Electrical Utilities: Information Security Blackout

Sometimes too much of something, even something well intended, is too much.

We have recently had reason to deeply consider the security of wireless networks intended to support Smart Grid initiatives in the electrical utilities industry. Critical to an optimized design is ensuring that it addresses all critical risks, including the risk that the design fails to meet the criteria specified in relevant laws, regulations, and guidance. We found that the risks were relatively easy to define and (unfortunately) the applicable criteria nearly impossible to define.

Oddly, the problem wasn’t a lack of guidance; rather, it was an overabundance of it. Consider the following list of guidance, all of it largely relevant:

  • AMI, v1.01
  • NERC CIP-001-1
  • NERC CIP-002-1
  • NERC CIP-003-1
  • NERC CIP-004-1
  • NERC CIP-005-1
  • NERC CIP-006-1
  • NERC CIP-007-1
  • NERC CIP-008-1
  • NERC CIP-009
  • FIPS PUB 140-2
  • FIPS PUB 180
  • FIPS PUB 197
  • IEC/TS 62351-1
  • IEC/TS 62351-2
  • IEC/TS 62351-3
  • ISO/IEC 27002
  • ANSI/ISA-99/IEC 62443-5
  • FIPS PUB 199
  • IEC/TS 62351-6
  • IEC 62443-1
  • IEEE P1689
  • NIST Special Publication (SP) 800-53
  • NIST SP 800-82
  • NIST Framework and Roadmap for Smart Grid

Unfortunately (for me), I was tasked with establishing the criteria by which we would assess the design and operation of the network. As if thousands of pages of highly technical and overlapping documents were not enough, each document cross-referenced many of the others and dozens of additional technical guidelines. It only got worse as I came upon other fantastic resources, including NISTIR 7628, which adds over 600 pages of further information.

I suddenly understood the phrase “paralysis by analysis”. The best intentions of the many entities with an interest in securing our electrical grid had arguably backfired. We decided to take the approach we have used before when dealing with a large number of overlapping and ambiguous standards (see the Ambiguity Paradox).

Use ISO 27002 as the baseline and select the relevant 27002 controls according to their applicability to the risks identified. 27002 does a great job of defining the “what” but provides little in the way of “how”. Accordingly, we mapped the controls selected from 27002 across the subset of the documents above that we deemed relevant to the business use cases and technologies being deployed. We then drew on both the more general 27002 guidance and the more prescriptive guidance in each of those relevant documents to define the assessment criteria.

We were very happy with the final result. We believe that a Smart Grid supporting the business use cases we considered, and subject to the risks we defined, would be well secured if it met the criteria we defined. Hopefully, the available guidance will consolidate and better differentiate by business use case, supporting technology, and information security risk, simplifying the process of defining “secure” going forward.



About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.
