Securing the North American Electric Grid

Transcription

1 SESSION ID: TECH-R02 Securing the North American Electric Grid Marcus H. Sachs, P.E. SVP and CSO North American Electric Reliability

2 Critical Infrastructure s Common Denominator Most critical infrastructures depend on cyber networks for data exchange Likewise, the cyber infrastructures depend on the physical world for the movement of the data Fiber optic cables Copper wires Microwave and satellite systems But all infrastructures depend on electricity The power grid is the real common denominator 2

3 Energy Grids Energy was originally produced and consumed in the same geographic area Water power Gas and oil heat Electricity generators Since the mid-20th century, most nations have moved towards a grid-based system Energy management and distribution efficiencies are gained through grids Grid distribution systems also have vulnerabilities 3

4 US/Canadian Electric Power Grid The US/Canadian domestic power grid is divided into two major regions: The Eastern Interconnection The Western Interconnection...and three minor regions: The Alaska Interconnection The Québec Interconnection The Texas Interconnection 4

5 NERC Regional Entities and Interconnections Florida Reliability Coordinating Council Midwest Reliability Organization Northeast Power Coordinating Council, Inc. ReliabilityFirst Corporation SERC Reliability Corporation Southwest Power Pool, Inc. Texas Reliability Entity Western Electricity Coordinating Council 5

6 NERC Reliability Coordinators 6

7 Energy Balance Power Generated Power Imported Demand Power Exported Losses MW Daily Load Curve Hour Frequency in Hz 7

8 NERC Balancing Authorities 8

9 345kv+ US Electricity Grid 9

10 Electric Power Control Systems SCADA Supervisory Control and Data Acquisition EMS Energy Management System Also ECS - Energy Control System, TMS Transmission Management System GMS Generation Management System DCS Distributed Control System Distributed processing closer to inputs and outputs Generally, at a generating plant SA Substation Automation At a transmission substation DA Distribution Automation At a distribution substation or on a distribution pole top 10

11 Substation Automation Control System Source: gration%20considerations%20for%20large%20scale%20iec% %20systems.pdf (modified) 11

12 Control Rooms at Control Centers 12

13 Electricity Threat Landscape

14 Threat Defense/Mitigation

15 Most Common Threat Agents 15

16 Natural Threats - Lightning 16

17 Natural Threats Floods, Wind, Ice 17

18 Operational Threats Fire 18

19 Targeted Threats Pipe Bombs 19

20 Targeted Threats IEDs 20

21 Targeted Threats Gun Shots 21

22 Criminal Threats - Copper Theft 22

23 Cy bear Threats 23

24 Most Common Cyber Threat to Utilities 24

25 Some Cyber Threats Result in Power Loss 25

26 Notice to Customers of a Cyber Attack 26

27 Ukraine s Electric Grid 27

28 The Targets Four of a total of 23 Oblenergos in Ukraine, each primarily providing power distribution (as well as some generation and transmission functions) were targeted The attacks were synchronized and coordinated, and likely were preceded by extensive reconnaissance On December 23, 2015 breaker controls at three of the four electricity distribution providers came under remote control of the attackers The fourth provider thwarted the attack by removing remote access functionality 28

29 The Fourth Target One of the four victim Oblenergos did not lose power What did they do right? Weeks before the event, the Ukraine CERT ( issued a warning about malware being used to harvest credentials for falsifying remote access authentication The fourth Oblenergo acted on that information and removed remote access to their control systems Attackers were unable to gain remote access on December 23 rd This action reinforces the need for all entities to both share timely information, as well as act quickly on information received 29

30 Sequence of Events Pre Attack Nine months before the December 2015 event - Spear phishing Microsoft Office attachments Macros pulled down additional tools including BlackEnergy Additional similar phishing reported in January, 2016 November 21, Transmission towers blown up Months or weeks before the event Credential harvesting User names and passwords used to gain additional access and move laterally VPN logins using harvested credentials enabled remote access to control systems Unknown whether intruders use BlackEnergy or some other remote access program like DropBear or Kryptik 30

31 Defense Use Case TLP WHITE document Available to general public via 31

32 Prevention Recommendations Follow and implement industry best practices (Top 20 Controls) Develop and exercise contingency plans for safe shutdown Use application whitelisting (AWL) when available to detect and prevent attempted execution of unauthorized software HMI, historian, and similar systems are good candidates for AWL RTUs, PLCs, and similar devices may not be compatible with AWL Isolate ICS and SCADA networks from all untrusted networks, especially the Internet Turn off unused ports and services Reduce or eliminate any data paths between control networks and public networks Limit remote two-way access functionality as much as possible Use multi-factor authentication when remote access is necessary Audit and monitor any trusted external connections 32

33 Latest Issue: IoT Devices 33

34 Apply What You Have Learned Today Next week you should: Identify electric utility dependencies within your organization Identify any control systems in your organization In the first three months following this presentation you should: Develop plans for business continuity during lengthy power outages Examine your own control system perimeter for weaknesses Within six months you should: Hold at least one table-top exercise to work through a multi-day power outage Review your organization s business continuity plans and revise as needed 34

35 Learn More About Us! Sign up online at Download our how to guides Brochure Understanding Your E-ISAC Engaging the E-ISAC 35

36 36