1. RSA Approach to Securing the Smart Grid
Sam Curry (curry_sam@emc.com)
Chief Technology Officer
RSA, The Security Division of EMC
EMC CONFIDENTIAL—INTERNAL USE ONLY 1
2. Introduction – what I am hearing…
"Nothing Strategic Please! I have fines to avoid!"
Customer in Pacific Northwest, 2009
"All I hear is FUD!" and "Here comes the FUD!"
Customer in US Southeast, 2010
"Have others been through this?"
Customer in Australia, mid-2009
"I don’t have to protect it because it’s not Critical Infrastructure"
Details withheld to protect the innocent (and not so innocent)
"We have to roll these out…or we don’t get the money!"
Smart customer who wants grant money…of course no one expected it to be taxable!
"My biggest competitor…definitely Google!"
Smarter customer who was looking ahead!
3. Business First Principles
Rule #1: Business is ultimately about
Risk v. Reward
Rule #2: IT should be a service to the business
– Transparent and easy to use
– Flexible
– Ubiquitous
• "GRC"…a little out of order
– G: tell the IT infrastructure what to do and be sure it can do it
– C: have the IT infrastructure tell you what is happening
– R: manage the business priority and reduce risk
4. Our Utilities Customers Tell Us They Are Under Tremendous Pressure…
Industry Drivers and Trends
Exponential Data Growth
– Smart Grid technologies require infrastructure to support more data than ever before
– Rising concerns on data security, protections and management
Supply-Side Constraints
– Significant need for new capacity
– Carbon legislation in various stages worldwide
– Cost convergence of traditional and renewable generation sources
Aging Workforce
– Knowledge retention issues will rise with ~30% of the workforce retiring in the next five years
Antiquated Infrastructure
– Most equipment is already past its current life expectancy
– Outages and disruptions occurring more frequently now than ever before
Public Safety and Security
– Grid vulnerable to acts of terrorism and natural disasters
– Increased urgency to "protect the grid"
Regulatory Concerns
– Increasingly stringent federal and state regulations mandate new levels of data retention, data security—both electronic and physical—and energy efficiency
Source: McKinsey, Gartner
Exploding Information Assets
"The penetration of smart metering will increase dramatically from around 6% of households in Europe and North America today, to 41% in Europe and 89% in North America by 2012"
— Datamonitor
5. …And Today’s Antiquated Energy Grids Are Not Helping
One way power flow from traditional sources, simple interactions, limited visibility or communication
[Diagram labels: Power Co.; Generator; Step Up Transformer; Substation; Step Down Transformer; Transformer Drum; Step Down]
Data Center
– Limited focus on efficient data management
– Information infrastructure not a priority
Generation
– Dominated by central generation
– Few generation options
– Poorly integrated wholesale markets
Transmission & Distribution
– Poor power quality
– Focus on outages not efficiency or resiliency
– Antiquated equipment past expected life on average
Meter & Home
– Labor-intensive meter reading still prolific
– Limited options for consumers
– Households typically uninformed and non-participative
6. Smart Grid 1.0: Advanced Metering Infrastructure (AMI)
By adding a communications layer and sensors across the grid, AMI enables more efficient use of electricity by consumers and improved problem detection and systems operations by utilities
[Diagram labels: Communications Layer: Monitoring and Control; Fixed or Wireless Sensors; Power Co.; Smart Meters]
Data Center
– Meter data more accessible
  – Sophisticated billing
  – Customer portals
  – Service limiting
– Data storage and compliance capable
Generation
– Smarter customers start to reduce strains on energy generation
Transmission & Distribution
– Improved problem detection and outage management
Meter & Home
– Better understanding of energy usage via portals
– Real-time pricing becomes available
– Simplified demand management
7. The Smart Grid
Fully automated and integrated power delivery network, ensuring a two-way flow of electricity and information between the power plant and the appliance to save energy, reduce cost and increase reliability
[Diagram labels: Communications Layer: Monitoring and Control; IP-based Surveillance; Renewables Integration; Fixed or Wireless Sensors; Electric Vehicle Integration; Energy Storage; Power Co.; Smart Meters]
Data Center
– Automated billing
– Innovative pricing
– Customer portal
– Cross- and up-selling opportunities
Generation
– Fully integrated energy sources including renewables, biomass, etc.
– Load balancing
Transmission & Distribution
– Real-time outage notification
– Resilient and self-healing
– Secure and protected
– GIS for efficient crew dispatch
– Mini-generation within grid
Meter & Home
– Demand response management
– Smart appliances
– Remote energy management and control
– Electric vehicle support
8. AMI and Early Smart Grid Best Practices Are Forming Across the Globe
[Map legend: Deployments underway; Investments planned; Planning/pilot stage; No significant activity]
Examples in the United States
Smart Grid pilots underway across the country, e.g.,
– Xcel’s ~$100 million Smart Grid city in Boulder, CO
– NationalGrid’s $57 million Smart Grid pilot around Worcester, MA
Federal government has allocated $4.5 billion in stimulus bill to boost Smart Grid
Examples in the European Union
EU electricity directive foresees 80% smart meter penetration by 2020
Smart Grid seen as a key element to achieve the 20/20/20 vision (cut greenhouse gas emissions by 20% from 1990 levels, increase renewable energy usage by 20%, and cut energy consumption through improved energy efficiency by 20%)
Source: Morgan Stanley, McKinsey, Capgemini
9. The Potential Challenges
Availability
– Redundancy, Root failure analysis, Self-healing, Incident Management
Integrity
– Digital signatures, Compliance management
Confidentiality
– Authentication, Authorization, Encryption
Visibility
– Logging, Reporting, Alerting
10. The Potential Challenges
Denial of Service
– Overloading devices, segments
– Disconnect
Theft of Service
– Data diddling
– Redirection
– Enrollment
Using the Grid to perpetrate other crimes
– Identity theft
– Burglary
– Terrorism
– Vandalism
– Other – e.g. HAN devices
The future…
11. EMC Brings IT Leadership and Expertise to Utilities as IT and Grid Operations Converge
IT and Data Center
CIO office and IT operations
CSO and security operations
Customer and marketing services
Information asset and resource management
Grid Operations
Power delivery
Transmission services
Meter management
Engineering and system performance
Grid asset management
12. Information Risk Management
Business / Regulatory Drivers
1 Define Policy
– Classification & Control Policy
2 Discover/Detect
[Diagram labels: High Value Information Assets; Information, Entities, Credentials or Infrastructure; Inadequate controls or process; Risk]
3 Implement & Enforce
4 Monitor & Report
13. Secure Information Infrastructure
Ensure the right entities have access to the right information over a trusted infrastructure in a system/process that is easy and efficient to manage
Entities
– Enable: Authorized devices, Partners, Employees
– Block: Harmful applications, Criminals, Spies
Infrastructure
– Smart meters
– MDM infrastructure
– Networks
– Applications
– Databases and files
– Storage
Information
– Public: Marketing, Earnings
– Sensitive: Control data, IP/PII, Topology
14. Our Customers Typically Define AMI Across a Number of Layers
[Diagram side labels: IT and Data Center; Grid Operations]
Business Applications (CIS, OMS, Billing, Other)
– Mission-critical applications that leverage data from the MDMS for processes like billing and outage management
Middleware (Enterprise Service Bus)
Compute and Meter Data Management System (MDMS)
– Central data repository that collects and analyzes meter data from the HES, posts billing determinants and delivers the information to business applications. Increasingly data warehouses are also being deployed for business intelligence (BI) applications
– [Diagram labels: Storage; MDMS; DW; BI]
Communications Network/Head End System (HES)
– The head end system aggregates the stream of data flowing back to the utility from thousands to millions of meters through the AMI network. This can be over a variety of protocols, with IP emerging.
– [Diagram labels: Head End System; Cell; DCU; Relay]
Smart Meters
– Meter able to collect and store electricity interval data and also to initiate and respond to two-way communications with the utility
Customer Portals
– End-user tools for real-time energy usage and pricing and a means to improve the end-user experience
15. RSA in Gridstream Architecture
Embedded Crypto
Mesh Network (Routers, Meters, etc.)
Key Proxy
Meter
Collector
Meter
Data
Head-end
Key Manager Servers
16. RSA, The Security Division of EMC
RSA can provide a suite of data protection, encryption, authentication, and log management solutions for end-to-end security and compliance of the Smart Grid.
[Diagram: AMI stack labels: Business Applications; Network and IT Management; Compute and Meter Data Management; Security; Consulting; Communications Network/HES; Smart Meters; Customer Portals]
Encryption (BSAFE)
– Protecting data at rest and data in flight, while balancing encryption overhead with limited meter compute, storage and bandwidth capabilities
Key & Certificate Management (RSA Key Manager, Certificate Manager)
– Enterprise key management to reduce cost and complexity of securing the different layers of the AMI stack
User Access & Authentication (SecurID, Adaptive Authentication)
– Ensuring appropriate access and control to critical systems and integrating those controls with existing security infrastructure
Security Information & Event Management (enVision)
– Collecting, analyzing and reporting on security and compliance information (e.g. control messages, usage data and user data)
Data Privacy & Protection (DLP, Data Loss Prevention)
– Discovering all sources of sensitive information across the Smart Grid infrastructure to ensure proper governance and FERC/NERC compliance
Incident Management (Archer)
– Manage the lifecycle of a security incident from alert through investigation to ultimate close
17. The RSA Approach
Products Designed to Work as a System
Business Process Automation
– Archer: Policy, Risk, Threat, Vulnerability, Incident Management
Entities, Infrastructure, Information
– Access / Provision
– Authentication
– Fraud Prevention
– Firewall / IPS
– Anti-Malware
– Configuration, Patch, Vulnerability
– Encryption
– Data Loss Prevention
– Rights Mgmt.
Centralized Policy Management
– Authentication, Provisioning, Fraud, DLP, Key Mgmt
– Datacenter Automation and Compliance
Policy Decision & Enforcement
[Diagram labels: SecurID; Access Manager; Adaptive Auth; Federated Identity Mgr; Identity Verification; Digital Certificates; Fraud Action; Transaction Monitoring; eFraud Network; DLP; KM; BSAFE; Tape/Disk Encryption; Microsoft RMS; Ionix]
Policy Monitor | Audit | Report
– enVision
18. EMC Can Provide or Support Critical Components of AMI at Every Level of the Stack
AMI Stack
– Business Applications
– Network and IT Management
– Compute and Meter Data Management
– Security
– Consulting
– Communications Network/HES
– Smart Meters
– Customer Portals
EMC offerings shown against the stack
– RSA, The Security Division of EMC
– EMC Physical Security
– EMC Ionix
– EMC Information Infrastructure
– EMC Consulting (Business, Application, Infrastructure)
– Content Management
– Virtualization (VMware) & the Cloud
19. RSA Approach to Securing the Smart Grid
Thank you!
20. Archer Out-of-the-Box Solutions
The Foundation for a Best-in-Class GRC Program
Audit Management
– Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.
Policy Management
– Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
Business Continuity Management
– Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.
Risk Management
– Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.
Threat Management
– Track threats through a centralized early warning system to help prevent attacks before they affect your enterprise.
Compliance Management
– Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.
Vendor Management
– Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.
Enterprise Management
– Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.
Incident Management
– Report incidents and ethics violations, manage their escalation, track investigations and analyze resolutions.
21. How do regulations change?
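[Chart: MATURITY (levels I to IV) plotted against TIME, in five stages]
First Attention
– Evolutionary equivalency: Primordial soup
– Regulation tone: "Please!"
Get Tough
– Evolutionary equivalency: Simple Celled Life
– Regulation tone: "Well, it’s for your own good"
Dictate
– Evolutionary equivalency: Complex Organisms
– Regulation tone: "Now I’m going to show you how!"
Catalysis
– Evolutionary equivalency: Vertebrates
– Regulation tone: "Now we’re all adults – that’s more like it"
Mature
– Evolutionary equivalency: iLife now possible
– Regulation tone: "Looks like you’re a step ahead of me!"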
22. Smart Grid Will Functionally Evolve Over the Next 15 Years Beginning with Smart Metering
Evolution of Smart Grid
[Chart: CUMULATIVE BENEFITS plotted against TIME; Uncertainty of Requirements/Importance of Standards runs from Lower to Higher]
Smart Metering: Advanced Metering Infrastructure (AMI), 1-3 years
– 15 min. interval meter reads
– Outage monitoring and management
– Demand side management (DSM): customer tools, visibility, and portals
– Service limiting and prepay
Grid Automation & Transformation, 3-7 years
– Transmission and distribution automation e.g., fault prediction
– Seamless integration of renewables
  – Intermittent and distributed generation
– Smart appliances
  – Usage monitoring
  – Remote management
The Smart Grid, 7-15 years
– Home Networking
– Plug-in hybrid electric vehicles integration
– Distributed storage (including vehicle-to-grid)
– Supply/demand balancing
– Remote home energy monitoring and control
– Usage aware appliances
– Self-healing grid
– Large scale energy storage