Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

Transcription

1 Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012 Paul Kalv Electric Director, Chief Smart Grid Systems Architect, City of Leesburg Doug Westlund CEO, N-Dimension Solutions Inc.

2 Agenda Introductions Current and Emerging Threats Regulations and Standards How to Protect Your Utility City of Leesburg Case Study Q & A Contact Information

3 N-Dimension Solutions Cyber Security solutions provider laser focused on the Power & Energy market Part of EPRI team selected for multi-year DOE project to protect the US grid Member of key standards bodies (NERC, NIST, DOE Labs) Frost & Sullivan Award for Best Practices in Industrial Cyber Security HD Supply Utility s cyber security partner success in public power APPA activities: Author of Cyber Security Primer document which will be published shortly Author of articles published in APPA s Public Power magazine Webinars for APPA s Academy seminar series Cyber Security Course developed for APPA 2012 E&O and National Conferences Selected by Hometown Connections as their cyber security partner

4 Leesburg Overview Leesburg, Fl is located 40 miles north of Orlando in central Florida 24,000 electric customers also provide gas, water & internet. 9,700 (42%) AMR electric 18,900 (34%) AMR total meters. (Discontinued further AMR deployment 2007) 140 residential electric meter AMI pilot deployed January Completed AMI Business Case December $19,497,625 SGIG half from DOE & $1,240,000 EECBG from State Smart Grid project elements include: AMI meters & mesh communications network, data backhaul, Grid Data Manager, ESB, systems integration, Utility and Customer Web portal, Organizational Change Management, Business Process Management, Operational Transition, Pre-pay, DRMS, and substation transformers and Distribution Automation equipment with advanced monitoring and communications capability. Nominated for 2012 APPA Energy Innovator Award

5 Current and Emerging Threats Distributed Intelligent devices offer on-ramps to operational networks and equipment Challenging to protect against current and future threats City Intranet and operational systems interconnectedness Limited cyber security monitoring Unprotected communications Weak security for remote access

6 Technology Trends Increasing Cyber Security Risk Technology Trends Increasing Cyber Security Risks Adoption of common technology (e.g. Microsoft, IP, Ethernet) Connectivity of utility control systems to other systems Increasing automation Creates increased attack surface that can be exploited External Attackers: Hackers conferences are identifying utility systems as valuable target Hackers Tool Kits specific to Utility systems are available for download and use Internal Users (Insiders) can knowingly or unknowingly exploit systems For utilities, there are increasingly advanced and persistent threats to a growing attack surface

7 Cyber Security Threats - Stuxnet Stuxnet worm first discovered in July 2010, may have existed for up to a year before First Windows-specific worm that infects and reprograms industrial control systems First worm to include a programmable logic controller (PLC) rootkit Uses four zero-day Windows vulnerabilities Uses Windows rootkit that hide its binaries Bypasses and exploits security products such as firewalls Duqu, a derivative of Stuxnet has been detected

8 McAfee Report Stuxnet has transformed the threat landscape. It was a sophisticated, successful, weapon with a single purpose sabotaging an industrial control system. We found accelerating threats and vulnerabilities One in four survey respondents have been victims of extortion through cyberattacks or threatened cyberattacks. Recommendations from the report include: Improved authentication measures Better network hygiene Increased oversight of access to industrial control systems Source: In the Dark - Crucial Industries Confront Cyberattacks, McAfee, May 2011

9 Industry Frameworks / Standards / Regulations DOE FERC Standards Organizations NERC CIP NIST

10 How To Protect Your Utility Complete a comprehensive Cyber Security Assessment Develop a utility specific Cyber Security Plan Install necessary security controls including hardware and software at network interfaces Conduct periodic Vulnerability Assessments

11 Cyber Security Program Elements

12 Cyber Security Plan Describes the utility s approach to cyber security and should be used to communicate and achieve alignment with key stakeholders including utility personnel and applicable third parties Key elements of a good plan: Roles and Responsibilities Vulnerability Assessments Awareness and Training Policies and Procedures Technical Security Controls Key Point: For a Cyber Security Plan to be effective it needs to be clearly understood by all stakeholders. Often, larger and more complicated Plans are less effective.

13 Vulnerability Assessments (VA s) VA s (sometimes called audits ) test the implementation of security controls as well as determine the security posture of the utility at a given point in time. Good practices such as NERC CIP-010 (V5) call for VA s on an annual basis or when new systems are implemented. VA s should identify risks to the utility s cyber access points, systems, applications, and interconnection points VA s should rank and prioritize risks from a threat / impact to operations perspective. Penetration tests are a specific form of vulnerability assessments and are used to determine weaknesses in the technical security controls

14 Defense-in-Depth Network segregation Perimeter Security Interior Security Communications Security Host Security Monitoring Held Together by Processes Start with the assumption that utility assets will be compromised and then build your defenses from there...

15 Privacy NIST Smart Grid Interoperability Panel Cyber Security Working Group New Smart Grid technologies, particularly smart meters, smart appliances, and similar types of endpoints, may create new privacy risks and concerns that may not be addressed adequately by the existing business policies and practices of utilities and third-party Smart Grid providers. Good framework used in Ontario

16 Lifecycle Management NIST Revision 2 document, Security Considerations in the System Development Life Cycle : Implementing information security early in the project allows the requirements to mature as needed and in an integrated and cost-effective manner. Engineering security into a product s initiation phase typically costs less than acquiring technologies later that may need to be reconfigured, customized or may provide more or fewer security controls than required. Security should be included during the requirements generation of any project. Designing a solution with consideration for security could substantially reduce the need for additive security controls. Monitoring the cyber security health of a utility is an important element of lifecycle management.

17 City of Leesburg Case Study

18 A couple of plugs 1. Soon to be published APPA Document: Cyber Security Primer Aligns with this webinar, written for broad utility stakeholder audience 2. APPA National Conference Cyber Security Course Aligns to this webinar, with more detail and public power case studies

19 Acknowledgement and Disclaimer Acknowledgement: This material is based upon work supported by the Department of Energy under Award Number DE-OE Disclaimer: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

20 Contact Information Paul Kalv Electric Director, Chief Smart Grid Systems Architect City of Leesburg, FL Office: Doug Westlund, CEO N-Dimension Solutions Inc. Office: x227 Mobile: