Specifying and Purchasing Cybersecure Operations ......NERC Cybersecurity Supply Chain Standards •...

Post on 04-Jul-2020

Specifying and Purchasing Cybersecure Operations Technology Networks

Presentation Outline

• CIP Update – Barry Lawson
• Changing Market – Tony Thomas
• Google for Hackers Demonstration – Andre’ Joseph
• Planning for the future – Tony Thomas
• Securing the network/RC3 – Andre’ Joseph
• Summary – Tony Thomas

NERC Cybersecurity Supply Chain Standards

• FERC Order No. 829 (Docket No. RM15-14-002; July 21, 2016)
• Directed NERC to develop cybersecurity supply chain standards for ICS, software, etc., for BES operations
• Must address software integrity/authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls
• Upon industry and NERC Board approval, NERC filed new/revised standards with FERC on Sept. 26, 2017 (Docket No. RM17-13-000)
• New CIP-013-1 – vendor issues
• Revised CIP-005-6 – remote access issues
• Revised CIP-010-3 – software issues

A 50,000’ View of Grid 3.0

Foundational Technologies of Grid 3.0

See the Big Picture

Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!

https://www.shodan.io

Custom Integration

Traditional Data Architecture

Diagram labels: Metering, SCADA, GIS, CIS

Does your data architecture look like this?

Interoperable Systems

It should look like this…

Why is an Interoperability Standard Important?

The US DOE spent ~$9,000,000,000 to fund the ARRA Smart Grid initiative.

Fully 1/3rd of the money spent was on custom integration for software interoperability.

Enabling Interoperable Systems

MultiSpeak Overview

Why MultiSpeak?

• In continuous development since 2000
• Used by >800 electric utilities
• Supported by most of the vendors in the utility market
• Approximately 40 end-points fully documented and supported
• By far, the most commonly used interoperability standard in use by electric utilities today.
• Included in the SGIP Catalog of Standards
• Complete standard with cybersecurity extensions.

Coming Changes to MultiSpeak!

• MultiSpeak.biz
• MultiSpeak Marketplace (in development now)
• New MultiSpeak website specifically designed for non-subscribers
• Fee for Service business model.
• MultiSpeak App Store (later this year)
• Marketplace for App developers/users
• Shared revenue business model
• Modeled on the Apple App Store

Coming Changes to MultiSpeak!

• New Testing & Certification program with Digital Badges
• Digital Badges make it easy to see what vendors have MultiSpeak certified products
• Testing & Certification program based on Function Sets
• Guide Specifications based on Function Sets
• Guide Specifications are free to MultiSpeak subscribers
• Guide Specifications are available to non-subscribers on MultiSpeak.biz
• We’re making specifying and purchasing MultiSpeak interfaces easier and more consistent.
• Improved cybersecurity due to consistent interfaces

Cybersecurity for OT Networks

GOAL: to improve the cyber security and resiliency capabilities of small- and mid-sized electric cooperatives

NRECA’s Rural Cooperative Cyber Security Capabilities Program

• Self Assessments

• Vulnerability Assessments

• Integrating New Technologies

• Information Sharing

Distribution Operations has an over-abundance of software systems with disorganized, redundant data storage patterns that have led to convoluted, inefficient, labor-intensive business processes.

Anonymous utility CEO

Andre’ Joseph
Principal, Cybersecurity
NRECA
andre.Joseph@nreca.coop
585.406.2406

Tony Thomas, CEM, GICSP
Sr. Principal Engineer
NRECA
tony.thomas@nreca.coop
703.850.4718

Questions: