Cyber Security. Doug Houseman Engineering Consulting Research. Modeling Simulation Security. The Practical Grid Visionaries TM

(1)

Engineering Consulting Research Modeling Simulation Security

The Practical Grid Visionaries™

Cyber Security

Doug Houseman [email protected]

(2)

Warnings

The costs given are based on prior projects

• They may not reflect your local market

Items in the lists are based on prior projects

• They may not reflect everything required

Staffing levels are based on prior projects

• They may not reflect actual needs

Experts differ on specifics of security practice

• You should consult several before accepting any solution

(3)

Key Documents

• IEEE Salary Survey – updated annually – ieeeusa.org/careers/salary/

• SANS 20 – sans.org/critical-security-controls/

• NERC CIP – nerc.com/pa/Stand/Pages/CIPStandards.aspx

• Organizational Models for Computer Security Incident Response Teams (CSIRTs) – resources.sei.cmu.edu/asset_files/handbook/2003_002_001_14099.pdf

• Common Sense Guide to Mitigating Insider Threats, 4th Edition – resources.sei.cmu.edu/asset-view.cfm?assetID=34017

• NISTIR 7628: Guidelines for Smart Grid Cyber Security, Revision 1 – released September 2014

• Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), v1.1 – released February 2014

• NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.0 – released February 2014

(4)

Things to Remember

Security is never “DONE” – the hackers continue to find new ways to get in

Security is both a capital exercise and an O&M exercise

A chain saw can do as much damage as a hacker – but with far more risk of getting caught

Insiders cause far more damage than outsiders

Most government programs share information – but only if you have the right clearance and a need to know

Most security staffs work the day shift – hackers know this

Hackers don’t have budget cycles or approval processes for new gear – utilities do

(5)

Staffing

Security position 24/7 in the control center(s)

• Transmission, Distribution, Meter Operations all can have control centers

• Each position takes 5 full-time employees and a supervisor

There are a range of roles that need security people:

1. Physical security
2. Network security
3. Communications
4. Security trainer
5. Incident response
6. Information analysis
7. Security architecture
8. Device and system penetration
9. Software testing and verification
10. Device configuration management
11. Access control and monitoring
12. Vendor security management
13. Firewall support
14. Cryptography
15. Intrusion detection
16. Logistics and supply chain
17. Security team administration
18. Record keeping
19. Standards development
20. Personnel reliability program
21. Device maintenance
22. Investigation
23. Literature monitoring
24. Sweeping

(6)

Staffing Costs

Average cost of security management staff is around $165,000

Average senior staff salary is around $108,000

Average staff salary is around $80,000

Average benefits are around $60,000 (health, training, retirement, etc.)

Security clearance $5–8,000 + wait time (3 to 15 months)

Wall Street hired Neil Greenfield for more than $1 million a year from AEP

Other key industry specialists have been hired for 3 to 5x the industry average salary

(7)

Cyber Security Equipment Categories

Hardware

1. Firewalls
2. Intrusion detection devices
3. Sniffers
4. Sweepers
5. Secure communications modules
6. Secure radios/telephones/tablets

Software

1. Packet inspection
2. Element managers
3. Manager of managers (MOM)
4. Key management
5. Virus protection
6. Monitoring (several types)
7. Risk and vulnerability analysis
8. Security design (both physical and cyber)

(8)

Cyber Security Equipment Categories

Hardware

1. Firewalls – $50,000 to $250,000 each
2. Intrusion detection devices – $12,000 to $250,000 each
3. Sniffers – $1,500 to $4,500 (handheld, mobile)
4. Sweepers – $250 to $5,000 (handheld, mobile)
5. Secure communications modules – $200 to $10,000 each
6. Secure radios/telephones/tablets – typically 2 to 4 times non-secure (NOTE: you can buy non-secure and add software – the labor to do so tends to make the decision a wash financially)

(9)

Cyber Security Equipment Categories

Software (software-only cost – hardware & installation is extra)

1. Packet inspection – Free to $350,000 per connection
2. Element managers – Free to $5 per node
3. Manager of managers (MOM) – $20,000 to $250,000
4. Key management – $1/mo/device to $1 million
5. Virus protection – Free to $10/mo/device
6. Monitoring (several types) – Free to $50,000 per monitoring system
7. Risk and vulnerability analysis – $10,000 to $500,000
8. Security design (both physical and cyber) – $20,000 per seat
9. Automated testing systems – Free to $2,200,000

(10)

Other Security Related Issues

Secure Communications

• The FCC is allowing telecom companies to drop copper (POTS) lines and Frame Relay

• The FCC is refusing to provide new frequencies for use by utilities and is forcing movement to alternate frequencies and narrow-banding of radio channels

• This means that utilities will have to find alternative ways of communicating

• Primarily this is resulting in decisions to deploy fiber optics – at roughly $200K per mile

• So far telecom companies have been unwilling to sign up for the QoS and longevity required to make utilities comfortable

Physical Security

• NERC CIP-006, NERC CIP-014-1 and other mandates for physical security are also driving the need for more communication

• Cabinet and door lock monitors, biometrics, cameras, etc. all need monitoring and

(11)

Other Security Related Issues

Distributed Generation and Storage

• At some point – the amount of DG and DS will become significant and a key to system reliability

• The vast majority of this equipment is in the hands of customers

• The new IEEE 1547 interconnect standards, the new IEC standards (Europe primarily) and the new California Rule 21 requirements all require communications

Distribution Automation/Substation Automation/AMI

• Programs designed to improve the operation of the grid, given the changing generation and usage environment

Workforce Automation

• Changes in workforce (e.g. higher turnover, younger workers, etc.) and safety regulations, as well as smaller staffs, and FCC rules
