Centralized Threat Management

Size: px

Start display at page:

Download "Centralized Threat Management"

Joshua Bishop
6 years ago
Views:

1 Centralized Threat Management Integrating IT, OT, and Physical Security Events for Enterprise-Wide Situational Awareness Ralph E. King Principal Project Leader European Engagement Summit April 29, 2015

2 EPRI s Cyber Security and Privacy Program: Cyber Security Technology Projects for 2015: Protective Measures Network Management Systems DNP3 Secure Authentication v5 Managing Cyber Incidents Integrated Security Operations Center Integrated Threat Analysis Framework Security Incident Management Task Force 2

3 Centralized Threat Management Integrated Security Operations Center

4 Integrated Security Operations Center 2015 Project Plan (Base Program) 2014 Report: Guidelines for Integration of Control Center Systems into an ISOC ISOC Architecture & Lab Testbed for Substations Use Cases for Substation Domain 2013 Report: Guidelines for Planning an Integrated Operations Center Report: Guidelines for Integration of Substations and Field Devices into an ISOC Technology Transfer Workshop 4

5 ISOC Conceptual Architecture 5

6 Security Event Sources IT Security Events Servers Network Devices Firewalls Intrusion Prevention VPN / Remote Access Operational Security Events SCADA Smart Meters Substation Devices ISOC Security Events Physical Security Events Personnel Monitoring Cameras Fire Alarms Building Automation Badge Readers Grid Operations Events? 6

7 Examples of Correlated Alarms in an ISOC An employee has logged into a SCADA workstation in the Control Center. The Physical Access Control System badge credentials to access the Control Center do not match the login credentials from the Identity Management System. An IT employee logs in remotely to perform maintenance on the Historian database. No work order exists in the Work Management System for this work to be performed. The ISOC is alerted that a USB drive being plugged into a field device at the substation. The physical security monitoring center is alerted of a cut fence and an unauthorized person on the grounds of a substation. 7

High-Level Data Flow for Substation and Field

Devices Mediation Device Logging, normalization, &

8 High-Level Data Flow for Substation and Field Systems ISOC SIEM Regions Region 1 Region 2 Region 3 Region (n) Locations Location 3a Location 3b Operational Devices IT Devices Physical Security Devices Mediation Device Logging, normalization, & aggregation Forward data to SIEM Store logs Buffering capability 8

9 EPRI Cyber Security Lab/Smart Grid Substation Lab Example Test bed: Architecture for FirstEnergy TSOC Project CSRL Security Information & Event Management (SIEM) ArcSight LogRythm Splunk Cooper Cybectec GE D60 Radiflow Honeywell HD4MWI Honeywell HDZ20H Honeywell H4D1FR Honeywell H4D2F Region 1 Door Contacts Ruggedcom 2100 Cisco CGR-2010 Honeywell HDZ20H FLIR A310pt Boomerang Ballistic SW FLIR 064Y2 Location 1A SEL 3622 Cisco CGS-2520 TrendNet TPE-1020 Badge Readers PW-6000 SGSL SEL 3620 Cisco MP 9

10 Mediation Device Example Radiflow 3180 Gateway Single source from the location (Substation) to SIEM Single aggregation point for (IT, OT, PS) devices Cost reduction for SIEM tool (one interface for gateway vs. each device) Store and forward real time data from devices Support NERC CIP substation device monitoring requirement Ability to forward messages in common format Multiple Interface to support IP, Serial connectivity Made minimal device modifications to meet FE requirements Function as a syslog server Log and store inbound and out bound data Ability to apply pattern matching and filtering to inbound messages Support (syslog, auditlog, ascii txt) messages 10

11 Radiflow Message Handling 11

12 Radiflow Message Handling 12

13 Security Cameras 13

14 Ballistic Detection Simulator 14

Surgically knocked out 17 giant transformers Rerouted power to avoid blackout

15 PG&E Metcalf Substation Attack April 2013 Wall Street Journal Article (February 4, 2014) Shooting occurred for 19 Minutes Telephone cables were cut Surgically knocked out 17 giant transformers Rerouted power to avoid blackout Police arrived 1 minute after shooters disappeared 27 days to repair and restore system 15

Integrated Threat Analysis Framework (ITAF) New EPRI Supplemental Project Addresses the barriers in correlating security and grid operations

16 Integrated Threat Analysis Framework (ITAF) New EPRI Supplemental Project Addresses the barriers in correlating security and grid operations events Integration between Cyber Security, Physical Security, and Grid Operations Currently in Project Initiation Phase Plan full launch by May 4 16

17 ISOC + Grid Operations Events = ITAF IT Security Events Network Device Logs IT System Logs Business Systems Behavioral Learning Appliances Industrial Security Appliances OT Security Events Control Center Systems Substation Gateways Field Devices Physical Security Systems Threat and Vulnerability Information Sources Log and Event Aggregation Correlation Engine Grid Operations Events Field Network Operations Center Reporting Security Information and Event Management (SIEM) 17

18 Substations Comm Utility Staff Data & Information Flow for Power Systems Data Grid Operations GO Alert Security Operations GM Alert Grid Maintenance GO SO GM One or More Data Buses Sub 1 Sub 2 Sub 3 Sub 4 Integration happens at the Utility Staff level Validated data is sent to Security Operations (SO) and security confirmation is sent back to GO and GM 18

Integrated Event Analysis Framework (ITAF) Objectives and Scope Address the barriers to integrating power system operations events into a security operations center by: Developing security event

19 Integrated Event Analysis Framework (ITAF) Objectives and Scope Address the barriers to integrating power system operations events into a security operations center by: Developing security event scenarios Identifying operational and asset condition data sources to support event detection Developing an event analysis framework Testing scenario detection in EPRI s lab as well as utility host sites Value Centralizes threat analysis for security and grid operations for significantly improved threat response Details and Contact Price: - Level 1: $50,000 - Level 2: $75,000 Project will start in 2015 Ralph King, Principle Technical Leader reking@epri.com, (865) To Join, contact ICCS Technical Advisor: Scott Sternfeld ssternfeld@epri.com, (843) SPN Number: Address the barriers in correlating security and operations events 19

Applications of the IEC 62351-7 Standard 3002003738 Guidelines for Integrating Control Center Systems Into an Integrated

20 2014 Cyber Security Technologies Reports Report Title DNP3 (IEEE Std 1815TM) Secure Authentication: Implementation and Migration Guide and Demonstration Report Product ID Network System Management: Implementations and Applications of the IEC Standard Guidelines for Integrating Control Center Systems Into an Integrated Security Operations Center How to download EPRI Reports: 1. Go to 2. Type the Product ID in the Search Bar 20

21 Together Shaping the Future of Electricity 21

Secure Remote Substation Access Interest Group Kickoff Meeting

Secure Remote Substation Access Interest Group Kickoff Meeting June 5, 2013 Scott Sternfeld, Project Manager Smart Grid Substation & Cyber Security Research Labs ssternfeld@epri.com Utility co-chair: John