Securing Buildings & Facilities From Emerging Cyber Threats

Transcription

1 Session 5: [Session Title] Securing Buildings & Facilities From Emerging Cyber Threats Michael Mylrea Manager, Cybersecurity & Energy Technology Pacific Northwest National Lab August 10, 2016 Rhode Island Convention Center Providence, Rhode Island

2 DOE PNNL Buildings Cybersecurity Framework Energy Exchange: Federal Sustainability for the Next Decade

3 DOE PNNL Buildings Cybersecurity Maturity Model (B C2M2)

4 Buildings Cybersecurity Maturity Model (B C2M2) & Application Maturity Indicator Levels Defined progression of goals Each cell contains the defining practices by goal for domain for that maturity indicator level. If performing those practices, you earn this maturity level. DOE and PNNL developed a tool and visualization platform to measure cybersecurity maturity for energy utilities. This tool has been adapted to buildings, but its current form does not compare maturity levels of buildings and is difficult to distribute A tool and data set for measuring and comparing nation s buildings cybersecurity maturity does not exist PNNL conducted various B C2M2 pilot tests to inform the development of the B C2M2 app Need: Tool and data sets to quickly identify and compare buildings

5 Cybersecurity Maturity Model (B C2M2) Application Web and mobile based cybersecurity maturity model Obfuscate identity of users, but collects valuable information and data set Provide online and offline sharing solution A tool and data set for measuring and comparing cybersecurity maturity of energy infrastructure PNNL conducted various B C2M2 pilot tests to inform the future development of an application Need: Tool and data sets to quickly identify and compare cybersecurity maturity

6 Assessment Findings Building Control System Vulnerabilities Smart building control systems often prioritize ease of use and interoperability before security Energy Exchange: Federal Sustainability for the Next Decade

7 Building Cybersecurity Mitigation Illustrative/Assessment Findings Recommendations Build security into your smart building design criteria Introduce a security program to promote cyber best practices Introduce a cyber security training program. Introduce cyber security policies and standard operating procedures. Maintain a list of staff members and contractors. Use procurement guidelines NIST Cyber Security Framework DOE Cyber Energy Maturity Model Energy Exchange: Federal Sustainability for the Next Decade

8 Building Control System Risk Matrix Heat Map Energy Exchange: Federal Sustainability for the Next Decade

9 Cyber Secure Facility Energy Decision System

10 Cyber Secure Facility Energy Decision System (CS FEDS) Challenges Challenge 1: Cybersecurity solutions often times increase costs, reduce functionality and lack a clear value proposition. Challenge 2: Networking and digitizing energy technology and controls can reduce costs, increase functionality and efficiency, but often times increases cyber vulnerabilities. Challenge 3: A turn key tool to improve energy efficiency and cybersecurity does not exist Proposed Solution PNNL have beta tested a tool called the Cyber Secure Facility Energy Decision System (CS FEDS) that could potentially help building owners reduce their energy consumption, while increasing their cybersecurity maturity and situational awareness. Key Features Models energy and cost performance of heating, cooling, ventilation, lighting, motors, plug loads, building shell, and hot water systems, plus central plants and thermal loops. Models buildings systems interoperability and inventories critical cyber assets Identifies cybersecurity vulnerabilities in building automation systems Turn Key buildings cybersecurity and energy efficiency tool 10

11 CS FEDS Energy Efficiency and Security Training Modeling both energy and cost performance and cyber vuns in buildings Modeling buildings systems interoperability and inventories critical cyber assets Identifies critical cybersecurity assets in building automation systems and controls Combined energy efficiency and cybersecurity training targeted at IT and OT professionals Helped increase cybersecurity situational awareness, overview of cyber physical threats, vulnerabilities and mitigation Upcoming training with operations managers, cybersecurity professional and senior policy makers from USG interagency PNNL conducted various B C2M2 pilot tests to inform the development of training curriculum

12 Risk Management Cycle for Building Automation Systems

13 Risk Management Cycle for Building Automation Systems Building Automation Systems (BAS) Building energy efficiency Safety systems Gird level controls integration BAS Vulnerabilities (select) IT/OT separation Patch management Roles and responsibilities Cyber attack impacts Safety (Buildings/Occupants) Property damage (Equipment) Operational costs (Campus) Energy security (Campus/Utility) Credit Sri Nikhil Gourisetti/Brooke Brisbois Need: A systematic approach to identify requisite security enhancements to prevent/mitigate impact

14 Cybersecurity Risk Assessment for Building Automation Systems Cybersecurity Risk Assessment for Building Automation Systems Adapted from All Hazards Power Grid Risk Framework developed for OE 40 (Veeramany, 2015) Framework for power grid was developed to model natural hazards and manmade threats Adapted to systematically formulate and quantify attack scenarios for risk informed decision making based on NIST and Buildings Cybersecurity Frameworks Risk mitigation Identify, protect, detect, respond, and recover

15 Resilient Controllers for Campus Building Management Systems

16 Resilient Controllers for Campus BMS Demand Side Management Schedulable/controllable loads Distributed energy resources Transactive energy schemes Utility contracts Increasing cyber threats Vulnerable, insecure controllers Cyber attack impacts Safety (Buildings/Occupants) Property damage (Equipment) Operational costs (Campus) Energy security (Campus/Utility) Need: Resilient Controllers for schedulable loads in a campus to detect and mitigate cyber attacks.

17 Resilient Controllers for Campus BMS Proposed Solution: Cyber Anomalies Local measurements (Voltage, Current, PV, Weather) Load level, resilient controllers using a combination of machine learning techniques and cyber physical alert correlation algorithms for control validation. Machine learning to baseline physical system behavior ON/OFF Command s Resilient Controller Alerts to BMS Schedules/ Pricing Signals Spatial & Temporal Measurement Correlation Baselines Local voltage measurements Spatial & Temporal correlation across RCs Additional sources Weather, Solar irradiance Cyber physical alert correlation to fuse Cyber anomalies from IDS Physical anomalies from learnt patterns in machine learning Relevant stakeholders/clients DOE FEMP Tim Unrue DOE BTO Joe Hagerman DOE CEDS Carol Hawk

18 Human in the Loop Virtual Reality Cyber Security and Building Operations Trainer (VCS BOT)

19 Human In The Loop Virtual Reality Cyber Security And Building Operations Trainer (VCS BOT) Approach Scientific Challenges BC2M2 Cyber Security and building operations training methodologies need to adapt with evolving buildings infrastructure and smart grid Can we design human action based adaptive models? Can such enhanced immersive approach lead to incorporating cyber secure practices in IT & OT? Can we improve repeatability? Best Practices BCF Evaluation Assessment Oculus Human in the loop VR App Javascript C# Unity 3D Holo Lens Concept An augmented/virtual reality based adaptive building environment application enabling human in the loop for immersive and enhanced training experience Impact Strengthen Building Cyber Security practices Next-generation BCF based training framework Novel combination of unsupervised ML, AR/VR, and AI Situational models with realistic attack-action scenarios Deliverables Design Train Explore Software with AR/VR CS scenarios Cyber physical Training Curriculum Pilot training for buildings managers Train the trainers workshop Cyber Physical training landscape Enhanced human action area Papers Patent BCF Visibility Energy Exchange: Federal Sustainability for the Next Decade