The Agile Fractal Grid
Chuck Speicher, John Reynolds
Friday, July 11, 2014
Security Fabric Alliance
• The Security Fabric Alliance is a working association dedicated to practical deployment of the power grid and critical infrastructure complex system solution in the United States:
– Utilities and telecommunications providers
– Systems integrators
– Manufacturers
– Technology partners
– National certification and interoperability entity
• The alliance is intended to give the CEO of a utility up-to-the-moment knowledge of the options available, so that wise investment decisions can be made regarding infrastructure deployment for optimal returns. The guidance is oriented appropriately for large, medium, and small entities.
The Industrial Internet
• The Industrial Internet Consortium was founded in 2014 to further development, adoption and wide-spread use of interconnected machines, intelligent analytics, and people at work.
• Through an independently-run consortium of technology innovators, industrial companies, academia, and government, the goal of the IIC is to accelerate the development and availability of intelligent industrial automation for the public good.
• The goals of the consortium are to:
– Utilize existing and create new industry use cases and test beds for real-world applications;
– Deliver best practices, reference architectures, case studies, and standards requirements to ease deployment of connected technologies;
– Influence the global development standards process for internet and industrial systems;
– Facilitate open forums to share and exchange real-world ideas, practices, lessons, and insights;
– Build confidence around new and innovative approaches to security.
• The Industrial Internet Consortium (“IIC”) is a trademark of the Object Management Group®, Inc. (OMG®), a not-for-profit 501(c)(6) tax-exempt organization.
The OMG process is more about establishing markets as opposed to just setting standards.
SFA Reference Builds
Certification of Conformance & Interoperability
The OMG is planning to standardize the Security Fabric for all critical infrastructure.
We are planning to support the 940 rural co-ops in the U.S. with hybrid cloud/device services protected by the Security Fabric.
The FCC recently has emphasized that the best course of action for rural broadband in the United States would be to use the rural electric utilities…
… the UTC and APPA expansions would triple the size of the coverage …
The Vision: “The Agile Fractal Grid”
Achieving Grid Security, Reliability, and Resiliency through Advanced Analytics and Control
What is needed:
1. A hybrid cloud for operations and analytics
2. Substation of the future
3. Security Fabric end-to-end
Each level operates in a somewhat selfish fashion, but recommendations for the best trend for the flock come from management guidance from above.
Primary Data Flow Patterns in Laminar Control for Power Grids
Electric power distribution and broadband communications are like Siamese twins!
(They can’t go anywhere without each other.)
Digital control is needed at each junction point.
Like electricity, broadband can be used for multiple things.
[Diagram labels: The Circulatory System; The Nervous System; NRECA; UTC]
As envisioned, Internet2 would eventually provide a sequestered core network for the Industrial Internet.
Note the quadruple redundancy
Separation of the Industrial Internet from the Generic Internet
[Diagram: the Core Network (Carrier Ethernet with routing, DWDM isolation) separated from the Generic Internet; Cooperative Control Centers; Core City Node; Enterprise Systems; Industrial Devices; Substation Nodes (Router+, Substation Controller); Carrier Ethernet isolation; NAN Nodes and HAN Nodes (Wireless LTE 700 MHz?, Wireless LTE 2.5 GHz?); PicoCell; Gateway; Sensor; Transverter]
We will eventually use a combination of DWDM separation plus Carrier Ethernet separation.
Our communications have redundancy built into the control protocols.
[Diagram: LTE Macrocell and Distribution Fiber; NAN LTE Picocell; Mobile; HAN LTE Home Gateway]
This is the only capability available that allows handoff between terrestrial LTE services and satellite services.
This system can simultaneously support the public safety 700 MHz frequencies as well as commercial usage.
15 Mbps downloading and 5 Mbps uploading.
100 MB Access Services! Internet2*
Cell Broadcast
The Security Fabric follows the guidelines required by the NIST 7628 for the Department of Energy.
[Diagram: The Security Fabric, spanning System & Network Management, Controller, and Devices]
The Security Fabric is an implementation of the Tailored Trustworthy Space.
[Diagram: Embedded Device: Applications, Device Management, Hypervisor]
The fundamental concept is that you must first separate the management elements of a device from the application payload portions.
This is similar to the AMT philosophy, but expanded to the software dimension.
Separation of Protection and Security
• The major hardware approach for security or protection is the use of hierarchical protection domains. A prominent example of this approach is a ring architecture with "supervisor mode" and "user mode".
• This approach adopts capabilities provided by a lower level (hardware/firmware/kernel).
The Multics Style of Ring Structure
The cybersecurity threat sharing needs to be performed between multiple communities to be effective.
[Diagram: threat-sharing architecture. Subscribers (1200 Subscribers) belong to Communities (1300 Communities); Context levels Top Secret / Secret / Unclassified; formats ThreatConnect, STIX, Custom, IODEF; On-Premises Cloud (UI, API); Private Cloud; ThreatConnect Cloud Platform on Amazon EC2; Broker; Sources (Free, $, other)]
The data arrangements can be hierarchical to facilitate multi-agency awareness.
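To make the hierarchical arrangement concrete, the following is an added example (not code from the Security Fabric Alliance, ThreatConnect, or the Agile Fractal Grid project). It models a broker that releases a threat indicator to a subscriber only when the subscriber's context level dominates the indicator's level and the two share a community, which is the hierarchy the slide's diagram shows. The `Indicator` record, the release rule, the community names and every sample value are assumptions made for this example; the payload format (STIX, IODEF, custom) does not affect the routing decision and is left out.

```python
"""Toy model of hierarchical threat-indicator sharing through a broker.

Added illustration, not code from the Security Fabric Alliance,
ThreatConnect, or the Agile Fractal Grid project. The subscribers,
communities, context levels (Unclassified / Secret / Top Secret), broker
and sources come from the slide's diagram; the Indicator record, the
release rule and all sample data are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Context levels ordered lowest to highest. A subscriber may receive
# indicators published at or below its own level (no "read up").
LEVELS = ("Unclassified", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Indicator:
    """One shared observable; only routing metadata is kept here."""
    ioc: str                     # constructed sample value, e.g. a domain
    source: str                  # feed it came from: "Free", "$", "other"
    level: str                   # context level it was published at
    communities: FrozenSet[str]  # communities it is released to


@dataclass
class Subscriber:
    name: str
    clearance: str               # highest context level this subscriber holds
    communities: FrozenSet[str]  # communities this subscriber belongs to
    inbox: List[Indicator] = field(default_factory=list)


class Broker:
    """Routes each published indicator to the subscribers allowed to see it."""

    def __init__(self) -> None:
        self.subscribers: List[Subscriber] = []
        self.withheld: List[Tuple[str, str]] = []  # (ioc, subscriber) not released

    def register(self, sub: Subscriber) -> None:
        if sub.clearance not in RANK:
            raise ValueError(f"unknown level {sub.clearance!r}")
        self.subscribers.append(sub)

    def can_release(self, ind: Indicator, sub: Subscriber) -> bool:
        # Both must hold: the subscriber's level dominates the indicator's
        # level, and the two share at least one community.
        level_ok = RANK[sub.clearance] >= RANK[ind.level]
        community_ok = bool(ind.communities & sub.communities)
        return level_ok and community_ok

    def publish(self, ind: Indicator) -> List[str]:
        """Deliver to every eligible subscriber and return their names."""
        delivered = []
        for sub in self.subscribers:
            if self.can_release(ind, sub):
                sub.inbox.append(ind)
                delivered.append(sub.name)
            else:
                self.withheld.append((ind.ioc, sub.name))  # audit trail
        return delivered


def run_demo() -> Tuple[Dict[str, List[str]], int]:
    """Register three subscribers at different levels, publish four
    indicators, and return (what each received, number of withheld releases)."""
    broker = Broker()
    coop = Subscriber("co-op technician", "Unclassified", frozenset({"Rural Co-ops"}))
    utility = Subscriber("utility SOC", "Secret", frozenset({"Rural Co-ops", "Utilities"}))
    federal = Subscriber("federal agency", "Top Secret", frozenset({"Utilities", "Federal"}))
    for sub in (coop, utility, federal):
        broker.register(sub)

    # Constructed sample indicators; none refers to a real campaign.
    feed = [
        Indicator("evil-example.test", "Free", "Unclassified", frozenset({"Rural Co-ops", "Utilities"})),
        Indicator("sha256:constructed-sample-hash", "$", "Secret", frozenset({"Utilities"})),
        Indicator("198.51.100.7", "other", "Top Secret", frozenset({"Federal"})),
        Indicator("c2-example.test", "Free", "Unclassified", frozenset({"Federal"})),
    ]
    for ind in feed:
        broker.publish(ind)

    received = {sub.name: [i.ioc for i in sub.inbox] for sub in broker.subscribers}
    return received, len(broker.withheld)


if __name__ == "__main__":
    received, withheld = run_demo()
    for name, iocs in received.items():
        print(f"{name}: {iocs}")
    print(f"withheld releases: {withheld}")
```

The fourth indicator shows why both checks are needed: it is Unclassified, so level alone would let the co-op technician read it, but it was released only to the Federal community, so the broker withholds it. Keeping the withheld list gives the central staff an audit trail of what each subscriber was not shown.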
The “Concierge” Service
• Attention! Some of the co-ops have very tiny IT staffs (like one person).
• The coming cyber attacks will be very sophisticated.
• Even the central staff will sometimes be challenged to deal with the complexities associated with cyber defense.
• Thus, even with collaboration and data sharing, from time to time, a co-op technician would like to have an “OnStar” button to push to get instant help on demand from a specialist.
This Concierge service from ThreatConnect may be very desirable.
Saturn sees the bigger picture.
Discussion