Smart Grid Cybersecurity Committee. July 28, 2017

Transcription

1 Smart Grid Cybersecurity Committee July 28,

2 2017 Technical Program Smart Grid Cybersecurity Committee (SGCC) Working Group Meeting 2

3 Antitrust Guidelines for SEPA Meetings & Conferences The antitrust laws and other business laws apply to SEPA, its members, funders, and advisers; violations can lead to civil and criminal liability. SEPA is committed to full compliance, as well as to maintaining the highest ethical standards in all of our operations and activities. These guidelines apply to all occasions: before, during, and after SEPA meetings and conferences, including in the hallways, over lunch, cocktails and at dinner. SEPA'S MISSION is to facilitate the utility industry s smart transition to a clean energy future through education, research, standards, and collaboration. YOUR ROLE AT SEPA MEETINGS AND CONFERENCES varies based on what you are attending, but could include sharing information with and learning from peers, potential partners, and industry experts and/or to provide guidance to SEPA on its activities. Consult with your company counsel if at any time you believe discussions are touching on sensitive antitrust subjects such as pricing, bids, allocation of customers or territories, boycotts, tying arrangements and the like. DO NOT DISCUSS pricing, price terms, such as, for example, discount and credit policies, promotions, or product category pricing levels and industry pricing levels, production capacity, or cost information which is not publicly available; confidential market strategies or business plans; or other competitively sensitive information. Do not disparage suppliers and/or competitors of SEPA and/or SEPA Members and participants. BE ACCURATE, OBJECTIVE, AND FACTUAL in any discussions of goods and services offered in the market by others, including your competitors, suppliers, and customers. SEPA DOES NOT RECOMMEND the use of particular vendors, contractors or consultants. SEPA will not promote or endorse commercial products or services of third parties. You must draw your own conclusions and make your own choices independently. DO NOT AGREE WITH OTHERS to discriminate against or refuse to deal with (i.e., "boycott") a supplier; or to do business only on certain terms and conditions; or to set price, divide markets, or allocate customers. PLEASE BE AWARE that an agreement regarding price need not relate to a specific price, but may relate to levels, discounts policy, allowance policy, and other terms affecting price levels or movements and may be inferred from a discussion and ensuing conduct. DO NOT TRY TO INFLUENCE or advise others on their business decisions, and do not discuss yours (except to the extent that they are already public). ASK for advice from your own legal department, if you have questions about any aspect of these guidelines or about a particular situation or activity at SEPA; or ask the responsible SEPA manager to contact SEPA's Legal Counsel. 3

4 Agenda Working Group Updates SGCC Cyber-Physical Resiliency Subgroup Presentation Chair: Dr. Elizabeth Sisley, Calm Sunrise Consulting, LLC Vice Chair: Dr. Michael Cohen, MITRE Corp. OpenFMB Cybersecurity Aaron Smallwood, Directory Technology, SEPA SGCC Leadership Presentation: Public Key Infrastructure (PKI) PKI: All the Facts You Wanted to Know and Were Afraid to Ask Presentation by William T. Polk, Group Manager for Cryptographic Technology Group, National Institute of Standards and Technology (NIST) 4

5 Cyber-Physical Resiliency Chair: Dr. Elizabeth Sisley Vice-Chair: Dr. Michael Cohen 5

6 Cyber-Physical Resiliency Architecture/ Engineering Cyber-Physical Resiliency Cybersecurity Why SGCC (Smart Grid Cybersecurity Committee) and GAWG (Grid Architecture Working Group) both Sponsor Resiliency The Smart Grid needs not only sound architecture for functionality and cybersecurity for security, but also resilience to satisfy its high operational availability requirements. There are existing best practices and tools (and an opportunity to identify any gaps), that could be more widely used across system(s) lifecycle, to address the need for Cyber-Physical Resiliency. 6

7 What Problem Do We Have? Takeaway: The electric system is, for better or worse, of such size and complexity of: Stakeholders Decision-makers Changing Technologies that it will not stand still to be designed like a single systemof-systems, nor will there be a person or group of people charged with designing it as such. Resilience implies adaptability to change and improvement. It must also continue to operate in providing electricity while being under stress, attack, and upgrade. E.G. Continue to deliver electricity while sophisticated adversary is inside the system. 7

8 Resiliency Definitions Presidential Policy Directive 21 Critical Infrastructure Security and Resilience The term "resilience" means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. Traditionally this is Architecture/ Engineering The terms "secure" and "security" refers to reducing the risk to critical infrastructure by physical means or defensive cyber measures to intrusions, attacks, or the effects of natural or manmade disasters. Traditionally this is Cybersecurity Both Architecture/Engineering and Security are Necessary 8

9 Deliverables Phase 1 (launched Sept 29 th ): Catalog/Repository Identify Published Best Practices Inclusion Criteria Architecture/Engineering Cybersecurity Exclusion Criteria Webinar March 21 st : registered 207, attended 95 Will publish via SEPA process Phase 2 (just launching): Task 1: Identification of Smart Grid Resiliency Gaps Task 2: Prepare Resiliency Gap Filler Supplement to NISTIR 7628 Rev.1 Red text update from Tuesday s Grid Architecture Working Group 9

10 Inclusion Criteria: Lifecycle Focuses on resilience that is designed and engineered into the Cyber-Physical System (CPS) itself Designs the CPS to use evolving technologies, such as predictive self-healing, to allow systems to automatically fix themselves Designs the CPS to gracefully shut down, and implement fault tolerance mechanisms Design CPS to operate in degraded or alternative modes of operation, and recovery. Lessens the reliance of the CPS on external dependencies or mitigates the impacts of the loss of those dependencies 10

11 Architecture/Engineering: Inclusion Criteria Describes employment of all resilience strategies during CPS design and operations such as: Eliminating single points of failure and designing for fault tolerance Utilizing redundancy and diversity/heterogeneity Includes the use of analog or manual backups Design for Graceful Degradation 11

12 Cybersecurity: Inclusion Criteria Describes employment of all resilience strategies during CPS design and operations such as: NIST Framework functions: Identify, Protect, Detect, Respond, and Recover Anticipate, continue to operate correctly in the face of, recover from, and evolve to better adapt to advanced cyber threats Malware and forensic analysis Technical defense-in-depth Dynamic threat modeling 12

13 Exclusion Criteria Focuses exclusively on traditional IT Cybersecurity, addressed by e.g. NIST Rev 4, etc. Focuses exclusively on traditional physical security external to the system, e.g., guns, gates, and guards Focuses on IT supply chain risk management, addressed by e.g. NIST , NERC-013, etc. Focuses on external (to the CPS) organizational continuity of operations/disaster recovery processes and procedures. Reference them as related processes, such as Disaster Recovery Institute Best Practices, NIST , enterprise risk management manuals SP , -35 & -37, etc. 13

14 20+ List of Candidate Best Practices Systems Engineering INCOSE.org worldwide education: BS, MS, Ph.D. Systems Security Engineering An Integrated Approach to Building Trustworthy Resilient Systems Cyber-Physical Systems Framework NISTIR 7628 Rev 1 Cyber Resiliency Engineering Aid-The Updated Cyber Resiliency Engineering Framework and Guidance on Applying Cyber Resiliency Techniques CREDC: Cyber Resilient Energy Delivery Consortium IIC Security Framework Named Data Networks (NDN) and its applicability to critical and challenged networks MITRE-Developed Cyber Security and Resiliency Assessment Tools Intelligence Preparation for Operational Resilience (IPOR) CERT Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk CRR NIST Framework Crosswalk Cross-reference chart for how the NIST Cybersecurity Framework aligns to the Cyber Resilience Review (CRR) IEC TC57 WG15 - IEC Resilience and security for power systems with Distributed Energy Resources (DER) Stanford Seminar - Engineering Cyber Resiliency: A Pragmatic Approach - (references to power grid & tool) Cybersecurity Procurement Language for Energy Delivery Systems And more! 14

15 Catalog/Repository Attributes 1. Item Name (short) 8. Classify as Specify, Design, Build (Re-Engineer), Operate 2. Item Full Title 9. Short Description 3. URL 10. Attribute indicating whether the item contains Cybersecurity, or Architectural, or Both, specific to addressing resiliency and its cousins e.g. availability, reliability, fault-tolerance, etc. 4. Linked to Industry Standards 11. Context (specific technique, set of processes, framework, tool, etc.) 5. Content Owner 12. Maturity / Industry Acceptance Level of this Technique. (To show history include origination date and date of last modification) 6. Education: webinars, training/classes, degrees, etc. 7. Applicability to What Grid Domains 13. Attribute indicating whether the item contains Cybersecurity, or Architecture, or Both specific to addressing resiliency and its cousins e.g. availability, reliability, fault-tolerance, etc. Etc. 15

16 Phase 2 (just launching) Task 1: Identification of Smart Grid Resiliency Gaps Task 2: Prepare SEPA Resiliency [Gap Filler] Supplement to NISTIR 7628 Rev.1 NOTE: Call for Participation Details during Friday s 1:00-3:00 Smart Grid Cybersecurity Committee (SGCC) meeting 16

17 Phase 2: Proposed Tasks Objective: Enable Smart Grid resilience as well as Cybersecurity Task 1:Identification of Smart Grid Resiliency Gaps Identify resiliency gaps that currently exist in NISTIR 7628 Rev1. SG.AC-1 SG.AC-2 SG.AC-3 SG.AC-4 SG.AC-5 SG.AC-6 SG.AC-7 SG.AC-8 SG.AC-9 SG.AC-10 SG.AC-11 SG.AC-12 SG.AC-13 SG.AC-14 SG.AC-15 SG.AC-16 SG.AC-17 SG.AC-18 SG.AC-19 SG.AC-20 SG.AC-21 NISTIR 7628 Rev.1 MAPPING to Resiliency Best Practices NISTIR 7628, Rev. 1 High-Level Security Requirements Access Control (SG.AC) Access Control Policy and Procedures Remote Access Policy and Procedures Account Management Access Enforcement Information Flow Enforcement Separation of Duties Least Privilege Unsuccessful Login Attempts Cross- Walk Between NISTIR 7628r1 and Resiliency Controls Smart Grid Information System Use Notification Previous Logon Notification Concurrent Session Control Session Lock Remote Session Termination Permitted Actions without Identification or Authentication Remote Access Wireless Access Restrictions Access Control for Portable and Mobile Devices Use of External Information Control Systems Control System Access Restrictions Publicly Accessible Content Passwords Awareness and Training (SG.AT) Resiliency Best Practice Resiliency Best Practice Systems Security Cyber-Physical Systems Engineering : Appendix Framework H Resiliency Best Practice Cyber Resiliency Engineering Aid 17

18 Phase 2 Proposed Tasks Task 2: Prepare SEPA Resiliency [Gap Filler] Supplement to NISTIR 7628 Rev.1 This task will prepare a draft Resiliency Supplement to NISTIR 7628r1. Entries will consist of: Resiliency Family Name (either an existing Security Requirement Family Name or a new Resiliency Family Name) Resiliency Requirement Description Requirement Enhancements (optional) Additional Considerations (optional) Impact Level Allocation 18

19 Agenda Working Group Updates SGCC Cyber-Physical Resiliency Subgroup Presentation Chair: Dr. Elizabeth Sisley, Calm Sunrise Consulting, LLC Vice Chair: Dr. Michael Cohen, MITRE Corp. OpenFMB Cybersecurity Aaron Smallwood, Directory Technology, SEPA SGCC Leadership Nelson Hastings Presentation: Public Key Infrastructure (PKI) PKI: All the Facts You Wanted to Know and Were Afraid to Ask Presentation by William T. Polk, Group Manager for Cryptographic Technology Group, National Institute of Standards and Technology (NIST) 19

20 Agenda Working Group Updates SGCC Cyber-Physical Resiliency Subgroup Presentation Chair: Dr. Elizabeth Sisley, Calm Sunrise Consulting, LLC Vice Chair: Dr. Michael Cohen, MITRE Corp. OpenFMB Cybersecurity Aaron Smallwood, Directory Technology, SEPA SGCC Leadership Nelson Hastings Presentation: Public Key Infrastructure (PKI) PKI: All the Facts You Wanted to Know and Were Afraid to Ask Presentation by William T. Polk, Group Manager for Cryptographic Technology Group, National Institute of Standards and Technology (NIST) 20

21 NIST Cybersecurity Smart Grid Efforts and Proposed SGCC Activities Nelson Hastings, NIST Cybersecurity and Privacy Applications Group Leader Applied Cybersecurity Division 21

22 NIST Smart Grid Cybersecurity Efforts Supporting SEPA by chairing the Smart Grid Cybersecurity Committee (SGCC) Applying the NIST Cybersecurity Framework to identity/characterize risk to emerging smart grid architectures To be integrated into the NIST Smart Grid Interoperability Framework update 22

23 Security of Grid Edge Devices Grid edge devices include Smart Meters, Inverters, Thermostats, HVAC systems, Securing these devices is critical to scaling control systems that may leverage grid edge devices. The NISTIR 7628 provides Guidelines for Smart Grid Cyber Security. Ideally we would like a strategy to decompose these system level guidelines to device specifications.

24 Profiling performance of Grid Edge Devices We are currently developing technology to profile the performance impact of security solutions on grid edge devices. The eventual goal is to balance cybersecurity tools across a DER architecture, minimizing system level risk exposure. Diversity in design, legacy and communication protocols pose a challenge requiring continuing engagement with device manufacturers.

25 Proposed SGCC Activities for Discussion Develop best practices for identity management from a relying party perspective Managing identities of an organizations employees or owned devices verses customers or devices not owned by an organization connected to their network Profiling the NIST Cybersecurity Framework for a smart grid use case Similar to what was created for the manufacturing sector ring-profile-draft.pdf 25

26 An Example: Manufacturing Profile 26

27 Core Cybersecurity Framework Components What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? 27

28 Core Cybersecurity Framework Components Function Category ID Identify Protect Detect Respond Recover Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications ID.AM ID.BE ID.GV ID.RA ID.RM PR.AC PR.AT PR.DS PR.IP PR.MA PR.PT DE.AE DE.CM DE.DP RS.RP RS.CO RS.AN RS.MI RS.IM RC.RP RC.IM RC.CO Subcategory ID.BE-1: The organization s role in the supply chain is identified and communicated ID.BE-2: The organization s place in critical infrastructure and its industry sector is identified and communicated ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated Informative References COBIT 5 APO01.02, DSS06.03 ISA : ISO/IEC 27001:2013 A NIST SP Rev. 4 CP-2, PS-7, PM-11 COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP-2, SA-12 COBIT 5 APO02.06, APO03.01 NIST SP Rev. 4 PM-8 ID.BE-4: Dependencies COBIT 5 APO02.01, APO02.06, and critical functions for APO03.01 delivery of critical services ISA : , NIST SP Rev. 4 PM-11, SA-14 are established ID.BE-5: Resilience requirements to support delivery of critical services are established ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP-8, PE-9, PE- 11, PM-8, SA-14 28

29 Ways to think about a Profile A customization of the Core for given sector, subsector, or organization A fusion of business/mission logic Respond and cybersecurity outcomes An alignment of cybersecurity requirements with operational methodologies A basis for assessment and expressing target state A decision support tool for cybersecurity risk management Identify Protect Detect Recover 29

30 Business/Mission Objectives Prioritized cybersecurity practices that will promote and support key business/mission goals for the manufacturer. Maintain Personnel Safety Maintain Environmental Safety Maintain Product Quality Maintain Production Goals Maintain Trade Secrets 30

31 31

32 Profile Example ID AM ID.AM-1 Physical devices and systems within the organization are inventoried 32 32

33 Profile Language ID.AM-1 33

34 Agenda SGCC Leadership Nelson Hastings Working Group Updates SGCC Cyber-Physical Resiliency Subgroup Presentation Chair: Dr. Elizabeth Sisley, Calm Sunrise Consulting, LLC Vice Chair: Dr. Michael Cohen, MITRE Corp. OpenFMB Cybersecurity Aaron Smallwood, Directory Technology, SEPA Presentation: Public Key Infrastructure (PKI) PKI: All the Facts You Wanted to Know and Were Afraid to Ask Presentation by William T. Polk, Group Manager for Cryptographic Technology Group, National Institute of Standards and Technology (NIST) 37

35 Why PKI Is So Darn Complicated and Why You Might Want to Use it Anyway Tim Polk 38

36 Objectives Establish the historical context Understand how PKI works Why it is so complex Which design choices matter Recognize which problems PKI can (and can t) solve 39

37 History of PKI in 4 Slides 40

38 Secret Key Cryptography is Easy, Key Management is Hard Sharing secrets has always been hard Secret key cryptography is easy (Caesar could do it!) This allows Alice and Bob to share a secret But there is a bootstrap problem You have to share a secret, and sharing secrets has always been hard 41

39 Public Key Cryptography is Easy, Key Management is Hard 1976, public key cryptography is invented and sharing secrets is easy Alice uses her private key, which no one else knows, to encrypt a message Alice shares her public key with everyone, Bob uses it to decrypt the secret But there is a bootstrap problem authenticating the public key (e.g., ensuring it [still] belongs to Alice) is hard almost as hard as sharing a secret Public key certificates were proposed soon after But we need a scalable mechanism for authenticating certificates And saying that key is no good anymore 42

40 PKI Standards are simple, as long as you support one application 1988, the X.509 certificate standard is published to facilitate the interconnection of information processing systems for the emerging Global X.500 directory Approximately 12 of the 21 normative pages specify formats and processes to create a strictly hierarchical trust infrastructure, so a single public key authenticates the world Hey, we can use that to support lots of applications! But many details required to support more general applications are omitted, so they soon published versions 2 and 3 And the emerging Global directory system doesn t materialize 43

41 The great thing about PKI standards is there are so many of them 1999, IETF publishes RFC 2459 to align X.509 v3 with the needs of Internet applications and leverage the Lightweight Directory Protocol RFC 2459 had 64 normative pages, and another 65 pages of appendices to aid implementers And we omitted stuff in 2459, so we had to publish RFCs 3280 and 5280 And another 67 supporting RFCs to cover new revocation strategies, logos, and trust anchors 44

42 So Why In the World Should You Use PKI? PKI offers a scalable mechanism to implement strong authentication to systems, digitally sign documents and code, share secret keys to support encrypted , sessions, etc., etc., etc. As a toolkit, it is kind of a Swiss Army knife for security, supporting a broad range of applications and services Of course, a Swiss Army knife isn t usually the very best knife for any particular purpose When features are carefully chosen, it can be a very successful and straightforward mechanism 45

43 PKI Roles and Objects Mandatory Roles and Objects Certification authorities (CAs), Registration authorities (RAs), a repository to store and distribute certificates and CRLs, certificate subjects (the entities that hold the private keys), and relying parties (who use the public keys) Optional Attribute certificates to specify extra information about certificate subjects Certificate Status Responders Path Validation Servers 46

44 Certificates Certificates bind an identity (the subject) to a public key. An issuing or certifying authority builds a certificate that contains: Subject s Distinguished Name Subject s Public Key Issuer s Distinguished Name Extensions that further describe the subject, limit the use of the key, or The issuer digitally signs the certificate so no one can change its contents. Certificate of Authenticity 47

45 X.509 Certificate Format O=USG, OU=Commerce, CN=CA1 O=USG, OU=Commerce, CN=Tim Polk ACBDEFGH VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER v1 or v2 or v3 RSA with SHA-2 VALIDITY 1/1/16-1/1/19 SUBJECT SUBJECT PUBLIC KEY INFO ISSUER UNIQUE ID SUBJECT UNIQUE ID RSA, RSTUVWXY EXTENSIONS SIGNATURE 48

46 Public Keys Public key associated with any asymmetric algorithm Public key used to support: Digital Signature and Non-repudiation Key Management Data Encipherment Certificate Signature Certificate Revocation List Signature Best Current Practice: Give certificate subjects two ECC keys, one for signatures and another for key management. 49

47 X.509 Certificate Extensions Authority Key Identifier Subject Key Identifier Key Usage Private Key Usage Period Certificate Policies Policy Mappings Subject Alternative Name Issuer Alternative Name Freshest CRL Basic Constraints Name Constraints Policy Constraints Extended Key Usage CRL Distribution Points Inhibit Any-Policy Authority Information Access Subject Information Access Subject Directory Attributes Please don t define your own proprietary extension. We have at least one solution for almost everything! 50

48 Certificate Revocation Lists (CRLs) Lists of certificates that should no longer be trusted Can be big! Delta CRLs, Sliding Window Delta CRLs, Indirect CRLs are all optimizations for different environments 51

49 X.509 CRL Format v1 or v2 O=USG, OU=Commerce, CN=CA1 7/29/17 VERSION SIGNATURE ALGORITHM ISSUER LAST UPDATE 7/28/17 NEXT UPDATE REVOKED CERTIFICATES CRL EXTENSIONS RSA with SHA-2 SIGNATURE SEQUENCE OF 6/4/17 SERIAL NUMBER REVOCATION DATE CRL ENTRY EXTENSIONS 52

50 Certification Authority Establish and maintain an accurate binding between the public key and attributes contained in a certificate Manages and publishes certificates Issues and renews certificates Issues Certificate Revocation Lists (CRLs) Initializes tokens (optional) Generates and provides recovery for public/private key pairs (optional) 53

51 How do I get a certificate, anyway? The RA confirms the subjects identity and any other attributes in the certificate, then the CA issues the certificate and passes it to both the certificate subject and the repository Two basic strategies: Face-to-face registration Online registration Unfortunate note: there are lots of Certificate Management Protocols to implement this 54

52 Making it Scale: Certification Path Alice can verify Bob s certificate by verifying a chain of certificates ending in one issued by a Certification Authority (CA) she trusts 55

53 Making it Scale: Public Key Infrastructure Topologies 56

54 Customizing PKI Online Certificate Status Protocol (OCSP) Responder answers the basic question: is this certificate revoked? Irrevocable trust in OCSP responder Delegated Path Validation Trusted server builds the entire path, but the relying party makes its own decision Simple Certificate Validation Protocol (SCVP) Server builds path and validates it for the client 57

55 Which leaves us with A certificate subject (Alice) with a couple of private keys and certificates who wants to sign and/or encrypt some data A relying party (Bob) that has selected one or more trusted roots, knows how to build and validate a path, and Can use public keys from validated certificates to verify the signature or decrypt the data And this works even though Alice and Bob may work for different organizations 58

56 Takeaways PKI is not for the faint of heart, but PKI provides a scalable and flexible foundation for the full range of cryptographic security in applications across organizational boundaries 59

57 THANK YOU