The NIST Standards Roadmap - very curious

July 6, 2009

The Smart Grid Roadmap, Report to NIST on the Smart Grid Interoperability Standards Roadmap, has some very curious conclusions and descriptions. They involve DNP3, NERC CIPs, NIST SP800-53 and NIST SP 800-82. These descriptions and recommendations (or lack thereof) can have long-term, expensive ramifications. They can even impact the reliability of the Smart Grid. Section 10 provides the following descriptions with my comments in parentheses and major issues in bold:

10.14 DNP3
Application: Substation and feeder device automation
Actors: Protective relays, metering devices, cap bank controllers, switches, SCADA Master, applications
Interfaces: Serial, Ethernet, IP over TCP or UDP,
Maturity: Has security built in, has users group, has certification and testing
Category: De facto, Open, Industry Standard, Deprecated for new work.
(The dictionary defines “deprecated” as to express disapproval, deplore, or belittle.)

10.58 NERC CIP 002-009
The National Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) is a series of standards that are directly relevant to the bulk power system critical cyber assets. CIP-002 states the means by which a critical cyber asset is identified. The remaining standards identify security management controls, personnel and training, electronic security perimeters, physical security of cyber assets, systems security management, incident handling and recovery planning.
(no Actors, Interfaces, Maturity, or Category)

10.61 NIST SP 800-53
Application: NIST Special Publication 800-53 is a standard developed as a foundational level of security controls required for federal information systems. The standard provides a method for tailoring security controls to an organization. Appendix I of the document provides guidance for tailoring to industrial control systems (ICS).
Actors: Federal information systems
Interfaces: Interfaces between federal information systems
Maturity: Widely used by federal information systems
Category: Security – Gov NIST/ITL not a standard

10.62 NIST SP 800-82
Application: NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security is a draft standard that covers security guidance for SCADA systems, distributed control systems and other control system configurations. The standard defines ICS characteristics, potential threats and vulnerabilities to these types of systems, developing an ICS security program, network architecture and security controls.
Actors: Actors in distributed control environments
Interfaces: Interfaces in distributed control environments
Maturity: Just released
Category: Security – Gov NIST/ITL not a standard

Per one of the Roadmap authors, Erich Guenther, DNP3 is the most popular utility automation protocol in North America. According to a 2004 Newton-Evans survey, over 75% of North American utilities were already using or planning to use DNP3 in their SCADA networks. It is applied throughout transmission and distribution networks, providing connections from master stations to substations, between devices within substations, and out to pole-top devices along feeders. DNP3 is an open standard and therefore a good candidate for the Smart Grid. DNP3 is recognized in the IEEE 1379 standard for communications with Intelligent Electronic Devices (IEDs). DNP3 is a viable Smart Grid technology. DNP3 provides limited self-description of data, can be configured using XML, operates over the Internet protocol suite, and has proven to be an extremely reliable and self-healing technology. Furthermore – at least until new additions are developed – there is no comparable IEC 61850 standard for the low-bandwidth and hostile distribution automation environment. Given Guenther’s description of DNP3, why does the EPRI roadmap explicitly want to get rid of it?

The NERC CIPs are recognized as weak and inadequate. The NERC CIPs explicitly exclude electric distribution including home area networks which are the heart of the Smart Grid. NIST SP800-53 is quantifiably more comprehensive. Why aren’t the NERC CIPs “deprecated for new work”?

NIST SP800-53 is mandatory for all federal computing systems including federal power utilities. Non-federal power utilities electronically interface with federal power utilities. NIST SP800-53 is also directly relevant to non-federal utility computing systems including Smart Grid. Why the short shrift?

NIST SP800-82 includes SCADA as well as process controls. However, the “Actor” and “Interfaces” only include process controls. NIST SP800-82 has been out in draft for several years and was finalized almost a year ago. However, the Roadmap states it was just released. Again, why the short shrift?

I have a hard time understanding the motives of the Roadmap. The DNP3 comment was particularly puzzling as it is widely supported, and it has security features that EPRI is currently testing. Also, NIST 800-53 and NIST 800-82 have a lot of good work and NIST SP800-53 is mandatory for federal entities. However, the Roadmap appears to be pushing them aside. What is going on here?

Joe Weiss