NERC CIPC March 16, 2006 Roadmap to Secure Control Systems in the Energy Sector
description
Transcript of NERC CIPC March 16, 2006 Roadmap to Secure Control Systems in the Energy Sector
NERC CIPCMarch 16, 2006
Roadmap to Secure Control Systems in the Energy Sector
U.S. Department of EnergyOffice of Electricity Delivery and Energy Reliability
Hank Kenchington202-586-1878
CIPC Confidentiality: Public Release
SCOPEDOE multi-laboratory program jointly managed and executed by INL and SNL (other partners include PNL, ANL, NIST, other contractors)
Key program areas:– Assess and mitigate
SCADA system vulnerability– Support development of
security standards– Develop and test advanced
secure control systems technology
– Conduct outreach and awareness
INL
NIST
SNL
PNL
OBJECTIVESupport industry and government efforts to enhance control systems cyber security across the energy infrastructure
National SCADA Test Bed
Key Activities:1. SCADA System Assessments - ABB, AREVA, GE, Siemens2. Provided cyber security training to over 400 end-users3. Evaluated use of COTS IT antivirus and firewall tools in
control systems4. Working closely with electricity sector, developed mitigation
strategies for “top 10” vulnerabilities5. Conducting performance testing and cryptographic
analysis of AGA 126. Evaluated and cataloged existing SCADA Standards
National SCADA Test Bed
Results:1. New “hardened” SCADA systems now being deployed2. Software patches developed by vendors and supplied to
end-users to better secure existing systems
Enhanced SCADA systems in market
Enhanced SCADA systems are being deployed…TODAY
VendorVendor
“Public”Test
Reports
SystemPatches
Asset OwnersAsset OwnersEnhanced SCADA/Control
Systems
Test Direction
“Proprietary” Test
Reports
National SCADA Test Bed
SCADA/ ControlSystems
Lots of activities…but no coordination
DHS S&T SBIR
projects
DHS NCSD Cyber Security
Test Bed
NIST Process Control Security Requirements
Forum
DHS Process Control
Systems Forum
NSF R&D projects DOE National
SCADA Test Bed
DOE Critical Infrastructure Test Range
EPRI EIS projects
AGA 12 Standard
NERC Standards & Guidelines
DHS I3P SCADA
FERC projects
DODTSWG
Roadmap Process
Create Steering Group
Conduct Roadmap Workshop
Prepare Technology Roadmap
Implement Roadmap
Guide Roadmap
Development
Identify Needs and Priorities
Integrate into Plans
Initiate Projects and Partnerships
• Trends & Driver• Challenges &Barriers• Priorities• Action Plans
We Are
Here!
Roadmap Steering Committee
Asset Owners and Operators• Tom Flowers - CenterPoint Energy
(electricity)• Linda Nappier – Ameren (electricity)• Al Rivero – formerly w/Chevron (oil and gas)• David Poczynek – Williams Co. (oil and gas)• Tom Frobase – TEPPCO (oil and gas)• Michael Assante – formerly w/AEP and IEIA
ForumIndustry Organizations• Bill Rush – GTI• Lisa Soda – API• Kimberly Denbow – AGA• Gary Gardner – AGA• Tom Kropp - EPRI
Government• Doug Maughan – U.S. DHS• Hank Kenchington – U.S. DOE• David Darling – Natural Resources Canada
Researchers (National Laboratories)• Tommy Cabe – Sandia National Laboratories• Jeff Dagle – Pacific Northwest National
Laboratory• Bob Hill – Idaho National Laboratory
Roadmap Scope
Time Frames• Near: 0-2 yrs.• Mid: 2-5 yrs.• Long: 5-10 yrs.
Sectors- Electricity - Oil - Gas - Telecom (supporting)
People
Processes Technology
Potential Solutions
See: www.controlsystemsroadmap.net
Workshop Participants
• Led by energy sector owners and operators• Includes representatives from electricity, oil, gas, telecom industries• Engages a cross-section of stakeholders and experts
IndustryOrganizations
CommercialSuppliers
Asset Owners and Operators
Government & Labs
3015
87
ControlSystems,
15
Business and Security, 10
Operations, 5Target Participants
Roadmap Framework
VisionIn 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function.
Key Strategies1. Measure and assess security posture2. Develop and integrate protective
measures3. Detect intrusion and implement
response strategies4. Sustain security improvements
Develop andIntegrate Protective
Measures
Develop andIntegrate Protective
Measures
Detect Intrusion and Implement
Response Strategies
Detect Intrusion and Implement
Response StrategiesSustain SecurityImprovements
Sustain SecurityImprovements
Measure and Assess Security
Posture
Measure and Assess Security
PostureMilestonesMilestonesMilestones MilestonesMilestonesMilestones MilestonesMilestonesMilestones MilestonesMilestonesMilestones
♦ 50% of asset owners and operators performing self-assessments of their control systems using consistent criteria (2008)
♦ Secure connectivity between business systems and control systems within corporate network (2009)
♦ Cyber incident response is part of emergency operating plans at 30% of control systems (2008)
♦ Resolve major info protection and sharing issues between U.S. govt. and industry (2006)
♦ Fully automated security state and common response of control system networks (2015)
♦ Secure control system architectures produced with built-in, end-to-end security (2015)
♦Self-configuring control system network architectures are in production (2015)
♦ Cyber security awareness, education, and outreach programs integrated into energy sector operations (2015)
time
Next Steps• Work with Sector
Coordinating Councils to develop Roadmap Implementation Forum
• Use results to coordinate activities of government, academia, and private sector to align with roadmap
• Use roadmap to guide DOE control systems security program activities
Government
Researchers
IndustryOrganizations
Asset Owners& Operators
Commercial Entities
See: www.controlsystemsroadmap.net
ENDUS Department of Energy
Office of Electricity Delivery and Energy Reliability
Hank [email protected]
202-586-1878