[smartpowerdir] Fwd: CSWG Architecture review task for PAP01

Fred Baker <fred@cisco.com> Tue, 07 September 2010 18:36 UTC

Return-Path: <fred@cisco.com>
X-Original-To: smartpowerdir@core3.amsl.com
Delivered-To: smartpowerdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id CF7693A6965 for <smartpowerdir@core3.amsl.com>; Tue, 7 Sep 2010 11:36:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.298
X-Spam-Status: No, score=-109.298 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9FtawVFOTKFf for <smartpowerdir@core3.amsl.com>; Tue, 7 Sep 2010 11:36:10 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com []) by core3.amsl.com (Postfix) with ESMTP id 8EE693A6950 for <smartpowerdir@ietf.org>; Tue, 7 Sep 2010 11:36:08 -0700 (PDT)
Authentication-Results: rtp-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-Files: Mail Attachment.gif, Mail Attachment.gif : 10896, 16546
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvwGAGcjhkytJV2b/2dsb2JhbACYdAGIAnGlbJs8gwiCNQSEQYVX
X-IronPort-AV: E=Sophos; i="4.56,329,1280707200"; d="gif'147?scan'147,208,217,147"; a="156605503"
Received: from rcdn-core-4.cisco.com ([]) by rtp-iport-2.cisco.com with ESMTP; 07 Sep 2010 18:36:35 +0000
Received: from Freds-Computer.local (tky-vpn-client-230-171.cisco.com []) by rcdn-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id o87IZOVe009245 for <smartpowerdir@ietf.org>; Tue, 7 Sep 2010 18:36:28 GMT
Received: from [] by Freds-Computer.local (PGP Universal service); Wed, 08 Sep 2010 03:36:34 +0900
X-PGP-Universal: processed; by Freds-Computer.local on Wed, 08 Sep 2010 03:36:34 +0900
From: Fred Baker <fred@cisco.com>
Date: Wed, 8 Sep 2010 03:36:28 +0900
References: <OF6D0B1BEA.3EA9D2EA-ON85257797.005E3015-85257797.005FA391@aep.com>
To: IETF SmartPower Directorate <smartpowerdir@ietf.org>
Message-Id: <4D0E5B98-4E90-4523-9DFE-A4072782443F@cisco.com>
Mime-Version: 1.0 (Apple Message framework v1081)
X-Mailer: Apple Mail (2.1081)
Content-Type: multipart/alternative; boundary=Apple-Mail-96-634710335
Subject: [smartpowerdir] Fwd: CSWG Architecture review task for PAP01
X-BeenThere: smartpowerdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Members of the Smart Power Directorate <smartpowerdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/smartpowerdir>, <mailto:smartpowerdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/smartpowerdir>
List-Post: <mailto:smartpowerdir@ietf.org>
List-Help: <mailto:smartpowerdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smartpowerdir>, <mailto:smartpowerdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2010 18:36:40 -0000

Somebody care to tell me how best to incorporate this comment into draft-baker-ietf-core? 

Begin forwarded message:

> From: ngreenfield@aep.com
> Date: September 8, 2010 2:38:45 AM GMT+09:00
> To: Multiple recipients of list <csctgarchi@nist.gov>
> Subject: Re: CSWG Architecture review task for PAP01
> Reply-To: csctgarchi@nist.gov
> Okay.  I've copied Fred as well.  From my role within AEP as the Cyber Security Systems Engineering and Architecture Team Lead for AEP's smart grid initiative, I have some issues with the direction this is leading. 
> I've read and reviewed the draft IETF document.  My main issue with the discussion on security architecture is that people only think about the technology involved.  The technology discussion is really an issue that is TACTICAL in nature.  Security is less about the technology and more about the process.  What needs to be provided for is a security architecture that is STRATEGIC and HOLISTIC.  What I don't see are any provisions for addressing security processes, which could easily be provided for by using a "Systems Engineering" methodology for cyber security.  My recommendation is to use SSE-CMM (ISO/IEC 21827).  Please note:  Systems Engineering incorporates architecture work.   
> If you look at a typical utility's internal environment, you can divide it up 5 areas, which can then be matched to the various security systems engineering needs: 
> On the security architecture perspective, I still advocate the use of SABSA as a baseline measure of what needs to be included when discussing security architecture and the smart grid.  SABSA can work in conjunction with TOGAF, which I believe is what the SGIP SGAC has settled on - Sandy, correct me if I'm wrong. 
> It sounds like what is being requested is more of a checklist approach and what is needed is really a holistic approach.  I'll use SABSA for my example.  SABSA, in defining a security architecture, asks the following questions: 
> Are the smart grid requirements understood?
> What is the design philosophy of the smart grid?
> Are all smart grid components identified and accounted for?
> Do the smart grid components work together?
> When the components are assembled as a system, is it an integrated smart grid system?
> Is there evidence provided to assure the smart grid system is properly assembled?
> Does the smart grid system run smoothly?
> Is the smart grid system tuned properly?
> Is the smart grid system being operated correctly?
> How is the smart grid system being maintained?
> If you look at the SABSA model, there are six different views of security architecture.  They are: 
> The Smart Grid Business View --------------> Contextual Security Architecture
> The Smart Grid Architect's View -----------> Conceptual Security Architecture
> The Smart Grid Designer's View ------------> Logical Security Architecture
> The Smart Grid Builder's View -------------> Physical Security Architecture
> The Smart Grid Tradesman's View -----------> Component Security Architecture
> The Smart Grid Facilities Manager's View --> Operational Security Architecture
> Since what the NIST SGIP is trying to do is to provide a baseline approach to interoperability and cyber security for the smart grid, I would approach this entire topic using a project management methodology, somewhat along the lines of the PDIM, Plan-Design-Implement-Manage method.  I don't think this is being done right now.  From a SSE-CMM perspective, there are the following high-level major phases of work that need to be reviewed: 
> Security Risk Assessment        
> Discover Information Protection Needs
> Define System Security Requirements
> Define System Security Architecture
> Develop Detailed Security Design
> Implement System Security
> Assess Security Effectiveness
> To date, we have not really provided a security architecture for the smart grid, which was really outside of our NIST defined scope.  It's more of an interface to interface design and not a systems security architecture for end-to-end effectiveness.  The framework provided for by the SABSA model would allow for a more holistic approach to ensuring that the smart grid is protected from any number of threats and vulnerabilities.   
> Neil 
> Sandy Bacik <sandybacik@enernex.com> 
> Sent by: csctgarchi@nist.gov
> 09/06/10 01:34 PM
> Please respond to
> csctgarchi@nist.gov
> To
> Multiple recipients of list <csctgarchi@nist.gov>
> cc
> Subject
> CSWG Architecture review task for PAP01
> Good day everyone, 
> I have a task for us to do. Fred Baker is working on the SGIP PAP01, a communications architecture to support the SGAC's business architecture. He would like comments on how it relates to the NISTIR and our thoughts on security. You can read the current version in http://tools.ietf.org/html/draft-baker-ietf-core-07#section-2. You can either respond to me and I will forward the comments onto Fred or you can email Fred (fred@CISCO.COM) directly with your comments. Because PAP01 is meeting in St. Louis, the comments need to be back by Friday, September 10, 2010. 
> From Fred’s perspective, the security angle of a communications architecture has several major components:
> in anything resembling a public network, such as the HAN or NAN, it is important to know that communicants using network bandwidth are authorized participants in the network. IEEE 802.1X+EAP-TLS, as proposed in Zigbee SEP 2.0, is a reasonable response to that.
> in any network, AAA issues are important. In IP networks, we can discuss IPsec (transport or tunnel mode, basically authorizing systems to communicate with optional encryption) or TLS and its cousins (authorizing applications to communicate, with optional encryption)
> if data is relayed end to end through intermediaries, one needs to understand why the intermediaries are trusted. That might mean signatures on data elements that are relayed (think DKIM, RFC 5585, W3C XML signatures, or what has been proposed in routing as described by RFC 2154 or SBGP). If the intermediary is part of a distributed application as as such summarizes downstream information, it is its own data source/sink as well.
> people will hack into any network. Smart Grid Meters, for example, can be hacked into by using their firmware download
> capabilities to download attack firmware. Part of the question is how to detect compromised systems and exclude them from the flow of data, preventing them from injecting it and not routing other data through them.
> If there are any questions, please do not hesitate to contact me. 
> Regards, 
> Principal Consultant, EnerNex 
> sandy.bacik@enernex.com | (C) 865-696-4470 | www.enernex.com 
> 620 Mabry Hood Road, Suite 300 | Knoxville, TN 37932