security profile for openadr - Open Smart Grid - OpenSG - UCA ...

More documents

Recommendations

Info

118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 SECURITY PROFILE FOR OPENADR Figure 2 – Artifact Relationships The individual use case steps within each use case provide a detailed view of the activities that are considered within the scope of the profile. Each step is carried out by a specific role, and that role is responsible for the security controls that mitigate potential failures of the step. These potential failures are identified in step 3 above by considering of how each step in these use cases may fail and, consequently, how the failure might prevent the system or role from successfully carrying out the use case. Each identified potential failure of a step in a use case prompts the development of one or more controls to mitigate it. Though most controls are assigned to specific roles, some failures span two or more roles and therefore imply a failure of the communication network that is used by the roles to coordinate their actions. These failures are mitigated by network controls that focus specifically on protecting the movement of information within the use case. These controls take the form of recommended network segmentation (see Section 4.1). Whenever a control is derived from sources identified in step 4, that source (e.g., reference to a specific NIST IR 7628 requirement number) is noted. 1.3 Audience & Recommended Use The primary audience of this document is organizations that are developing or implementing solutions requiring or providing OpenADR functionality. This document is written for system owners, system implementers, and security engineers with at least a year of experience in securing electric utility field operations. The user is assumed to be experienced at information asset risk estimation. The user is further assumed to be knowledgeable in applying security requirements and guidance. The user will ultimately Version – 0.02 UCA International Users Group December 15, 2011 14
142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 leverage this profile by reference as the specific set of security controls that must be implemented by OpenADR components and systems, above and beyond organizationallevel requirements as specified in the NIST IR 7628 and other recommended best practice documents for cyber security as listed in Section 4.2 and Appendix E:References. Additional sections below discuss how the document should be used by various stakeholders. The profile development approach (summarized in Section 1.2) guides the reader through the process used in this document for determining controls required for given failures (impacts) for roles and the functionality they implement (use cases), thereby providing traceability and justification for each of the controls selected. 1.3.1 Electric Utility and Demand Response Aggregators An electric utility may use this document to help achieve multiple security objectives for their organization through activities such as: 1. developing security requirements for OpenADR technology procurement activities 2. configuring and operating OpenADR systems 3. evaluating planned or deployed OpenADR solutions (see Appendix C: for more information) In some cases, a utility will not make use of all functionality described in the included use cases, which may obviate the requirements for certain controls. The tables within the document can be used to determine security controls needed for a utility’s environment and provide traceability and justification for the design requirements and control selection. In other cases, an organization may identify an alternative (mitigating) control that makes a required control unnecessary, but the utility should be sure it addresses all the same failures and should perform a risk analysis to confirm the adequacy of the alternative control. 1.3.2 OpenADR Vendors Vendors may use this document to incorporate security controls needed for the development of OpenADR products as well as solutions built upon or derived from OpenADR technology. This document provides enough requirement detail to allow a vendor to begin design activities, but avoids prescription that would thwart innovation or drive toward specific implementations. The reference architecture and use cases also offer tools for understanding OpenADR applications in an abstract sense. SECURITY PROFILE FOR OPENADR Version – 0.02 UCA International Users Group December 15, 2011 15
Page 1 and 2: SECURITY PROFILE FOR OPENADR SECURI
Page 3 and 4: Executive Summary This document pre
Page 5 and 6: 4.2.9 Controls Mapped to Roles ....
Page 7 and 8: Table of Tables TABLE 1 - CONTROLS:
Page 9 and 10: Authors Bruce Bartell Darren Highfi
Page 11 and 12: 22 23 24 25 26 27 28 29 30 31 32 33
Page 13: 79 80 81 82 83 84 85 86 87 88 89 90
Page 17 and 18: 200 201 202 203 204 205 206 207 208
Page 19 and 20: 243 244 245 246 247 248 249 250 251
Page 21 and 22: 304 305 306 307 308 309 310 311 312
Page 23 and 24: 358 359 360 361 362 363 364 365 366
Page 25 and 26: 412 413 414 415 416 417 418 419 420
Page 27 and 28: 455 456 457 458 459 460 461 462 463
Page 29 and 30: 502 503 504 505 506 507 508 509 510
Page 31 and 32: 541 542 543 544 545 546 547 548 549
Page 33 and 34: 581 582 583 584 585 586 587 588 589
Page 35 and 36: 622 623 624 625 626 627 628 629 630
Page 37 and 38: 665 666 667 668 669 670 671 672 673
Page 39 and 40: 700 701 702 703 704 705 706 707 sd
Page 41 and 42: 731 732 733 734 735 736 737 738 739
Page 43 and 44: 803 804 805 806 807 808 809 810 811
Page 45 and 46: 842 843 844 845 846 847 848 849 850
Page 47 and 48: F8 sends an incorrect type of mess
Page 49 and 50: 859 SF1 DR Resource is physically u
Page 51 and 52: 881 882 883 884 885 886 887 888 889
Page 53 and 54: 955 956 957 958 959 960 961 962 •
Page 55 and 56: 966 967 968 Control Control ID ID I
Page 57 and 58: 973 974 975 4.2.5 Identification &
Page 59 and 60: 981 Control Control ID ID ID Short
Page 61 and 62: 984 985 Control Control ID ID ID Sh
Page 63 and 64: Controlling Control Control ID ID S
Page 65 and 66:
987 988 989 990 991 992 993 994 995
Page 67 and 68:
1022 1023 1024 1025 1026 1027 1028
Page 69 and 70:
1048 1049 1050 1051 1052 NIST IR 76
Page 71 and 72:
NIST NIST IR IR IR 7628 7628 7628 R
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
1065 1066 SECURITY PROFILE FOR OPEN
Page 79 and 80:
1074 1075 1076 1077 1078 1079 1080
Page 81 and 82:
1104 1105 1106 1107 1108 1109 1110
Page 83 and 84:
1131 1132 1133 1134 1135 1136 1137
Page 85 and 86:
1197 1198 1199 1200 1201 1202 1203
Page 87 and 88:
1265 1266 1267 1268 1269 1270 1271
Page 89 and 90:
1331 1332 1333 1334 1335 1336 1337
Page 91 and 92:
1364 1365 1366 1367 1368 1369 1370
Page 93 and 94:
1420 1421 1422 1423 1424 1425 1426
Page 95 and 96:
1470 1471 1472 1473 1474 1475 1476
Page 97:
1529 1530 1531 1532 1533 1534 suite
show all

security profile for openadr - Open Smart Grid - OpenSG - UCA ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?