2 Smart Grid - Cyber Security
Small Rural Electric
George Gamble, Black & Veatch
February 4, 2010
3 Smart Grid Cyber Security
Best Practice Approach to Cyber Security for the Small Rural Electric

A Smart Grid Cyber Security Plan requires a technical approach to cyber security.

- Cyber security must be addressed in every phase of the engineering lifecycle of the project, including design and procurement, installation and commissioning, and the ability to provide ongoing maintenance and support.
- Cyber security solutions are comprehensive and capable of being extended or upgraded in response to changes in the threat or technological environment.

The technical approach to cyber security must include:

- Cyber security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact).
- Cyber security criteria used for vendor and device selection.
- Cyber security standards and/or best practices that will be followed (NIST, ISO, COBiT, ITIL).
- Support for emerging smart grid cyber security standards.
4 Enterprise Security Architecture

- Enterprise security architecture provides the conceptual design of the network security infrastructure, the related security mechanisms, and the related security policies and procedures.
- Enterprise security architecture links the components of the security infrastructure into a cohesive unit.
- The goal of this cohesive unit is to protect organizational information, including the smart grid.
5 Risk Management

- Managing risk requires a defined risk management lifecycle.
- The Smart Grid environment must be defined, criteria established to protect the environment, and monitoring and checks put into place so that, as the environment is challenged, appropriate indicators provide new considerations for adjusting protective mechanisms and maintaining the stability of the Smart Grid environment.
- Assessment, mitigation, and evaluation represent a basic framework for a risk management approach.
- Example: the Risk Assessment process is consistent with the risk management recommendations of the NIST Special Publication “Risk Management Guide for Information Technology Systems”.
6 Defensive Strategy

To support the development of a defensive strategy, the Small Rural Electric has to implement a defense strategy with measures for the following components:

- Threat
- Threat Agents
- Threat Environment
- Cyber Attack
- Vulnerability and Exploitation
- Attack Trees
- Defensive Model
- Defense-in-Depth Strategies

Threat
A threat represents the capability and the intent to attack or inflict harm. With respect to modern computing systems, this definition can be refined to define a cyber threat as the capability and intent to inflict harm on computers or networked systems by a knowledgeable threat agent.

Threat Agents
Threat agents conduct cyber attacks using tools, tactics, and procedures in response to some form of motivation. A threat agent may be an individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, that may be detrimental to industrial control systems, computer systems, and networks. Common examples of agents include disgruntled or former employees, script-kiddies, hackers, crackers, computer criminals, terrorists, industrial espionage agents, foreign espionage agents, and cyber warriors. Each of these categories of potential threat agents may operate through active, passive, inside, and outside access.

Cyber Attack
A cyber attack is a manifestation of a threat (e.g. an assault) conducted by a threat agent against an industrial control system, digital component/device, computer system, or network. The scope of this definition covers a wide variety of events that could challenge the integrity, availability, or confidentiality of a system or network, including, but not limited to:

- Viruses
- Worms
- Malware
- Forged data
- Denial or disruption of access or service
- Unauthorized access or unintended use of system assets
- Theft or destruction of hardware or data
- Modification of environmental conditions to negatively impact system functionality

Vulnerability and Exploitation
For a threat agent to successfully conduct an attack against a given target, the chosen attack vector must exploit some inherent weakness or vulnerability contained within the target. A vulnerability is defined as a weakness in the physical or electronic configuration of a critical digital asset or connected digital asset that could allow an action that compromises the cyber security of the asset. If the attack vector is poorly executed, or attempts to leverage an exploit to which the target itself is invulnerable, the attack will likely prove unsuccessful. This basic concept holds true regardless of whether the attack takes place in the real world or in the virtual world of cyberspace.

Attack Trees
Attack trees are a mature security concept that provides a systematic method of describing the threats that may exist for a given system. As an analytical tool, attack trees are a powerful technique because, unlike other forms of analysis, they require the analyst to adopt the mindset or perspective of the threat agent. This approach also adds significant value to the identification of the scenarios that contribute to an attack. The development of scenario-based attacks indicates that the cyber security specialist has paid particular attention to what and who is presenting a specific cyber security challenge vector.

Attack trees are useful in:

- Identifying potential vectors of attack
- Understanding where critical points of vulnerability exist
- Understanding the effectiveness of deployed countermeasures
- Determining the optimal use or placement of countermeasures
- Focusing risk management efforts on the most likely vectors of attack
- Adding value to multiple phases of the system design lifecycle

Defense-in-Depth Strategies
Defense-in-depth is a practice that employs multiple layers of security to guard against the failure of adjacent security components or layers. With proper application of defense-in-depth principles, a single failure within any element of a protective strategy should not result in complete failure of the security system.

Defensive strategies represent a documented assortment of comprehensive and diverse technologies, administrative processes, and programmatic procedures that invoke multiple layers of defense to protect critical systems. The defensive strategies devised should ensure that the capability exists to detect, isolate, and neutralize unauthorized activities in a timely manner, ensuring that the design-based functions and capabilities of systems and networks are maintained.

Defense-in-depth protective strategies can be visualized as a series of concentric layers (established boundaries) of security in which the vulnerabilities that exist in a given layer are prevented from existing in the adjacent layers.
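The attack-tree analysis described above, as an added example that is not part of the presentation: a small AND/OR tree with constructed, illustrative leaf costs for an AMI head-end, evaluated to find the cheapest path, the step shared by several paths (a critical point of vulnerability), and the residual cost once a countermeasure neutralises a given step. All leaf names and costs are assumptions made for the example.

```python
from dataclasses import dataclass, field
from collections import Counter
from typing import List

INF = float("inf")


@dataclass
class Node:
    """One attack-tree node: a LEAF carries attacker effort; AND/OR combine children."""
    name: str
    kind: str = "LEAF"          # "AND", "OR" or "LEAF"
    cost: float = 0.0           # constructed relative effort for a LEAF step
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node, blocked=frozenset()) -> float:
    """Cheapest effort to reach `node`; leaves neutralised by a countermeasure cost INF."""
    if node.kind == "LEAF":
        return INF if node.name in blocked else node.cost
    costs = [min_cost(c, blocked) for c in node.children]
    return sum(costs) if node.kind == "AND" else min(costs)


def leaf_counts(node: Node) -> Counter:
    """How many attack paths each leaf step appears on; shared steps are critical points."""
    if node.kind == "LEAF":
        return Counter({node.name: 1})
    return sum((leaf_counts(c) for c in node.children), Counter())


def fully_blocked(node: Node, blocked) -> bool:
    """True when the deployed countermeasures leave no feasible path to the root goal."""
    return min_cost(node, frozenset(blocked)) == INF


# Constructed, illustrative tree (not from the presentation); costs are relative units.
ESP = "Traverse electronic security perimeter"
PHYSICAL = "Physical access to head-end server"
TREE = Node("Alter meter data at AMI head-end", "OR", children=[
    Node("Via remote access", "AND", children=[
        Node("Obtain valid VPN credentials", cost=30), Node(ESP, cost=20)]),
    Node("Via corporate network", "AND", children=[
        Node("Compromise a corporate workstation", cost=15), Node(ESP, cost=20)]),
    Node(PHYSICAL, cost=80),
])

if __name__ == "__main__":
    print("baseline cheapest attack:", min_cost(TREE))                 # 35
    print("most shared step:", leaf_counts(TREE).most_common(1))       # ESP on 2 paths
    print("after hardening the ESP:", min_cost(TREE, {ESP}))           # 80
    print("ESP + physical controls:", fully_blocked(TREE, {ESP, PHYSICAL}))
```

Hardening the step shared by the most paths raises the attacker's cheapest option more than hardening any single path, which is the placement question the bullet list above asks the analyst to answer.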
7 Layered Defense Framework

[Figure: Layered Defense Framework (Defense in Depth), drawn as numbered concentric layers: Corporate Perimeter, Remote Access (Dial-up or VPN), Corporate Network, Network Architecture, Energy Management System, Host Device Security, Applications, Electronic Security Perimeter, Communications, AMI Systems]

Definitions:

- Corporate Perimeter - Defines the separation between the public and corporate domains.
- Remote Access - Methods and controls used to manage access to assets located within the corporate perimeter from locations external to that perimeter.
- Corporate Network - Equipment and topology used to provide the general employee population with access to corporate computer resources.
- Host Device Security - Operating systems, access accounts, network services, community strings, and removable media capabilities.
- Applications - All non-operating-system software.
- Communications - Technology and protocols used to communicate outside of a security perimeter.
- AMI - Contains the Head-End system and Meter Data Management Systems.
- Electronic Security Perimeter - Device(s) used to control data flow between two security zones.
8 Security Controls

Security controls are key elements supporting the overall defensive strategy and are implemented through the mechanisms and methods described within the defense-in-depth protective strategies.

Security controls, as discussed in detail in NIST Special Publications Rev 3 and “Guide to Industrial Control Systems (ICS) Security”, are implemented as three types of controls:

- Management Controls
- Operational Controls
- Technical Controls
9 Development Lifecycle

It is recommended that organizations use a sound lifecycle approach to incorporate cyber security into their infrastructure (NIST Revision 2). The following components represent some of the stages of such an approach:

- Concept
- Requirements
- Design
- Implementation
- Test
- Installation, Checkout, and Acceptance Testing
- Operation
- Maintenance
- Retirement
10 Policies & Procedures

Topical areas to be addressed by site-specific cyber security policies include, but are not limited to:

- Use of a Cyber Defensive Model, defensive strategies, and a cyber security plan;
- Cyber Security Assessments of systems and networks;
- Roles and Responsibilities;
- Compartmentalization and Separation of Duties;
- Identification and Protection of Cyber Sensitive Information;
- Determination and Delineation of Critical Assets, Systems, and Networks;
- Design and Management Practices for Systems and Networks;
- Implementation, Design, and Management of Cyber Security Defense-in-Depth Protective Measures;
- Cyber Security Requirements for Software and Hardware Procurement;
- Software Quality Assurance;
- Controlling Access to Systems and Networks;
- Monitoring of Systems and Networks;
- Virus/Malware Protection;
- Use of Wireless and Portable Computing Devices;
- Use of Encryption;
- Remote Access;
- Incident Response and Disaster Recovery;
- Response to Department of Homeland Security Threat Level Advisories;
- Reporting/Notification Requirements; and
- Cyber Security Awareness, Training, and Education of Personnel.
11 Cyber Security Program Roles & Responsibilities

The cyber security program establishes clear and unambiguous roles, responsibilities, authorities, delegations, and interfaces within the organization responsible for implementing and maintaining the company’s cyber security program.