Cyber security protection for synchrophasors and other grid systems
Monday, August 11, 2014
CCET - Husch Blackwell Webinar Series - July, August, Sept and Oct, 2014

TODAY'S WEBINAR


Discovery Across Texas: Technology Solutions for Wind Integration in ERCOT
A CCET Smart Grid Demonstration Project

Milton Holloway, Ph.D.
President & COO
CCET

[email protected]

electrictechnologycenter.com

Context: Continuing Investment in Wind Generation
(Chart: ERCOT Wind Capacity)

Context: CREZ* Build-out Completion

*Competitive Renewable Energy Zones: $7B cost, 3,589 miles of lines

Discovery Across Texas Project: ERCOT & Part of SPP

Discovery Across Texas - Project Team

CCET Demonstration Project: Discovery Across Texas

Seven Project Components:

I. Synchrophasor system with applications (ERCOT wide grid monitoring)
II. Security fabric demonstration for synchrophasor systems (demonstrated at Lubbock/TTU/RTC)
III. Utility-scale battery with companion wind farm (Lubbock/TTU/RTC)
IV. Pricing trials at Pecan Street (Austin)
V. Direct Load Control demonstration with dual communication paths (Dallas and Houston)
VI. Solar community monitoring (Harmony Community in Houston and Mueller Community in Austin)
VII. PEV fleet Fast Response Regulation Service demonstration (Fort Worth)

This material is based upon work supported by the Department of Energy under Award Number DE-OE0000194.

Disclaimer: "This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof."

CCET Demonstration Project: Discovery Across Texas

Polling Question

I. What is the probability in the next 10 years that a cyber attack will bring down more of the U.S. grid than has any natural disaster ever?

II. Answers:
a. <1%
b. 1-5%
c. 6-10%
d. 11-20%
e. >20%

Lorie Wigle
Vice President, General Manager IOT Security Solutions
McAfee, a Division of Intel Security

[email protected]

intelsecurity.com

History of Defining Architecture

– Inventor of the world’s most widely used computing architecture

– Defining countless standards used in everyday lives ranging from USB, WiFi, to IoT

– Top 10 Most Influential Brands in the World

Largest Dedicated Security Provider 

– Broadest security product coverage in the industry

– Complete portfolio focused upon security

– Leadership position in 6 of 8 Gartner Security Magic Quadrants

Delivering a Next Generation Security Architecture

– Defining innovative industry approaches for collaborative and adaptive security

– Introducing security integrations which are sustainable and broadly reaching

– Developing capabilities for new security paradigms in areas such as Software Defined Datacenter, Cloud, and IoT

Energy is a Cyber Target

(Chart: Incidents by Sector for fiscal year 2013, Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team. Sectors shown: Critical Manufacturing, Communications, Commercial Facilities, Water, Transportation, Nuclear, Information Technology, Government Facilities, Financial, Energy. Energy: 56%.)

2014: "Dragonfly" - US, EU

Polling Question

Critical infrastructure, including the electricity grid, in the U.S. today is…
a. At far greater risk from physical attack than cyber attack
b. Very well protected from cyber attack
c. Somewhat vulnerable given that attacks and attackers are constantly becoming more sophisticated
d. At grave risk because security is not a priority

“Operators of infrastructure, particularly energy infrastructure, often believe that their need to operate the infrastructure trumps the need to keep others from mis‐operating it.” SANS editor William Hugh Murray

Securing Critical Infrastructure

(Diagram: Harden the Device / Secure the Comms / Manage the Security)

Hardware-enhanced security + software & services key to achieve mission

Securing the Grid: NIST IR 7628 Guidelines

The Security Fabric (SF) is designed to address the NIST IR 7628 Guidelines:

1. Identity Management: Ensures the device identity is established genuinely.
2. Mutual Authentication: Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Authorization: Manages permission to proceed with specific operations.
4. Audit: Records noteworthy events for later analysis.
5. Confidentiality: Encrypts sensitive data for matters of privacy.
6. Integrity: Ensures that messages have not been altered and that they are non-repudiable.
7. Availability: Prevents denial of service attacks.

IT/OT Differences

(Diagram: security properties ranked by importance. Enterprise IT: Confidentiality, then Integrity, then Availability. Industrial Systems/OT: Availability, then Integrity, then Confidentiality.)

Challenges | Enterprise IT Security | Industrial Systems/OT
--- | --- | ---
Anti-virus | Common, widely used | Updates can cause unacceptable network delays
Patch Deployment | Regular, scheduled | Slow to deploy/test; unable to reboot
Network Communication | Standard protocols (IP/UDP) | Proprietary protocols (DNP/ICCP/Modbus)
Security Monitoring | Logs gathered, but reactive; requires based on issues | Logging only / monitoring for performance and availability
Vulnerability Management | "Find-fix" modus operandi for vulnerabilities | VM scans can destroy machines

Security Connected for Critical Infrastructure: End-to-End Situational Awareness and Management

Integrated Embedded Security…
• McAfee Deep Command, Application/Change Control/Whitelisting, encryption
• Wind River OS/Hypervisor/IDP security/encryption
• Intel HW-assisted security/encryption

with Secure Intelligence and Connectivity…
• Intel Intelligent Gateways
• IPS/Firewalls/TLS
• 3rd Party SIA Firewalls & Protocol Filters

Comprehensively Monitored & Managed
• McAfee ePolicy Orchestrator (ePO)
• McAfee Enterprise Security Management (ESM/Nitro/SIEM)

Applying Security to the Electricity Grid: Texas Synchrophasor Field Trial

Electric Power Group (EPG) is adding the security fabric to their synchrophasor products and deploying them at TTU.

Texas Tech University (TTU) is the site of the field trial:
• Synchrophasor deployment already in place at TTU under the CCET project
• Stand up parallel security-enhanced system
• Conduct testing

(Diagram: field trial platform. C37.118 data links between the PMUs, an Intelligent Synchrophasor Gateway and the EPG RTDMS Client; SC4CI components at each node; AAA via Kerberos/AD; McAfee ePolicy Orchestrator & Enterprise Security Manager (SIEM); McAfee Integrity Control.)

Security Connected for Critical Infrastructure: Texas Synchrophasor Field Trial Platform Details
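The field trial moves C37.118 synchrophasor data from PMUs through a gateway to the RTDMS client, and the security fabric's "Integrity" function must ensure that data is not altered on the way. The following added example (not from the webinar, EPG or McAfee) shows why the standard's own CRC cannot provide that: the frame's trailing CHK (CRC-CCITT, polynomial 0x1021, initial value 0xFFFF, as specified by IEEE C37.118) detects transmission errors but is trivially recomputed after a change, whereas a keyed HMAC appended by the gateway and checked by the client detects alteration. The HMAC wrapper, the key and the sample frame values are constructed for illustration.

```python
"""Added illustration (not from the webinar or any product it names).
C37.118 frames end in a CRC-CCITT CHK field (poly 0x1021, init 0xFFFF).
The HMAC-SHA256 wrapper below is a constructed example of a keyed
integrity check; it is not part of the standard."""
import hashlib
import hmac
import struct

def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used for the C37.118 CHK field (poly 0x1021, init 0xFFFF, no reflection)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def build_frame(idcode: int, soc: int, fracsec: int, payload: bytes) -> bytes:
    """Minimal C37.118 data frame: SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, payload, CHK."""
    framesize = 14 + len(payload) + 2          # 14-byte header + payload + 2-byte CHK
    body = struct.pack(">BBHHII", 0xAA, 0x01, framesize, idcode, soc, fracsec) + payload
    return body + struct.pack(">H", crc_ccitt(body))

def crc_ok(frame: bytes) -> bool:
    """True when the trailing CHK matches the frame contents (error detection only)."""
    return frame[0] == 0xAA and struct.unpack(">H", frame[-2:])[0] == crc_ccitt(frame[:-2])

def tag_frame(frame: bytes, key: bytes) -> bytes:
    """Gateway side: append an HMAC-SHA256 over the whole frame (constructed wrapper)."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()

def verify_tagged(blob: bytes, key: bytes):
    """Client side: return the frame if the HMAC and the CHK both verify, else None."""
    frame, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                             # altered in transit or wrong key
    return frame if crc_ok(frame) else None

def forge_payload(frame: bytes, new_payload: bytes) -> bytes:
    """Why CHK alone is not an integrity control: swap the payload and the CRC still checks out."""
    _sync, _ver, _size, idcode, soc, fracsec = struct.unpack(">BBHHII", frame[:14])
    return build_frame(idcode, soc, fracsec, new_payload)
```

A frame with a swapped payload and recomputed CHK passes crc_ok but fails verify_tagged, which is the property the field trial's integrity control has to deliver.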

ICS-ALERT-14-176-02: ICS-focused malware campaign that uses multiple vectors for infection (June 2014)

• Spam email: Mail GW and/or Whitelisting prevent malware execution on managed endpoints in the industrial space
• Exploit kits: Cannot execute due to Application Whitelisting and Configuration Mgmt
• Malicious updaters from compromised vendor sites: Handled through secure McAfee Software Update infrastructure for Partner Companies
• If the malware has been installed: Detect the malicious traffic before it leaves the device and notify; block with the traditional network sensors (Nextgen FW, etc.) and notify; revealed in ESM, and then in the Device Mgmt Console for identification, quarantine, and remediation.

Bridging IT and OT Protection: Proven Security Adapted for New Intelligent Operations

Integrated Embedded Security…
• McAfee Deep Command, Application/Change Control/Whitelisting, encryption
• Wind River OS/Hypervisor/IDP security/encryption
• Intel HW-assisted security/encryption

with Secure Communication…
• Intel Intelligent Gateways
• IPS/Firewalls/TLS/AAA
• 3rd Party SIA Firewalls & Protocol Filters

Comprehensively Monitored & Managed
• McAfee ePolicy Orchestrator (ePO)
• McAfee Enterprise Security Management (ESM/Analytics)

Marvin Griff
Partner, Energy & Natural Resources
Husch Blackwell

[email protected]

CYBERSECURITY - A CONTINUING PROBLEM

Cybersecurity has been a growing focus and concern over the past decade. Power providers reported new attacks on the transmission grid:

• An attack on a Saudi Arabian oil company in the summer of 2012 wiped data from 30,000 computers.
• MISO breach in June.
• A July study released by Unisys said 67% had at least one security compromise over the last 12 months leading to loss of confidential information or operations disruption, caused by: negligent employees (47% of respondents), many with privileged access; external attack (28% of respondents).
• Limited preparedness: most said their firms' cybersecurity programs had limited ability to ward off attacks. A large majority said cybersecurity was not a top corporate priority within their company.
• Most indicated little faith in government regulations or industry standards to address risks effectively.

OVERVIEW - TEXAS

Cybersecurity for the electric sector traditionally has been a concern addressed at the federal level by the Federal Energy Regulatory Commission (FERC) through the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards, which focus on the bulk electric system, that is, the transmission portion of the grid.

The Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and FERC with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards, including those for cybersecurity for the remainder of the electric grid. 

Since 2009, the state of Texas has taken a significantly greater role in grid cybersecurity, with a large emphasis placed on the distribution portion of the electrical infrastructure.

OVERVIEW - FEDERAL

The electric power industry is the only critical infrastructure industry in the US with mandatory and enforceable cyber standards.

Protecting the grid is a mandate under the Energy Policy Act of 2005 (EPAct 2005).

The Federal Energy Regulatory Commission (FERC) has the authority to oversee the reliability of the bulk power system.

EPACT 2005 AND THE ELECTRIC RELIABILITY ORGANIZATION

EPAct 2005 created the Electric Reliability Organization (ERO).

The North American Electric Reliability Corporation (NERC) was designated as the ERO in 2006 in Order No. 672.

NERC worked with electric power industry experts to develop the NERC Critical Infrastructure Protection (CIP) standards CIP-002 through CIP-009.

Since 2008, the standards have been updated.

FERC AND THE ERO

FERC may approve proposed reliability standards or modifications.
• No authority to modify proposed standards.
• But FERC may direct the ERO to submit a proposed standard or modification.

FERC jurisdiction limited to the "bulk power system" under the Federal Power Act (FPA).

Exclusions include:
• Facilities used for local distribution, any facilities in Alaska and Hawaii. Much of the smart grid equipment will be installed on distribution facilities and won't be under FERC's jurisdiction.
• Virtually all the grid facilities in certain large cities, such as New York, not covered by FERC cyber jurisdiction.

CIP RELIABILITY STANDARDS

Development of reliability standards involving cyber security:
• The first versions of CIP standards announced in 2006.
• CIP-002 through CIP-009 approved by FERC in 2008 (Order No. 706).
• The standards have been updated to address evolving cyber threats.

The CIP Standards address assets essential to the operation of identified bulk-power system critical infrastructure - termed "Critical Cyber Assets" - such as:
• control centers
• control systems
• transmission substations
• generators

CIP RELIABILITY STANDARDS (continued)

Identified "Critical Cyber Assets" must receive full CIP protections, including:
• cyber protections.
• physical protections.
• cyber and physical access limitations.
• security training for appropriate personnel.
• development and implementation of incident response and asset recovery plans.

Compliance history of CIP Reliability Standards is problematic:
• CIP Reliability Standards by far the most violated of Standards.

Polling Question

Violations of Reliability Standards are punishable by per violation, per day fines of up to:
a) $5,000
b) $50,000
c) $100,000
d) $500,000
e) $1,000,000

ORDER NO. 706 (January 18, 2008)

Established eight CIP Reliability Standards (CIP-002 through CIP-009); replaced prior voluntary cyber security standards.

Required "risk-based" vulnerability assessment methodology for cyber assets.

Once cyber assets identified, responsible entities required to:
• establish plans to safeguard physical and electronic access
• train personnel
• report security incidents and be prepared for recovery actions

ORDER NO. 761 (April 19, 2012)

FERC revised the standards for identifying cyber assets: "[it] is a step towards full compliance with Order 706."

Replaced NERC's risk-based approach with "bright-line" criteria.
• Covers control centers, transmission facilities, generating facilities, flexible AC transmission systems and special protection systems.

FERC established deadline for NERC to submit reliability standards fully compliant with Order 706.

"Find, Fix, Track and Report" ORDER (June 20, 2013)

FERC accepted NERC Find, Fix, Track and Report (FFT) program, under which:
• Permits informational filings of lesser-risk, remediated possible violations.
• Only possible violations that pose a minimal risk are eligible for FFT treatment.
• Allows NERC to focus resources on issues posing greater risk to reliability.
• Rejected proposal to remove requirement that senior officers certify completion of remediation.
• FFT program allowed NERC to reduce issues dating prior to 2011 by approximately 80 per cent.

ORDER NO. 791 (November 22, 2013)

Approved the Version 5 CIP Reliability Standards (CIP-002 through CIP-009).

FERC rejected NERC-advocated move away from "zero tolerance" to a more flexible standard of requiring entities to "identify, assess, and correct" violations.

The new CIP standards will require major changes for registered entities.

All "Bulk Electric System (BES) Cyber Assets" will receive some level of protection related to the importance of their associated facilities.
• Addresses Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for Bulk Electric Cyber Systems, Configuration Change Management and Vulnerability Assessments.
• New approach for identifying bulk electric system (BES) Cyber Systems: Low, Medium, or High Impact.
• Level of CIP protections required by the Version 5 Standards depends on the risk classification of the relevant BES Cyber Systems.
• Requires, at minimum, all BES Cyber Systems to be categorized as Low Impact.

High and Medium Impact asset requirements compliance by April 1, 2016; 36 months for Low Impact assets.

The expansion of requirements for Low Impact systems and assets will be a time-intensive task.

CYBERSECURITY FRAMEWORK (February 12, 2014)

NIST unveiled the Cybersecurity Framework for reducing cyber risks to critical infrastructure.

The voluntary framework is intended to reduce cybersecurity threats and vulnerabilities through a risk-based approach to improve cybersecurity practices.

Origins in President Obama's February 2013 Executive Order 13636 for Improving Critical Infrastructure Cybersecurity.

Expected to be a first step in a continuous process to improve the nation's cybersecurity to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use.

Questions?

Milton Holloway
CCET
[email protected]

Lorie Wigle
McAfee, a Division of Intel Security
@LWigle

Marvin Griff
Husch Blackwell
[email protected]

Thank You