Friday, December 21, 2012

Europe: More on Security for Smart Grids

The European Network and Information Security Agency (ENISA) published a new report on Dec 6, 2012 titled:

Appropriate security measures for smart grids
Guidelines to assess the sophistication of security measures implementation

The report provides “guidance to smart grid stakeholders by providing a set of minimum security measures which might help in improving the minimum level of their cyber security services. The proposed security measures are organised into three (3) sophistication levels and ten (10) domains, namely:
1. Security governance & risk management;
2. Management of third parties;
3. Secure lifecycle process for smart grid components/systems and operating procedures;
4. Personnel security, awareness and training;
5. Incident response & information knowledge sharing;
6. Audit and accountability;
7. Continuity of operations;
8. Physical security;
9. Information systems security; and
10. Network security.”

Does any of these documents make any system more secure? No! Security will increase only if smart people implement appropriate measures! There are many documents that suggest needed measures – the text written is sometimes nothing more than toner on paper or pixels on a screen.

What to do? Invest in doing something. Don’t wait until the perfect measures are defined and accepted by every manager! That will never happen. Security is an ongoing process that requires continuous improvement of measures.

The report recommends “Organisations wishing to establish, implement, operate, monitor and continuously maintain and improve an appropriate level of smart grid security, must also carefully and continuously consider and assess the actual level of preparedness and the related security risks they face.
A risk assessment should be performed throughout the system life cycle: during requirements definition, procurement, control definition and configuration, system operations, and system close-out.”

Security measures should be taken from the very beginning of planning to use automation and information systems. The big show-stopper is that all these measures cost money and need increased resources (manpower, software and hardware, …). For DNP3, IEC 60870-5-104, IEC 61850 and IEC 61400-25, basic measures are defined in the documents of the IEC 62351 series.

Download the complete report [84 pages, PDF]
