Communications and Cyber Security

Transcription

1 Communications and Cyber Security Satya Gupta Head(IT) & CISO Tata Power Delhi Distribution Ltd 10 th March 2017

2 Tata Power-DDL BUSINESS OVERVIEW Parameter Values (Jul'02) Values (Mar'16) AT&C Loss 53.10% 8.88% Annual Energy Requirement 970 MW 1791 MW Total Registered Customers 7 Lakhs 15.3 Lakhs Number of Employees Joint Venture of Tata Power Company and Govt. of NCT of Delhi (51: 49) Licensed for distribution of power in North and North West Delhi Certifications : ISO 9001, 14001, 27001, 22301, 31000, SA 8000 & OHSAS Turnover Area INR 6174 Crs 510 SQ KMS

3 TPDDL Turnaround Story-Brief Snapshot What TPDDL had inherited Current scenario AT&C losses: > 50% No concept of consumer service and IT interface Lack of performance orientation AT&C losses: 8.88 % Parameter UoM One stop solution: State-of-the-art Integrated Call Centers & Consumer Care Centers AT&C Losses % % System Reliability ASAI % % Electricity supply system on the Number verge of of collapse Employees Nos Number of Consumers Mln Remarkable improvement in System Reliability: DT losses <1% Performance orientation through Change Management & Balanced Scorecard Approach Multi-pronged approach adopted by Management to turnaround a traditional Government setup into a role model for private sector efficiency in only 10 years 3

4 Vision 2022

5 Industry s Shift Towards Smart Grid Power Sector s move towards Smart Grid Practices has resulted in steep rise in adoption of various advance IT & OT technologies. Communication technology plays a key role in the implementation of various Smart Grid Technologies. Robust Cyber Security practices are required to ensure all systems & services are up and running(24x7).

6 Communication a Key Enabler of Smart-Grid Smart Grid requires a robust and a two-way communication system. Applications like AMI, ADR, ADMS etc.. requires information to communicated on a real time basis. Communication system acts as the cornerstone for successful implementation of various Smart Grid applications. Any failure in ensuring an effective communication system will have severe impact on reliability and services.

7 TPDDL Communication System: Objectives TPDDL established its Communication Network (in FY ) across its area of operation ; to support Operational applications like SCADA/ Tele-protection / GIS /OMS/ Commercial and Billing applications Enterprise applications SAP CRM/ SAP BCM/SAP ERP, etc. TPDDL has upgraded its Communication Network support to TP-MPLS (in FY ) ; to forthcoming Smart grid applications such as AMI, EV charging stations, MWM, ADR and Integrated security solution etc.

8 TP-DDL Communication Landscape The Communications landscape consists of laying its own OFC network covering all main offices, data-centers, stores, district offices and Zonal Offices.

9 Redundant Communication Network DSIDC1 NARELA NARELA DO BAWANA WATER WORKS and Bawana DO POOTH KHURD GRID 2 DSIDC2 NARELA 2 BAWANA GRID- 6 RG-23 DSIDC A7, NARELA SGTN JAHANGIR PURI AIR KHAMPUR BADLI Grids Fiber Sub Ring Fiber Main Ring SUB Ring 5 STM 4 RG-22 RG-5 HDR PUR SUB Ring 4 STM 4 RG-6 RG-IV PP-1 2 Enterprise DATA 2 Enterprise and Grid VSNL VSNL Gateway for internet FIBER RING - TPDDL SHAKTI NAGAR DO GTK Grid 2 RG-3 SUB Ring 1 SHALIMAR 2 BAGH 2 PITAM PURA DO STM 4 2 RANIBAGH CCC PP III 2 2 RG-1 PP II WZP-I CORE RING MGP-II STM 16 SUB Ring 3 HUDSON LINES INDER PURI RG-II STM 4 MGP-1 2 VSNL PANDU NAGAR GULABI BAGH CIVIL LINES SUB Ring 2 STM 4 SHEHJADA BAGH SARASWATI GARDEN NEW ROHTAK ROAD PUSA ROAD RANIBAGH GRID WAZIRABAD RAMA ROAD NARAYANA PH-I Saraswati garden INDER VIHAR S PARK WZP-II AZAD PUR ROHTAK ROAD ASHOK VIHAR GRID RAM PURA 2 ASHOK VIHAR H BLOCK CCC 2 TRI NAGAR KESHAV PURAM DO

10 Adoption of Technology OFFICES TRANSCO Grid Stations Sub Transmission Grid Stations Distribution Stations CUSTOMERS WEB D A T A C E N T E R O N E D A T A C E N T E R T W O SAP-ISU (CRM/BILLING) SAP (PM/PS/MM/HR/FICO) AMR/PG/SPT BILL SCADA/ DMS/DA GIS OMS Call Centre COMMUNICATION NETWORK ISO 9001, ISO & BCMS (ISO 22301:2012) certified

11 Integrated Communications Architecture External Data Access Field Crew 3 rd Parties Customers Web Access Internet, HTTPS, VPN Back-Office & Operational Systems AMI Mgmt System T&D Management System Field Workforce Automation Ethernet LAN Control & Monitoring Centers Back Haul Communication Utility Wide Comm. Monitoring SA, DA T&D Equipment Microwave, SDH,MPLS,MPLS-TP, CE Neighborhood Aggregation Access Communication Monitoring, DA Monitoring AMI Local Field Comms Distribution Equipment WiFi, WiMax, PLC, RF Mesh, GSM, CDMA Meters & Premise Gateways Home Network Home /Customer Network 200kW Phosphoric Acid Fuel Cell DG PEV $ /kW Zigbee, Bluetooth, HomePlug The power plant in Santa Clara is rated at 1.8 MW AC net It contains more than 4,000 cells

12 Cyber Security-Vital for Survival Mail service on mobile and web(external/internal) Website Consumers accessing connection, reading, bill, payment details,etc. On line bill payment SMS services for consumers E-procurement Smart Grid Applications require to communicate with various field based devices IT & OT Integration for enhancing consumer experience FFA for improving field based operations

13 Cyber Security Challenges Highly exposed and distributed environment Technology Obsolescence Separate IT & OT Verticals with limited coordination Less awareness about cyber security practices among OT team members Cyber Security not considered during fundamental design phase Fast and constantly evolving nature of security risks Ever evolving standards, technologies, services, applications Increasing complexity of systems Mobile & Wireless Everywhere Heterogeneous Systems Multiple Interfaces

14 Cyber Security for Smart Grid Change in traditional scenario Grid automation systems use public networks due to lower costs Increases the vulnerability of grids to cyber attacks Classification of Attacks Component Wise Protocol Wise Field components like RTU are attacked through remote access Using communication protocols available in public domain, an intruder can reverse engineer the data acquisition protocols & exploit them Topology Wise Network topology vulnerability is exploited e.g. DOS attack

15 Strategies to detect & Mitigate Network Segmentation Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network Strict Role-Based Access Control Grants or denies access to resources based on job function Active Directory (AD) implements role-based user access control through group policies. Application Whitelisting Permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else Eliminates the execution of unknown executable, including malware

16 Multiple Layers of Security Firewall based security Intrusion Detection System Threat Management Gateway(Proxy Server) Demilitarized zone for all public portals Single sign-on Secure tunnel via two factor authentication for Remote Access Vulnerability assessment & Penetration Testing

17 Operationalizing Information Security Regular Review meeting of Information Security Council (ISC) for identifying new risks, mitigating them and discussing Incidents Involvement of Top Management Cyber Security Awareness through TIPS, Quiz, sessions etc. Involvement of all major departments like OT, HR, Finance, Administration, Safety, Legal, etc. in Council Annual Plan for review and implementation - - Review and update processes - Focus on creating awareness on IT Security - DR Drill at regular intervals - Pro-active approach before implementing any new solution System driven implementation of various policies Password & patch management, anti-virus, etc

18 Cyber Security Control Room EMS, NMS and SIEM generates huge logs. Cyber Security Control Room required for real time monitoring and analysis to decide and quickly take preventive and corrective actions in case of any event / incident and activating Emergency Response Team, if required

19 IT OT Technology Segregation at DCs ISP DC1 Segregation of IT & OT MUX ISP router (CENNET) DMZ Enterprise Router SCADA Router ISA 6509 Switch 4507 Switch SCADA Switch OMS Switch SAP/R3 Application servers CHECKPOINT (4800 series) Websense Ironport Exchange server Local LAN for CENNET Crystal Reports SCADA Servers OMS Servers Database Servers Mailbox IT Network OT Network 19

20 Risk Mitigation Penetration Testing followed by Grey Box testing, through CERT approved agency for all portals on public domain e.g. Website, Customer Portal, E-tendering, etc. to ensure that - Public portals are Secured to avoid hacking. - Consumer data remains confidential. Training team members to develop secure web enabled S/W s Robust Change Management Process for H/W & S/W Pro-active approach for Security of System before implementing any new solution in both IT & OT side

21 Best Practices at TPDDL ISO certification for both IT & OT Systems HR directly activates and de-activates mail-ids on joining and separation Revalidation of User ids, VPN access specially for critical roles or discontinuation of BA services Regur DR Drill for all critical applications, network, electrical equipment's, etc. n-1 for all elements i.e. IT Infra, Communication, Data Center, Application and Manpower Use of BitLocker Drive Encryption to protect hard disk on laptops to protect Enterprise Data Security Incidents handled by Information Security Council Measurement of Information Security parameters through Departmental Balanced Score Card 3/16/

22 THANK YOU