Strategies for securing the smart grid
The key point is that securing against sophisticated smart grid threats cannot be effectively retrofitted; robust security measures must be designed in from the beginning. And since security claims are a dime a dozen, confidence can only come from independent expert assessments based on internationally accepted security evaluation standards.
The international standard for evaluating the security of IT systems is ISO/IEC 15408, more commonly known as the Common Criteria. Under the Common Criteria, IT products are evaluated against Protection Profiles that specify the product family’s functional security requirements and Evaluation Assurance Level (EAL). For example, there are Protection Profiles for firewalls, antivirus applications and operating systems. The Protection Profiles themselves must be evaluated as well, to ensure that products are measured against well-understood, valid and accepted standards. Table 1 lists Common Criteria profiles for operating system protection, their security levels, and the intended threat environment corresponding to each security level. As you can see, only the Separation Kernel Protection Profile (SKPP) is appropriate to protect high-value resources (such as the smart grid) against sophisticated and determined attackers.
Table 1. Operating system protection profiles as described under the Common Criteria (ISO/IEC 15408).
The National Security Agency (NSA) created the SKPP to specify security requirements for “high robustness” operating systems that control computers that manage and protect high-value resources in the face of attacks by resourceful adversaries (Table 2). According to Department of Defense guidance, high robustness refers to “security services and mechanisms that provide the most stringent protection and rigorous security countermeasures.”

Table 2. NSA robustness requirements relative to the asset value and the threat environment.
SKPP contains both functional and assurance requirements. Functional policies are those enforced by the operating system. For example, an SKPP-compliant platform must guarantee that a malicious application cannot harm (corrupt, deny service to, steal information from, etc.) any other application running on the computer.
Assurance, on the other hand, refers to evidence indicating, with high confidence, that the products implement the security functional requirements.
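The functional policy described above (no partition may read, corrupt or starve another) is easiest to see in a small model. The following is an added example, not code from the original article and not Green Hills or SKPP reference code: a toy separation-kernel model in which a static configuration declares partitions, the only permitted information flows between them, and a fixed CPU budget per partition. The partition names (`metering`, `crypto`, `network`), the allowed-flow list and the tick budgets are assumptions constructed for illustration.

```python
"""Toy separation-kernel policy model (added example; not SKPP or vendor code).

Two functional properties of the kind SKPP requires are modelled:
  * information flow: a message between partitions is delivered only if the
    (source, destination) pair is in the static allow-list; everything else
    is denied and audited, so partition A cannot read from or write to
    partition B unless the configuration says so;
  * time partitioning: each partition owns a fixed CPU budget per major
    frame, so a runaway or hostile partition cannot starve the others.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Partition:
    name: str
    budget_ticks: int  # CPU ticks guaranteed to this partition per major frame


class SeparationKernel:
    def __init__(self, partitions: List[Partition],
                 allowed_flows: FrozenSet[Tuple[str, str]]) -> None:
        self.partitions: Dict[str, Partition] = {p.name: p for p in partitions}
        for src, dst in allowed_flows:
            if src not in self.partitions or dst not in self.partitions:
                raise ValueError(f"flow {src}->{dst} names an unknown partition")
        # The policy is fixed at configuration time; nothing at run time can widen it.
        self.allowed = allowed_flows
        self.mailboxes: Dict[str, List[Tuple[str, str]]] = {n: [] for n in self.partitions}
        self.audit: List[str] = []

    def send(self, src: str, dst: str, message: str) -> bool:
        """Deliver message only if the flow src->dst is explicitly authorised."""
        if (src, dst) not in self.allowed:
            self.audit.append(f"DENY flow {src}->{dst}")
            return False
        self.mailboxes[dst].append((src, message))
        self.audit.append(f"ALLOW flow {src}->{dst}")
        return True

    def receive(self, partition: str) -> List[Tuple[str, str]]:
        """A partition can only ever read its own mailbox."""
        return list(self.mailboxes[partition])

    def run_frame(self, requested: Dict[str, int]) -> Dict[str, int]:
        """Grant CPU ticks for one major frame, capped at each partition's budget."""
        granted = {}
        for name, part in self.partitions.items():
            want = requested.get(name, 0)
            granted[name] = min(want, part.budget_ticks)
            if want > part.budget_ticks:
                self.audit.append(
                    f"BUDGET {name} requested {want} ticks, granted {part.budget_ticks}")
        return granted


def build_demo_kernel() -> SeparationKernel:
    """Constructed smart-meter style configuration (assumption, for illustration).

    metering -> crypto  : readings are handed to the crypto partition for signing
    crypto   -> network : signed readings go out via the network-facing partition
    No flow is defined from the exposed network partition back into metering.
    """
    parts = [Partition("metering", 30), Partition("crypto", 50), Partition("network", 20)]
    flows = frozenset({("metering", "crypto"), ("crypto", "network")})
    return SeparationKernel(parts, flows)


def demo() -> Dict[str, object]:
    k = build_demo_kernel()
    legit = k.send("metering", "crypto", "reading:42kWh")
    # A compromised network partition tries to reach into metering: denied.
    attack = k.send("network", "metering", "set_tariff:0")
    # A greedy network partition asks for far more CPU than its budget: capped.
    granted = k.run_frame({"network": 1000, "metering": 5, "crypto": 50})
    return {"legit": legit, "attack": attack,
            "metering_inbox": k.receive("metering"), "granted": granted,
            "audit": k.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The audit trail is the part a defender would wire into monitoring: in a real separation kernel a denied flow is a strong signal that a partition is behaving outside its specification, because the policy it violated was fixed at build time.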
The requirements of SKPP are far more stringent than those of any other operating system security standard. The resulting assurance (or confidence) that developers, users and other stakeholders derive from an SKPP evaluation is extremely high and is indeed unprecedented in the world of computer security. SKPP requires an extremely rigorous development process, formal methods (to provide mathematical proof of security) and penetration testing by NSA security experts who have complete access to the source code.
Green Hills Software has achieved high-robustness (Common Criteria EAL 6+) software security certification from the NSA and is actively working on high-assurance smart grid security architecture with other cyber-security organizations across the industrial, government and academic communities.
The emerging architecture addresses such issues as hardware and systems software partitioning and management strategies, robust control of cryptographic and key management systems for device authentication and information protection, and scalability from battery-powered devices up to high-end network concentrators and back-office servers.
About the author
David Kleidermacher is chief technology officer at Green Hills Software, where he is responsible for technology strategy, platform planning and solutions design.