCSF
  2. A parallel initiative to develop incentives that might improve the business case for being more proactive on cyber security.
The incentive categories were just made public, and so far include:
  • Cybersecurity Insurance
  • Grants
  • Process Preference
  • Liability Limitation
  • Streamline Regulations
  • Public Recognition
  • Rate Recovery
  • Cybersecurity Research
Liability and insurance are going to be the thorniest. And rate recovery help, if workable, sounds promising.

You can read The Hill's coverage and the original White House text via the URLs below, as well as check out the current status and next activities related to the framework.

----

URLs

The Hill

http://thehill.com/blogs/hillicon-valley/technology/315795-white-house-publishes-preliminary-list-of-cybersecurity-incentives

White House

http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework

NIST CSF

http://www.nist.gov/itl/cyberframework.cfm

Tuesday, July 9, 2013

NIST Critical Infrastructure Cyber Security Framework (#NISTCSF) Effort Steaming Ahead


Five hundred souls or so are expected in sunny San Diego this week for the 3rd round of meetings intended to produce new cyber security guidelines for operators of US critical infrastructure.

This article gives you the most recent update on status including cares and concerns related to privacy, business case, and getting senior management buy-in to even consider following this framework in the first place:

http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-meeting-poses-major-test-for-obama-cybersecurity-push/menu-id-1075.html

It references this DHS doc from earlier this year that attempts to pave the way for CEOs to become more engaged in their organization's cyber security efforts, called Cyber Security Questions for CEOs:

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Lastly, if you want to see more of the process without actually getting your feet wet (or getting on a west-bound plane), here are a few resources for you:

The emerging framework itself: http://www.nist.gov/itl/cyberframework.cfm

Details on the San Diego workshop: http://www.nist.gov/itl/csd/3rd-cybersecurity-framework-workshop-july-10-12-2013-san-diego-ca.cfm

Live webcasts of the proceedings can be viewed via these URLs:
Day 1 (Wednesday) Webcast: http://www.youtube.com/watch?v=3hJww5_BDSQ
Day 2 Webcast: http://www.youtube.com/watch?v=SLVW0vFw0gI
Day 3 Webcast: http://www.youtube.com/watch?v=-9hORcAcXNA

I'm flying out today, along with a few of my IBM colleagues. Looking forward to seeing some of you there.

Photo credit: The San Diego Union-Tribune



Monday, April 22, 2013

All the NIST Critical Infrastructure Security RFI Responses You Can Eat


Re: the many and various submissions from companies and individuals to NIST, someone who knows more than a few things about grid security recently tweeted twice thusly:
Reading - and in many cases laughing at - #NISTCSF responses
and ...
The responses? Mostly neutrally irrelevant, some nonsensical. I've marked only 14% so far for "real" read later
I just want you to set your expectations bar sufficiently low before you click HERE and read all of the responses.

By the way there were a few good and very good responses too.

If, after reading, you not only feel like you have something to suggest that hasn't yet been suggested, but you also want to physically transport and immerse yourself in this grand sausage making activity, then ...

For more information on the 2nd workshop coming up in late May in Pittsburgh, and a link where you can register, click on THIS.

Photo credit: @Doug88888 on Flickr.com

Wednesday, April 3, 2013

SGSB notes from NIST's Critical Infrastructure Cybersecurity Framework Workshop


Long title, eh? Cranking this out just before heading back to Beantown from DC/Reagan airport, so please be more tolerant than usual of typos, lack of narrative, lack of clarity, weak grammar, lack of a point, etc. ...

ICS-ISAC Chair Chris Blask, pictured above (long hair on right), waited very patiently at a microphone that seemed like it was for audience use, and ultimately got his turn, in which he asked a long question phrased like a long statement.

Thursday, March 21, 2013

Boxing the Fundamental Assumptions of Cybersecurity Risk Management


Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development process, an effort begotten by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.

You could certainly put me at least half in that camp. Well, after reading THIS sharp Brookings paper from Ralph Langner and Perry Pederson, that half of me is feeling a little wobbly.

Wednesday, March 6, 2013

NIST Critical Infrastructure Cybersecurity Framework RFI and Workshop Details

We're about a month away from the first NIST workshop to help create the new framework described in the recent Executive Order, as well as from the 5 pm, USA ET, April 8 deadline to submit responses to the RFI.

To refresh, here's what they/we are trying to do:
The goals of the Framework development process will be: (i) To identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) to specify high-priority gaps for which new or revised standards are needed; and (iii) to collaboratively develop action plans by which these gaps can be addressed. It is contemplated that the development process will have requisite stages to allow for continuing engagement with the owners and operators of critical infrastructure, and other industry, academic, and government stakeholders.
If you are so moved and have something to say (and NIST and I hope you do), here's how to submit your ideas and recommendations:

Old School
For those who prefer to communicate longhand by dipping your peacock feather quill into the inkwell on your vintage desk, "Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899."

Monday, March 4, 2013

DHS' CSET: a Remedy for Electric Sector Security Measurement and Reporting Complexity Pains?

Sorry about that ridiculously long title, but I felt it couldn't be helped this time. Thanks to Dr. Les Cardwell of Central Lincoln PUD, a publicly owned utility serving communities on the coast of Oregon.

Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."

I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:

Monday, May 9, 2011

NERC and NIST Ramp Up Risk Management Collaboration

There are security-related ISO, IEC and IEEE electric grid standards galore, but these are technical standards. I know it's more complicated than this, but I submit that the easiest way to tell regular folks about grid and Smart Grid security standards is to say there are really only two that matter in 2011, and they are:
  • NERC CIPs, version 3
  • NISTIR 7628, version 1
The first covers cyber security protections of only the most critical generation and transmission assets in the bulk electric system (BES) and has little to do with protecting new Smart Grid systems, most of which deploy in the distribution network, far from the BES. The second boldly attempts to describe how to secure the whole enchilada, albeit at a high level. In short, there isn't a heck of a lot the two standards/guidance documents have in common.

We've described each ad nauseam on this blog, so let's look at something more soothing. With the next version of the above standards still over the horizon, let's consider the nascent collaborative effort between NERC and NIST, confirmed by language pulled from a draft budget document submitted by an SGSB reader:
... NERC is collaborating with DOE and the National Institute of Standards and Technology (NIST) to develop comprehensive cyber security risk management process guidelines for the entire electric grid, including the bulk power and distribution systems. This initiative is particularly important with the increasing availability of smart grid technologies. While the majority of technology associated with the smart grid is found within the distribution system, vulnerabilities realized within the distribution system could potentially impact the bulk power system.
So, it seems that some folks in high places have realized the disconnect, and seek to build a risk management bridge between the CIPs and the NISTIR. This is good news, right? Here's the draft NERC 2012 business plan and budget, if you're into this kind of thing.

Thursday, February 3, 2011

DOE, NIST, and NERC Announce a Long Overdue Collaboration on Smart Grid Security

So happy to see this come to fruition. From Tuesday's press release:
Traditional cyber security approaches for electric utilities are segmented, with different approaches for control systems and information systems. This has resulted in cyber security requirements that are overly restrictive in some cases, and not restrictive enough in others. At best, requirements are overlapping, but more often result in gaps in cyber security coverage. A common approach is needed to address the unique cyber security risks that a nation-wide smart grid will pose.
It began as a conversation late last year between two friends, one of them Dave Dalva, trying to figure out how to break through some logjams, first online and then over coffee one morning in DC.

Click HERE for the full statement, and I recommend you stay tuned on this.

Friday, January 28, 2011

NISTIR 7628 Conference Coming to the University of Maryland

When NIST held its most recent 7628 community outreach session in Boston a few weeks ago, it was snowing (big surprise!) and that made it hard for speakers and participants alike to get there. Nevertheless, for the hardy few who made it, NIST CSWG Vice Chair Alan Greenberg and company made it a thoroughly educational (and even somewhat entertaining) experience.

For those of a more mid-Atlantic persuasion, the show is coming to Baltimore on February 15. The session is open to anyone, though registration is required.

All the info you need can be found HERE.

Monday, January 10, 2011

Conference Alert: FERC Technical Conference - Taking a Measured Breath Before Resuming Smart Grid Standards March

As a standards development project, NIST and crew have moved with breathtaking speed. The time has come for the community to weigh in, and for FERC to see if "sufficient consensus" exists to begin to formalize these standards. Here are some of the details for you:

Title: Technical Conference on Smart Grid Interoperability Standards

To refresh: the five "foundational" standards and their functions are:
  • IEC 61970 and IEC 61968: Providing a Common Information Model (CIM) necessary for exchanges of data between devices and networks, primarily in the transmission (IEC 61970) and distribution (IEC 61968) domains
  • IEC 61850: Facilitating substation automation and communication as well as interoperability through a common data format
  • IEC 60870-6: Facilitating exchanges of information between control centers
  • IEC 62351: Addressing the cyber security of the communication protocols defined by the preceding IEC standards

Click HERE for the original NIST press release on "the five."

Conference Description: The purpose of the technical conference is to obtain further information to aid the Commission’s determination of whether there is “sufficient consensus” that the five families of standards posted by the National Institute of Standards and Technology and included in this proceeding are ready for Commission consideration in a rule making proceeding, as directed by section 1305(d) of the Energy Independence and Security Act of 2007.

Day/Time: Jan 31, 1-5 pm ET

Additional details, including live link: HERE. You're also free to attend in person in DC.

Thursday, September 9, 2010

SANS Sounds Off on NIST and NISTIR 7628 1.0

Because it's a little hard to find unless you were already a subscriber to the online newsletter, here's a short piece from SANS NewsBites, Sep 07, 2010 edition re: the announcement that NISTIR 7628 1.0 is final.

For those not in the know, this SANS is not "without" in French. Wikipedia's description does the job:

The SANS Institute, founded in 1989, provides computer security training, professional certification through GIAC (Global Information Assurance Certification), and a research archive - the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners. The trade name SANS (deriving from SysAdmin, Audit, Networking, and Security) belongs to the for-profit Escal Institute of Advanced Technologies.
The National Institute of Standards and Technology (NIST) has published "Guidelines for Smart Grid Cyber Security," a three-volume, 537-page report aimed at "facilitating organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery." The publication includes "high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats."

Now you get three points of view from NewsBites contributing editors Tom Liston of InGuardians, John Pescatore of Gartner, and SANS' own Alan Paller. Note that Pescatore, and, in particular, Paller, slam NIST pretty hard for getting the guidance out bass ackwards (burying the most helpful parts at the end of the report):
Liston: Unfortunately, "smart grid" is just the latest in a series of technologies that have been deployed with security as an afterthought. While I applaud any effort to better secure our infrastructure, it's a bit late to talk about "security strategies" at this stage of the game. The key question is whether some of the quite-sound recommendations can be retrofit into the existing deployment models. 
Pescatore: There is still an opportunity for better security to be built-in to the smart grid build out, vs. try to pretend a compliance regime like NERC/CIP will force it in later. Section 7 of the third volume has a good attack surface analysis that should be a starting point. 
Paller: John Pescatore's comment illustrates one reason that this NIST document and others like 800-53 are exacerbating the nation's cyber risk instead of helping to mitigate the risk. NIST buried the critical information (the attack surface) in the 7th chapter of the third volume (after lengthy, but non-specific descriptions of 197 separate controls in more than 350 pages).
Paller (cont): A central tenet of effective security is that offense informs defense. In other words, do the most important things first! That means guidance must start with, and be organized around, the attack surface; and guidance must be prioritized according to risk from each attack vector. Which of the 197 recommendations matters most? Which must be implemented first? How will we know that they were implemented effectively? If NIST doesn't know the answers to those basic questions, what are they doing writing guidance? For failing to prioritize the guidance, and for burying readers in information of little immediate consequence, NIST earns a grade of "D" on its new report.
Here's a LINK to the third volume if you want to check out chapter 7. It begins on page 29.

I definitely support the editors' point that once again, we're seeking to add security after most of the horses have left the barn. It goes against the popular security mantras of the day: "Secure by Design," "Build Security In," etc. Though I'm not sure how this could have played out otherwise.

I'd be interested in hearing a candid NIST response to this criticism. They worked fast and furious for a long time bringing 7628 together and there's a lot of goodness in it. I saw some of that process first-hand as an early (albeit very infrequent) contributor. In terms of how they structured it in the end and what they chose to emphasize, there was definitely a method to their madness.

Thursday, September 2, 2010

This Just In: The NISTIR 7628 Cake is Baked!!!

The final NISTIR 7628, “Guidelines for Smart Grid Cyber Security,” is now available for download from the NIST Computer Security Division website. You can grab the three layers (volumes):
HERE (Volume 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements)
HERE (Volume 2, Privacy and the Smart Grid)
and HERE (Volume 3, Supportive Analyses and References)
But be forewarned: you'd better take small bites ... it's a big one! By now, after so many rounds of incremental edits, we pretty much know what's in it. But give us a little time to digest this final version and we'll have some observational slices to share soon.

Photo credit: Kimberly Vardeman at Flickr.com

Monday, February 8, 2010

NERC Insights on NIST's Direction

In a piece today at Smart Planet, John Dodge wrote about the new version of Smart Grid cybersecurity guidance from NIST, and pointed back to an earlier piece I had written here, on a view of the first draft of NISTIR 7628, where I had referred to that tome as "dense, but readable". As I continue to review the most recent release, out this month, which lives here, I am still impressed by Annabelle Lee and the NIST-led team's capability to synthesize so much information into a digestible document, but I will admit that there is quite a bit here to get through. There is a sheer printed shelf weight increase in requirement detail of 34% (from 236 to 305 pages), not that I would print it out, but you get the point.

I'm not sure how others will approach the effort to understand the origin and evolution of the new version of requirements, but I thought that one way was to take a look at the comments that were submitted to NIST in response to the initial draft. I figure that the type and urgency of concerns with Draft 1 that find either resolution or rebuttal will give a rough sense for the industry's comfort with the process.

Much to see
NIST provides an open community and process for developing these recommendations, and part of that openness includes the contents and disposition of comments received. You can also take a look at them (and I recommend it) here. It was in reading through these comments, and the responses to them, that it struck me how far we have yet to go, if we are to deliver a new grid that is flexible, resilient, and informed.

Andy and I have both spent a fair amount of time discussing the disconnects that we have seen between the security experiences and expertise of the Utility sector information technologists, and those of the residents of the more conventional IT and IT-security environments. Most articles you will find in the public arena describe within utilities a perceived unpreparedness for the polymorphic and omnipresent attacks that will arrive from the great unwashed networks as the Smart Grid advances the network underpinnings and interconnectedness of our power infrastructure. Reading through these comments, however, and taking the time to digest some of their meaning, caused me an odd combination of comfort in the level of thoughtfulness and thoroughness of some of the legacy community reviewers (particularly those from NERC), and anxiety that the Grids of present and future are not at different positions along a similar path, but are each seeking progress on very different, if parallel, tracks.

There are three comments that really caught my attention, not so much because they uncovered a new area of weakness that I hadn't considered, but because of the straightforward and conclusive manner in which they were posed. The first is Comment #35, and within it is this recommendation:
In an organized and designed way, NIST and the industry need to develop a focus on response and recovery. While the first goal of a cyber security strategy should be on prevention, it also requires that a response and recovery strategy be developed in the event of a cyber attack on the electric system. More planning and investment is needed to develop response and recovery actions, while continuing to develop a strategy for prevention of a cyber security incident.
Bravo! We have said for some time now that the sheer magnitude of the expansion of connectivity, access, services, companies, and personnel, will necessarily make the grid more susceptible to attack, but that sound design and deployment should nonetheless make it far more resilient. Less happily, the comment and recommendation can't get too far in this venue, given the nature of this document and draft. The response?
The NISTIR is a high level document addressing response, recovery, and prevention. Each organization will need to define the core components of their respective Smart Grid deployments.
Not so Bravo-ish. The response is mainly to a second recommendation in the comment regarding critical components, their reliance on technology, and their role in recovering service. It does not evoke support for the idea of a violable but reliable Smart Grid, engineered, like a Bop Bag, to bounce back every time someone tries to knock it down.

A second comment (#40) that attracted me was related to the context of the NIST risk assessment, and the relatively static way in which the document described the challenge of securing the Smart Grid.
NIST’s overall risk assessment is flawed because it does not capture the essential idea that Smart Grid is not a point in time. That is, one specific action cannot be taken regarding cyber security that will protect the system as a whole. Because the Smart Grid will evolve in pieces and parts, every time a new piece or part is integrated into the Smart Grid, new system vulnerabilities and variations on consequences could be introduced. Very rarely will the introduction of a new piece or part take vulnerabilities away. Therefore, when they are integrated into the Smart Grid, that piece or part must be customized to ensure that cyber security is integrated into system architectures.
This is exactly right. This is particularly true in our present state, where Smart Grid investments are already well underway, and where new initiatives are more likely to be funded piecemeal than created from whole cloth. Again, though, this comment did not find a home in the document:
Currently, reporting vulnerabilities for controls systems falls under the responsibility of DHS and DOE. We will consider this recommendation in a future draft of the NISTIR.
I guess that if one considers the mode of the system to be one of deployed infrastructure, then the reliance on external expertise to notify of vulnerabilities makes sense. My view of the comment, however, was more that there is a need to consider the characteristics of any component prior to integration, so that augmentations for security can be made if required.

The last NERC comment I wanted to point out is related to the utility of their own approaches and checklists in the new world. Many in the Smart Grid world are shuddering to think of the possibility that the NIST document, or another, will provide some simple "yes/no" set of questions that will invariably lead to a less secure infrastructure, designed to survive the certification, not necessarily the real world. The comment in question is #41, and it calls into question any primary reliance on NERC's own Critical Infrastructure Protection Standards. In NERC's own words:
While the CIP Reliability Standards are designed to shape the behavior of asset owners and operators, they are not designed to shape the behavior of equipment and system designers, manufacturers and integrators. The CIP Reliability Standards apply to installed equipment and require security controls be applied to manage risk in the operation and maintenance of cyber assets. However, the protection goals of the Smart Grid, on the other hand, are broader, and address component security, integrity of communications, privacy and other cyber security considerations.
This recommendation is accepted into the new draft, and while the NERC CIP requirements remain, they are acknowledged as only partial criteria.

Where From Here?
Clearly the NIST effort is delivering real value in terms of illuminating a portion of the concerns regarding the newest parts of the Smart Grid, particularly AMI, and the IT-security heavy areas of network transmission, authentication, reporting, etc. This is the first arena of discovery and recommendation because so much of the operational iron that is early into the mix will rely on some form of standards, or recommendation, or expected best practices, in terms of security.

The arrival of well-informed and broad-based requests from the NERC team, in the form of comments to the first draft, brings to light two important facts that I haven't seen given a lot of press:
  • The Smart Grid is not just for Newbies
    The Smart Grid will ultimately only be secured through the cooperative insight and involvement of those most familiar with the existing, putatively "not Smart" grid, who are bringing to the table a realistic view of the less shiny, less novel, aspects of keeping the lights on. From these comments, it seems they are not being dragged into the IT-heavy world of the Smart Grid, but are approaching it aggressively, albeit with understandable compartmentalization and caution.
  • There is a gap in security emphasis between those that are planning, and those that are doing
    While there has been much work done on the content of the most recent draft of NISTIR 7628, it is intended to only describe a portion of the waterfront. While that definition process continues, there are real decisions being made, and real deployments being undertaken, that are outside the scope of the current NIST effort.
In the coming months, we hope to see this disparity lessen, as the NIST recommendations begin to impact the product and process decisions that utilities make based on those reports. Hopefully then, other more broad concerns, such as those highlighted in the NERC comments, will rise in importance and urgency to the industry.


Tuesday, December 29, 2009

Security Standards Trump all others in Smart Grid Survey

So a bunch of utilities professionals were just polled by a research firm which asked them, of all the different types of Smart Grid-related standards that are being developed/decided right now, which are the most important?

Boy, this is going to make me sound like a total dork, but the results channeled through Jesse Berst's SmartGridNews.com site revealed that Security Wins! Here's a link to the outfit that did the work.

As we stated in a previous post called the Smart Grid Security Confidence Game, the large-scale Smart Grid build-out that waits just beyond the lessons learned in the SGIG pilots isn't going to happen if the utilities, the regulators and the users don't trust the security controls.

All we can say to the good folks at NIST and the multitudinous other orgs charged with arriving at comprehensive security standards for the Smart Grid is: hope you got some rest this week - we need you back on the job stat in 2010.

And FYI: based on emails and other traffic on the cyber security work group community site, they're not actually resting this week either.

Wednesday, September 30, 2009

Smart Grid: Greener but no Greenfield

It is good to see the attention that the new NIST draft directives for the Smart Grid are getting in the press. Ordinarily, this type of draft release is not interesting enough to the general public to merit any real press, and ends up being a conversational target to the few who arrive interested in the space. Any mainstream attention comes much later in the cycle, as affected parties either applaud or complain.

One impression that I would like to correct is that the Smart Grid itself, and therefore, the challenges of Smart Grid security, is something being developed from scratch.

In Federal Computer Week, Bill Jackson calls out the following:
Deployment of a Smart Grid offers a greenfield opportunity because the existing grid, parts of which are 50 years old or older, was not designed to support alternative energy sources such as wind and solar power, and the two-way flow of energy and data. But this wholesale upgrade also makes it imperative that security be built in now, because the grid lifecycle is measured in decades rather than years, as it is for much of the rest of our information infrastructure. Equipment being designed for deployment now might not be replaced for decades.
There are so many capabilities within the Smart Grid that are new, and there is so much investment going into it, that it is completely understandable to conceive of the Smart Grid as the "new" grid, as opposed to the evolution of the "old" grid. The Smart Grid as a replacement is a misperception that we have seen often in our work on evangelizing smart grid security. The Smart Grid is not a greenfield, not a replacement infrastructure, and most definitely not a new grid. We always have to remember that the Smart Grid is a new way of leveraging, stabilizing, advancing, and enhancing, the OLD Grid.

The billions that have been made available through the Smart Grid Investment Grant Program, and the additional billions that are pouring into development of renewables, transmission and distribution advancements, PEVs, and storage, are only a small fraction of the total picture when the nation's power infrastructure is viewed in its eventual entirety. As a result, when we are considering the security of the Smart Grid, we must always consider (as the NIST work does) the existing grid. Whether we work to create more secure means to connect to it, or to actually revisit the older technologies and improve their protections, those challenges will likely be the most pressing, and the most complicated, that we need to solve.

Monday, September 28, 2009

What's on First: Insights in NIST's 1st Draft

Never will one mistake the complexities of the Smart Grid, and of undertaking the improvement of its protections, for a straightforward task in security and engineering. It presents an Augean stable of issues, and NIST has waded in with a legion of contributors to first make sense of it all, and then to start handing out shovels.

In the first draft of their analysis, announced during Grid Week, Annabelle Lee and her team have created a dense but readable tome, numbering some 236 pages at present, entitled Smart Grid Cyber Security Strategy and Requirements. I encourage you to read it, either on its own or as an adjunct to the more general draft of NIST's Smart Grid guidance on interoperability. In the event that you are interested in some sense of where the emphasis was put, and are more engaged by the higher-level issues of focus and risk, I did a bit of data reduction and reached some pretty interesting, if unintended (and definitely scientifically questionable), conclusions.

One of the techniques that NIST uses in creating a better means of discussing cyber security for the grid is to categorize the areas of likely risk and their impacts. This is very helpful, as there are myriad instances of connection between systems within the Smart Grid, and some higher-level abstraction helps to make the issues digestible. These 15 categories are defined within the document, as are the potential impacts to them (Confidentiality, Integrity, Availability) and their levels (High, Medium, Low), using established definitions from the venerable FIPS Publication 199. This exercise, and the tables contained within the draft, permits a reader with a spreadsheet (me) to draw two conclusions about priorities in Smart Grid Security.

Conclusion 1: Integrity is the most important attribute
In reviewing the definitions of the categories, and the impact that was most highly rated, the answer was unanimous. Integrity, as opposed to confidentiality or availability, was rated as a "High" in every single instance. (NB: In categories 10-12, there is a range of impact levels, but each included "High" for Integrity.) Whether because corrupted data could degrade the operation of the grid, or because it could be used to defraud customers, suppliers, or the market, integrity showed up as the Number 1 concern, with no exceptions, according to the NIST results.

Conclusion 2: B2B and control system connections are Riskiest
There were only two categories which ranked with "Highs" across the board, for Confidentiality, Integrity, and Availability, and both could be described as connections between different kinds of systems. The categories are numbers 6 and 7, relating to B2B and control/non-control systems respectively. This feels right intuitively, but it also represents a potential area of rapid growth in both members and risk for the Smart Grid. It describes the connections that are both most likely to be leveraged by new entrants and which are most likely to use either IP, or actual Internet-based, networking. As we have written about before, the Soft Grid is probably the next big area of investment and expansion, as organizations form to leverage the new infrastructure and public enthusiasm to deliver more interesting and likely complicated applications.
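The spreadsheet reduction behind the two conclusions above is easy to make reproducible. What follows is an added example, not code from the post or from NIST: it takes a table of per-category Confidentiality/Integrity/Availability ratings in FIPS 199 terms (Low, Moderate, High, with "M-H" style ranges as the draft gives for categories 10-12), asks which attribute includes "High" in every category (Conclusion 1) and which categories are rated High across all three attributes (Conclusion 2), and, going one step beyond the post, also computes the FIPS 199 "high-water mark" for each category. The 15 rows are constructed placeholders shaped to match only what the post summarises, not the draft's actual table; only categories 6 (B2B) and 7 (control/non-control) are named from the post.

```python
"""Spreadsheet-style reduction of FIPS 199 impact ratings (added example).

Constructed, illustrative data: the 15 rows below are NOT the NIST draft's
table. They are shaped only to match what the post summarises (integrity
includes High in every category, categories 10-12 carry a range, and
categories 6 and 7 are High across the board); every other cell is a
placeholder so the reduction has something to work on.
"""
from typing import Dict, List, Tuple

LEVELS = {"L": 1, "M": 2, "H": 3}
NAMES = {1: "Low", 2: "Moderate", 3: "High"}
ATTRS = ("Confidentiality", "Integrity", "Availability")

# category number -> (confidentiality, integrity, availability)
# "M-H" is a range; 6 = B2B connections and 7 = control/non-control
# connections are the two categories the post names, the rest are hypothetical.
CATEGORIES: Dict[int, Tuple[str, str, str]] = {
    1:  ("L", "H", "M"),
    2:  ("M", "H", "M"),
    3:  ("L", "H", "H"),
    4:  ("M", "H", "L"),
    5:  ("L", "H", "M"),
    6:  ("H", "H", "H"),        # B2B connections
    7:  ("H", "H", "H"),        # control / non-control system connections
    8:  ("M", "H", "M"),
    9:  ("L", "H", "H"),
    10: ("L-M", "M-H", "M"),    # ranged ratings, as in the draft's 10-12
    11: ("M", "M-H", "L-H"),
    12: ("L-H", "H", "M-H"),
    13: ("M", "H", "M"),
    14: ("L", "H", "L"),
    15: ("M", "H", "H"),
}


def parse_range(cell: str) -> Tuple[int, int]:
    """'M' -> (2, 2); 'M-H' -> (2, 3). Anything else is rejected."""
    parts = cell.split("-")
    if not 1 <= len(parts) <= 2 or any(p not in LEVELS for p in parts):
        raise ValueError(f"bad impact cell: {cell!r}")
    lo, hi = LEVELS[parts[0]], LEVELS[parts[-1]]
    if lo > hi:
        raise ValueError(f"inverted range: {cell!r}")
    return lo, hi


def includes_high(cell: str) -> bool:
    """True if the rating is High, or a range whose upper bound is High."""
    return parse_range(cell)[1] == LEVELS["H"]


def attributes_high_everywhere(table=CATEGORIES) -> List[str]:
    """Conclusion 1: attributes that include High in every category."""
    return [attr for i, attr in enumerate(ATTRS)
            if all(includes_high(row[i]) for row in table.values())]


def categories_high_across_board(table=CATEGORIES) -> List[int]:
    """Conclusion 2: categories rated a flat High for C, I and A alike."""
    return sorted(num for num, row in table.items()
                  if all(parse_range(c) == (3, 3) for c in row))


def security_category(row: Tuple[str, str, str]) -> str:
    """FIPS 199 high-water mark: the category's overall level is the highest
    impact among C, I and A (taking the upper bound of any range)."""
    return NAMES[max(parse_range(c)[1] for c in row)]


def high_water_marks(table=CATEGORIES) -> Dict[int, str]:
    """Overall FIPS 199 security category for every row of the table."""
    return {num: security_category(row) for num, row in table.items()}


if __name__ == "__main__":
    print("High in every category:", attributes_high_everywhere())
    print("High across C, I and A:", categories_high_across_board())
    for num, level in high_water_marks().items():
        print(f"category {num:2d}: {level}")
```

One thing the high-water mark makes visible: because integrity includes High in every row, every category collapses to an overall "High", which is exactly why the per-attribute view in the post is the more informative cut when deciding where to start.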

In the remarkable depth and detail of the NIST report, it is very possible to become discouraged by the references to "hundreds of standards" and by the complexity of the diagrams it contains. It is important to have a sense for where to start, as the NIST process will necessarily be a lengthy one, and time (and Smart Grid Investment Grants) are waiting for no one. If, as contributors to the Smart Grid, or as advisors to organizations which seek to connect, we can help them to focus on these few issues from the start, it is possible that they will be far better prepared for the new documents, threats, and requirements that are certain to follow.