Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

Similar documents
Cyber security for digital substations. IEC Europe Conference 2017

PROTECTING MANUFACTURING and UTILITIES Industrial Control Systems

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

SECURING THE SUPPLY CHAIN

Take Risks in Life, Not with Your Security

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

Cyber Security of Industrial Control Systems (ICSs)

The five questions I am being asked by National Policy Makers and Utility CEOs; My Best Answers; And Where the Questions Don't Have Answers

2017 Annual Meeting of Members and Board of Directors Meeting

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

AUTHORITY FOR ELECTRICITY REGULATION

WHITE PAPER. Vericlave The Kemuri Water Company Hack

Defensible and Beyond

Practical SCADA Cyber Security Lifecycle Steps

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

CYBERSECURITY RISK LOWERING CHECKLIST

CYBERSECURITY IN THE INDUSTRIAL INTERNET OF THINGS

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

Securing the Grid and Your Critical Utility Functions. April 24, 2017

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

NW NATURAL CYBER SECURITY 2016.JUNE.16

Securing the North American Electric Grid

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

QuickBooks Online Security White Paper July 2017

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Healthcare HIPAA and Cybersecurity Update

Cybersecurity Survey Results

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Combating Cyber Risk in the Supply Chain

Art of Performing Risk Assessments

Securing Industrial Control Systems

Cybersecurity The Evolving Landscape

Cybersecurity Auditing in an Unsecure World

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Emerging Issues: Cybersecurity. Directors College 2015

MANAGING CYBER RISKS ACROSS THE SOFTWARE SUPPLY CHAIN

Cyber Resilience Solution for Smart Buildings

Getting Started with Cybersecurity

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Business continuity management and cyber resiliency

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Information Technology General Control Review

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Ransomware A case study of the impact, recovery and remediation events

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Security Standards for Electric Market Participants

DeMystifying Data Breaches and Information Security Compliance

University of Pittsburgh Security Assessment Questionnaire (v1.7)

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Firewalls (IDS and IPS) MIS 5214 Week 6

Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

Cyber and Physical Security: Lessons Learned From the Electric Industry. Joel dejesus Dinsmore & Shohl LLP Washington, DC

Service Provider View of Cyber Security. July 2017

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

7.16 INFORMATION TECHNOLOGY SECURITY

ANATOMY OF AN ATTACK!

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Top Ten IT Security Risks CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES

Verizon Software Defined Perimeter (SDP).

CCISO Blueprint v1. EC-Council

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Altius IT Policy Collection

Personal Cybersecurity

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Cyber security tips and self-assessment for business

LESSONS LEARNED IN SMART GRID CYBER SECURITY

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

2016 Tri-State CF Partnership Webinar Series. Cyber Crime Trends a State of the Union April 7, 2016

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Digital Wind Cyber Security from GE Renewable Energy

Cybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Must Have Items for Your Cybersecurity or IT Budget in 2018

Cybersecurity Overview

Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems

A practical guide to IT security

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

SFC strengthens internet trading regulatory controls

Technical Guidance and Examples

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

U.S. State of Cybercrime

Cyber Security Panel Discussion Gary Hayes, SVP & CIO Technology Operations. Arkansas Joint Committee on Energy March 16, 2016

Standard CIP 007 3a Cyber Security Systems Security Management

Transcription:

S&L Logo Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment Date: October 24, 2017 Authors/Presenters: J. Matt Cole, PE (Presenter) Sargent & Lundy, LLC Atilla Aksoy, PE (Presenter) Sargent & Lundy, LLC Jordan Bridges (Presenter) Sargent & Lundy, LLC F. Lee Napier Sargent & Lundy, LLC 1

Paper Focus Target s Cybersecurity Breach Via a 3 rd Party HVAC Vendor (Fazio Mechanical Services) 40 million accounts affected, $400+ million in damages Utilities rely heavily on several vendors/suppliers Multi-vendor devices (IEDs) installed in substations NERC CIP V5 & V6 do not govern vendors A critical substation s weakest link is a vendor device Vendor s cybersecurity policies Does the policy match the utility s policy? This paper focuses on cybersecurity vulnerabilities utilities face with using multi-vendor smart devices in substations. Critical steps are recommended to minimize security risks when using multiple suppliers. 2

Increased Attack Vector for Utilities Deficiencies in personnel security awareness & training program (no routine, regular or required security training conducted) Appropriate staff not identified as security personnel (for incident reporting or first responders) No security assessments or audits performed (both internal or external) Maintaining legacy devices that vendors no longer support (no more security or firmware patch updates) Allowing vendors remote access capabilities to devices (no management access controls or oversight) 3

Increased Attack Vector for Utilities (cont.) No firewalls, demilitarized zones (DMZs) or data gateways implemented on networks (no access controls) Lack of password management (infrequent password changes or weak passwords) No network segregation/separation (all critical and non-critical devices are on the same network) No intrusion prevention / intrusion detection systems (IPS/IDS) No physical security installed (no record of who is entering or leaving a substation) No data encryption or VPNs utilized (3 rd party leased comm path) Lack of virus / malware protection or no routine signature updates 4

Tools & Techniques Used by Hackers Social Engineering and Spear Phishing Emails Spear Phishing emails used in both Ukraine cyber attacks Sniffing/Spoofing/Jamming Critical Data How do you know the data is good/accurate? Spyware/Malware/Ransomware/Malicious Code WannaCry Ransomware Virus (Worst Attack in 2017) Viruses/Worms/Trojan Horses Distributed Denial of Service (DDoS) Attacks Ukraine s phone network shutdown (no calls coming/going) Man-in-the-Middle (MITM) Attacks Network Breaches/Cyber Intrusions Data Logger/Theft of Credentials Penetration to Data Encryption of VPNs Hijacking SCADA/HMI/IEDs/other critical functions KillDisk - Wiping all code and traces that hackers were there 5

Recent Attacks from Vendor Vulnerabilities Victim Year Technique Used RSA 2011 Phishing Email Target and Home Depot 2013 Theft of Credentials Boston Medical 2014 Security Breach CVS and Wal-Mart 2015 Security Breach Ukraine Cyber Attacks 2015/2016 Phishing Emails Bizmatic 2016 Theft of Credentials Kroger and Wendy s 2016 Theft of Credentials ADP and Seagate 2016 Theft of Credentials DHS and Verizon 2016 Security Breach Multiple Companies (WannaCry) 2017 Security Breach Multiple Companies (Petya) 2017 Security Breach 6

Multi-Vendor Remote Access (Critical Devices) Critical substation devices communicating via internet protocol (IP): Remote Terminal Units (RTUs) SCADA I/O Controllers Human Machine Interfaces (HMIs) IEDs and Programmable Logic Controllers (PLCs) Phasor Measurement Units (PMUs)/Synchrophasors Digital Fault Recorders (DFRs) Communication Processors Smart Meters 7

Proposed Regulation for Utility s 3 rd Party Suppliers FERC released order # 829 on July 21, 2016 to direct NERC to create a new reliability standard (for transmission utilities): Address supply chain risks for control system devices affecting BES To mitigate cybersecurity risks affected by 3 rd Party Vendors Main objectives: 1) Software Integrity & Authenticity 2) Vendor Remote Access to BES Cyber Systems 3) Information System Planning and Procurement 4) Vendor Risk Management & Procurement Controls NERC released draft standard CIP-013-1 on November 2, 2016 8

Recommended Critical Steps for Utilities This paper recommends 15 Critical Steps to perform for decreasing security vulnerabilities caused by vendors/suppliers 1) Develop a vendor risk management program Perform a risk-based approach on the roles vendors will play within the supply chain. 2) Evaluate the vendors Interview the vendors with a thorough list of questions. Evaluate the reliability and security of their products and services. 3) Review the vendor s security policies Ensure the vendors have the same or similar security policies. 4) Mitigation strategies Review the vendor s mitigation strategies for when a cyber breach or incident occurs. 9

Recommended Critical Steps for Utilities (Cont.) 5) Has the vendor had a cyber incident? Clarify whether the vendor has had a cyber breach or incident. Evaluate how the vendor responded to the incident. 6) Clarify the vendor s third party suppliers Evaluate the vendor s third party suppliers and review their cybersecurity policies. 7) Establish a trust relationship with vendors Ensure you have a good working relationship with your vendors and suppliers and they have a proven track record of cybersecurity protection / awareness. Have a backup vendor on hand in case primary vendor relationship deteriorates. 8) Ensure vendors and their suppliers check their employees Ensure that thorough background checks are being performed on vendor employees / contractors and their suppliers. 10

Recommended Critical Steps for Utilities (Cont.) 9) Ensure vendors and their suppliers are training their employees Make sure vendors and their suppliers are training their employees and contractors on cybersecurity annually or on a regular basis. 10) Patch Management Ensure vendors provide firmware updates and security patches on a regular basis to mitigate potential or known security threats. 11) Testing Test and validate all updates and security patches in a lab or testing environment before rolling out to the live system. 12) Monitor vendors/suppliers by performing annual audits Audit the vendors cybersecurity policies on an annual basis. 11

Recommended Critical Steps for Utilities (Cont.) 13) Restrict remote access Restrict all remote access to the utility s networks, if possible. 14) Perform network segregation Isolate networks by only allowing vendors access to the networks required. 15) Cybersecurity insurance Obtain insurance (if possible) to cover direct damages caused by security breaches to vendors or suppliers. 12

Conclusions As more multi-vendor substation devices are connected to IP networks attack surface will continue to increase One solution is to disconnect all devices not feasible due to necessity of increasing Smart Grid applications Exercise caution and test thoroughly - before selecting a vendor to supply smart substation devices Perform security risk assessments of all networked devices within the substation Ensure vendors or suppliers are providing timely updates if there is a potential vulnerability or threat 13

Conclusions (cont.) Test all updates and patches within a lab or testing environment before pushing onto the live system Make sure vendors are properly trained and match your cybersecurity policies Utilities should proof and fortify their networks - against external attacks should vendors or their suppliers equipment become compromised 14

Future Research/Discussions Vendors need to align together to push security patches simultaneously. Additional security should be applied to vendors and their suppliers manufacturing facilities. 15

Questions? There are three power grids that generate and distribute electricity throughout the United States, and taking down all or any part of a grid would scatter millions of Americans in a desperate search for light, while those unable to travel would tumble back into something approximating the mid-nineteenth century. Ted Koppel, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath J. Matt Cole, PE (Presenter) Sargent & Lundy, LLC Atilla Aksoy, PE (Presenter) Sargent & Lundy, LLC Jordan Bridges (Presenter) Sargent & Lundy, LLC F. Lee Napier Sargent & Lundy, LLC 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback