Cyber Security for Energy Applications - EPRI
David Terry ASERTTI Executive Director
June 17, 2013
Energy Applications and Cloud Computing Webinar Series
ASERTTI
• ASERTTI's mission is to increase the effectiveness of energy research efforts in contributing to economic growth, environmental quality, and energy security.
• ASERTTI promotes applied research and technology commercialization in energy efficiency and renewable energy through state, federal, and private collaboration on emerging technologies. ASERTTI works to:
– Foster cooperative relationships among its members
– Advocate for policies that support clean energy research, development, demonstration, and deployment (RDD&D)
www.asertti.org
ASERTTI Overview ASERTTI Members Upcoming Activities
ASERTTI Members
ASERTTI’s membership includes state energy agencies, university energy centers, national laboratories, non-profit organizations, utilities, and other public interest technology organizations.
Upcoming Activities
• ASERTTI Webinar Series: Energy Applications and Cloud Computing
– Data Driven Energy Management (ETC Group), July 15, 2013
– Irrigation Efficiency: Integrated Data Reporting for Decision Support Solutions (NEEA), August 19, 2013
– Smart Manufacturing: Cloud Data and Computation Services for Performance Management Modeling (SMLC and EPRI), September 16, 2013
• ASERTTI Fall Meeting: October 2-4, 2013 – Raleigh, NC
– Integrating Smart Grid Technologies for Buildings, Industry, and Vehicles
6 © 2013 Electric Power Research Institute, Inc. All rights reserved.
Introducing EPRI…
EPRI is a company that brings together great people with new and exciting ideas to help energize the world!
“Together…Shaping the Future of Electricity”
Our History…
• Founded in 1973
• Independent, nonprofit center for public interest energy and environmental research
• Collaborative resource for the electricity sector
• Major offices in Palo Alto, CA; Charlotte, NC; Knoxville, TN
– Laboratories in Knoxville, Charlotte and Lenox, MA
• Chauncey Starr, EPRI Founder
Our Members…
• 450+ participants in more than 40 countries
• EPRI members generate more than 90% of the electricity in the United States
• International funding of more than 18% of EPRI’s research, development and demonstrations
• Programs funded by more than 1,000 energy organizations
Our Mission…
To conduct research on key issues facing the electricity sector…on behalf of its members, energy stakeholders, and society.
Current Environment
Interconnectedness of the Grid
Smart Grid = Electrical Grid + Intelligence
• Combining electrical and communication grids requires interoperability
• 2-way flow of electricity and information
Current Grid Environment
• Legacy SCADA systems
• Limited cyber security controls currently in place
– Specified for specific domains – bulk power distribution, metering
• Vulnerabilities might allow an attacker to…
– Penetrate a network,
– Gain access to control software, or
– Alter load conditions to destabilize the grid in unpredictable ways
• Even unintentional errors could result in destabilization of the grid
Threats to the Grid
• Deliberate attacks
– Disgruntled employees
– Industrial espionage
– Unfriendly states
– Organized crime
– Terrorists
• Inadvertent threats
– Equipment failures
– User/Administrator errors
• Natural phenomena
– Weather – hurricanes, earthquakes
– Solar activity
Cyber Security Impact on Electric Operations
• Malicious Remote Operations
• Sleeper Agent – Stuxnet
• Support Systems Disabled
• Malicious Mass Disconnects
Cyber Survivability
• Cyber attack on substation communication
• Cyber attack corrupts EMS
Can the grid operate in a degraded mode during isolation and recover from the cyber attack?
Cyber Resiliency of the Electric System
• Prevention: Cannot be the primary strategy
• Detect, Respond and Recover: Assume that breach will happen
• Survivability: Can the grid operate while recovering?
Opportunity To Improve All Three Aspects of Resiliency Through Integrating New and Existing Technologies
Trends Impacting Security
• Open protocols
– Replacing vendor-specific proprietary communication protocols
• Connections with enterprise networks to obtain productivity improvements and information sharing
• Reliance on external communications
– Increasing use of public telecommunication systems, the Internet, and wireless for control system communications
• Increased capability of field equipment
– “Smart” sensors and controls with enhanced capability and functionality
IT and Control Systems – Differences…
• For IT systems, confidentiality and integrity are the major objectives
• For control systems, availability and integrity are the major objectives
• Limited bandwidth and processing capability
• Potential loss of life impact if there is a major compromise
• IT system life cycle varies from 6 months to 2 years
• Control systems life cycle varies from 15 to 40 years
• Availability
– Delays usually accepted in IT systems
– Control systems typically run 24/7/365
EPRI Programs
EPRI Cyber Security Collaboration
EPRI in collaboration with utilities
• Trade Organizations
• Vendors
• Policy/Regulators
• Research Organizations
• Standards Bodies
Representing Utilities Through Coordination and Collaboration
EPRI Cyber Security and Privacy Program
• Industry Coordination and Technology Transfer
• Security for Transmission and Distribution
• Cross-Domain Cyber Security Tools, Architectures, and Techniques
National Electric Sector Cybersecurity Organization Resource (NESCOR)
Build an industry collaboration
– Public/private partnership funded by DOE
• Participating organizations – 120
• Participants – 180
– Utilities, vendors, academia, consultants, regulators
Approach
– Address critical industry needs
Multi-year effort
– Identify key research topics and develop products
NESCOR Program Structure
• Team 1: Threat and Vulnerability Assessment and Mitigation Group
• Team 2: Cyber Security Requirements and Standards Assessment Group
• Team 3: Technology Testing and Validation
• Team 4: Design Principles Group
Government Activities
Electric Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
• A DOE Public-Private Partnership
• Document published May 2012
Assess Your Cyber Security Posture
Presidential Policies
• Announced in February 2013
1) Executive Order 13636: Improving Critical Infrastructure Cybersecurity
2) Presidential Policy Directive – 21: Critical Infrastructure Security and Resilience
• Replaces Homeland Security Presidential Directive-7
NIST and the Cybersecurity Framework
• Cybersecurity Framework
• Risk management practices
• Use of frameworks, standards, and best practices
• Developing a Framework to Improve Critical Infrastructure Cybersecurity
– Current risk management practices
– Use of frameworks, standards, and best practices
– Specific industry practices
Moving Forward…
• Cyber security supports both the reliability and privacy of the Smart Grid
• Address interconnected systems – both IT and control systems
– Cyber security needs to be addressed in all systems, not just critical assets
– Augment existing reliability controls, as applicable
• Consider the lifecycle of IT/telecomm systems versus control systems
– Patch management/update cycles
– Product life cycle
– Develop new models/paradigms for the two communities
• Continuously assess the security status
• Continuously assess the security status
Moving Forward… (2)
• Acknowledge there will be some security breaches
– Focus on response and recovery
• For example, isolate/quarantine infected devices
– Fail secure
• Address both safety and security
• Build security in!
– Confidentiality, integrity and availability – implement best practices
• Apply IT/telecomm security lessons-learned from the past 40 years
• Train and educate
– Address advanced persistent threats (APTs)
• Compliance DOES NOT equal security
Discussion
Annabelle Lee [email protected] 202.293.6345
Together…Shaping the Future of Electricity