Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

Similar documents
EPRI Research Overview IT/Security Focus. Power Delivery & Energy Utilization Sector From Generator Bus Bar to End Use

Smart Grid vs. The NERC CIP

Security and Privacy Issues In Smart Grid

Summary of Cyber Security Issues in the Electric Power Sector

TABLE OF CONTENTS. Section Description Page

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

SEGRID storyline. Workshop SEGRID November 14 th, 2016, Barcelona, Spain

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Security by Default: Enabling Transformation Through Cyber Resilience

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Smart Grid Task Force

Dmitry Ishchenko/Reynaldo Nuqui/Steve Kunsman, September 21, 2016 Collaborative Defense of Transmission and Distribution Protection & Control Devices

Firewalls (IDS and IPS) MIS 5214 Week 6

Expanding Cyber Security Management for Critical Infrastructure

Cisco Smart Grid. Powering End-to-End Communications. Annette Winston Sr. Mgr., Product Operations Customer Value Chain Management

Cyber Criminal Methods & Prevention Techniques. By

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID TCIPG.ORG

Measurement Challenges and Opportunities for Developing Smart Grid Testbeds

Cyber Security for Renewable Energy Systems

IC32E - Pre-Instructional Survey

OpenWay by Itron Security Overview

Realizing the Smart Grid - A Solutions Provider's Perspective David G. Hart July Elster. All rights reserved.

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

ANATOMY OF AN ATTACK!

Identity-Based Cyber Defense. March 2017

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

The Next Generation Grid: Electric Power T & D

BUILDING A SMARTER SMART GRID: COUNTERACTING CYBER-THREATS IN ENERGY DISTRIBUTION

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Industry Best Practices for Securing Critical Infrastructure

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

The role of ICT in managing the complex Smart Grid Infrastructure. Nampuraja Enose Infosys Labs

Protecting productivity with Industrial Security Services

Green California Summit. Paul Clanon Executive Director California Public Utilities Commission April 19, 2011

Innovation policy for Industry 4.0

Cyber Threat Assessment and Mitigation for Power Grids Lloyd Wihl Director, Application Engineering Scalable Network Technologies

Security analysis and assessment of threats in European signalling systems?

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Verizon Software Defined Perimeter (SDP).

Grid Modernization Challenges for the Integrated Grid

Toward All-Hazards Security and Resilience for the Power Grid

Security+ SY0-501 Study Guide Table of Contents

External Supplier Control Obligations. Cyber Security

Risk-Based Cyber Security for the 21 st Century

The Common Controls Framework BY ADOBE

Internet of Things Toolkit for Small and Medium Businesses

Digital Wind Cyber Security from GE Renewable Energy

Failure Diagnosis and Cyber Intrusion Detection in Transmission Protection System Assets Using Synchrophasor Data

Changing face of endpoint security

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Cyber Security and Privacy Issues in Smart Grids

Security

Language for Control Systems

Control Systems Cyber Security Awareness

NW NATURAL CYBER SECURITY 2016.JUNE.16

Bridging The Gap Between Industry And Academia

Process System Security. Process System Security

CoreMax Consulting s Cyber Security Roadmap

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Designing and Building a Cybersecurity Program

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

The five questions I am being asked by National Policy Makers and Utility CEOs; My Best Answers; And Where the Questions Don't Have Answers

Securing Industrial Control Systems

Forecast to Industry 2016

Run the business. Not the risks.

Interoperability and Standardization: The NIST Smart Grid Framework

CCISO Blueprint v1. EC-Council

Building Resilience in a Digital Enterprise

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Addressing Cyber Threats in Power Generation and Distribution

Cyber Security for Process Control Systems ABB's view

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Intelligent Building and Cybersecurity 2016

Protect Your Organization from Cyber Attacks

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

Smart utility connectivity

Data Security and Privacy Principles IBM Cloud Services

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

CA Security Management

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

Cybersecurity for the Electric Grid

Toronto Hydro-Electric System Limited EB Exhibit G1 Tab 1 Schedule 1 ORIGINAL Page 1 of 15 SMART GRID PLAN

Protecting Your Cloud

Cyberspace : Privacy and Security Issues

Intelligent Buildings and Cybersecurity

N-Dimension n-platform 340S Unified Threat Management System

Statement for the Record

OpenWay Security Overview

New Guidance on Privacy Controls for the Federal Government

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Transcription:

Securing the Smart Grid Understanding the BIG Picture The Power Grid The electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change that will unfold over a number of years. As the grid is modernized, it will become highly automated, leverage information technology more fully, and become more capable in managing energy from a variety of distributed sources. In this process of becoming increasingly smarter, the grid will expand to contain more interconnections that may become portals for intrusions, error-caused disruptions, malicious attacks, and other threats. 2 The Power Grid The convergence of the information and communication infrastructure with the electric power grid introduces new security and privacy-related challenges. The introduction of these technologies to the electric sector also presents opportunities to increase the reliability of the power system, to make it more capable and more resilient to withstand attacks, equipment failures, human errors, natural disasters, and other threats. These greatly improved monitoring and control capabilities must include cyber security solutions in the development process rather than as a retrofit. 3 Corporate Risk Solutions, Inc. 1

The Power Grid Interoperability of Components Interoperability can be defined as the ability of two or more systems or components to exchange information and to use the information that has been exchanged. The second part of this definition is very important: not only must computer systems exchange information, but they must also be able to understand that information. 4 Advanced Metering Infrastructure (AMI) AMI will provide two-way communications between customers and utilities. This is really what the smart grid is all about. AMI is widely considered to consist of several components. These include: Smart Meter Customer Gateway AMI Communication Network AMI Headend 5 Advanced Metering Infrastructure (AMI) Lesser versions of AMI systems include automated meter reading (AMR) systems that allow remote reading of measurement registers, and automatic meter management (AMM) systems that extend AMR capability with the ability to manage meters remotely. Such devices will allow for numerous advanced capabilities. Several of these that have been proposed include: track customer usage such as total energy consumption remotely connect and disconnect customers send out alarms in case of problems provide real-time pricing send power quality data remotely receive firmware upgrades in order to update software and incorporate new functionality such as providing customers the ability to manage their own energy consumption more accurately. 6 Corporate Risk Solutions, Inc. 2

Smart Grid Domains Although most Smart Grid issues impact all aspects of electric energy delivery, it is convenient to separate the issues into different domains. These domains are: Central generation (and storage), including traditional power plants, renewable energy plants, and other large sources of energy Distributed energy resources, consisting of smaller sources of generation and storage predominantly interconnected at the distribution level, such as photovoltaics, small wind, and plug-in hybrid electric vehicles Transmission system, including ISOs, transmission operations, planning, and maintenance, as well as substation automation and synchrophasor measurements 7 Smart Grid Domains Distribution system, including distribution operations, automation, planning, and maintenance Customer utility interactions, covering utility to customer interactions with respect to metering, energy services, PHEVs, and interfaces to customer gateways (with sub-domains of C&I customers and residential/small commercial customers) Market operations, including energy market, ancillary services, demand response, load management, feed-in tariffs, pollutant cap-and-trade, and other market-based approaches Building, homes, and industries, covering building management systems, home area networks, industrial energy management systems, and other customer systems. 8 Smart Grid Domains 9 Corporate Risk Solutions, Inc. 3

The Smart Grid Characteristics Self-healing Empowers and incorporates the consumer Resilient to physical and cyber attacks Provides power quality needed by 21st century users Accommodates a wide variety of generation options Fully enables maturing electricity markets Optimizes assets Source: The US National Energy Technology Laboratory 10 Smart Grid Technology Sensors Monitoring and detecting the data Communications Moving the data through the build of networks First-level integration Collecting the data Centralized control Using the data for visualization and control Security Protecting the data with Security Services & Solutions Full integration Integrating the data with the rest of the business Services and Applications Using the data in new ways Source: The Emerging Smart Grid, Global Environment Fund - Centre for Smart Energy 11 Smart Grid Cyber Security Drivers Increasing Interconnection and Integration Increasing Use of COTS Hardware and Software New 2-Way Systems (e.g. AMI, DSM) New Customer Touch Points into Utilities Control Systems Not Designed with Security in Mind Increasing Number Of Systems and Size of Code Base Increased Attack Surface Increased Risk to Operations 12 Corporate Risk Solutions, Inc. 4

Potential Cyber Security Issues to the Smart Grid Include: Increasing complexity that could introduce vulnerabilities and increase exposure to potential attackers; Without proper planning, a natural- or man-made event could disable the communications infrastructure, rendering the smart grid ineffective at coping with an emergency situation; A cyber intruder could compromise electricity use data and send false information to the utility and either lower or increase the billing, depending upon the motivation; Linked networks can introduce common vulnerabilities; 13 Potential cyber security issues to the Smart Grid include: Increasing vulnerabilities to communication disruptions and introduction of malicious software that could result in denial of service or compromise the integrity of software and systems; Increased number of entry points and paths for potential adversaries to exploit; Potential for compromise of data confidentiality, including the breach of customer privacy; and 14 Potential cyber security issues to the Smart Grid include: Compromise of the automated device/service control functionality of the Smart Grid devices, in such a way that significantly disrupts, impairs, or destroys the self-sensing and monitoring, self-adaptive, self-healing electricity generation, transmission, and distribution infrastructure. 15 Corporate Risk Solutions, Inc. 5

Functional Requirements for Cross- Cutting Areas Cyber and Physical Security Security policies, as well as training and enforcement Security risk assessment Security requirements Security specifications Identify establishment Authentication Confidentiality Integrity Availability Non-repudiation / Accountability Intrusion detection Audit logging and reporting 16 Functional Requirements for Cross- Cutting Areas Network and System Management Network design to meet performance and security requirements System design with embedded security tools and mechanisms Specifications and Engineering Specifications need to map the business or functional requirements into engineering requirements Engineering design and implementation is needed to develop products and systems from the specifications Integration is needed to interconnect all the equipment and systems into a functioning whole. 17 Functional Requirements for Cross- Cutting Areas Conformance and Interoperability Testing Conformance testing for vendors against standards Interoperability testing of two or more systems with each other to ensure interoperability 18 Corporate Risk Solutions, Inc. 6

Cyber Solutions - Defense in Depth Perimeter Protection Firewall, IPS, VPN, AV Host IDS, Host AV DMZ Physical Security Interior Security Firewall, IDS, VPN, AV Host IDS, Host AV IEEE P1711 (Serial Connections) NAC IDS Intrusion Detection System Scanning IPS Intrusion Prevention System Monitoring DMZ DeMilitarized Zone Management VPN Virtual Private Network (encrypted) AV Anti-Virus (anti-malware) Processes NAC Network Admission Control 19 Recommendations View cyber security as a critical element of your Smart Grid deployment Apply the defense in depth concept isolating and segregating systems and applications, then allow selected connectivity Best accomplished at the foundational / design level Establish a security management system you can t manage what you can t measure Involve your vendors and interconnected partners Embed into your corporate governance systems Develop and track business case: Project by project basis Integrated system 20 References Study of Security Attributes of Smart Grid Systems Current Cyber Security Issues Idaho National Labs April 2009 Cyber Security and the Smart Grid Ontario Smart Grid Forum November 2008 Cyber Security Issues for Advanced Metering Infrastructure - IEEE T&D Conference - April 2008 Proposed Smart Grid Reference Arch & Roadmap - NIST - March 15, 2009 Guidelines for Smart Grid Cyber Security NIST - NISTIR 7628 August 2010 Smart Grid Standards Overview Erich W. Gunther February 2009 21 Corporate Risk Solutions, Inc. 7

Phil Sobol CISSP,CISA,CSSA,C EH,CNA psobol@corprisk.net 22 Corporate Risk Solutions, Inc. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback