Interoperability, Standards and Cybersecurity: A Business Perspective
1. Interoperability, Standards and Cyber-Security: A Business Perspective
Patrick C Miller, President and CEO
April 21 2011
Innotech Smart Grid Oregon Pacific NW Smart Grid Trade Show and Conference
2. Interoperability
• Goal: “electron flocking” (e-flocking)
• Current approach may be too prescriptive
• $10K per seat may be a barrier
• No real consensus at this time
• Potentially unbalanced voting process
• EEI feels the industry is being “marginalized”
• Not ready for adoption at this time; but when?
The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program
3. Standards
• FERC/PUC lines are not clear
• NARUC wants backward compatibility
• Many state commissions do not have expertise or sufficient staff to deal with the smart grid wave
• California PUC is not waiting for Federal standards
• Utilities are moving forward, but inconsistently
• Suffering from standard fatigue
4. Cybersecurity Landscape
• Security approaches favor new installations; legacy environments are still vulnerable
• Very difficult to replace/patch in-service devices
• Isolation has diminishing security value
• Security products vs. buying secure products
• Engineering (N-1) and Security are different
– Nature may be sophisticated, but it isn’t malicious
• Hackers don’t use a compliance checklist
– Following a compliance checklist won’t make you secure
5. Cybersecurity Landscape
• Mixing legacy and bleeding edge tech is difficult
• Logical distance between kinetic endpoint and HMI is exponentially increasing; “hyperembeddedness”
• Many vendors are forced to put features ahead of security due to market conditions
• Privacy and security will be dominant forces in the smart grid market
• Sufficient motive, means and opportunity exist to take the threat seriously
7. Research and Disclosure
46 zero-day SCADA vulnerabilities issued in a two-week span
8. Smart Grid Development
• Security Considerations
– Get off of the innovation treadmill (see: Apple)
– Code review: meters, aggregators, upstream
– Crypto: transit, rest, key management
– Message authentication: learn from EAI models
– Patching
– Supply chain: hardware, software, people
– Physical access
– Vulnerability management
9. Smart Grid Development
• Privacy Considerations
– Legal implications
– Tin foil hat club
– Must have vs. nice to have
– Opt in vs. opt out vs. no option
– Information is a commodity; ethics matter
10. Questions?
Non-profit. Independent. Trusted.
Patrick C Miller, President and CEO
patrick@energysec.org
503-446-1212