2013 Annual Review

Cyber Security and Privacy Program

Addressing Existing and Emerging Threats to an Interconnected Electric System through Technology, Processes, and Standards

Cyber Security Overview: Review of 2013 and Introduction to 2014 Research

Dear Cyber Security Advisors and Industry Stakeholders,

Welcome to the 2013 Cyber Security and Privacy Program Annual Review. This annual review summarizes the research results produced by the program in 2013 and presents our research plans for 2014. Cyber security has become a critical priority for electric utilities. The evolving electric sector is increasingly dependent on information technology and telecommunications infrastructures to ensure the reliability and security of the electric grid. Cyber security measures must be designed and implemented to protect the electrical grid from attacks by nation-states and hackers. Cyber security also supports the grid’s resiliency against natural disasters and inadvertent threats such as equipment failures and user errors. As utilities continue to deploy advanced monitoring and communications systems to support wide-area situational awareness applications, distributed energy resources, distribution automation, and advanced metering infrastructures, they face several cyber security challenges:

• Combination of legacy and next-generation equipment in operational environments
• Convergence of information technology and operational technology for power control systems
• Separate security architectures and incident management systems for operational domains
• Insufficient security management tools for the networks, systems, and end devices that are in the field
• Uncertain regulatory and legislative environment for cyber security

The Electric Power Research Institute’s (EPRI’s) Cyber Security and Privacy Program addresses the emerging threats to an interconnected electric system through collaborative research on cyber security technology, standards, and business processes to protect the electric grid. Ongoing program activities include:

• Continuous mapping of international industry, government, and regulatory activities in the cyber security and privacy landscape
• Security solutions and implementation guidance for legacy systems
• Security management and protection technology for transmission and distribution systems
• Incident management for power delivery systems
• Methodologies for assessing and monitoring risk
• Metrics to support the risk assessment activities
• Improving procurement methodologies and language to support cyber security

In 2014, the program will develop lab-based implementations for several of these activities, including advanced incident correlation techniques and security management for intelligent electronic devices (IEDs). The program will continue to refine and pilot approaches to assessing and monitoring risk.

—Galen Rasche

Contents

3 Introduction
4 183A – Cyber Security and Privacy Technology Transfer and Industry Collaboration
8 183B – Cyber Security Technology for T&D Systems
12 183D – Cross-Domain Cyber Security Tools, Architectures, and Techniques
16 Interest Groups
18 Cyber Security and Privacy Team Members
19 Summary of Deliverables

Reach the EPRI Cyber team at: [email protected]


Introduction

The EPRI Cyber Security and Privacy Program addresses the cyber security challenges facing the electric sector by developing security architectures, creating new security technologies, and performing lab assessments of technologies. Since the rapid pace of change in the electric sector creates a challenging environment for utilities, the program also monitors the activities of industry groups and helps members understand the cyber security impact of new technologies.

EPRI’s Cyber Security and Privacy Program provides:

• Status of industry and government collaborative efforts and standards initiatives
• Guidance on developing cyber security strategies and selecting requirements
• Methodology for procuring systems that meet the selected cyber security requirements
• Practical approaches to mitigating system risk
• Technology for protective measures for transmission and distribution systems
• Early identification of security gaps through lab assessments of security technology
• Technology to support managing cyber incidents in power systems

Utilities may use the products developed by this program to define cyber security specifications for new procurements, to enhance their current cyber security posture, and to increase the security of systems that are deployed in the future.

Cyber Security and Privacy Landscape, Collaboration, & Technology Transfer

This project set provides a high-level view of the cyber security and privacy landscape coupled with a broad view of ongoing collaborative efforts within the electric sector. The landscape and newsletter updates are issued quarterly, while more frequent webcasts provide a deeper dive into specific technical topics. Face-to-face meetings provide additional opportunities to network, learn about, and contribute to industry collaborative efforts.

Cyber Security for Transmission and Distribution (T&D) Systems

This project set explores several topics affecting T&D systems, including developing an integrated security operations center, demonstrating substation remote access security solutions, and applying a network management system to a substation environment. Issues impacting legacy equipment and security interoperability are also addressed.

Cross-Domain Cyber Security Tools, Architectures, and Techniques

This project set focuses on approaches to building security controls into power delivery systems and addressing potential security risks and challenges for new systems-of-systems that may be deployed. Included are methodologies to help asset owners and operators understand their security posture and assess the resiliency of interconnected systems.

National Electric Sector Cybersecurity Organization Resource (NESCOR)

This Department of Energy public-private partnership led by EPRI is developing critical cyber security tools and guidance applicable to the smart grid. In 2013, NESCOR developed failure scenarios that include a description, potential vulnerabilities, mitigations, and impacts. NESCOR also developed penetration test guidance that will be applicable to all six domains of the smart grid, and an overview of the distributed energy resources (DER) domain and applicable cyber security controls.


Cyber Security and Privacy Technology Transfer and Industry Collaboration (183A)

Cyber Security and Privacy Technology Transfer and Collaboration efforts continue to provide timely information on events important to utilities in the electric sector. In addition to the overview of activities in the “Cyber Security and Privacy Landscape Mapping of the Electric Sector”, the quarterly newsletter provides articles on current events and updates on industry efforts. In 2013, efforts identified and monitored include numerous government and regulatory initiatives. These include Executive Order 13636, Presidential Policy Directive PPD-21, NERC CIP version 5, and the NIST Cyber Security Framework. There have also been several industry-based efforts by organizations that include the Bipartisan Policy Center’s Electric Grid Cyber Security Initiative, IEEE’s C37.12 standard titled: “Draft Standard for Cyber Security Requirements for Substation Automation, Protection and Control Systems”, and EPRI’s creation of the Information and Communications Technology Sector Council. As security threats grow and become more global in nature, the need for international collaboration and standardization has increased. To meet these needs EPRI’s P183A project set increased its participation with international organizations working to secure electric infrastructure. International efforts included increased collaboration with numerous utilities.

The Project 183A lead is Glen Chason, Project Manager. [email protected]

Success Story: Field Area Network Penetration Testing

The old Russian proverb “trust-but-verify” represents a time-honored and valued tenet for anyone responsible for security. When cyber security is a concern, additional rigor is needed because verification of security mechanisms in cyber systems requires technical expertise. This expertise is necessary for testing and verification of a system’s security controls and is exercised through penetration testing. Following this principle, EPRI’s Cyber Security and Privacy Program teamed with EPRI’s Field Area Network (FAN) Demonstration project to perform penetration testing on pre-deployed WiMax equipment and configurations. This effort included initial architecture and test plan reviews, followed by on-site testing. This testing was conducted by personnel from EPRI and the Southwest Research Institute (SwRI) and leveraged the NESCOR penetration testing methodology. In addition to reporting the test results, the technology and knowledge were successfully transferred to allow the participating utility to repeat the tests without outside assistance. The process started with a review of a proposed architecture for a FAN deployment by the Salt River Project (SRP). The system proposed was to be deployed in and around Phoenix, Arizona and intended to support operations. Following the initial architecture review, EPRI, with assistance from SwRI, developed an extensive test plan for the WiMax equipment SRP was planning to deploy.

The process of developing the detailed test plan early in the architecture development process provided SRP personnel with additional insight into how attacks can be conducted against wireless equipment deployed to the field. Using this knowledge, SRP and EPRI prioritized the test cases to be used in an initial round of testing conducted in January of 2013. Initial testing was conducted using equipment from two vendors. One base station and one subscriber unit were from “Vendor 1” and a second subscriber unit was from “Vendor 2”. This first round of testing focused primarily on the base station and subscriber equipment, and their respective user and network interfaces. A total of 47 tests were executed with 19 of the tests failing (40% failure rate). This failure rate was higher than expected for these tests and demonstrated the effectiveness of the approach used for prioritizing the test cases. Recommendations for remediation and mitigation were made for the vulnerabilities identified in the failed tests.

Additional recommendations on processes and procedures were provided to address potential vulnerabilities that could arise from operational scenarios. Of the total recommendations made, 20 mitigations and/or compensating controls were identified as addressable by SRP, with varying levels of impact to operations. However, 6 recommendations required redress by the equipment vendors. The second round of testing focused on initial deployment configurations and wireless connections. A total of 15 tests were executed with 10 of the tests failing (66% failure rate). In addition to the high failure rate, this test series was very successful in demonstrating how the exploitation of a single vulnerability can allow an attacker to exploit other vulnerabilities. Through the sequence of testing, denial-of-service attacks and subscriber connections to a rogue base station were demonstrated. Upon discussions with the vendors, Kyle Cormier with SRP noted that: “This testing resulted in the identification of a significant vulnerability that had gone unnoticed by the industry.” When the equipment vendors were advised of the vulnerability, they confirmed the vulnerability in their labs and started efforts at remediation.

Added Benefits

In addition to finding numerous real and potential vulnerabilities prior to deployment, SRP was able to gain valuable insight into vendor responsiveness. Some vendors were appreciative of the efforts expended and willing to review the test findings. These vendors were also quick to verify the findings and work toward addressing vulnerabilities. However, in one case, SRP was informed by a vendor that the vendor would only address vulnerabilities if there was a commitment for a minimum purchase. Having confidence in a vendor’s responsiveness is a significant benefit when deploying systems expected to be in the field for a number of years. In addition to the test results, one goal of this effort was to transfer knowledge of how to perform penetration tests on WiMax systems to utility personnel. Using the test plan, test descriptions, and previous results, SRP has demonstrated that these resources can be used to test additional configurations and vendors.

SRP has verified that some of the vulnerabilities found in the original tests were also present in equipment from other vendors. They were able to accomplish this without any additional outside resources or assistance. This represents true added value in a utility’s capabilities for testing and assessing the security of the WiMax systems they are planning to deploy. Per Kyle Cormier: “…testing performed by EPRI was very valuable in bringing to light numerous issues that allowed SRP to address, mitigate, and be aware of potential security vulnerabilities.”

“This testing resulted in the identification of a significant vulnerability that had gone unnoticed by the industry.” —Kyle Cormier


Mapping the Smart Grid Cyber Security and Privacy Activities Landscape

There are many initiatives for researching and addressing the cyber security challenges of the electric sector. The purpose of this project is to provide information to utilities about these initiatives and continue developing EPRI’s landscape mapping of the electric sector. The landscape mapping has continued as a resource for organizations trying to identify potential gaps and conflicts in various cyber security activities. It has also been crafted to provide updated status on activities of interest. EPRI’s latest technical update “Cyber Security and Privacy Landscape of the Electric Sector” (Release 5) was published in April, 2013, 3002000380. This technical update includes revised information on the ASAP-SG Substation Automation Security Profile (Draft) v0.15 and an update on the transition of the SGIP to SGIP 2.0. Following Release 5, the landscape mapping transitioned from a technical update format to a web-based platform, to provide a more flexible and easily managed format for continued updates.

The search capabilities supported by the web-based format have significantly increased the utility of the Landscape Mapping.

Cyber Security and Privacy Industry Tracking Newsletters

Many groups are actively addressing specific cyber security needs for the electric sector. However, the staff of asset owners may not be available to participate in all of these efforts. This lack of availability has consequences. First, key personnel may be less aware of changes that might affect them and the industry. Second, the work products being generated by some groups may lack a utility perspective. As part of this project, EPRI tracks key working groups and industry activities. In addition to contributing to the deliverables of various working groups, this project provides members with a quarterly newsletter that highlights current activities, deliverables, and events. The newsletters published for 2013 are:

• April 2013, 3002000346
• July 2013, 3002000377
• October 2013, 3002000378
• December 2013, 3002000379

The Cyber Security and Privacy Industry Tracking Newsletter is a source for timely news and event notices of high relevance to electric-sector utilities.

Cyber Security White Papers

Advanced Metering Infrastructure (AMI) Cyber Security Risks

In 2013, EPRI developed a white paper entitled “Advanced Metering Infrastructure (AMI) Cyber Security Risks”, 3002000389. This white paper provides a prescriptive methodology for assessing and improving the security posture of systems deploying AMI assets. The approach taken utilizes a reference landscape including relevant standards, guidelines, and architectures to identify and analyze potential risks to deployed AMI systems. A process for establishing a security posture baseline for an existing system is provided to assist in determining applicable landscape features and assessing potential risk exposure. A methodology to assist with identifying mitigations and compensating controls that can be used to improve a system’s security posture is also provided, along with prescriptive guidance to assist organizations in developing security baselines for their field AMI deployments.

The methodology presented provides a walkthrough for a process to leverage an existing body of work to assess cyber security in an AMI system.

Securing Cell Relay Networks

EPRI’s white paper entitled “Securing Cell Relay Networks”, 3002000390, provides an overview of risks associated with the use of cell relay networks in smart grid deployments. This overview includes information regarding proven attacks on equipment used in cellular networks. Examples include proven attacks on femtocells and replay attacks. After reviewing risks to cell relay networks, risk mitigations and compensating controls are addressed. These mitigations and controls cover security mechanisms for multiple deployment scenarios. These scenarios include AMI backhaul, units used for control system communications, and sensor monitoring.

This white paper provides an approach that accommodates the variability between cell relay deployments by breaking the variables down into manageable pieces.


» Looking Ahead to 2014

Cyber Security and Privacy Landscape Mapping of the Electric Sector

The “Cyber Security and Privacy Landscape Mapping of the Electric Sector” technical updates were transitioned to a website in 2013. The new format has improved the ability of readers to associate similar activities between disparate organizations. Additional enhancements that will be developed in 2014 are improved search capabilities and increased use of feedback via emails using the [email protected] link on each web page. These mechanisms will assist in providing more timely information exchange. These exchanges are expected to include readers identifying outdated information or incorrect information and readers providing suggestions on additional topics. Content currently slated to be added to the landscape website in 2014 includes updates covering version 5 of the NERC CIP standards and increased coverage on the use of the NESCOR failure scenarios.

Technology Transfer

In 2014, Cyber Security and Privacy Technology Transfer and Collaboration efforts will continue to provide timely information on events important to utilities in the electric sector. This will include the quarterly newsletters and updates to the “Cyber Security and Privacy Landscape Mapping of the Electric Sector” website. The goal of this effort is to ensure that asset owners and operators stay up-to-date on relevant technology advancements in the electric sector. This effort will also allow EPRI to provide a technical ‘utility perspective’ to industry groups and other organizations.

Increased International Focus

As new smart grid technologies are deployed around the world, the opportunity for collaboration in cyber security continues to grow. Often there is a misconception that each utility has unique security issues or that it is better not to share security concerns among companies. However, cooperation is vital to protect critical infrastructure from threats such as hackers, terrorists, and organized crime— and from non-malicious events such as product failures and user errors. To meet this need, EPRI will continue expanding its involvement with international organizations and members working to secure the electric sector. Examples include Conference Internationale des Grandes Reseaux Electriques (CIGRE), the European Network and Information Security Agency (ENISA), and the International Electrotechnical Commission (IEC).

Emerging Technologies

In 2014, collaboration and technology transfer efforts will continue with renewed emphasis on emerging technology. Numerous projects are underway in government labs, academic institutions, and open source organizations. Vendors also continue to transition research projects to test-ready prototypes. By utilizing EPRI’s lab capabilities and broad-based expertise in the security needs of the electric sector, emerging technologies can be evaluated from the utilities’ perspective. This will provide utilities with unbiased and vendor-neutral analysis of emerging technologies.

Challenges in Implementing Cyber Security Controls

The issue of implementing effective operations while meeting evolving security requirements has proven to be a challenge for many utilities. A white paper on this topic, titled “Challenges in Implementing Cyber Security Controls”, 3002000391, was discussed during a Cyber Security and Privacy Program session at EPRI’s September 2013 PDU advisory meeting. Because of the level of interest generated among the attending advisors, it was suggested that EPRI work to form an interest group to address this challenge. This group is being formed and the white paper has been rescheduled for publishing in 2014 in order to incorporate input from the interest group.


Cyber Security Technology for T&D Systems (183B)

The Security Technology for Transmission and Distribution Systems Project Set focuses on designing protective measures, developing security architectures, and managing incidents for transmission and distribution systems. As more communication and automation technology is deployed, the risk and potential impact of cyber incidents increases as well. Additionally, large numbers of legacy devices are deployed that are not able to support strong security features. This project set addresses the security challenges of currently deployed systems, legacy systems, and next-generation grid applications. In 2013, the project set launched the Network Management Taskforce and the Incident Management Task Force to bring together the end-users of the research, including domain experts who provided great insights and information sharing to other members participating in the Task Forces. These groups are scheduled to continue meeting throughout 2014. The Transmission and Distribution Project Set has also greatly benefitted from the launching of the EPRI Cyber Security Research Lab in 2013. The lab provides a testing environment that is representative of a utility’s network and end-to-end components. EPRI’s lab resources will continue to expand in 2014 with the addition of new components and increased accessibility for the utility members.

The Project 183B lead is Scott Sternfeld, Project Manager. [email protected]

Success Story: EPRI Cyber Security Research Laboratory

[Map of the multi-site laboratory: Knoxville (Substation & HQ), Charlotte (Substation), and Lenox (Substation), with site-to-site distances of 630 mi, 730 mi, and 200 mi.]

The EPRI Smart Grid Substation Laboratory (SGSL) is a multi-site facility designed to simulate and demonstrate a variety of smart grid and cyber security concepts related to substation, field, and control center environments. The laboratory spans three locations: Knoxville, Tennessee, Charlotte, North Carolina, and Lenox, Massachusetts. Knoxville serves as both a substation and the control center headquarters, while the Charlotte and Lenox facilities serve as remote substation locations. Using these geographically diverse locations, EPRI is able to provide a realistic communications environment for testing secure remote substation access solutions, wide-area monitoring, protection and control (WAMPAC) systems, and evaluating the impact that communication latency can have on these systems.

Background

In 2008, EPRI implemented the SGSL as an environment to demonstrate interoperability and use of standards within the substation. The initial motivation for the lab was designing a forward-focused “substation of the future”, which would include all IP-connected devices using the most up-to-date vendor products. These products would be capable of supporting both current and future-leaning protocols, including IEC 61850, DNP/IP, high speed synchrophasor sampling, and allow for the testing of real-world network latency across the three physically diverse locations.

Legacy Devices

However, even with a focus on a “substation of the future”, the need to integrate, test, and support “legacy” devices is also critically important. From a security perspective, the “legacy” devices may be the most significant challenge as many of these intelligent electronic devices (IEDs) were conceived, designed and built before the “Smart Grid” age of inter-connected systems and awareness of security threats that exists today. For the context of this account, “legacy” refers to devices that do not include current standard security protections, are not upgradable to include these latest protections, or are unable to support some of the security regulations such as NERC CIP.

Cyber Security Research Laboratory

In 2013, the SGSL was extended to create the Cyber Security Research Laboratory with the specific focus of addressing the security challenges of power delivery systems. This includes performing research of various architectural options for substation and field area networks, as well as the recommended use and placement of firewalls, intrusion detection systems (IDS), network management systems (NMS), and security information and event management (SIEM) tools within these networks. With this increased capability that the Cyber Security Research Laboratory offers, investigations into technical aspects of defining and protecting NERC CIP electronic security perimeters (ESPs) can also be performed.

Secure Remote Substation Access Research

The lab also incorporates tools focused specifically on secure remote substation access by utilizing five vendors’ secure remote access solutions that can be used to manage access to substation or field devices. These remote access systems have been leveraged to test and validate remote access scenarios and test interoperability between vendor devices. This testing platform will be further expanded in 2014 with a supplemental project targeted in this research area.

Architecture of the Lab

Each location in the multi-site lab features protection relays from multiple vendors, phasor measurement units, phasor data concentrators (PDCs), remote terminal units (RTUs), substation gateways, electrical test sets, security appliances and applications, network routers and switches, and GPS clocks. The SCADA master, located in Knoxville, collects measurement data from all of the remote substation RTUs and IEDs, including measurements from synchrophasors, asset health information from a transformer monitor, and current, voltage, frequency, and breaker status points from the protective relays. The information is then archived in a SCADA historian for future retrieval or analysis.

Hardware Overview

There are currently over 60 individual components, including 30+ relays, 10+ phasor measurement units, transformer monitors, data concentrators, 50+ computing platforms, merging units/process bus, substation automation, IEC 61850 configurators, multiple data historians, and an enterprise service bus.

A Resource for Utilities

The EPRI lab provides a multi-vendor “end-to-end” environment supporting the testing of communications, security and standards-based integration for the enterprise, control center, substation, field, and customer environments. It is a highly flexible environment that can be easily reconfigured to test a variety of architecture options in order to match the testing needs of the members.

Technology Transfer Opportunities

In late 2012, LGE-KU made the decision to begin designing its first IEC 61850 based substation. This was combined with a migration to an IP based substation network, which is necessary to support IEC 61850. To accomplish the goal of successfully deploying and testing this new substation design, LGE-KU desired to first establish a substation test facility of their own. In early 2013, LGE-KU approached EPRI to solicit feedback about the requirements for establishing such a laboratory facility. Several employees visited the Knoxville office in January 2013, and examined the existing EPRI lab facilities and discussed the various considerations and planning steps necessary to embark on such a task. Topics such as power, space, and network requirements were discussed as well as guidelines and strategies for the eventual growth and expansion of the facility. The Smart Grid Substation Lab and Cyber Security Research Lab in Knoxville, Tennessee, provide demonstration platforms of current research efforts for visitors from a variety of backgrounds, conducting over 100 tours annually. These EPRI lab facilities have proven to be extremely valuable to utilities as an alternative to building and maintaining independent labs of this scale or as a resource when constructing their own lab capabilities. With the planned modeling of additional use-cases and scenarios through the Cyber Security research program, the EPRI labs have proven to be vitally important resources to the electric sector.

EPRI Cyber Security Research Lab, Knoxville, TN.

“The Knoxville lab tour was valuable to LG&E and KU Services (LKE) and greatly assisted in our design of the LKE relay test lab. Physical space design, security of our microprocessor relay fleet, and simulation of protection zones in a lab environment were key benefits derived from the tour.” —Brent Birchell, Manager of Transmission Protection and Controls at LG&E and KU Services


IED Password Management Strategies

The IED Password Management Strategies technical update focuses on the requirements and functionality of a password management solution for IEDs. Password management helps ensure that only authorized individuals have access, default passwords have been changed, and employees no longer requiring access are removed for assets falling under NERC CIP regulation. There are several benefits and challenges associated with implementing password management. One benefit includes the ability to utilize maximum password length and complexity requirements. This could create challenges by imposing changes in current business practices. Examples of current and future challenges as well as successful implementations of IED password management by utilities are provided within the report. 3002000372

IED password management reduces the risk of device compromises while simultaneously assisting with regulatory compliance.
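The checks a password management solution for IEDs is expected to enforce, as an added example that is not EPRI's code or part of the report: it audits a constructed export from a credential vault for vendor defaults still in use, accounts owned by people no longer on the active roster, and passwords that fall short of the length and complexity each device can actually support, then isolates the NERC CIP subset. All vendors, devices, employee IDs, default credentials and passwords are constructed sample data.

```python
"""
Credential audit of the kind an IED password-management solution runs:
flags vendor default passwords still in use, accounts whose owner is no
longer an active employee, and passwords that do not use the length and
complexity each device supports, then separates the NERC CIP subset.
Added example, not EPRI's code; all data below is constructed.
"""
from dataclasses import dataclass
import string

# Constructed vendor default credentials: (vendor, username) -> factory password.
DEFAULT_CREDENTIALS = {
    ("vendorA", "admin"): "admin",
    ("vendorA", "operator"): "1234",
    ("vendorB", "root"): "password",
}


@dataclass(frozen=True)
class Policy:
    min_length: int = 12   # target length; relaxed to the device maximum when lower
    char_classes: int = 3  # of lower, upper, digit, punctuation


@dataclass(frozen=True)
class Credential:
    device: str
    vendor: str
    username: str
    password: str       # as held in the central password-management vault
    owner: str          # employee ID accountable for this account
    max_pw_length: int  # longest password the IED firmware accepts
    cip_asset: bool     # device falls under NERC CIP access-management rules


def char_classes(password: str) -> int:
    """Count how many of the lower/upper/digit/punctuation classes appear."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda ch: ch in string.punctuation)
    return sum(any(check(ch) for ch in password) for check in checks)


def audit(creds, active_employees, policy=Policy()):
    """Return (device, username, finding) tuples, in inventory order."""
    findings = []
    for c in creds:
        if DEFAULT_CREDENTIALS.get((c.vendor, c.username)) == c.password:
            findings.append((c.device, c.username, "DEFAULT_PASSWORD"))
        if c.owner not in active_employees:
            findings.append((c.device, c.username, "ORPHANED_ACCOUNT"))
        # A legacy IED may cap password length below policy; the device
        # maximum is then the most that can be required of it.
        required_len = min(policy.min_length, c.max_pw_length)
        if (len(c.password) < required_len
                or char_classes(c.password) < policy.char_classes):
            findings.append((c.device, c.username, "WEAK_PASSWORD"))
    return findings


def cip_findings(findings, creds):
    """Subset of findings on NERC CIP assets (compliance gaps, not just risk)."""
    cip_devices = {c.device for c in creds if c.cip_asset}
    return [f for f in findings if f[0] in cip_devices]


# Constructed sample vault export and current HR roster.
ACTIVE_EMPLOYEES = {"E100", "E200"}
SAMPLE_VAULT = [
    Credential("REL-101", "vendorA", "admin", "admin", "E100", 32, True),
    Credential("REL-102", "vendorA", "operator", "Tr!p-Zone2-2013", "E300", 32, True),
    Credential("RTU-201", "vendorB", "root", "gw7Kq2!x", "E200", 8, False),
    Credential("REL-103", "vendorA", "engineer", "substation", "E200", 32, False),
]

if __name__ == "__main__":
    results = audit(SAMPLE_VAULT, ACTIVE_EMPLOYEES)
    for device, user, finding in results:
        print(f"{device:8} {user:10} {finding}")
    print(f"{len(cip_findings(results, SAMPLE_VAULT))} finding(s) on NERC CIP assets")
```

RTU-201 passes even though its 8-character password is below the policy target, because the device cannot accept more; that is the legacy-equipment accommodation the report's "maximum password length" point refers to.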

Lemnos Implementation Guide for IPSEC

As the technology utilized within electric utility control systems evolves and becomes more interconnected, deploying cyber security solutions becomes more complicated for utilities. Equipment interoperability can help minimize some of this complexity. While interoperability is not a new concept within electric utility control systems, it has been absent in the context of cyber security. This project promotes the increased adoption of the Lemnos IPsec Interoperable Configuration Profile (ICP) developed by the DOE funded Lemnos project. IEEE P2030.102.1, Interoperability of IPSEC Utilized within Utility Control System, leverages the original Lemnos IPsec ICP efforts and incorporates enhancements including the migration from IKEv1 to IKEv2. This project includes testing and validating these changes necessary to the Lemnos IPsec ICP and publication of configuration guidance to assist utilities’ deployment efforts. 3002000375

Vendor interoperability with increased security and simplified configurations for IEEE P2030.102.1 based IPSec connections.

Managing Cyber Security Incidents for T&D Systems

This project focuses on two components of managing incidents: improving incident detection capabilities for power delivery systems and providing guidelines for planning an Integrated Security Operations Center (ISOC). The incident detection task involves engaging with IDS and SIEM vendors to build an incident correlation test bed in EPRI's Cyber Security Research Lab. This resource will provide crucial capabilities for future projects on incident detection methodologies. The ISOC task describes strategies and best practices for utilities to plan an ISOC that includes corporate systems, control systems, and physical security. An ISOC is designed to collect, integrate, and analyze alarms and logs and increase situational awareness for the utility's security team. This research focuses on the initial steps in the process of setting up an ISOC: developing the business case, potential organizational challenges, creating requirements for log collection, management, and analysis, and creating the ISOC architecture. 3002000374

An integrated approach provides greater situational awareness and promotes an intelligence driven solution to incident management.

Guidelines for Network Security Management on Distribution Systems

Power systems operations are increasingly reliant upon information infrastructures, including communication networks, intelligent electronic devices (IEDs), and self-defining communication protocols. Management of the information infrastructure is crucial to providing the necessary high levels of security and reliability in power system operations. This project focuses on network security management objects for end systems, particularly IEDs, used in transmission systems. The IEC 62351-7 standard was used as the starting point for the work as an abstract data model for network and system management. This project refines the definitions in the IEC standard to make them implementable over various protocols used for network management. The revised definitions are mapped to SNMP and IEC 61850 to provide implementation examples and support the next steps of testing and validating these objects within a multi-vendor environment. 3002000373

Power control systems will experience increased reliability and security through having a comprehensive, standardized set of network security management (NSM) objects.


Cyber Security Technology for T&D Systems (183B)

Page 11


» Looking Ahead to 2014

Security Strategies and Solutions for Legacy Systems

Legacy systems continue to pose a security challenge for utilities. Supporting requirements such as integrity, confidentiality, and authentication can be extremely difficult when confronted with the constraints of limited communications bandwidths, lower computation capacity, and legacy protocols. System availability is a primary concern in power control systems and must be taken into account when developing security mitigation strategies. Additionally, vendor design choices such as hard-coding passwords into software also pose security risks. This project will focus on mitigating the cyber security risk of legacy systems by creating transition strategies, cyber security controls, and procedures for legacy systems. In 2014, this project will examine recent security improvements to DNP3. The updated standard DNP3 Secure Authentication version 5 (DNP3 SAv5) has been approved and released as IEEE 1815-2012. The secure authentication feature offers the ability to determine that the DNP3 master is unambiguously communicating with the proper slave (outstation). EPRI will be providing additional information and educational sessions for utilities to learn about implementation and migration challenges associated with DNP3 SAv5. Additionally, EPRI will be hosting an interoperability test for vendor implementations of DNP3 SAv5 for SCADA and IED systems.

Protective Measures for Securing T&D Systems

Increasing the security of next-generation energy delivery systems will require a combination of new security architectures, tools, and procedures that provide end-to-end security and support defense-in-depth strategies. The objective of this project is to develop a security management architecture for transmission and distribution systems so that the Network Operations Center (NOC), Energy Management Systems (EMS), Distribution Management Systems (DMS), and field equipment supporting these functions have a consistent set of information security objects in place that are open and standards-based. This project intends to extend the 2013 research on the refinement of IEC 62351-7 network security management objects and the development of an IEC Management Information Base (MIB) to apply it to existing Network Management Systems and IEDs. Increasing adoption and validating the security objects within the MIB will be a focus of the future efforts. In 2014, EPRI will continue with the installation and configuration of existing and emerging Network Management Systems (NMS). Additionally, EPRI anticipates working alongside IED vendors to provide support for the revised IEC 62351-7 objects through Simple Network Management Protocol (SNMP) or IEC 61850 protocols. Utilities will be engaged through the development of test scenarios and opportunities to pilot the technology.
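A message-level sketch of the DNP3 SAv5 challenge-response mechanism mentioned under Security Strategies and Solutions for Legacy Systems, added here as an illustration; it is not EPRI's code and not a conforming IEEE 1815-2012 implementation. It assumes a constructed pre-shared 16-byte session key, a constructed control ASDU, and HMAC-SHA-256 truncated to 16 octets as the MAC, and omits key update, aggressive mode and the standard's binary encoding:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed illustration, not EPRI's code and not the IEEE 1815-2012 reference
# implementation. It models only the message-level idea of DNP3 SA v5 challenge-
# response: the outstation challenges a critical request, the master answers with
# a MAC keyed by a shared session key, and the MAC covers both the challenge and
# the protected message. Key update, aggressive mode and the binary encoding of
# the real protocol are omitted.


@dataclass(frozen=True)
class Challenge:
    csq: int       # challenge sequence number; strictly increasing per outstation
    nonce: bytes   # fresh random challenge data


def compute_mac(session_key: bytes, challenge: Challenge, asdu: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 16 octets, bound to the challenge so that an
    old response cannot be replayed against a later challenge."""
    data = challenge.csq.to_bytes(4, "big") + challenge.nonce + asdu
    return hmac.new(session_key, data, hashlib.sha256).digest()[:16]


class Outstation:
    """The DNP3 slave. It only executes a critical ASDU after a valid response."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._csq = 0
        self._pending: Optional[Challenge] = None
        self.executed = []

    def challenge(self) -> Challenge:
        self._csq += 1
        self._pending = Challenge(self._csq, os.urandom(4))
        return self._pending

    def receive_response(self, asdu: bytes, mac: bytes) -> bool:
        """Verify the MAC in constant time; each challenge is answerable once."""
        if self._pending is None:
            return False
        expected = compute_mac(self._key, self._pending, asdu)
        self._pending = None
        if not hmac.compare_digest(expected, mac):
            return False          # a real outstation would also bump an error statistic
        self.executed.append(asdu)
        return True


class Master:
    """The DNP3 master answering challenges with its copy of the session key."""

    def __init__(self, session_key: bytes):
        self._key = session_key

    def respond(self, challenge: Challenge, asdu: bytes) -> bytes:
        return compute_mac(self._key, challenge, asdu)


def run_scenarios() -> dict:
    """Exercise the exchange; returns which attempts the outstation accepted."""
    key = bytes(range(16))                      # constructed pre-shared session key
    close_breaker = b"\x05\x01\x41"             # constructed stand-in for a control ASDU
    outstation, master = Outstation(key), Master(key)
    results = {}

    # 1. Genuine master: challenge, MAC over challenge + ASDU, accepted.
    c = outstation.challenge()
    good_mac = master.respond(c, close_breaker)
    results["genuine"] = outstation.receive_response(close_breaker, good_mac)

    # 2. ASDU altered in transit after the MAC was computed: rejected.
    c = outstation.challenge()
    mac = master.respond(c, close_breaker)
    results["tampered_asdu"] = outstation.receive_response(b"\x05\x01\x81", mac)

    # 3. A master without the session key cannot produce a valid MAC.
    c = outstation.challenge()
    mac = Master(b"\x00" * 16).respond(c, close_breaker)
    results["wrong_key"] = outstation.receive_response(close_breaker, mac)

    # 4. Replaying the earlier valid MAC against a fresh challenge fails because
    #    CSQ and nonce differ, so the replayed MAC no longer matches.
    outstation.challenge()
    results["replay"] = outstation.receive_response(close_breaker, good_mac)

    results["executed"] = len(outstation.executed)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The four scenarios show what the feature gives a defender and what it does not: a tampered command, a master without the session key and a replayed response are all rejected because the MAC is bound to the challenge sequence number and nonce, but nothing here encrypts the ASDU, so confidentiality on the link still has to come from something like the IPsec profile described on page 10.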

Managing Cyber Security Incidents for T&D Systems

Cyber security research for energy delivery systems has traditionally focused on the prevention of cyber incidents and neglected the need to prepare for the eventuality of a cyber incident. Although individual IEDs and systems may produce alerts and alarms for security events, they are often not correlated across disparate IT and OT systems. Additionally, traditional intrusion detection systems (IDS) and security information and event management (SIEM) systems are not tailored to detect attack profiles for power systems. In 2014, this project will build on the two components of managing incidents that were developed in 2013: improving incident detection capabilities for power delivery systems and providing guidelines for planning an Integrated Security Operations Center (ISOC). The incident detection task involves continued engagement with IDS and SIEM vendors to further develop the Incident Management Test Bed in EPRI's Cyber Security Research Lab. The project will also develop use cases and demonstration scenarios to improve vendors' incident detection capabilities. The ISOC project will leverage research performed in 2013 to develop guidelines for building and implementing an ISOC. The results of this research will greatly improve a utility's ability to detect, respond to, and recover from cyber incidents in both its corporate and operations domains.
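An added example of the cross-system correlation gap that the incident detection task targets; it is not the EPRI Incident Management Test Bed or any vendor's product. The two log formats, every record in them, the site and device names and the severity weights are constructed for the illustration. It parses a corporate SIEM feed and a substation alarm feed into one event stream, groups events per site inside a time window, and treats a window with evidence from more than one source as a candidate incident:

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed illustration of the IT/OT correlation problem; an added example,
# not the EPRI Incident Management Test Bed. Both log formats and every record
# below are made up for this example.

SIEM_LOG = """\
2013-11-05T02:14:07Z src=vpn site=SUB-12 user=jdoe event=vpn_login result=success
2013-11-05T02:21:40Z src=nms site=SUB-12 device=RTU-3 event=config_change
2013-11-05T14:02:11Z src=vpn site=SUB-07 user=asmith event=vpn_login result=success
"""

OT_ALARMS = """\
2013-11-05 02:23:05 SUB-12 IED-RELAY-1 SETTINGS_CHANGED group=2
2013-11-05 02:24:30 SUB-12 IDS DNP3_WRITE_UNEXPECTED_POINT
2013-11-05 09:45:12 SUB-07 IED-RELAY-4 COMM_LOSS
"""

# Constructed severity weights; an ISOC would derive its own from its
# log-collection and analysis requirements.
WEIGHTS = {"vpn_login": 1, "config_change": 3, "SETTINGS_CHANGED": 3,
           "DNP3_WRITE_UNEXPECTED_POINT": 4, "COMM_LOSS": 2}
WINDOW = timedelta(minutes=15)


@dataclass
class Event:
    ts: datetime
    site: str
    source: str     # which system produced the record (vpn, nms, IED, IDS)
    kind: str
    raw: str


@dataclass
class Incident:
    site: str
    events: List[Event]

    @property
    def score(self) -> int:
        return sum(WEIGHTS.get(e.kind, 1) for e in self.events)

    @property
    def sources(self) -> set:
        return {e.source for e in self.events}


def parse_siem(text: str) -> List[Event]:
    """key=value records from the corporate SIEM."""
    events = []
    for line in text.splitlines():
        ts_str, _, rest = line.partition(" ")
        kv = dict(re.findall(r"(\w+)=(\S+)", rest))
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, kv["site"], kv["src"], kv["event"], line))
    return events


def parse_ot(text: str) -> List[Event]:
    """Space-separated alarm records from substation IEDs and the substation IDS."""
    events = []
    for line in text.splitlines():
        date, time, site, device, kind = line.split()[:5]
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        source = "IDS" if device == "IDS" else "IED"
        events.append(Event(ts, site, source, kind, line))
    return events


def correlate(events: List[Event]) -> List[Incident]:
    """Group events per site into windows; a window with evidence from more than
    one source becomes an incident, ranked by score."""
    by_site = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_site.setdefault(e.site, []).append(e)
    incidents = []
    for site, evs in by_site.items():
        group = [evs[0]]
        for e in evs[1:]:
            if e.ts - group[-1].ts <= WINDOW:
                group.append(e)
            else:
                incidents.append(Incident(site, group))
                group = [e]
        incidents.append(Incident(site, group))
    return sorted((i for i in incidents if len(i.sources) > 1), key=lambda i: -i.score)


if __name__ == "__main__":
    for inc in correlate(parse_siem(SIEM_LOG) + parse_ot(OT_ALARMS)):
        print(inc.site, inc.score, sorted(inc.sources))
        for e in inc.events:
            print("   ", e.raw)
```

On the constructed data, the SUB-12 VPN login, NMS configuration change, relay settings change and IDS alert fall inside one window and surface as a single incident, while the two SUB-07 records are hours apart and each come from one source, so neither is promoted. Taken on their own, none of the four SUB-12 records would look alarming to the system that produced it, which is the point the text makes.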

Reach the EPRI Cyber team at: [email protected]

[Figure: a load versus time-of-day chart (8am to 6pm, Sectors 10 to 15) and a network diagram showing the control center (EMS, SIEM, NMS, logs) on the operations network and the substation (IED, RTU, IDS) on the substation network, linked over DNP3 SA v5.]

Page 12

Industry Involvement: Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology

The "Cross-Domain Cyber Security Tools, Architectures, and Techniques" Project Set focuses on security challenges that affect multiple operational domains. Activities within these domains include designing security into systems, developing security architectures, creating security metrics for the electric sector, and developing a risk assessment methodology that is designed for power systems. These activities are critical to understanding a utility's overall security posture and managing its level of cyber security risk. Additionally, the metrics and methodologies developed in these projects can help utilities prioritize their cyber security investments.

The Project 183D lead is Annabelle Lee, Senior Technical Executive. [email protected]

The nation's power system consists of both legacy and next generation technologies. New grid technologies are introducing millions of novel, intelligent components to the electric grid that communicate in much more advanced ways (two-way communications, dynamic optimization, and wired and wireless communications) than in the past. These new components will operate in conjunction with legacy equipment that may be several decades old and provide no cyber security controls. With the increase in the use of digital devices and more advanced communications and information technology, the overall attack surface has increased. For example, as substations are modernized, the new equipment is digital rather than analog. These new devices include commercially available operating systems, protocols, and applications rather than proprietary solutions. This increased digital functionality provides a larger attack surface for any potential adversary. Also, many of these commercially available solutions have known vulnerabilities in the new control system components that may be exploited by adversaries.

Cyber security risk is one component of enterprise risk, which addresses many types of risk (e.g., investment, budgetary, program management, legal liability, safety, and inventory risk, as well as the risk from information systems). A cyber security risk management strategy is a component within an organization's enterprise risk management strategy. An enterprise risk management strategy identifies how an organization frames, assesses, responds to, and monitors risk on an ongoing/continual basis. This overall strategy may be further refined and tailored for specific departments/agencies within an organization and for specific classes or families of systems. Enterprises have developed processes to evaluate risks associated with their business and to address those risks based on organizational priorities and both internal and external constraints. In addition, utilities have developed a variety of risk management methodologies, models, and systems for addressing risks related to safety. This management of all these types of risk is an ongoing process that is part of normal operations. A primary difference between enterprise risk management for typical IT systems and control systems is the prioritization of the security objectives (confidentiality, integrity, and availability).


Cross-Domain Cyber Security Tools, Architectures, and Techniques (183D)

Page 13


In general, the primary security objective for control systems is availability, with integrity second and confidentiality third. This is in contrast with most IT systems, which prioritize confidentiality and integrity as the primary security objectives and availability secondary. These differences in the prioritization of the security objectives may require a separate risk management strategy developed specifically to address control systems.

A risk assessment may be performed in the acquisition/development phase of the system life cycle. The objective would be to develop the security requirements that will be included in procurement specifications or internal design documents. In this phase, the risk assessment may not include granular detail because the utility is not selecting specific products or components. Also, preliminary confidentiality, integrity, and availability impact levels should be specified for each system or group of systems. These impact levels will affect the specification of cyber security requirements.

A utility selects the cyber security controls/countermeasures in the implementation phase of the system life cycle. The security controls for each system should be selected and tailored based on an acceptable level of residual risk and should meet the security requirements specified in the acquisition/development phase. Because the risk assessment may then be updated to a more detailed level, the confidentiality, integrity, and availability impact levels should be reevaluated to ensure they remain the same, or are revised, as required. The risk approach can include avoiding, sharing, mitigating, transferring, or accepting the risk. Because cyber security supports the reliability of the electricity subsector, several of these approaches may not be considered acceptable. The residual risk is determined based on the level of resources required (including both personnel and financial), the adverse impact on the organization, and prioritization with the other organizational risk types described previously.

The focus of this technical update is to document a risk assessment process that uses the failure scenarios and impact ranking criteria developed in the National Electric Sector Cybersecurity Organization Resource (NESCOR) program. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power. Failure scenarios include malicious and non-malicious cyber security events such as:

• Failures due to compromising equipment functionality
• Communications failures
• Human error
• Interference with the equipment lifecycle
• Natural disasters that impact cyber security posture.

Impacts identified in the failure scenarios include loss of power, equipment damage, human casualties, revenue loss, violations of customer privacy, and loss of public confidence. Appropriate mitigations are then identified to lower risk where deemed necessary. Mitigations in the document use a common naming schema that improves readability and comprehension, and enables prioritization.

Each failure scenario should be allocated to a system group and to specific systems within that system group, if applicable. To ensure that the objective levels for confidentiality, integrity, and availability are adequately addressed for a system or group of systems, assumptions about each failure scenario should be documented. For example, is the impact widespread or limited to a single device? These assumptions will ensure that the failure scenario is accurately applied to the system and that the appropriate mitigation strategies are selected to meet the residual risk.

This document is being developed by EPRI and the Department of Energy (DOE) and will be jointly published. In the next phase of the project, DOE and EPRI will develop tools to support the risk assessment process and a methodology for determining the security posture using the DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Because the current ES-C2M2 focuses on organization-level capability maturity, the document will need to be tailored for determining the security posture for systems. Tools will be provided to support this process.

The goal of all these projects is to use existing standards and guidelines, processes, and methods to provide the electric sector with tools that they need to assess the overall cyber security status of various systems, identify gaps, and prioritize the various mitigation strategies. Because utilities do not have unlimited resources, prioritization is critical.

“Utilities and others have commented on the usefulness and quality of the failure scenarios.”

Cross-Domain Cyber Security Tools, Architectures, and Techniques (183D)

Page 14


Security Metrics for Energy Delivery Systems

While many asset owners and operators are performing self-assessments of their control systems, the methods and metrics used vary widely across the electric sector. This lack of consistent criteria and metrics makes it difficult to benchmark and compare the cyber security risks associated with power delivery systems. This technical update develops a framework for identifying cyber security metrics to assess the security posture of power delivery systems. The framework will leverage the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to identify categories of metrics and maturity levels. The objective is to apply the ES-C2M2 at a system level and create a foundation for the development of specific security metrics. 3002001205

The metrics framework developed in this project provides a consistent approach to evaluating the security posture of power delivery systems.


Assessing and Monitoring Risks

Assessing and monitoring the cyber security posture for energy delivery systems is vital to understanding and managing cyber security risk. A cyber security risk assessment provides the basis for determining the type, nature, and impact of cyber security risks facing a utility and provides the basis for all subsequent risk management decision making. A risk assessment includes identifying the threat agents, vulnerabilities, impacts, and likelihoods of cyber security events. A risk assessment process addresses malicious and non-malicious events. There are several risk assessment approaches available, but most are primarily focused on the IT and telecommunication sectors. This technical update provides a standardized risk-assessment approach for the electric sector and uses the failure scenarios and ranking criteria developed by the NESCOR program. 3002001181

By focusing on the electric sector and leveraging the NESCOR failure scenarios, the risk assessment approach in this report provides a key tool to understanding and managing the cyber security risk of power delivery systems.
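A worked version of the risk assessment process described on page 13 and summarized in the Assessing and Monitoring Risks technical update above, added here as an example; it is not EPRI's or NESCOR's tool and does not use the NESCOR ranking criteria. The scoring scheme (worst impact category, doubled when the documented scope assumption is "widespread", weighted by the system type's security-objective priority), the three failure scenarios, their numbers and the mitigation's effect are all constructed:

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Added example, not EPRI's or NESCOR's tooling. The scoring scheme, scenario
# numbers and mitigation effects are constructed to illustrate the process the
# text describes: score impact per failure scenario, weight the violated security
# objective by the system type's priority, compute residual risk after mitigation,
# and prioritize.

# Impact categories named in the text; the 0-5 scores per category are constructed.
IMPACT_CATEGORIES = ("loss_of_power", "equipment_damage", "casualties",
                     "revenue_loss", "privacy_violation", "public_confidence")

# Objective priority per the text: control systems rank availability first,
# integrity second, confidentiality third; typical IT systems the reverse.
OBJECTIVE_WEIGHT = {
    "control": {"A": 3, "I": 2, "C": 1},
    "it":      {"C": 3, "I": 2, "A": 1},
}


@dataclass
class FailureScenario:
    sid: str
    description: str
    objective: str            # objective whose failure the scenario models: "C", "I" or "A"
    likelihood: int           # 1 (rare) .. 5 (expected)
    impacts: Dict[str, int]   # category -> 0..5
    scope: str = "single_device"   # documented assumption: "single_device" or "widespread"

    def impact_score(self) -> int:
        worst = max(self.impacts.get(c, 0) for c in IMPACT_CATEGORIES)
        return worst * (2 if self.scope == "widespread" else 1)


@dataclass
class Mitigation:
    name: str
    scenarios: List[str]        # scenario ids the mitigation applies to
    likelihood_reduction: int


def risk(s: FailureScenario, system_type: str, likelihood: int = None) -> int:
    lk = s.likelihood if likelihood is None else likelihood
    return lk * s.impact_score() * OBJECTIVE_WEIGHT[system_type][s.objective]


def residual_risk(s: FailureScenario, system_type: str,
                  mitigations: Sequence[Mitigation]) -> int:
    """Risk after the applicable mitigations reduce likelihood (never below 1)."""
    reduction = sum(m.likelihood_reduction for m in mitigations if s.sid in m.scenarios)
    return risk(s, system_type, max(1, s.likelihood - reduction))


def prioritize(scenarios: Sequence[FailureScenario], system_type: str,
               mitigations: Sequence[Mitigation] = ()) -> List[Tuple[str, int]]:
    """Scenarios ordered from highest to lowest (residual) risk."""
    ranked = [(s.sid, residual_risk(s, system_type, mitigations)) for s in scenarios]
    return sorted(ranked, key=lambda t: -t[1])


# Constructed scenarios using the kinds of events the text lists.
SCENARIOS = [
    FailureScenario("FS-1", "Outstation accepts control commands from an unauthenticated master",
                    "I", 3, {"loss_of_power": 4, "equipment_damage": 3}, "widespread"),
    FailureScenario("FS-2", "Customer usage data disclosed from a metering back office",
                    "C", 4, {"privacy_violation": 4, "public_confidence": 3}, "widespread"),
    FailureScenario("FS-3", "Communications failure isolates a substation (non-malicious)",
                    "A", 3, {"loss_of_power": 5}, "single_device"),
]
MITIGATIONS = [Mitigation("Deploy DNP3 Secure Authentication v5", ["FS-1"], 2)]


if __name__ == "__main__":
    for system_type in ("control", "it"):
        print(system_type, prioritize(SCENARIOS, system_type))
    print("control, after mitigation", prioritize(SCENARIOS, "control", MITIGATIONS))
```

Run on the constructed scenarios, the same three events rank as FS-1, FS-3, FS-2 for a control system and FS-2, FS-1, FS-3 for an IT system, which is the effect of the objective prioritization the text describes; applying the authentication mitigation drops FS-1 from 48 to 16 for the control system and moves it to the bottom of the list.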


Security Resiliency Testing

Testing the cyber resiliency of interconnected and automated systems is critical to understanding the impact of cyber incidents on grid reliability and survivability. This technical update addresses cyber security resiliency testing for transmission systems by developing a framework for test execution. This project leverages the failure scenarios developed by the Department of Energy's National Electric Sector Cybersecurity Organization Resource (NESCOR) to develop a test case for Wide-Area Monitoring, Protection, and Control (WAMPAC) systems. Finally, the technical update documents the results of the resiliency testing and provides recommendations to mitigate the impact of potential failure scenarios on WAMPAC systems. 3002001187

Evaluating the impact of cyber incidents on grid reliability and survivability is a key component of understanding the cyber resiliency of the grid.

Security Design and Architectures

Determining how to apply cyber security requirements for new power delivery systems requires cyber security experts, power system engineers, and procurement organizations to work together with vendors to select, implement, and maintain cyber security controls. Improper or incomplete implementations of security controls due to a lack of adequate requirements and/or division of responsibilities between the utility and vendor can often result in costly backfit to meet requirements. This technical update extends the methodology and requirements developed in EPRI's Technical Update "Cyber Security Procurement Methodology for Power Delivery Systems" (1026562), providing specific requirements for suppliers and a grading scheme for evaluating the capabilities of their systems. Additionally, it examines evidence of compliance that may be requested by utilities to ensure that their cyber security requirements are being met. 3002001041

The approach of using graded security requirements and evidence of compliance criteria helps ensure that newly procured systems meet a utility’s required cyber security controls.


Cross-Domain Cyber Security Tools, Architectures, and Techniques (183D)

Page 15


Cross-Domain Cyber Security Tools, Architectures, and Techniques (183D) » Looking Ahead to 2014

Security Design and Architectures

Asset owners and operators need to deliver cost-effective and reliable power to their customers. Key components of this effort are the various operational systems and cyber assets that are deployed. To rely on these cyber assets, owners and operators must be assured that their cyber assets have been developed in a secure manner and that the necessary cyber security controls have been installed. Owners and operators also need assurance that unnecessary or ineffective cyber security controls are not implemented. This project will develop a security requirements specification that is tailored for power delivery procurements and includes a prioritization that is related to a graded security index. Additionally, specific evidence of compliance will be developed for the recommended requirements.

Security Metrics for Energy Delivery Systems

Utilities are deploying a variety of tools and techniques to address current and emerging cyber security vulnerabilities and threats. A standard approach to monitoring the controls that are in place and developing useful metrics could be used to improve a utility's cyber security program. Such metrics could also be used to provide senior management with an ongoing reporting process. Information from this process could be used as input for cyber security investment decisions in areas such as hardware, software, and personnel resources. This project will develop a set of benchmarking criteria that could be utilized to measure the effectiveness of energy delivery systems' security controls and the environments in which they reside.

Assessing and Monitoring Risks

Utilities need to assess cyber security risk and prioritize this risk with other components of organizational risk, for example, investment, budgetary, program management, and legal liability. This project will build upon the cyber security risk assessment process that was previously developed and will develop tools that a utility may use to perform a cyber security risk assessment. The NESCOR failure scenarios and ranking criteria will be used as input to the tool set. The output from the cyber security risk assessment will be used as input to the security metrics project for the computation of security posture metrics.


Page 16


National Electric Sector Cybersecurity Organization (NESCOR) Update

The National Electric Sector Cybersecurity Organization Resource (NESCOR) is a Department of Energy (DOE) funded public-private partnership that is led by EPRI. NESCOR provides technical assessments of power system and cyber security standards to meet power system security requirements. NESCOR also focuses on research and development priorities, identifies and disseminates best practices, and works cooperatively with DOE and other federal agencies to enhance the security of the electric grid. Currently, there are several contractors representing academia, DOE labs, research organizations, and cyber security private sector organizations participating in NESCOR. In addition, many individuals that represent utilities, federal agencies, research organizations, and private sector companies also participate in the working groups and contribute to the various deliverables. The work of NESCOR is coordinated with other organizations to ensure there is no duplication of effort.

NESCOR has four working groups to address the cyber security needs of the electric sector. The tasks of each group are summarized below:

Technical Working Group 1 developed cyber security failure scenarios and impact analyses for the electric sector. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power. Information about potential cyber security failure scenarios is intended to be useful to utilities for risk assessment, planning, procurement, training, tabletop exercises, and security testing. The guidance on how to use these documents includes a discussion of their use in conjunction with the National Institute of Standards and Technology Interagency Report (NISTIR 7628), Guidelines for Smart Grid Cyber Security, August 2010, and the Department of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The following is a summary of each document:

• Electric Sector Failure Scenarios and Impact Analyses: This document contains cyber security failure scenarios and impact analyses for the electric sector for the six domains: advanced metering infrastructure, distributed energy resources, wide area monitoring, protection, and control, electric transportation, demand response, and distribution grid management. Also included are evaluation criteria and common mitigations.

• Analysis of Selected Electric Sector High Risk Failure Scenarios: These provide detailed analyses for a subset of the failure scenarios identified in the short failure scenario document listed above. All analyses presented include an attack tree, which details in a formal notation the logical dependencies of conditions that allow the failure scenario to occur. Several of the analyses also provide a detailed text write-up for the scenario, in addition to the attack trees. Failure scenarios in the short failure scenario document were prioritized for inclusion in this document, based upon the level of risk for the failure scenario and the priorities of NESCOR utility members.

• Attack Trees for Selected Electric Sector High Risk Failure Scenarios: This briefing includes the modified attack tree diagrams from the detailed analysis documents. The goal was to have a briefing that utilities could use.
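An added illustration of the attack-tree notation the detailed analyses use, written for this page; the tree is constructed from conditions discussed elsewhere in this review (unchanged default IED passwords, stale user access, remote access paths, legacy protocols without secure authentication) and is not one of the NESCOR trees. It computes the minimal cut sets of an AND/OR tree, that is the smallest combinations of leaf conditions that make the failure scenario occur, and lets a defender check which combinations remain once given mitigations are in place:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Added example of AND/OR attack-tree evaluation; constructed for this page and
# not a NESCOR analysis. Leaves are abstract conditions, gates combine them, and
# the root is the failure scenario. A mitigation is modelled as removing a leaf.


@dataclass(frozen=True)
class Node:
    label: str
    gate: str = "LEAF"          # "LEAF", "AND" or "OR"
    children: tuple = ()


def AND(label: str, *children: Node) -> Node:
    return Node(label, "AND", tuple(children))


def OR(label: str, *children: Node) -> Node:
    return Node(label, "OR", tuple(children))


def leaf(label: str) -> Node:
    return Node(label)


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal sets of leaf conditions that together make the node true."""
    if node.gate == "LEAF":
        return [frozenset([node.label])]
    child_sets = [cut_sets(c) for c in node.children]
    if node.gate == "OR":
        result = [cs for sets in child_sets for cs in sets]
    else:  # AND: every child must hold, so combine one cut set from each child
        result = [frozenset()]
        for sets in child_sets:
            result = [acc | cs for acc in result for cs in sets]
    # keep only minimal sets (drop any that is a strict superset of another)
    return [cs for cs in result if not any(other < cs for other in result)]


def reachable(node: Node, mitigated: Set[str]) -> bool:
    """True if the failure scenario can still occur with these leaves mitigated."""
    return any(cs.isdisjoint(mitigated) for cs in cut_sets(node))


def uncovered_paths(node: Node, mitigated: Set[str]) -> List[List[str]]:
    """The cut sets no mitigation touches: what a defender still has to address."""
    return [sorted(cs) for cs in cut_sets(node) if cs.isdisjoint(mitigated)]


# Constructed tree for the failure scenario "unauthorized control command
# executed by an outstation". Labels are illustrative, not NESCOR's.
TREE = OR(
    "Unauthorized control command executed by outstation",
    AND("Via remote access",
        leaf("Remote access path reaches substation network"),
        OR("Credentials obtained",
           leaf("Default IED password unchanged"),
           leaf("Departed employee's access not removed"))),
    AND("Via unauthenticated protocol",
        leaf("Legacy protocol without secure authentication"),
        leaf("Foothold on substation network")),
)


if __name__ == "__main__":
    for cs in cut_sets(TREE):
        print("cut set:", sorted(cs))
    planned = {"Default IED password unchanged",
               "Legacy protocol without secure authentication"}
    print("still reachable with planned mitigations:", reachable(TREE, planned))
    print("paths left open:", uncovered_paths(TREE, planned))
```

The tree has three cut sets. Fixing default passwords alone leaves two paths open, and the stale-access path is the one a password-only programme tends to miss; covering both credential leaves plus the protocol leaf, or alternatively the remote access path plus the protocol leaf, closes every cut set. That is the kind of question the attack trees in the briefing let a utility ask before choosing mitigations.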

Technical Working Group 2 focused on Distributed Energy Resources (DER). The security requirements take into account variations in DER architectures. These DER architectures are mapped to the DER actors, logical interfaces, and logical interface categories in the NISTIR 7628. The NISTIR 7628 high-level security requirements that are associated with the logical interface categories are assessed and tailored for applicability to these DER architectures.

Technical Working Group 3 developed the NESCOR Guide to Penetration Testing for Electric Utilities. This document focuses on penetration testing and attempts to help utilities break down the complex process of penetration testing. Penetration testing is a specialized form of hands-on assessment where the testing team takes on the role of the attacker and tries to find and exploit vulnerabilities in systems and devices. Testers use the same methodology that attackers use to identify vulnerabilities in a system, which is usually a semi-blind exploratory interaction with the system looking for both previously-known and previously-unknown vulnerabilities in the target system. Penetration testing focuses on discovering both known and unknown vulnerabilities and provides the testing team with a better understanding of a particular vulnerability's risk to the business through the vulnerability's exploitation. This is a valuable resource because there is limited knowledge about how to perform penetration testing.

Technical Working Group 4 focused on the IEC 62351 family of standards and provided comments to the IEC Technical Committee on Part 8, Role Based Access Control.



Page 17


Secure Substations Remote Access Interest Group

The EPRI Cyber Security and Privacy program has set up an Interest Group to collaborate on the topic of secure remote substation access systems. This Interest Group provides a forum for utilities to discuss remote access challenges with their peers and gives an opportunity for technology transfer of prior EPRI research. The Interest Group leverages the work performed during the 2012 Assessment of Substation Security Solutions project to accomplish the following objectives:

• Advance the state-of-the-art secure remote access systems for the power delivery domain.

• Build a community of end users to socialize secure remote substation access concepts and best practices.

• Identify implementation challenges for secure remote access functionality.

Membership (Open to all)

Membership of the Interest Group is open to all utilities, and may include program advisors, utility subject matter experts (SMEs), or other interested employees of member companies funding Cyber Security and Privacy Program activities. Non-EPRI members can also participate in this group. The free interest group will be focused on understanding the current challenges with remote access systems.

Remote Access Interest Group:
• Free to participate, open to all utilities
• Quarterly discussion of challenges and successes
• Presentations on related topics by peers
• Utility only (no vendor) participation.

Planned Activities

The Interest Group is focused on the following activities:
• Discussing and developing various scenarios where secure remote substation access solutions may be used. These scenarios will be transformed into test plans for the remote substation access supplemental project. Unique and challenging scenarios are welcomed.

• Discussing utility or regulatory requirements for secure remote access systems, including NERC CIP. Policy issues will not be discussed, per EPRI's charter.

• Discussing overall security of the remote access systems.

• Facilitating presentations by member utilities on remote access solution implementation experiences, challenges, and successes.

NERC CIP

The subject of NERC CIP requirements, specifically the requirements where remote access systems can provide support for compliance, has been a topic of significant interest to the participants. One utility presented at an Interest Group meeting on the subject of applying NERC CIP version 3 requirements to their RFP for a remote access system. Another utility provided an update about a mapping exercise using the proposed NERC CIP version 5 requirements to potential remote access system functionality. This matrix will be made available for other participants for review and contribution.

Participation and Meeting Schedules

This Interest Group has benefitted from the participation of a wide variety of utilities, ranging from smaller co-op and municipal owned utilities to large investor owned utilities. The need to access IEDs remotely and the challenges and solutions being discussed apply to distribution and transmission companies alike. The topics discussed are relevant both to utilities that are evaluating various remote access solutions and to those utilities that have an existing system installed. The Interest Group is scheduled to meet quarterly during 2014.

Future Discussion Topics

Future discussion topics for the Interest Group are listed below. Additional topic suggestions and presentations by utility participants are greatly welcomed, and provide a variety of perspectives when addressing these topics:
• IED password management and password complexity
• IED patch management
• IED configuration management
• System ownership
• NERC CIP v3 and v5 requirements mapping to remote access system capabilities

Interest Group Reference Materials: If you would like more information, webcast recordings and copies of the Interest Group presentations are available from the EPRI Smart Grid Resource Center: http://smartgrid.epri.com/SRSA.aspx



Page 18


Matt Wakefield is Director of Information and Communication Technologies (ICT) at the Electric Power Research Institute (EPRI). With over 25 years of energy industry experience, his research area responsibilities include furthering the development of a modernized grid with a strong focus on leveraging emerging information and communication technologies that can be applied to the electric grid infrastructure. He received his Bachelor of Science degree in Technology Management from the University of Maryland University [email protected]

Galen Rasche is a Technical Executive in the Power Delivery and Utilization (PDU) Sector at EPRI and the program manager for the PDU Cyber Security and Privacy Program. Additionally, he is responsible for coordinating the cyber security research across the PDU Sector, Generation Sector, and Nuclear Sector. He is experienced in the areas of cyber security, smart grid security and the penetration testing of embedded systems. He is also the CIGRE U.S. National Committee Study Committee D2 representative. [email protected]

Annabelle Lee is a Senior Technical Executive in the Power Delivery and Utilization Sector at EPRI. She provides cyber security support to many of the projects within EPRI and is the program manager for the National Electric Sector Cybersecurity Organization Resources (NESCOR) Program. Lee has over 35 years of technical experience in IT system design and implementation and over 20 years in cyber security specification development and testing. [email protected]

Glen Chason is a Project Manager in the PDU Sector at EPRI with a focus on Cyber Security and Privacy. Current efforts include research and analysis on security standards and best practices for the electric power industry with an emphasis on securing embedded systems. His work on embedded systems includes efforts in the areas of penetration testing, malware prevention, and secure system configurations. Industry group affiliations include IEEE, NESCOR, and SGIP. [email protected]

John McGuire joined EPRI in 2012 as a project manager in the Cyber Security and Privacy Program. He enjoys working with utilities and vendors to build a securable smart grid within a reliable architecture. His present efforts build upon a 21-year IT career with 13 years of cyber security work in banking and other critical infrastructure. [email protected]

Scott Sternfeld is a licensed professional engineer who serves as a Project Manager within the EPRI Cyber Security and Privacy program. Scott leads the Cyber Security Technologies project set and is responsible for the Smart Grid Substation and Cyber Security Research Labs (Knoxville, TN; Charlotte, NC; and Lenox, MA). His focus areas include secure remote substation access, substation IEDs, and security for legacy devices. He has a BSME from the University of Illinois and is a member of IEEE and [email protected]

Ashley Eldredge is a Technical Assistant with EPRI. She has supported IntelliGrid and Cyber Security Programs within EPRI’s Power Delivery and Utilization group for 6 years. Ashley is responsible for member communications, tracking deliverables, contracts, event coordination, government projects and providing administrative support. [email protected]

Jeff Stevenson is a Research Portfolio Manager for Information and Communication Technology (ICT). Jeff joined EPRI in June of 2013. Prior to joining EPRI, Jeff was the Research and Development Officer for a regional bank in Tennessee, Marketing Specialist and Budget Coordinator for Knoxville Utilities Board, and Regional Director of Marketing for Boeing Commercial Airplane Group. Jeff holds a B.S. in Civil Engineering from the University of Arizona and an MBA in Management/Marketing from Seattle Pacific University. [email protected]

Cyber Security and Privacy Team Members


2013
• AMI Cyber Security Risks, Product ID 3002000389
• Securing Smart Grid Cell Relay Networks, Product ID 3002000390
• Cyber Security and Privacy Industry Tracking Newsletter, April 2013, Product ID 3002000346
• Cyber Security and Privacy Industry Tracking Newsletter, July 2013, Product ID 3002000377
• Cyber Security and Privacy Industry Tracking Newsletter, October 2013, Product ID 3002000378
• Cyber Security and Privacy Industry Tracking Newsletter, December 2013, Product ID 3002000379

2012
• Cyber Security and Privacy Landscape of the Electric Sector: April 2012, Product ID 1024410; July 2012, Product ID 1024411; October 2012, Product ID 1024412; December 2012, Product ID 1024413
• The Cyber Security and Privacy Industry Tracking Newsletter: April 2012, Product ID 1024414; July 2012, Product ID 1024415; October 2012, Product ID 1024416; December 2012, Product ID 1024417

2013
• Intelligent Electronic Devices Password Management Strategies, Product ID 3002000372
• Lemnos Implementation Guide for IPSEC, Product ID 3002000375
• Network System Management: End System related IEC 62351-7 object definitions, Product ID 3002000373
• Guidelines for Planning an Integrated Security Operations Center, Product ID 3002000374

2012
• Network and System Management for Reliability and Cyber Security, Product ID 1024418
• Secure ICCP Implementation Guide, Product ID 1024420
• Standardizing Lemnos Interoperability Configuration Profiles (ICPs), Product ID 1025449
• Substation Security and Remote Access Implementation Strategies, Product ID 1024424
• Draft Risk Assessment Processes, Product ID 1024422
• Risk Mitigation Strategies, Product ID 1024423
• Guidelines for Security Architectures for DER integration into the Grid, Product ID 1024425
• Network Security Management for Transmission Systems, Product ID 1024421

2013
• Framework for Grading Procurement Requirements, Product ID 3002001041
• Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology, Product ID 3002001181
• Security Resiliency Testing Report, Product ID 3002001187
• Framework for Evaluating Cyber Security Posture, Product ID 3002001205

2012
• Assessment of Technology Used to Protect the Privacy of Energy Usage Data, Product ID 1024426
• Cryptographic Key Management (CKM) Design Principles for the Advanced Metering Infrastructure (AMI), Product ID 1024431
• Advanced Metering Infrastructure Security Objects, Product ID 1024427
• Security Testing Techniques for End-User Devices, Product ID 1024428
• Security Testing Tool for End-User Devices (PT2) Version 1.0, Product ID 1024429

183A Deliverables 183B Deliverables 183D Deliverables

Summary of Deliverables

183C Deliverables


3420 Hillview Avenue, Palo Alto, California 94304-1338 • PO Box 10412, Palo Alto, California 94303-0813, USA • 800.313.3774 • [email protected] • www.epri.com

The Electric Power Research Institute, Inc. (EPRI, www.epri.com) conducts research and development relating to the generation, delivery and use of electricity for the benefit of the public. An independent, nonprofit organization, EPRI brings together its scientists and engineers as well as experts from academia and industry to help address challenges in electricity, including reliability, efficiency, affordability, health, safety and the environment. EPRI also provides technology, policy and economic analyses to drive long-range research and development planning, and supports research in emerging technologies. EPRI's members represent approximately 90 percent of the electricity generated and delivered in the United States, and international participation extends to more than 30 countries. EPRI's principal offices and laboratories are located in Palo Alto, CA; Charlotte, NC; Knoxville, TN; and Lenox, MA.

© 2013 Electric Power Research Institute (EPRI), Inc. All rights reserved. Electric Power Research Institute, EPRI, and TOGETHER...SHAPING THE FUTURE OF ELECTRICITY are registered service marks of the Electric Power Research Institute.

3002002138

