Specifying and Purchasing Cybersecure Operations Technology Networks
Presentation Outline
• CIP Update – Barry Lawson
• Changing Market – Tony Thomas
• Google for Hackers Demonstration – Andre’ Joseph
• Planning for the future – Tony Thomas
• Securing the network/RC3 – Andre’ Joseph
• Summary – Tony Thomas
NERC Cybersecurity Supply Chain Standards
• FERC Order No. 829 (Docket No. RM15-14-002; July 21, 2016)
• Directed NERC to develop cybersecurity supply chain standards for ICS, software, etc., for BES operations
• Must address software integrity/authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls
• Upon industry and NERC Board approval, NERC filed new/revised standards with FERC on Sept. 26, 2017 (Docket No. RM17-13-000)
• New CIP-013-1 – vendor issues
• Revised CIP-005-6 – remote access issues
• Revised CIP-010-3 – software issues
A 50,000’ View of Grid 3.0
Foundational Technologies of Grid 3.0
See the Big Picture
Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!
https://www.shodan.io
Custom Integration
Traditional Data Architecture
[Figure: Metering, SCADA, GIS, CIS]
Does your data architecture look like this?
Interoperable Systems
It should look like this…
Why is an Interoperability Standard Important?
The US DOE spent ~$9,000,000,000 to fund the ARRA Smart Grid initiative.
Fully 1/3rd of the money spent was on custom integration for software interoperability.
Enabling Interoperable Systems
Interoperable Systems
MultiSpeak Overview
Why MultiSpeak?
• In continuous development since 2000
• Used by >800 electric utilities
• Supported by most of the vendors in the utility market
• Approximately 40 end-points fully documented and supported
• By far, the most commonly used interoperability standard in use by electric utilities today.
• Included in the SGIP Catalog of Standards
• Complete standard with cybersecurity extensions.
Coming Changes to MultiSpeak!
• MultiSpeak.biz
• MultiSpeak Marketplace (in development now)
• New MultiSpeak website specifically designed for non-subscribers
• Fee for Service business model.
• MultiSpeak App Store (later this year)
• Marketplace for App developers/users
• Shared revenue business model
• Modeled on the Apple App Store
Coming Changes to MultiSpeak!
• New Testing & Certification program with Digital Badges
• Digital Badges make it easy to see what vendors have MultiSpeak certified products
• Testing & Certification program based on Function Sets
• Guide Specifications based on Function Sets
• Guide Specifications are free to MultiSpeak subscribers
• Guide Specifications are available to non-subscribers on MultiSpeak.biz
• We’re making specifying and purchasing MultiSpeak interfaces easier and more consistent.
• Improved cybersecurity due to consistent interfaces
Cybersecurity for OT Networks
GOAL: to improve the cyber security and resiliency capabilities of small- and mid-sized electric cooperatives
NRECA’s Rural Cooperative Cyber Security Capabilities Program
• Self Assessments
• Vulnerability Assessments
• Integrating New Technologies
• Information Sharing
Distribution Operations has an over-abundance of software systems with disorganized, redundant data storage patterns that have led to convoluted, inefficient, labor-intensive business processes.
Anonymous utility CEO
Andre’ Joseph
Principal, [email protected]
Tony Thomas, CEM, GICSP
Sr. Principal [email protected]
Questions: