Security in grid control centers: Spectrum Power TM Cyber Security

Transcription

1 Security in grid control centers: Spectrum Power TM Cyber Security Thomas Schmidt, Information Security Manager siemens.at/future-of-energy

2 Spectrum Power TM 7 Historical Information System Table of content Motivation Collection, Storage and Processing Cyber Security Standards Security challenge in Smart Grids (Patch Management, Communication Page 2

3 Motivation Control Centers are critical infrastructures Threats from outside by cross linking of various system components Threats from inside by own staff based on inadequate administration of user privileges Smart Grids are raising complexity and cross linkage Page 3

4 Motivation: Threats from outside Drivers for the Importance of Cyber Siemens Number and Severity of Attacks increasing Cyber-Attack Against Ukrainian Critical Infrastructure ((IR-ALERT-H ) Australian Sewage Spill, 2000 SQL-Slammer impacts US power plant control in 2003 Publicly announced vulnerability in SCADA protocol (ICCP) in 2006 Page 4

5 Motivation: Threats from inside Drivers for the Importance of Cyber Siemens Threats from inside the company Risks inside People leaving the company Any time an employee leaves the company, all access rights have to be removed, facility access and PKI cards have to be retrieved and deactivated Insufficient security awareness Social engineering Dissatisfied staff Page 5

6 Cyber Security Standards As a supplier of a broad range of products, systems and solutions to electric power transmission and distribution organizations around the world, we keep a close watch on existing and emerging standards worldwide. These include: NERC CIP standards in North America IEC TC57 WG15 (Control System - Data and Communication Security) ISO/IEC (Common Criteria) ISO/IEC 27002:2005 (formerly ISO/IEC 17799) various NIST and other security-related standards and recommendations BDEW Whitepaper and other European security-related standards and recommendations Siemens and S-CERT employees are active in these organizations. Security Requirements of EA Products are based on those standards Page 6

7 Integrated in lifecycle Integrated part of the complete product/system Lifecycle All phases of the product lifecycle include security Security requirements Security tests as mandatory in the concept phase Secure coding guidelines Security tests as mandatory part of the system test Page 7

8 Integrated in lifecycle Integrated part of the complete product/system Lifecycle Security test through independent testers FAT/SAT have to include security tests Cyber Vulnerability assessments as service for customer Staff (development and operations) are trained on security Page 8

9 Smart Grid Scope Large and Flexible Generation Distributed Generation Transmission & Distribution Control Center Storage Industrial & Residential Electro Mobility Page 9

10 Security challenge in Smart Grids New challenges with proven technology Interaction of many different vulnerable devices Any connection to the outside world increases the risk Isolated (secure) devices get vulnerable by interconnecting them New challenges by interconnecting end customers A complex infrastructure generate complex tasks Page 10

11 Potential Attacks for Smart Grid Applications Generation / DER Misuse of local administrative rights Distribution and Transmission Falsified status information in widely dispersed locations may limit the power flow. Page 11 Customer Prosumer behavior tracking, e.g., through smart meters Fraud through smart meter manipulation Market Fraud based on falsified offers and contracts (Customer, Utilities, DNOs, ) Operation Unauthorized remote service access

12 Patch management: To-Dos Patch-Management to do Interconnected systems increase the risk Systems have to be up-to-date Latest release Test system available Disaster recovery working Concept of patch management Workflow clear (who does what?) Staff available Page 12

13 Security Patch-Management Steps Working steps Notification by 3 rd party vendor (Oracle, Microsoft, ) Verification and relevance check by Siemens Test on standard system Release and Information Bulletin Test on Customer reference system Installation on customer (test) system Test on customer system Release by customer Page 13

14 SCADA Secure Communication: Secure Communication All System communication has to be encrypted Certificate Management Spectrum Power encrypts internal communication Support for encryption also at external interfaces available ICCP Sec and IEC Sec are supported Support of two factor authentication Page 14

15 Contact Thomas Schmidt Siemens Aktiengesellschaft Österreich RC-AT EM DG SWS GC NMS Ruthnergasse Wien, Österreich Tel.: Fax: Mobil: mailto:thomas.w.schmidt@siemens.com Page 15