Page 1: IT COMPLIANCE IN SMART GRIDS

Frankfurt (Germany), 6-9 June 2011

Martin Schaefer – Sweden – Session 6 – 0210

Page 2: Agenda

1. Smart Grid Architecture
2. Risk Scenarios
3. Comparison with other markets
4. Methods
5. Certification

Page 3: Smart Grid Architecture

Based on: NIST SP 1108, NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0

Page 4: Smart Grid Architecture

Challenges:
- Introduction and expansion of a communication network for the current and future electricity grid
- Introduction of new technology
- Introduction of intelligent control and connectivity between different domains

Constraints:
- Long-term use of legacy assets in the domains of operation, bulk generation, transmission and distribution
- In some parts, use of a large-scale homogeneous technical environment, e.g. Smart Meters
- There are currently no common or aligned standards designed to achieve an architecturally compatible technology.

Page 5: Risk Scenarios

Customer Data – Confidentiality
- Aggregating and sharing of customer data throughout different grid actors
- Different legal environments

Fraud – Integrity
- Tampering with customer data
- Energy theft and fraud

Page 6: Risk Scenarios

Technical threats, classified by motivation (malicious / non-malicious) and by intent (intentional / unintentional):

- Malicious, intentional: e.g. a dedicated attack by criminal individuals, groups, terrorists or nations
- Malicious, unintentional: e.g. an undirected attack by a 'common' botnet virus
- Non-malicious, intentional: e.g. a disgruntled employee / outsourcing vendor intentionally manipulates sensor data
- Non-malicious, unintentional: e.g. malfunction of software or procedures

Page 7: Comparison with other markets

Financial Market
- Sarbanes-Oxley Act (SOX), adapted to EuroSOX, JSOX - global rule set for activities such as governance, reporting and enterprise risk management.
- COSO: guidance on organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting
- COBIT: control framework for technical compliance

Page 8: Comparison with other markets

Compliance for Telecommunications
- Signaling System 7 (SS7): enabling interconnectivity between large networks; basis for telecommunication services that are compliant with different legal requirements
- EU formed the Body of European Regulators for Electronic Communications (BEREC) to ensure compliance with the EU regulatory framework

Page 9: Methods

- Existing frameworks/standards (ISA 99 series, NERC Critical Infrastructure Protection (CIP) series, NIST 800-82)
- Maps or models to apply such standards (e.g. Zone Model / Zoning Principles)
- Avoid situations where compliance with standard A implies non-compliance with standard B
- Currently heavy technical focus
- Currently no common / complete standards that steer and enable Smart Grid development considering all aspects (customer privacy, technical issues, fraud)
- Target: framework of mutually compliant standards to enable compliant development of Smart Grids and build trust / acceptance

Page 10: Certification

From competitive advantage to operational requirement
- Quality Management: ISO 9000 series
- IT Service Management: ISO 20000 series
- Information Security Management: ISO 27000 series
- Certifications for certain areas are available, currently giving a competitive advantage
- Focus area for certification could be the Smart Meter (huge amount of homogeneous devices)

Page 11: Summary

- Increasing interconnectivity in Smart Grid architecture
- New risk scenarios, e.g. increasing amount of customer data throughout different grid actors
- IT Compliance with a framework of mutually compliant standards could help to build secure systems and trust
- Certification - from competitive advantage to operational requirement

Page 12: Thank you for your attention!