Cybersecurity for Department of Defense Microgrids: An Army Perspective

Transcription

1 Cybersecurity for Department of Defense Microgrids: An Army Perspective Lori Ross O Neil with Cliff Glantz, David McKinnon, Fleur DePeralta, Mark Watson, Paul Boyd, Emily Barrett and Darlene Thorsen Pacific Northwest National Laboratory Richland, WA Author contact information: Lori@pnnl.gov;

2 We will cover: 1. Threats to energy security 2. What cybersecurity requirements does DoD place on its energy infrastructure to enhance protection and resiliency? 3. Risk Management Framework 4. Next Steps 5. Questions 2

3 Energy Reliability and Security Constraints and threats to the supply of energy, water and other resources are growing in scope and complexity both abroad and at home. The Army is making investments to ensure the Army of tomorrow has the same or greater access to energy, water, land, and natural resources as the Army of today. 3

4 Energy Security Energy security is the uninterrupted availability of energy sources at an affordable price. The security of energy assets involves the protection of those assets from natural events or human activities. Human-based security threats to energy assets may involve physical attack (e.g., explosions, sabotage), cyber attack (e.g., loss of availability, loss of control), or a blend of a physical and cyber attack. 4

5 The Threat of a Cyber Attack Concerns about cyber attack are growing because of: the increase in the sophistication and availability of attack tools how easy it is to mount an attack the high consequences from simultaneous attacks on many assets the relative lack of attribution and retribution 5

6 Requirements for the Cybersecurity of the DoD Energy Infrastructure Purchasing Power from Utilities No special DoD Army requirements The cybersecurity requirements from NERC apply to large generation and transmission resources, but not small smaller assets (including distribution assets) The utilities internal cybersecurity program apply, but they may not be very protective for a high-value target like a military installation 6

7 DoD Cybersecurity Requirements (Cont.) Utility Generation on the Installation Supplying Power to the Grid (e.g., a solar power array) NERC CIPS typically do not apply (generation capacity is typically too small) Cybersecurity requirements negotiated with the Army Army Office of Energy Initiatives (OEI) has established risk-based cybersecurity requirements for its installation-based, privately owned and operated Renewable Energy Generation Facilities (REGFs). 7

8 DoD Cybersecurity Requirements (Cont.) Utility Generation on the Installation Supplying Power to an Installation Microgrid NERC CIPS typically do not apply (generation capacity is typically too small) Follow the DoD Risk Management Framework (RMF) (DoDI ) and the standards and guidance cited in the RMF Recommend also implementing OEI Cybersecurity Requirements to provide a secure foundation for a cybersecurity program. 8

9 The DoDI RMF Risk Management Framework Provides a process for developing and implementing a cybersecurity program Provides a process for selecting security controls using NIST Security and Privacy Controls for Federal Information Systems and Organizations (this document is over 400 pages long and contains over 200 security controls). References other guidance documents from NIST, DoD, and other sources 9

10 10 RMF Cybersecurity Lifecycle

11 RMF: 18 Families of Security Controls NIST Depending on the risklevel of the asset, up to 200 specific security controls may be applicable under the RMF. 11

12 12 As a starting point, we began using Prepared by the Energy Sector Control Systems Working Group (ESCSWG) Seeks to promote cybersecurity by design through procurement language. Is tailored to the energy sector but has broader applications Published in April 2014 Considers cybersecurity starting with design and continuing through testing, manufacturing, delivery, installation, support, etc. Focuses on what to do, not how to do it

13 Where Did This Come From A strong push by utilities to give them standard guidance for developing cybersecurity requirements to use when dealing with contractors, vendors, suppliers, and integrators. Spearheaded by Duke Energy after a lot of frustration in negotiating for appropriate cybersecurity in their acquired energy generation and transmission facilities and systems.

14 Army OEI Cybersecurity Requirements Loss or Fluctuation in Electrical Power q Lose or fluctuation in electrical power that could result in brownouts, blackouts, or damage to installation systems Physical Damage to the Installation Direct or Indirect Connections Theft or Manipulation of Data q Physical damage to the installation from a fire, explosion, release of toxic air pollutants, spray or spill of toxic materials, etc. at the energy asset q Direct or indirect connections between the energy asset and installation systems that allow the spread of a cyber attack to the installation q The theft or manipulation of data in order to monitor or jeopardize installation operations 14

15 15 Criteria for Defining the Risk Level in Each Category are Defined in our REGF Risk Screening Document

16 Examples: Determining the Overall Risk Level Based on Highest Risk in the Categories Case 1 High Risk Case 2 Moderate Risk 16

17 Army OEI Cybersecurity Requirements (Cont.) Risk-based OEI Cybersecurity requirements are based on the Energy Sector s Cybersecurity Procurement Language for Energy Delivery Systems Provides a concise set of key requirements that tell the utilities what they need to do but not how to do it. 17

18 Army OEI Cybersecurity Requirements (Cont.) Requirements focus on the following topic areas: Asset Identification and Management Effective and appropriate management, operational and technical controls Training and awareness Integrating cyber and physical security Defense-in-depth Security monitoring and analysis Incident response and recovery Configuration control Lifecycle security Risk assessments and evaluation of performance. 18

19 DoD Next Steps The DoD is taking steps to enhance the cybersecurity of its infrastructure The cyber threat is real and growing and can impact mission readiness. The cybersecurity of facility related control systems is one topic being actively addressed. Activities and guidance products are being planned to enhance the protection and resilience of DoD energy- and infrastructure-related systems. 19

20 20 Questions?