
Cyber security protection for synchrophasors and other grid systems

Monday, August 11, 2014

CCET - Husch Blackwell Webinar Series - July, August, Sept and Oct, 2014


Discovery Across Texas: Technology Solutions for Wind Integration in ERCOT
A CCET Smart Grid Demonstration Project

Milton Holloway, Ph.D., President & COO, CCET
[email protected]
512.472.3800


Context: Continuing Investment in Wind Generation


Context: CREZ* Build-out Completion

*Competitive Renewable Energy Zones $7B cost, 3,589 miles of lines


CCET Demonstration Project: Discovery Across Texas

I. Synchrophasor system with applications (ERCOT wide grid monitoring)

II. Security fabric demonstration for synchrophasor systems (demonstrated at Lubbock/TTU/RTC)

III. Utility-scale battery with companion wind farm (Lubbock/TTU/RTC)

IV. Pricing trials at Pecan Street (Austin)

V. Direct Load Control demonstration with dual communication paths (Dallas and Houston)

VI. Solar community monitoring (Harmony Community in Houston and Mueller Community in Austin)

VII. PEV fleet Fast Response Regulation Service demonstration (Fort Worth)


This material is based upon work supported by the Department of Energy under Award Number DE-OE0000194.

Disclaimer: "This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof."


CCET Demonstration Project: Discovery Across Texas

Polling Question

I. What is the probability in the next 10 years that a cyber attack will bring down more of the U.S. grid than has any natural disaster ever?

II. Answers: a. <1% b. 1-5% c. 6-10% d. 11-20% e. >20%


Lorie Wigle

Vice President, General Manager, IoT Security Solutions, McAfee, a Division of Intel Security
[email protected]
503.466.4405


History of Defining Architecture
– Inventor of the world’s most widely used computing architecture
– Defining countless standards used in everyday lives ranging from USB, WiFi, to IoT
– Top 10 Most Influential Brands in the World

Largest Dedicated Security Provider
– Broadest security product coverage in the industry
– Complete portfolio focused upon security
– Leadership position in 6 of 8 Gartner Security Magic Quadrants

Delivering a Next Generation Security Architecture
– Defining innovative industry approaches for collaborative and adaptive security
– Introducing security integrations which are sustainable and broadly reaching
– Developing capabilities for new security paradigms in areas such as Software Defined Datacenter, Cloud, and IoT


Energy is a Cyber Target

[Chart: Incidents by Sector for fiscal year 2013, Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team. Sectors shown: Critical Manufacturing, Communications, Commercial Facilities, Water, Transportation, Nuclear, Information Technology, Government Facilities, Financial, Energy. Energy: 56%]

2014: “Dragonfly” - US, EU


Polling Question

Critical infrastructure, including the electricity grid, in the U.S. today is…
a. At far greater risk from physical attack than cyber attack
b. Is very well protected from cyber attack
c. Is somewhat vulnerable given that attacks and attackers are constantly becoming more sophisticated


“Operators of infrastructure, particularly energy infrastructure, often believe that their need to 


Securing Critical Infrastructure

Harden the Device
Secure the Comms
Manage the security


1. Identity Management
– Ensures the device identity is established genuinely
2. Mutual Authentication
– Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Authorization
– Manages permission to proceed with specific operations.
4. Audit
– Records noteworthy events for later analysis
5. Confidentiality
– Encrypts sensitive data for matters of privacy.
6. Integrity
– Ensures that messages have not been altered and that they are non-repudiable.
7. Availability
– Prevents denial of service attacks


IT/OT Differences

Importance (highest to lowest):
| Enterprise IT Security | Industrial Systems/OT |
|---|---|
| Confidentiality | Availability |
| Integrity | Integrity |
| Availability | Confidentiality |

Challenges:
| Challenge | Enterprise IT Security | Industrial Systems/OT |
|---|---|---|
| Anti-virus | Common, widely used | Updates can cause unacceptable network delays |
| Patch Deployment | Regular, scheduled | Slow to deploy/test; unable to reboot |
| Network Communication | Standard protocols (IP/UDP) | Proprietary protocols (DNP/ICCP/Modbus) |
| Security Monitoring | Logs gathered, but reactive, based on issues | Logging only / monitoring for performance and availability |
| Vulnerability Management | “Find-fix” modus operandi for vulnerabilities | VM scans can destroy machines |


Security Connected for Critical Infrastructure:

End-to-End Situational Awareness and Management

Integrated Embedded Security…
• McAfee Deep Command, Application/Change Control/Whitelisting, encryption
• Wind River OS/Hypervisor/IDP security/encryption
• Intel HW-assisted security/encryption

with Secure Intelligence and Connectivity…
• Intel Intelligent Gateways
• IPS/Firewalls/TLS
• 3rd Party SIA Firewalls & Protocol Filters

Comprehensively Monitored & Managed
• McAfee ePolicy Orchestrator (ePO)
• McAfee Enterprise Security Management (ESM/Nitro/SIEM)


Applying Security to the Electricity Grid

Texas Synchrophasor Field Trial

Electric Power Group (EPG) is adding the security fabric to their synchrophasor products and deploying them at TTU.

Texas Tech University (TTU) is the site of the field trial. Synchrophasor deployment already in place at TTU under the CCET project.

[Diagram: Stand up parallel security-enhanced system -> Conduct testing; components labelled SC4CI]


[Diagram: PMUs -> C37.118 Data -> Intelligent Synchrophasor Gateway -> C37.118 Data -> EPG RTDMS Client; AAA: Kerberos/AD]

Managed by McAfee ePolicy Orchestrator & Enterprise Security Manager (SIEM) and McAfee Integrity Control.

Security Connected for Critical Infrastructure
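As an added example (not code from the CCET project, EPG or McAfee), the following Python sketches the kind of protocol filter the gateway in the diagram could apply to PMU-to-client C37.118 traffic: verify the frame's CHK, forward only data frames from an allowlisted IDCODE, and produce a log line for the SIEM on every drop. The frame layout and CRC parameters are those of IEEE C37.118.2; the PMU allowlist, sample frames and log format are constructed for the example.

```python
"""Gateway-side check of C37.118 frames (added example, not CCET/EPG/McAfee code).
Assumed from IEEE C37.118.2: SYNC (0xAA, type/version byte), FRAMESIZE, IDCODE, SOC,
FRACSEC (big-endian), payload, CHK = CRC-CCITT (poly 0x1021, init 0xFFFF) over the
rest. The PMU allowlist, frames and log format below are constructed for the example."""
import struct

ALLOWED_PMU_IDS = {1, 2}  # constructed: IDCODEs of the PMUs behind this gateway
DATA_FRAME = 0            # frame type (bits 6-4 of SYNC byte 2): 0 = data frame
HEADER_LEN = 14           # SYNC(2) FRAMESIZE(2) IDCODE(2) SOC(4) FRACSEC(4)

def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used for the C37.118 CHK field."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def build_frame(idcode: int, payload: bytes, frame_type: int = DATA_FRAME,
                soc: int = 1407715200, fracsec: int = 0) -> bytes:
    """Assemble a frame with a valid CHK (used here only to construct inputs)."""
    size = HEADER_LEN + len(payload) + 2
    body = bytes([0xAA, (frame_type << 4) | 1])  # version 1
    body += struct.pack(">HHII", size, idcode, soc, fracsec) + payload
    return body + struct.pack(">H", crc_ccitt(body))

def check_frame(frame: bytes):
    """Decide whether the gateway forwards a frame; return (accept, reason)."""
    if len(frame) < HEADER_LEN + 2 or frame[0] != 0xAA:
        return False, "bad SYNC or truncated frame"
    size, idcode = struct.unpack(">HH", frame[2:6])
    if size != len(frame):
        return False, f"FRAMESIZE {size} != actual length {len(frame)}"
    # CHK catches corruption or naive tampering; authentication is the job of the fabric's AAA/TLS layers.
    if crc_ccitt(frame[:-2]) != struct.unpack(">H", frame[-2:])[0]:
        return False, "CHK mismatch"
    frame_type = (frame[1] >> 4) & 0x7
    if frame_type != DATA_FRAME:
        return False, f"frame type {frame_type} not allowed PMU-to-client"
    if idcode not in ALLOWED_PMU_IDS:
        return False, f"IDCODE {idcode} not in PMU allowlist"
    return True, "ok"

def filter_frames(frames):
    """Forward accepted frames; emit one SIEM-style log line per dropped frame."""
    forwarded, log = [], []
    for i, frame in enumerate(frames):
        accepted, reason = check_frame(frame)
        if accepted:
            forwarded.append(frame)
        else:
            log.append(f"gateway: dropped frame {i}: {reason}")
    return forwarded, log
```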


ICS-ALERT-14-176-02: ICS Focused Malware campaign that uses multiple vectors for infection (June 2014)

Spam Email
– Mail GW and/or Whitelisting prevent malware execution on managed endpoints in the industrial space

Exploit kits
– Cannot execute due to Application Whitelisting and Configuration Mgmt

Malicious Updaters from compromised vendor sites
– Handled through secure McAfee Software Update infrastructure for Partner Companies

If the malware has been installed
– Detect the malicious traffic before it leaves the device and notify
– Block with the traditional network sensors (Nextgen FW, etc) and notify
– Revealed in ESM, and then in the Device Mgmt Console for


Bridging IT and OT Protection

Proven Security Adapted for New Intelligent Operations

Integrated Embedded Security…
• McAfee Deep Command, Application/Change Control/Whitelisting, encryption
• Wind River OS/Hypervisor/IDP security/encryption
• Intel HW-assisted security/encryption

with Secure Communication…
• Intel Intelligent Gateways
• IPS/Firewalls/TLS/AAA
• 3rd Party SIA Firewalls & Protocol Filters

Comprehensively Monitored & Managed
• McAfee ePolicy Orchestrator (ePO)
• McAfee Enterprise Security Management (ESM/Analytics)


Marvin Griff

Partner, Energy & Natural Resources, Husch Blackwell
202.378.2311
[email protected]
huschblackwell.com


CYBERSECURITY – A CONTINUING PROBLEM

• Cybersecurity has been a growing focus and concern over the past decade.
• Power providers reported new attacks on the transmission grid:
– An attack on a Saudi Arabian oil company in the summer of 2012 wiped data from 30,000 computers.
– MISO breach in June.
• July study released by Unisys said 67% had at least one security compromise over the last 12 months leading to loss of confidential information or operations disruption caused by:
– Negligent employees (47% of respondents), many with privileged access.
– External attack (28% of respondents).
– Limited preparedness:
• Most said their firms’ cybersecurity programs had limited ability to ward off attacks.
• Large majority said cybersecurity not a top corporate priority within their company.
– Most indicated little faith in government regulations or industry standards to address risks effectively.


OVERVIEW - TEXAS

Cybersecurity for the electric sector traditionally has been a concern that was addressed at the federal level by the Federal Energy Regulatory Commission (FERC) through the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards, which focus on the bulk electric system, that is, the transmission portion of the grid.

The Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and FERC with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards, including those for cybersecurity for the remainder of the electric grid.

Since 2009, the state of Texas has taken a significantly greater role in grid cybersecurity, with a


OVERVIEW - FEDERAL

• The electric power industry is the only critical infrastructure industry in the US with mandatory and enforceable cyber standards.
• Protecting the grid is a mandate under the Energy Policy Act of 2005 (EPAct 2005).
• The Federal Energy Regulatory Commission (FERC) has the authority to oversee the reliability of the bulk power system.


EPACT 2005 AND THE ELECTRIC RELIABILITY ORGANIZATION

EPAct 2005 created the Electric Reliability Organization (ERO).

The North American Electric Reliability Corporation (NERC) was designated as the ERO in 2006 in Order No. 672.

NERC worked with electric power industry experts to develop the NERC Critical Infrastructure Protection (CIP) standards CIP-002 through CIP-009.

Since 2008, the standards have been


FERC AND THE ERO

FERC may approve proposed reliability standards or modifications.
• No authority to modify proposed standards.
• But FERC may direct the ERO to submit a proposed standard or modification.

FERC jurisdiction limited to the "bulk power system" under the Federal Power Act (FPA). Exclusions include:
• Facilities used for local distribution, any facilities in Alaska and Hawaii. Much of the smart grid equipment will be installed on distribution facilities and won’t be under FERC's jurisdiction.
• Virtually all the grid facilities in certain large cities, such as New York, not covered by


CIP RELIABILITY STANDARDS

Development of reliability standards involving cyber security:
• The first versions of CIP standards announced in 2006.
• CIP‐002 through CIP‐009 approved by FERC in 2008 (Order No. 706).
• The standards have been updated to address evolving cyber threats.

The CIP Standards address assets essential to the operation of identified bulk power system critical infrastructure termed “Critical Cyber Assets” - such as:
• control centers
• control systems
• transmission substations


CIP RELIABILITY STANDARDS

(continued)

Identified “Critical Cyber Assets” must receive full CIP protections including:
• cyber protections.
• physical protections.
• cyber and physical access limitations.
• security training for appropriate personnel.
• development and implementation of incident response and asset recovery plans.

Compliance history of CIP Reliability Standards is problematic:
• CIP Reliability Standards by far


Polling Question

Violations of Reliability Standards are punishable by per violation, per day fines of up to:
a) $5,000
b) $50,000
c) $100,000
d) $500,000


ORDER NO. 706 (January 18, 2008)

Established eight CIP Reliability Standards (CIP-002 through CIP-009); replaced prior voluntary cyber security standards.

Required "risk-based" vulnerability assessment methodology for cyber assets.

Once cyber assets identified, responsible entities required to:
– establish plans to safeguard physical and electronic access
– train personnel
– report security incidents and be prepared for recovery actions


ORDER NO. 761 (April 19, 2012)

FERC revised the standards for identifying cyber assets: “[it] is a step towards full compliance with Order 706.”

Replaced NERC’s risk‐based approach with “bright‐line” criteria. Covers control centers, transmission facilities, generating facilities, flexible AC transmission systems and special protection systems.

FERC established deadline for NERC to submit reliability standards fully compliant with


“Find, Fix, Track and Report” ORDER (June 20, 2013)

• FERC accepted NERC Find, Fix, Track and Report (FFT) program. Under which:
– Permits informational filings of lesser-risk, remediated possible violations.
– Only possible violations that pose a minimal risk are eligible for FFT treatment.
– Allows NERC to focus resources on issues posing greater risk to reliability.
– Rejected proposal to remove requirement that senior officers certify completion of remediation.
• FFT program allowed NERC to reduce issues dating prior to 2011 by


Order No. 791 (November 22, 2013)

Approved the Version 5 CIP Reliability Standards (CIP‐002 through CIP‐009).

FERC rejected NERC‐advocated move away from “zero tolerance” to a more flexible standard of requiring entities to “identify, assess, and correct” violations.

The new CIP standards will require major changes for registered entities. All “Bulk Electric System (BES) Cyber Assets” will receive some level of protection related to the importance of their associated facilities.
• Addresses Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for Bulk Electric Cyber Systems, Configuration Change Management and Vulnerability Assessments.
• New approach for identifying bulk electric system (BES) Cyber Systems ‐‐ Low, Medium, or High Impact.
• Level of CIP protections required by the Version 5 Standards depends on the risk classification of the relevant BES Cyber Systems.
• Requires, at minimum, all BES Cyber Systems to be categorized as Low Impact.

High and Medium Impact asset requirements compliance by April 1, 2016; 36 months for Low Impact assets.

The expansion of requirements for Low Impact systems and assets will be a time‐intensive


CYBERSECURITY FRAMEWORK (February 12, 2014)

NIST unveiled the Cybersecurity Framework for reducing cyber risks to critical infrastructure. The voluntary framework is intended to reduce cybersecurity threats and vulnerabilities through a risk‐based approach to improve cybersecurity practices.

Origins in President Obama’s February 2013 Executive Order 13636 for Improving Critical Infrastructure Cybersecurity.

Expected to be a first step in a continuous process to improve the nation's cybersecurity to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use.


Questions?

Milton Holloway

CCET

[email protected]

Lorie Wigle

McAfee a Division of Intel Security

@LWigle

Marvin Griff

Husch Blackwell
