Sunday, September 5, 2010

NISTIR 7628 Is Final...So Now What?

The entire Smart Grid deployment and cyber security world has been waiting for NISTIR 7628 to move from "Draft" status to "Final" status for nearly one and a half years. This magnificent effort, which included over 400 participants from many industries, government agencies, public and private groups, and just plain interested individuals, has culminated in 3 volumes that essentially read like an encyclopedia of cyber security best practices and technical jargon, complete with tables, drawings, and lots of arrows pointing all over the place. It is an impressive compendium of knowledge, and you can get your very own copy by going here.

So what does this all mean to the world of Smart Grid security? Does this make us more secure?

Well, as things stand right now, not exactly.

First of all, let's understand something about NIST and NISTIR 7628. The title is both prescient and potentially misleading. Here is the title for Volume 1:

Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements

Look carefully at the first word of the title and bear in mind that, for all legal intents and purposes, that is all that matters. It is a "Guideline". I know it says "Requirements" at the end of the sentence, but understand that NIST does not dictate requirements to anyone who has the authority to enforce anything. The only requirements NIST has any authority over are the requirements NIST sets forth to comply with NIST standards (i.e. there are certain specific requirements that an entity must meet in order to become FIPS certified).

Why do I say this is potentially misleading? Well, because unless an authoritative body passes a rule, law, or mandate of some sort that requires the adoption of all or part of the recommendations in NISTIR 7628, it is nothing more than a magnificent exercise.

The simple existence of Smart Grid security guidelines does not make the Smart Grid more secure. The correct implementation of Smart Grid security standards, however, can.

Yet simply pointing at the NISTIR 7628 and saying "do this" will not suffice. This is because NISTIR 7628 is a collection of NIST standards and recommendations. While this may seem sufficient for some, it is still too open ended to serve as anything close to prescriptive. In fact, NISTIR 7628 is not intended to be prescriptive, and it says so in section 2.2 of Volume 1:

"This list of technologies and services is not intended to be prescriptive; rather, it is to be used as guidance."

This leads to the obvious conclusion that NISTIR 7628 is not intended to serve as "the rulebook", but to assist the rulemakers in writing "the rulebook".

So who are the rulemakers?

Well, that is a good question, and one that is not so easy to answer without first understanding that it all depends on what part of the Smart Grid we are talking about.

I will try to simplify this as much as possible, and forgive me if this is oversimplified (or overly complicated, as the case may be).

We can break the power Smart Grid into three categories:

1. Generation - Where the power is generated (i.e. the power plant)
2. Transmission - How the power gets from the power plant to the substations that send it to those who use it.
3. Distribution - The part of the organization that the user directly interfaces with (the ones who read your meter and send you a bill and shut off your power if you do not pay your bill).

So Generation and Transmission are generally not considered part of AMI (Advanced Metering Infrastructure). AMI is the part of the Smart Grid where smart meters live. Generation and Transmission currently fall under the jurisdiction of the Federal Government, and are therefore subject to the whims of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). NERC is not a Federal agency, but is given authority by FERC to conduct audits, levy fines, and all sorts of interesting stuff that tends to keep utilities in various stages of insomnia and cold sweats.

Distribution, on the other hand, falls under the jurisdiction of the individual States, and consequently the Public Utility Commission (PUC) of a given state.

So what this means is that FERC, NERC, and the State PUC's must now take a long and hard look at NISTIR 7628 (not to say they have not already been doing so) and try to synthesize some specific regulations based upon what is contained in this very verbose 3 volume set. This is no easy task, as one can imagine. Let's examine one particular section, taken from Volume 1, Physical Security Environment:

"...In determining the appropriate level of physical protections required for a device, it is important to consider both the operating environment and the value and sensitivity of the data protected by the device. Therefore, the specification of cryptographic module physical protections is a management task in which both environmental hazard and data value are taken into consideration. For example, management may conclude that a module protecting low value information and deployed in an environment with physical protections and controls, such as equipment cages, locks, cameras, and security guards, etc., requires no additional physical protections and may be implemented in software executing on a general purpose computer system. However, in the same environment, cryptographic modules protecting high value or sensitive information, such as root keys, may require strong physical security..."

If, for example, you are the CPUC (California Public Utility Commission) and are attempting to create a requirement based upon this section for physical protection of cryptographic modules (and the data contained within them), you must first define what "high value or sensitive information" is. The root key mentioned is a good example, but what about other information stored on the device? What is the information? Is it also sensitive? Who determines if it is sensitive or not?

If the CPUC then determines that the information stored is not overly sensitive (i.e. not a root key), then it is important to ensure that the scope of the information stored on such modules does not "creep" to a point where it may indeed become sensitive. This is no easy task, because sometimes what is deemed safe today does not always remain safe going forward. A good example of this is a Social Security Number. There was a time when nobody had a problem sharing their Social Security Number with anyone. Heck! In many cases it was your ID number for school, work, military, etc. What happened, however, is that the scope of the Social Security Number expanded, and it was soon discovered that if you knew someone's number you could do all sorts of bad things with it.

If the CPUC determines that the information is indeed sensitive, then they are tasked with determining what standard for protection of such information must serve as a baseline (i.e. FIPS 140-2).

Providing they can accomplish these tasks, they must then determine if and how they are going to audit (and potentially certify) such requirements.

...but first they have to determine what is in scope and what is not in scope, and why. This in and of itself requires the PUC's (and FERC and NERC) to have an intimate understanding of what parts of NISTIR 7628 (and potentially other guidelines, such as the excellent work done by the UCAIUG AMI-SEC Task Force, which is specifically credited for its contributions to NISTIR 7628 within Volume 1) apply to their purview. Looking at this at the Federal level, one might conclude that they have enough resources to tackle this task, but having listened to FERC Commissioner Philip Moeller's keynote address at my Smart Grid Cyber Security Summit last month, in which he stated "We don't have all the answers, we need all of you to help.", I am led to believe that we still have a long way to go.

...and it is even more challenging for State PUC's. The CPUC is a fairly well staffed organization, California being a very large State. Nonetheless, the CPUC does not currently have anything close to a comprehensive understanding of cyber security. To be fair, why would they? In its many years of existence it has never had to deal with cyber security issues with respect to regulation of utilities, and up until the passage of California SB 17 it has never been their responsibility. However, being staffed with some very intelligent (and diligent) people, and now being responsible for making decisions relating to cyber security and the Smart Grid, the CPUC has indeed taken it upon itself to rise to the occasion. I have personally attended two public hearings at the CPUC where Smart Grid security was discussed, and contributed to requests for comments from the CPUC regarding cyber security. The CPUC is also planning a public hearing to specifically discuss NISTIR 7628 with the NISTIR 7628 team at the CPUC at the end of September, 2010 (currently planned for September 28th and 28th), as well as additional workshops to hash out the details of Smart Grid security.

This is all good stuff!

...but what about other PUC's? Some States (from what I have been told by members of the CPUC) have PUC's that could fit into a small room with plenty of space to spare for filing cabinets, chairs, and tables. In other words, they are woefully understaffed and underfunded. How are they going to manage cyber security?

Well, one answer is contained in one of my favorite sayings: "As goes California, so goes The Nation." All eyes are on California, and what California decides is quite likely to serve as a template for the rest of the nation. Some have also argued that Texas is serving as a template. While this may be true, I have a sneaking suspicion that California will likely prevail as the trendsetter. Only time will tell, I imagine.

The great news is that there seems to be no shortage of people who are willing to volunteer their time in working through these challenges. It may not be entirely altruistic in nature (hey, everyone wants a piece of the Smart Grid security market pie, including yours truly), but the fact remains that we are indeed well served by some of the great minds working on the effort. PG&E has a cyber security team currently led by CISO Dave Tyson (who came from the security team of eBay) and PG&E has been dealing with Smart Grid security for longer than just about any utility in the world. The UCAIUG AMI-SEC Task Force is still working hard and growing stronger with every meeting (I try to attend and contribute as often as possible). Many AMI vendors are currently specifically dedicating resources to cyber security efforts, and are working together in a spirit of "coopetition", where they cooperatively share information with each other despite being competitors. Anyone who attended my conference is well aware of just how many organizations are involved in this effort, and the list keeps growing.

We still have a lot of work to do, but we have come a long way, and I am not even close to tired yet! NISTIR 7628 is worthy of being celebrated for finally being completed, but now the real work begins.
