Post on 30-Jan-2016
© OASIS 2010
Security, Privacy, the SmartGrid and
open standards
Jamie Clark, OASISBob Griffin, EMC
Hal Lockhart, OracleSanta Clara, CA May 2010
© OASIS 2010
● OASIS is a member-led, international non-profit standards consortium for global e-business & the information economy
● Over 650 members● Over 70 technical
committees producing royalty-free and RAND standards
"The largest standards group for electronic commerce on the Web."
15% Government & Academic
35% Users & influencers
50% Technology Providers
IntroductionJames Bryce Clark, General Counsel, OASIS
jamie.clark@oasis-open.orgwww.twitter.com/JamieXML
Common transport (HTTP, etc.)
Common language (XML)
Discovery
Orchestration & Management
Security & Access
Messaging
Data Content
S O AS O A Description
Common transport (HTTP, etc.)
Common language (XML)
Discovery
Orchestration & Management
Security & Access
Messaging
Data Content
S O AS O A
Description
ebXML MSG, ebXML IIC, WS-RX, WSQM, [WS-Reliability]
BIAS Integration, DSS-X, EKMI, PKI, SAML, WS-SX, [DSS], [WS-Security], [XCBF]
SCA- Policy, SPML, WS-Federation, XACML, [DSML]
DCML (x2), WSDM, WSRF, WS-Notification
ASAP, CAM, ebXML-BP, Semantic Exec, SCA-BPEL, WSCAF , WS-TX, [BTP]. [WSBPEL]
ebXML RegRep, UDDI
RELAX NG, XSLT Conformance
ElectionML, Emergency, Forest, IHC, Legal XML(4), Materials, OBIX, PLCS, PPS, RCXML, TaxXML,TransWS, XLIFF, [Auto Repair], [AVDL], [eGov]
Code Lists, DITA, SCA-C, SCA-J, SearchWS, XDI, XRI, [Entity Res], [Topic Maps]
ebXML CPPA, HumanML, SCA-Assembly, SDD, UIMA, UIML, WSRP
BCM, ebSOA, FWSI, SCA-Bindings, SOA-RM, Test Assertions, [Conformance]
CIQ, CGM, DocBook, OpenDocument, ODF Adoption, UBL, UnitsML, UOML
Energy Interop, EMIX, WS-Calendar
© OASIS 2010
What is an Open Standard?An open standard is: publicly available in stable, persistent versions developed and approved under a published,
transparent process open to public input: public comments, public archives,
no NDAs, multiple stakeholder sides licensable under to explicit, feasible IPR termsAnything else is proprietary: Using methods from a single company, or close group,
may be fine: but different risks than using standards Government and industry RFPs increasingly demand
open standards, for modularity & sourcing
© OASIS 2010
Real-world installations are composed of multiple standards
IPTCP
URIs
SMTP
IMAP / POP3
HTML
ASCII / Unicode
Typical e-mail
© OASIS 2010
Big networks (like the Internet and the SmartGrid) necessarily are modular: multiple legitimate ways to do things
© OASIS 2010
Multiple standards may co-exist
SimplerMore complex
Lightweight code Heavyweight code, more functionality
Easier to tool, deploy Bigger tools, higher cost
Loose coupling to other methods More exclusive
Limited use case Highly scalable
Innovation & interoperability require Innovation & interoperability require modularity & flexibilitymodularity & flexibility
© OASIS 2010
SmartGrid Topology for Dummies
Devices
?PrivacyPrivacy
AMI
HAN
© OASIS 2010
Privacy: what are we collecting?
Data from distinct devices Data from distinct devices Data from aggregate load signaturesData from aggregate load signatures
• When do you usually come home? • After last call, maybe?• Are your kids home? Are they home alone?• Is your alarm system armed?• How often do you take baths?• Are you taking one right now?
© OASIS 2010
Instances of data control & access Designed control & monitoring uses Designed control beyond expected limits -- shutoffs
from above -- "upgrades" from above Unintended access (hacking) -- wardriving, Google
Maps survey cars Undisclosed designed uses Do your appliances "phone home"? Like
webcookies: in addition to the data conversation you know, how many others are going on?
Data mining for marketing; warranty filtering; etc.
© OASIS 2010
Legal & regulatory tools for privacy
(EU) Data ownership Use of PII (health, social security numbers, accounts
& internet devices) Privacy notices & contract breach "Fair information practices" per the FTC Fourth Amendment searches & overintrusiveness Trade secrets (?) Location services from mobile devices (?) Anonymization
© OASIS 2010
SmartGrid Topology for Dummies
Devices
?SecuritySecurity
AMI
HAN
© OASIS 2010
NIST/DoE SGIP Cybersecurity WG
http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/ CyberSecurityCTG
NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements
In beta; comment period closing June 2 Principles for practices & use of data standards Builds on DHS Catalog of Control Systems Security:
Recommendations for Standards Developers (March 2010): developing mappings for HAN, AMI
http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/ CSCTGHighLevelRequirements
© OASIS 2010
DHS Catalog of Control Systems Security ...
Published Security Policies Organizational & Management Practices Personnel Issues
Hiring, Roles, Transfer, Accountability, Termination Physical Security
Gate/access control Logs & records Emergency systems, environmental systems & shutoffs Deliveries, Removals, Portable Media Location of sensitive controls & assets
. . .
© OASIS 2010
DHS Catalog of Control Systems Security ...
Acquisition RFP, purchases, supply chain assurance &
lifecycles Mergers & newly acquired businesses Documentation control Software management, licensing, outsourcing
Configuration Managament Policies, Baselines, Change control, Function limits
Planning & Risk Mitigation. . .
© OASIS 2010
DHS Catalog of Control Systems Security ...
Systems & Communication Protection Integrity, Authenticity, Cryptography, Function isolation Situational issues (mobile, VoIP, cloud, virtualization, &c)
Information (Document) Management System Maintenance, Backup, Recovery Training Incident Response Data Medium Protection
. . .
© OASIS 2010
... DHS Catalog of Control Systems Security
System Integrity Alerts, Errors, Spam, Malware, etc.
Access Control Policies, Identifiers, Authenticators, Enforcement
Audit & Accountability Monitoring of Security Policy Compliance Risk Management Security Program Management
Common transport (HTTP, etc.)
Common language (XML)
Discovery
Orchestration & Management
Security & Access
Messaging
Data Content
S O AS O A
Stable, Stable, tested, tested, well-well-tooled tooled open open standardstandards s dodo fulfill fulfill many of many of these these SmartGrSmartGrid needsid needs
© OASIS 2010
Security, Privacy, the SmartGrid and
open standards
Jamie Clark, OASISBob Griffin, EMC
Hal Lockhart, OracleSanta Clara, CA May 2010