Securing the Grid and Your Critical Utility Functions. April 24, 2017

Similar documents
i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Security Standards for Electric Market Participants

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

CYBER SECURITY POLICY REVISION: 12

Cyber Threats? How to Stop?

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

The Importance of Cybersecurity Threat Detection for Utilities

THE TRIPWIRE NERC SOLUTION SUITE

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

PROTECTING MANUFACTURING and UTILITIES Industrial Control Systems

Cybersecurity for the Electric Grid

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

Scope Cyber Attack Task Force (CATF)

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Live Webinar: Best Practices in Substation Security November 17, 2014

Cyber Resilience Solution for Smart Buildings

Grid Security & NERC

Physical Security Reliability Standard Implementation

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Digital Wind Cyber Security from GE Renewable Energy

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

Trends in Cybersecurity in the Water Industry A Strategic Approach to Mitigate Control System Risk

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

Chapter X Security Performance Metrics

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Low Impact Generation CIP Compliance. Ryan Walter

2011 North American SCADA & Process Control Summit March 1, 2011 Orlando, Fl

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Critical Asset Identification Methodology. William E. McEvoy Northeast Utilities

Secure Development Lifecycle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

Chapter X Security Performance Metrics

Standard CIP Cyber Security Physical Security

Cyber Defense Operations Center

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Continuous protection to reduce risk and maintain production availability

Critical Infrastructure Protection Version 5

Awareness Technologies Systems Security. PHONE: (888)

Standard CIP Cyber Security Electronic Security Perimeter(s)

Implementing Cyber-Security Standards

The five questions I am being asked by National Policy Makers and Utility CEOs; My Best Answers; And Where the Questions Don't Have Answers

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

WHITEPAPER HEALTHCARE S KEY TO DEFEATING CYBERATTACKS

NEN The Education Network

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

SECURING THE SUPPLY CHAIN

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

DATA CENTER IT/OT SECURITY FOR DATA CENTERS FOXGUARD SOLUTIONS 2285 PROSPECT DRIVE CHRISTIANSBURG, VA FOXGUARDSOLUTIONS.COM

CIP V5 Implementation Study SMUD s Experience

NEXT GENERATION SECURITY OPERATIONS CENTER

Cyber Risk in the Marine Transportation System

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

DRAFT. Standard 1300 Cyber Security

Reinvent Your 2013 Security Management Strategy

Manufacturing security: Bridging the gap between IT and OT

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Designing Secure Remote Access Solutions for Substations

Securing Industrial Control Systems

QuickBooks Online Security White Paper July 2017

Cyber Security. June 2015

NERC CIP in the Real World on a Real Budget

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

NERC CIP Information Protection

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

Addressing NERC-CIP Compliance Challenge for Utilities through IT Service Management. Patrik Ringqvist Principal Solution Consultant

AUTHORITY FOR ELECTRICITY REGULATION

Defensible and Beyond

Strengthening Capacity in Cyber Talent sans.org/cybertalent

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

TechAdvantage March 5, Mark Peterson Supervisor of Operations Engineering. Ron Schmitz Manager of Information Services

NERC Staff Organization Chart Budget

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

10 FOCUS AREAS FOR BREACH PREVENTION

Innovation policy for Industry 4.0

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Too Little Too Late: Top Reasons Why You Got Hacked

Addressing Cyber Threats in Power Generation and Distribution

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

NERC Staff Organization Chart

Combating Cyber Risk in the Supply Chain

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

playbook OpShield for NERC CIP 5 sales PlAy

Cybersecurity Auditing in an Unsecure World

Transcription:

Securing the Grid and Your Critical Utility Functions April 24, 2017 1

Securing the Grid Effectively and Efficiently Recent threats to the Electric Grid and the importance of security Standards and Requirements set by the North American Electric Reliability Corporation (NERC) Leveraging resources of both Operations Technology (OT) and Information Technology (IT) 2

Introduction to Paper and Authors Securing the Grid and Your Critical Utility Functions Primary Author and Presenter: William M. Bateman Senior Project Manager, GDS Associates, Inc. Manager of the NERC CIP Team 19 years in the Electric Utility Industry Experience in NERC Operations & Planning, NERC CIP Compliance, Transmission and Balancing Authority Operations Serves as the NERC Compliance Manager and Senior CIP Manager for G&T Cooperative Additional Authors: Alexander Amaya CIP Project Engineer, GDS Associates, Inc. Experience with Physical Security at a major BA/TOP in the western United States Expertise in Transmission Planning and Protection Systems James Fenstermaker CIP Analyst, GDS Associates, Inc. Expertise in electronic security and cyber vulnerability assessments 3

Importance of Security Recent NERC Alerts Substation Sabotage Ukraine Cyber Attack Internet of Things (IoT) Distributed Denial of Service (DDoS) Attack Recent Cyber Attacks outside of NERC Cyber Security Attack on Dallas Emergency Alert System Ransomware Attacks Yahoo Data Breach 4

NERC Requirements Critical Infrastructure Protection (CIP) Standards Applicability Bulk Electric System (BES) Specific to Operations Technology (OT) Impact Levels High Medium Low Most smaller entities fall here Requirements based on Impact Level 5

Low Impact Requirements Entities must create a Cyber Security Plan that addresses the following: Cyber Security Awareness Physical Security Controls Electronic Access Controls Cyber Security Incident Response 6

IT and OT Working Together Evolution of OT Paradigm Shift from traditional OT systems Increased use of IT equipment on the operations side Changes Facilitate the sharing of resources Encounter similar problems Benefits of integration NERC Standards can be used as guidelines for Information Technology (IT) Security 7

Components of Cyber Security protection 1. Human Resources and Human Factors Training Resource Use 2. Technical and Electronic Security Firewalls Intrusion Detection 3. Physical Security Control Rooms Data Centers In the field 8

IT/OT Teams and Human Factors Reasons for Unification of Teams Similar Training is needed for bot Teams Cost savings associated with employing full time staff Overlapping knowledge and skills Overlapping of job functions Operate as a single unit Possible Hurdles Need for additional training May require restructuring different teams Need to promote the idea of teamwork 9

Sample Traditional IT/OT Organization IT Manager OT Manager AM IT System Engineer/Supervisor PM IT System Engineer/Supervisor AM OT System Engineer/Supervisor PM OT System Engineer/Supervisor IT System Tech IT System Tech OT System Tech OT System Tech IT System tech IT System Tech OT System Tech OT System Tech 10

Traditional Labor Allocation and Cost Separate Team 24/7 Coverage 2- Manager $300,000 4- Supervisors $500,000 8 Techs $ 800,000 Total Staff and Costs: 14 Total Employees 2 completely separate teams 8 Techs would be a minimum level for 24/7 coverage for 2 Teams Total Labor Cost: $1.6 Million Estimate based on IEEE-USA Salary & Benefits Survey 2016 Edition 11

Sample Unified IT-OT Team IT/OT Manager IT Supervisor/Engineer OT Supervisor/Engineer AM IT/OT Tech AM IT/OT Tech PM IT/OT Tech PM IT/OT Tech Rotating IT/OT Tech 12

Unified Labor Allocation and Cost IT/OT Team with 24/7 Coverage 1- Manager $150,000 2- Supervisors $250,000 5 Joint Use Techs $500,000 Total Staff and Costs: 8 Total Employees Combined Teams 5 Techs can overlap doing IT and OT support Total Labor Cost: $900,000 Savings of $700,000 with the additional support Tech Estimate based on IEEE-USA Salary & Benefits Survey 2016 Edition 13

Technical and Electronic Security OT and IT Convergence Evolution of OT Infrastructure Electromechanical to microprocessor (OT) Serial to IP Availability vs Security OT systems uptime requirements Integrated Systems IT issues on the operations side Commonalities in equipment 14

Technical and Electronic Security Security Vulnerabilities in OT Networks without Cyber Security Protection Publicly accessibility Insecure remote connectivity Missing security updates Poor password practices Insecure firewall configuration and management OT systems on IT networks Weak protection of the corporate IT network from OT systems Lack of network segmentation Unrestricted outbound internet access from OT networks Insecure encryption and authentication on wireless networks 15

Physical Security Securing IT systems similar to OT NERC standards have requirements in place to protect OT assets, but not the IT system. If entity has an interconnected IT and OT network, they run the risk of having an IT cyber attack migrate to the OT system. A physical hack can occur if an individual decides to clone an ID card from the IT network, to gain access to the OT system. Security experts suggest entities to protect their IT systems with the same rigor as their OT systems. 16

Physical Security Defense in Depth Strategy The more layer of security a utility has, the harder it is to penetrate the system. Example: One of the most common ways is to separate locked critical assets, both IT and OT, within a separately locked room or cabinet. 17

Case Studies Utility A Generation and Transmission cooperative Serving 10 distribution members with over 300,000 customers Multiple BES Generation facilities Multiple 138 kv Transmission Facilities Data Center with both IT and OT systems Low Impact rating 18

Utility A Human Factors Case Studies Multiple Members with combined IT/OT Teams or contractors Physical Security Locking OT assets behind a key-locked gate at Transmission Facilities Locking IT and OT assets behind a keypad door at Data Center Escorting Visitors at all times Electronic Security Separate IT and OT networks Firewalls to control communication to Data Center Switches at Substations 19

Case Studies Utility B Transmission and Distribution cooperative Serving over 70,000 customers Multiple 138 and 69 kv Transmission Facilities Primary/Backup Control and Data Centers, hosting both IT and OT systems Low Impact rating 20

Case Studies Utility B Human Factors Single IT/OT Team made up of in-house staff Field personnel work with the IT/OT Team Physical Security Locking IT and OT assets behind Card Access entry points Individuals are given Card Access after passing applicable training classes Up-to-date master access list Separate IT and OT cabinets with unique keys at Substations Electronic Security Firewalls to control communication to Data Center Strong password policy Secured Remote Access Ability to monitor network through IDS/IPS modules, installed on firewalls 21

Case Studies Utility C Generation and Distribution cooperative Serving over 280,000 customers Multiple Generation Facilities in two different grids Primary/Backup Data Colocation Centers, hosting both IT and OT systems Medium Impact rating 22

Case Studies Utility C Human Factors Single IT/OT Team Team manages all updates at the Collocation Centers Field staff coordinates with the IT/OT Team Physical Security IT and OT assets at Colocation Center with multi-level access Individuals are given Card Access after passing applicable training classes Up-to-date master access list Electronic Security Firewalls to control communication into and out of the IT and OT Networks IT and OT Networks are separate Strong password policy Secured Remote Access Ability to monitor network through IDS/IPS 23

Conclusions IT Systems vs OT Systems Combined Resources increase efficiency NERC Standards can be used as a starting point for IT Security Similar IT and OT Systems Differences are becoming less clear Both are Critical to Utility functions Less labor cost Additional IT and OT support coverage Required for OT Systems Good practice for IT Systems Increases security More efficient 24

Thank you for the opportunity to present at the 2017 IEEE REPC 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback