Cyber Security Perspective from Grid-Interop
by Sandy Bacik, Principal Consultant
The Cyber Security Solutions & Practices Panel, led by Patrick Miller, NESCO, spoke about the different practices that utilities need to incorporate into their operations. Russ Silva, Telcordia, spoke about their monitoring and intrusion detection products and why monitoring and reporting need to be part of a utility's security practice. Efrain Gonzalez, SCE, spoke about their practical implementation of cybersecurity across all aspects of the organization and reminded the audience that we cannot give up on integrating cybersecurity into enterprise processes and products. Mike Ahmadi, GraniteKey, spoke about the need for security testing of products prior to implementation. Bruce Barnet, GE Global Research, brought a new concept to the security arena by discussing a semantic model for looking at threats and risks within the physical and network environments. Sandy Bacik, EnerNex, closed the panel discussion by bringing all of the topics together and walking through what we need to keep at the forefront of our minds when developing and integrating cybersecurity into the utility environment. Before we can proceed, we need executive management's commitment that cybersecurity will be included, and we need cybersecurity requirements and architecture in our baseline before we start adding security services and products to the utility environment.
The CSWG session was an exciting session of updates, with anticipation building for an Assessment Guide for the NISTIR 7628. The session started with an update on the NESCOR project and its most recent whitepaper, the Technical White Paper on SEP 1.x Summary and Analysis, which was written to clarify alternative migration strategies and what is within and outside scope. Darren Highfill updated the group on the ASAP-SG status and the upcoming HAN Security Profile, which will proceed once funding has been secured. Sandy Bacik updated the group on the status of the Guide for Assessing the High-Level Security Requirements in the NISTIR 7628, which will help auditors, regulators, and assessors customize an assessment program based on the NISTIR 7628 high-level security requirements. The Assessment Guide will go out for additional public comment in the very near future. You can contact Sandy Bacik for additional information on the Assessment Guide and its companion spreadsheet.
The Cyber Security Requirements in Standards Panel, led by Darren Highfill, Utilisec, discussed how standards affect end-to-end interoperability with regard to security, how the standards development (and acceptance) process affects security, and how we incorporate security into a specification or standard. Many of the panelists discussed current market software and processes they have implemented. Sandy Bacik brought together their ideas on open source, ubiquitous messaging, architecture, and trust, and related these concepts to the difference between operational technology and information technology, defining message types and relating them to security services within a standard so that a utility can select the technology that matches its environment. Sandy also talked about using roles and separation of duties and other simple security services that should be included in all standards. When becoming part of a standards development organization's process for developing and updating standards, we need to work together to share information on who is doing what, and, while we are spread thin, we need to use each other as resources to ensure that security requirements are included in standards where appropriate. We need to understand the services needed to get messages and information from end to end, rather than from point to point.