SC D2 Information Systems and Telecommunication
CIGRE JWG B5-D2.46
SC D2 Colloquium
Mysore, Karnataka, India, 13 November 2013
-- Tutorial --
Application & Management of
Cybersecurity Measures for
Protection & Control
JWG B5-D2.46 Application & Management of Cybersecurity Measures for Protection & Control
JWG Cybersecurity Challenge
Commissioned
• Begin work September 2011
• JWG/ToR approved February/March 2012
• Schedule completion 2014
Objective
• Protection & control responsibilities
• Language of the P&C engineer
Focus
• Technical security controls
• Metrics to manage security
Scope
Target audience: Protection engineers, field technicians, and managers of P&C systems
To address cybersecurity mechanisms used to protect/control access (remote access as well as local access via WAN/LAN and device port) to, and use of, P&C devices, systems and applications such as substation protection relays and substation controllers for fault clearing protection, system integrity protection schemes (SIPS), and local substation control and automation applications
To address cybersecurity management challenges:
(1) Incident management
(2) Vulnerability, patch, configuration and change management
(3) Application security
To address qualitative cybersecurity control of the trust placed in EPU personnel and support personnel
Table of Contents as of June 2013
1. Introduction
2. Background: P&C system/architecture, IEC 62351/62443
3. Summary of findings and recommendations
4. Cybersecurity framework: D2.31
5. Cybersecurity threats to P&C systems: Viable threats and landscape, IEC 61850 GOOSE messaging, Vulnerability of unconnected and trusted systems, Stuxnet attack, Threat consequences
6. Applicable standards & best practices
7. Practical solutions for implementing cybersecurity: Physical security, Operational controls, Technical controls, Operational constraints, Security mechanisms compensation, Patching P&C systems
8. Examples of operation to evaluate cybersecurity impacts: P&C metrics for cyber-induced incidents, Field technician’s portable media, Front panel control, HMI control, Enforcement of organizational and management cybersecurity policies
Table of Contents as of June 2013
Annexes
A. Definition of terms and acronyms
B. Bibliography
C. Examples of cyber-induced attack
D. Survey of reports, standards and best practices: Newton-Evans survey of 51 EPUs
E. Safely onboarding personal devices
F. Defence against cross-site scripting attacks
G. Cryptographic hash functions
H. Preventing stack overflow attacks
I. Software assurance
J. Configuration audits
K. Identification of suspected threats
L. CySeMoL (Cyber Security Modeling Language, KTH) assessment model
P&C Response to Cyber-induced Fault
[Figure: causal-loop diagram of the P&C response to a cyber-induced fault. Elements: fault, trip / close, fault report, protection relay state, protection relay settings, change relay settings, real-time response, improve relay response to cyber-event, cybersecurity issue, cybersecurity incident reports, incident report rate, cybersecurity incident assessment status, situation assessment report, improve situation assessment, P&C operational impact, P&C cybersecurity training, P&C component(s) patch requirements, P&C applications. Loop labels: Real Time Automated Response; Incident Assessment.]
Notional Architecture
Response to P&C Survey
[Chart: survey response categories: Awareness Training; Cyber Management Tools; Security Patches; Regulatory Requirements. Pro-bono survey conducted by Newton-Evans.]
Short List of EPU Cybersecurity Issues
Do You Test P&C Patches?
Do You have Adequate Security Controls?
Do You Benchmark Cybersecurity Incidents?
Typical Target of Opportunity
[Figure: typical target of opportunity. Power system with CT, VT and CB at each substation or power station, where IEDs and PMUs exchange control commands, control sequences, control scenarios, measurements, status and settings; generator excitation control system. Central equipment (gateway, IEC 61850/CIM converter, Phasor Data Concentrator, etc.) at the control center or major substation, connected over a WAN. Two data flows are shown: steady-state data flow, and data flow in the event of the occurrence of a fault. Schemes named: System Integrity Protection Schemes (SIPS), Remedial Action Schemes (RAS), Special Protection Schemes (SPS), Wide Area Monitoring, Protection and Control (WAMPAC).]
Information Exchanges of WAMPAC
Requirements and Cyber Attacks
Examples (AIC: A = availability, I = integrity, C = confidentiality)

| Requirement | Cyber attack | AIC | Consequences | Countermeasure |
|---|---|---|---|---|
| Dependability (IED) | DoS attack | A | Delay of fault clearance or control delay, failure to trip or operate | Redundant IEDs |
| Security/dependability (IED) | Tamper attack, software modification, malware injection | A, I | Unwanted trip or operation, failure to trip or operate | User authentication, RBAC, tamper detection/resistance |
| Communication delay | Packet delay by route modification, competing packet injection | A | Control command delay | Port seal and hardening of switches and routers, NMS hardening |
| Time synchronization error | PTP control packet modification and delay, GPS spoofing | I, A | Unwanted trip and failure to trip due to calculation error resulting from sampling timing error | VLAN, private GMC |
| Communication error | Packet modification (trip command, control table), replay attack | I | Unwanted trip or operation, failure to trip or operate | Message authentication |
| Information confidentiality | Power system configuration data theft (SIPS central equipment) | C | Induces secondary cyber or physical attacks | Encryption |
Threat collaboration
Cyber Attacks
Gathering attacks involve skimming or tampering with P&C data, eavesdropping (listening to and recording communication between P&C IEDs and authorized users), and traffic analysis of repeated patterns of communication.
Imitation attacks use spoofing, cloning, and replay to impersonate legitimate access to P&C IEDs, and between P&C IEDs, in order to obtain authorized access.
Blocking attacks are designed to deplete P&C IED or network resources, or to interfere with communications, using tactics such as denial of service, jamming, and malware.
Privacy attacks are designed to disclose sensitive information about legitimate P&C users or groups.
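The replay and imitation attacks described above, and the message-authentication countermeasure listed against replay in the Requirements and Cyber Attacks table, can be illustrated on IEC 61850 GOOSE-style traffic. The Python script below is an added example, not code from the tutorial or from CIGRE. It models GOOSE frames as plain dictionaries (gocbRef, stNum, sqNum, t, allData), attaches an HMAC-SHA256 tag as a simplified stand-in for standards-based message authentication, and applies the GOOSE counter rules on the subscriber side so that a replayed, tampered, forged or counter-jumping frame is rejected or alerted on. The key, the control-block name and the frame sequence are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared key for this example only. Real deployments distribute
# keys through a key-management scheme (assumption, not from the tutorial).
SHARED_KEY = b"example-goose-key-not-for-production"
PROTECTED_FIELDS = ("gocbRef", "stNum", "sqNum", "t", "allData")


def canonical(msg: dict) -> bytes:
    """Deterministic encoding of the protected fields, so publisher and
    subscriber compute the MAC over exactly the same bytes."""
    return json.dumps({k: msg[k] for k in PROTECTED_FIELDS}, sort_keys=True).encode()


def sign(msg: dict, key: bytes = SHARED_KEY) -> dict:
    """Publisher side: attach an HMAC-SHA256 tag (message authentication)."""
    signed = dict(msg)
    signed["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return signed


@dataclass
class SubscriberState:
    # gocbRef -> (last accepted stNum, last accepted sqNum)
    last: dict = field(default_factory=dict)


def check(state: SubscriberState, msg: dict, key: bytes = SHARED_KEY) -> str:
    """Subscriber side: verify the tag first, then apply the GOOSE counter rules:
    stNum increments on a data change (sqNum resets to 0) and sqNum increments on
    each retransmission of the same state. Counter wrap-around is ignored here."""
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return "reject: authentication failed (tampered or spoofed frame)"
    ref, st, sq = msg["gocbRef"], msg["stNum"], msg["sqNum"]
    if ref not in state.last:
        state.last[ref] = (st, sq)
        return "accept: first frame from this control block"
    last_st, last_sq = state.last[ref]
    if st == last_st + 1 and sq == 0:
        state.last[ref] = (st, sq)
        return "accept: state change"
    if st == last_st and sq == last_sq + 1:
        state.last[ref] = (st, sq)
        return "accept: retransmission"
    if st < last_st or (st == last_st and sq <= last_sq):
        return "reject: replayed frame"
    return "alert: sequence gap (lost frames or injected counter jump)"


def run_demo() -> list:
    """Constructed frame sequence: normal traffic, then a replay, a tampered
    frame, a frame forged without the key, and a counter jump."""
    ref = "IED1/LLN0$GO$gcb01"  # constructed control-block reference

    def frame(st, sq, t, data):
        return {"gocbRef": ref, "stNum": st, "sqNum": sq, "t": t, "allData": data}

    genuine = [sign(frame(5, 0, 1000, [False])),
               sign(frame(5, 1, 1001, [False])),
               sign(frame(6, 0, 1002, [True]))]
    replayed = dict(genuine[1])            # old frame re-sent unchanged
    tampered = dict(genuine[2])
    tampered["allData"] = [False]          # payload altered, original tag kept
    forged = sign(frame(9, 0, 1003, [True]), key=b"wrong-key")  # sender lacks the key
    jumped = sign(frame(8, 0, 1004, [True]))                    # two state changes missing
    state = SubscriberState()
    return [check(state, m) for m in genuine + [replayed, tampered, forged, jumped]]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The counter check alone would not stop a frame forged with a plausible stNum; the tag check alone would not stop a captured genuine frame being re-sent. Both are needed, and the "sequence gap" verdict is deliberately an alert rather than a rejection, since in a substation it may just as well indicate lost frames as an injection.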
Cyber Attacks and Countermeasures
Attacks
• Denial of service
• Spoofing to impersonate an authorized P&C user or IED
• Tampering to destroy or corrupt P&C data
• Cloning to duplicate and rewrite valid P&C data
First line of defense
• Perimeter firewalls
• Network router security controls
Impact
• Loss of P&C data confidentiality
• Loss of availability and protection control
• Loss of P&C data integrity
Technical solutions
• Anti-virus programs
• Intrusion detection/prevention systems
• Identity-based authentication
Onboarding Personal Devices
Strengthen access and use control
• Certify the device
• Trust the user
P&C Vulnerability Management
[Flowchart, steps as recoverable from the extracted text:]
• External information sources (CERT, Microsoft, Sybase, …) feed a security threats survey
• Threats monitoring and initial classification
• Decision: risk on P&C component? If yes, a strategy following risk analysis leads to either patch implementation or a workaround / compensation measure
• Implementation & validation of security patches into P&C components
• Release of P&C components including security patches
• Decision: integration into a P&C system? If yes, validation & release of the P&C system including security patches; if no, P&C component / system deployment directly
• Customer information about the vulnerability
• Workaround / compensation measure deployment
• P&C component / system deployment
Responsibilities:
- P1: P&C vendor
- P2: P&C service provider
- P3: P&C system integrator
- P4: EPU
(Role tags shown on the chart: P3; P1/P2/P4; P1/P2; P3; P4; P1/P2/P3 (opt.)/P4; P1/P2; P1/P2; P4; P1/P2/P3 (opt.)/P4. Their assignment to individual steps is not recoverable from the extracted text.)
High-priority P&C Security Patching
[Figure: causal-loop diagram of high-priority P&C security patching. Variables: number of vulnerable P&C components, number of hardened P&C components, patching, time to develop P&C patch, fraction of P&C components vulnerable, intrusion rate, actual P&C patching delay, delay to patch P&C system, perceived threat to P&C system, relative rate of P&C system intrusions, P&C intrusion rate threshold, perceived availability of P&C targets, attack on P&C components, insider attacks, collaborative attacks on non-P&C systems. Balancing loops: B1: patching is increased by awareness of an increasing number of P&C intrusions; B2: running out of P&C targets; B3: P&C components with intrusions are patched; B4: normal P&C system patching.]
Objectives
• Reduce number of vulnerable P&C components
• Increase number of hardened P&C components
• Timely non-invasive deployment
Malware Security Guidelines
Protection mechanism / Implementation guidelines
Up-to-date anti-virus
• Anti-virus that is not regularly updated should not be used, since it creates a false impression of security.
• When automatic or remote update is not available, manual update should be used with care, since the interval between updates will likely be too long. In addition, too many actions on the HMI increase the risk of human mistakes.
Host-based IPS/IDS
• IPS/IDS usually offer the ability to block or alert when abnormal activity is detected. Blocking features should be used with care, since false positives can be common. Alerting is recommended for critical systems.
Host-based firewall (incoming and outgoing traffic)
• The firewall should deny all traffic by default; all accepted traffic should be specified explicitly.
• Depending on the confidentiality level required, an incoming-only firewall could be acceptable as well (the Windows XP firewall is incoming only).
Hardening measures
• Disable auto play for external media.
Whitelisting
• In a static environment like an EPU substation, whitelisting can be very effective in preventing malware infection. The major downside of whitelisting is flexibility: once it is set up, the administrator has to reconfigure the whitelist every time a new application or update needs to be installed.
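As an added illustration of the whitelisting and default-deny guidelines above (example code, not from the tutorial or from CIGRE), the Python script below baselines the executables in a directory by SHA-256 at commissioning, then blocks anything unknown or modified, and reproduces the maintenance cost the guideline warns about: a legitimate update changes a hash and is blocked until the administrator re-baselines it. The directory, file names and contents are constructed in a temporary folder; restricting the check to a `*.exe` glob is an assumption made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_allowlist(root: Path) -> dict:
    """Baseline taken at commissioning: relative path -> SHA-256 of each executable."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*.exe"))}


def enforce(root: Path, allowlist: dict) -> dict:
    """Default-deny check: only listed files with an unchanged hash may run."""
    result = {"allowed": [], "blocked_unknown": [], "blocked_modified": []}
    for p in sorted(root.rglob("*.exe")):
        rel = str(p.relative_to(root))
        if rel not in allowlist:
            result["blocked_unknown"].append(rel)      # never baselined
        elif allowlist[rel] != sha256_of(p):
            result["blocked_modified"].append(rel)     # on the list, but content changed
        else:
            result["allowed"].append(rel)
    return result


def rebaseline(allowlist: dict, root: Path, rel: str) -> dict:
    """Administrator step after a verified legitimate update: re-admit one changed file."""
    updated = dict(allowlist)
    updated[rel] = sha256_of(root / rel)
    return updated


def run_demo() -> tuple:
    """Constructed HMI directory: two commissioned binaries, then an unknown
    file and a vendor update arrive after the baseline was taken."""
    root = Path(tempfile.mkdtemp(prefix="hmi-allowlist-"))
    (root / "hmi.exe").write_bytes(b"HMI v1 (constructed)")
    (root / "relaytool.exe").write_bytes(b"relay tool v3 (constructed)")
    allowlist = build_allowlist(root)
    (root / "dropper.exe").write_bytes(b"unknown binary (constructed)")  # e.g. from portable media
    (root / "hmi.exe").write_bytes(b"HMI v2 (constructed)")             # legitimate update, not yet listed
    before = enforce(root, allowlist)
    after = enforce(root, rebaseline(allowlist, root, "hmi.exe"))
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before re-baseline:", before)
    print("after re-baseline: ", after)
```

Note that the updated HMI binary is blocked exactly like the unknown file until someone re-baselines it, which is the operational cost the guideline refers to; in practice the re-baseline step belongs inside the change-management process rather than being done ad hoc on the HMI.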
Technical Solution Recommendations
Awareness Training
• Improve ability to detect cyber-initiated faults
• Better understand impact on P&C operations and performance
• Identify cost-effective pre-planned product improvements
IEC 61850
• Cybersecurity testing requirements
• Integrate with functional testing
• Audit and verify proper security configuration of P&C assets
Patch Management
• 1st priority: Perimeter defense
• 2nd priority: Network router security controls
• 3rd priority: P&C protection relays
Anti-virus & Malware
• Whitelisting policies
• Enforce strong access and use control privileges
• Certify personal devices connected to P&C network & components
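The vulnerability-management workflow (threat monitoring, initial classification, strategy following risk analysis), the patching metrics of the causal-loop diagram (number and fraction of vulnerable and hardened components) and the patch-management priorities listed above can be tied together in a small advisory-matching tool. The Python below is an added example, not code from the tutorial or from CIGRE: it matches constructed advisories against a constructed asset inventory by vendor, product and version, orders the findings by the stated priorities (perimeter, routers, relays) and then by severity, and applies an assumed policy that a high-severity relay finding with an available workaround gets a compensating measure first and a validated patch later. Vendor names, products, versions and advisory identifiers are placeholders.

```python
from dataclasses import dataclass

# Patch-priority order from the tutorial's recommendations:
# 1st perimeter defense, 2nd network router controls, 3rd protection relays.
CLASS_PRIORITY = {"perimeter_firewall": 1, "network_router": 2, "protection_relay": 3}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Asset:
    asset_id: str
    asset_class: str
    vendor: str
    product: str
    version: str


@dataclass
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str
    severity: str
    workaround_available: bool


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Initial classification: the asset runs the advisory's product below the fixed release."""
    return (asset.vendor == adv.vendor and asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def classify(advisories: list, inventory: list) -> list:
    """Threats monitoring output: (advisory, asset) pairs that need a decision."""
    return [(adv, a) for adv in advisories for a in inventory if is_affected(a, adv)]


def choose_strategy(adv: Advisory, asset: Asset) -> str:
    """Strategy following risk analysis. Assumed policy for this example: relay patches
    are validated on the P&C system first, so a high-severity relay finding with an
    available workaround gets the compensating measure now and the patch later."""
    if asset.asset_class == "protection_relay" and adv.severity == "high" and adv.workaround_available:
        return "workaround now, validated patch at next maintenance window"
    return "patch"


def work_plan(advisories: list, inventory: list) -> list:
    """Findings ordered by asset-class priority, then severity, with the chosen action."""
    findings = classify(advisories, inventory)
    findings.sort(key=lambda f: (CLASS_PRIORITY[f[1].asset_class], SEVERITY_RANK[f[0].severity]))
    return [(a.asset_id, adv.advisory_id, choose_strategy(adv, a)) for adv, a in findings]


def metrics(advisories: list, inventory: list) -> dict:
    """Management metrics from the causal-loop diagram: vulnerable vs. hardened counts."""
    vulnerable = {a.asset_id for _, a in classify(advisories, inventory)}
    return {"vulnerable": len(vulnerable),
            "hardened": len(inventory) - len(vulnerable),
            "fraction_vulnerable": len(vulnerable) / len(inventory)}


# Constructed inventory and advisories; all names and versions are placeholders.
INVENTORY = [
    Asset("FW-01", "perimeter_firewall", "ExampleNet", "EdgeFW", "3.1.0"),
    Asset("RTR-01", "network_router", "ExampleNet", "CoreRouter", "7.2.4"),
    Asset("RTR-02", "network_router", "ExampleNet", "CoreRouter", "7.3.0"),
    Asset("REL-01", "protection_relay", "ExampleRelay", "LineProt", "2.0.1"),
    Asset("REL-02", "protection_relay", "ExampleRelay", "LineProt", "2.2.0"),
    Asset("REL-03", "protection_relay", "ExampleRelay", "BusProt", "1.4.0"),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleNet", "EdgeFW", "3.2.0", "high", True),
    Advisory("ADV-0002", "ExampleNet", "CoreRouter", "7.3.0", "medium", False),
    Advisory("ADV-0003", "ExampleRelay", "LineProt", "2.1.0", "high", True),
]

if __name__ == "__main__":
    for asset_id, advisory_id, action in work_plan(ADVISORIES, INVENTORY):
        print(f"{asset_id} {advisory_id}: {action}")
    print(metrics(ADVISORIES, INVENTORY))
```

The version comparison here is a plain numeric tuple compare, which is enough for dotted vendor release numbers; firmware that uses letters or build strings would need a vendor-specific parser, and an advisory that names a version range rather than a fixed release would need `is_affected` extended accordingly.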
Milestones of JWG
| Milestone | Planned Date | Actual Date |
|---|---|---|
| Start | 09/15/2011 | 03/03/2012 |
| First meeting – Paris, FR | 04/25/2012 | 04/25/2012 |
| Second meeting – Paris, FR | 08/28/2012 | 08/28/2012 |
| Third meeting – Dubrovnik, Croatia | 04/16/2013 | 04/16/2013 |
| Fourth meeting – Milpitas, CA USA | 07/16/2013 | 07/16/2013 |
| Fifth meeting – Belo Horizonte, BR | 08/25/2013 | |
| Sixth meeting – TBD | | |
| Seventh meeting – Paris, FR | 08/26/2014 | |
| Early preliminary drafts (Draft 15) | 08/27/2012 | 01/31/2013 |
| First draft (Draft Ae1) | 02/13/2013 | 06/14/2013 |
| Final draft | 06/27/2014 | |
| Brochure | 08/26/2014 | |
| Electra summary | 08/26/2014 | |
| PowerPoint presentation | 08/26/2014 | |