security profile for openadr - Open Smart Grid - OpenSG - UCA ...

More documents

Recommendations

Info

4 860 Security Controls 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 This section defines the set of recommended security controls for OpenADR systems and components as that satisfy the functionality of the roles and use cases delineated earlier in this document. Many of the security controls in this document are inspired by and intended to cover the technical requirements found in NIST IR 7628 as applied to Demand Response technology and related systems. The controls presented herein may then, in turn, be satisfied by communications protocol definition-level standards and manufacturing specifications. This section defines the controls, and assigns the controls to roles. 4.1 Scope of Security Controls The scope of network topology of OpenADR systems defined in this document is limited to the interactions between a paired DR Controlling Entity and DR Resource over a public (Internet) or private network. The Network Architecture at these points should follow best practices for securing internal systems. The specific practices are out of scope of this document. Numerous documents on best practices are available on the NIST Computer Security Resource Center (http://csrc.nist.gov/publications/index.html), and are summarized in “Generally Accepted Principles and Practices for Securing Information Technology Systems” (http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf). Securing internal systems is also addressed by corporate or other organizational policies that are also out of scope. The process for tailoring security controls to an organization SECURITY PROFILE FOR OPENADR Version – 0.02 UCA International Users Group December 15, 2011 50
881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 are outlined in Section 3.3 of “NIST SP 800-53 – Recommended Security Controls for Federal Information Systems and Organizations” 7 This includes “Specifying organization-defined parameters in the security controls via explicit assignment and selection statements to complete the definition of the tailored baseline” 7 . An example of an organization defined parameter as used in a control is: “SC-5 DENIAL OF SERVICE PROTECTION Control: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].” 7 4.2 Control Definitions The process for defining the controls in this document is based on an analysis of the roles, use cases, and failures defined in this profile along with careful examination of the NIST IR 7628, the WAMPAC Security Profile, Distribution Management Security Profile, and other collections of security standards and best practices. The process for deriving the controls includes the following steps (with natural iteration and review): 1. Examine the failures and associated controls from the WAMPAC Security Profile for similarities to the failures as defined in this document and for potential re-use of control material. 2. Re-write selected controls from the WAMPAC Security Profile to apply to OpenADR systems. Verify, augment, or correct the mapping of each re-written control to the OpenADR failures. 3. Examine the list of OpenADr failures for complete coverage. Compose new controls as needed to ensure all OpenADR failures are addressed. 4. Explicitly document the applicability of each control to roles or network segments. Tailor and/or split controls where necessary to accommodate implementation and environmental constraints for each role or network segment. 5. Map each OpenADR control against the technical requirements in the NIST IR 7628. Assess coverage of technical requirements in the NIST IR 7628 by OpenADR controls. 6. Modify OpenADR controls to complete coverage of individual NIST IR 7628 requirements where appropriate. Document NIST IR 7628 requirements not completely covered along with reasoning. This document does not attempt to cover general information technology cyber security, cyber security best practices for other control systems, or organizational-level cyber 7 “NIST SP 800-53 – Recommended Security Controls for Federal Information Systems and Organizations” (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updatederrata_05-01-2010.pdf) SECURITY PROFILE FOR OPENADR Version – 0.02 UCA International Users Group December 15, 2011 51
Page 1 and 2: SECURITY PROFILE FOR OPENADR SECURI
Page 3 and 4: Executive Summary This document pre
Page 5 and 6: 4.2.9 Controls Mapped to Roles ....
Page 7 and 8: Table of Tables TABLE 1 - CONTROLS:
Page 9 and 10: Authors Bruce Bartell Darren Highfi
Page 11 and 12: 22 23 24 25 26 27 28 29 30 31 32 33
Page 13 and 14: 79 80 81 82 83 84 85 86 87 88 89 90
Page 15 and 16: 142 143 144 145 146 147 148 149 150
Page 17 and 18: 200 201 202 203 204 205 206 207 208
Page 19 and 20: 243 244 245 246 247 248 249 250 251
Page 21 and 22: 304 305 306 307 308 309 310 311 312
Page 23 and 24: 358 359 360 361 362 363 364 365 366
Page 25 and 26: 412 413 414 415 416 417 418 419 420
Page 27 and 28: 455 456 457 458 459 460 461 462 463
Page 29 and 30: 502 503 504 505 506 507 508 509 510
Page 31 and 32: 541 542 543 544 545 546 547 548 549
Page 33 and 34: 581 582 583 584 585 586 587 588 589
Page 35 and 36: 622 623 624 625 626 627 628 629 630
Page 37 and 38: 665 666 667 668 669 670 671 672 673
Page 39 and 40: 700 701 702 703 704 705 706 707 sd
Page 41 and 42: 731 732 733 734 735 736 737 738 739
Page 43 and 44: 803 804 805 806 807 808 809 810 811
Page 45 and 46: 842 843 844 845 846 847 848 849 850
Page 47 and 48: F8 sends an incorrect type of mess
Page 49: 859 SF1 DR Resource is physically u
Page 53 and 54: 955 956 957 958 959 960 961 962 •
Page 55 and 56: 966 967 968 Control Control ID ID I
Page 57 and 58: 973 974 975 4.2.5 Identification &
Page 59 and 60: 981 Control Control ID ID ID Short
Page 61 and 62: 984 985 Control Control ID ID ID Sh
Page 63 and 64: Controlling Control Control ID ID S
Page 65 and 66: 987 988 989 990 991 992 993 994 995
Page 67 and 68: 1022 1023 1024 1025 1026 1027 1028
Page 69 and 70: 1048 1049 1050 1051 1052 NIST IR 76
Page 71 and 72: NIST NIST IR IR IR 7628 7628 7628 R
Page 77 and 78: 1065 1066 SECURITY PROFILE FOR OPEN
Page 79 and 80: 1074 1075 1076 1077 1078 1079 1080
Page 81 and 82: 1104 1105 1106 1107 1108 1109 1110
Page 83 and 84: 1131 1132 1133 1134 1135 1136 1137
Page 85 and 86: 1197 1198 1199 1200 1201 1202 1203
Page 87 and 88: 1265 1266 1267 1268 1269 1270 1271
Page 89 and 90: 1331 1332 1333 1334 1335 1336 1337
Page 91 and 92: 1364 1365 1366 1367 1368 1369 1370
Page 93 and 94: 1420 1421 1422 1423 1424 1425 1426
Page 95 and 96: 1470 1471 1472 1473 1474 1475 1476
Page 97: 1529 1530 1531 1532 1533 1534 suite

security profile for openadr - Open Smart Grid - OpenSG - UCA ...

Create successful ePaper yourself

Delete template?

Save as template?