Utility of the Future Series introducing Smart Grid Security & Reliability What You Need to Know – February, 2012 John Chowdhury


The presentation outlines the current regulations, threats and issues with Smart Grid security and how to mitigate the risk.


© 2012 Smarterutility.com | Not to be reproduced without permission Page: 2

About the Author

John Chowdhury:
• Has been working in the utility industry for the last 23 years
• His clients include CenterPoint, San Diego Gas & Electric, APS, Southern California Edison, Vectren, TXU and NIPSCO, to name a few

Objectives of SmarterUtility.com:
• Create a Federated Knowledge Repository to take advantage of knowledge, regardless of where it is housed
• Support multiple channels from a single knowledge repository (Country‐State‐City‐Utility‐Regulator‐Partner‐Vendor‐etc.)
• Knowledge repository is based on the context and intent
• To leverage Subject Matter Experts to improve your success factors
• Adaptive Knowledge architecture that will support all your needs with a single repository and remain flexible to change as needed
• Use the Adaptive Knowledge architecture to support Transparency of knowledge, Cloud computing, Mobile presentation, and Social use of knowledge with no additional changes

It’s about Success, and Knowledge Sharing


2/22/2012 © 2012 Smarterutility.com | Not to be reproduced without permission Page: 3

Why you should consider this report

• Understand current security issues
• Understand the reliability standards
• How to develop a sustainable security and reliability process
• Approach to governance
• Tips beyond planning

System vulnerabilities and threats are constantly changing


Objective of This Research

A good framework can be a start.

The ultimate objective of the Smart Grid is to have interconnected critical power generation and distribution systems (intelligent supply and demand).

Defining, designing, implementing and managing security should take the overall objectives of the Smart Grid into account.


Security Concerns for Smart Grid

The security concerns of smart grid are numerous. For this presentation, we are assuming the SG/AMI encompasses Generation to Meter capabilities (or a subset of this process).  Thus SG/AMI represents an extremely large network that touches many private networks and is designed for command and control in order to support FLISR, Volt/Var, Intelligence Switch, Remote Disconnect, Demand Response, Billing, and other features. Combined with a lack of industry‐accepted security standards, the smart grid represents significant risk to connected systems that are not adequately isolated.  Specific security concerns include the following:

1. Smart meters are highly accessible and therefore require board‐ and chip‐level security in addition to network security
2. Smart grid protocols vary widely in their inherent security and vulnerabilities
3. Neighborhood, home, and business LANs can be used both as an ingress to the AMI, and as a target from the AMI
4. Smart grids are ultimately interconnected with critical power generation and distribution systems (main focus of this presentation)
5. Smart grids represent a target to private hackers (for financial gain or service theft) as well as to more sophisticated and serious attackers (for sociopolitical gain or cyber warfare)


Challenges Faced by Organizations

With the rapid development and deployment of AMI and Smart Grid, and security issues with ever‐increasing threat profiles, organizations faced with these challenges ask themselves:

– What are the potential security threats and vulnerabilities?
– Are our Smart Grid security initiatives aligned with our business needs?
– Are our Smart Grid vendors' security implementations within their products compliant with Federal Requirements and compatible with ours?
– Are our Smart Grid security practices providing adequate assurance to meet regulation or compliance agreements?
– Are we perceived as a responsive and proactive organization meeting the needs of our stakeholders, our customers, and trading partners?
– Do our Smart Grid security controls align with industry‐related and internationally accepted practices, standards and guidelines?
– Are we aware of our security risks and are they being effectively managed?
– Are we measuring the effectiveness of our Smart Grid security investments?

Bottom Line…..Are We Secure?


Security and Sustainability ‐ New School Solutions

Old School:
• Develops Reliability, Cyber, Control System, IT in separate silos
• Cling to safe, existing processes even when they are inadequate
• Rely on past solution to solve today’s issues

New School:
• Develops comprehensive, sustainable, capable, and transforming processes
• Recognizes opportunities to experimentally change processes and seeks to adapt


Emerging Technologies in Smart Grid, introducing new opportunities for security breach 

Security and Reliability: Standards and Regulations

Diagram labels: NIST (DOE/DHS); NERC / CIP (under FERC); NISPI; ISO‐27002; ISA‐99; SECURITY THREATS


NERC CIP Explained

The NERC CIP reliability standard identifies security measures for protecting critical infrastructure with the goal of ensuring the reliability of the bulk power system. Compliance is mandatory for any power generation facility, and fines for noncompliance can be steep. The CIP reliability standards consist of nine sections, each with its own requirements and measures. They are:

• CIP‐001‐4—Sabotage Reporting. Requires that all disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.
• CIP‐002‐4—Critical Cyber Asset Identification. Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk‐based assessment.
• CIP‐003‐4—Security Management Controls. Requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.
• CIP‐004‐4—Personnel and Training. Requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness.
• CIP‐005‐4—Electronic Security Perimeter(s). Requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.
• CIP‐006‐4—Physical Security of Critical Cyber Assets. Ensures the implementation of a physical security program for the protection of Critical Cyber Assets.
• CIP‐007‐4—Systems Security Management. Requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (noncritical) Cyber Assets within the Electronic Security Perimeter(s).
• CIP‐008‐4—Incident Reporting and Response Planning. Ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.
• CIP‐009‐4—Recovery Plans for Critical Cyber Assets. Ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.


ISO 27002 Explained

ISO 27002 is a set of security recommendations published by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), and may be referred to as ISO/IEC 27002 or ISO/IEC 27002:2005. ISO 27002 defines “Information technology—Security techniques—Code of practice for information security management,” and is not specific to industrial network security. ISO standards are widely used internationally and can be easily mapped to the recommendations of NIST, NRC, NERC, and others, as they consist of functional guidelines for:

1. Risk assessment
2. Security policy and management
3. Governance
4. Asset management
5. Personnel security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Asset acquisition, development, and maintenance
10. Incident management
11. Business continuity management
12. Compliance


ISA‐99 Explained

ISA standard 99 (ISA‐99) is an industrial control security standard created by the International Society of Automation (ISA) to protect SCADA and process control systems. ISA‐99 offers varying security recommendations based on the physical and logical location of the systems being protected as well as their importance to the reliable operation of the system. In order to accomplish this, ISA‐99 first attempts to classify functional areas of an industrial system into specific security levels and then provides recommendations for separating these areas into “zones.” ISA‐99 also defines the interconnectedness of zones as well as how to enforce security. For utilities, the most public systems such as Internet or Internet‐facing systems within the business LAN would constitute level 5, while the rest of the business LAN may map to level 4. Supervisory networks (i.e., the SCADA DMZ network) would represent level 3, and so on, with the actual “control system” (the SCADA networks, HMI systems, field devices, instrumentation and sensors) at level 0. ISA‐99 organizes security recommendations into seven foundational requirements, and each foundational requirement consists of multiple system requirements (SRs).

• FR1—Access Control (AC)
• FR2—Use Control (UC)
• FR3—Data Integrity (DI)
• FR4—Data Confidentiality (DC)
• FR5—Restrict Data Flow (RDF)
• FR6—Timely Response to an Event (TRE)
• FR7—Resource Availability (RA)

• SR 1.1—IACS user identification and authentication
• SR 1.2—Account management
• SR 3.1—Communication integrity
• SR 3.2—Malicious code protection
• SR 3.3—Security functionality verification
• SR 3.4—Software and information integrity
• SR 4.3—Cryptographic key establishment and management
• SR 5.1—Information flow enforcement
• SR 5.2—Application partitioning
• SR 5.4—Boundary protection
• SR 7.1—Denial of service protection
• SR 7.2—Management of network resources
• SR 7.6—Network and security configuration settings


NERC Compliance Monitoring Methods

Initiated by NERC and Regional Entities (Audits)
1. Periodic compliance audits
2. Post‐event investigations
3. Random spot‐checking or audits

Initiated by Entities (Continuing Compliance)
Self‐certification of compliance
1. Periodic reporting of compliance data and statistics
2. Exception reporting of compliance data and statistics (post‐event)
3. Self‐reporting of non‐compliance
4. Technical Feasibility Exceptions (TFEs)

NERC Approach
1. Completeness
2. Clarity
3. Practicality
4. Commensurate with BES impact
5. Reduce Administrative Overhead
6. Minimize the Need for TFEs
7. Leverage Investment in Current Standard
8. Looked at NIST and other frameworks for suggestions and guidance
9. Preserved some existing components of CIP‐002 through CIP‐009
10. Requirements adapted from the DHS Catalog of Control Systems Security (subset of NIST SP 800‐53)
11. Includes directives from FERC Order 706


NERC Proposed Changes

• Cyber System: A discrete set of one or more programmable electronic devices organized for the collection, storage, processing, maintenance, use, sharing, communication, disposition, or display of data.
• BES Cyber System: A Cyber System which if rendered unavailable, degraded, or compromised has the potential to adversely impact functions critical to the reliable operation of the Bulk Electric System.
• Bulk Electric System Subsystem (BES Subsystem): A group of one or more BES Facilities (i.e., Generation Subsystem, Transmission Subsystem, and Control Center) used to generate energy, transport energy or ensure the ability to generate or transport energy.

NERC Approach:
1. Looked at NIST and other frameworks for suggestions and guidance
2. Preserved some existing components of CIP‐002 through CIP‐009
3. Requirements adapted from the DHS Catalog of Control Systems Security (subset of NIST SP 800‐53)
4. Includes directives from FERC Order 706


Proposed CIP‐010‐1 and CIP‐011‐1

Major Differences
• Reliability Functions identified in the standard
• Responsible Entity (Owner) identifies BES Cyber Systems performing Reliability Functions
• BES Cyber Systems are categorized (High / Medium / Low) based on BES Impact Criteria identified in the standard
• Security requirements (controls) are applied based on BES Cyber System impact categorization
• All assets will be categorized
• Retiring Terms: CA, CCAs, ESP, PSP

Potential Impacts
• Redesign of the ESP
• Redesign of the PSP
• Additional Network Security Devices
• Access Controls
• Monitoring and Logging

Leverage Current Investments
• CA and CCA Lists
• Restructure ESP
• Restructure PSP


NIST Interoperability and Cyber Security Standards

NIST Framework and Roadmap for Smart Grid Interoperability Standards v1 (NIST SP‐1108)

Smart Grid interoperability standards should be open, meaning the standards should be developed and maintained through a collaborative, consensus‐driven process.

Phase II: Smart Grid Interoperability Panel (SGIP) is a public‐private partnership providing a permanent organizational structure to support the continuing evolution of the framework.

Phase III: Smart Grid Conformity Testing Framework

Other Issues to Address
1. Electromagnetic Disturbances
2. Electromagnetic interference
3. Privacy Issues in the Smart Grid
4. Safety


NISTIR 7628 Guidelines for Smart Grid Cyber Security

Volume I: Smart Grid Cyber Security Strategy, Architecture, and High‐Level Requirements
• Chp 1 – Cyber Security Strategy (C, I, A, NR)
• Chp 2 – Logical Architecture (Seven Domains, 22 Interface Categories)
• Chp 3 – High Level Security Requirements
• Chp 4 – Cryptography and Key Management

Volume II: Privacy and the Smart Grid
• Chp 5 – Privacy and the Smart Grid. Four Dimensions:
  1. Privacy of personal information
  2. Privacy of the person
  3. Privacy of personal behavior
  4. Privacy of personal communications

Volume III: Supportive Analyses and References
• Chp 6 – Vulnerability Classes
• Chp 7 – Bottom‐Up Security Analysis of the Smart Grid
• Chp 8 – Research and Development CS in the SG
• Chp 9 – Overview of the Standards Review
• Chp 10 – Key Power System Use Cases for Security Requirements


Emerging Technologies in Smart Grid, introducing new opportunities for security breach 

Regional Reliability Standards – Major Bodies

• ERCOT: Electric Reliability Council of Texas, Inc.
• FRCC: Florida Reliability Coordinating Council
• MRO: Midwest Reliability Organization
• NPCC: Northeast Power Coordinating Council
• RFC: Reliability First Corporation
• SERC: SERC Reliability Corporation
• SPP: Southwest Power Pool, Inc.
• WECC: Western Electricity Coordinating Council


Reliability Considerations

• Coordination of controls and protection systems
• Cyber security in planning, design, and operations
• Ability to maintain voltage and frequency control
• Disturbance ride‐through (& intelligent reconnection)
• System inertia – maintaining system stability
• Modeling harmonics, frequency response, controls
• Device interconnection standards
• Increased reliance on distribution‐level assets to meet bulk system reliability requirements


Reliability Functional Model


Reliability Standard Categories

• BAL: Resource and Demand Balancing
• CIP: Critical Infrastructure Protection
• COM: Communications
• EOP: Emergency Preparedness and Operations
• FAC: Facilities Design, Connections and Maintenance
• INT: Interchange Scheduling and Coordination
• IRO: Interconnection Reliability Operations and Coordination
• MOD: Modeling, Data, and Analysis
• ORG: Organization Certification
• PER: Personnel Performance, Training, and Qualifications
• PRC: Protection and Control
• TOP: Transmission Operations
• TPL: Transmission Planning
• VAR: Voltage and Reactive


Functional Entity/Reliability Standard Relation

Columns (reliability standard categories): VAR, TPL, TOP, PRC, PER, ORG, MOD, IRO, INT, FAC, EOP, COM, CIP, BAL

Rows (functional entities), with the X marks recorded for each:
• Distribution Provider: XXX
• Purchasing-Selling Entity: XXX
• Load Serving Entity: XXXXXXXX
• Resource Provider: X
• Transmission Planner: XXX
• Generator Owner: XXXXXXX
• Transmission Owner: XXXXX
• Generator Operator: XXXXXXXX
• Transmission Operator: XXXXXXXXXX
• Transmission Service Provider: XXXXX
• Balancing Authority: XXXXXXXX
• Interchange Authority: XX
• Planning Coordinator: XXX
• Regional Reliability Org: XXXXXXXX
• Reliability Coordinator: XXXXXXXXX
• Compliance Monitor
• Standards Developer


Smart Grid Components

Devices
• Synchrophasors and PMU Concentrators
• Wholesale and customer smart meters
• Intelligent end devices (IEDs)
• Switched/controllable capacitor banks
• Digital fault recorders
• Plug‐in electric vehicles
• Power quality meters
• Direct control load management
• DLR for operations
• Tension and Sag Measurement

Applications
• State Estimator and Contingency Analysis
• Wide‐area situational awareness
• Event detection
• Disturbance location
• Dynamic Ratings
• Pattern recognition
• Protection systems
• Remedial action
• Demand Response
• Automatic meter Reading
• Voltage/reactive control
• Operator training simulator
• Data storage and retrieval

Measurement/Data
• Voltage and current angle differences
• Voltage and current phasors and DLR
• Frequency
• Three‐phase AC voltage and/or current waveforms
• Power system modeling data and real‐time data from DLR
• Meter data common profiles
• Dynamic Line Ratings

Communications
• Precision time protocols
• Information Management protocols
• Wide‐area networks and communications
• Field area networks and communications
• Premises networks and communications
• Wireless communications
• Substation LANs
• Global Positioning System
• Encryption
• Phasor Management Networks


Smart Grid Conceptual Architecture

[Figure: labels recovered from the architecture diagram]

Domains: Generation, T&D, Consumer, Non‐utility

Application areas: Generation Automation, Transmission Automation, Substation Automation, Distribution Automation, Advanced Metering, DR/EV, EE, DER (DG/DS), Smart City

Networks: Dedicated Circuits (fiber, T1); Backhaul (fiber, WiMAX, cellular); Intra‐SS comms (Enet, fiber, WiFi, serial); Neighborhood Area Networks; RF Mesh; WiMAX; PLC; 3G/GPRS; RF Tower; Alternative Networks (Broadband, Cellular); Home Area Network (2.4 GHz ZigBee, SEP 2.0, PLC, Zwave); Network Management SW (including device monitoring and APIs to support the SW components)

Components and applications: Theft detection; Transformer Monitor; Recommendation engine; Load control & shaping; EV Management; Generation Control Devices; Cap Bank controller & voltage regulator; Recloser/Switch controllers; Electric Meters; Gas Meters; Water Meters; PV/Inverters; Load Switch; PCT; IHD/Gateway; Smart Appliances; SCADA; Batteries; Flywheels; Meter data management; Meter management; Automatic generation control; Remedial action scheme; Circuit breaker; Pricing; Load disaggregation & targeting; DG/DS dispatch optimization; Microgrid/Islanding; Municipal services apps; Street lights; Parking meters; Emergency services; Mobile devices; Phasor measurement unit; Load tap changer & voltage regulator; PMU; Digital fault recorder; Renewable load following; EVSE; Wide area monitoring; Operator Simulation; Market management; Fault detection & management; Load management; Volt‐VAR optimization; Asset monitoring; Parking meter monitor; Street light monitor & control; RTUs; Public EVSE; Consumer portal; Public EV Management; FCI/line sensor; Low‐voltage transformer monitor; M&V; Grid/Asset monitoring & mapping; Outage detection


Security compliance must be tested for each Network Gateway

Current offerings have better cyber security, increased situational awareness, lower cost of ownership, and improved data surfacing capabilities.

• Backhaul to Office: typically Fiber, PTP or Cellular Network
• NAN to Concentrator/Substation: typically Radio, PLC or Cellular
• Meter/HAN to Concentrator: typically Radio, Mesh, PLC or Cellular

Network segment labels in the diagram: WAN, LAN, NAN, HAN


Network Security – Multiple Layers


A Note About DNP3

DNP3 ‐ Security Concerns

While much attention is given to the IP network, there is no authentication or encryption inherent within DNP3 (although there is within Secure DNP3). Because of the well‐defined nature of DNP3 function codes and data types, it then becomes relatively easy to manipulate a DNP3 session. Also, while DNP3 does include security measures, the added complexity of the protocol increases the chances of vulnerability. There are several known vulnerabilities with DNP3 that are reported by ICS‐CERT.

Because there are known exploits in the wild and DNP3 is a heavily deployed protocol, proper penetration testing and patching of DNP3 interconnections is recommended.
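
For monitoring DNP3 interconnections, the following added example (not part of the original presentation) parses DNP3 link-layer frames, verifies their CRCs, and flags control function codes that arrive from a source address outside an allowlist of masters. The allowlist, the addresses and the sample frames are constructed assumptions; because plain DNP3 carries no authentication, a source address can be forged, so this check is a monitoring aid and not an access control.

```python
import struct

# Application-layer function codes that change outstation state (subset of IEEE 1815).
CONTROL_FUNCTIONS = {
    0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE", 0x05: "DIRECT_OPERATE",
    0x06: "DIRECT_OPERATE_NR", 0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
}
READ = 0x01


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, final complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def _with_crc(block: bytes) -> bytes:
    return block + struct.pack("<H", crc16_dnp(block))  # CRC is sent low byte first


def build_frame(dest: int, src: int, app_fc: int, objects: bytes = b"") -> bytes:
    """Build a sample master request (hypothetical helper used only for demo data)."""
    # Transport header 0xC0 = FIN|FIR, seq 0; application control 0xC0 = FIR|FIN, seq 0.
    user = bytes([0xC0, 0xC0, app_fc]) + objects
    # LENGTH counts control + destination + source + user data, CRCs excluded.
    # Link control 0xC4 = DIR|PRM with link function 4 (unconfirmed user data).
    header = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user), 0xC4, dest, src)
    frame = _with_crc(header)
    for i in range(0, len(user), 16):  # user data travels in 16-byte blocks, each with a CRC
        frame += _with_crc(user[i:i + 16])
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate link-layer CRCs; return addresses and the application function code."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link frame")
    if crc16_dnp(frame[:8]) != struct.unpack_from("<H", frame, 8)[0]:
        raise ValueError("header CRC mismatch")
    length, _ctrl, dest, src = struct.unpack_from("<BBHH", frame, 2)
    if length < 5:
        raise ValueError("invalid LENGTH field")
    remaining, pos, user = length - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        if crc16_dnp(block) != struct.unpack_from("<H", frame, pos + n)[0]:
            raise ValueError("data block CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    # The function code is only present in the first transport segment (FIR bit 0x40).
    app_fc = user[2] if len(user) >= 3 and user[0] & 0x40 else None
    return {"dest": dest, "src": src, "function": app_fc}


def audit(frames, authorized_masters):
    """Return (index, category, detail) for malformed frames and unexpected control requests."""
    findings = []
    for index, frame in enumerate(frames):
        try:
            info = parse_frame(frame)
        except ValueError as err:
            findings.append((index, "malformed", str(err)))
            continue
        name = CONTROL_FUNCTIONS.get(info["function"])
        if name and info["src"] not in authorized_masters:
            detail = f"{name} to outstation {info['dest']} from address {info['src']}"
            findings.append((index, "unauthorized-control", detail))
    return findings


# Constructed sample traffic: address 1 is the assumed SCADA master, 99 is not.
FILLER = bytes(20)  # constructed placeholder object bytes; forces a second data block
SAMPLE = [
    build_frame(dest=10, src=1, app_fc=READ),
    build_frame(dest=10, src=1, app_fc=0x04, objects=FILLER),
    build_frame(dest=10, src=99, app_fc=0x05, objects=FILLER),
]
_corrupted = bytearray(SAMPLE[1])
_corrupted[12] ^= 0xFF  # flip the function-code byte without fixing the block CRC
SAMPLE.append(bytes(_corrupted))


def run_demo():
    return audit(SAMPLE, authorized_masters={1})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```
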


The risks are enormous… and internal and external pressure continues to mount

Unprotected Grid and AMI Network Risks:
• Compliance Liability
• Business Liability
• Publicity Nightmare
• Escalating Costs
• Reduced Effectiveness

Effective management of Smart Grid security risks using a framework can drive better business and technology decisions and achieve better results. It can:
• Protect electric grid
• Ensure Smart Grid integrity, availability, confidentiality
• Reduce compliance liability
• Provide performance, compliance and reliability
• Enhance productivity and quality
• Protect company assets
• Align Smart Grid programs with business objectives
• Improve customer service and responsiveness
• Leverage risk to support competitive opportunities
• Protect the Company reputation
• Reduce cost by enhancing efficiency


Managing the risks to Smart Grid requires a management lifecycle

Smart Grid Risk Management Elements

• Architectures and Standards – Standards‐based, business driven security architecture is used to develop and implement an enterprise‐level security program, operating model – core security program and architecture established
• Management Processes – Business management processes are refined and calibrated to efficiently integrate security standards and expertise throughout the system development lifecycle and day‐to‐day operations – evolutionary integration of security across the enterprise including AMI and Smart Grid
• Solution Implementation – Security for Smart Grid Applications and Architectures is defined, developed and deployed consistent with the organization’s desired risk profile – end‐to‐end transaction integrity achieved
• Compliance / Monitoring – Monitoring solutions are established to allow mid‐level and senior management to monitor and report security performance effectiveness by measuring key performance indicators – is everything ok?

Diagram labels: Management Processes; Processes & Methods; Roles & Responsibilities; Tools / Enablers; Training & Awareness; Standards & Architecture; Solution Implementation; Compliance Monitoring


Qualitative Risk Assessment

Risk Assessment: activities that are carried out to discover, analyze, and describe risks. Risk assessments may be qualitative, quantitative, or a combination of these. Internal audit is related to risk assessment;

Qualitative Risk Assessment: A qualitative risk assessment occurs with a pre‐defined scope of assets or activities. Assets can, for example, consist of software applications, information systems, CIP equipment, or physical security. Activities may consist of activities carried out by an individual, group, or department.

A qualitative risk assessment will typically identify a number of characteristics about an asset or activity, including:

• Vulnerabilities. These are weaknesses in design, configuration, documentation, procedure, or implementation.
• Threats. These are potential activities that would, if they occurred, exploit specific vulnerabilities.
• Threat probability. An expression of the likelihood that a specific threat will be carried out, usually expressed in a Low‐Medium‐High or simple numeric (1–5 or 1–10) scale.
• Countermeasures. These are actual or proposed measures that reduce the risk associated with vulnerabilities or threats.


Risk Assessment Methodologies

Several different approaches and methodologies exist. Among them are:

• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Developed by Carnegie Mellon University’s Software Engineering Institute (SEI), OCTAVE is an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, evaluate risks, and create a protection strategy to reduce risk.
• FRAP (Facilitated Risk Analysis Process): This is a qualitative risk analysis methodology that can be used to pre‐screen a subject of analysis as a means to determine whether a full‐blown quantitative risk analysis is needed.
• Spanning Tree Analysis: This can be thought of as a visual method for identifying categories of risks, as well as specific risks, using the metaphor of a tree and its branches. This approach would be similar to a Mind Map for identifying categories and specific threats and/or vulnerabilities.
• NIST 800‐30 (Risk Management Guide for Information Technology Systems): This document describes a formal approach to risk assessment that includes threat and vulnerability identification, control analysis, impact analysis, and a matrix depiction of risk determination and control recommendations.


Steps in Creating Smart Grid Security Governance Process  

Diagram labels:
• Smart Grid Security Vision & Mission
• Smart Grid Security Conceptual Architecture
• Smart Grid Security Functional Architecture
• Smart Grid Security Architecture Design Principles
• Smart Grid Security Physical Architecture
• Smart Grid Security Principles
• Smart Grid Security Architecture
• Smart Grid Security Policies
• Motivation, Implication, Risk Tolerance
• Legislation and Regulatory Compliance
• Motivation
• Security and Reliability Mission
• Smart Grid Security Standards
• Corporate Policies
• Smart Grid Security Policy Framework
• Smart Grid Security Strategy
• Smart Grid Security Controls
• Smart Grid Security Operational Processes
• Smart Grid Security Management Processes


Security & Reliability Framework

Diagram labels:
• Security and Reliability Management
• Smart Grid Security Drivers
• Smart Grid Security Architecture
• Operations
• Security & Reliability Governance
• Strategy
• Requirements & Planning
• Measurement & Assessment
• Principles
• Policies
• Standards
• Guidelines
• Procedures
• Audit
• Enforcement
• Risk Management
• Awareness & Training
• Reliability, Risk Tolerance, Legislation & Regulations
• Monitoring & Management


Security & Reliability Architecture

Conceptual (Models)
‐ Security & Reliability Principles
‐ Security & Reliability Policies
‐ Security & Reliability Design Objectives
‐ Threat Risk Profile
‐ Security & Reliability Architecture Principles

Functional (Components)
‐ Security & Reliability Standards
‐ Security & Reliability Design Decisions
‐ Security & Reliability Design Patterns
‐ Security & Reliability Component Definition

Physical (Nodes)
‐ Technical Operating Standards
‐ Product Standards
‐ Security & Reliability Design Patterns
‐ Process Documents
‐ Configuration Guidebooks
‐ Security & Reliability Node Definitions

[Diagram: four domains labelled Access Management; AMI Network & SG Infrastructure; Trust & Assurance; Security & Reliability Management. Element labels: Firewalls/VPNs; Switches/Routers; IPS, NIDS & HIDS; FIPS 140‐2; Anti‐Virus; URL Filter; Encryption; Private Keys & Certificates; Message Digest; Digital Signature; NTP; Trust Model; Availability; Credentials; Profiles; Authorization Rules; Credential Repository; Identity; Authentication; Authorization; Credential Management; Role Based Access Control; User Communities; Business Partners; Stakeholders; Intrusion Detection; Network Access Control; Network Segmentation; Data Management; DMZ; Security & Reliability Operation; Administration, Monitoring & Compliance; Confidentiality; Business Continuity; Backup & Recovery; Non‐repudiation; Trusted Time; Secure Storage & Destruction; Physical Security; Logging & Monitoring; Incident Management; Reporting; Security Operation Centre; Vulnerability & Configuration Management; Security Zones; Information Flow Control; SIM & SEM; KPIs & Dashboard; Vulnerability Assessment; Security Baseline]

…. provides a mechanism to deliver a consistent approach to Smart Grid security decisions and solutions


Smart Grid Security Assessment

Information Gathering
• Review environment
• Types of systems
• Timing requirements
• Locations
• Security & Reliability requirements

Network Analysis
• Gain understanding of network architecture and systems in place
• Identify Security & Reliability issues related to the network architecture
• Identify Security & Reliability issues based on observed network components and network traffic
• Identify interconnections with other networks - Intranets, wireless, dialup

Network Vulnerability Analysis
• Identify vulnerabilities in devices
• Identify vulnerabilities in applications

System Vulnerability Analysis
• Identify vulnerabilities in devices
• Identify system configuration and procedural vulnerabilities such as weak passwords, virus protection, patch management, system logging, etc.

Application Vulnerability Analysis
• Identify vulnerabilities in Smart Grid application components

Vulnerability Identification/Validation
• Review all data from automated tools and, where possible, check systems to verify identified vulnerabilities


How does the Smart Grid security program operate? – Define the links, start with ISO and ELSSI

[Diagram, shown twice with the captions "Information Security Program: Information Technology & Security Operating Model" and "ISO 27002 Information Security Management System". Two layers, Delivery and Strategic Planning, each with three columns:]

Delivery
• SECURITY MANAGEMENT: Risk Office Management; Training & Awareness; Policy Management; Risk Management; Certification & Accreditation; Compliance Management
• ACCESS MANAGEMENT: Identity; Infrastructure; Data; Personnel; Application; Physical
• OPERATIONS MANAGEMENT: Change Management; Configuration Management; Vulnerability Management; Incident Management; Customer Support; Systems Management

Strategic Planning
• STANDARDIZATION: Normalized Requirements; Exceptions Policy; Enterprise Architecture; Tools & Infrastructure; Approved Asset List; Risk Control Library; Compliance Reporting; Risk Reporting
• RESILIENCE: Backup & Restoration; Redundancy; Diversification; Network Defense
• GOVERNANCE: Executive Steering Committee; Architecture Definition Committee; Policy Definition Committee; Performance Metrics & Incentives; Risk Budget & Planning; Third Party Management Committee; Project/Portfolio Review Committee


A sound Smart Grid security strategy should have proper balance and integration with the security governance, architecture and operations

A security strategy is supported by three critical components …

• Architecture: provides technology standards, models and technologies to be leveraged by the business
• Strategy: links security initiatives with business and technology objectives


Smart Grid Security Process Integration

[Diagram: project lifecycle boxes alongside security activity boxes]

Project lifecycle boxes:
• Requirements Definition
• Solution Design and Package Selection
• Functional-Technical Architecture Definition
• Process Design
• Organization Definition and Planning
• Communications and Training
• Application Build and Configuration
• Unit and Integration Testing
• Infrastructure Build and Configuration
• Rollout and Deployment
• Detailed Application Design

Security activity boxes:
• Determine Business Risks and Security Requirements
• High Level Security Design
• Security Functional-Technical Architecture and Application Security Design
• Design Security Processes
• Design Security Roles and Operational Support Requirements
• Build Application and Infrastructure Security Components and Ensure Secure Configurations
• Develop Security Related Training, Communications, and Procedures
• Pre-Deployment Security Testing
• Establish Users and Permissions
• Rollout Security Architecture
• Deploy Processes, Procedures, and Organization
• Monitor and Continuous Improvement


Suggested Approach

• Develop a prudent and compliant cyber security program
• Identify systems considered business critical
• Identify systems considered critical per NERC standards
• Perform risk assessment for each category to determine the financial impact of cyber security for each category
• Develop documentation that meets needs for business critical systems and documentation to meet NERC requirements
– Be compliant with the NERC standards
– Also, be prudent in the application of cyber security programs across business and support systems, in addition to operational systems
– Strive for compliant and prudent cyber security practices


Cyber Security is On‐going

• System vulnerabilities and threats are constantly changing
– Any modification, integration, upgrade, or test can impact a system’s cyber vulnerability
– Vulnerability assessments are only a snap‐shot in time

• There is NO silver bullet
– No single technology is sufficient to protect control systems
– Relevant control system security policies and procedures are the best solutions that we have without new technology developments
– Without appropriate policies, any technology can be defeated


Tips beyond Planning

1. Do a gap analysis between requirements and what is provided by the vendors
2. Get your vendors to comply with all security requirements
3. Follow up and make sure your vendors are complying with all security requirements
4. Select a system based on SIEM to help manage and do compliance
5. Use multiple layers of defense
6. Use alternate threat detection mechanisms
7. Use the full capability of security monitoring and analysis tools
8. Look for either intentionally as an act of sabotage or in innocence and ignorance
9. Only a properly trained and motivated staff can ultimately ensure that the established technical controls will operate successfully
10. Secure all wireless networks
11. Misconfigurations – most vulnerabilities come from configuration weaknesses


How to Choose a SIEM Tool

What is SIEM?

SIEM is the combination of two different types of products: SIM (Security Information Management), which gathers and creates reports from security logs, and SEM (Security Event Manager), which uses event correlation and alerting to help with the analysis of security events.

What to look for in a SIEM solution?

Now that we know what a SIEM is and the resource commitments it requires, we can take a look at various features and characteristics that you should pay attention to when choosing a product:

Licensing and scalability: Different SIEM vendors license their products differently. Some of the most common licensing modes are:
1. Number of monitored computers/devices
2. Number of events per day/hour/minute and log volume size (in MB). If you have a baseline of the logs you wish to monitor, you should already know most (if not all) of this information beforehand.
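As an added illustration (not part of the original presentation), the Python script below derives such a baseline from a log sample: device count, peak events per minute, hour and day, and daily volume in MB, which are the quantities the licensing modes above are priced on. The sample lines, host names and the syslog-style layout are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: syslog-style lines from three hypothetical devices.
SAMPLE_LOG = """\
Feb 22 10:00:01 ami-headend sshd[811]: Failed password for admin from 10.1.4.7
Feb 22 10:00:01 ami-headend sshd[811]: Failed password for admin from 10.1.4.7
Feb 22 10:00:02 fw-dmz kernel: DROP IN=eth0 SRC=10.9.9.9 DST=10.1.1.5
Feb 22 10:00:40 scada-hist app[77]: user operator1 logged in
Feb 22 10:01:15 fw-dmz kernel: DROP IN=eth0 SRC=10.9.9.9 DST=10.1.1.6
Feb 22 11:30:00 ami-headend cron[90]: job meter-read started
"""


def baseline(text, year=2012):
    """Summarise a log sample into the quantities SIEM licences are priced on."""
    minute, hour, day_events, day_bytes, devices = (Counter() for _ in range(5))
    for line in text.splitlines():
        parts = line.split(None, 4)  # month, day, time, host, message
        if len(parts) < 5:
            continue  # too short to be a syslog-style line
        try:
            # Classic syslog timestamps carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {parts[0]} {parts[1]} {parts[2]}",
                                   "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # timestamp does not parse: skip rather than miscount
        devices[parts[3]] += 1
        minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
        hour[ts.strftime("%Y-%m-%d %H")] += 1
        day_events[ts.date()] += 1
        day_bytes[ts.date()] += len(line.encode("utf-8")) + 1  # + newline

    def peak(counter):
        return max(counter.values(), default=0)

    return {
        "devices": len(devices),
        "events_per_device": dict(devices),
        "peak_events_per_minute": peak(minute),
        "peak_events_per_hour": peak(hour),
        "peak_events_per_day": peak(day_events),
        "peak_mb_per_day": peak(day_bytes) / 1_000_000,
    }


if __name__ == "__main__":
    for key, value in baseline(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over a representative period, ideally one that includes a busy day, because a licence sized on average rates can be exceeded during exactly the event bursts a SIEM is bought to analyse.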


If you have any questions… Please email or call me:

John Chowdhury
Phone: 214‐213‐6226
[email protected]
www.smarterutility.com
