UCAIug: AMI Security Update – September 2008 AMI-SEC Task Force AMI Security Acceleration...


Page 1

UCAIug: AMI Security Update – September 2008

AMI-SEC Task Force
AMI Security Acceleration Project (ASAP)

AMI-SEC Task Force Chair:

Darren Reece Highfill, CISSP

[email protected]@enernex.com

Page 2

AMI-SEC Task Force

• AMI-SEC is concerned with securing AMI system elements.
  – Contextual Definition:
    “…those measures that protect and defend AMI information and systems by assuring their ability to operate and perform in their intended manner in the face of malicious actions.”
• Purpose
  – Produce technical specification
    • Used by utilities to assess and procure
    • Used by OpenAMI – part of AMI/DR Reference Design
  – Determine baseline level of detail
    • Prescriptive in nature
    • Compliant products will have known functionality and robustness

Page 3

AMI-SEC Task Force

• Formation: August 23, 2007
• Q4 2007: Initial exploration, definition of scope, consensus on approach
• January 2008: Identification of 4 Deliverables
  – Risk Assessment
  – Architectural Description
  – Component Catalog
  – Implementation Guide
• Current Participation:
  – 127 Subscribers to Listserv
  – More than a dozen major utilities actively engaged

Page 4

[Figure: diagram with labels Academia / Gov’t, Vendors, Utilities, AMI-SEC, UtiliSEC, OpenSG, Tech Committee]

Page 5

AMI-SEC 2008 – Original Plan

[Figure: diagram with labels Requirement 1, Requirement 2, Requirement n; Function A, Function B, Function N; Risk Assessment / System Requirements; Architectural Description; Component Catalog; Implementation Guide]

Page 6

System Requirements

• Problem: Q1 2008 AMI-SEC work to generate Risk Assessment was significant task
  – Substantially tapped volunteer resources
• Risk Assessment very thorough, but only implied requirements (not explicit)
  – System Requirements document needed to be separated
• Utilities expressing need for requirements to use in procurement process

Page 7

Outrunning the Train

• Initial Concept: Late January 2008 (hat tip to Consumers Energy)
• Challenge: AMI-SEC TF is volunteer-based
  – Operates somewhat like a standards body
  – Heavy deliverable schedule, pressing industry need
  – Utilities strapped for human resources
• Solution: Utility-initiated collaborative project with DOE and EPRI
  – Band together to fund SMEs
    • Make the team directed, agile, and accountable
    • Do “AMI-SEC homework” for utilities (off-load utility personnel)
  – Utilize FFRDC resources (INL, ORNL, SEI)
  – Perform independent 3rd party testing
    • Collaborative R&D at EnerNex, EPRI Living Laboratory, Utility Laboratories, and Pilot Locations

Page 8

AMI Security Acceleration Project (ASAP)

• Outcomes: Support utilities procuring and deploying AMI
• Roadmap Challenges: Lack of security standards, guidance, best practices
• Approach:
  – Provide "drop-in" RFP security requirements
  – Develop test plans and methodologies
  – Perform vulnerability testing of AMI solutions
  – Produce recommendations for AMI security architecture
• Progress/accomplishments: Team built, research underway, documentation emerging

Schedule: Jan08 – Dec08
Level of Effort: High
Performers: EnerNex, Intelguardians, SEI, INL, ORNL
Partners: Utilities, DOE, EPRI

Roadmap to Secure Control Systems in the Energy Sector

Page 9

AMI-SEC 2008 – Revised Plan (includes ASAP)

[Figure: diagram with labels Requirement 1, Requirement 2, Requirement n; Function A, Function B, Function N; System Requirements; Architectural Description; Component Catalog; Implementation Guide; Risk 1, Risk 2, Risk n; Risk Assessment]

Page 10

Risk Assessment

• What must be addressed by the system and why
• Provide traceability for eventually selected mitigation methods back to organizational value
• Features:
  – Asset Catalog
  – Threat Profiles
  – Vulnerability Analysis
  – Threat-Vulnerability-Asset Mapping
  – Scenario Prioritization

Page 11

System Security Requirements

• Catalog of available requirements
• Pulled from wide library of many sources
  – Common Criteria
  – DHS Control Systems Catalog
  – FIPS 140-2
  – NIST 800-53, 800-82
  – NERC CIP
  – … (more coming)
• Features
  – System Constraints
  – States and Modes
  – Security Objectives
  – Assembled and Categorized Requirements

Page 12

Architectural Description

• Abstract (logical, platform-agnostic) mitigation plan for addressing requirements identified in the Risk Assessment.
• Features:
  – Architectural Representation of Security Systems
  – Logical Function Descriptions
  – System, Subsystem, and Function Boundaries

Page 13

Component Catalog

• Commonly found patterns of functions and services performed by individual components
• Include specific technologies, but will not be competitive in nature – patterns will overlap
• Note: Any single system implementation will use only a subset of the catalog.
• Features:
  – Design Patterns
  – Functional Primitives
  – Technological Applications and Considerations

Page 14

Implementation Guide

• Guidance to utilities and vendors for selection, assembly, and implementation of components from the Component Catalog
  – Integration Patterns
  – Procedures, Considerations, Guarantees, and Risks for Component Assembly
  – Performance Parameters and Relative Metrics
  – Recommendations and Guidance for Technology Selection
  – Best Practices to Ensure Component Interoperability and System Longevity

Page 15

ASAP – Participants

EnerNex: Process management and draft contributions / editing
Red Team: Testing procedures / methodologies and first-level evaluation of landscape
Software Engineering Institute (Carnegie Mellon): Process review / support and targeted analytical reports
Idaho National Lab: Detailed analytical report and recommendations for AMI communications architecture

• Current Signees:
  – Consumers Energy, SCE, PG&E, Duke, Oncor, AEP, BC Hydro
• Two more in-process, two more committed

Page 16

ASAP – Objectives

1. Ease utility HR demands of participating in volunteer task force
   – Dedicated, accountable resources
   – Utility personnel needed for requirements gathering
2. Provide “drop-in” set of RFP security requirements
   – Vendor-oriented summary of requirements
3. Develop test plans and methodologies
   – Evaluate security functionality
4. Perform vulnerability testing of AMI solutions
   – Establish 3rd party collaborative testing
   – First-cut cross-section
5. Produce recommendations for AMI communications security architecture
   – Underlying protocols and technologies
   – Survivability and the Systems Development Life Cycle (SDLC)

Page 17

AMI-SEC / ASAP Roadmap

Page 18

Deliverable Usage

Page 19

Goals & Objectives – Status

1. Ease utility HR demands
   – Done and continuing: utilities have been able to guide the process through AMI-SEC with occasional email and phone calls.
2. Provide RFP material
   – Almost done: System Security Requirements document at 95% mark.
3. Develop test plans
   – Underway: Red Team and Idaho National Laboratory have been working on these since early summer.
4. Perform vulnerability testing
   – Ready to start: Red Team currently awaiting vendor equipment.
5. Produce recommendations for security architecture
   – Underway: Architectural Description document at 95% mark, INL recommendations in progress.

Page 20

Questions?

[email protected]

AMI-SEC Collaboration Site: http://osgug.ucaiug.org/utilisec/amisec