Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. PID# Four Layers of Smart Grid Security Session: Energy Cybersecurity II Ernie Hayden CISSP CEH Managing Principal – Critical Infrastructure Protection/Cyber Security Verizon Risk Team Feb 13, 2013

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.2 Smart Grid Security: Who’s Worried and Why? “Layers” of Concern – Physical Layer – Cyber Layer – Privacy Layer – Storage Layer Just What To Do? Question & Answer

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.3

4 Acknowledged by: – European Network and Information Security Agency (ENISA) – National Institute of Standards and Technology (NIST) – North American Electric Reliability Corporation (NERC) – Department of Homeland Security (DHS) – Department of Energy (DOE) – Federal Energy Regulatory Commission (FERC) – Government Accountability Office (GAO) – Selected Nations and US State Public Utility Commissions

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.5 Increasing Complexity of the Grid Interconnected Networks Can Introduce Common Vulnerabilities Increasing Vulnerabilities to Communications Introduction of Malicious Software Increased Number of Entry Points and Paths for Potential Adversaries to Exploit Potential for Compromise of Data Confidentiality, Including Breach of Customer Privacy

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.6

7 Physical Cyber Privac y Storage

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.8 Natural Disasters – Snow Storms – Hurricanes – Solar Flares – Geomagnetic Storms – Earthquakes – Flooding – Volcanoes Recognize that Location of the Smart Grid Components Can Be Affected by the Surrounding Environment US Case – Overheating Meters

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.9 The Biggest Opportunity for Trouble “The Last Mile” Issues Remember – Added Complexity Causes Concerns

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.10 Broadband Power Line Systems Power Line Carrier Systems Public Switched Telephone Network (PSTN) Cat5/6 Network Connection Radio Frequency – WiMax – ZigBee – 6LoWPAN – x – Cellular (CDMA/EVDO, GSM, LTE)

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.11 Remember C I A – Confidentiality Attacks Reading, “Sniffing” the data – Integrity Attacks Changing the Data – Availability Attacks Denial of Service – Prevent Use of Service

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.12

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.13 Very Emotional Discussion State of California – Smart Grid and IOU’s Theoretical Impacts But…Demographic Data has Value

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.14 “Data Avalanche!” – Numerous Data Fields and Classes Simple Data Fields – KWH Used Since Last Reading Read Every ~15 Minutes or More Frequently Minimal Data Accumulation Automatic ReadingRead Monthly (or Less Frequently) “Smart” Digital Meters & “Smart” Sensors Analog Meters or Simple Digital Meters Manually Read or Use “Drive By” Reading The Future Smart Grid Today’s Environment Microsoft Clip Art Online Used with Permission – E N Hayden

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.15 Lux Research: Utilities Manage 9x Current Data if Go to Smart Grid (Boston: Jan 26, 2011) Types of Data from Smart Meters – Broadcast Data – Billing Interval Data – Detailed Consumption Data – Aggregate Statistical Data Predictions – Prediction for U.S. by 2019  100M Meters  100 Petabytes generated during the next 10 years (West Coast Utility) – Utilities spent $356M on Smart Grid data analytics tools in 2010  $4.2B in 2015 (Pike Research) – 300 TB per year of meter data by 2012 (Southeast U.S. Utility) (as of 2011) pic.jpg 1 Petabyte is 1000 Terabytes!

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.16 #1: Start with the NISTIR 7628 and ENISA #2: Begin with Security in Mind #3: Work with Your Meter Vendors #4: Establish Incident Response Team and Practice #5: Include Security Experts in Design, Build and Operate Phases #6: Have a Dedicated Security Team for SG #7: Monitor Regulations Affecting the SG #8: Ensure Code Includes Security (Ref: OWASP) #9: Beware of Remote Connections #10: Ultimate Job: Protect the Data!

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.17

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.18 Ernie Hayden CISSP CEH Managing Principal Critical Infrastructure Protection/Cyber Security Verizon Risk Team