Energy Control Systems Cybersecurity Considerations

Transcription

1 Track 4 Session 5 Energy Control Systems Cybersecurity Considerations Daryl Haegley Office of the Assistant Secretary of Defense (Energy, Installations, & Environment) August Rhode Island Convention Center Providence, Rhode Island

2 UNCLASSIFIED Cyber Securing Control Systems

3 Smart Buildings, Energy Managers & Cyber Security SMART Buildings, Cars, Cities, and Beyond 3

4 //FOUO Cyber Vulnerabilities in Power Grid Information Technologies (IT) Power Marketing Administration (4) Balancing Authority (100) Control Systems (CS) 15,700 stations Trans. 642,000 miles Subst. 140,000 stations Distr. 6,300,000 miles Subst. Source: eia.gov Utility fiber Internet Power Regional Transmission Organization (15) Utility Control Center Expanding Attack Surface Wholesale power market Utility Headquarters (3200) Power Plant (7300) Cyber vulnerabilities Market vulnerabilities Conventional network attacks Internet-connected devices DHS Vulnerable protocols Building automation Smart grid DoD

5 Advanced Metering Infrastructure (AMI) Building Automation Systems Building Management Control Systems CO2 Monitoring Digital Signage Systems Closed Circuit Television (CCTV) Surveillance Systems Digital Video Management Systems Electronic Security Systems Emergency Management Systems Energy Management Systems Exterior Lighting Control Systems Fire Alarm Systems Fire Sprinkler Systems Interior Lighting Control Systems Intrusion Detection Systems Physical Access Control Systems Public Safety/Land Mobile Radios Renewable Energy Geothermal Systems Renewable Energy Photo Voltaic Systems Shade Control Systems Smoke and Purge Systems Vertical Transport System (Elevators and Escalators) Laboratory Instrument Control Systems Laboratory Information Management Systems (LIMS) Control Systems Configuration options: Stand alone / isolated = not on DoD network Connected directly to the Internet = not on DoD network Connected to DoD network = could be on or isolated from NIPRNET

6 Buildings UNCLASSIFIED Weapon Platforms Operational Energy Electrical and HVAC Pumps and Motors Nuclear Vehicles/Charging Medical Typical Controller Manufacturing Same Commercial Control System Device Installed Across DoD Enterprise

7 What s in Your Building? Fire Sprinkler System Interior Lighting Control Intrusion Detection Land Mobile Radios Renewable Energy Photo Voltaic Systems Shade Control System Smoke and Purge Physical Access Control Vertical Transport System (Elevators and Escalators) Advanced Metering Infrastructure Building Automation System Building Management Control CCTV Surveillance System CO2 Monitoring Digital Signage Systems Electronic Security System Emergency Management System Energy Management System Exterior Lighting Control Systems Fire Alarm System SECURITY Info Sys Control Systems # devices 50,000 40,000 30,000 20,000 10,000 0 Independently Managed, Resourced, Tech-refreshed 7

8 Current Obstacles Not considered / managed like Information Systems Cyber Tech buy, refresh unplanned & unfunded Neither CIO nor Facility Managers are trained or staffed to manage CS cyber security Defense wide vulnerability alerts / patch management procedures in progress Many vendors emerging need sensor strategy for CS networks "We can't solve problems by using the same kind of thinking we used when we created them." A Einstein 8

9 Relevant Policies via OASD EI&E Website RMF KS Portal GRASSMARLIN passive network mapping tool = DHS ICS CERT CSET DoDI Cybersecurity 14Mar14 DoDI Risk Management Framework 12Mar14 DoDI Cybersecurity Activities Support to DoD Information Network Operations 7Mar16 NIST SP r2 Guide to Industrial Control Systems (ICS) Security May15 Recent Cybersecurity Rules Applying to Control Systems Register for notification of specific threats and cyber vulnerabilities affecting control systems through the DHS ICS CERT secure portal 9

10 ASD EI&E Memo 31 Mar 16 Affirms "the system owners/operators are accountable for the system s operational resilience and defense posture, to include cybersecurity and are responsible for securing their IT networks, systems and devices" Directs staffs develop plans identifying the goals, milestones and resources needed to identify, register, and implement cyber security controls on DoD facility related Control Systems under your cognizance Plans due 31Dec 16; implement cybersecurity controls on most critical facility related control systems by end FY19 10

11 Facility, Site, Asset Control System 500 Installations 4,000 Sites 550,000 Facilities

12 System & Device Ownership???,000 Intrusion Attempts Per / hr 250,000 Intrusion Attempts Per / hr Which Do You Depend Upon More? Which Do you Own? 12

13 CYBER ATTACK UNCLASSIFIED Mission Dependency Analysis OFF COMMS OUT OFF Down Systems OFF Delays LOGISITCS PROBLEMS LATE TO THE FIGHT Cyber-Landscape Needs to Include Control Systems 13

14 NDAA Language Cybersecurity Risk to DoD Facilities DoD facilities transitioning to smart buildings; increased connectivity has increased threat and vulnerability to cyber attacks, particularly in ways existing DoD regulations were not designed to consider. Therefore, SECDEF deliver a report: (1) Structural risks inherent in control systems and networks, and potential consequences associated with compromise through a cyber event; (2) Assesses the current vulnerabilities to cyber attack initiated through Control Systems (CS) at DoD installations worldwide, determining risk mitigation actions for current and future implementation; (3) Propose a common, DoD wide implementation plan to upgrade & improve security of CS and networks to mitigate identified risks; (4) Assesses DoD construction directives, regulations, and instructions; require the consideration of cybersecurity vulnerabilities and cyber risk in preconstruction design processes and requirements development processes for military construction projects; and (5) Assess capabilities of Army Corps of Engineers, Naval Facilities Engineering Command, Air Force Civil Engineer Center, and other construction agents, as well as participating stakeholders, to identify and mitigate full spectrum cyber enabled risk to new facilities and major renovations. CS include, but are not limited to, Supervisory Control and Data Acquisition Systems, Building Automation Systems Utility Monitoring and Energy Management and Control Systems. Such report shall include an estimated budget for the implementation plan, and delivered no later than 180 days after the date of the enactment of this Act.

15 8-star letter! Include CS in scorecard Invest in detection tools 7x cyber incidents 15

16 UFC Objectives 1. Define new Design and Construction Methodology to apply RMF & NIST SP ICS Security Guide 2. Define IT / CS Reference Architecture as it applies to Control Systems 3. Verify 50-75% construction: conduct Factory Acceptance Testing (FAT) of major components Final Version by 30 August Verify 100% construction complete: conduct Site Acceptance Testing (SAT)

17

18 Energy Consumption Data Building Level Base Level Power plants, peaking plants, and combined heat and power (CHP) plants for multiple installation-level loads Large-scale renewable energy where viable to provide base load Generators for individual critical facilities Usage or Criticality? Regional / Enterprise Level T or F: All Energy Data is UNCLAS

19 Mission Functions Requiring Emergency Generators Medical treatment facilities Air navigation aids and facilities Refrigerated storage rooms POL storage and dispensing facilities Critical utility plants and systems Civil engineer control centers Communication facilities and telephone exchanges Fire stations, including fire alarm, fire control, and radio equipment Critical computer automatic data processing facilities Air traffic control towers Base weather stations Surveillance and warning facilities Command and control facilities Weapon systems Security lighting systems Aircraft and aircrew alert facilities Law enforcement and security facilities Emergency operations centers (EOCs) Mission, property, and life support facilities at remote and not readily accessible sites, such as split site aircraft warning and surveillance installations Industrial facilities that have noxious fumes requiring removal provide power for exhaust system only Readiness facilities relying on electrical power to support tactical or critical missions Photographic laboratories providing critical and essential support to combat and contingency tactical missions Other facilities, including facilities required for emergency response, approved by the Authority Having Jurisdiction (AHJ). Note: Some installations have contingency plans in place that transfer the function to an alternate location in the event something disrupts the operation of a single facility for emergency response 19

20 DoD Critical Infrastructure Security Information DoD critical infrastructure security information Sensitive but unclassified information that, if disclosed, would reveal vulnerabilities in DoD critical infrastructure that, if exploited, would likely result in the significant disruption, destruction, or damage of or to DoD operations, property, or facilities Include information related to critical infrastructure or protected systems owned or operated by or on behalf of the DoD, including vulnerability assessments prepared by or on behalf of the DoD, explosives safety information (including storage and handling), and other site-specific information on or relating to installation security." 20

21

22 System / Device Accountability Key ENERGY MONITORING and CONTROL SYSTEM FACILITY POINT OF CONNECTION Supervisory Controller Control Center (The Building) Computers Supervisory Controller Operational Server Network Time Synch Access Control System Firewall Appliance Network Switches Monitor/Keyboard/Mouse Virtualized Server Host Intrusion detection/prevention Storage Area Network (SAN) Uninterruptable Power Supply Communication Lines Linear Structure Asset (only EMCS traffic) Installation Router aka: Network Device Internal Use Software on Servers and network components Real Property Real Property Installed Equipment (RPIE) Personal Property / Collateral Equipment Ethernet Radio (only EMCS traffic) Ethernet Radio (only EMCS traffic) BUILDING / UTILITY CONTROL SYSTEM Part of thefacility s PRC Sensors Actuators Internal Use Software on DDC components DDC Direct Digital Controls Sensors Actuators Internal Use Software on SCADA components SCADA Supervisory Control and Data Acquisition AMI Meter Supervisory Controller Ethernet Radio Electrical System Protective Relay Camera Utility system monitoring camera

23 Many Completely Vendor Run 23

24 My Control Systems are Secure Kaspersky Lab report: Industrial Control Systems and Their Online Availability, discovered 188,019 hosts with ICS components, spread across 170 countries percent of public facing ics components are remotely exploitable/119142/ 24

25 Shodan 25

26 Never Attribute Evil When Stupid is Still Available

27 Shodan ICS Radar Energy System Protocols radar.shodan.io/ 27

28 Discovered Via Shodan Now Resolved Military Base -TridiumNiagara zzz Military HQ zzz Joint Military Base zzz VA Care Center zzz.static.net VA Medical Center t1.ccctel.net West Point Alumni Center zzz Military Hospital zzz Military Base Fuel Cell zzz Military Base Headquarters zzz Military Base Squadron Operations zzz Military Base Hangar zzz Military Base General Maintenance Facility zzz Military Base Multipurpose zzz Military Base Civil Engineering zzz Military Base Supply zzz Military Base Vehicle Maintenance zzz Military Base Flight Simulator zzz Military Base Deployment zzz Military Base ENT Server zzz Military Base zzz

29 Never Attribute Evil When Stupid is Still Available 29

30 DoD IG Audit Determine whether DoD is implementing cybersecurity controls to protect, detect, counter and mitigate potential cyber attacks on control systems supporting DoD critical missions / assets. Visit 5 Sites: Aug-Nov 16 Discussion draft: Dec 16 Draft report: Feb 17 Final report: Apr 17 30

31 Cyber Threat Focus Toward Energy Systems Information Technology 2% Transportation 5% Unknown 2% Chemical 2% Commercial Facilities 3% Nuclear 2% Communications 6% Major Incidents Reported in FY14 Health Care 6% Water 6% Government Facilities 5% Food & Ag 1% Finanace 1% Energy 32% Source: DHS ICS CERT FY14 Annual Report Critical Manufacturin g 27%

32 Potential CS Exploitation Paths 32

33 Building Systems and Technology Solutions UNCLASSIFIED Facilities Energy Management Competencies Apply fundamentals of building energy systems & facility management technologies to support compliance with applicable energy codes, Federal requirements, & professional standards. 6.A Collaborate with stakeholders on the planning and design of sustainable building systems to optimize building performance while balancing human and mission needs. 6.B Serve as subject matter expert on current technologies, codes and regulations to identify, evaluate, and recommend technologies and/or energy reduction solutions. 6.C Interact with the energy management community and provide lessons learned/best practices on operational and financial performance of technologies. 6.D Collaborate with Information Assurance / Cyber Security personnel to ensure Industrial Control Systems comply with DoD Information Technology requirements. 6.E Advise on technical design standards specific to the installation to provide designers with project sustainability guidelines. 6.F Support emerging technologies and innovative acquisition strategies, if and where appropriate, to expedite technology adoption and advance energy performance. Very Limited Cyber Role How Much is Enough? 33

34 Solutions / Discussion Build cyber security into your smart building network design criteria Ensure awareness of cyber security policies and standard operating procedures Collaborate with all relevant stakeholders & contractors Best practices & guidelines RMF KS Portal Daryl Haegley daryl.r.haegley.civ@osd.mil 34

35 Industrial Security Advisory: Ransomware Masquerading as Allen-Bradley Update Rockwell Automation learned about malicious file called Allenbradleyupdate.zip NOT an official update from Rockwell Automation File contains ransomware malware that, if successfully installed and launched, may compromise the victim s computer 35

36 36