OASIS Mailing List Archives

smartgrid-discuss message


Subject: Re: [smartgrid-discuss] Draft charter for proposed OASIS Energy Interoperation Technical Committee


Perhaps my message was misunderstood.  I was not advocating the
creation of any new security protocols (I think we have enough
already to secure data and infrastructure - they're just not
applied effectively - but that's another matter).

I agree that the business-focused members of this TC should do
what they're best at - solving business problems.  However, my
message is that the TC should overtly include security-minded
individuals, and establish explicit security goals for the
business protocols so that the new smart grid infrastructure
is secure from day one and not an afterthought.

Ultimately, the risk-management decisions of the smart grid are
a business function; only the implementation and operations of
those risk-management policies are a security function. If the
business protocols do not spell out the security requirements,
then the business shouldn't expect to get what they didn't ask
for.

Arshad Noor
StrongAuth, Inc.

Marty Burns wrote:
> All,
> 
> I agree that security is absolutely important and essential. However, it 
> is also important that OpenADR and similar efforts do not develop any 
> security components. Instead uniform security methodologies should be 
> seamlessly adopted in supporting the underlying messaging. I would try 
> to focus this TC on a narrow scope so that it does one thing extremely 
> well.
> 
> Cheers,
> Marty
> 
> Arshad Noor wrote:
>> OASIS TC's are made up, unfortunately, of either business-focused
>> TC's or security-focused TC's.  As a result, the business TC's do
>> a great job of capturing business-requirements, but rarely address
>> security issues (despite the evidence of increasing attacks against
>> applications on the internet), while security TC's tend to focus
>> on hard-core security without addressing the business drivers to
>> ensure their focus and adoption.
>>
>> Two TC's that have departed from this norm are the OASIS Enterprise
>> Key Management Infrastructure (EKMI) TC and the OASIS LegalXML
>> eNotarization (eNotary) TC.
>>
>> The EKMI TC has not only developed a hard-core cryptographic
>> key-management protocol - the Symmetric Key Services Markup
>> Language (SKSML), but also focuses on creating Implementation,
>> Operations and Audit Guidelines to ensure that implementations of
>> EKMI are in compliance with legal/contractual regulations for 
>> data-security.  This was stated as an objective within the TC's
>> charter at its inception two years ago.  As a result, besides
>> security people, the TC includes IT Auditors, application
>> developers and IT consultants all of whom are focused on meeting
>> security *and* business objectives.
>>
>> The LegalXML eNotarization TC has just created a protocol called
>> the eNotarization Markup Language (ENML) designed to electronically
>> notarize electronic documents.  While ENML was designed to serve the
>> real-estate industry primarily, it is generic enough that it can be
>> used to re-engineer any business process that relies on notarized
>> paper documents.  This not only saves money, but speeds up the
>> business transaction and improves the integrity of data-capture in
>> applications.  ENML specifically addresses security as a core
>> component in the protocol because of the impact electronically
>> notarized documents can have in the multi-trillion dollar real-estate
>> industry.
>>
>> There is even a document titled "Security implications of ENML"
>> within the TC's repository to inform legal and business people on
>> what they need to know about securing and trusting eNotarized
>> documents.
>>
>> My suggestion is have the new Energy Interop TC specifically
>> include security features (identifying individually desired
>> features) as part of its deliverables to ensure the TC meets its
>> charter objectives.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Edward Koch wrote:
>>> Neil,
>>>
>>> You are absolutely correct.  I know that you are very involved in the 
>>> AMI-SEC effort and my hope is that much of the requirements from that 
>>> will be input to the OpenADR task group within UCAIug and therefore 
>>> become part of the OASIS/UCAIug collaboration.  Darren Highfill has 
>>> been very involved with setting up the OpenADR task group within 
>>> UCAIug so I’m fairly confident that this topic will not be ignored.
>>>
>>> I’ve never been involved with an OASIS TC, but it is safe to say that 
>>> OASIS does have a lot of experience with cyber security.  I’m just 
>>> not sure how they address this cross cutting issue within their other 
>>> TC’s.  Can someone that has more direct experience with OASIS comment 
>>> on this topic?
>>>
>>> -ed koch
>>>
>>> ------------------------------------------------------------------------
>>>
>>> *From:* ngreenfield@aep.com [mailto:ngreenfield@aep.com]
>>> *Sent:* Monday, February 16, 2009 2:03 PM
>>> *To:* William Cox
>>> *Cc:* Mary Ann Piette; smartgrid-discuss@lists.oasis-open.org
>>> *Subject:* Re: [smartgrid-discuss] Draft charter for proposed OASIS 
>>> Energy Interoperation Technical Committee
>>>
>>> Well, I'm not a member, but for someone who's well immersed in my own 
>>> organization's Smart Grid initiative, I would say that one critical 
>>> component missing in this draft proposal is a discussion around cyber 
>>> security.
>>>
>>> There are a number of interrelated factors that need to be considered 
>>> relative to cyber security and the Smart Grid, including the basic 
>>> attributes (primary security services) of */Confidentiality/*, 
>>> */Integrity/*, */Availability/*, */Accounting/Auditing/*, 
>>> */Identification/*, */Authentication/*, */Authorization /*and 
>>> */Non-repudiation/*.  Privacy is another attribute, but it relies 
>>> upon the others and is mainly a consideration of laws and regulations 
>>> and how it relates to the individual. There are a lot of factors 
>>> involved with the implementation of the Smart Grid and it relies 
>>> heavily on cyber security.
>>>
>>> Best regards,
>>>
>>> Neil Greenfield
>>