© OASIS 2010 Security, Privacy, the SmartGrid and open standards Jamie Clark, OASIS Bob Griffin, EMC Hal Lockhart, Oracle Santa Clara, CA May 2010


Page 1: © OASIS 2010 Security, Privacy, the SmartGrid and open standards Jamie Clark, OASIS Bob Griffin, EMC Hal Lockhart, Oracle Santa Clara, CA May 2010.

© OASIS 2010

Security, Privacy, the SmartGrid and open standards

Jamie Clark, OASIS
Bob Griffin, EMC
Hal Lockhart, Oracle

Santa Clara, CA, May 2010

Page 2:

● OASIS is a member-led, international non-profit standards consortium for global e-business & the information economy

● Over 650 members

● Over 70 technical committees producing royalty-free and RAND standards

"The largest standards group for electronic commerce on the Web."

15% Government & Academic

35% Users & influencers

50% Technology Providers

Introduction: James Bryce Clark, General Counsel, OASIS

[email protected]/JamieXML

Page 3:

Figure: the OASIS SOA standards stack, with layers: Common transport (HTTP, etc.); Common language (XML); Discovery; Orchestration & Management; Security & Access; Messaging; Data Content; Description.

Page 4:

Figure: the same SOA stack (Common transport (HTTP, etc.); Common language (XML); Discovery; Orchestration & Management; Security & Access; Messaging; Data Content; Description), with the OASIS technical committees and standards that populate each layer listed below. Bracketed names are completed or archived efforts.

ebXML MSG, ebXML IIC, WS-RX, WSQM, [WS-Reliability]

BIAS Integration, DSS-X, EKMI, PKI, SAML, WS-SX, [DSS], [WS-Security], [XCBF]

SCA- Policy, SPML, WS-Federation, XACML, [DSML]

DCML (x2), WSDM, WSRF, WS-Notification

ASAP, CAM, ebXML-BP, Semantic Exec, SCA-BPEL, WSCAF, WS-TX, [BTP], [WSBPEL]

ebXML RegRep, UDDI

RELAX NG, XSLT Conformance

ElectionML, Emergency, Forest, IHC, Legal XML (4), Materials, OBIX, PLCS, PPS, RCXML, TaxXML, TransWS, XLIFF, [Auto Repair], [AVDL], [eGov]

Code Lists, DITA, SCA-C, SCA-J, SearchWS, XDI, XRI, [Entity Res], [Topic Maps]

ebXML CPPA, HumanML, SCA-Assembly, SDD, UIMA, UIML, WSRP

BCM, ebSOA, FWSI, SCA-Bindings, SOA-RM, Test Assertions, [Conformance]

CIQ, CGM, DocBook, OpenDocument, ODF Adoption, UBL, UnitsML, UOML

Energy Interop, EMIX, WS-Calendar

Page 5:

What is an Open Standard?

An open standard is:

• publicly available in stable, persistent versions

• developed and approved under a published, transparent process open to public input: public comments, public archives, no NDAs, multiple stakeholder sides

• licensable under explicit, feasible IPR terms

Anything else is proprietary. Using methods from a single company, or a closed group, may be fine, but it carries different risks than using standards.

Government and industry RFPs increasingly demand open standards, for modularity & sourcing.

Page 6:

Real-world installations are composed of multiple standards

Figure: a typical e-mail already relies on IP, TCP, URIs, SMTP, IMAP / POP3, HTML, and ASCII / Unicode.

Page 7:

Big networks (like the Internet and the SmartGrid) are necessarily modular: there are multiple legitimate ways to do things.

Page 8:

Multiple standards may co-exist

Simpler                          | More complex
Lightweight code                 | Heavyweight code, more functionality
Easier to tool, deploy           | Bigger tools, higher cost
Loose coupling to other methods  | More exclusive
Limited use case                 | Highly scalable

Innovation & interoperability require modularity & flexibility.

Page 9:

SmartGrid Topology for Dummies

Figure: Devices, HAN (home area network), AMI (advanced metering infrastructure). Where does privacy fit in?

Page 10:

Privacy: what are we collecting?

• Data from distinct devices

• Data from aggregate load signatures

What those data can answer:

• When do you usually come home? After last call, maybe?

• Are your kids home? Are they home alone?

• Is your alarm system armed?

• How often do you take baths? Are you taking one right now?
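The "when do you come home?" question is answered by aggregate load signatures alone, without any per-device data. The following added example (not from the OASIS deck, and not real meter data) is the check a utility or regulator would want before choosing a meter reporting interval: it builds a constructed day of whole-house readings at 15-minute resolution, recovers the evening arrival time from the first sustained step above the baseline load, and then re-runs the same inference on the same day coarsened to hourly and daily totals. The interval, baseline and threshold values are assumptions chosen for the illustration; coarsening the reported interval is shown here as one mitigation that shrinks the leak.

```python
# Added example, not from the OASIS deck: a defender's check of what a
# smart-meter reporting interval leaks about occupancy, and how coarsening
# the interval reduces it. All readings below are constructed, not real data.
from statistics import median

INTERVAL_MIN = 15      # reporting interval of the fine-grained series (assumed)
BASELINE_W = 150       # always-on load: fridge, standby devices (constructed)


def synthetic_day():
    """Constructed whole-house load for one day, one reading per 15 minutes."""
    slots = 24 * 60 // INTERVAL_MIN            # 96 readings
    day = [BASELINE_W] * slots
    for s in range(24, 30):                    # 06:00-07:30: morning routine
        day[s] += 1200
    for s in range(74, 92):                    # 18:30-23:00: evening at home
        day[s] += 1800
    return day


def coarsen(readings, factor):
    """Average each run of `factor` consecutive readings, i.e. report the same
    day at a coarser interval (factor 4 turns 15-minute data into hourly)."""
    return [sum(readings[i:i + factor]) / factor
            for i in range(0, len(readings), factor)]


def slot_to_clock(index, interval_min):
    """Clock time (HH:MM) at which reading `index` of the series starts."""
    minutes = index * interval_min
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def infer_arrival(readings, interval_min, threshold_w=500):
    """Estimate the evening arrival time as the first step above baseline, after
    noon, that persists for two consecutive readings. Baseline is taken as the
    median, which works because most of the day sits at the always-on load.
    Returns a clock string, or None when the series is too coarse to tell."""
    baseline = median(readings)
    noon = (12 * 60) // interval_min
    for i in range(noon, len(readings) - 1):
        if (readings[i] - baseline > threshold_w
                and readings[i + 1] - baseline > threshold_w):
            return slot_to_clock(i, interval_min)
    return None


def leak_by_granularity(day):
    """What each reporting interval reveals about the arrival time."""
    return {
        "15-minute": infer_arrival(day, INTERVAL_MIN),
        "hourly": infer_arrival(coarsen(day, 4), 60),
        "daily": infer_arrival(coarsen(day, 96), 24 * 60),
    }


if __name__ == "__main__":
    for interval, arrival in leak_by_granularity(synthetic_day()).items():
        shown = "not recoverable" if arrival is None else "at " + arrival
        print(f"{interval:>10}: arrival {shown}")
```

On the constructed day the 15-minute series gives the arrival to the quarter hour (18:30), the hourly series only to the hour (18:00), and a single daily total gives nothing. The same step detector would also fire on the morning routine if run from midnight, which is the point: any interval fine enough for demand-response signalling is fine enough to answer the questions on this slide, so the granularity the utility retains and shares is itself a privacy control.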

Page 11:

Instances of data control & access

• Designed control & monitoring uses

• Designed control beyond expected limits -- shutoffs from above, "upgrades" from above

• Unintended access (hacking) -- wardriving, Google Maps survey cars

• Undisclosed designed uses: do your appliances "phone home"? Like web cookies: in addition to the data conversation you know about, how many others are going on?

• Data mining for marketing; warranty filtering; etc.

Page 12:

Legal & regulatory tools for privacy

• (EU) Data ownership

• Use of PII (health, social security numbers, accounts & internet devices)

• Privacy notices & contract breach

• "Fair information practices" per the FTC

• Fourth Amendment searches & overintrusiveness

• Trade secrets (?)

• Location services from mobile devices (?)

• Anonymization

Page 13:

SmartGrid Topology for Dummies

Figure: Devices, HAN (home area network), AMI (advanced metering infrastructure). Where does security fit in?

Page 14:

NIST/DoE SGIP Cybersecurity WG

http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG

NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements

• In beta; comment period closing June 2

• Principles for practices & use of data standards

• Builds on DHS Catalog of Control Systems Security: Recommendations for Standards Developers (March 2010): developing mappings for HAN, AMI

http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CSCTGHighLevelRequirements

Page 15:

DHS Catalog of Control Systems Security ...

• Published Security Policies

• Organizational & Management Practices

• Personnel Issues: Hiring, Roles, Transfer, Accountability, Termination

• Physical Security: Gate/access control; Logs & records; Emergency systems, environmental systems & shutoffs; Deliveries, Removals, Portable Media; Location of sensitive controls & assets

. . .

Page 16:

DHS Catalog of Control Systems Security ...

• Acquisition: RFP, purchases, supply chain assurance & lifecycles; Mergers & newly acquired businesses; Documentation control; Software management, licensing, outsourcing

• Configuration Management: Policies, Baselines, Change control, Function limits

• Planning & Risk Mitigation

. . .

Page 17:

DHS Catalog of Control Systems Security ...

• Systems & Communication Protection: Integrity, Authenticity, Cryptography, Function isolation; Situational issues (mobile, VoIP, cloud, virtualization, &c)

• Information (Document) Management

• System Maintenance, Backup, Recovery

• Training

• Incident Response

• Data Medium Protection

. . .

Page 18:

... DHS Catalog of Control Systems Security

• System Integrity: Alerts, Errors, Spam, Malware, etc.

• Access Control: Policies, Identifiers, Authenticators, Enforcement

• Audit & Accountability

• Monitoring of Security Policy Compliance

• Risk Management

• Security Program Management

Page 19:

Figure: the OASIS SOA standards stack again (Common transport (HTTP, etc.); Common language (XML); Discovery; Orchestration & Management; Security & Access; Messaging; Data Content).

Stable, tested, well-tooled open standards do fulfill many of these SmartGrid needs.

Page 20:

Security, Privacy, the SmartGrid and open standards

Jamie Clark, OASIS
Bob Griffin, EMC
Hal Lockhart, Oracle

Santa Clara, CA, May 2010