Cyber security protection for synchrophasors and other grid systems Monday, August 11, 2014
CCET ‐ Husch Blackwell Webinar Series ‐ July, August, Sept and Oct, 2014TODAY’S WEBINAR
Discovery Across Texas:Technology Solutions for Wind Integration in ERCOTA CCET Smart Grid Demonstration Project
Milton Holloway, Ph.D.President & COOCCET
electrictechnologycenter.com
Context: CREZ* Build-out Completion
*Competitive Renewable Energy Zones$7B cost, 3,589 miles of lines
CCET Demonstration Project: Discovery Across Texas
I. Synchrophasor system with applications (ERCOT wide grid monitoring)II. Security fabric demonstration for synchrophasor systems (demonstrated at
Lubbock/TTU/RTC)III. Utility-scale battery with companion wind farm (Lubbock/TTU/RTC)IV. Pricing trials at Pecan Street (Austin)V. Direct Load Control demonstration with dual communication paths (Dallas and
Houston)VI. Solar community monitoring (Harmony Community in Houston and Mueller
Community in Austin)VII. PEV fleet Fast Response Regulation Service demonstration (Fort Worth)
Seven Project Components:
This material is based upon work supported by the Department of Energy under Award Number DE-OE0000194."
Disclaimer: "This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.
CCET Demonstration Project: Discovery Across Texas
Polling QuestionI. What is the probability in the next 10 years that a cyber attack will bring
down more of the U.S. grid than has any natural disaster ever
II. Answers:a. <1%b. 1-5%c. 6-10%d. 11-20%e. >20%
Lorie WigleVice President, General Manager IOT Security SolutionsMcAfee a Division of Intel Security
intelsecurity.com
History of DefiningArchitecture
– Inventor of the world’s most widely used computing architecture
– Defining countless standards used in everyday lives ranging from USB, WiFi, to IoT
– Top 10 Most Influential Brands in the World
Largest Dedicated Security Provider
– Broadest security product coverage in the industry
– Complete portfolio focused upon security
– Leadership position in 6 of 8 Gartner Security Magic Quadrants
Delivering a Next Generation Security Architecture
– Defining innovative industry approaches for collaborative and adaptive security
– Introducing security integrations which are sustainable and broadly reaching
– Developing capabilities for new security paradigms in areas such as Software Defined Datacenter, Cloud, and IoT
Critical ManufacturingCommunicationsCommercial FacilitiesWaterTransportationNuclearInformation TechnologyGovernment FacilitiesFinancialEnergy
Energy 56%
Incidents by Sector for fiscal year 2013, Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team
Energy is a Cyber Target
2014“Dragonfly”- US, EU
Polling Question
13
Critical infrastructure, including the electricity grid, in the U.S. today is…a. At far greater risk from physical attack than cyber attackb. Is very well protected from cyber attackc. Is somewhat vulnerable given that attacks and attackers
are constantly becoming more sophisticatedd. Is at grave risk because security is not a priority
14
“Operators of infrastructure, particularly energy infrastructure, often believe that their need to operate the infrastructure trumps the need to keep others from mis‐operating it.” SANS editor William Hugh Murray
Securing Critical Infrastructure
15
Harden the
Device
Secure the
Comms
Manage the
security
Hardware‐enhanced security + software & services key to achieve mission
4. Audit Records noteworthy events for later
analysis
5. Confidentiality Encrypts sensitive data for matters of
privacy.
6. Integrity Ensures that messages have not been
altered and that they are non-reputable.
7. Availability Prevents denial of service attacks
1. Identity Management Ensures the device identity is
established genuinely
2. Mutual Authentication Allows both the Device Node and the
Controller to verify the trustworthiness their identity to each other.
3. Authorization Manages permission to proceed with
specific operations.
16
SF is designed to address the NIST IR 7628 GuidelinesSecuring the Grid: NIST IR 7628 Guidelines
IT/OT Differences
Confidentiality
IntegrityIntegrity
Availability
Availability Confidentiality
Impo
rtanc
e
Challenges Enterprise IT Security
Industrial Systems/OT
Anti-virus Common widely used
Updates can cause
unacceptable network delays
Patch Deployment Regular Scheduled
Slow to deploy/test,
Unable to reboot
Network Communication
Standard protocols (IP/UDP)
Proprietary protocols
(DNP/ICCP/Modbus)
Security Monitoring
Logs gathered, but reactive
requires based on issues
Logging Only/Monitoring for performance/
availability
Vulnerability Management
“Find-fix” modus operandi for
vulnerabilities
VM scans can destroy machines
Security Connected for Critical Infrastructure:End-to-End Situational Awareness and Management
Integrated Embedded Security… • McAfee Deep Command, Application/Change
Control/Whitelisting, encryption• Wind River OS/Hypervisor/IDP security/encryption• Intel HW-assisted security/encryption
with Secure Intelligence and Connectivity…
• Intel Intelligent Gateways• IPS/Firewalls/TLS• 3rd Party SIA Firewalls & Protocol Filters
Comprehensively Monitored & Managed• McAfee ePolicy Orchestrator (ePO)• McAfee Enterprise Security Management
(ESM/Nitro/SIEM)
Applying Security to the Electricity GridTexas Synchrophasor Field Trial
Electric Power Group (EPG) is adding the security fabric to their synchrophasor products and deploying them at TTU
Texas Tech University (TTU) is the site of the field trial. Synchrophasor deployment already in place at TTU under the CCET projectStand up parallel security-enhanced systemConduct testing
SC4CI
SC4CI
SC4CI
SC4CI
C37.118Data
EPG RTDMS Client
C37.118Data
PMUs
Intelligent Synchrophasor Gateway
AAA: Kerberos/AD
McAfee ePolicy Orchestrator &Enterprise Security Manager (SIEM)
McAfee Integrity Control
Security Connected for Critical InfrastructureTexas Synchrophasor Field Trial Platform Details
ICS-ALERT-14-176-02 ICS Focused Malware campaign that uses multiple vectors for infection(June 2014)
Spam Email Mail GW and/or Whitelisting prevent malware execution on managed
endpoints in the industrial space Exploit kits
Cannot execute due to Application Whitelisting and Configuration Mgmt Malicious Updaters from compromised vendor sites
Handled through secure McAfee Software Update infrastructure for Partner Companies
If the malware has been installed Detect the malicious traffic before it leaves the device and notify Block with the traditional network sensors (Nextgen FW, etc) and notify Revealed in ESM, and then in the Device Mgmt Console for
identification, quarantine, and remediation.
Bridging IT and OT ProtectionProven Security Adapted for New Intelligent Operations
Integrated Embedded Security… • McAfee Deep Command, Application/Change
Control/Whitelisting, encryption• Wind River OS/Hypervisor/IDP
security/encryption• Intel HW-assisted security/encryption
with Secure Communication…• Intel Intelligent Gateways • IPS/Firewalls/TLS/AAA• 3rd Party SIA Firewalls & Protocol Filters
Comprehensively Monitored & Managed• McAfee ePolicy Orchestrator (ePO)• McAfee Enterprise Security Management
(ESM/Analytics)
CYBERSECURITY –A CONTINUING PROBLEM Cybersecurity has been a growing focus and concern over the past
decade. Power providers reported new attacks on the transmission grid:
An attack on a Saudi Arabian oil company in the summer of 2012 wiped data from 30,000 computers.
MISO breach in June.
July study released by Unisys said 67% had at least one security compromise over the last 12 months leading to loss of confidential information or operations disruption caused by: Negligent employees (47% or respondents), many with privileged access. External attack (28% or respondents). Limited preparedness: Most said their firms’ cybersecurity programs had limited ability to ward off attacks. Large majority said cybersecurity not a top corporate priority within their company.
Most indicated little faith in government regulations or industry standards to address risks effectively.
OVERVIEW - TEXAS
Cybersecurity for the electric sector traditionally has been a concern that was addressed at the federal level by the Federal Energy Regulatory Commission (FERC) through the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards focus on the bulk electric system, that is, the transmission portion of the grid.
The Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and FERC with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards, including those for cybersecurity for the remainder of the electric grid.
Since 2009, the state of Texas has taken a significantly greater role in grid cybersecurity, with a large emphasis placed on the distribution portion of the electrical infrastructure.
OVERVIEW - FEDERAL
The electric power industry is the only critical infrastructure industry in the US with mandatory and enforceable cyber standards.
Protecting the grid is a mandate under the Energy Policy Act of 2005 (EPAct 2005).
The Federal Energy Regulatory Commission (FERC) has the authority to oversee the reliability of the bulk power system.
EPACT 2005 AND THE ELECTRIC RELIABILITY ORGANIZATION
EPAct 2005 created the Electric Reliability Organization (ERO).
The North American Electric Reliability Corporation (NERC) designated as the ERO in 2006 in Order No. 672.
NERC worked with electric power industry experts to develop the NERC Critical Infrastructure Protection (CIP) standards CIP-002 through CIP-009.
Since 2008, the standards have been updated.
FERC AND THE ERO
FERC may approve proposed reliability standards or modifications.
• No authority to modify proposed standards. • But FERC may direct the ERO to submit a proposed standard or modification.
FERC jurisdiction limited to the "bulk power system" under the Federal Power Act (FPA).
Exclusions include:
• Facilities used for local distribution, any facilities in Alaska and Hawaii. Much of the smart grid equipment will be installed on distribution facilities and won’t be under FERC's jurisdiction.
• Virtually all the grid facilities in certain large cities, such as New York, not covered by FERC cyber jurisdiction.
CIP RELIABILITY STANDARDSDevelopment of reliability standards involving cyber security: • The first versions of CIP standards announced in 2006. • CIP‐002 through CIP‐009 approved by FERC in 2008 (Order No. 706).
• The standards have been updated to address evolving cyber threats.
The CIP Standards address assets essential to the operation of identified bulk‐power system critical infrastructure ‐ termed “Critical Cyber Assets” ‐ such as: • control centers• control systems• transmission substations • generators
CIP RELIABILITY STANDARDS (continued)
Identified “Critical Cyber Assets” must receive full CIP protections
including:
• cyber protections. • physical protections.• cyber and physical access limitations.
• security training for appropriate personnel.
• development and implementation of incident response and asset recovery plans.
Compliance history of CIP Reliability Standards is
problematic:
• CIP Reliability Standards by far the most violated of Standards.
Polling Question
Violations of Reliability Standards are punishable by per violation, per day fines of up to:
a) $5,000b) $50,000 c) $100,000d) $500,000e) $1,000,000
ORDER NO. 706 (January 18, 2008)
Established eight CIP Reliability Standards (CIP-002 through CIP-009; replaced prior voluntary cyber security standards.
Required "risk-based" vulnerability assessment methodology for cyber assets.
Once cyber assets identified, responsible entities required to: establish plans to safeguard physical and electronic access train personnel report security incidents and be prepared for recovery
actions
ORDER NO. 761 (April 19, 2012)
FERC revised the standards for
identifying cyber assets: “[it] is a step
towards full compliance with
Order 706.”
Replaced NERC’s risk‐based approach with “bright‐line” criteria. • Covers control centers, transmission facilities, generating facilities, flexible AC transmission systems and special protection systems.
FERC established deadline for NERC to submit reliability standards fully compliant with Order 706.
“Find, Fix, Track and Report” ORDER (June 20, 2013) FERC accepted NERC Find, Fix, Track and Report (FFT) program.
Under which: Permits informational filings of lesser-risk, remediated possible
violations. Only possible violations that pose a minimal risk are eligible for
FFT treatment. Allows NERC to focus resources on issues posing greater risk to
reliability. Rejected proposal to remove requirement that senior officers
certify completion of remediation. FFT program allowed NERC to reduce issues dating prior to 2011 by
approximately 80 per cent.
Order No. 791 (November 22, 2013)Approved the Version 5 CIP Reliability Standards (CIP‐002 through CIP‐009).
FERC rejected NERC‐advocated move away from “zero tolerance” to a more flexible standard of requiring entities to “identify, assess, and correct” violations.
The new CIP standards will require major changes for registered entities.
All “Bulk Electric System (BES) Cyber Assets” will receive some level of protection related to the importance of their associated facilities. • Addresses Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for Bulk Electric Cyber Systems, Configuration Change Management and Vulnerability Assessments.
• New approach for identifying bulk electric system (BES) Cyber Systems ‐‐ Low, Medium, or High Impact.• Level of CIP protections required by the Version 5 Standards depends on the risk classification of the relevant BES Cyber Systems.
• Requires, at minimum, all BES Cyber Systems to be categorized as Low Impact.
High and Medium Impact asset requirements compliance by April 1, 2016; 36 months for Low Impact assets.
The expansion of requirements for Low Impact systems and assets will be a time‐intensive task.
NIST unveiled the Cybersecurity Framework for reducing cyber risks to critical infrastructure.
The voluntary framework is intended to reduce
cybersecurity threats and vulnerabilities through a risk‐based approach to improve cybersecurity
practices.
Origins in President Obama’s February 2013 Executive Order 13636 for
Improving Critical Infrastructure Cybersecurity.
Expected to be a first step in a continuous process to
improve the nation's cybersecurity to keep pace with changes in
technology, threats and other factors, and to incorporate lessons learned from its use.
CYBERSECURITY FRAMEWORK (February 12, 2014)
Questions?Milton [email protected]
Lorie WigleMcAfee a Division of Intel Security@LWigle
Marvin GriffHusch [email protected]