Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lessons Learned in Smart Grid Cyber Security

Published byDorcas Montgomery Modified over 8 years ago

Similar presentations

Presentation on theme: "Lessons Learned in Smart Grid Cyber Security"— Presentation transcript:

1 Lessons Learned in Smart Grid Cyber Security
Lynda McGhie CISSP, CISM, CGEIT Quanta Technology Executive Advisor Smart Grid Cyber Security and Critical Infrastructure Protection

2 Agenda Smart Grid Cyber Security Challenges
IT OT Traditional Integration Challenges More Interconnectivity, Distribution and Access Points Cyber Security Vs. Compliance Smart Grid Vendor Management Challenges Software Assurance Other Observations Positive directions - things are changing

3 Smart Grid Cyber Security Issues and Challenges
System complexity is growing through expanding interconnectivity of systems and the extension of the electronic perimeter to new grid components and participants Increasingly distributed assets (AMI, HAN) Lots of legacy investments that need to be secured along side newer, unproven technologies Security upgrades to legacy systems are limited by inherent limitations of the equipment and architectures Operations and control networks previously thought to be inherently protected through private networks, serial connections and proprietary protocols are increasingly more vulnerable as networks are connected

4 Smart Grid Cyber Security Issues and Challenges
SCADA vulnerabilities and malware (Vendor access, USBs, disgruntled employees) Aurora Project proves that control networks can be penetrated Cyber threats are unpredictable and evolve faster than the sector’s ability to develop and deploy countermeasures Threat, vulnerability, incidents and mitigation information sharing is insufficient among government and industry

5 Smart Grid Cyber Security Issues and Challenges
Increasing concern for privacy issues Weak business case for cyber security investment by industry Regulatory uncertainty in energy sector cyber security DOE SGIG investments Provided a boost to cyber security awareness and enhancement, but what is next? Business drivers to change traditional IT / OT boundaries Embedded smart-grid equipment like smart meters require robust security to protect critical utility assets and data. New standards are emerging, requiring system designers to implement multiple layers of security to thwart both physical and cyber attacks.

6 IT OT Integration Challenges
Typically do not work together OT views the corporate network as vulnerable and resources inadequate OT networks and systems have different performance and reliability requirements Differing security architectures and risk management goals OT legacy systems challenging to support, upgrade and integrate Multiple support systems that do not integrate or interoperate – change management, ticketing , tracking and reporting, configuration management, patch management, audit and monitoring A new suite of cyber security tools recently demonstrated by DOE's Idaho National Laboratory includes a tool, the Sophia situational awareness software, designed to help utilities protect their network and control systems from attack. What Sophia can do is passively watch network communications and give both real-time and historical records of those communications. And it can be configured to automatically flag any unusual activity or new types of conversations that may indicate a security issue. Sophia can provide all of the information it receives for operators to evaluate, as can the other tools included in the demonstration. Typically Corporate IT is surrounded by a lot of controls and beauracracy that is needed to ensure reliability and availability. Within the non-business networks and operations area those controls traditionally haven’t existed previously and they could get away with doing things without change control, approvals, etc. But with NERC CIP controls and processes are being added to these control networks. But they can still not deem some environments not to be under NERC CIP. Classify a minimum set of assets.

7 New Technology Challenges Traditional Approaches
More Interconnectivity, distribution and access points Mobile devices Wireless network security Encryption and authentication Distributed key management Need a secure network for key management Integrated and active monitoring

8 Cyber Security Vs. Compliance
Culture of compliance, culture of security – Compatible goals? Many utilities didn’t have a centralized security function prior to NERC CIP Security modeled after NERC CIP – Process not technology oriented Risk management and security governance programs are not in place Getting management’s attention and building the business case for cyber security after NERC CIP In a culture of security, extensive dialogue about the meaning of security and the consequences of operating under certain levels of risk is ongoing, by various means, among citizens and stakeholders. When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness. Implementing this strategy will help the sector achieve the following goal: Cyber security practices are reflexive and expected among all energy sector stakeholders. Assessing and monitoring risk gives companies a thorough understanding of their current security posture, enabling them to continually assess evolving cyber threats and vulnerabilities, their risks, and responses to those risks. Implementing this strategy will help the sector achieve the following goal: Continuous security state monitoring of all energy delivery system architecture levels and across cyber-physical domains is widely adopted by energy sector asset owners and operators. Sustain Security Improvements. Sustaining aggressive and proactive energy delivery systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives, and close collaboration among stakeholders. Energy sector collaboration provides the resources and incentives required for facilitating and increasing sector resilience. Implementing this strategy will help the sector achieve the following goal: Collaboration between industry, academia, and government maintains cybersecurity advances.

9 Smart Grid Vendor Management Challenges
Without skilled resources, many utilities rely on vendors to configure device security Vendors do not know utilities cyber security requirements and do not configure to implement a defined policy or integrated architecture No linkage from vendor to vendor – Defense in depth? Vendors ship products with little or no security turned on by default Rush to bring products to market without testing to ensure that they actually work as advertised or integrate Utilities typically don’t have test environments and rely on vendors to test Technology and standards continue to evolve Vendors won’t share system certifications or provide proof of testing In a connected world, smart-grid equipment designers must consider security at the earliest stages of design. Today, this means secure microcontrollers that support multiple encryption engines, tamper reaction, and increased manufacturing and IP security. In the future, it will mean micros that do all measurement, encryption, and communications in a single chip. This integration will yield significant security benefits, avoiding unnecessary data transmission between ICs. Examples – Our vendors manage our security

10 Software Assurance Secure software development
Integrated systems testing Testing code from third-party vendors Code testing Vendor mergers and use of third-parties Built in backdoors for troubleshooting Performance/acceptance testing of new control and communication solutions is difficult without disrupting operations CIOs can reduce the risk of introducing trap-door-riddled IT by demanding proof of an explicit chain of custody from IT suppliers covering all third-party hardware and software they use in their products. They also should require their IT system providers to periodically sample and test their products; and they should procure the same equipment used by government agencies, which in some cases employ electron microscopes and chemicals to test IT components. McDonald says the spotlight on Huawei put IT supply chain risks "on the radar screen of every CIO. " Now it’s up to every CIO to act on this information.

11 Other Smart Grid Deployment Observations
Smart grids inherent goal to provide consumers with more information to make informed decisions regarding energy consumption But what about concerns for the protection and sharing of usage information and privacy information? Loss of traditional physical security perimeters with more distributed assets requiring physical and logical security to work together Aging infrastructure – many legacy smart grid assets are not being upgraded or patched Outsourced hardware and software support – many partners Anti-virus problem still not solved – integrated solutions and management Current cyber security skill set and ability to recruit Incident Management continues to evolve and integrate Other Smart Grid Deployment Observations An increased amount of customer information being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use. If customers believe a utility is itself abusing personally identifiable data, or is generally enabling the use of personal information beyond what they deem acceptable (whether or not legal), then they are likely to resist the implementation of AMI. Consumers may refuse to consent (where required), hide their data or awaken political opposition. Utilities may face customer liability claims or regulatory fines if inadequate privacy or security practices enable eavesdroppers, adversaries or bad-actors to acquire and use AMI data to a customer’s detriment. Utilities must take privacy and security concerns into account when designing AMI and must persuade consumers, regulators and politicians that privacy interests are adequately protected. 

12 Positive Directions – Things are Changing
Beginning to see a risk management Vs. pure compliance approach to security within the utilities Government, vendors, research and universities and utilities are working together Practical, business-oriented metrics and measurement mechanisms are being developed and used Increased visibility and understanding of current state and challenges, and to facilitate prioritization Beginning to describe security requirements and incidents in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability More attention to Operational-side issues

Download ppt "Lessons Learned in Smart Grid Cyber Security"

Similar presentations

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce
Cyber Security in Implementing Modern Grid Automation Systems Vijayan SR CIGRE SC D2 Tutorials & Colloquium on SMART GRID Mysore, 13 – 15 November 2013.

Cyber Security in Implementing Modern Grid Automation Systems Vijayan SR CIGRE SC D2 Tutorials & Colloquium on SMART GRID Mysore, 13 – 15 November 2013.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Smart Grid Cyber Security Framework

Smart Grid Cyber Security Framework
SMART GRID: What is it? Opportunities, and Challenges

SMART GRID: What is it? Opportunities, and Challenges
Smart Card Deployment David Gautrey IT Manager – Microsoft New Zealaand Microsoft Corporation.

Smart Card Deployment David Gautrey IT Manager – Microsoft New Zealaand Microsoft Corporation.
Cyber Threats/Security and System Security of Power Sector Workshop on Crisis & Disaster Management of Power Sector P.K.Agarwal, AGM Power System Operation.

Cyber Threats/Security and System Security of Power Sector Workshop on Crisis & Disaster Management of Power Sector P.K.Agarwal, AGM Power System Operation.
Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.
K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.

K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
A project under the 7th Framework Programme CPS Workshop Stockholm 12/04/2010 Gunnar Björkman Project Coordinator A Security Project for the Protection.

A project under the 7th Framework Programme CPS Workshop Stockholm 12/04/2010 Gunnar Björkman Project Coordinator A Security Project for the Protection.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
GridWise ® Architecture Council Cyber-Physical System Requirements for Transactive Energy Systems Shawn A. Chandler Maseeh College of Electrical and Computer.

GridWise ® Architecture Council Cyber-Physical System Requirements for Transactive Energy Systems Shawn A. Chandler Maseeh College of Electrical and Computer.
3 Cloud Computing.

3 Cloud Computing.

Similar presentations

Ads by Google