Transcript of: NERC CIP in the Real World on a Real Budget (cce.umn.edu/documents/CPE-Conferences/MIPSYCON...)
Page 1
NERC CIP in the Real World on a Real Budget
11/11/16 Page 1 Energy Automation
Authors: Eric Stranz, Business Development Manager, Siemens; Stefan Nohe, Subject Matter Expert, Siemens; Dr. Chan Wong, PhD, Standards Engineering, Entergy
Utilizing Cost Saving Ethernet Technologies in Compliant Architectures
Page 2
Motivation
Page 3
NERC CIP – Cyber security for TSO and Generation
Generation / DER
• Misuse of local administrative rights
Distribution and Transmission
• Substation configuration is manipulated via local network, wireless or remote access
Operation
• Unauthorized remote service access
Market
• Fraud based on falsified offers and contracts (Customer, Utilities, DNOs, …)
Customer
• Consumer behavior tracking, e.g., through smart meters
• Fraud through smart meter manipulation
Page 4
Focus of Paper: Implement Technologies in Compliant Architectures
Possible Attackers:
• Countries
• Criminal organizations
• Script kiddies
• Insider
• Spoofing
• Malware
• Viruses
• …
[Diagram: Control Center Level, Station Level (Substation Control Zone) and Field Level, with the threats shown at each level: Remote Access, Malware, Misuse of access rights, Unauthorized access to network, Unauthorized access, Attacks via internet]
Page 5
Cost Saving Technologies
[Diagram: Control Center, 3rd party device, Substation HMI and Substation Data Collector & Controller on the Station Bus, which carries IEC 61850 MMS (data collection & controls) and GOOSE (virtual wires); the Process Bus carries Sampled Values (currents / voltages) and GOOSE (virtual wires)]
Page 6
IEC-61850 MMS – Station Bus
[Diagram: IED1–IED4 (Vendor W, X, Y, Z) and circuit breakers CB1–CB4; 61850-MMS communications, routable Layer 3]
Page 7
Data Communication using 61850 – Station Bus: Peer-to-peer communications
[Diagram: IED1–IED4 (Vendor W, X, Y, Z) and circuit breakers CB1–CB4; GOOSE (Generic object oriented system-wide events) multicast message, non-routable Layer 2]
Page 8
Process Bus 61850-9-2
[Diagram: Station Bus above a Process Bus (multicast message, non-routable Layer 2); hardwired I/O, CTs and PTs; fiber optic connection; 61850 9-2 Merging Units]
Page 9
Network Segmentation – Process and Station Bus Networks
Page 10
CIP 5 Standards Consolidated FAQ Oct. 2015 # 23
IEC 61850 is not a data link or network layer protocol, thus declaring IEC 61850 to be a routable or non-routable protocol is not appropriate. Time-critical messages, such as GOOSE messages for direct inter-bay communication, typically run on a flat Layer 2 network without the need for Layer 3 IP addresses.
Page 11
IEC 61850 Deterministic Concepts – GOOSE Mechanism
Sequence Number: 1045, State Sequence: 25
Sequence Number: 1046, State Sequence: 25
Sequence Number: 1047, State Sequence: 25
Sequence Number: 0, State Sequence: 26 (starts a new sequence when the status changes)
Sequence Number: 1, State Sequence: 26
Sequence Number: 2, State Sequence: 26
Sequence Number: 3, State Sequence: 26
Sequence Number: 4, State Sequence: 26
A well designed substation system can determine the health of the network by monitoring sequence or state alarms and indications for fast network diagnosis.
IEC-61850 9-2 Sampled Values operates in a similar manner.
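As an added example (not code from the presentation), the monitor below implements the counter check the slide describes: it tracks State Sequence (stNum) and Sequence Number (sqNum) across a constructed GOOSE capture and raises loss, timeout and replay alarms; the timeAllowedToLive value and the sample messages are assumptions.

```python
"""GOOSE counter health monitor (added example, not from the presentation).
stNum (the slide's "State Sequence") increments on a status change; sqNum ("Sequence
Number") restarts at 0 on each change and increments on every retransmission."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GooseMsg:
    st_num: int   # State Sequence (stNum)
    sq_num: int   # Sequence Number (sqNum)
    t_ms: int     # receive time in ms (constructed)


class GooseHealthMonitor:
    def __init__(self, time_allowed_to_live_ms=2000):   # assumed TAL value
        self.ttl_ms = time_allowed_to_live_ms
        self.last = None

    def observe(self, msg) -> list:
        """Return the alarms raised by this message (empty when healthy)."""
        alarms, prev = [], self.last
        self.last = msg
        if prev is None:
            return alarms
        if msg.t_ms - prev.t_ms > self.ttl_ms:
            alarms.append("TIMEOUT: no message within timeAllowedToLive")
        if msg.st_num == prev.st_num:            # same state: expect sqNum + 1
            if msg.sq_num > prev.sq_num + 1:
                alarms.append(f"LOSS: sqNum jumped {prev.sq_num}->{msg.sq_num}")
            elif msg.sq_num <= prev.sq_num:
                alarms.append(f"DUPLICATE/REPLAY: sqNum {msg.sq_num} after {prev.sq_num}")
        elif msg.st_num == prev.st_num + 1:      # status change: sqNum must restart at 0
            if msg.sq_num != 0:
                alarms.append(f"LOSS: first message of state {msg.st_num} missed")
        elif msg.st_num > prev.st_num + 1:
            alarms.append(f"LOSS: stNum jumped {prev.st_num}->{msg.st_num}")
        else:                                    # stNum went backwards: stale frame
            alarms.append(f"REPLAY/SPOOF: stNum went backwards {prev.st_num}->{msg.st_num}")
        return alarms


def audit_stream(msgs, ttl_ms=2000) -> list:
    """Run the monitor over a capture and return (message index, alarm) pairs."""
    mon = GooseHealthMonitor(ttl_ms)
    return [(i, a) for i, m in enumerate(msgs) for a in mon.observe(m)]


# Constructed capture: the slide's sequence followed by three faults.
SAMPLE = [
    GooseMsg(25, 1045, 0), GooseMsg(25, 1046, 1000), GooseMsg(25, 1047, 2000),
    GooseMsg(26, 0, 2004), GooseMsg(26, 1, 2008), GooseMsg(26, 2, 2016),
    GooseMsg(26, 4, 2064),     # sqNum 3 never arrived
    GooseMsg(26, 5, 5000),     # arrives after timeAllowedToLive expired
    GooseMsg(25, 1048, 5010),  # stale state number: replayed or spoofed frame
]
```

Running audit_stream(SAMPLE) flags message 6 as a lost frame, message 7 as a timeAllowedToLive expiry and message 8 as a stale state number.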
Page 12
Cost Savings and other benefits with Ethernet Technologies
• Up to 40% cost savings with Sampled Values Technology within a substation compared to a traditional copper installation (Based on a 12 Feeder Install)
• IEC-61850 GOOSE reduces copper interconnectivity between devices which results in significant savings in some installations
• Templates and reusable engineering make IEC-61850 an attractive option
• Physical Security and Communications Security is required regardless of technology.
Is NERC CIP compliance too difficult to even consider these technologies?
Page 13
1.) Assess station designations based on CIP-014-01 (4.1.1.2)
2.) Define the (BES) Cyber System (formerly Critical Cyber Assets)
3.) Define Physical Security Perimeter (PSP)
4.) Define Electronic Security Perimeter(s) (ESP)
5.) Provide a Cyber Security Framework to Cyber Assets per CIP Standards
6.) Define Electronic Access Points into ESP(s)
In Version 5, NERC now allows multiple ESPs and does not restrict the ESPs to the 6-wall approach.
Page 14
Physical & Cyber security
• The physical security requirements:
  • Need for authentication before entrance to the station
  • Recognize and alarm in case of unauthorized access
  • Protection against unauthorized access
• Cyber security:
  • Mitigate misuse of access rights
  • Authentication of access
  • Prevent outside threats and attacks on infrastructure
Page 15
Normal NERC CIP Applicable Substations Should Already Include Physical Security Measures
Two Factor Authentication (Something you know, Something you are, Something you have)
Card Scanners, Cameras, Authentication Systems typically are already in place for a NERC CIP Station
The FERC Order No. 706, Paragraph 572, directive discussed utilizing two or more different and complementary physical access controls to provide defense in depth.
Page 16
ESP at the Control House
[Diagram: camera, keypad and card scan at the control house door; 2 Factor Authentication; card scan to retrieve key for breakers; door switch triggers alarm where camera monitors activity; Layer 2 Com's Only inside the ESP]
Page 17
ESP at the Control House
[Diagram: Electronic Security Perimeter with its Electronic Access Point; direct connection to device (networks segregated from the Process Bus); Communications Supervision; Merging Units with all IP services turned off, pure Layer 2 only communications]
Page 18
ESP at the Substation Fence
[Diagram: camera, keypad and card scan at the fence gate and at the control house; 2 Factor Authentication; card scan to retrieve key for breakers; door switch triggers alarm where camera monitors activity; Layer 3 or Layer 2 inside the ESP]
Page 19
Securing the Network
[Diagram: Encrypted Communications; Traffic Limit Firewall; Authentication; Communications Supervision on the links to the Merging Units and to the Enterprise Applications]
Page 20
Disable Unused Ports
CIP-007-5 Table R1
[Diagram: switch ports marked X are disabled]
Even ports used for testing must be disabled at the time of putting the system into service.
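An added example, not from the presentation, of how the ports-and-services baseline behind CIP-007-5 R1 can be checked before a system goes into service: it parses ss/netstat-style listener output (constructed sample) and reports every listener not on the approved baseline, which is an assumed list for a substation HMI.

```python
"""Ports-and-services baseline check (added example, not from the presentation).
The approved list and the listener output below are constructed for this example."""
import re

# Assumed baseline: what the entity documented as needed on a substation HMI.
APPROVED = {("tcp", 102): "IEC 61850 MMS", ("tcp", 443): "HMI web (TLS)",
            ("udp", 123): "NTP time sync", ("tcp", 22): "SSH maintenance"}

# Constructed output of `ss -tulnH` captured on the HMI after commissioning.
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:102    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161    0.0.0.0:*
"""

# proto, state, recv-q, send-q, local address:port
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s")


def parse_listeners(text):
    """Return the set of (proto, port) pairs found in ss/netstat-style output."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def check_baseline(listeners, approved):
    """Return (findings, missing): listeners not approved, approved ports not listening.

    Findings are the ports left open from testing or defaults that CIP-007-5 R1
    requires to be disabled; missing ports usually mean a service is down."""
    findings = sorted(p for p in listeners if p not in approved)
    missing = sorted(p for p in approved if p not in listeners)
    return findings, missing


if __name__ == "__main__":
    findings, missing = check_baseline(parse_listeners(SAMPLE_SS), APPROVED)
    for proto, port in findings:
        print(f"FINDING: {proto}/{port} listening but not in the approved baseline")
    for proto, port in missing:
        print(f"NOTE: approved {proto}/{port} ({APPROVED[(proto, port)]}) not listening")
```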
Page 21
Intrusion Prevention Systems (IPS)
Any product that prevents hackers' access to the network and can take immediate action against the threat
• Reactive
• Can drop the malicious packets
• Block traffic from the source
• Reset the connection
• Firewalls, Anti-Virus, Malware Tools
Page 22
Antivirus and Malware (IPS)
[Diagram: blocked items marked X; CIP-007-5; Logged]
Page 23
Firewall (IPS)
[Diagram: blocked traffic marked X; CIP-007-5; Logged]
Page 24
Intrusion Detection Systems (IDS)
Any product that can detect an intrusion into the network and report or alarm this detection to a management station
• Passive
• Monitors signatures
• Alerts operators
• Creates reports
Page 25
Network-Based Intrusion Detection Systems (NIDS)
[Diagram: NIDS server on the network; Intrusion Detected – Analysis of Intrusion…]
Page 26
Host Based Intrusion Detection System (HIDS)
[Diagram: HIDS on the host; Intrusion Detected – Analysis of Intrusion…]
Page 27
Security Patch Update within 35 days of update release
CIP-007-5 Table R1
Page 28
Updated LDAP → Active Directory
Within 24 hrs of termination
Within 7 days of leaving the position
Page 29
White List and Logging
CIP-007-5 Table R1
[Diagram: Jim-Bob is denied (X)]
White List: 1.) Bobby-Joe 2.) Billy-Bob
Operations Log: 10:30 AM 3/17/14 Invalid Login attempt – Jim Bob
Page 30
White List and Logging
CIP-007-5 Table R1
[Diagram: Billy-Bob is allowed]
White List: 1.) Bobby-Joe 2.) Billy-Bob
Operations Log: 10:30 AM 3/17/14 Logged In – Billy-Bob
Operations Log: 10:30 AM 3/17/14 Changed Relay Settings – Billy-Bob
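An added example, not from the presentation: the slide's whitelist and operations log replayed by a script that flags activity from any user not on the list, a burst of invalid login attempts, and a settings change with no preceding login; the log line format and the extra log lines are assumptions.

```python
"""Replay an operations log against a user whitelist (added example, not from
the presentation; the log line format and the sample log lines are assumed)."""
import re
from collections import Counter
from datetime import datetime

WHITELIST = {"Bobby-Joe", "Billy-Bob"}          # the slide's whitelist

# Constructed operations log in the slide's own line format.
SAMPLE_LOG = """\
10:30 AM 3/17/14 Invalid Login attempt – Jim-Bob
10:31 AM 3/17/14 Invalid Login attempt – Jim-Bob
10:31 AM 3/17/14 Invalid Login attempt – Jim-Bob
10:35 AM 3/17/14 Logged In – Billy-Bob
10:36 AM 3/17/14 Changed Relay Settings – Billy-Bob
10:40 AM 3/17/14 Changed Relay Settings – Bobby-Joe
"""
LINE_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M \d{1,2}/\d{1,2}/\d{2}) (.+?) [–-] (.+)$")


def parse_log(text):
    """Return (timestamp, event, user) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%I:%M %p %m/%d/%y")
            events.append((ts, m.group(2), m.group(3)))
    return events


def review(events, whitelist, invalid_threshold=3):
    """Return alert strings: activity by a non-whitelisted user, a burst of
    invalid logins, or a settings change with no logged-in session."""
    alerts, invalid, logged_in = [], Counter(), set()
    for ts, event, user in events:
        when = ts.strftime("%m/%d/%y %H:%M")
        if user not in whitelist:
            alerts.append(f"{when} {event!r} by non-whitelisted user {user}")
        if event == "Invalid Login attempt":
            invalid[user] += 1
            if invalid[user] == invalid_threshold:
                alerts.append(f"{when} {invalid_threshold} invalid logins by {user}")
        elif event == "Logged In":
            logged_in.add(user)
        elif event.startswith("Changed") and user not in logged_in:
            alerts.append(f"{when} {event!r} by {user} with no logged-in session")
    return alerts


if __name__ == "__main__":
    for alert in review(parse_log(SAMPLE_LOG), WHITELIST):
        print("ALERT:", alert)
```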
Page 31
Turn Off all Non-Critical IP Ports
Page 32
Turn Off all Non-Critical Services
Page 33
Best Practices
- Classify BES Cyber Systems and Assets per V5 requirements
- Segment your networks
- Secure unused ports and services
- Implement malware and virus protection
- Passwords should comply with "complex" requirements
- Firewall settings properly set
- Implement Intrusion Detection and Prevention Systems
- Electronic Access Points to the Substation should be encrypted
- Provide application control software wherever possible
Page 34
Thank you for your attention!