smartgrid-discuss message
Subject: Re: [smartgrid-discuss] Draft charter for proposed OASIS Energy Interoperation Technical Committee


Unfortunately, Toby, the sub-committee, while useful from
an administrative point-of-view, relegates security to an
after-thought and may result in a less than optimal product.
Here's why:

The main TC will focus on business protocols and "throw it
over the wall" to the security SC to secure it when completed.
The security SC may or may not have the mandate to change the
business protocols if securing it requires changes (depending
on what flexibility the TC gives the SC).  While the SC can go
back to the TC for clarifications and raise potential issues,
there will be little appetite in the main TC to change business
protocols once completed.  As a result, security will be
force-fitted, potentially leaving subtle vulnerabilities.

On the other hand, if the security goals are explicit in the
business charter, and security-minded people were part of the
development work in the main TC, there are two benefits:

1) They learn first-hand of the business requirements on a
    "day-to-day" basis and the rationale for the evolution of
    the business protocols; and

2) They are in a position to educate the business people of
    new risks in the industry and in adjusting the business
    protocol as it is being developed.  While this "education"
    might be considered a distraction to the people in the main
    TC, it has the immediate benefit of not having to re-write
    business protocols later on, and the long-term benefit of
    building security-awareness in the business community.

The process will be a little slow in the beginning, but as
both sides adjust to the new groove, it will not only move
faster, but the end-result will be a great piece of work -
from a business *and* security point-of-view.

Arshad Noor
StrongAuth, Inc.

Toby Considine wrote:
> 
> Perhaps a sub-committee could be focused on defining the profiles 
> assembling existing security standards would be in line. Such a 
> sub-committee could recommend a profile for market operations (borrow one 
> of the trading house profiles), a profile for secure operations (the 
> space SCADA Security is in now) and another for retail operations.
> 