© 2018 Electric Power Research Institute, Inc. All rights reserved.
Gerardo Trevino
Technical Leader
Cyber Security
Mexico City, Mexico
November 13, 2018
Cyber Security in the Power Sector
Agenda
▪ EPRI Cyber Security Program
▪ Industry Trends Impacting Cyber Security
▪ ISOC
▪ Security Metrics
▪ Compliance Standards Driven Solutions
Power Delivery Cyber Security Program P183
▪ Cyber Security Standardization and Industry Outreach
▪ Apply Research via Practical Demonstrations and Technology Transfer
▪ Identify Gaps and Research Emerging Technologies
Scope: Energy Utilization, Distribution, Transmission
Supporting reliable, resilient, flexible and secure operations for digital utilities
EPRI’s P183 Cyber Security Program Helps Utility Members…
▪ Mitigate risks to legacy and next-generation systems and promote grid resiliency
▪ Improve security with advanced incident management and threat management technology and practices
▪ Effectively evaluate security program processes and technologies
▪ Learn how peer utilities address their security challenges
▪ Leverage EPRI’s industry expertise, sector knowledge, and Cyber Security Research Lab to provide value ranging from thought leadership to hands-on demonstrations
EPRI Cyber Security Research Lab (CSRL) in Knoxville, TN
2018 CSRL Statistics
▪ Over $2.5 million worth of hardware, software, and other equipment
▪ 172 devices from over 30 manufacturers
▪ Over 295 Terabytes of storage connected to 108 virtual machines and servers by 1.5 miles of network cable
▪ Configured to support multiple SCADA protocols
▪ 10 cyber security engineers and managers
▪ Evaluation of new technologies and architectures
▪ Penetration testing and forensic analysis of embedded systems
Industry Trends Impacting Cyber Security Risk
Generation, Transmission, and Distribution
▪ Real-time situational awareness
▪ Dynamic supply / demand balancing with DER (DERMS)
▪ Mobile workforce
▪ Increased automation and communications
▪ Security regulation
Customer
▪ Self generation (Solar PV, Storage)
▪ Electric vehicles
▪ IoT devices
Third Parties
▪ DER and DR aggregators
Protecting Critical Infrastructure
▪ Malicious attack
▪ System mis-operation
P183 Cyber Security Research Drivers
Security of Emerging
Grid Technologies
Merging of IT and
OT Technologies
Business Processes
for Security Operations
Cyber Security Program (P183) – 2019 Research Projects
• Industry Collaboration
• Integrated Security Operations Center
• Cyber Security Forensics for Industrial Control Systems
• Automated Threat Response and Improved Threat Modeling
• Automating Asset and Configuration Management
• Security Architecture for DER Integration
• Cyber Security Metrics for the Electric Sector
• Compliance Standards Driven Solutions
• Security Risk Mitigation Methodology for the Integrated Grid
What is an ISOC?
Integrated Security Operations Center (ISOC)
In Spanish: Centro de Operaciones de Seguridad Integrada (COSI)
What is a SOC?
▪ A SOC is a collection of people, processes, and technologies responsible for the defense of systems (such as a computer network or physical security perimeter) against unauthorized activity
▪ Uses technologies for defense:
– Monitoring
– Detection
– Analysis
– Response
– Restoration
https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
SOC Mission
1. Prevention
– Preemptively stop unauthorized activity
2. Monitor/Detect/Analysis
– Collect relevant data from environment
– Apply analytical logic to detect suspicious activity
3. Response/Recovery
– Coordinate/perform activities to mitigate threats
– Restore system to normal operations
4. Situational Awareness
– Provide current health and status information to constituents and stakeholders
5. SOC Engineering
– Operate/maintain toolsets necessary for SOC functions
– Develop new SOC capabilities
Integrated Security Operations Center (ISOC)
An ISOC extends the SOC responsibilities and capabilities by integrating security operations for operational technology (OT) and physical security (PS) environments
ISOC Advantages
▪ Improve visibility
– Combine IT, OT, physical security monitoring, and external threat information sources
▪ Coordinate incident response efforts
– Streamlined incident response plans
▪ Optimize resources
– Resource sharing and SME experience
ISOC Challenges
▪ Organizational barriers between IT and OT groups
▪ Lack of mature OT-focused security best practices
▪ Broadened skill requirements for staff; availability of talent
▪ Budgeting restraints and complications
ISOC Mission and Operations
▪ Prevention
– Stop unauthorized activity prior to occurrence
▪ Monitoring, Detection, and Analysis
– Collect relevant security information from the environment and apply logic to detect suspicious activity
▪ Response and Recovery
– Coordinate and perform activities to mitigate threats and restore systems to normal operations
– Well-defined IR plan
▪ Situational Awareness
– Provide current health and status of systems to relevant stakeholders (EPRI, “The Common Operating Picture for Power Delivery Systems”)
– Utilize metrics for security measurement (EPRI, “Creating Security Metrics for the Electric Sector”)
▪ SOC Engineering
– Operate and maintain tools and technologies necessary to perform ISOC functions
EPRI Cyber Security Metrics for the Electric Sector
Project Objective
▪ Provide an end-to-end solution to utilize EPRI Security Metrics
Approach
▪ Automate Metric Data Collection
– Open data model
– Partnership with vendors / consultancies
▪ Enable Metric Data Aggregation
– EPRI Security Metrics Hub
– Benchmarking, industry statistics, analytics
▪ Putting it all together – mapping and correlations with existing frameworks
– NIST CSF, ES-C2M2, NERC CIP,…
Value
▪ Clear and consistent reporting of cyber security status
▪ Benchmarking among peers and across the industry
▪ Clear mappings to existing frameworks and methodologies
▪ Supports continuous improvement and investment of security operations
EPRI CS Metrics Hub
Cyber Security Metrics for the Electric Sector
Project Objective
Create meaningful and engineering-based security metrics for the electric sector. These metrics must:
1. Be based on quantitative, repeatable data
2. Measure the result of cyber security program independent from the effort
3. Communicate the state of cyber security to different stakeholders
4. Allow for tailoring across the utility, including various business units, functions, and ownership structures
Advantages of Security Metrics
▪ Accurate and clear reporting of security posture
▪ Support continuous improvement beyond the compliance
▪ Accumulation of knowledge for the data-driven security operations
EPRI’s Security Metrics (hierarchy, from top to bottom)
3 Strategic Metrics
• Protection Score
• Detection Score
• Response Score
10 Tactical Metrics
• Network Perimeter Protection Score
• Threat Detection Score
• End-Point Protection Score
• …
47 Operational Metrics
• Mean Time To Containment
• Monthly Count of Incidents involving Malicious Email
• Security Event True Positive Rate
• …
~120 Data Points
• CVSS of a vulnerability
• Number of internal IPs reachable from an asset
• Database criticality rating
• …
Full lists of metrics, data points, descriptions and formulae are included in the 2017 Technical Update: Cyber Security Metrics for the Electric Sector: Volume 3, Product ID: 3002010426 (www.epri.com)
EPRI Approach
1. Identify the list of metrics representing the effectiveness of the cyber security program: Protection, Detection and Response
2. Identify and collect relevant and measurable data:
Relevance
▪ What affects the likelihood of a successful compromise?
▪ What affects the duration of a compromise?
▪ What affects the impact of a compromise?
Measurability
▪ Is data available?
▪ Is data deterministic?
▪ Is data objective?
3. Turn the data into numbers and develop the metric formulae
4. Summarize the lower operational metrics into higher strategic metrics
EPRI OpenMetCalc
▪ Open-source Metric Calculator Tool
▪ Stand-alone Windows Application
▪ Functionalities
– Load data
– Calculate EPRI security metrics
– Load EPRI provided reference values
– Set your own target values
– Generate a dashboard
– Compare your metrics with target and reference values
– Export metrics to an Excel file
– Customizable metric scripts and parameters
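A worked roll-up of the hierarchy described in the EPRI Approach and OpenMetCalc slides above, added here as an illustration and not EPRI's or OpenMetCalc's own code: constructed event data points are turned into two operational metrics named on the metrics slide (Mean Time To Containment, Security Event True Positive Rate), summarized into strategic Detection and Response scores, and compared against target and reference values. The formulae, targets, reference values and 0..1 scoring rule are assumptions; the published definitions are in Technical Update 3002010426.

```python
"""Toy roll-up: data points -> operational metrics -> strategic scores -> comparison
against target and reference values. ASSUMPTION: the formulae, targets, reference
values and scoring rule below are illustrative, not EPRI's published ones."""
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%d %H:%M"
# Constructed sample data points: security events escalated by a SOC in one month.
# tp=True marks a confirmed incident; contained_at is None for false positives.
EVENTS = [
    {"id": "E1", "tp": True,  "detected_at": "2018-10-02 08:00", "contained_at": "2018-10-02 11:30"},
    {"id": "E2", "tp": False, "detected_at": "2018-10-03 09:15", "contained_at": None},
    {"id": "E3", "tp": True,  "detected_at": "2018-10-10 14:00", "contained_at": "2018-10-11 02:00"},
    {"id": "E4", "tp": False, "detected_at": "2018-10-12 10:00", "contained_at": None},
    {"id": "E5", "tp": True,  "detected_at": "2018-10-20 22:00", "contained_at": "2018-10-21 01:00"},
]
TARGETS = {"tpr": 0.75, "mttc_h": 4.0}     # assumed utility-set target values
REFERENCE = {"tpr": 0.50, "mttc_h": 8.0}   # assumed industry reference values

def true_positive_rate(events):
    """Operational metric: fraction of escalated events that were real incidents."""
    return sum(1 for e in events if e["tp"]) / len(events)

def mean_time_to_containment_h(events):
    """Operational metric: mean hours from detection to containment of true positives."""
    hours = []
    for e in events:
        if e["tp"] and e["contained_at"]:
            delta = datetime.strptime(e["contained_at"], FMT) - datetime.strptime(e["detected_at"], FMT)
            hours.append(delta.total_seconds() / 3600)
    return mean(hours)

def score(value, target, lower_is_better):
    """Assumed scoring rule: 1.0 when the target is met, proportionally less otherwise."""
    ratio = target / value if lower_is_better else value / target
    return round(min(1.0, ratio), 3)

def strategic_scores(events, targets=TARGETS):
    """Summarize the operational metrics into strategic Detection and Response scores."""
    tpr, mttc = true_positive_rate(events), mean_time_to_containment_h(events)
    return {"tpr": tpr, "mttc_h": mttc,
            "detection_score": score(tpr, targets["tpr"], lower_is_better=False),
            "response_score": score(mttc, targets["mttc_h"], lower_is_better=True)}

def compare(scores, targets=TARGETS, reference=REFERENCE):
    """Dashboard-style status per operational metric, vs. target and vs. industry reference."""
    better = {"tpr": lambda v, t: v >= t, "mttc_h": lambda v, t: v <= t}  # direction of "good"
    return {k: {"meets_target": better[k](scores[k], targets[k]),
                "better_than_reference": better[k](scores[k], reference[k])} for k in better}
```

Calling `compare(strategic_scores(EVENTS))` on the sample shows both metrics beating the reference but missing the target, which is the gap a dashboard would flag for investment.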
Compliance Standards Driven Solutions
Project Objective
▪ This research can enable utilities and industry to identify, research and resolve technology challenges associated with the CIP Standards that may impede security or limit the application of innovative approaches.
Approach
▪ This project will develop Implementation Guidance for the CIP Standards to help resolve pressing issues that affect utility compliance with CIP standards. The research approach may include:
– Coordination with existing NERC technical committees
– Involvement with Regional Entity Compliance outreach conferences to discuss compliance challenges with members and other Registered Entities
– Developing an interest group made up of EPRI members to help develop, review and approve Implementation Guides for endorsement by NERC
Value
▪ Clear and unambiguous solutions to the CIP standards that are technical in nature and improve industry’s ability to apply the CIP Standards in a manner that addresses both security and innovation.