NERC CIP in the Real World on a Real Budget
11/11/16 Page 1 Energy Automation
Authors: Eric Stranz, Business Development Manager, Siemens; Stefan Nohe, Subject Matter Expert, Siemens; Dr. Chan Wong, PhD, Standards Engineering, Entergy
Utilizing Cost Saving Ethernet Technologies in Compliant Architectures
Motivation
NERC CIP – Cyber security for TSO and Generation
• Generation / DER: Misuse of local administrative rights
• Distribution and Transmission: Substation configuration is manipulated via local network, wireless or remote access
• Operation: Unauthorized remote service access
• Market: Fraud based on falsified offers and contracts (customers, utilities, DNOs, …)
• Customer: Consumer behavior tracking, e.g., through smart meters; fraud through smart meter manipulation
Focus of Paper: Implement Technologies in Compliant Architectures
Station Level

Possible Attackers:
• Countries
• Criminal organizations
• Script kiddies
• Insider
• Spoofing
• Malware
• Viruses
• …

[Diagram: Control Center Level, Station Level (Substation Control Zone with Substation HMI, Substation Data Collector & Controller and a 3rd-party device) and Field Level. Threat paths shown: remote access, attacks via internet, malware, misuse of access rights, unauthorized access to network. IEC 61850 traffic: Station Bus MMS (data collection & controls), Process Bus Sampled Values (currents / voltages) and GOOSE (virtual wires).]
Cost Saving Technologies
IEC-61850 MMS – Station Bus
[Diagram: IED1–IED4 from Vendors W, X, Y and Z, each controlling CB1–CB4; 61850-MMS communications, routable Layer 3.]
Data Communication using 61850 – Station Bus: Peer-to-peer communications
[Diagram: IED1–IED4 (Vendors W, X, Y, Z) and CB1–CB4 exchanging GOOSE (Generic object oriented system-wide events) multicast messages; non-routable Layer 2.]
Process Bus 61850-9-2
[Diagram: Station Bus above, Process Bus below. The Process Bus carries multicast messages, non-routable Layer 2; hardwired I/O from CTs and PTs enters 61850 9-2 merging units, which connect over fiber optic.]
Network Segmentation – Process and Station Bus Networks
CIP 5 Standards Consolidated FAQ, Oct. 2015, #23:
IEC 61850 is not a data link or network layer protocol, thus declaring IEC 61850 to be a routable or non-routable protocol is not appropriate. Time-critical messages, such as GOOSE messages for direct inter-bay communication, typically run on a flat Layer 2 network without the need for Layer 3 IP addresses.
IEC 61850 Deterministic Concepts – GOOSE Mechanism
Sequence Number: 1045, State Sequence: 25
Sequence Number: 1046, State Sequence: 25
Sequence Number: 1047, State Sequence: 25
Sequence Number: 0, State Sequence: 26 (starts a new sequence when the status changes)
Sequence Number: 1, State Sequence: 26
Sequence Number: 2, State Sequence: 26
Sequence Number: 3, State Sequence: 26
Sequence Number: 4, State Sequence: 26
A well-designed substation system can determine the health of the network by monitoring sequence or state alarms and indications, giving fast network diagnosis.
IEC 61850-9-2 Sampled Values operates in a similar manner.
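As an added example (not from the presentation), the following Python monitor applies the stNum/sqNum rule shown above to a stream of GOOSE headers and raises the "sequence or state" indications a defender would watch: lost retransmissions, replayed frames and missed state changes, tracked per control block. The control block reference and the fault frames are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GooseMonitor:
    """Tracks (stNum, sqNum) per GOOSE control block and records alarms.
    Rule from the slide: retransmissions increment sqNum by one; a status
    change increments stNum and resets sqNum to 0 (counter wrap not handled)."""
    last: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # gocbRef -> (stNum, sqNum)
    alarms: List[str] = field(default_factory=list)

    def observe(self, gocb_ref: str, st_num: int, sq_num: int) -> str:
        """Classify one frame header; returns a short verdict string."""
        prev = self.last.get(gocb_ref)
        self.last[gocb_ref] = (st_num, sq_num)
        if prev is None:
            return "first"                       # no baseline yet
        p_st, p_sq = prev
        if st_num == p_st:                       # same state: retransmission
            if sq_num == p_sq + 1:
                return "ok"
            if sq_num <= p_sq:                   # stale or duplicated frame
                return self._alarm(gocb_ref, f"replay: sqNum {sq_num} after {p_sq}", "replay")
            lost = sq_num - p_sq - 1
            return self._alarm(gocb_ref, f"gap: {lost} frame(s) lost after sqNum {p_sq}", "gap")
        if st_num == p_st + 1:                   # expected state change
            if sq_num == 0:
                return "state-change"            # the event message itself
            return self._alarm(gocb_ref, f"missed sqNum 0 of stNum {st_num}", "missed-event")
        if st_num < p_st:                        # older state replayed
            return self._alarm(gocb_ref, f"replay: stNum {st_num} after {p_st}", "replay")
        return self._alarm(gocb_ref, f"skipped stNum {p_st + 1}..{st_num - 1}", "state-gap")

    def _alarm(self, gocb_ref: str, msg: str, verdict: str) -> str:
        self.alarms.append(f"{gocb_ref}: {msg}")
        return verdict


def run_sequence(frames: List[Tuple[str, int, int]]) -> Tuple[List[str], List[str]]:
    """Feed (gocbRef, stNum, sqNum) headers through a fresh monitor."""
    mon = GooseMonitor()
    return [mon.observe(*f) for f in frames], mon.alarms


# The sequence shown on the slide; the control block reference is constructed.
SLIDE_FRAMES = [("IED1/LLN0$GO$gcb01", st, sq) for st, sq in
                [(25, 1045), (25, 1046), (25, 1047), (26, 0), (26, 1), (26, 2), (26, 3), (26, 4)]]

if __name__ == "__main__":
    print(run_sequence(SLIDE_FRAMES))            # healthy stream: no alarms
```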
Cost Savings and other benefits with Ethernet Technologies
• Up to 40% cost savings with Sampled Values technology within a substation compared to a traditional copper installation (based on a 12-feeder installation)
• IEC-61850 GOOSE reduces copper interconnectivity between devices, which results in significant savings in some installations
• Templates and reusable engineering make IEC-61850 an attractive option
• Physical security and communications security are required regardless of technology.
Is NERC CIP Compliance too difficult to even consider these technologies?
1.) Assess station designations based on CIP-014-01 (4.1.1.2)
2.) Define the (BES) Cyber System (formerly Critical Cyber Assets)
3.) Define Physical Security Perimeter (PSP)
4.) Define Electronic Security Perimeter(s) (ESP)
5.) Provide a Cyber Security Framework to Cyber Assets per CIP Standards
6.) Define Electronic Access Points into ESP(s)
In Version 5, NERC now allows for multiple ESPs and does not restrict the ESPs to the 6-wall approach.
Physical & Cyber Security
• The physical security requirements
  • Need for authentication before entrance of station
  • Recognize and alarm in case of unauthorized access
  • Protection against unauthorized access
• Cyber security
  • Mitigate misuse of access rights
  • Authentication of access
  • Prevents outside threats and attacks on infrastructure
Normal NERC CIP Applicable Substations Should Already Include Physical Security Measures
Two-Factor Authentication (something you know, something you are, something you have)
Card Scanners, Cameras, Authentication Systems typically are already in place for a NERC CIP Station
The FERC Order No. 706, Paragraph 572, directive discussed utilizing two or more different and complementary physical access controls to provide defense in depth.
ESP at the Control House
[Diagram: ESP at the control house. Camera, keypad and card scan at the door provide 2-factor authentication; card scan to retrieve key for breakers; door switch triggers alarm where camera monitors activity. Layer 2 communications only.]
ESP at the Control House
[Diagram: Electronic Security Perimeter around the control house with an Electronic Access Point; direct connection to device (segregated networks from Process Bus); communications supervision; merging units with all IP services turned off, pure Layer 2 only communications.]
ESP at the Substation Fence
[Diagram: ESP at the substation fence. Camera, keypad and card scan at the gate and at the control house provide 2-factor authentication; card scan to retrieve key for breakers; door switch triggers alarm where camera monitors activity. Layer 3 or Layer 2 communications inside the fence.]
Securing the Network
[Diagram: encrypted communications to enterprise applications; traffic limit firewall with authentication; communications supervision of merging units; unused ports disabled.]
CIP-007-5 Table R1
Even ports used for testing must be disabled at the time of putting the system into service.
Intrusion Prevention Systems (IPS)
Any product that prevents hackers' access to the network and can take immediate action on the threat
• Reactive
• Can drop the malicious packets
• Block traffic from the source
• Reset the connection
• Firewalls, anti-virus, malware tools
[Diagram: antivirus and malware tools (IPS) and a firewall (IPS), each logged per CIP-007-5.]
Intrusion Detection Systems (IDS)
Any product that can detect an intrusion into the network and report or alarm this detection to a management station
• Passive
• Monitors signatures
• Alerts operators
• Creates reports
[Diagram: Network-Based Intrusion Detection Systems (NIDS) reporting to a NIDS server, and Host-Based Intrusion Detection Systems (HIDS); both show "Intrusion Detected – Analysis of Intrusion…".]
CIP-007-5 Table R1
• Security patch update within 35 days of update release
• Updated LDAP → Active Directory: within 24 hrs of termination; within 7 days of leaving the position
White List and Logging (CIP-007-5 Table R1)
White List: 1.) Bobby-Joe 2.) Billy-Bob
Jim-Bob (not on the white list):
Operations Log: 10:30 AM 3/17/14 Invalid Login attempt – Jim-Bob
Billy-Bob (on the white list):
Operations Log: 10:30 AM 3/17/14 Logged In – Billy-Bob
Operations Log: 10:30 AM 3/17/14 Changed Relay Settings – Billy-Bob
Turn off all non-critical IP ports
Turn off all non-critical services

Best Practices
- Classify BES Cyber Systems and Assets per V5 requirements
- Segment your networks
- Secure unused ports and services
- Implement malware and virus protection
- Passwords should comply with "complex" requirements
- Firewall settings properly set
- Implement Intrusion Detection and Prevention Systems
- Electronic Access Points to the Substation should be encrypted
- Provide application control software wherever possible
Thank you for your attention!