Rhode Island Convention Center • Providence, Rhode Island
Energy Control Systems Cybersecurity Considerations
Track 4 Session 5
Daryl HaegleyOffice of the Assistant Secretary of Defense (Energy, Installations, & Environment)
August 10 2016
3
‘Smart’ Buildings, Energy Managers & Cyber Security
UNCLASSIFIED
‘SMART’ Buildings, Cars, Cities, and Beyond
Expanding Attack Surface DoD
DHS
Cyber Vulnerabilities in Power Grid
Power Plant(7300)
Trans. Subst.Distr. Subst.
15,700 stations642,000 miles
140,000 stations6,300,000 miles
Source: eia.gov
Market vulnerabilities
Internet-connected devices
Vulnerable protocols
Building automation
Smart grid
Conventional network attacks
Utility fiberInternetPower
Control Systems (CS)
Cyber vulnerabilities
Utility Headquarters(3200)
Utility Control Center
Balancing Authority(100)
Power Marketing Administration (4)
Regional Transmission Organization (15)
Wholesale power
market
Information Technologies (IT)
UNCLASSIFIED//FOUO
‐ Advanced Metering Infrastructure (AMI)‐ Building Automation Systems‐ Building Management Control Systems‐ CO2 Monitoring‐ Digital Signage Systems‐ Closed‐Circuit Television (CCTV) Surveillance Systems‐ Digital Video Management Systems‐ Electronic Security Systems‐ Emergency Management Systems‐ Energy Management Systems‐ Exterior Lighting Control Systems‐ Fire Alarm Systems‐ Fire Sprinkler Systems‐ Interior Lighting Control Systems‐ Intrusion Detection Systems‐ Physical Access Control Systems‐ Public Safety/Land Mobile Radios‐ Renewable Energy Geothermal Systems‐ Renewable Energy Photo Voltaic Systems‐ Shade Control Systems‐ Smoke and Purge Systems‐ Vertical Transport System (Elevators and Escalators)‐ Laboratory Instrument Control Systems‐ Laboratory Information Management Systems (LIMS)
Configuration options: ‐Stand‐alone / isolated
= not on DoD network ‐Connected directly to the Internet
= not on DoD network ‐Connected to DoD network
= could be on or isolated from NIPRNET
UNCLASSIFIED
Control Systems
Buildings
Electrical and HVAC
Medical
Operational EnergyWeapon Platforms
Pumps and Motors
ManufacturingTypical Controller
Same Commercial Control System Device Installed Across DoD Enterprise
NuclearVehicles/Charging
UNCLASSIFIED
7
What’s in Your Building?
50,000
40,000
30,000
20,000
10,000
0
Info SysSECURITY
Independently Managed, Resourced, Tech-refreshed
Advanced Metering Infrastructure
Building Automation System Building Management Control CCTV Surveillance System CO2 Monitoring Digital Signage Systems Electronic Security System Emergency Management
System Energy Management System Exterior Lighting Control
Systems Fire Alarm System
Fire Sprinkler System
Interior Lighting Control
Intrusion Detection Land Mobile Radios Renewable Energy
Photo Voltaic Systems
Shade Control System
Smoke and Purge Physical Access
Control Vertical Transport
System (Elevators and Escalators)
# devices
Control Systems
UNCLASSIFIED
Current Obstacles
8
• Not considered / managed like Information Systems
• Cyber Tech buy, refresh unplanned & unfunded
• Neither CIO nor Facility Managers are trained or staffed to manage CS cyber security
• Defense‐wide vulnerability alerts / patch management procedures in progress
• Many vendors emerging ‐ need sensor strategy for CS networks
"We can't solve problems by using the same kind of thinking we used when we created them." A Einstein
UNCLASSIFIED
9
Relevant Policies via OASD EI&E Website http://www.acq.osd.mil/eie/IE/FEP_CSC.html
• RMF KS Portal https://rmfks.osd.mil/login.htm
• GRASSMARLIN passive network mapping tool = https://github.com/iadgov/GRASSMARLIN
• DHS ICS CERT CSEThttps://www.us-cert.gov/forms/csetiso
• DoDI 8500.01 Cybersecurity 14Mar14http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
• DoDI 8510.01 Risk Management Framework 12Mar14http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
• DoDI 8530.01 Cybersecurity Activities Support to DoD Information Network Operations 7Mar16http://www.dtic.mil/whs/directives/corres/pdf/853001p.pdf
• NIST SP 800-82r2 Guide to Industrial Control Systems (ICS) Security May15http://csrc.nist.gov/publications/PubsDrafts.html#800-82r2
• Register for notification of specific threats and cyber vulnerabilities affecting control systems through the DHS ICS CERT secure portal https://ics-cert.us-cert.gov/alerts
UNCLASSIFIED
Recent Cybersecurity Rules Applying to Control Systems
10
ASD EI&E Memo 31 Mar’16
• Affirms "the system owners/operators are accountable for the system’s operational resilience and defense posture, to include cybersecurity and are responsible for securing their IT networks, systems and devices"
• Directs “staffs develop plans identifying the goals, milestones and resources needed to identify, register, and implement cyber security controls on DoD facility‐related Control Systems under your cognizance”
Plans due 31Dec’16; implement cybersecurity controls on most critical facility‐related control systems by end FY19
UNCLASSIFIED
12
System & Device Ownership…
Which Do You Depend Upon More? Which Do you Own?
250,000IntrusionAttemptsPer / hr
???,000IntrusionAttemptsPer / hr
UNCLASSIFIED
13‘Cyber-Landscape’ Needs to Include Control Systems
OFFOFF OFF
DelaysDown Systems
COMMSOUT
LATE TO THE FIGHT
LOGISITCS PROBLEMS
CYBER ATTACK
Mission Dependency AnalysisUNCLASSIFIED
NDAA Language “Cybersecurity Risk to DoD Facilities”
DoD facilities transitioning to smart buildings; increased connectivity has increased threat and vulnerability to cyber‐attacks, particularly in ways existing DoD regulations were not designed to consider. Therefore, SECDEF deliver a report: (1) Structural risks inherent in control systems and networks, and potential consequences associated
with compromise through a cyber event; (2) Assesses the current vulnerabilities to cyber attack initiated through Control Systems (CS) at DoD
installations worldwide, determining risk mitigation actions for current and future implementation; (3) Propose a common, DoD‐wide implementation plan to upgrade & improve security of CS and
networks to mitigate identified risks; (4) Assesses DoD construction directives, regulations, and instructions; require the consideration of
cybersecurity vulnerabilities and cyber risk in preconstruction design processes and requirements development processes for military construction projects; and
(5) Assess capabilities of Army Corps of Engineers, Naval Facilities Engineering Command, Air Force Civil Engineer Center, and other construction agents, as well as participating stakeholders, to identify and mitigate full‐spectrum cyber‐enabled risk to new facilities and major renovations.
CS include, but are not limited to, Supervisory Control and Data Acquisition Systems, Building Automation Systems Utility Monitoring and Energy Management and Control Systems. Such report shall include an estimated budget for the implementation plan, and delivered no later than 180 days after the date of the enactment of this Act.
UNCLASSIFIED
15
8-star letter!
‐ Include CS in scorecard
‐ Invest in detection tools
‐ 7x cyber incidents
UNCLASSIFIED
UFC Objectives
1. Define new Design and Construction Methodology to apply RMF & NIST SP 800-82 ICS Security Guide
2. Define IT / CS Reference Architecture as it applies to Control Systems
3. Verify controls @ 50-75% construction: conduct Factory Acceptance Testing (FAT) of major components
4. Verify controls @ 100% construction complete: conduct Site Acceptance Testing (SAT)
Final Version by 30 August ’16
UNCLASSIFIED
Building LevelBase Level
Regional / Enterprise
Level
• Generators for individual critical facilities
• Power plants, peaking plants, and combined heat and power (CHP) plants for multiple installation-level loads
• Large-scale renewable energy where viable to provide base load
Energy Consumption DataUNCLASSIFIED
T or F: “All Energy Data is UNCLAS”
Usage orCriticality?
19
Medical treatment facilities Weapon systemsAir navigation aids and facilities Security lighting systemsRefrigerated storage rooms Aircraft and aircrew alert facilitiesPOL storage and dispensing facilities Law enforcement and security facilitiesCritical utility plants and systems Emergency operations centers (EOCs)
Civil engineer control centersMission, property, and life support facilities at remote and not readily accessible sites, such as split‐site aircraft warning and surveillance installations
Communication facilities and telephone exchanges Industrial facilities that have noxious fumes requiring removal ‐provide power for exhaust system only
Fire stations, including fire alarm, fire control, and radio equipment
Readiness facilities relying on electrical power to support tactical or critical missions
Critical computer automatic data processing facilities Photographic laboratories providing critical and essential support to combat and contingency tactical missions
Air traffic control towers Other facilities, including facilities required for emergency response, approved by the Authority Having Jurisdiction (AHJ). Note: Some installations have contingency plans in place that transfer the function to an alternate location in the event something disrupts the operation of a single facility for emergency response
Base weather stations
Surveillance and warning facilities
Command and control facilities
Mission Functions Requiring Emergency Generators
UNCLASSIFIED
20
DoD Critical Infrastructure Security Information
• “’DoD critical infrastructure security information‘
– Sensitive but unclassified information that, if disclosed, would reveal vulnerabilities in DoD critical infrastructure that, if exploited, would likely result in the significant disruption, destruction, or damage of or to DoD operations, property, or facilities
– Include information related to critical infrastructure or protected systems owned or operated by or on behalf of the DoD, including vulnerability assessments prepared by or on behalf of the DoD, explosives safety information (including storage and handling), and other site-specific information on or relating to installation security."
UNCLASSIFIED
Operational ServerNetwork Time Synch Access Control System Firewall Appliance Network Switches Monitor/Keyboard/MouseVirtualized Server HostIntrusion detection/preventionStorage Area Network (SAN)Uninterruptable Power Supply
Real Property Installed Equipment (RPIE)
FACILITY POINT O
F CO
NNECTIO
N
ENERGY M
ONITO
RING and CO
NTRO
L SYSTEM
SCADADDC
AMI Meter
Electrical System Protective Relay Camera
Utility system monitoring camera
Sensors
Actuators
Ethernet Radio(only EMCS traffic)
Control Center (The Building)
Supervisory Controller
Computers
Internal Use Software on Serversand network components
Installation Router aka: Network Device
BUILD
ING / U
TILITY CO
NTRO
L SYSTEMPartof
thefacility’s
PRC
Personal Property / Collateral Equipment
Supervisory Control andData Acquisition
Direct Digital Controls
Ethernet Radio
Internal Use Software on DDC components
Real Property
Sensors
Actuators
Internal Use Software on SCADA components
Supervisory Controller
Ethernet Radio(only EMCS traffic)
Communication LinesLinear Structure Asset (only EMCS traffic)
Supervisory Controller
Key
UNCLASSIFIED
System / Device Accountability
24
“My Control Systems are Secure…”
https://threatpost.com/91‐percent‐of‐public‐facing‐ics‐components‐are‐remotely‐exploitable/119142/
Kaspersky Lab report: “Industrial Control Systems and Their Online Availability,” discovered 188,019 hosts with ICS components, spread across 170 countries
UNCLASSIFIED
Discovered Via Shodan – Now Resolved• Military Base -TridiumNiagara -24.172.231.zzz• Military HQ -24.35.199.zzz• Joint Military Base -98.174.214.zzz • VA Care Center -65-100-130-zzz.static.net• VA Medical Center 184-81-84-3.t1.ccctel.net• West Point Alumni Center -63.138.199.zzz• Military Hospital -68.14.208.zzz• Military Base Fuel Cell -96.35.177.zzz• Military Base Headquarters -96.35.177.zzz• Military Base Squadron Operations -96.35.177.zzz• Military Base Hangar -96.35.177.zzz • Military Base General Maintenance Facility -96.35.177.zzz• Military Base Multipurpose -96.35.177.zzz• Military Base Civil Engineering -96.35.177.zzz• Military Base Supply -96.35.177.zzz • Military Base Vehicle Maintenance -96.35.177.zzz• Military Base Flight Simulator -96.35.177.zzz• Military Base Deployment -96.35.177.zzz• Military Base ENT Server -96.35.177.zzz• Military Base 1860 -166.248.228.zzz
UNCLASSIFIED
30
DoD IG Audit
• “Determine whether DoD is implementing cybersecurity controls to protect, detect, counter and mitigate potential cyber attacks on control systems supporting DoD critical missions / assets.”
• Visit 5 Sites: Aug-Nov’16• Discussion draft: Dec’16• Draft report: Feb’17• Final report: Apr’17
UNCLASSIFIED
Cyber Threat Focus Toward Energy Systems
Source: DHS ICS‐CERT FY14 Annual Report
Energy32%
Critical Manufacturin
g27%
Communications6%
Commercial Facilities
3%
Chemical2%
Unknown2%
Water6%
Transportation5%
Nuclear2%
Information Technology
2%
Health Care6%
Government Facilities
5%
Food & Ag1%
Finanace1%
Major Incidents Reported in FY14
UNCLASSIFIED
33
Facilities Energy ManagementCompetencies
• Building Systems and Technology Solutions
– Apply fundamentals of building energy systems & facility management technologies to support compliance with applicable energy codes, Federal requirements, & professional standards.
• 6.A Collaborate with stakeholders on the planning and design of sustainable building systems to optimize building performance while balancing human and mission needs.
• 6.B Serve as subject matter expert on current technologies, codes and regulations to identify, evaluate, and recommend technologies and/or energy reduction solutions.
• 6.C Interact with the energy management community and provide lessons learned/best practices on operational and financial performance of technologies.
• 6.D Collaborate with Information Assurance / Cyber Security personnel to ensure Industrial Control Systems comply with DoD Information Technology requirements.
• 6.E Advise on technical design standards specific to the installation to provide designers with project sustainability guidelines.
• 6.F Support emerging technologies and innovative acquisition strategies, if and where appropriate, to expedite technology adoption and advance energy performance.
Very Limited Cyber Role – How Much is Enough?
UNCLASSIFIED
34
Solutions / Discussion
• Build cyber security into your smart building network design criteria
• Ensure awareness of cyber security policies and standard operating procedures
• Collaborate with all relevant stakeholders & contractors
• Best practices & guidelinesRMF KS Portal
https://rmfks.osd.mil/login.htm
Daryl Haegley 571‐372‐[email protected]
UNCLASSIFIED
35
Industrial Security Advisory:Ransomware Masquerading as Allen-Bradley Update
• Rockwell Automation learned about malicious file called ‘Allenbradleyupdate.zip’
• NOT an official update from Rockwell Automation
• File contains ransomware malware that, if successfully installed and launched, may compromise the victim’s computer
UNCLASSIFIED