19Sept2016 IEEE PES NOLA Website... Nathan Wallace, PhD, CSSA

Date post: 09-Aug-2020
Transcript
Page 1

IEEE Power and Energy Society New Orleans Chapter Lunch Tech Talk

09/19/2016

Copyright 2016, Cybirical, LLC. All rights reserved.

www.cybirical.com

19 Sept 2016

Power Systems Cybersecurity: Why, what are we missing, and when is it enough?

Nathan Wallace, PhD, CSSA
nwallace@cybirical.com
n.wallace.us@ieee.org
@NathanSWallace

Overview

•  Why: State of Affairs: Grid & Cyberspace; Cybersecurity => Safety; Misconceptions & Challenges

•  What are we missing: Cyber aware devices and systems

•  When is it enough

Your thoughts?

80 – 95% of the Grid's Cyber Assets Fall Outside NERC-CIP

80 – 90% of the Grid's Cyber Assets are Outside NERC-CIP

Most Violated: NERC-CIP & NERC-PRC

2006
•  Licensed Engineering Firm
•  Substation Engineering
•  Relay/SCADA/Communication
•  T&D Line Engineering
•  EPC/Design-Build/Turnkey
•  Project Development

2015
•  Licensed Engineering Firm
•  Cyber Design Engineering
•  Risk Assessments
•  Vulnerability/Patch Management
•  Internal Cybersecurity Research
•  Patent-Pending Efforts

Creating a safe, secure, and reliable grid

Objective of Presentation: Power System Cybersecurity Awareness
Only 10% of the grid is federally required to have a basic level of cybersecurity in place. Of all the federally required (NERC) standards, those pertaining to cybersecurity remain the most violated. As engineers, how can we make these systems and devices more secure and therefore safer and more reliable?
With expertise across both organizations, Ampirical and Cybirical are able to provide a multitude of engineering services and solutions that help create a safe, secure, and reliable grid.
Page 2

Threads

Engineering Services

Cyber Asset Management

Security: "The facet of reliability that relates to the degree of certainty that a relay or relay system will not operate incorrectly." (overlaid on the slide: "cyber device or ...")

Threats:
•  Nation States
•  Hackers
•  Vendors
•  Intentional Insider
•  Accidental Insider
•  Misconfiguration

Cyber Security

Cybersecurity = Physical + EMI + Digital [Computing & Communications]

Two Infrastructures

Residential, Industrial, Commercial

Generation, Transmission, Distribution

•  Physical
•  Cyber

Control Center

Distribution Control Center

RTOs/ISO

All of Cybirical's services and solutions can be divided into these two main threads. Asset management includes monitoring for vulnerabilities and vendor patches. Shown on the right is a mobile simulated substation environment used for training, research, and demonstration purposes.
Power Systems Cybersecurity: using the security definition from relay protection reveals that the security challenge requires more than just IT solutions. Threats to the grid can be divided into those with intent (right) and those without (left). All six can negatively impact the grid and may pose a risk to life and property.
As we continue to evolve towards the smart grid, there is a growing reliance on the cyber infrastructure. We have automation, systems, and devices to monitor and protect the flow of power, but we DO NOT currently engineer the system to monitor and protect the grid's supporting cyber infrastructure, even though the technology exists to make this a reality.
Page 3

State of Affairs: The Grid

[Diagram: smart grid domains (Markets, Operations, Service Provider, Generation, Transmission, Distribution, Customer) with Monitoring Points and Control Points on each Communication channel; all marked as CYBER]

State of Affairs: The Grid

Event                  Load Lost           Intent         Cyber
Northeast Outage 2003  61,800 MW           Unintentional  Yes
Arizona Outage 2007    400 MW              Unintentional  Yes
FPL Outage 2008        4,300 MW            Unintentional  Yes
Ukraine Attack 2016    230,000 Customers   Intentional    Yes

Computational

State of Affairs: Cyberspace & Cyberwar   http://hp.ipviking.com/

•  Avg price per 0-day:
•  Avg number of days a 0-day remains private:
•  Avg number of days till patch is issued:
•  Avg number of newly created malware per day:
•  Avg dwell time till detection:

Values shown on the slide: USD $40,000-$160,000; 151 days; 300,000; 205 days; 120 days

The website listed shows live signature-based cyber attacks. Statistics are pulled from various sources and reflect the state of cyber threats for 2014/2015. A 0-day is a vulnerability the manufacturer is not aware of, and for which no patch exists. Dwell time is the length of time from breach until detection.
Shown is a representation of the smart grid including each domain and communication channel. Each point marked provides an avenue for malicious actors to perform a man-in-the-middle attack. Protective security measures should be implemented on all channels, even if that channel is only used for monitoring.
Each asset that has either computational and/or communication capability is classified as cyber. Shown is a list of four power system outages. All four have been determined to be the result of cyber.
Page 4

State of Affairs: Cyberspace & Cyberwar

"Global Cyber Weapon Market Expected to Reach USD 522 billion in 2021."

- Global Newswire, 2015 Transparency Market Research Report

Cybersecurity => Safety

21 Lines of Code: Aurora Generator Test

Distribution System Operator

Virtual Power Plant

Cybersecurity => Safety

With the legal and illegal buying, selling, and trading of malicious software, attacks against control system environments are increasing. Unlike a physical attack, a cyber attack can impact devices and systems outside the original scope and intent of the attack.
Using 21 lines of code, this experiment showed how a malicious cyber event can result in the physical destruction of assets and poses a danger to life. By opening and closing the connected breaker out of sync, the generator was completely destroyed.
With the increase in distributed energy resources, the grid now has to support the bi-directional flow of power. This poses a risk, as technicians working on lines may not be able to ensure all switches are and remain open. To handle DER, 'Distribution System Operators' and 'Virtual Power Plants' are being introduced, which increases the dependence on cyber.
Cybersecurity => Safety Example #1
Cybersecurity => Safety Example #2
Page 5

Common Misconceptions

•  We are not a target.  (Ipviking, Shodan, ICS-CERT, Foreign FTP servers)

•  Minimum security needed, we are low impact.  (Ukraine, Changing Standards, State Regulations)

•  We are not connected to the Internet.  (Stuxnet, Reporting capacity to RTO, Firewalls)

Challenges

Misconception: We are not a target. Ipviking, Shodan

Based on the evolving threats and conversations with asset owners and engineers, these are the top three misconceptions & concerns regarding power systems cyber security.
Ipviking is a website showing live cyber attacks. After a few minutes, the attacks against the US skyrocket. Just by being in the US, assets across multiple industries are an attractive target.
Shodan is an ongoing research project for scanning and profiling Internet-facing assets. By continuously scanning, researchers found thousands of control system devices. The results are searchable online and reveal information like protocol (Modbus, DNP) and vendor (ABB, SEL, Siemens).
Page 6

Misconception: We are not a target. Ipviking, Shodan, ICS-CERT

[Chart: ICS-CERT incidents per year, 2012 to 2015; y-axis Incidents, 0 to 350]

Misconception: We are not a target. Ipviking, Shodan, ICS-CERT, FTP servers

•  Passwords, electrical drawings, communication drawings (IP, Protocols), etc.
•  File servers contained malicious code

71 Generation Plants

~20,000 Files: Generation, Transmission, Distribution Systems "From New York to California"

Seven file (FTP) servers with no authorization

"Digital clues pointed to foreign hackers."

Source: AP Investigation: US Power Grid Vulnerable to Foreign Hacks. Dec. 21, 2015

Misconception: Minimum security needed, we are low impact. Ukraine

30 Stations De-energized

•  7 110 kV stations
•  23 35 kV stations
•  ~3 to 6 hrs to re-energize
•  230,000 customers impacted
•  Telephone denial of service
•  Breached 6 months prior
•  Altered firmware at substations

"We were blinded"

Dec 23 2015

Control Center Operator: Still operating in recovery mode.

Source: E-ISAC. Analysis of the Cyber Attack on the Ukrainian Power Grid. March 18, 2016

Successful control system attacks are on the rise. Over the past four years, ICS-CERT responded to more than 900 incidents. These events only include incidents where malicious actors gained access to critical infrastructure networks.
The grid is a target. Researchers found multiple foreign file servers containing engineering drawings of generation, transmission, and distribution systems. The servers were also housing malicious code.
First cyber attack resulting in the physical loss of power to a load. The Ukraine event showed that systems considered out of scope by NERC-CIP should still have protective cyber measures in place. During this event, attackers were able to remotely rewrite firmware on assets after de-energizing 30 stations.
Page 7

Misconception: Minimum security needed, we are low impact. Ukraine, Changing Standards

[Timeline: NERC Physical Security v3; Voluntary -> Mandatory]
2000      1st IEEE Substation Security Standard
2002      NERC Physical Security Guidance
2005      Energy Policy Act
2007      FERC designates NERC as ERO
2010      Stuxnet Discovered; NERC updates Asset ID, CIP-002 v4
2012      FERC Approves Asset ID, CIP-002 v4
2013 Apr  Metcalf Attack
2015      NERC Effective Asset ID, CIP-002 v5.1
2015 Dec  Ukraine
2017      FERC to Approve NERC CIP v7

Misconception: Minimum security needed, we are low impact. Ukraine, Changing Standards, State Regulations

Misconception: We are not connected to the Internet. Stuxnet

Assets considered low-impact today may be classified as medium tomorrow. Standards evolve over time but not at the rate to keep up with the evolving threats. By focusing first on developing adequate security, asset owners will economically be able to meet current and future compliance standards.
With a growing number of states recognizing NERC's jurisdictional boundaries, states are starting to enact their own cyber standards and requirements. The order shown requires all Water and Electric utilities in NJ to implement cyber security for all assets. Similar orders are underway in WA and TX.
Do you have to be connected to be attacked? As revealed by Stuxnet, the 'air-gap' should not be considered an end-all cybersecurity approach. Discovered in 2010, Stuxnet used multiple 0-day vulnerabilities to cause physical damage to the control system environment. The controllers attacked are also used in generation plants.
Page 8

Misconception: We are not connected to the Internet. Stuxnet, Reporting Capacity to RTO

Misconception: We are not connected to the Internet. Stuxnet, Reporting Capacity to RTO, Firewall

Aug 13th, release of 0-day vulnerabilities kept by Govt. Agency. (Cisco, Juniper, etc.)

Challenges: No Longer Can Set It and Forget It

[Diagram: HMI, Engineering Workstations, EMS Servers, SCADA Historian and LDAP/RADIUS Servers on the Area Network, connected over Leased Line (Phone, Fiber, DSL, Cable) to Sub/Swtyd 1, Sub/Swtyd 2 ... Sub/Swtyd N]

Some generation asset owners and operators claim they are not connected to the Internet. However, in order to take part in the energy markets, systems have to be connected to the Internet.
The primary challenge is that we must move away from the ‘Set It and Forget It’ mentality. Devices and systems are increasingly becoming dependent on computational and communication technologies. These devices require continuous security monitoring and updates.
Some view firewalls as devices that create a physical barrier separating untrusted systems from trusted ones. However, firewalls can be misconfigured and have their own set of vulnerabilities. On Aug 13th 2016, government servers housing vulnerabilities and offensive cyber tools were compromised and the information publicly released.
Page 9

Challenges: Complexity

Power Grid, Space Station VS TV, Integrated Circuit

Challenges: Complexity

***

GDB Server, http_server, bzip2, openldap, openssh, openssl, openvpn, postgresql, proftpd, ntp, sssd, d-bus, libevent, libcap, kerberos, e2fsprogs, expat, fcgi, systemd, glib, glibc, iproute2, libarchive, curl, libpng, linux-pam, wireshark, util-linux, tcpdump, jplayer, udev, strace, samba, pypam, pyopenssl, pygresql, pycrypto, mako, beaker, paramiko, net-snmp, mgetty, nano, bash, Python, Cracklib

45 of the ~120 third-party software modules found to be vulnerable

What are we missing: Cyber Risk Management

•  Authorization
•  Accountability
•  Incident Response Planning
•  Vulnerability Management
•  Patch/Firmware Management
•  Cyber Engineering
•  Security Monitoring

There is a growing level of complexity as the grid becomes an interconnected system of systems. Items are shown with increasing complexity from left to right. Another primary challenge is the idea of abstraction. Looking at the two service transformers, the differences and age are obvious. With IEDs*, age and differences are revealed via internal code. (*IED: Intelligent Electronic Device)
We are currently examining an automation device that uses over 120 third-party software libraries. Of those examined, we have determined that 45 had known vulnerabilities.
Effective cyber risk management requires a multi-disciplinary engineering approach, because no single device or software package can satisfy all the cybersecurity concerns and requirements. The device and system have to be designed and integrated for security.
Page 10

What are we missing: Cyber Risk Management

Authorization

Devices
•  Robust & Secure Network Design
•  Device Configuration
•  Device and System Checkout/Commissioning

People
•  Who (Operators, vendors, contractors…)
•  What (Devices, roles and responsibilities)
•  When (Date, time, duration)
•  How (FTP, Telnet, Web, Serial, TCP/IP)

Accountability

Devices
•  Configured to record and report (via: HMIs, Syslog, DC contacts, Email)

Vendors
•  Active vulnerability discovery and patching process
•  Secure design and code
•  Built-in security features

People
•  Unique users
•  Appointed security personnel

Vulnerability Management

CVE-2016-4524  Summary: ABB PCM600 and before 2.7 improperly stores IEC 61850 passwords allowing users to gain access to controlled IEDs.  Published: 06/09/2016  Criticality: 6.5

CVE-2016-5814  Summary: Rockwell Automation RSLogix 500 and RSLogix Micro PLC software allows for a buffer overflow condition allowing for code execution when opening malformed settings.  Published: 09/15/2016  Criticality: 8.6

CVE-2016-2310  Summary: GE ML800, ML1200, ML2400, ML810, ML3000, ML3100 switches have hardcoded credentials, which allows attackers to remotely modify configuration settings.  Published: 06/10/2016  Criticality: 9.8

Authorization of devices and people helps ensure events remain isolated and prevents malware from spreading. Additionally, these key pieces of information can be used in intrusion detection systems (IDSs) to detect, log, and report suspicious activity.
Example of three vulnerabilities that were published in 2016. Criticality ranges from 1-10 and describes the severity of the vulnerability, 10 being the worst. CVE-2016-2310 revealed that GE used hardcoded passwords on 6 network switches. Vulnerability tracking is essential to reducing risk and should be performed in the context of the system.
Accountability should include devices, people, and vendors. Devices can be configured to record events and securely transmit logs. One primary way to hold people accountable is to use unique credentials. Lastly, vendors should be held accountable for the security of the products they produce.
Page 11

Patch/Firmware Management

SEL-2241-R133-V0-Z001001-D20141103  Summary: Resolved a vulnerability in OpenSSL that could allow unauthorized access.

SEL-735-R115-V0-Z008005-D20150519  Summary: Corrected an issue where the meter restarted or stopped operating during file transfers in the presence of a saturated network.

SEL-3530-R136-V0-Z001001-D20160624  Summary: Updated SSH client and server to address CVE-2013-4421 and CVE-2013-4434. CVE-2013-4421: Allows remote attackers to cause a DoS.

What are we missing: Cyber Risk Management

Security Monitoring

What are we missing: Cyber Risk Management

HMI Example

Cyber Event

Phy Entry Alarm, River Road Sub., 09/19/2016 12:30

Cyber Aware Devices and Systems

Vendors now have to be tracked in order to determine if a patch/update has been issued. Example: The SEL-3530 R136 firmware patch issued in 2016 corrected a vulnerability publicly announced in 2013.
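The vulnerability-tracking point on page 10 (rank published CVEs by criticality in the context of your own system) and the vendor-tracking point above (know whether a newer firmware release exists for each installed device) can be automated from an asset inventory. The following Python script is an added example written for this edited page; it is not code from the presentation, from Cybirical or from SEL. The three firmware identifiers, their summaries and the three CVEs are the ones shown on the slides. The identifier layout the parser assumes (MODEL-Rrev-Vn-Zxxxxxx-Dyyyymmdd) is inferred from those three strings and is not documented here; the inventory, the product-to-CVE keyword mapping and the older installed revision R134 are constructed for illustration.

```python
"""Track vendor firmware releases and published CVEs against a device inventory.

Added example, not from the presentation, Cybirical or SEL. The firmware
identifier layout assumed below (MODEL-Rrev-Vn-Zxxxxxx-Dyyyymmdd) is an
inference from the three identifiers quoted on the slides.
"""
import re
from datetime import date

FW_RE = re.compile(
    r"^(?P<model>SEL-\d+)-R(?P<rev>\d+)-V(?P<v>\d+)-Z(?P<z>\d+)-D(?P<d>\d{8})$"
)


def parse_firmware_id(fw_id):
    """Split a firmware identifier into model, revision number and release date."""
    m = FW_RE.match(fw_id)
    if not m:
        raise ValueError(f"unrecognised firmware id: {fw_id}")
    d = m["d"]
    return {
        "model": m["model"],
        "rev": int(m["rev"]),
        "released": date(int(d[:4]), int(d[4:6]), int(d[6:])),
    }


# Vendor release notes, as quoted on the slides.
VENDOR_RELEASES = {
    "SEL-2241-R133-V0-Z001001-D20141103": "Resolved a vulnerability in OpenSSL that could allow unauthorized access.",
    "SEL-735-R115-V0-Z008005-D20150519": "Corrected an issue where the meter restarted or stopped operating during file transfers in the presence of a saturated network.",
    "SEL-3530-R136-V0-Z001001-D20160624": "Updated SSH client and server to address CVE-2013-4421 and CVE-2013-4434.",
}

# Published CVEs from the slides: id -> (affected product keyword, criticality 1-10).
CVES = {
    "CVE-2016-4524": ("ABB PCM600", 6.5),
    "CVE-2016-5814": ("RSLogix 500", 8.6),
    "CVE-2016-2310": ("GE ML800", 9.8),
}

# Constructed inventory: asset tag -> (product, installed firmware id or None).
INVENTORY = {
    "RR-SUB-RTAC-1": ("SEL-3530", "SEL-3530-R134-V0-Z001001-D20150201"),  # constructed older revision
    "RR-SUB-METER-1": ("SEL-735", "SEL-735-R115-V0-Z008005-D20150519"),
    "RR-SUB-SWITCH-1": ("GE ML800", None),
    "ENG-WS-1": ("ABB PCM600", None),
}


def latest_release_by_model():
    """Newest known vendor release per model, by revision number."""
    latest = {}
    for fw_id, summary in VENDOR_RELEASES.items():
        info = parse_firmware_id(fw_id)
        if info["model"] not in latest or info["rev"] > latest[info["model"]]["rev"]:
            latest[info["model"]] = {**info, "id": fw_id, "summary": summary}
    return latest


def firmware_gaps():
    """Devices whose installed revision is older than the newest vendor release."""
    latest = latest_release_by_model()
    gaps = []
    for tag, (product, installed) in INVENTORY.items():
        if installed is None or product not in latest:
            continue
        have = parse_firmware_id(installed)
        want = latest[product]
        if have["rev"] < want["rev"]:
            gaps.append((tag, have["rev"], want["rev"], want["summary"]))
    return gaps


def cve_exposure():
    """CVEs that apply to products in the inventory, most critical first."""
    hits = []
    for cve, (keyword, score) in CVES.items():
        for tag, (product, _) in INVENTORY.items():
            if keyword.lower() in product.lower():
                hits.append((score, cve, tag))
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    for gap in firmware_gaps():
        print("BEHIND", gap)
    for hit in cve_exposure():
        print("CVE", hit)
```

Run against a real inventory, the two reports are the inputs to the "in the context of the system" judgement the notes call for: a 9.8 on a switch that only reaches an isolated test network ranks below a 6.5 on engineering software that can push settings to every relay.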
Security monitoring includes the active monitoring, detection, logging, and reporting of potentially malicious cyber events. This can be performed in a number of ways and at varying levels of sophistication. With modern substation IEDs, basic security monitoring can be economically implemented, if engineered.
HMI Example: Here is a generic HMI screen depicting a one-line an operator may use to control the power flowing through a station. The industry has been doing this for a number of years.
Page 12

HMI Example: Leveraging the same communication infrastructure and IEDs used to create the one-line shown previously, the system can be engineered in such a way that operators can also monitor the supporting cyber infrastructure.
HMI Example: Here is an example of a cyber one-line HMI screen that can be used to monitor and control the cyber infrastructure. Information such as whether the device is online, its temperature, the number of active users, and warning messages can be directly viewed.
HMI Example: In this example, the HMI screen has been programmed with additional buttons allowing an operator to click 'DETAILS' in order to view more information related to the asset. This information is reported to the operator in real time. Note: This is just an example of what's possible.
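The cyber one-line described above is fed by the same records that the accountability and authorization points on page 10 call for: devices configured to report events (here via syslog) and an authorization table answering who, what, when and how. The following Python script is an added example written for this edited page, not code from the presentation or from Cybirical; it folds a handful of constructed syslog lines into the per-device state the screen shows (online, temperature, active users, warnings) and flags logins that fall outside the authorization table. The message formats, device names, user names and the authorization table are all constructed; real IEDs use vendor-specific formats.

```python
"""Cyber one-line state from IED syslog, with who/what/when/how authorization checks.

Added example, not from the presentation or from Cybirical. Every message
format, host name, user name and authorization entry below is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Constructed sample: syslog lines as a collector might store them.
SAMPLE_SYSLOG = """\
2016-09-19T12:25:04 RR-SUB-RELAY-1 ied: STATUS online temp=41C
2016-09-19T12:26:10 RR-SUB-RELAY-1 ied: LOGIN user=jsmith role=operator via=ssh
2016-09-19T12:27:31 RR-SUB-RELAY-2 ied: STATUS online temp=39C
2016-09-19T12:28:02 RR-SUB-RELAY-2 ied: LOGIN user=acme_vendor role=engineer via=telnet
2016-09-19T12:29:44 RR-SUB-RELAY-1 ied: WARN settings_changed group=2
2016-09-19T12:30:00 RR-SUB-RELAY-1 ied: LOGOUT user=jsmith
2016-09-19T12:31:12 RR-SUB-SWITCH-1 ied: STATUS offline
2016-09-19T12:32:00 RR-SUB-RELAY-1 ied: LOGIN user=guest role=operator via=web
2016-09-19T23:15:09 RR-SUB-RELAY-2 ied: LOGIN user=jsmith role=operator via=ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ied: (?P<kind>STATUS|LOGIN|LOGOUT|WARN) ?(?P<rest>.*)$"
)

# Authorization table (constructed): who -> (what devices, when [start, end), how).
AUTHZ = {
    "jsmith": ({"RR-SUB-RELAY-1", "RR-SUB-RELAY-2"}, (time(6, 0), time(18, 0)), {"ssh"}),
    "acme_vendor": ({"RR-SUB-RELAY-2"}, (time(6, 0), time(18, 0)), {"ssh"}),
}


@dataclass
class DeviceState:
    """What one box on the cyber one-line would display."""
    online: bool = False
    temp_c: Optional[int] = None
    users: set = field(default_factory=set)
    warnings: list = field(default_factory=list)


def _kv(rest):
    """Parse 'key=value' tokens from the free part of a message."""
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)


def check_login(user, host, when, via):
    """Return the list of policy violations for a login (empty means authorized)."""
    entry = AUTHZ.get(user)
    if entry is None:
        return ["unknown user"]
    devices, (start, end), protocols = entry
    problems = []
    if host not in devices:
        problems.append("device not authorized")
    if not (start <= when.time() < end):
        problems.append("outside access window")
    if via not in protocols:
        problems.append(f"protocol {via} not authorized")
    return problems


def build_cyber_one_line(syslog_text):
    """Fold syslog lines into per-device state plus a list of authorization alerts."""
    state, alerts = {}, []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # message kinds this example does not model
        ts = datetime.fromisoformat(m["ts"])
        dev = state.setdefault(m["host"], DeviceState())
        kv = _kv(m["rest"])
        if m["kind"] == "STATUS":
            dev.online = m["rest"].startswith("online")
            if "temp" in kv:
                dev.temp_c = int(kv["temp"].rstrip("C"))
        elif m["kind"] == "LOGIN":
            dev.users.add(kv["user"])
            problems = check_login(kv["user"], m["host"], ts, kv.get("via", "?"))
            if problems:
                alerts.append((m["ts"], m["host"], kv["user"], problems))
        elif m["kind"] == "LOGOUT":
            dev.users.discard(kv["user"])
        elif m["kind"] == "WARN":
            dev.warnings.append(m["rest"])
    return state, alerts


if __name__ == "__main__":
    state, alerts = build_cyber_one_line(SAMPLE_SYSLOG)
    for host, dev in sorted(state.items()):
        print(f"{host:16} online={dev.online!s:5} temp={dev.temp_c} "
              f"users={sorted(dev.users)} warnings={dev.warnings}")
    for alert in alerts:
        print("ALERT", alert)
```

On the sample input the vendor's telnet session and the after-hours operator login both raise alerts even though the credentials are valid, which is the point of recording the when and the how, not only the who.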
Page 13

Incident Response Planning

What are we missing: Cyber Risk Management

Devices
•  Backups
•  Configured and event-ready devices and systems
•  Cyber Lockout Example

People
•  Training
•  Policies & Procedures
•  Digital Forensics Analysis
•  Where to look…

Cyber Engineering

What are we missing: Cyber Risk Management

Design / Analysis

•  n-1 contingency for cyber
•  Impact-driven understanding and prioritization of protective measures
•  Incident Response

•  Integrated security and configurations
•  Enabled and context-driven monitoring, logging, and alarming
•  Incident-ready devices and systems
•  $$$ Reduces compliance costs $$$

Incident response planning should include a range of scenarios that outline how people and devices should respond to a cyber event.
HMI Example: Shown in the cyber one-line in the blue boxes is a 'Cyber-Lockout'. If an operator sees something suspicious in the control room, he can use this to send a signal to all connected IEDs instructing them to take corrective actions. This is an example of an active incident response technique used to decrease the impact to operations. Note: This is just an example of what's possible.
The primary enabling factor for effective cyber risk management is sound cyber engineering. As in other disciplines of engineering, this includes a design element and an analysis element. By baking security into the design, the system can be engineered for security and increased situational awareness.
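The "n-1 contingency for cyber" bullet above borrows a protection-engineering habit: check that the loss of any single element leaves the system operable. The following Python script is an added example written for this edited page, not code from the presentation or from Cybirical; it applies that check to a constructed substation communications topology and reports which single link or intermediate node outage would cut a substation off from the control center. Treating "cyber n-1" as reachability of the control center after one failure is this example's own interpretation of the bullet, and the node names and links are constructed.

```python
"""N-1 contingency analysis for a substation communications network.

Added example, not from the presentation or from Cybirical. The topology
is constructed; "cyber n-1" is interpreted here as: every substation must
still reach the control center after the loss of any single link or any
single intermediate node.
"""
from collections import deque

# Constructed topology: undirected links between named nodes.
LINKS = [
    ("CONTROL-CENTER", "AREA-NET-A"),
    ("CONTROL-CENTER", "AREA-NET-B"),
    ("AREA-NET-A", "SUB-1"),   # fiber
    ("AREA-NET-B", "SUB-1"),   # leased line, second path
    ("AREA-NET-A", "SUB-2"),   # fiber
    ("AREA-NET-B", "SUB-2"),   # leased line, second path
    ("AREA-NET-B", "SUB-3"),   # SUB-3 has a single path only
]
SUBSTATIONS = ["SUB-1", "SUB-2", "SUB-3"]
ROOT = "CONTROL-CENTER"


def _reachable(links, start):
    """Breadth-first search: the set of nodes reachable from start over links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, todo = {start}, deque([start])
    while todo:
        n = todo.popleft()
        for m in adj.get(n, ()):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def n_minus_1(links=LINKS, substations=SUBSTATIONS, root=ROOT):
    """Map each failing single-element contingency to the substations that lose the control center."""
    failures = {}
    # Single link outages.
    for i, link in enumerate(links):
        remaining = links[:i] + links[i + 1:]
        lost = [s for s in substations if s not in _reachable(remaining, root)]
        if lost:
            failures[f"link {link[0]}<->{link[1]}"] = lost
    # Single node outages, for intermediate nodes only (not the root, not a substation).
    nodes = {n for link in links for n in link} - {root} - set(substations)
    for node in sorted(nodes):
        remaining = [link for link in links if node not in link]
        lost = [s for s in substations if s not in _reachable(remaining, root)]
        if lost:
            failures[f"node {node}"] = lost
    return failures


if __name__ == "__main__":
    for contingency, lost in n_minus_1().items():
        print(f"{contingency}: loses {lost}")
    print("with second path to SUB-3:", n_minus_1(LINKS + [("AREA-NET-A", "SUB-3")]))
```

An empty result is the design goal; on the sample topology the report points straight at SUB-3's single leased line and at the AREA-NET-B node it hangs off, and adding one fiber link from AREA-NET-A clears both.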
Page 14

What are we missing: Cyber Risk Management

•  Authorization
•  Accountability
•  Incident Response Planning
•  Vulnerability Management
•  Patch/Firmware Management
•  Cyber Engineering
•  Security Monitoring

What are we missing

Exhibit 4.1.1 Strategies for Achieving Energy Delivery Systems Cybersecurity

Vision: By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.

Strategies:
•  Build Culture of Security
•  Assess and Monitor Risk
•  Protective Measures to Reduce Risk
•  Manage Incidents
•  Sustain Security Improvements

Near-term (0–3 years) By 2013
Mid-term (4–7 years) By 2017
Long-term (8–10 years) By 2020

This publication by the Dept. of Energy in 2011 provided an analysis of industry shortcomings related to cybersecurity. The report optimistically identified key goals for the near, mid, and long term that should be implemented to achieve energy sector cybersecurity across all levels of generation, transmission, and distribution.
Overall, we have to do a better job of cyber risk management. The traditional silos between design, operations, and maintenance will have to be bridged. This includes the IT/OT divide.
The 2020 vision is somewhat optimistic given the rate of change and life span of assets. However, overall this report offers multiple benchmarks asset owners and engineers can use to help judge their cybersecurity posture and capabilities.
Page 15

Exhibit 4.1.1 Strategies for Achieving Energy Delivery Systems Cybersecurity

Vision: By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.

Strategies: Build Culture of Security; Assess and Monitor Risk; Protective Measures to Reduce Risk; Manage Incidents; Sustain Security Improvements

Near-term (0–3 years) By 2013
•  3.1 Capabilities to evaluate the robustness and survivability of platforms, systems, networks, and systems
•  4.1 Tools to identify cyber events across all levels of energy delivery system networks
•  4.2 Tools to support and implement cyber attack response decision making for the human operator

Mid-term (4–7 years) By 2017
•  4.4 Real-time forensics capabilities
•  4.5 Cyber event detection tools that evolve with the dynamic threat landscape

Though this can be manually performed, the industry lacks commercial software capable of performing this type of evaluation. To adequately perform this type of analysis requires an individual or team to have expertise across multiple disciplines, including power systems engineering, computer science, communications, and information technology.
Real-time forensics capability does exist via context-driven monitoring, logging, and reporting. However, this ability is currently not being integrated into the systems.
This is still not a reality for most asset owners. However, as demonstrated with the HMI example previously described, this capability can be engineered into the system.
Page 16

Exhibit 4.1.1 Strategies for Achieving Energy Delivery Systems Cybersecurity

Vision: By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.

Strategies: Build Culture of Security; Assess and Monitor Risk; Protective Measures to Reduce Risk; Manage Incidents; Sustain Security Improvements

Long-term (8–10 years) By 2020
•  2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains.
•  3.5 Capabilities that enable security solutions to continue operation during a cyber attack
•  4.7 Capabilities for automated response to cyber incidents.

This type of capability depends on the level of sophistication of the cyber attack. In most cases, this can be achieved via proper techniques in network segmentation and integrated engineering.
As demonstrated by the cyber lockout example, the capability exists to make this a reality. However, any cyber automation needs to be integrated and engineered into the system. Also, this type of response will have to be tested to ensure little to no unexpected impact to the operational environment.
The real-time security state monitoring and risk assessment across all levels and cyber-physical domains is possible and will involve incorporating cutting-edge research that is currently being performed at various universities and DOE labs.
Page 17

What are we missing

[Diagram: layered model of the grid as a cyber-physical system]
Business Layer: Requirements, Regulations, Incentives
Life-Cycle Management Layer: Design, Upgrades, Ops, Disposal
Operations Layer: Monitor, Control
Cyber-Physical Layer: Sensors, Computing Platform, Models, Power System State, Controller
Physical Layer
Models: Current (Cyber, Phys.) vs. New (CPS, Phys., Econ.)

What are we missing

Physical Infrastructure (Flow of Power)
•  Protection and Control: Detection, Processing, Manipulation
•  Inputs: Currents, Voltages, Impedance, Status (open, close, lockout)
•  Output: Open/Close Bkr, +/- Vars

Cyber Infrastructure (Computation & Communication)
•  Inputs: Topology, traffic flows, deep packet inspection, communication state, state of physical power system
•  Output: NOTHING!

When is it enough?

Safety?

http://hp.ipviking.com/

Taking into account the six threats on the bottom left and how the grid and cyberspace are both evolving, as engineers we need to ask: is a new security approach needed and when is it enough?
There are a number of similarities between the protection and control of the flow of power and the protection and control of the grid's supporting cyber infrastructure.
The modern grid is classified as a Cyber-Physical System due to the fact that today's grid could not operate without the supporting cyber infrastructure. However, as an industry we do not currently have universal models and standards to monitor and protect the system at this layer.
Page 18

Questions?

Nathan Wallace, PhD, CSSA
nwallace@cybirical.com
n.wallace.us@ieee.org
@NathanSWallace

We appreciate your interest and feedback. If you have any questions or comments please feel free to contact us at:
Cybirical, LLC 5 Sanctuary Blvd., Suite 200 Mandeville, LA 70471-2939
[email protected] 985.231.0190 www.cybirical.com
If you have any questions, you can reach me at: (o) 985-292-5502 Thank you for your time and interest as we strive to create a more secure and reliable grid.