Subject: Re: [smartgrid-discuss] Draft charter for proposed OASIS Energy Interoperation Technical Committee

Perhaps my message was misunderstood. I was not advocating the creation of any new security protocols (I think we have enough already to secure data and infrastructure - they're just not applied effectively - but that's another matter).

I agree that the business-focused members of this TC should do what they're best at - solving business problems. However, my message is that the TC should overtly include security-minded individuals, and establish explicit security goals for the business protocols so that the new smart grid infrastructure is secure from day-one and not an afterthought.

Ultimately, the risk-management decisions of the smart grid are a business function; only the implementation and operations of those risk-management policies are a security function. If the business protocols do not spell-out the security requirements, then the business shouldn't expect to get what they didn't ask for.

Arshad Noor
StrongAuth, Inc.

Marty Burns wrote:
> All,
>
> I agree that security is absolutely important and essential. However, it
> is also important that OpenADR and similar efforts do not develop any
> security components. Instead uniform security methodologies should be
> seamlessly adopted in supporting the underlying messaging. I would try
> to focus this TC on a narrow scope so that it does one thing extremely
> well.
>
> Cheers,
> Marty
>
> Arshad Noor wrote:
>> OASIS TC's are made up, unfortunately, of either business-focused
>> TC's or security-focused TC's. As a result, the business TC's do
>> a great job of capturing business-requirements, but rarely address
>> security issues (despite the evidence of increasing attacks against
>> applications on the internet), while security TC's tend to focus
>> on hard-core security without addressing the business drivers to
>> ensure their focus and adoption.
>>
>> Two TC's that have departed from this norm are the OASIS Enterprise
>> Key Management Infrastructure (EKMI) TC and the OASIS LegalXML
>> eNotarization (eNotary) TC.
>>
>> The EKMI TC has not only developed a hard-core cryptographic
>> key-management protocol - the Symmetric Key Services Markup
>> Language (SKSML), but also focuses on creating Implementation,
>> Operations and Audit Guidelines to ensure that implementations of
>> EKMI are in compliance with legal/contractual regulations for
>> data-security. This was stated as an objective within the TC's
>> charter at its inception two years ago. As a result, besides
>> security people, the TC includes IT Auditors, application
>> developers and IT consultants all of whom are focused on meeting
>> security *and* business objectives.
>>
>> The LegalXML eNotarization TC has just created a protocol called
>> the eNotarization Markup Language (ENML) designed to electronically
>> notarize electronic documents. While ENML was designed to serve the
>> real-estate industry primarily, it is generic enough that it can be
>> used to re-engineer any business process that relies on notarized
>> paper documents. This not only saves money, but speeds up the
>> business transaction and improves the integrity of data-capture in
>> applications. ENML specifically addresses security as a core
>> component in the protocol because of the impact electronically
>> notarized documents can have in the multi-trillion dollar
>> real-estate industry.
>>
>> There is even a document titled "Security implications of ENML"
>> within the TC's repository to inform legal and business people on
>> what they need to know about securing and trusting eNotarized
>> documents.
>>
>> My suggestion is to have the new Energy Interop TC specifically
>> include security features (identifying individually desired
>> features) as part of its deliverables to ensure the TC meets its
>> charter objectives.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Edward Koch wrote:
>>> Neil,
>>>
>>> You are absolutely correct. I know that you are very involved in the
>>> AMI-SEC effort and my hope is that much of the requirements from that
>>> will be input to the OpenADR task group within UCAIug and therefore
>>> become part of the OASIS/UCAIug collaboration. Darren Highfill has
>>> been very involved with setting up the OpenADR task group within
>>> UCAIug so I’m fairly confident that this topic will not be ignored.
>>>
>>> I’ve never been involved with an OASIS TC, but it is safe to say that
>>> OASIS does have a lot of experience with cyber security. I’m just
>>> not sure how they address this cross cutting issue within their other
>>> TC’s. Can someone that has more direct experience with OASIS comment
>>> on this topic?
>>>
>>> -ed koch
>>>
>>> ------------------------------------------------------------------------
>>>
>>> *From:* ngreenfield@aep.com [mailto:ngreenfield@aep.com]
>>> *Sent:* Monday, February 16, 2009 2:03 PM
>>> *To:* William Cox
>>> *Cc:* Mary Ann Piette; smartgrid-discuss@lists.oasis-open.org
>>> *Subject:* Re: [smartgrid-discuss] Draft charter for proposed OASIS
>>> Energy Interoperation Technical Committee
>>>
>>> Well, I'm not a member, but for someone who's well immersed in my own
>>> organization's Smart Grid initiative, I would say that one critical
>>> component missing in this draft proposal is a discussion around cyber
>>> security.
>>>
>>> There are a number of interrelated factors that need to be considered
>>> relative to cyber security and the Smart Grid, including the basic
>>> attributes (primary security services) of */Confidentiality/*,
>>> */Integrity/*, */Availability/*, */Accounting/Auditing/*,
>>> */Identification/*, */Authentication/*, */Authorization/* and
>>> */Non-repudiation/*. Privacy is another attribute, but it relies
>>> upon the others and is mainly a consideration of laws and regulations
>>> and how it relates to the individual. There are a lot of factors
>>> involved with the implementation of the Smart Grid and it relies
>>> heavily on cyber security.
>>>
>>> Best regards,
>>>
>>> Neil Greenfield