Monday, February 8, 2010

NERC Insights on NIST's Direction

In a piece today at Smart Planet, John Dodge wrote about the new version of Smart Grid cybersecurity guidance from NIST, and pointed back to an earlier piece I had written here, on a view of the first draft of NISTIR 7628, where I had referred to that tome as "dense, but readable". As I continue to review the most recent release, out this month, which lives here, I am still impressed by Annabelle Lee and the NIST-led team's capability to synthesize so much information into a digestible document, but I will admit that there is quite a bit here to get through. There is a sheer printed shelf weight increase in requirement detail of 34% (from 236 to 305 pages), not that I would print it out, but you get the point.

I'm not sure how others will approach the effort to understand the origin and evolution of the new version of requirements, but I thought that one way was to take a look at the comments that were submitted to NIST in response to the initial draft. I figure that the type and urgency of concerns with Draft 1 that find either resolution or rebuttal will give a rough sense for the industry's comfort with the process.

Much to see
NIST provides an open community and process for developing these recommendations, and part of that openness includes the contents and disposition of comments received. You can also take a look at them, (and I recommend it), here. It was in reading through these comments, and the responses to them, that it struck me how far we have yet to go, if we are to deliver a new grid that is flexible, resilient, and informed.

Andy and I have both spent a fair amount of time discussing the disconnects that we have seen between the security experiences and expertise of the Utility sector information technologists, and those of the residents of the more conventional IT and IT-security environments. Most articles you will find in the public arena describe within utilities a perceived unpreparedness for the polymorphic and omnipresent attacks that will arrive from the great unwashed networks as the Smart Grid advances the network underpinnings and interconnectedness of our power infrastructure. Reading through these comments, however, and taking the time to digest some of their meaning, caused me an odd combination of comfort in the level of thoughtfulness and thoroughness of some of the legacy community reviewers (particularly those from NERC), and anxiety that the Grids of present and future are not at different positions along a similar path, but are each seeking progress on very different, if parallel, tracks.

There are three comments that really caught my attention, not so much because they uncovered a new area of weakness that I hadn't considered, but because of the straightforward and conclusive manner in which they were posed. The first is Comment #35, and within it is this recommendation:
In an organized and designed way, NIST and the industry need to develop a focus on response and recovery. While the first goal of a cyber security strategy should be on prevention, it also requires that a response and recovery strategy be developed in the event of a cyber attack on the electric system. More planning and investment is needed to develop response and recovery actions, while continuing to develop a strategy for prevention of a cyber security incident.
Bravo! We have said for some time now that the sheer magnitude of the expansion of connectivity, access, services, companies, and personnel, will necessarily make the grid more susceptible to attack, but that sound design and deployment should nonetheless make it far more resilient. Less happily, the comment and recommendation can't get too far in this venue, given the nature of this document and draft. The response?
The NISTIR is a high level document addressing response, recovery, and prevention. Each organization will need to define the core components of their respective Smart Grid deployments.
Not so Bravo-ish. The response is mainly to a second recommendation in the comment regarding critical components, their reliance on technology, and their role in recovering service. It does not evoke support for the idea of a violable but reliable Smart Grid, engineered, like a Bop Bag, to bounce back every time someone tries to knock it down.

A second comment (#40) that attracted me was related to the context of the NIST risk assessment, and the relatively static way in which the document described the challenge of security the Smart Grid.
NIST’s overall risk assessment is flawed because it does not capture the essential idea that Smart Grid is not a point in time. That is, one specific action cannot be taken regarding cyber security that will protect the system as a whole. Because the Smart Grid will evolve in pieces and parts, every time a new piece or part is integrated into the Smart Grid, new system vulnerabilities and variations on consequences could be introduced. Very rarely will the introduction of a new piece or part take vulnerabilities away. Therefore, when they are integrated into the Smart Grid, that piece or part must be customized to ensure that cyber security is integrated into system architectures.
This is exactly right. This is particularly true in our present state, where Smart Grid investments are already well underway, and where new initiatives are more likely to be funded piecemeal than created from whole cloth. Again, though, this comment did not find a home in the document:
Currently, reporting vulnerabilities for controls systems falls under the responsibility of DHS and DOE. We will consider this recommendation in a future draft of the NISTIR.
I guess that if one considers the mode of the system to be one of deployed infrastructure, then the reliance on external expertise to notify of vulnerabilities makes sense. My view of the comment, however, was more that there is a need to consider the characteristics of any component prior to integration, so that augmentations for security can be made if required.

The last NERC comment I wanted to point out is related to the utility of their own approaches and checklists in the new world. Many in the Smart Grid world are shuddering to think of the possibility that the NIST document, or another, will provide some simple "yes/no" set of questions that will invariably lead to a less secure infrastructure, designed to survive the certification, not necessarily the real world. The comment in question is #41, and it calls into question any primary reliance on NERC's own Critical Infrastructure Protection Standards. In NERC's own words:
While the CIP Reliability Standards are designed to shape the behavior of asset owners and operators, they are not designed to shape the behavior of equipment and system designers, manufacturers and integrators. The CIP Reliability Standards apply to installed equipment and require security controls be applied to manage risk in the operation and maintenance of cyber assets. However, the protection goals of the Smart Grid, on the other hand, are broader, and address component security, integrity of communications, privacy and other cyber security considerations.
This recommendation is accepted into the new draft, and while the NERC CIP requirements remain, they are acknowledged as only partial criteria.

Where From Here?
Clearly the NIST effort is delivering real value in terms of illuminating a portion of the concerns regarding the newest parts of the Smart Grid, particularly AMI, and the IT-security heavy areas of network transmission, authentication, reporting, etc. This is the first arena of discovery and recommendation because so much of the operational iron that is early into the mix will rely on some form of standards, or recommendation, or expected best practices, in terms of security.

The arrival of well-informed and broad-based requests from the NERC team, in the form of comments to the first draft bring to light two important facts that I haven't seen given a lot of press:
  • The Smart Grid is not just for Newbies
    The Smart Grid will ultimately only be secured through the cooperative insight and involvement of those most familiar with the existing, putatively "not Smart" grid, who are bringing to the table a realistic view of the less shiny, less novel, aspects of keeping the lights on. From these comments, it seems they are not being dragged into the IT-heavy world of the Smart Grid, but are approaching it aggressively, albeit with understandable compartmentalization and caution
  • There is gap in security emphasis between those that are planning, and those that are doing
    While there has been much work done on the content of the most recent draft of NISTIR 7628, it is intended to only describe a portion of the waterfront. While that definition process continues, there are real decisions being made, and real deployments being undertaken, that are outside the scope of the current NIST effort
In the coming months, we hope to see this disparity lessen, as the NIST recommendations begin to impact the product and process decisions that utilities make based on those reports. Hopefully then, other more broad concerns, such as those highlighted in the NERC comments, will rise in importance and urgency to the industry.

images courtesy of:

No comments: