AMI-SEC Task Force New Orleans Face-to-Face Meeting @ Entergy System Security Architectural...

AMI-SEC Task Force, New Orleans Face-to-Face Meeting @ Entergy. System Security Architectural Description. Darren Reece Highfill, CISSP, EnerNex Corporation, [email protected]


AMI-SEC Task Force
New Orleans Face-to-Face Meeting @ Entergy

System Security Architectural Description

Darren Reece Highfill, CISSP
EnerNex Corporation
[email protected]

Agenda

• AMI-SEC Roadmap
• UtiliSEC
• Relevant Security Work (reference material)
• Use of Public Networks
• Security Use Cases
• System Security Architectural Description
• Planning and Logistics

[Figure: AMI-SEC roadmap diagram. Labels: Formation; Charter; Initial Discussions; Process Discussions; Scope, Def’n; SDLC (Init, Dev/Acq, Impl, Op/Maint, Decomm); External Interfaces; IEC; IEEE; NIST; Risk Assm’nt; Arch Descr; Comp Catalog; Implt’n Guide; Sys Sec Reqmt’s; FAQ; Reports, Recd’ns; Testing; ASAP; Support]

Outreach

• Roadmap
  – 1st cut at drawing complete
  – Put together outline
  – Parking Lot items
  – Volunteers for contributions
• FAQ
  – On the SharePoint site, needs contributions
• Marketing Group
  – UtilityAMI / OpenAMI / UtiliSEC
  – Press releases
  – Other collateral

Roadmap Outline

• Problem Statement
  – Link to Charter, Scope, and Definition
  – Pictures?
• Target Audience
  – How is the utility problem space different (from e.g.: telecom)?
    • Educational resources
    • Reference material
  – Landscape
    • Technologies
    • Why is AMI different from IT (or SCADA)?
• Background
  – Purpose / Value Proposition
  – Goals
  – Risks
  – Benefits / Expectations
  – Scope
  – Roles, Responsibilities, External Parties
  – Timeline
  – Cost
• Process
  – How to find project resources (e.g.: Tasks, Milestones, Deliverables / Work Items)
  – How to participate / contribute
  – Dependencies
• Additional Resources
  – FAQ
  – ASAP

Agenda

• AMI-SEC Roadmap
• UtiliSEC
  – Jeremy McDonald
• Relevant Security Work (reference material)
• Use of Public Networks
• Security Use Cases
• System Security Architectural Description
• Planning and Logistics

UtiliSec SmartGrid System Security Specification

- Requirements Organized by Capability Robustness (i.e., Low, Med, High)
- Organized by SmartGrid Application Framework (i.e., Loosely applied)
- Categorization based on Security Services (e.g., Confidentiality)
- Defines Risk Assessment Process (Probability + Impact)

[Figure: protection profiles shown beneath the specification]

- UtiliSec SmartGrid Remote Disconnect Protection Profile
- UtiliSec SmartGrid Remote Meter Read Protection Profile
- UtiliSec SmartGrid Premise DR Protection Profile
- AMI Profiles
- UtiliSec SmartGrid Remote Switch Protection Profile
- UtiliSec SmartGrid Sensor Protection Profile
- UtiliSec SmartGrid Sensor Protection Profile

SmartGrid Architecture Framework (Application View, Data View, Communication View)

Agenda

• AMI-SEC Roadmap
• UtiliSEC
• Relevant Security Work (reference material)
  – Neil Greenfield
• Use of Public Networks
• Security Use Cases
• System Security Architectural Description
• Planning and Logistics

Agenda

• AMI-SEC Roadmap
• UtiliSEC
• Relevant Security Work (reference material)
• Use of Public Networks
  – Open Discussion
• Security Use Cases
• System Security Architectural Description
• Planning and Logistics

Use of Public Networks

• Regulatory Issues:
  – “Obligation to serve?”
    • In-addition-to, not instead-of
  – Third parties becoming de-facto utilities - regulatory gap
• Scope definition
  – Relevance to AMI-SEC: points of interface
    • Back office
    • HAN (if/when third party interfaces with HAN at the meter)
  – Reliability vs. Economics
• Third party gateways into the home
  – Energy management
  – Who owns / controls the gateway?
  – Load control – not allowed (indirect only)
  – C&I customers
• Motivation: “natural security?”
• Information model (CIM)
  – Need guidance of AMI-SEC when that is created

Agenda

• AMI-SEC Roadmap
• UtiliSEC
• Relevant Security Work (reference material)
• Use of Public Networks
• Security Use Cases
  – Bobby Brown, Coalton Bennett
• System Security Architectural Description
• Planning and Logistics

External Interactions View (Contextual)

[Figure: context diagram with the labels AMI, Customer, Utility, Third Party]

Customer Use Cases #1

Customer Accesses AMI Data:
Stimulus: Customers view a variety of information gathered by AMI
Response: Customers make choices in response to various pricing and/or emergency stimuli

Security Objectives:
• Customer wants their personal information only accessible by desired targets (e.g. utility)
• Customer wants to receive their credit for enrolling in a demand response program (availability)

Customer Use Cases #2

• Prepay
  Stimulus: Customers use the AMI system to prepay their accounts and read their current balance.
  Response: The AMI system tightly correlates the electric service to the status of the customer account

Customer Use Cases #3

Sub-Actors:
• Residential Customer
• Commercial Customer
• Industrial Customer
• Municipalities Customer

Utility Use Cases

• Remote Meter Reads
  The AMI system permits the utility to remotely read meter data in intervals so that customers may be billed on their time of use, and demand can therefore be shifted from peak periods to off-peak periods, improving energy efficiency.

• Remote Connect / Disconnect
  The AMI system permits customers' electrical service to be remotely connected or disconnected for a variety of reasons, eliminating the need for utility personnel to visit the customer premises.

• Notification – Demand Reduction
  The utility can notify customers through the AMI system that demand reduction is requested for the purposes of either improving grid reliability, performing economic dispatch (energy trading), or deferring buying energy.

Third Party Use Cases

• Third Party Access
  Third Parties (e.g. gas and water utilities, contract meter readers, aggregators) access AMI to read electrical meters, read gas and water meters, or control third-party equipment on customer premises.

AMI Use Cases

• Outage Management
  The AMI system can be used to report outages with greater precision than other sources, or verify outage reports from other sources.

• Power Quality Analysis
  The AMI system can be used to analyze the quality of electrical power by reporting harmonic data, RMS variations, Voltage and VARs, and can communicate directly with distribution automation networks to improve power quality and fault recovery times.

• Distributed Generation Management
  The AMI system can be used to detect, measure, regulate and dispatch distributed generation by customers.

• Energy Theft
  The AMI system can be used to report when customers are stealing energy or tampering with their meter.

Agenda

• AMI-SEC Roadmap
• UtiliSEC
• Relevant Security Work (reference material)
• Use of Public Networks
• Security Use Cases
• System Security Architectural Description
  – Bobby Brown, Coalton Bennett, James Ivers
• Planning and Logistics

System Security Architectural Description

• Objectives and goals
  – Describe the abstract (logical, platform-agnostic) mitigation plan for addressing requirements identified in the Risk Assessment / System Requirements Document.
• Approach
  – Architectural Representation of Security Systems
  – Logical Function Descriptions
  – System, Subsystem, and Function Boundaries
• Reference: IEEE 1471-2000
• Tell the story of the architecture
• AMI is unique from most systems
  – Heterogeneous environments
    • Utility Enterprise
    • Customer Premise
    • “Unknown / Variable” Territory in-between
  – Heterogeneous sources and levels of control
    • Utility
    • Customer
    • Third Parties

System Security Architectural Description

• Story cannot be told without talking about environmental aspects
• Views become cross-products of:
  – Function (business)
    • e.g.: meter read, load shed, etc…
  – Context / Environment
    • Proximity, control
  – Service Category (security)
    • e.g.: premise, communications, network ops, utility ops
  – User / Stakeholder
    • Concerns

System Security Architectural Description

What do we need next?

• Illustrations
• Spreadsheet: business functions vs. use cases
• Get all of the business functions defined
  – Do business functions fit within the views?
• Steps
  – Architecture
    • Complete the views
    • Identify business functions
    • Validate view against functions
  – Perform risk assessment against functions
  – Apply requirements against risk
• Create flowchart illustrating the process

Agenda

• AMI-SEC Roadmap
• UtiliSEC
• Relevant Security Work (reference material)
• Use of Public Networks
• Security Use Cases
• System Security Architectural Description
• Planning and Logistics

Planning / Logistics

• Next meeting dates
  – F2F
    • August 22nd, 9am-3pm EDT
      – UtilityAMI WG meetings run 20th-22nd
    • Hosted by EnerNex:
      620 Mabry Hood Road
      Knoxville, TN 37932
  – Teleconferences:
    • July 9th, 1-2pm EDT
    • July 23rd, 1-2pm EDT
    • August 6th, 1-2pm EDT