This presentation reports on a complex system of systems, the U.S. Smart Grid, and provides advice on how to improve the cyber-security maturity of various organizations involved in different aspects of the U.S. energy grid. Specifically, we discuss how a reference architecture can be used as a focal point to improve the maturity of an organization's cyber-security efforts.
The National Institute of Standards and Technology (NIST) Interagency Report (IR) 7628, Guidelines for Smart Grid Cyber Security, objectives state, "The transformation of today's electricity system into a Smart Grid is both revolutionary and evolutionary. Persistence, diligence, and, most important, sustained public and private partnerships will be required to progress from today's one-way, electromechanical power grid to a far more efficient digitized 'system of systems' that is flexible in operations, responsive to consumers, and capable of integrating diverse energy resources and emerging technologies."
The NISTIR 7628 documents both high-level security requirements and the logical reference architecture (commonly called the "spaghetti diagram"), and both are fundamental to planning for improved cyber security. The spaghetti diagram includes all actors from the NIST Framework and Roadmap document and identifies logical communication interfaces between actors. These logical interfaces are grouped into logical interface categories, based on their security-related characteristics, which simplify the identification of security requirements. These LICs provide an interesting categorization of types of interfaces, such as those with requirements for high-availability, compute/bandwidth constraints, and interorganizational versus control systems.
The basis of this presentation is the NISTIR 7628 User's Guide, a document currently under development by the SGIP and anticipated to be published by the end of March 2013. This user's guide provides advice to an organization on how to improve cyber-security maturity, leveraging the NISTIR 7628.
This presentation focuses on the reference architecture and how it can be used to identify an organization's high-risk systems and system security requirements, with much of the User's Guide detail simplified just for context. The User's Guide is intended to provide a hands-on, step-by-step procedure that a utility can follow to identify their own organization's architecture and any security gaps. Key members of the User's Guide team are utility experts, so embedded into the guide is practical "here's how we do it" advice. A pointer to the full guide, available for public use when published, will be provided. The NISTIR 7628 has been publically available for download since its publication.
While the NISTIR 7628 and the related User's Guide are specific to the Smart Grid, a similar risk-ranked process, leveraging a reference architecture and the organization's own specific enterprise architecture, would be applicable to any organization attempting to improve their cyber-security maturity.
Many thanks to the NISTIR 7628 User's Guide team!