IEEE Power and Energy Society New Orleans Chapter Lunch Tech Talk
19 Sept 2016
Copyright 2016, Cybirical, LLC. All rights reserved. www.cybirical.com

Power Systems Cybersecurity: Why, what are we missing, and when is it enough?
Nathan Wallace, PhD, [email protected]@ieee.org, @NathanSWallace
Overview
• Why: state of affairs (grid and cyberspace); cybersecurity => safety; misconceptions and challenges
• What are we missing: cyber-aware devices and systems
• When is it enough: your thoughts?
80–90% of the grid's cyber assets fall outside NERC-CIP.
Most violated standards: NERC-CIP and NERC-PRC.

Cybirical, 2006 to 2015
2006
• Licensed engineering firm
• Substation engineering; relay/SCADA/communication; T&D line engineering
• EPC / design-build / turnkey; project development
2015
• Licensed engineering firm
• Cyber design engineering; risk assessments; vulnerability and patch management
• Internal cybersecurity research; patent-pending efforts
Creating a safe, secure, and reliable grid
Threads: engineering services; cyber asset management

Security (the IEEE relay definition, with "cyber device or system" substituted for "relay or relay system"): "The facet of reliability that relates to the degree of certainty that a relay or relay system will not operate incorrectly."

Threat sources: nation states, hackers, vendors, intentional insider, accidental insider, misconfiguration => cyber security
Cybersecurity = Physical + EMI + Digital [Computing & Communications]
[Figure: Two infrastructures, physical and cyber. Generation, transmission and distribution serving residential, industrial and commercial customers, overseen by the control center, the distribution control center and the RTOs/ISO.]
State of Affairs: The Grid
[Figure: conceptual grid model with markets, operations and service provider domains above generation, transmission, distribution and customer; monitoring points and control points linked by communication, the CYBER layer.]
State of Affairs: The Grid

                Northeast Outage 2003   Arizona Outage 2007   FPL Outage 2008   Ukraine Attack (Dec 2015)
Load lost       61,800 MW               400 MW                4,300 MW          230,000 customers
Intent          Unintentional           Unintentional         Unintentional     Intentional
Cyber           Yes                     Yes                   Yes               Yes
Computational   (row values not recovered)

The point of the table: three of the four major events were unintentional, yet every one had a cyber (computing and communication) element.
State of Affairs: Cyberspace & Cyberwar (http://hp.ipviking.com/)
• Average price per 0-day: USD $40,000–$160,000
• Average number of days a 0-day remains private: 151 days
• Average number of days until a patch is issued: 120 days
• Average number of newly created malware samples per day: 300,000
• Average dwell time until detection: 205 days
State of Affairs: Cyberspace & Cyberwar
"Global Cyber Weapon Market Expected to Reach USD 522 billion in 2021."
- Global Newswire, 2015, Transparency Market Research report

Cybersecurity => Safety
• "21 Lines of Code" / Aurora generator test
• Distribution system operator
• Virtual power plant
Common Misconceptions
• We are not a target. (Ipviking, Shodan, ICS-CERT, foreign FTP servers)
• Minimum security needed, we are low impact. (Ukraine, changing standards, state regulations)
• We are not connected to the Internet. (Stuxnet, reporting capacity to RTO, firewalls)

Challenges
Misconception: We are not a target. (Ipviking, Shodan, ICS-CERT)
[Chart: ICS-CERT reported incidents per year, 2012 through 2015; y-axis 0 to 350 incidents]

Misconception: We are not a target. (Foreign FTP servers)
Source: AP investigation, "US Power Grid Vulnerable to Foreign Hacks," Dec. 21, 2015
• Seven file (FTP) servers with no authorization
• ~20,000 files on generation, transmission and distribution systems "from New York to California"; 71 generation plants
• Passwords, electrical drawings, communication drawings (IP addresses, protocols), etc.
• File servers contained malicious code
• "Digital clues pointed to foreign hackers."
Misconception: Minimum security needed, we are low impact. (Ukraine)
Dec 23, 2015: 30 stations de-energized
• 7 110 kV stations, 23 35 kV stations
• ~3 to 6 hours to re-energize
• 230,000 customers impacted
• Telephone denial of service
• Breached 6 months prior
• Altered firmware at substations
• "We were blinded"
• Control center operators still operating in recovery mode
Source: E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power Grid, March 18, 2016
Misconception: Minimum security needed, we are low impact. (Ukraine, changing standards, state regulations)
Timeline, voluntary track and mandatory track:
Voluntary
• 2000: first IEEE substation security standard
• 2002: NERC Physical Security Guidance
• 2010: Stuxnet discovered
• Apr 2013: Metcalf attack
• Dec 2015: Ukraine
Mandatory
• 2005: Energy Policy Act
• 2006–2007: FERC designates NERC as the ERO (2006); reliability standards become mandatory and enforceable (2007)
• 2010: NERC updates Asset ID, CIP-002 v4
• 2012: FERC approves Asset ID, CIP-002 v4
• 2015: NERC Asset ID, CIP-002 v5.1, effective
• 2017: FERC to approve NERC CIP v7
• NERC Physical Security v3 (year not recovered)
Misconception: We are not connected to the Internet. (Stuxnet, reporting capacity to RTO, firewalls)
• Aug 13th (2016): release of 0-day vulnerabilities that had been kept by a government agency (Cisco, Juniper, etc.)
Challenges: No Longer Can Set It and Forget It
[Figure: typical utility network. HMI, engineering workstations, EMS servers, SCADA historian and LDAP/RADIUS servers on the control center area network, connected over leased line, phone, fiber, DSL or cable to substations/switchyards 1 through N.]
Challenges: Complexity
Power grid vs. space station; TV vs. integrated circuit.

Third-party software modules (partial list from the slide):
GDB server, http_server, bzip2, openldap, openssh, openssl, openvpn, postgresql, proftpd, ntp, sssd, d-bus, libevent, libcap, kerberos, e2fsprogs, expat, fcgi, systemd, glib, glibc, iproute2, libarchive, curl, libpng, linux-pam, wireshark, util-linux, tcpdump, jplayer, udev, strace, samba, pypam, pyopenssl, pygresql, pycrypto, mako, beaker, paramiko, net-snmp, mgetty, nano, bash, Python, cracklib, ...
45 of the ~120 third-party software modules were found to be vulnerable.
What are we missing: Cyber Risk Management
Components: authorization; accountability; incident response planning; vulnerability management; patch/firmware management; cyber engineering; security monitoring.
Cyber Risk Management: Authorization
Devices
• Robust and secure network design
• Device configuration
• Device and system checkout/commissioning
People
• Who (operators, vendors, contractors, ...)
• What (devices, roles and responsibilities)
• When (date, time, duration)
• How (FTP, Telnet, web, serial, TCP/IP)

Cyber Risk Management: Accountability
Devices
• Configured to record and report (via HMIs, syslog, DC contacts, email)
Vendors
• Active vulnerability discovery and patching process
• Secure design and code
• Built-in security features
People
• Unique users
• Appointed security personnel
Cyber Risk Management: Vulnerability Management
CVE-2016-4524. Summary: ABB PCM600 before 2.7 improperly stores IEC 61850 passwords, allowing users to gain access to controlled IEDs. Published: 06/09/2016. Criticality (CVSS): 6.5
CVE-2016-5814. Summary: Rockwell Automation RSLogix 500 and RSLogix Micro PLC software allow a buffer overflow condition, enabling code execution when opening malformed settings. Published: 09/15/2016. Criticality (CVSS): 8.6
CVE-2016-2310. Summary: GE ML800, ML1200, ML2400, ML810, ML3000 and ML3100 switches have hardcoded credentials, which allow attackers to remotely modify configuration settings. Published: 06/10/2016. Criticality (CVSS): 9.8
WhatarewemissingCyberRiskManagement
IEEEPowerandEnergySocietyNewOrleansChapterLunchTechTalk
09/19/2016
Copyright2016,Cybirical,LLCAllrightsreserved.
www.cybirical.com11
Cyber Risk Management: Patch/Firmware Management
SEL-2241-R133-V0-Z001001-D20141103. Summary: Resolved a vulnerability in OpenSSL that could allow unauthorized access.
SEL-735-R115-V0-Z008005-D20150519. Summary: Corrected an issue where the meter restarted or stopped operating during file transfers in the presence of a saturated network.
SEL-3530-R136-V0-Z001001-D20160624. Summary: Updated SSH client and server to address CVE-2013-4421 and CVE-2013-4434. CVE-2013-4421: allows remote attackers to cause a DoS.
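The release notes above only help if someone compares them against what is actually installed. As an added example (not code from the talk, from Cybirical or from SEL), the following Python script parses firmware identifiers in the SEL-part-Rrev-Vver-Zcode-Ddate layout shown on the slide and flags inventory devices whose installed revision is older than a release that fixes a security issue. The field layout is read off the three identifiers above; the assumption that a higher R number for the same part number is a newer build, the device inventory and the asset names are constructed for illustration.

```python
"""Firmware-revision gap check for SEL-style firmware identifiers.

Added example, not from the talk or from SEL.  Assumptions (constructed):
  - a firmware identifier looks like SEL-<part>-R<rev>-V<ver>-Z<code>-D<yyyymmdd>,
    as the three release notes on the slide do;
  - for the same part number a higher R number is a newer build;
  - the inventory below is hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

FID_RE = re.compile(
    r"^SEL-(?P<part>\d+)-R(?P<rev>\d+)-V(?P<ver>\d+)-Z(?P<zcode>\d+)-D(?P<ymd>\d{8})$"
)


@dataclass(frozen=True)
class Fid:
    part: str      # SEL part number, e.g. "3530"
    rev: int       # R number, the firmware revision
    ver: int       # V number
    zcode: str     # Z code (kept as text, not compared)
    built: date    # D field, the build date


def parse_fid(text: str) -> Fid:
    """Parse one firmware identifier; raise ValueError on anything else."""
    m = FID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an SEL firmware identifier: {text!r}")
    ymd = m["ymd"]
    return Fid(m["part"], int(m["rev"]), int(m["ver"]), m["zcode"],
               date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:])))


# The three security-relevant release notes quoted on the slide:
# (identifier, one-line reason, CVEs named in the note).
SECURITY_RELEASES = [
    ("SEL-2241-R133-V0-Z001001-D20141103",
     "OpenSSL vulnerability that could allow unauthorized access", []),
    ("SEL-735-R115-V0-Z008005-D20150519",
     "meter restarted or stopped during file transfer on a saturated network", []),
    ("SEL-3530-R136-V0-Z001001-D20160624",
     "SSH client/server update", ["CVE-2013-4421", "CVE-2013-4434"]),
]

# Constructed inventory: asset tag -> installed firmware identifier.
INVENTORY: Dict[str, str] = {
    "RiverRoad-RTAC-1":  "SEL-3530-R132-V0-Z001001-D20150301",
    "RiverRoad-2241-1":  "SEL-2241-R134-V0-Z001001-D20150610",
    "Cypress-735-Meter": "SEL-735-R110-V0-Z008005-D20140105",
    "Cypress-RTAC-2":    "SEL-3530-R136-V0-Z001001-D20160624",
}


def patch_gaps(inventory: Dict[str, str], as_of: date) -> List[dict]:
    """One finding per device running an R number below a security release
    for the same part number.  `as_of` dates the exposure window."""
    fixes = [(parse_fid(fid), why, cves) for fid, why, cves in SECURITY_RELEASES]
    findings = []
    for asset, installed_text in sorted(inventory.items()):
        installed = parse_fid(installed_text)
        for fixed, why, cves in fixes:
            if fixed.part == installed.part and installed.rev < fixed.rev:
                findings.append({
                    "asset": asset,
                    "part": f"SEL-{installed.part}",
                    "installed": f"R{installed.rev} ({installed.built.isoformat()})",
                    "required": f"R{fixed.rev} ({fixed.built.isoformat()})",
                    "days_since_fix_released": (as_of - fixed.built).days,
                    "reason": why,
                    "cves": cves,
                })
    return findings


def report(as_of_iso: str = "2016-09-19") -> List[dict]:
    """Run the gap check over the constructed inventory as of the given date."""
    return patch_gaps(INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in report():
        print(f"{f['asset']:18} {f['part']:9} installed {f['installed']}, "
              f"needs {f['required']} ({f['days_since_fix_released']} days ago): "
              f"{f['reason']} {' '.join(f['cves'])}")
```

Run as-is it reports the RTAC at River Road (R132, needs R136 for the SSH CVEs) and the Cypress meter (R110, needs R115). The "days since fix released" column is the number that belongs in a risk register: a device still on a pre-fix revision 87 days after the vendor shipped the fix is a patch-management finding, not a vendor problem.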
Cyber Risk Management: Security Monitoring
HMI example, a cyber event as it would appear in the operator's alarm list:
  Phy Entry Alarm   River Road Sub.   09192016 1230

Cyber Aware Devices and Systems
Cyber Risk Management: Incident Response Planning
Devices
• Backups
• Configured and event-ready devices and systems
• Cyber lockout example
People
• Training
• Policies and procedures
• Digital forensics analysis
• Where to look...
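The Security Monitoring slide shows what a cyber event should look like on the HMI, and the incident response slide asks for devices that are event-ready and for a cyber lockout. The following Python monitor, an added example that is not code from the talk or from any vendor, ties the two together: it reads syslog-style lines from substation devices, turns a door contact opening outside a work order into the slide's "Phy Entry Alarm River Road Sub. 09192016 1230" line, flags a login that no work order covers, and on repeated failed logins from one source asserts a lockout action against that device. The message layout (an RFC 3164-style header followed by key=value pairs), the host and station names, the work-order table and the sample log are all constructed.

```python
"""Substation cyber-event monitor: syslog lines in, HMI alarms and a
cyber-lockout action out.

Added example, not from the talk or from any vendor.  Everything below is
constructed: the syslog message layout (BSD header followed by key=value
pairs), the host and station names, the work-order table and the sample
log.  The HMI alarm text follows the slide's own example line.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed host -> station mapping.
STATIONS = {"riverroad-rtac-1": "River Road Sub.", "cypress-rtac-2": "Cypress Sub."}

# Constructed work orders: station -> [(start, end, work order, technician)].
WORK_ORDERS = {
    "Cypress Sub.": [(datetime(2016, 9, 19, 8, 0), datetime(2016, 9, 19, 16, 0),
                      "WO-1042", "tech07")],
}

# Constructed sample log: a scheduled entry at Cypress, an unscheduled entry
# and login at River Road, then a Telnet password-guessing burst.
SAMPLE_LOG = """\
<14>Sep 19 09:00:30 cypress-rtac-2 io: point=DC_IN_03 name=CONTROL_HOUSE_DOOR state=OPEN
<14>Sep 19 12:30:00 riverroad-rtac-1 io: point=DC_IN_03 name=CONTROL_HOUSE_DOOR state=OPEN
<14>Sep 19 12:31:10 riverroad-rtac-1 auth: user=tech01 src=10.20.30.41 proto=SSH result=OK
<14>Sep 19 14:05:02 riverroad-rtac-1 auth: user=admin src=198.51.100.7 proto=TELNET result=FAIL
<14>Sep 19 14:05:09 riverroad-rtac-1 auth: user=admin src=198.51.100.7 proto=TELNET result=FAIL
<14>Sep 19 14:05:15 riverroad-rtac-1 auth: user=admin src=198.51.100.7 proto=TELNET result=FAIL
<14>Sep 19 14:05:20 riverroad-rtac-1 auth: user=admin src=198.51.100.7 proto=TELNET result=FAIL
"""


class Event(NamedTuple):
    when: datetime
    host: str
    app: str
    fields: Dict[str, str]


def parse_line(line: str, year: int = 2016) -> Event:
    """BSD syslog carries no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(when, m["host"], m["app"], dict(KV_RE.findall(m["msg"])))


class Monitor:
    """Turns device events into HMI alarm lines and, for brute-force logins,
    a cyber-lockout action (deny the source on that device)."""

    def __init__(self, work_orders, fail_threshold=3, window=timedelta(seconds=120)):
        self.work_orders = work_orders
        self.fail_threshold = fail_threshold
        self.window = window
        self.failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.locked = set()
        self.hmi_events: List[str] = []   # text lines for the HMI alarm list
        self.actions: List[dict] = []     # control actions asserted by the monitor

    def _work_order(self, station, when, user=None):
        for start, end, wo, tech in self.work_orders.get(station, []):
            if start <= when <= end and (user is None or user == tech):
                return wo
        return None

    def ingest(self, ev: Event) -> None:
        station = STATIONS.get(ev.host, ev.host)
        stamp = ev.when.strftime("%m%d%Y %H%M")
        if ev.app == "io" and ev.fields.get("state") == "OPEN":
            wo = self._work_order(station, ev.when)
            if wo is None:
                self.hmi_events.append(
                    f"Phy Entry Alarm {station} {stamp} point={ev.fields.get('point')}")
            else:
                self.hmi_events.append(f"Phy Entry {station} {stamp} (under {wo})")
        elif ev.app == "auth":
            key = (ev.host, ev.fields.get("src", "?"))
            if ev.fields.get("result") == "FAIL":
                q = self.failures[key]
                q.append(ev.when)
                while q and ev.when - q[0] > self.window:   # slide the window
                    q.popleft()
                if len(q) >= self.fail_threshold and key not in self.locked:
                    self.locked.add(key)
                    self.hmi_events.append(
                        f"Cyber Lockout {station} {stamp} src={key[1]} failed_logins={len(q)}")
                    self.actions.append({"host": ev.host, "action": "DENY_SRC", "src": key[1]})
            elif ev.fields.get("result") == "OK":
                user = ev.fields.get("user")
                if self._work_order(station, ev.when, user) is None:
                    self.hmi_events.append(
                        f"Unscheduled Login Alarm {station} {stamp} user={user} src={key[1]}")


def run(log_text: str, work_orders=WORK_ORDERS) -> Monitor:
    mon = Monitor(work_orders)
    for line in log_text.splitlines():
        if line.strip():
            mon.ingest(parse_line(line))
    return mon


if __name__ == "__main__":
    m = run(SAMPLE_LOG)
    print("\n".join(m.hmi_events))
    print(m.actions)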
Cyber Risk Management: Cyber Engineering
Design
• n-1 contingency for cyber
• Impact-driven understanding and prioritization of protective measures
• Incident response
Analysis
• Integrated security and configurations
• Enabled and context-driven monitoring, logging, and alarming
• Incident-ready devices and systems
• $$$ Reduces compliance costs $$$
What are we missing
Exhibit 4.1.1 Strategies for Achieving Energy Delivery Systems Cybersecurity
Vision: By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.
Strategies: Build Culture of Security; Assess and Monitor Risk; Protective Measures to Reduce Risk; Manage Incidents; Sustain Security Improvements

Milestones highlighted in the talk:
Near-term (0–3 years), by 2013
• 3.1 Capabilities to evaluate the robustness and survivability of platforms, systems, and networks
• 4.1 Tools to identify cyber events across all levels of energy delivery system networks
• 4.2 Tools to support and implement cyber attack response decision making for the human operator
Mid-term (4–7 years), by 2017
• 4.4 Real-time forensics capabilities
• 4.5 Cyber event detection tools that evolve with the dynamic threat landscape
Long-term (8–10 years), by 2020
• 2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains
• 3.5 Capabilities that enable security solutions to continue operation during a cyber attack
• 4.7 Capabilities for automated response to cyber incidents
[Figure: layered cyber-physical model of the grid. Business layer (requirements, regulations, incentives); life-cycle management layer (design, upgrades, operations, disposal); operations layer (monitor, control); cyber-physical layer (sensors, computing platform, models, power system state, controller); physical layer. Current models treat cyber and physical separately; the new model is a cyber-physical system (CPS) that also spans the physical and economic domains.]
What are we missing
What are we missing
Physical infrastructure (flow of power): protection and control
• Inputs: currents, voltages, impedance, status (open, close, lockout)
• Output: open/close breaker, +/- VArs
Cyber infrastructure (computation and communication): detection, processing, manipulation
• Inputs: topology, traffic flows, deep packet inspection, communication state, state of the physical power system
• Output: NOTHING!
When is it enough?
Safety?
http://hp.ipviking.com/
Questions?
Nathan Wallace, PhD, [email protected]@ieee.org, @NathanSWallace