
Sometimes too much of something, even something well intended, is too much.

We have recently had reason to think deeply about the security of wireless networks intended to support Smart Grid initiatives in the electrical utilities industry. Critical to an optimized design is ensuring that it addresses all critical risks, including the risk that the design fails to meet the criteria specified in relevant laws, regulations, and guidance. We found that the risks were relatively easy to define; the applicable criteria, unfortunately, were nearly impossible to define.

Oddly, the problem wasn't a lack of guidance; rather, it was an overabundance of it. Consider the following list of guidance, all of which is at least partly relevant:

  • AMI, v1.01
  • NERC CIP-001-1
  • NERC CIP-002-1
  • NERC CIP-003-1
  • NERC CIP-004-1
  • NERC CIP-005-1
  • NERC CIP-006-1
  • NERC CIP-007-1
  • NERC CIP-008-1
  • NERC CIP-009
  • FIPS PUB 140-2
  • FIPS PUB 180
  • FIPS PUB 197
  • IEC/TS 62351-1
  • IEC/TS 62351-2
  • IEC/TS 62351-3
  • ISO/IEC 27002
  • ANSI/ISA-99/IEC 62443-5
  • FIPS PUB 199
  • IEC/TS 62351-6
  • IEC 62443-1
  • IEEE P1689
  • NIST Special Publication (SP) 800-53
  • NIST SP 800-82

Unfortunately (for me), I was tasked with establishing the criteria by which we would assess the design and operation of the network. As if thousands of pages of highly technical and heavily overlapping documents were not enough, each document cross-referenced many of the others and dozens of further technical guidelines. It only got worse as I came upon other excellent resources, including NISTIR 7628, which runs to over 600 pages of additional material.

I suddenly understood the phrase "paralysis by analysis." The best intentions of the many entities with an interest in maintaining the security of our electrical grid had arguably backfired. We decided to take an approach we have used before when dealing with a large number of overlapping and ambiguous standards (see the Ambiguity Paradox).

The approach is to use ISO/IEC 27002 as the baseline and select the 27002 controls that apply to the risks identified. 27002 does a great job of defining the "what," but it provides little in the way of "how." Accordingly, we mapped the selected 27002 controls across the subset of the documents above that we deemed relevant to the business use cases and technologies being deployed. For each control, the assessment criteria then drew on both the more general 27002 guidance and the more prescriptive guidance from each of the documents deemed relevant. One caveat worth making explicit: where a mapped document is mandatory rather than advisory (the NERC CIP standards, for entities subject to them), its requirements set the floor for the corresponding control regardless of what the 27002 baseline says, otherwise a design can satisfy the criteria and still fail the regulatory test identified above.

We were very happy with the final result. We believe that a Smart Grid network supporting the business use cases we considered, and subject to the risks we defined, would be well secured if it met the criteria we established. Hopefully, the available guidance will consolidate and become better differentiated by business use case, supporting technology, and information security risk, which would simplify the process of defining "secure" going forward.