North American Energy Standards Board Response to the Sandia National Laboratories Surety Assessment Report of the NAESB Internet Electronic Transport and Related Standards

June 30, 2007

Prepared by: NAESB WGQ Electronic Delivery Mechanisms Subcommittee; NAESB Retail Gas and Retail Electric Quadrant Information Requirement and Technical Electronic Implementation Subcommittees

NAESB Response to the 2006 Sandia National Laboratories Surety Assessment, date prepared: June 30, 2007, page 2

Executive Summary:

This document was prepared by the North American Energy Standards Board (NAESB) Wholesale Gas
Quadrant (WGQ) Electronic Delivery Mechanisms (EDM) Subcommittee and the Retail Electric Quadrant (REQ)/Retail Gas (RGQ) Information Requirements (IR) Subcommittee and Technical Electronic Implementation Subcommittee (TEIS) of NAESB in response to the surety assessment prepared by the Sandia National Laboratories in 2006. Many thanks go to the chairs of the above subcommittees and contributors to this report, without whose contributions this report would not be possible.

George Behr, Energy Services Group, Chair, RGQ TEIS Subcommittee
Christopher Burden, Williams Gas Pipeline, Co-Chair, WGQ EDM Subcommittee
Jesse Cline, EC Power, Contributor, WGQ EDM Subcommittee
Julie Fortin, MidAmerican Energy, Contributor, WGQ EDM Subcommittee
Dan Rothfuss, Duke Energy, Contributor, RGQ TEIS Subcommittee
Leigh Spangler, Latitude Technologies, Co-Chair, WGQ EDM Subcommittee
Mike Stender, El Paso Pipe Line Company, Contributor, WGQ EDM Subcommittee
Barbara Wise, Baltimore Gas and Electric, Contributor, REQ TEIS Subcommittee

Sandia National Laboratories (Sandia), under a project funded by the U.S. Department of Energy, performed a surety assessment of the NAESB Internet Electronic Transport (Internet ET) standards, version 1.8. The surety assessment was undertaken as an independent analysis of the NAESB Internet ET standards and related NAESB documents by the SNL Information Design Assurance Red Team (IDART). The assessment provided recommendations on the security of the electronic commerce guidelines for conducting business with emphasis on the use of the Internet. The surety assessment had 27 findings, categorized in the surety assessment as:

7.1 Recommendations to address areas of opportunity for an attacker within the guidelines set forth by the security standards (20 findings)
7.2 Recommendations for NAESB principles (1 finding)
7.3 Recommendations for miscellaneous and format/layout of NAESB manual/material (6 findings)

In reading the NAESB response to the SNL surety assessment, the individual responses refer to the specific findings as cited in the SNL surety assessment (for example: Sandia Finding No. 7.1.1, 7.1.2, etc.). For each SNL finding, there is a description of their finding, their analysis and their recommendation. In some instances the text from the SNL surety assessment report is abbreviated. Immediately following the 3 SNL categories is the NAESB response. The NAESB responses
indicate whether or not NAESB concurs with the SNL finding, the analysis and the recommendation. If NAESB standards need to be updated/changed, the NAESB response will also contain information on how the recommendation is to be implemented. In addition, actions to be taken by NAESB in lieu of implementing a recommendation are also described in this segment. Of the 27 findings, NAESB agreed with the findings and analysis for ?% (? findings[1]). Moreover, NAESB supported ?18 of the recommendations provided by Sandia in total, and an additional seven of the recommendations in part (71%). These recommendations will be implemented either in version 1.9 or future releases of the NAESB standards[2]. For those recommendations that NAESB is not planning to implement in a future release, they
can be classified either as a recommendation restating an existing standard[3] or a recommendation for which a low cost, commercially available and commercially viable, WGQ/REQ/RGQ specific solution does not exist[4]. NAESB appreciates the effort that Sandia, through its representatives (David Duggan, Phillip Campbell, Annie McIntyre, Aura Morris and Charles Marrow), and the Department of Energy (Christopher Freitas) expended to improve the NAESB standards used by the North American energy industry to move information across the Internet. Our industry relies on the Internet as a major way to facilitate communication between trading partners. The standards that govern NAESB's communication protocols are critical to ensuring security, performance, reliability and interoperability. The public-private partnership forged between NAESB and the Department of Energy has provided several benefits to the
North American energy industry, both in the past as well as in this report, and the actions that NAESB has taken as a result.

[1] For finding 7.2.6, GISB did not agree with the finding, the analysis or the recommendation. GISB agreed with all other findings and analysis.
[2] The formatting recommendations for findings 7.4.1, 7.4.2 and 7.4.3 will be evaluated for inclusion in future versions.
[3] The “restatement of a standard” recommendations for findings 7.2.3, 7.2.4, 7.2.7, 7.3.6 and 7.3.7 were not supported by GISB.
[4] A low cost commercially available solution is unavailable for the recommendations for findings 7.1.4, 7.1.11, 7.1.12, 7.3.5 and 7.4.3 and the recommendations were not supported by GISB.

7.1.1 Versioning of Software and Protocols

Sandia Finding: Recommended versions of software and protocols are addressed in several places in the standard. For example, Standard 4.3.61 states “Data communications for Customer Activities Web sites should utilize 128-bit Secure Sockets Layer (SSL) encryption.” There are also specific technical requirements for workstations listed in Appendix B.

Sandia Analysis: Specifically requiring versions of software or protocols creates the risk that these versions may become outdated or ineffectual before the standard is revised. It also leaves open the possibility that some necessary applications or protocols may not be addressed. If either of these occurs, vulnerable versions of software or protocols may be allowed by the standard. An attacker could take advantage of these vulnerabilities, or an insider could negotiate using a vulnerable version of an application and then exploit that
vulnerability.

Sandia Recommendation: Where required versions must be specifically noted, it should be stated that the most current versions of applications and protocols are required, along with the latest patches. NAESB standards do not enumerate specifics. Refer to a well-known standards organization such as SANS[6] or NIST[7].

NAESB Response: We concur with the SNL finding, analysis and recommendation. The Internet ET document only contains version specifications for PGP and HTTP. The PGP is a minimum version set in order to ensure compatibility with the OpenPGP product specified as the primary encryption product to be used. A note will be added that newer versions of the PGP proprietary product are encouraged. The following are the recommended changes to the Internet ET manual:

NAESB Internet ET Manual, Version 1.8, page 13 (yellow, underlined denotes addition to existing manual language; yellow, strike-through denotes deletion from existing manual language)

Security

NAESB Internet ET establishes several security measures as standards to ensure a minimum level of confidence in conducting business over the Internet, and to provide uniformity in the implementation of security. Four security concepts, often referred to by the acronym PAIN, are vital to protecting Internet ET packages:

- Data Privacy
- Authentication
- Data Integrity
- Non-repudiation

Data Privacy and Encryption

Privacy is the assurance to an entity that no one can read a particular piece of data except the receiver(s) explicitly intended. Data privacy is accomplished by encrypting payload files. Internet ET allows encryption using: OpenPGP, defined by (IETF RFC 2440) with modifications described in this specification; OPGP 2.6 (minimum) or higher (strongly encouraged), with RSA keys, can be used on a mutually agreed basis.

NAESB WGQ QEDM Manual, Version 1.8, page 87 (yellow, underlined denotes addition to existing manual language; yellow, strike-through denotes deletion from existing manual language)

Appendix B - Minimum Technical Characteristics and Guidelines for the Developer and User of the Customer Activities Web Site

Browser characteristics (includes defined NAESB WGQ current versions): features as supported by the latest generally available (GA) versions of both Netscape[5] and Internet Explorer[3] within 9 months of such GA version becoming available, including:
- Frames

(... yellow, strike-through denotes deletion from existing manual language)

Appendix B Frequently Asked Questions

Q1: How many times do I attempt to send an Internet ET
package unsuccessfully before I notify my partner? (page 55)
Q2: Do I send my gisb-acknowledgement-receipt before or after I decrypt the Internet ET package? (page 55)
Q3: What cryptographic algorithms should we use or not use? (page 55)
Q4: Use of time-c-qualifier across quadrants. We understand that the retail quadrants require the time-c-qualifier for gisb-acknowledgement-receipt, while the WGQ does not require this data element. If we participate in multiple quadrants, which standard do we use? (page 56)
Q5: NAESB EDM / AS2 compatibility. What is the status of NAESB compatibility with AS2? (page 56)
Q6: Atomic clock synchronization. How often do we need to synchronize our system clocks with an atomic clock? (page 56)
Q7: Internet continuous connection. As an end user, do I need a continuously-connected Internet web server to participate in the Internet ET in the energy industry, or can I just use a dial-up connection to my ISP and my favorite shrink-wrapped browser software? (page 56)
Q8: Use of ANSI X12.58. If we use ANSI X12.58 encryption do we still need to use
OpenPGP or PGP encryption? (page 56)
Q9: What does NAESB recommend for the OpenPGP/PGP descriptive text? (page 56)
Q10: What does NAESB say about my organization's security? (page 57)

NAESB Internet ET Manual, Version 1.8, page 57 (yellow, underlined denotes addition to existing manual language; yellow, strike-through denotes deletion from existing manual language)

Q10: What does NAESB say about my organization's security?

A: NAESB Internet ET participants are encouraged to maintain their system security in such a manner that reduces the risk of unauthorized/malicious activity. However, NAESB does not dictate overall
security requirements for individual companies. For further information on general security guidelines please reference the SANS (www.sans.com) or NIST (www.nist.com) websites. NAESB has instituted several checks and balances in their business processes that are supported electronically, such as scheduled quantities after the nominations have been processed, and confirmations, both upstream and downstream, so that the risk of foul play is minimized.

7.1.3 Protection of Sensitive Information

Sandia Finding: Protection of sensitive information such as PGP private keys, other private keys, the Trading Partner Agreement (TPA), and Technical Exchange Worksheets does not appear to be addressed by the standard.

Sandia Analysis: In the Internet Electronic Transport (IET) document (page 194), it is stated that “utmost care” is needed in the protection of private keys. The phrase is not actionable
and is interpreted differently at each organization.

Sandia Recommendation: Each trading partner should protect these sources of information as company proprietary. Destruction of these documents and electronic information should also be addressed in the standard.

NAESB Response: We concur with the SNL finding, analysis and recommendation. The following are the recommended changes to the NAESB Internet ET manual:

NAESB Internet ET Manual, Version 1.8, page 45 (yellow, underlined denotes addition to existing manual language; yellow, strike-through denotes deletion from existing manual language)

You should never divulge your private key to another party must use the utmost care in protecting your private key. If an untrusted party has your private key, your security is compromised. It is recommended that a key size of 1024 be chosen when generating the key pair. This provides a significantly secure transaction.

NAESB Internet ET Manual, Version 1.8, page 20 (yellow, underlined denotes addition to existing manual language; yellow, strike-through denotes deletion from existing manual language)

10.3.x[26] The information contained in the Technical Exchange Worksheet and Trading Partner Agreement as well as trading partner digital signature and encryption keys should be considered company proprietary information and handled
as with any other proprietary, internal or contractual document or information.

7.1.4 Standards Compliance

Sandia Finding: Throughout the standard, “should” is currently used as a directive for requirements. “Should” implies a recommendation as opposed to a requirement; the Cambridge Online Dictionary states that “should” is used to indicate “what is the correct or best thing to do.”

Sandia Analysis: Stating that something “should be done” is comparable to stating that it “is recommended,” not that it is required. This allows users to ignore the recommendations if they so choose. The word “should” is properly used in the Principles, where it is expected to be used. Use of the word “should” in Standards suggests that “should” is used as though it denotes “must.”

Sandia Recommendation: Language throughout the standard should be precise. If a particular action is required to be compliant to the standard, it should be stated that it is required, that a user “must” conform to it. Definitions of the terms “should”, “must”, “required”, “may”, and other associated words should be developed, documented, and implemented within the standards documents.

NAESB Response: Over the past several years
the usage of the subjective words “should”, “may”, etc. has been discussed. In 2006, the WGQ received an official request asking for the interpretation of these words. In agreement with the WGQ EC, the Internet ET manual will post a reference (link) to the FAQ document posted on the WGQ NAESB website. The following is the actual text from that document:

NAESB Internet ET Manual, Version 1.8, page 55 (yellow, underlined denotes addition to existing manual language; yellow, strike-through denotes deletion from existing manual language)

Appendix B Frequently Asked Questions

Q1: How many times do
I attempt to send an Internet ET package unsuccessfully before I notify my partner? (page 55)
Q2: Do I send my gisb-acknowledgement-receipt before or after I decrypt the Internet ET package? (page 55)
Q3: What cryptographic algorithms should we use or not use? (page 55)
Q4: Use of time-c-qualifier across quadrants. We understand that the retail quadrants require the time-c-qualifier for gisb-acknowledgement-receipt, while the WGQ does not require this data element. If we participate in multiple quadrants, which standard do we use? (page 56)
Q5: NAESB EDM / AS2 compatibility. What is the status of NAESB compatibility with AS2? (page 56)
Q6: Atomic clock synchronization. How often do we need to synchronize our system clocks with an atomic clock? (page 56)
Q7: Internet continuous connection. As an end user, do I need a continuously-connected Internet web server to participate in the Internet ET in the energy industry, or can I just use a dial-up connection to my ISP and my favorite shrink-wrapped browser software? (page 56)
Q8: Use of ANSI X12.58. If we use ANSI X12.58 encryption do we still need to use OpenPGP or PGP encryption? (page 56)
Q9: What does NAESB recommend for the OpenPGP/PGP descriptive text? (page 56)
Q10: What does NAESB say about my organization's security? (page 57)
Q11: Why do NAESB WGQ standards use discretionary verbs such as “should” instead of non-discretionary verbs such as “shall”? (page 57)

NAESB Internet ET Manual, Version 1.8, page 57 (yellow, underlined denotes addition to existing manual language; yellow, strike-through denotes deletion from existing manual language)

Q11: Why do NAESB WGQ standards use discretionary verbs such as “should” instead of non-discretionary verbs such as “shall”?

A: Please see the following NAESB WGQ link for current information: /wgq/default.asp

Note: For ease in reading of this report only, the following shows the content of the above referenced link. (Not to be included as text in any NAESB manual.)

Frequently Asked Questions Concerning NAESB WGQ Standards

Q: Why do NAESB WGQ standards use discretionary verbs such as “should” instead of non-discretionary verbs such as “shall”?

A: NAESB's Certificate of Incorporation, Article II, Section 1 states, “The objectives and purpose of NAESB are to propose and adopt voluntary standards and model business practices designed to promote more competitive and efficient natural gas and electric service.” NAESB's use of the term “should” reflects NAESB's objective to adopt voluntary standards and model business practices.

Q: How do NAESB WGQ standards become man
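As an added example for the 7.1.3 key-size recommendation above (this is not code from the NAESB manual or the Sandia report): a receiving trading partner can parse a partner's OpenPGP (RFC 2440) public-key packet and refuse RSA keys whose modulus is shorter than the 1024-bit minimum before loading the key. The packet builder, the creation time and the moduli are constructed for illustration and are not real keys.

```python
# Added example, not code from the NAESB manual or the Sandia report: parse an
# OpenPGP (RFC 2440) public-key packet and check that an RSA key meets the
# 1024-bit minimum the manual's 7.1.3 redline recommends. The packet builder,
# creation time and moduli are constructed for illustration (not real keys).
import struct

RSA_ALGORITHMS = {1: "RSA (encrypt or sign)", 2: "RSA encrypt-only", 3: "RSA sign-only"}
NAESB_MIN_RSA_BITS = 1024  # "a key size of 1024 be chosen when generating the key pair"
SAMPLE_CREATION_TIME = 1183161600  # constructed: 2007-06-30 00:00:00 UTC

def _mpi(value: int) -> bytes:
    """RFC 2440 multi-precision integer: 2-octet bit count, then big-endian octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def build_rsa_public_key_packet(modulus: int, exponent: int = 65537, new_format: bool = True) -> bytes:
    """Build a version 4 public-key packet (tag 6) for algorithm 1 (RSA encrypt or sign)."""
    body = b"\x04" + struct.pack(">I", SAMPLE_CREATION_TIME) + b"\x01" + _mpi(modulus) + _mpi(exponent)
    if not new_format:  # old-format header 0x99 = 10 0110 01: tag 6, 2-octet length
        return b"\x99" + struct.pack(">H", len(body)) + body
    if len(body) < 192:  # new-format header 0xC6 = 11 000110: tag 6, then 1- or 2-octet length
        return bytes([0xC6, len(body)]) + body
    return bytes([0xC6, ((len(body) - 192) >> 8) + 192, (len(body) - 192) & 0xFF]) + body

def parse_public_key_packet(packet: bytes):
    """Return (algorithm id, modulus bit length) from a v4 public-key packet, old or new header."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    if tag_byte & 0x40:  # new format: tag in the low 6 bits
        tag, first = tag_byte & 0x3F, packet[1]
        if first < 192:
            body = packet[2:2 + first]
        elif first < 224:
            body = packet[3:3 + ((first - 192) << 8) + packet[2] + 192]
        else:
            raise ValueError("partial-body and 5-octet lengths not supported here")
    else:  # old format: tag in bits 5..2, length-type in bits 1..0
        tag, size = (tag_byte >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
        if size is None:
            raise ValueError("indeterminate-length packet not supported")
        body = packet[1 + size:1 + size + int.from_bytes(packet[1:1 + size], "big")]
    if tag != 6 or body[0] != 4:
        raise ValueError(f"expected a version 4 public-key packet, got tag {tag} version {body[0]}")
    # v4 body: version(1) creation time(4) algorithm(1) MPIs; for RSA the first MPI is n
    return body[5], struct.unpack(">H", body[6:8])[0]

def check_rsa_key_size(packet: bytes, minimum_bits: int = NAESB_MIN_RSA_BITS) -> dict:
    """Accept the key only if it is RSA and its modulus is at least minimum_bits long."""
    algorithm, bits = parse_public_key_packet(packet)
    if algorithm not in RSA_ALGORITHMS:
        return {"algorithm": algorithm, "bits": bits, "accepted": False, "reason": "not an RSA key"}
    reason = "" if bits >= minimum_bits else f"{bits}-bit modulus is below the {minimum_bits}-bit minimum"
    return {"algorithm": RSA_ALGORITHMS[algorithm], "bits": bits, "accepted": not reason, "reason": reason}

if __name__ == "__main__":
    for size in (512, 1024, 2048):  # constructed moduli with the requested bit length
        print(size, check_rsa_key_size(build_rsa_public_key_packet((1 << (size - 1)) | 1)))
```

On a real exported key, the first packet after ASCII-armor decoding is the tag 6 packet this parser expects; the check reads only the modulus length and never touches private key material.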
