
There is certainly a difference between how cyber security software performs in a testing environment and how it performs in the real world. The many variables in real-world usage patterns add an entirely new dimension to cyber security. Through my work at the Smart Grid Interoperability Panel (SGIP), I've come to believe that systems designers must consider the various means of inappropriate use or abuse available to untrained users or nefarious individuals and provide appropriate testing for such usage at the outset.

When we install conformant and interoperable products in the smart grid and achieve interconnectivity and information flow, only a few experts need to know how to use the software. The software is most often a transparent service to the users. But when we are implementing a cyber secure system, we have to implement processes that ensure that the users of the system (who typically are process-oriented individuals and not technical experts) are using it in the proper manner and not opening holes that breach security. Many breaches in systems occur because the user either did not configure them to be appropriately secure or used them outside of the environment in which they were intended to function.

Examples abound: Users did not select an appropriate password. Users did not use encryption on their laptop hard drive and it was stolen. That one should sound familiar, as it has occurred multiple times in organizations whose names you would immediately recognize. Users gave out their private security key or left a hardware token on their desk. Users added a device to their system which circumvented the organization’s security policy. Etc.

Therefore, interoperability and conformance testing cannot be content to simply focus on testing of message boundary exchanges and data structure syntax or even the presence of proper cyber related algorithms in the software under testing. Going with the examples above, tests might incorporate scenarios of data-at-rest encryption or dual-factor authentication or other product specific tests. While poor user interaction can never be totally predicted and fully addressed, it must be considered in developing interoperability and conformance testing.

So, we must view cyber security as an integral part of the interoperability and conformance testing – performing testing for all of them in a coordinated manner. We must have input from security professionals, both on how the software should be used as well as how it may be used in the real world. Only by employing such a unified approach can we have confidence that our testing methodology is appropriately focused. For more information, see the Smart Grid Testing and Testing Certification Committee wiki page. What are your experiences with these testing and usage challenges? Let us know.

Best,

Rik Drummond, CEO Drummond Group Inc

- An Accredited Test Lab and Certification Body by NVLAP and ANSI
- Chair emeritus DoE’s GridWise Architecture Council
- Chair NIST Smart Grid Interoperability Panel’s Testing and Certification Committee
