Disruptive Ideas for Utility Resilience & IT/OT Security

Erfan Ibrahim, Ph.D.
Director, Cyber-Physical Systems Security & Resilience Center
[email protected]

NCEMC Technology Conference 2017
August 16th 2017


Agenda

• NREL Overview

• Resilience Challenges for Utilities & Possible Mitigations

• Cybersecurity Challenges with Distributed Generation

• NREL 9-layer Cybersecurity Architecture Overview for IT/OT Security with DG

• NREL 10-Step Systems Engineering Approach to Securing an Enterprise

• Cyber Governance Assessment Technical Deep Dive

• Q&A


Erfan Ibrahim’s Profile

Education:

• Ph.D., Nuclear Engineering (University of California, Berkeley)

• M.S., Mechanical Engineering (University of Texas at Austin)

• B.S., Honors Physics (Syracuse University).

Thirty years of professional experience in:

• Telecommunications

• Network management

• Cybersecurity (information technology/operation technology)

• Internet Protocol network design

• Water desalination (Reverse Osmosis, Multi-Stage Flash)

• Nuclear reactor engineering (fission & fusion).

[email protected] 925-785-5967


NREL’s CPSS&R Team of Nine

Diversified Skill Set in Energy Sector:

• Erfan Ibrahim, Director

• Tami Reynolds, Networking & Communications / Business Dev.

• Maurice Martin, Networking & Cybersecurity

• Brian Miller (PE), Power Systems Engineering (Part Time)

• Danish Salem, Lab Manager, Power Systems Engineering

• Thomas Doepke,* Networking & Security Intern

• Andrew Michalski,* Network Security Intern

• Joshua Rivera,* Networking & Security Intern

• George Edwards,* Visiting Professor, University of Denver

*New staff since June 2017.


NREL’s Cybersecurity Research and Development Strategy

• Assist public and private sector clients in implementing the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework and the U.S. Department of Energy’s (DOE’s) Cybersecurity Capability Maturity Model (C2M2) through strategic partnership projects (electric, water, oil and gas, and other sectors).

• Identify research-and-development (R&D) gaps in cybersecurity and resilience in the public and private sector via strategic partnerships.

• Inform DOE, NIST, the U.S. Department of Defense, Advanced Research Projects Agency-Energy (ARPA-E), state and local governments, and regulatory bodies of empirically verified cybersecurity and resilience R&D gaps identified via client engagements.

• Research the gaps through funded R&D projects in partnership with academia, industry, and other national laboratories.


Unique Value Proposition for CPSS&R

• Deep expertise in:

o Power systems Supervisory Control and Data Acquisition (SCADA)

o Cybersecurity

o Networking

o Distributed energy resources (DERs).

• Advanced research capabilities at the Energy Systems Integration Facility’s (ESIF’s) Systems Performance Laboratory, including:

o Complete test bed with modular power systems, communications, and cybersecurity capabilities

o Vendor and technology agnostic perspective

o Ability to pen test at interface, component, or systems level.

• Flexibility to expand to water, oil and gas, and thermal systems testing for cybersecurity and resilience.


Energy Systems Integration Facility

NREL—Golden, Colorado, Campus


Energy Systems Integration Facility

Addressing the challenges of large-scale integration of clean energy technologies into the energy systems infrastructure

Figure labels: Offices | HPC, DC | Laboratories

• NREL’s largest R&D facility (182,500 ft² / 20,000 m²)

• Space for approximately 200 NREL staff and research partners

• Petascale High-Performance Computer (HPC) and Data Center supports all research at NREL

• Labs focus on R&D of integrated energy systems:

o Electricity

o Fuels

o Transportation

o Buildings and campus.

• Integrated electrical, thermal, fuel, and data infrastructure.

http://www.nrel.gov/esif/


ESIF Laboratories

Figure labels:

• Systems Performance Lab with Cyber: Buildings and Loads

• Power Systems Integration Lab: Grid Simulators, Microgrids

• Energy Systems Integration Lab: Fuel Cells, Electrolyzers

• Outdoor Test Areas: EVs, Power Transformers

• Rooftop PV and Wind

• Energy Storage Lab: Residential, Community and Grid Battery Storage, Flywheels and Thermal

• HPC and Data Center

• Auxiliary Control Room

• Advanced Distribution Management System Test Bed


Resilience Challenge for Utilities In The Future

• Climate change

• Reduced collection at meters

• Automation & AI (Less demand for workforce)

• Interoperability challenges


Challenges With Distributed Generation

Solar and wind power:

• Intermittent resources

• Not available when needed (“duck curve”)

• Rely too much on natural gas peaker units (too sensitive to fuel price)

• Energy storage is still quite expensive and highly flammable.

• Carbon footprint in manufacturing and delivery of wind turbines and solar panels

• Net zero customer facilities reduce revenue for utilities to maintain reliable grid.

Source: California Independent System Operator


Mitigations for Distributed Generation Reliability Challenges

• The utility could buy and install solar and wind generation sources at the utility scale or on the customer’s premises to protect the revenue stream (microgrid discussion to follow).

• The utility could implement effective demand response programs with price incentives to modify electric consumption based on electricity availability from renewable energy.

• The utility could introduce a transactive energy market at the area and feeder level to increase the availability of low-carbon electricity and ancillary services and improve customer engagement.


Carbon Footprint Mitigations for Distributed Generation

• Recycle solar panels and wind turbines.

• Recycle energy storage batteries.

• Apply demand-response programs for EV charging to align with solar and wind power.

• Generate hydrogen for transportation fuel and peak power generation during periods of excess solar and wind power to reduce dependence on electric storage.


Disruptive Technologies for Utilities to Consider

Increase electrification of society through:

• Hydrogen Production from Solar/Wind for Transportation Fuel & Peak Power Generation

• Small Modular Nuclear Reactors at Medium Voltage for Distributed Base Load Support & Inertia

• Reverse Osmosis Plants for Desalination & Brackish Water Purification

• Plasma Arc Furnaces for 100% Non Radioactive Waste Recycling


Desalination & Ground Water Purification With Reverse Osmosis

• Desalinate water near coast and pump inland

• Purify brackish water inland and distribute

• Sell fresh water for $$

• Replenish ground water with irrigation for landscaping

• Build small to medium size RO plants

• Recycle concentrate feed (higher yield)


Plasma Arc Furnace for 100% Recycling of Waste

• Make landfills become a revenue source

• Separate salts from RO plants into elemental products in plasma arc furnace for $$

• Minimize dependence on mining for new raw materials

• Repurpose landfills as parks and school yards

• Increase self-sufficiency of communities (simplify supply chain)

Courtesy of Hydrocore


Recommended Business Strategy for Utilities in the Future

High-Level Strategic Goals:

• Transform from electricity generation and distribution company to energy services company.

• Diversify portfolio (multiple sources of revenue).

• Align business goals with sustainability goals of the service territory.

• Improve customer engagement with long-term partnership (i.e., the customer is not a load).

• Redesign electric grid to reliably and securely support distributed generation and new energy services.

• Groom a new generation of the workforce from colleges and mid-career transitions that embraces modern technologies while preserving established best practices for operation and maintenance.


A Possible Model of the Future

• Utility-owned distributed generation

• Demand response

• Transactive energy clearinghouse for commercial and industrial microgrids

• Integrated EV charging infrastructure

• Integrated hydrogen fuel cell charging infrastructure

• Desalination, brackish water purification, and wastewater treatment powered by small modular nuclear reactors

• Utility-owned microgrid to power plasma arc furnaces for 100% recycling of nonradioactive waste (solid, liquid, and gas).


Cyber-Challenge With Distributed Generation

CHALLENGE:

Distributed intelligence creates new cybersecurity vulnerabilities on the electric grid.

SOLUTION:

A new, disruptive approach to system security based on nine layers.


Evolution of the Grid

Past: A fortress

Present: A network


Distribution Utility Attack

[Diagram: elements shown are GIS, MDM, Payment Processing, Enterprise Network, SCADA Network, Server, Engineering Analysis, Field Design, Operations Center, Substation, Smart Meter, Smart Feeder Switch, Inverter, Smart Capacitor, EV Charger, Microgrid Controller, Distributed Generation, and Internet; substation status labels read Online and Offline.]


Utility Infrastructure: A Communications and Security Challenge

• Power generation SCADA

• Transmission energy management system (EMS)

• Distribution SCADA

• Advanced metering infrastructure

• Home area networks

• Electric vehicle (EV) charging

• Energy storage

• Photovoltaics (PV)

• Wind energy.


Common Practice in Security: Protocol and End Point Focused

Approach: Lock down everything.

• Encrypt all communications.

• Enforce protocol-level security.

• Monitor advanced authentication at the end-device level.

Limitations:

• Reactive—hackers are always ahead of an organization’s cybersecurity capabilities (i.e., standard security processes are too slow).

• There is too much overhead (e.g., memory, processing, networking).

• Required upgrades of legacy equipment are costly.


NREL R&D Approach: Systemic Security

Approach: Limit damage that can be done from the start.

• Adhere to cyber hygiene (e.g., sound network design principles and cybersecurity management best practices).

• Use third-party, off-the-shelf technologies selectively for in-line blocking and context-based intrusion detection to maximize situational awareness and provide systemic cyber protection.

• Ensure that the strategy is compatible with legacy and modern equipment on Day 1 (so that no upgrades are required to function).

• Ensure that the strategy is modular and scalable.

• Ensure that the strategy does not depend on cybersecurity controls at the end-device or protocol level.

Limitations:

• Legacy end devices in the field are still vulnerable to tampering (limited authentication available).


Cybersecurity Test Bed Network View

Diagram created by NREL, August 2017


9-Layer Security Architecture - Testbed Technologies

Testbed technologies shown in the diagram:

• SecLab Denelis

• BlackRidge TAC

• Cisco Firewall + Switches

• NexDefense Integrity

• N-Dimension N-Sentinel

• Albeado PRISM

Layers shown in the diagram:

• GWAC 5-6 Business

• GWAC 4 Semantic

• OSI 7 Application

• OSI 6 Presentation

• OSI 5 Session

• OSI 4 Transport

• OSI 3 Network

• OSI 2 Data Link

• OSI 1 Physical

Additional diagram label: security application layer

Diagram updated by NREL in July 2017


Cybersecurity Test Bed Power Systems View

Diagram created by NREL


CPSS&R Cyber Testbed Power Systems Use Cases

• Develop five use cases utilizing distribution management system (DMS) applications:

o Auto-sectionalizing and restoration

o Volt/volt-ampere reactive optimization

o Demand response with EV charging

o PV smoothing with storage

o Frequency regulation with storage.

• Build the distribution system testbed with a DMS, enterprise SCADA, substation automation platform, intelligent electronic devices (Remote Terminal Units, Programmable Logic Controllers, and field sensors), energy storage, electric vehicles, and simulated grid with capacitor banks and smart switches.


NREL’s 10-Step Systems Engineering Approach to Security

1. Assess cyber-governance (security controls in place, prioritized action items for gaps in security controls) (identify and protect).

2. Implement technical plan to address gaps from cyber-governance assessment (protect).

3. Perform due diligence on cutting-edge cybersecurity technologies for energy systems, including functional and integration testing (identify and protect).

4. Develop procurement language for secure, reliable, and resilient SCADA systems (protect).

5. Review utility SCADA cybersecurity architecture and benchmark against NREL nine-layer cybersecurity model, including vulnerability assessment and risk mitigation (identify, protect, monitor, and respond).

6. Scan software code and binary executables to identify malware and cyber risks as well as techniques for mitigation (identify and protect).

7. Test data fuzz of SCADA systems with risk mitigations (identify and protect).

8. Pen-test SCADA systems in NREL’s cybersecurity test bed to identify residual cyber risks and provide mitigations (monitor, respond, and recover).

9. Develop and analyze failure scenarios with mitigations (recover).

10. Provide training on cybersecurity awareness for corporate staff and information technology/operation technology audiences to reduce cyber risks from social engineering and phishing schemes from advanced persistent threats (identify, protect, monitor, respond, and recover).


Cyber-Governance Maturity Oversight Model

Cyber intrusions have the potential to cause a plethora of detrimental problems throughout any organization. The Cyber-Governance Maturity Oversight Model (CMOM) is the missing link that provides immediate visibility into cybersecurity operations, enabling leaders to work together to mitigate enterprise cyber risk.


Cyber-Governance Maturity Oversight Model

• CMOM uses the combination of DOE’s C2M2 and the NIST Cybersecurity Framework to assess the cyber-governance of an organization.

• Below are the 10 domains defined in the C2M2, wherein the CMOM identifies the cybersecurity controls that have been implemented and those that are missing (in order of priority):

1. Risk management

2. Asset change and configuration management

3. Identity and access management

4. Threat and vulnerability management

5. Situational awareness

6. Information communication and sharing

7. Event and incident response

8. External dependency management

9. Workforce management

10. Cybersecurity program management.


Situational Awareness (Examples of Assessment Questions)

• Logging occurs for important assets wherever possible.

• Logging requirements have been defined for all assets important to the organization.

• Cybersecurity reviews of log data are conducted periodically.

• Data from monitoring activities are aggregated to create a “common operating picture” of organizational security.

• Information is collected from within the organization to enhance the common operating picture.

Information Sharing and Communication (Examples of Assessment Questions)

• We collect cybersecurity information from selected people and organizations.

• Provisions are established and maintained to enable secure sharing of sensitive or classified information.

• Responsibilities and obligations for cybersecurity information reporting have been assigned to personnel.

• We have relationships with experts outside our organization that are trusted to vet and validate information about cybersecurity events.

• Adequate people, funding, and tools are provided in support of cybersecurity information sharing.


Contact Information: [email protected]

925-785-5967