CYBERSECURITY AND RURAL ELECTRIC POWER SYSTEMS Paul R. Kaster, Jr., LtCol, USAF, MS, MA, EIT, PhD Candidate Department of Electrical Engineering and Computer Science Advisor: Dr. P.K. Sen, PE, IEEE Fellow 2015 IEEE Rural Electric Power Conference, Asheville, North Carolina


CYBERSECURITY AND RURAL ELECTRIC POWER SYSTEMS

Paul R. Kaster, Jr., LtCol, USAF, MS, MA, EIT, PhD Candidate

Department of Electrical Engineering and Computer Science

Advisor: Dr. P.K. Sen, PE, IEEE Fellow

2015 IEEE Rural Electric Power Conference, Asheville, North Carolina


Overview

‣Cyber Security Basics

‣Critical Infrastructure Protection (CIP) Standards

‣National Institute of Standards and Technology (NIST) Interagency Report (NISTIR) 7628

‣Future Research


Fundamentals: The Cyber Threat

‣Russian invasion of Georgia (2008)

‣Stuxnet

‣Markey and Waxman report (May 2013)


Fundamentals: Confidentiality, Integrity, Availability

| Term | Definition |
| --- | --- |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information |
| Integrity | Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity |
| Availability | Ensuring timely and reliable access to and use of information |

Source: 44 U.S.C., SEC. 3542


Fundamentals: Potential Impact Levels

| Attribute | Failure | Impact Level |
| --- | --- | --- |
| Confidentiality | Unauthorized disclosure | Low: Limited impact; Moderate: Serious impact; High: Severe or catastrophic impact |
| Integrity | Unauthorized modification or destruction | Low: Limited impact; Moderate: Serious impact; High: Severe or catastrophic impact |
| Availability | Disruption of access | Low: Limited impact; Moderate: Serious impact; High: Severe or catastrophic impact |

Source: NISTIR 7628

“CIA” Analyses


Fundamentals: Cyber Security Core Functions

| Term | Definition |
| --- | --- |
| Identify | Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. |
| Protect | Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. |
| Detect | Develop and implement the appropriate activities to identify the occurrence of a cyber security event. |
| Respond | Develop and implement the appropriate activities to take action regarding a detected cyber security event. |
| Recover | Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event. |

Source: NIST Framework for Improving Critical Infrastructure Cybersecurity


Fundamentals: Risk Assessment (Subjective)

‣ Most Dangerous Course of Action (MDCOA)
– Potential cyber event that has the greatest impact on operations

‣ Most Likely Course of Action (MLCOA)
– Potential cyber event that is most likely to occur

‣Minimum: Identify threat, target, and consequences


Fundamentals: Risk Assessment (Quantified)

‣ R: Risk (money or time)
‣ T: Threat (probability)
‣ V: Vulnerability (probability)
‣ C: Consequence (money or time)

| Term | Definition |
| --- | --- |
| Risk | potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences |
| Threat | natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property |
| Vulnerability | physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard |
| Consequence | effect of an event, incident, or occurrence |

Source: DHS Risk Lexicon

Source: Department of Homeland Security (DHS) Risk Assessment Methodology: Evolution, Issues, and Options for Congress


Fundamentals: Adversaries

‣ Nation States
‣ Hackers
‣ Terrorists
‣ Organized Crime
‣ Other Criminal Elements
‣ Industrial Competitors
‣ Disgruntled Employees
‣ Careless Employees

Grouping labels: Political, Financial, Chaos, Internal

Source: NISTIR 7628


Fundamentals: Controls

‣ Inventory of authorized and unauthorized devices

‣ Inventory of authorized and unauthorized software

‣ Incident response and management

‣ Security skills assessment and appropriate training to fill gaps

‣ Controlled access based on need to know

‣ Boundary defense

‣ Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers

‣ Continuous vulnerability assessment and remediation

‣ Malware defenses

‣ Application software security

‣ Wireless access control

‣ Data recovery capability

‣ Secure configurations for network devices such as firewalls, routers, and switches

‣ Limitation and control of network ports, protocols, and services

‣ Controlled use of administrator privileges

‣ Maintenance, monitoring, and analysis of audit logs

‣ Account monitoring and control

‣ Data protection

‣ Secure network engineering

‣ Penetration tests and red team exercises

Control types: Administrative, Physical, Technical

Source: SANS Institute


Fundamentals: Example

Metering system for rural electric provider

‣ “CIA” Analysis
– Low Confidentiality
– High Integrity
– Low Availability

‣ Core Functions: Identify
– Subjective Risk Analysis
‧ MLCOA: power thief attacking single meter for up to a year
‧ MDCOA: disgruntled employee corrupting data preventing accurate billing


Fundamentals: Example (Continued)

‣ Core Functions: Identify
– Quantitative Risk Analysis
– Known historical data
– Two known threats
‧ Power Thief (T=2%)
‧ Disgruntled Employee (T=0.25%)
– Two known vulnerabilities
‧ Individual meters (V=1% for thief, 20% for employee)
‧ Database (V=0.001% for thief, 25% for employee)
– Two estimated consequences
‧ Meters: $500
‧ Database: $100,000

R = T × V × C

| Threat | Database Risk | Meter Risk |
| --- | --- | --- |
| Thief | $0.02 | $0.10 |
| Employee | $62.50 | $0.25 |
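The risk table above follows directly from R = T × V × C. The sketch below is an added example, not part of the original slides: it reproduces the four values from the slide's inputs and goes slightly further by ranking the threat/asset pairs and re-computing the total after scaling one vulnerability. The function names and the what-if scaling factor are assumptions made for illustration.

```python
from decimal import Decimal  # exact arithmetic for values such as 0.001%

# Inputs from the slide; T and V are given in percent, C in dollars.
THREAT = {"Thief": Decimal("2"), "Employee": Decimal("0.25")}
VULN = {
    ("Thief", "Meter"): Decimal("1"),
    ("Employee", "Meter"): Decimal("20"),
    ("Thief", "Database"): Decimal("0.001"),
    ("Employee", "Database"): Decimal("25"),
}
CONSEQUENCE = {"Meter": Decimal("500"), "Database": Decimal("100000")}


def risk(threat, asset, vuln=VULN):
    """R = T * V * C with T and V converted from percent to probability."""
    t = THREAT[threat] / 100
    v = vuln[(threat, asset)] / 100
    return t * v * CONSEQUENCE[asset]


def risk_register(vuln=VULN):
    """Every (threat, asset, risk) row, highest risk first."""
    rows = [(t, a, risk(t, a, vuln)) for (t, a) in vuln]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def total_risk(vuln=VULN):
    """Sum of R over all threat/asset pairs."""
    return sum(r for _, _, r in risk_register(vuln))


def with_control(pair, factor):
    """Copy of VULN with one pair's V scaled by `factor`.

    The factor is a constructed what-if value, not a figure from the slides.
    """
    scaled = dict(VULN)
    scaled[pair] = scaled[pair] * Decimal(str(factor))
    return scaled


if __name__ == "__main__":
    for t, a, r in risk_register():
        print(f"{t:<9}{a:<9}${r:.2f}")
    print(f"Total: ${total_risk():.2f}")
    halved = with_control(("Employee", "Database"), 0.5)
    print(f"Total with Employee/Database V halved: ${total_risk(halved):.2f}")
```

The ranking shows that the employee/database pair accounts for nearly all of the quantified risk, so a control that reduces that one vulnerability moves the total far more than any control on the meters.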


Fundamentals: Example (Continued)

‣ Core Functions: Protect
– Physical Controls:
‧ Sealed metal boxes at meters, junctions
‧ Limited access to equipment, operations rooms
– Administrative Controls:
‧ Two person authentication for network access
‧ Limited administrator privileges
– Technical Controls:
‧ Internal network equipment capability
‧ Lock down unused ports
‧ Off site data backup


Fundamentals: Example (Continued)

‣ Core Functions: Detect
– Physical Controls:
‧ Tamper tags
‧ Random visual inspections for metal boxes
– Administrative Controls:
‧ Inspection policies
– Technical Controls:
‧ Network logging, monitoring

‣ Core Functions: Respond and Recover
– Administrative Controls:
‧ Policies, procedures, drills
– Technical Controls:
‧ Off-site data backup


CIP Standards: Overview

‣ North American Electric Reliability Corporation (NERC) standards for cybersecurity

‣ Ten standards, Version 5 becomes effective on/about July 2015

CIP-002-5.1 Bulk Electric System (BES) Cyber System Categorization

CIP-003-5 Cyber Security-Security Management Controls

CIP-004-5.1 Cyber Security-Personnel and Training

CIP-005-5 Cyber Security-Electronic Security Perimeter(s)

CIP-006-5 Cyber Security-Physical Security of BES Cyber Systems

CIP-007-5 Cyber Security-System Security Management

CIP-008-5 Cyber Security-Incident Reporting and Response Planning

CIP-009-5 Cyber Security-Recovery Plans for BES Cyber Systems

CIP-010-1 Cyber Security-Configuration Change Management and Vulnerability Assessment

CIP-011-1 Cyber Security-Information Protection


CIP Standards: Applicability

‣ Functional/Responsible Entities
– Balancing Authority
– Generator Operator
– Generator Owner
– Interchange Coordinator/Interchange Authority
– Reliability Coordinator
– Transmission Operator
– Transmission Owner
– Distribution providers that own:
‧ Under frequency load shedding (UFLS) or under voltage load shedding (UVLS) systems that perform automatic load shedding of at least 300 MW or are part of a larger load shedding program subject to NERC or Regional Reliability Standards.
‧ Any of the following that are subject to NERC or Regional Reliability Standards:
  Special Protection Scheme
  Remedial Action Scheme
  Transmission Protection System (other than UFLS or UVLS)
  Cranking Path or Group of Elements required for Blackstart Resources


CIP Standards: Applicability (continued)

‣ CIP standards applicable to all facilities owned by a functional entity except for:
– Distribution providers only responsible for those areas described above
– Facilities owned by Canadian Nuclear Safety Commission
– Communication links between Electronic Security Perimeters (i.e. only responsible for assets within your own ESP)
– Anything regulated by the Nuclear Regulatory Commission

‣ Evidence of compliance must be maintained for 3 calendar years. Records from the last audit must be maintained until the next audit.


CIP-002-5.1 BES Cyber System Categorization

‣ Background:
– The Responsible Entity has flexibility to “determine the level of granularity” when defining systems.
– Limited to “BES Cyber Systems that would impact the reliable operation of the BES.”
– BES Cyber Assets:
‧ “Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.”

‣ Requirements:
– Identify high, medium, and low impact BES Cyber Systems
‧ Provides specific guidance to identify level
– Review those identifications every 15 months and document even if no identified items


NISTIR 7628: Overview

‣ 597 pages of best practices
– Vol. 1: Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements
– Vol. 2: Privacy and the Smart Grid
– Vol. 3: Supportive Analyses and References


NISTIR 7628: Domains


NISTIR 7628: Interface Categories

| Number | Description | Confidentiality | Integrity | Availability |
| --- | --- | --- | --- | --- |
| 1-4 | Communications between control systems and equipment | L | H | H/M |
| 5 | Interface between control systems within an organization | L | H | H |
| 6 | Interface between control systems within different organizations | L | H | M |
| 7-8 | Interface between back office systems | H | M | L |
| 9 | Business to Business (B2B) connections involving financial/market transactions | L | H | H/M |
| 10 | Interface between control systems and other systems | L | H | M |
| 11 | Interfaces between environmental sensors | L | M | M |
| 12 | Interface between sensor networks and control systems | L | M | M |
| 13 | Advanced Metering Infrastructure (AMI) | H | H | L |
| 14 | High Availability AMI | H | H | H |
| 15 | Systems using customer site networks | L | M | M |
| 16 | Interface between external systems and the customer site | H | M | L |
| 17 | Mobile field crew equipment | L | H | M |
| 18 | Metering equipment | L | H | L |
| 19 | Operations decision support systems | L | H | M |
| 20 | Engineering/maintenance for control equipment | L | H | M |
| 21 | Vendor maintenance and support for control systems | L | H | L |
| 22 | Security/network/system management consoles | H | H | H |


NISTIR 7628: Actors


NISTIR 7628: Security Requirements

‣ 180 High-level requirements
– Governance, Risk, Compliance (GRC)
– Common technical requirements
– Unique technical requirements
– Applied to each interface category

19 Categories

| Category (requirements) | Category (requirements) |
| --- | --- |
| Access Control (21) | Media Protection (6) |
| Awareness/Training (7) | Physical/Environmental Security (12) |
| Audit/Accountability (16) | Planning (5) |
| Security Assessment/Authorization (6) | Program Management (8) |
| Configuration Management (11) | Personnel Security (9) |
| Continuity of Operations (11) | Risk Management/Assessment (6) |
| Identification/Authentication (6) | IS and Services Acquisition (11) |
| Information/Document Management (4) | IS and Communication Protection (30) |
| Incident Response (11) | IS and Information Integrity (9) |
| Information System (IS) Development/Maintenance (7) | |


NISTIR 7628: Security Requirements (continued)



NISTIR 7628: Use Case Scenarios

‣Advanced Metering Infrastructure (AMI) (8)

‣Demand Response (6)

‣Customer Interfaces (6)

‣Electricity Market (3)

‣Distribution Automation (7)

‣Plug-in Hybrid Electric Vehicles (4)

‣Distributed Resources (2)

‣Transmission Resources (4)

‣RTO/ISO Operations (1)

‣Asset Management (4)


Future (Ongoing) Research

‣ Cyber Security Quantification!!!
– Objective: metric that is usable by industry to evaluate and compare the security of different networks
‧ Must quantify a measurable value (e.g. time, cost)
‧ Must correlate with real world data
‧ Must be tailored to the power industry
– Several (flawed) models proposed in literature
– Two proposed metrics
‧ Mean Time Between Security Incidents (MTBSI)
‧ Estimated Annual Security Incident Impact (EASII)
– Modeling and Simulation
– Analysis of real world data


Conclusion

‣Cyber Security Basics

‣Critical Infrastructure Protection (CIP) Standards

‣National Institute of Standards and Technology (NIST) Interagency Report (NISTIR) 7628

‣Future Research


CONTACT INFORMATION

Paul R. Kaster, Jr., LtCol, USAF, MS, MA, EIT
