1. Cyber Security for Energy Delivery Systems NSTB Cyber Security Interoperability Task Force UCA Iug/OpenSG/SG Security Working Group

2. Cyber Security for Energy Delivery Systems NSTB What is Lemnos? Lemnos is a DOE funded project to provide a security interoperability framework for use in the ENERGY SECTOR Lemnos Partners –EnerNex Corporation (Prime Contractor) –Tennessee Valley Authority (Utility) –Sandia National Labs (FFRDC) –Schweitzer Engineering Laboratories (Vendor) Builds upon OPSAID which is previous DOE project Develops INTEROPERABE CONFIGURATION PROFILES for widely accepted Internet protocols –Supports the interoperability of security devices from different vendors by using a common set of device configuration parameters 2

3. Cyber Security for Energy Delivery Systems NSTB Lemnos Sponsors Office of Electricity Delivery and Energy Reliability enhancing control systems security in the energy sector NSTB National SCADA Test Bed National Energy Technology Labs

4. Cyber Security for Energy Delivery Systems NSTB Lemnos Partners and Participating Vendors

5. Cyber Security for Energy Delivery Systems NSTB Lemnos Approach 5 Define functional requirements based on asset owner needs STEP 1 Select open source specifications (IETF RFCs) to meet the identified functional requirements STEP 2 Develop interoperable configuration profiles for these specifications tailored for the energy sector control systems environment Test and validate the interoperable configuration profiles STEP 3 STEP 4

6. Cyber Security for Energy Delivery Systems NSTB 6 Lemnos – Step 1 Define Functional Requirements Requirements identified based on asset owner needs Examples include: Functional Requirement Secure communications channel Filter illegal network traffic Notification, non-repudiation, traceability, and troubleshooting Cryptography and password management Detect malicious activity by monitoring network traffic Monitor and analyze system processes Identify, neutralize, or eliminate malicious software

7. Cyber Security for Energy Delivery Systems NSTB 7 Lemnos – Step 2 Select Open Source Specifications For each functional requirement, the philosophy is to select the most commonly used, well-proven, open source solution. Examples include: Functional RequirementComponentModule Secure communications channelVirtual Private Network IPsec Notification, Non-repudiation, Traceability, Trouble Shooting Audit LogSyslog

8. Cyber Security for Energy Delivery Systems NSTB 8 Lemnos – Step 3 Develop Interoperable Configuration Profiles Define choice Within the RFCs are a myriad of choices Examples for IPsec include: Configuration Parameter Use ESP (Encapsulating Security Payload) and AH (Authentication Header) Use TUNNEL mode Use HMAC for authentication Use IKE Version 1 Use DH-5 (Diffie-Hellman Group 5)

9. Cyber Security for Energy Delivery Systems NSTB 9 Lemnos - Step 4 Test, Validate, and Demonstrate Demonstrate cyber security interoperability using the Interoperable Configuration Profiles –Long term tests to validate stability –Multi-vendor architecture –Simulated utility architecture Validate that the added security does not impact the reliability of the hosted power system applications Public demonstration of Interoperability –ISA Expo 2009 –Distributech 2010

10. Cyber Security for Energy Delivery Systems NSTB An Interoperable Configuration Profile for IPSec - Draft Specification (Rev 3) Use ESP (Encapsulating Security Payload) Use TUNNEL mode Use HMAC for authentication and integrity Use IKE Version 1 (moving to IKE Version 2 in 2011 ? ) Use DH-5 (Diffie-Hellman Group 5) Configuration Parameters ike_life: 10800s;(10,800 seconds life for key until exchange) ipsec_life: 3600s;( time till key re-negotiation) keyingtries: 3;(renegotiate keys 3 times) dpd_action: restart;(dead peer detection action) dpd_delay: 60s; (dead peer detection time “hello” interval in seconds) policy: PSK+ENCRYPT+TUNNEL+PFS+UP; Use PFS (perfect forward secrecy ); for enhanced key exchange security

11. Cyber Security for Energy Delivery Systems NSTB End User Perspective Enables End Users to choose BEST IN CLASS solutions for various facilities (versus a “one size fits all”) –For Example, an electric utility may needs to address: Communications Hub/Control Center Substation LAN Generating Plant DCS Outdoor and Pole-top Reduction in setup/deployment time and effort –Lower Total Cost of Ownership Reduction in configuration errors Lemnos Benefits

12. Cyber Security for Energy Delivery Systems NSTB Vendor Perspective Permits shortened development cycle by providing reference design –OPSAID reference design available to public –Robustness of open source versus proprietary solutions Uses configurations proven in lab and field to secure control system communications in a way that doesn’t trade of reliability Enhances the vendors ability to meet the customer’s needs –Provides a common understanding between customer and vendor Lemnos Benefits

13. Cyber Security for Energy Delivery Systems NSTB Additional Work for 2010 - 2011 Focus on: Standardizing components of Syslog messages Secure engineering access SSH/SSL Centralized authentication & authorization LDAP 13

14. Cyber Security for Energy Delivery Systems NSTB Discussion

15. Cyber Security for Energy Delivery Systems NSTB Project Contacts EnerNex Corporation Brian Smith - bpsmith@enernex.combpsmith@enernex.com Tennessee Valley Authority John Stewart - jwstewart@tva.govjwstewart@tva.gov Sandia National Laboratories Ron Halbgewachs - rdhalbg@sandia.govrdhalbg@sandia.gov Adrian Chavez - adrchav@sandia.govadrchav@sandia.gov Dave Teumim - dave431@enter.net (Sandia Contractor)dave431@enter.net Schweitzer Engineering Laboratories Rhett Smith - Rhett_Smith@selinc.comRhett_Smith@selinc.com 15