Security Challenges in Smart Distribution

Similar documents
Smart Grid Security: Current and Future Issues

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Security in grid control centers: Spectrum Power TM Cyber Security

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Cyber Attack Information System CAIS. DI Thomas Bleier, MSc, CISSP, CEH

WELCOME ISO/IEC 27001:2017 Information Briefing

Cyber security for digital substations. IEC Europe Conference 2017

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

Smart Grid vs. The NERC CIP

ENISA S WORK ON ICS AND SMART GRID SECURITY

Smart Grid Standards and Certification

Security Considerations in M2M Communications

ISA99 - Industrial Automation and Controls Systems Security

Cyber Security Standards Developments

The SPARKS Project Motivation, Objectives and Results

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

You knew the job was dangerous when you took it! Defending against CS malware

Security for smart Electricity GRIDs

Security in Power System Automation Status and Application of IEC Steffen Fries, Siemens Corporate Technology, June 13 th, 2017

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Security analysis and assessment of threats in European signalling systems?

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Tips for Passing an Audit or Assessment

GDPR Update and ENISA guidelines

Cyber Security of Industrial Control Systems (ICSs)

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

IoT Utility Day. Securing Critical Infrastructure. Nadya Bartol, CISSP, CGEIT. Vice President of Industry Affairs and Cybersecurity Strategist

ICT Security AIT

ISA99 - Industrial Automation and Controls Systems Security

Tool-Supported Cyber-Risk Assessment

Addressing NERC-CIP Compliance Challenge for Utilities through IT Service Management. Patrik Ringqvist Principal Solution Consultant

Siemens view and approach on critical infrastructure resilience against cyberthreats Joint OECD-JRC Workshop, Paris September 2018

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

SMART Ship Program. Najmeh Masoudi Cyber safety and security manager. Palazzo S. Giorgio - Genova, 28/06/ Copyright Bureau Veritas

Call for Expressions of Interest

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Les joies et les peines de la transformation numérique

Christoph Schmittner, Zhendong Ma, Paul Smith

Realizing the Smart Grid - A Solutions Provider's Perspective David G. Hart July Elster. All rights reserved.

Secure Development Lifecycle

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

The Challenges of Risk Assessment for Smart Grid

SECURING THE SUPPLY CHAIN

European Union Agency for Network and Information Security

NIS Standardisation ENISA view

TABLE OF CONTENTS. Section Description Page

Industrial control systems

Cymsoft Information Technologies

Cybersecurity, safety and resilience - Airline perspective

Cyber risk management into the ISM Code

An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist

RISK MANAGEMENT IBERDROLA S CASE

Cybersecurity Risk Assessment in Smart Grids

Cybersecurity for the Electric Grid

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

An Introduction to the ISO Security Standards

Managing SCADA Security. NISTIR 7628 and the NIST/SGIP CSWG. Xanthus. May 25, Frances Cleveland

Workshop on security of personal data processing

The NIS Directive and Cybersecurity in

Information and Communication Technology (ICT) Supply Chain Security Emerging Solutions

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Information Technology Branch Organization of Cyber Security Technical Standard

ANALISING SOME OF THE EXISTING RISK ASSESSMENT AND MANAGEMENT STANDARDS APPLIED WORLDWIDE, FOR ENERGY COMPANIES

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

A Cross-Sector Perspective on Product Cyber Security

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

IEC TC57 WG15 - Cybersecurity Status & Roadmap

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Thomas Bleier, Zhendong Ma, Christian Wagner AIT Austrian Insitute of Technology

Maarten Oosterink for PPA 2010 Delft, Vendor Requirements. Process Control Domain - Security Requirements for Vendors

NIST Interoperability Standards Update

Oracle Data Cloud ( ODC ) Inbound Security Policies

Cyber Security for Process Control Systems ABB's view

Challenges in Maritime and Supply Chains Security

13th Florence Rail Forum: Cyber Security in Railways Systems. Immacolata Lamberti Andrea Pepato

Bridging The Gap Between Industry And Academia

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

Discussion on MS contribution to the WP2018

NATIONAL INFORMATION TECHNOLOGY AUTHORITY - UGANDA (NITA-U) REGIONAL COMMUNICATIONS INFRASTRUCTURE PROGRAM (RCIP) INFORMATION SECURITY SPECIALIST

Why you should adopt the NIST Cybersecurity Framework

Electric Sector Security & Privacy Plans for 2011

The importance of STANDARDS to ensure ACCOUNTABILITY and GOVERNANCE in ehealth-ict security processes

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

An Integrated Pan-European Research Infrastructure for Validating Smart Grid Systems

Improving Internet of Things Device Certification with Policy Based Management

Security Management Models And Practices Feb 5, 2008

Assessments Audits CERTIFICATION

Security Challenges with ITS : A law enforcement view

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Industrial Security - Protecting productivity IEC INDA

Cyber Security in Europe and CEER s new PEER initiative

Industrial control system (ICS) security

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Navigate IT Security with a Framework as Your Guide

Transcription:

Security Challenges in Smart Distribution Thomas Bleier Dipl.-Ing. MSc zpm CISSP CEH CISM Thematic Coordinator ICT Security Safety & Security Department AIT Austrian Institute of Technology GmbH

Smart Secondary Substation Energy Smart Metering Automation Meter Data Management New System Interfaces Metering Headend Insider Threat SCADA Cyberwar / Cyberterrorism Transformer Heterogenious Networks Automation System Reliability Automation Network New Threats Remote Access Privacy Data Concentrator New Attack Vectors New Participants Smart Meter Hacking

Security Challenges in Smart Distribution Processes and Organizing Security Secure Development and Comissioning Secure Communication Secure Operation Physical Security Incident Management Based on existing Standards and Best Practices like ISO 27002, ENISA Appropriate security measures for Smart Grids, NIST Guidelines for Smart Grid Cyber Security, NERC CIP, IEC 62443, etc. 3

Processes and Organizing Security Information Security Management General Purpose IT: ISO 2700x, BSI Grundschutz, NIST SP 800-53 Industrial Automation: ISA 99 / IEC 62443, NIST SP 800-82 (Smart) Grid: ISO 27019, NERC CIP, BDEW, ENISA, OE, etc. Risk Management Compliance and Certification ISO 27001, NERC CIP or specific standards? Mandatory? Wikimedia Commons - Diagram by Karn G. Bulsuk (http://www.bulsuk.com) 4

Secure Development and Comissioning Secure Development Processes NIST SDL, MS-SDL, ISSECO, etc. Requirements, Threat Modelling, Code Analysis, Penetration- Tests, Incident Response Processes, etc. For all new components! What about existing? Comissioning/Lifecycle 5

Secure Components COTS vs. Industry components Internet-Technology vs. Industrial Automation Functional Safety (IEC 61508) vs. IT Security (ISO/IEC 15408 Common Criteria) Cryptography Lifecycle, Low Power, etc. Tests and Certification Supply Chain Management c t 6

Secure Communication Protocols from the Automation/Energy World IEC 61850, IEC 60870, DNP3, etc. vs. Protocols from the Internet/Business IT HTTP, SOAP, REST, etc. Security-Extensions SSL/TLS, IEC 62351, IPsec, SAML, XACML, etc. Availability vs. usage in practical applications Protocol design goals vs. application scenarios Privacy-Requirements vs. Functionality 7

Secure Operation Complexity (Operating Personell) Vulnerability Management, Patch Management Configuration Management Third Parties, Suppliers Responsibilities Access Control Authentification, Authorization, Audit Separation of Duties, Least Privilege Safety vs. Security Availability vs. Integrity/Confidentiality 8

Physical Security Next Talk Basic principles stay the same But: increase in volume, new technologies available, new challenges Important part of a holistic security concept 9

Incident Management Response to incidents is key! Logging, Monitoring Situational Awareness Incident Management Information Sharing Culture learning from incidents Obligatory Reporting? 10

Appropriate solutions are needed but don t reinvent the wheel! Specific Requirements: Risk vs. Security vs. Cost Safety & Security System Lifecycle Appropriate security levels Not every substations needs to be Fort Knox! But it also should not become an archilles heel 11

Security is a joint responsibility between manufacturers and operators! Secure components are not enough! Secure commissioning and operation Reliance on the security of specific components Responsibilities for specific security aspects need to be defined XKCD 12

Prevention, detection and reaction Protection mechanisms are useless without detection of attacks and reaction to them System complexity problem Responsibility vs. competence Situational awareness Information Sharing, Reporting 13

Smart Grid Security Research @ AIT Research Topics: Risk analysis and management for Smart Grids Secure architectures for resilient Smart Grids Security Lifecycle Tools Situational awareness anomaly detection, incident information sharing Selected reference projects: SG2 national (coord) Smart Grid Security Guidance PRECYSE EU FP7 SEC Prevention, protection and reaction to cyberattacks to critical infrastructures SPARKS FP7 SEC (coord) Smart Grid Protection against Cyber Attacks HYRIM FP7 SEC (coord) Hybrid Risk-Management for Utility Providers Selected research partners: 14

AIT Austrian Institute of Technology your ingenious partner Thomas Bleier Dipl.-Ing. MSc zpm CISSP CEH CISM Thematic Coordinator ICT Security Research Area Future Networks and Services Safety & Security Department thomas.bleier@ait.ac.at +43 664 8251279 www.ait.ac.at/ict-security

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback