© 2018 Electric Power Research Institute, Inc. All rights reserved.

Cyber Security in the Power Sector

Gerardo Trevino
Technical Leader, Cyber Security
Mexico City, Mexico
November 13, 2018

Agenda

▪ EPRI Cyber Security Program
▪ Industry Trends Impacting Cyber Security
▪ ISOC
▪ Security Metrics
▪ Compliance Standards Driven Solutions

Power Delivery Cyber Security Program P183

(Program diagram; recoverable labels:)
Cyber Security
▪ Standardization and Industry Outreach
▪ Apply Research via Practical Demonstrations and Technology Transfer
▪ Identify Gaps and Research Emerging Technologies
Scope: Transmission, Distribution, Energy Utilization

Supporting reliable, resilient, flexible and secure operations for digital utilities

EPRI’s P183 Cyber Security Program Helps Utility Members…

▪ Mitigate risks to legacy and next-generation systems and promote grid resiliency
▪ Improve security with advanced incident management and threat management technology and practices
▪ Effectively evaluate security program processes and technologies
▪ Learn how peer utilities address their security challenges
▪ Leverage EPRI’s industry expertise, sector knowledge, and Cyber Security Research Lab to provide value ranging from thought leadership to hands-on demonstrations

EPRI Cyber Security Research Lab (CSRL) in Knoxville, TN

2018 CSRL Statistics

▪ Over $2.5 million worth of hardware, software, and other equipment
▪ 172 devices from over 30 manufacturers
▪ Over 295 Terabytes of storage connected to 108 virtual machines and servers by 1.5 miles of network cable
▪ Configured to support multiple SCADA protocols
▪ 10 cyber security engineers and managers
▪ Evaluation of new technologies and architectures
▪ Penetration testing and forensic analysis of embedded systems

Industry Trends Impacting Cyber Security Risk

Generation, Transmission, and Distribution
▪ Real-time situational awareness
▪ Dynamic supply / demand balancing with DER (DERMS)
▪ Mobile workforce
▪ Increased automation and communications
▪ Security regulation

Customer
▪ Self generation (Solar PV, Storage)
▪ Electric vehicles
▪ IoT devices

Third Parties
▪ DER and DR aggregators

Protecting Critical Infrastructure
▪ Malicious attack
▪ System mis-operation

P183 Cyber Security Research Drivers

▪ Security of Emerging Grid Technologies
▪ Merging of IT and OT Technologies
▪ Business Processes for Security Operations

Cyber Security Program (P183) – 2019 Research Projects

• Industry Collaboration
• Integrated Security Operations Center
• Cyber Security Forensics for Industrial Control Systems
• Automated Threat Response and Improved Threat Modeling
• Automating Asset and Configuration Management
• Security Architecture for DER Integration
• Cyber Security Metrics for the Electric Sector
• Compliance Standards Driven Solutions
• Security Risk Mitigation Methodology for the Integrated Grid

What is an ISOC?

Integrated Security Operations Center (ISOC)
Centro de Operaciones de Seguridad Integrada (COSI)

What is a SOC

▪ A SOC is a collection of people, processes, and technologies responsible for the defense of systems—such as a computer network or physical security perimeter—against unauthorized activity
▪ Uses technologies for defense: Monitoring, Detection, Analysis, Response, Restoration

https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

SOC Mission

1. Prevention
– Preemptively stop unauthorized activity
2. Monitor/Detect/Analysis
– Collect relevant data from environment
– Apply analytical logic to detect suspicious activity
3. Response/Recovery
– Coordinate/perform activities to mitigate threats
– Restore system to normal operations
4. Situational Awareness
– Provide current health and status information to constituents and stakeholders
5. SOC Engineering
– Operate/maintain toolsets necessary for SOC functions
– Develop new SOC capabilities

Integrated Security Operations Center (ISOC)

An ISOC extends the SOC responsibilities and capabilities by integrating security operations for operational technology (OT) and physical security (PS) environments

ISOC Advantages

▪ Improve visibility
– Combine IT, OT, physical security monitoring, and external threat information sources
▪ Coordinate incident response efforts
– Streamlined incident response plans
▪ Optimize resources
– Resource sharing and SME experience

ISOC Challenges

▪ Organizational barriers between IT and OT groups
▪ Lack of mature OT-focused security best practices
▪ Broadened skill requirements for staff; availability of talent
▪ Budgeting restraints and complications

ISOC Mission and Operations

▪ Prevention
– Stop unauthorized activity prior to occurrence
▪ Monitoring, Detection, and Analysis
– Collect relevant security information from the environment and apply logic to detect suspicious activity
▪ Response and Recovery
– Coordinate and perform activities to mitigate threats and restore system to normal operations
– Well-defined IR plan
▪ Situational Awareness
– Provide current health and status of systems to relevant stakeholders (EPRI “The Common Operating Picture for Power Delivery Systems”)
– Utilize metrics for security measurement (EPRI “Creating Security Metrics for the Electric Sector”)
▪ SOC Engineering
– Operate and maintain tools and technologies necessary to perform ISOC functions

EPRI Cyber Security Metrics for the Electric Sector

Project Objective
▪ Provide an end-to-end solution to utilize EPRI Security Metrics

Approach
▪ Automate Metric Data Collection
– Open data model
– Partnership with vendors / consultancies
▪ Enable Metric Data Aggregation
– EPRI Security Metrics Hub
– Benchmarking, industry statistics, analytics
▪ Putting it all together – mapping and correlations with existing frameworks
– NIST CSF, ES-C2M2, NERC CIP, …

Value
▪ Clear and consistent reporting of cyber security status
▪ Benchmarking among peers and across the industry
▪ Clear mappings to existing frameworks and methodologies
▪ Supports continuous improvement and investment of security operations

(Diagram: EPRI CS Metrics Hub)

Cyber Security Metrics for the Electric Sector

Project Objective

Create meaningful and engineering-based security metrics for the electric sector. These metrics must:

1. Be based on quantitative, repeatable data
2. Measure the result of the cyber security program independent from the effort
3. Communicate the state of cyber security to different stakeholders
4. Allow for tailoring across the utility, including various business units, functions, and ownership structures

Advantages of Security Metrics

▪ Accurate and clear reporting of security posture
▪ Support continuous improvement beyond compliance
▪ Accumulation of knowledge for data-driven security operations

EPRI’s Security Metrics

(Metric hierarchy diagram, top tier to bottom tier:)

3 Strategic Metrics
• Protection Score
• Detection Score
• Response Score

10 Tactical Metrics
• Network Perimeter Protection Score
• Threat Detection Score
• End-Point Protection Score
• …

47 Operational Metrics
• Mean Time To Containment
• Monthly Count of Incidents involving Malicious Email
• Security Event True Positive Rate
• …

~120 Data Points
• CVSS of a vulnerability
• Number of internal IPs reachable from an asset
• Database criticality rating
• …

Full lists of metrics, data points, descriptions and formulae are included in the 2017 Technical Update: Cyber Security Metrics for the Electric Sector: Volume 3, Product ID: 3002010426 (www.epri.com)

EPRI Approach

1. Identify the list of metrics representing the effectiveness of the cyber security program: Protection, Detection and Response
2. Identify and collect relevant and measurable data:

Relevance
▪ What affects the likelihood of a successful compromise?
▪ What affects the duration of a compromise?
▪ What affects the impact of a compromise?

Measurability
▪ Is data available?
▪ Is data deterministic?
▪ Is data objective?

3. Turn the data into numbers and develop metric formulae
4. Summarize the lower operational metrics into higher strategic metrics

EPRI OpenMetCalc

▪ Open-source Metric Calculator Tool
▪ Stand-alone Windows Application
▪ Functionalities
– Load data
– Calculate EPRI security metrics
– Load EPRI provided reference values
– Set your own target values
– Generate a dashboard
– Compare your metric with target and reference values
– Export metrics to an Excel file
– Customizable metric scripts and parameters
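To make the four-step approach on the previous slide and the OpenMetCalc "compare with target and reference values" function concrete, here is an added example that is not EPRI's OpenMetCalc code and does not use EPRI's published formulae (those are in the Volume 3 report cited above). It takes a constructed month of triaged SOC events, computes two of the operational metrics named in the hierarchy slide (Mean Time To Containment, Security Event True Positive Rate), normalises them onto a 0..1 scale, rolls them up into a strategic Response Score, and places that score against a target and a reference value. The worst/best bands, the weights, the event schema and the skipped tactical tier are all assumptions of this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Event:
    """One triaged security event (constructed sample schema, not an EPRI data model)."""
    event_id: str
    detected_at: str               # minute-resolution timestamp, "YYYY-MM-DDTHH:MM"
    contained_at: Optional[str]    # None when the event was closed as a false positive
    confirmed_incident: bool


# Constructed sample: one month of events from a hypothetical utility SOC.
EVENTS = [
    Event("ev-1", "2018-10-02T08:00", "2018-10-02T10:30", True),
    Event("ev-2", "2018-10-05T13:15", None, False),
    Event("ev-3", "2018-10-11T22:40", "2018-10-12T06:40", True),
    Event("ev-4", "2018-10-18T09:05", None, False),
    Event("ev-5", "2018-10-25T16:20", "2018-10-25T18:20", True),
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


# Steps 2 and 3: operational metrics computed from the raw data points.
def mean_time_to_containment_hours(events: list) -> float:
    """Average detection-to-containment time over confirmed, contained incidents."""
    hours = [
        (_ts(e.contained_at) - _ts(e.detected_at)).total_seconds() / 3600
        for e in events
        if e.confirmed_incident and e.contained_at
    ]
    return mean(hours) if hours else 0.0


def security_event_true_positive_rate(events: list) -> float:
    """Share of triaged events that turned out to be real incidents."""
    if not events:
        return 0.0
    return sum(1 for e in events if e.confirmed_incident) / len(events)


def normalise(value: float, worst: float, best: float) -> float:
    """Map a raw metric onto 0..1 (1 = best). Works for lower-is-better metrics
    (worst > best, e.g. hours to containment) and higher-is-better metrics alike;
    values outside the worst..best band are clamped."""
    score = (value - worst) / (best - worst)
    return max(0.0, min(1.0, score))


# Step 4: roll-up. Bands and weights are hypothetical; the slide deck places a
# tactical tier between operational and strategic metrics, which this example skips.
OPERATIONAL_METRICS = [
    # (name, function, worst value, best value, weight)
    ("Mean Time To Containment (h)", mean_time_to_containment_hours, 24.0, 1.0, 0.6),
    ("Security Event True Positive Rate", security_event_true_positive_rate, 0.0, 1.0, 0.4),
]


def response_score(events: list) -> float:
    """Weighted roll-up of the operational metrics into a strategic Response Score (0..1)."""
    total_weight = sum(w for *_, w in OPERATIONAL_METRICS)
    return sum(
        normalise(fn(events), worst, best) * weight
        for _, fn, worst, best, weight in OPERATIONAL_METRICS
    ) / total_weight


def compare(score: float, target: float, reference: float) -> str:
    """Place a score against the utility's own target and an industry reference value."""
    vs_target = "meets target" if score >= target else "below target"
    vs_reference = "at or above reference" if score >= reference else "below reference"
    return f"{vs_target}, {vs_reference}"


if __name__ == "__main__":
    for name, fn, *_ in OPERATIONAL_METRICS:
        print(f"{name}: {fn(EVENTS):.3f}")
    score = response_score(EVENTS)
    # Constructed target (0.8) and reference (0.7) values for the dashboard comparison.
    print(f"Response Score: {score:.3f} ({compare(score, target=0.8, reference=0.7)})")
```

On the sample data the containment times are 2.5 h, 8 h and 2 h (mean 4.17 h) and three of five events were real, so the roll-up lands just under a 0.8 target but above a 0.7 reference. The point of the normalise step is the "turn the data into numbers" requirement: a metric whose raw unit is hours and one whose raw unit is a ratio can only be summarised together once each has a defined worst and best band, and those bands are a policy decision that should be recorded alongside the formula so the score stays repeatable.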

Compliance Standards Driven Solutions

Project Objective
▪ This research can enable utilities and industry to identify, research and resolve technology challenges associated with the CIP Standards that may impede security or limit the application of innovative approaches.

Approach
▪ This project will develop Implementation Guidance for the CIP Standards to help resolve pressing issues that affect utility compliance with CIP standards. The research approach may include:
– Coordination with existing NERC technical committees
– Involvement with Regional Entity Compliance outreach conferences to discuss compliance challenges with members and other Registered Entities
– Develop an interest group made up of EPRI members to help develop, review and approve Implementation Guides for endorsement by NERC

Value
▪ Clear and unambiguous solutions to the CIP standards that are technical in nature and improve industry’s ability to apply the CIP Standards in a manner that addresses security and innovation.

Together…Shaping the Future of Electricity