Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems

Similar documents
Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System

Merge physical security and cybersecurity for field operations.

Alberta Reliability Standard Cyber Security Electronic Security Perimeter(s) CIP-005-AB-5

NERC CIP Compliance Matrix of RUGGEDCOM ROX II Operating System

IC32E - Pre-Instructional Survey

CYBER SECURITY POLICY REVISION: 12

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

Standard Req # Requirement D20MX Security Mechanisms D20ME II and Predecessors Security Mechanisms

SEL-3620 ETHERNET SECURITY GATEWAY

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Anca Cioraca, Ilia Voloh, Mark Adamiak GE Grid Automation

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Standard CIP Cyber Security Systems Security Management

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

CIP Cyber Security Electronic Security Perimeter(s)

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Critical Hygiene for Preventing Major Breaches

Simple and Powerful Security for PCI DSS

Electronic Access Controls June 27, Kevin B. Perry Director, Critical Infrastructure Protection

What Protection Engineers Need to Know About Networking. ANCA CIORACA, ILIA VOLOH, MARK ADAMIAK Markham, ON, CA King of Prussia, PA GE Digital Energy

Security Architecture

ANATOMY OF AN ATTACK!

Standard CIP Cyber Security Electronic Security Perimeter(s)

A. Introduction. Page 1 of 22

Juniper Vendor Security Requirements

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Message Networking 5.2 Administration print guide

Security+ SY0-501 Study Guide Table of Contents

T22 - Industrial Control System Security

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Standard CIP Cyber Security Systems Security Management

Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2

CIH

IT Services IT LOGGING POLICY

Standard CIP 007 3a Cyber Security Systems Security Management

CS 356 Operating System Security. Fall 2013

Cyber Defense Operations Center

Standard CIP Cyber Security Electronic Security Perimeter(s)

Total Security Management PCI DSS Compliance Guide

TABLE OF CONTENTS. Section Description Page

Standard CIP 007 4a Cyber Security Systems Security Management

The following chart provides the breakdown of exam as to the weight of each section of the exam.

CIP Cyber Security Systems Security Management

CIS Controls Measures and Metrics for Version 7

Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Frequently Asked Questions CIP Version 5 Standards Consolidated FAQs and Answers Version: October 2015

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Awareness Technologies Systems Security. PHONE: (888)

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

2017 Annual Meeting of Members and Board of Directors Meeting

AUTHORITY FOR ELECTRICITY REGULATION

Security Fundamentals for your Privileged Account Security Deployment

Integrating Microsoft Forefront Threat Management Gateway (TMG)

CIS Controls Measures and Metrics for Version 7

July 12, Order No. 822, Revised Critical Infrastructure Protection Reliability Standards, 154 FERC 61,037, at P 64 (2016).

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

IPM Secure Hardening Guidelines

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

PrecisionAccess Trusted Access Control

Designing Secure Remote Access Solutions for Substations

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

HIPAA Regulatory Compliance

Cybowall Solution Overview

Digital Wind Cyber Security from GE Renewable Energy

PCI DSS v3.2 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD PCI DSS

Take Risks in Life, Not with Your Security

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

AT&T Endpoint Security

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Security Standards for Electric Market Participants

Google Cloud Platform: Customer Responsibility Matrix. December 2018

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Addressing Cyber Threats in Power Generation and Distribution

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

Understanding Cisco Cybersecurity Fundamentals

Gladiator Incident Alert

Reliability Standard Audit Worksheet 1

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Google Cloud Platform: Customer Responsibility Matrix. April 2017

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Cloud FastPath: Highly Secure Data Transfer

CompTIA SY CompTIA Security+

How Breaches Really Happen

CompTIA Security+ (2008 Edition) Exam

CIP Cyber Security Systems Security Management

Cyber security tips and self-assessment for business

Transcription:

Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems Eroshan Weerathunga, Anca Cioraca, Mark Adamiak GE Grid Solutions MIPSYCON 2017

Introduction Threat Landscape Tactics in Ukraine Attack and their defense Integrating IEDs with security systems

Threat Landscape

Attacks Copper Theft Squirrels PG&E Metcalf substation 2013 Ukraine Cyber Attack 2015, 2016 Stuxnet in 2010

Ukraine Attack Source: Presentation Cybersecurity for Energy Delivery Systems by Michael Assante & Tim Conway

Tactics in Ukraine Attack Spear Phishing Deploy Malware Credential Harvesting Lateral Movement Remote Control Malicious firmware uploads Defense Spam filtering Monthly Phishing test Least Privilege Malware sandboxing Host based Anti Virus IDS/IPS system Strong Password Policy Privileged Identity Management Limit admin rights Password managers Two-factor authentication Network segmentation SIEM tool Device certificates Jump Hosts Geo-blocking Accurate inventories Signed firmware & configuration Patching

Spear Phishing Source: Dilbert Cartoon

Security Zone & Conduit Identification

Defense in Depth Concept

Integrating IEDs with security systems SIEM RADIUS Firewall LDAP IED IPS/IDS PIM KDC SYSLOG

Intrusion Detection Change in Bandwidth Usage during Malicious SW Download

Role Based Access Control CIP-004-6 R4.3 verify accuracy of all user accounts, user account groups, or user role categories, and associated privileges once every 15 calendar months IEC 62351-8 specification defines Role-Based Access Control (RBAC) for enterprise-wide use in power systems, provides a mandatory list of role-to-right mappings Role-based access permissions eliminate the need to perform the privilege review on individual user accounts. CIP-004-6 R5.2 requires that in the case of reassignments or transfers, the individual s authorized electronic access is revoked (One implementation is through RADIUS interfacing with Windows Active Directory)

RADIUS server Remote Authentication Dial-In User Service (RADIUS) Some RADIUS Servers used in utilities Microsoft server 2012 Network Policy Server (MS version of RADIUS) RSA Authentication Manager Juniper Networks Steel-Belted Radius RADIUS multiple Authentication methods

Microsoft Active Directory

Microsoft Active Directory

RADIUS EAP Extensible Authentication Protocol (EAP) RADIUS secure Authentication methods EAP-TLS, EAP-TTLS, EAP-PEAP

LDAP Lightweight Directory Access Protocol (LDAP) is an application protocol that provides mechanism to connect, search and modify directory Using Transport Layer Security (TLS), LDAP can encrypt user sessions between the client and server

Two-factor authentication CIP-005-5 R2.3 requires multi-factor authentication for all Interactive Remote Access sessions Multi-factor authentication (MFA) : knowledge (something they know), possession (something they have), and inherence (something they are) Two-factor authentication: possession (secret token) and knowledge (PIN, Password)

Security Information & Event Logging CIP-007-6 R4.1, utilities should Log events at the BES Cyber System level or at the Cyber Asset level (IED level) for identification of, and after-the-fact investigations of, Cyber Security Incidents. CIP-007-6 R4.2 requires to generate alerts for security events. CIP-007-6 R4.3 requirement, retain applicable event logs for at least the last 90 consecutive calendar days

Syslog Syslog protocol is used to transport IED events to a remote Syslog server The Priority value = Facility number * 8 + Severity number Severity number Informal 6 Warning 4 Error 3 Critical - 2

Privilege Identity Management CIP-007-6 R5.6 requires utilities to enforce password changes or an obligation to change the password at least once every 15 calendar months PIM focuses solely on managing privileged accounts

Monitor & Control Traffic CIP-007-6 R3.1, utilities should deploy method(s) to deter, detect, or prevent malicious code. CIP-007-6 R3.2 requires utilities to mitigate threats from detected malicious code. CIP-005-5 R1.1 requires to place all applicable Cyber Assets connected to a network via a routable protocol within a defined Electronic Security Perimeter (ESP) CIP-005-5 R1.2 requires all External Routable Connectivity through an identified Electronic Access Point (EAP) CIP-005-5 R1.3 requires to enforce inbound and outbound access permissions, including the reason for granting access, and deny all other access by default CIP-005-5 R1.5 requires utilities to have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications

Secure Messaging Defined in IEC 62351 Implemented in the IEC Routable GOOSE and Routable Sample Value profiles Security Mechanisms: - Message Authentication via SHA 256 - Message Encryption via AES 128 - Locked via Shared Key to a Security Group

R-GOOSE SPDU Signature SPDU: Session Protocol Data Unit Signature: keyed hash of all items in the SPDU

Keys & Certificate Management In secure R-GOOSE, key management is based upon Group Domain of Interpretation (GDOI). GDOI implements the Key Distribution Center function

Conclusions Can we prevent an attack such as Ukraine cyber attack in North America? Successful cyber security of a system is a combined effect of technology, procedures, policies, users, monitoring, standard compliance and diligent enforcement To secure IEDs, their security features should be enabled and configured properly IACS and SAS can achieve required IED cyber security by proper integration of third party security systems with IEDs

Thank You Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback