2

PNNL Control System Security Innovation

David Manz, PhDCyber Security ScientistNov. 14th 2018APPA cyber security summitAustin TX

Topics

3

TestbedspowerNETcyberNET

Applied researchPACIFICSSASS-E

Transition to operationsTrainingCommercialization

Science of Cyber Security

4

Problem: Treating as applied science without fundamental science foundationApproach:

Theories for the field to begin building a body of knowledge ANSWERSMethods for performing rigorous scientific experimentation and testing TESTBuild upon successful research to identify key technology DEVELOP

Impact: Move toward symmetry for defenderEnable metrics – ability to measureSupport decision making

Vision for a Testbed

5

Experiment-basedFidelity and repeatability

Simulated environmentsLow-level access to equipment

ScalableEmulation and simulation

Dynamic and flexibleUser-friendlyCommon library of scenario templatesReset to known between configurations

Multi-user capabilityExperiment and data separationAccess controls

Modular and expandableFederation capable

Self supported user community

Cloud technology based orchestration with web based user portalNetwork Emulation

Emulate LAN/WAN communication characteristics. Examples:

Dedicated LineDial-upWireless

SCADA environmentsReal equipment to model ~2 substations

ABB, GE, Siemens, SEL, …Software simulation of dozens of SCADA equipmentSupport for legacy communications

PNNL powerNET Facilities

powerNET Facilities (cont.)

Physical Process EmulationHardware-in-the-loop modelingOpal-RT Large scale simulation

Synchrophasors9 PMUs from variety of vendors

1 PMU Development Platform1 Hardware PDC

(Many software PDCs possible)

Up to ~1000 general purpose virtual nodes possible

XenServer hypervisorEnergy Management System

Alstom System

7

PNNL cyberNET Facilities

8

Facility investment by PNNLScientific experimentationReal world scenariosCyber security metrics

LeveragesCommodity hardwareCommercial and open source software

Citrix XenServer, OpenStackAgent platform for user emulation

PNNL modifications for scienceRepeatability, sensoring, control…

cyberNET Facilities (cont.)

9

Combination of simulation, virtualization, and real equipmentRepository for storage/retrieval of experiment data

120TBSupport development of “gold standard”test datasets

Multi-user/multi-project supportShare resourcesQuick setup/configuration

Simulate up to ~4000 virtual nodesCurrently 28 nodes (32 core, 256GB)

ApproachProblem

Proactive Adaptive Cybersecurity for Control (PACiFiC)

• Operational technology (OT), [control systems & their environment], are in use in our high consequence infrastructures.

• Current OT is insecure, out of date, static, and targeted by our adversaries

• Define secure design and development principles that apply to all OT systems

• Develop and test adaptive cyber defenses holistically• Include human, cyber, communications, and process

physics

10

PACiFiC in a Nutshell

11

PACiFiC Microgrid (PµG) Model

PµG topology specifications 37-node feeder Controllable Generation

• 2*Solar farms -• 3*Roof-top solar -• 2*Battery storage units -

Controllable Load• n*Simulated buildings –• 1*Real-world building -

12

PACiFiC Progress

Microgrid and Building Sandbox

Sensor Fusion

1. Operating Context2. Threat-Based Response

Risk-Informed Action

1. Deception2. Operational Segmentation

13

PACiFiC Progress

14

Outcomes

PACiFiC Impact

• Demonstrations of measurably more secure, reliable, robust, and resilient control systems retaining performance

• Facilities for next generation OT testing, evaluation and experimentation

• Prototype technologies for analysis and defense of OT environment

• Drive new & secure products to market• Enable vendors to compete on security• Promote testing and independent certification• Enhanced national capability in measuring, testing,

and demonstrating OT cyber security

Deliverables FY 19

15

Protect• Digital Ants• SSCP• Cyber Security Component

Manager• GPS Security• Secure Power System

Professionals• IEC 61850 Cybersecurity

Acceleration• Facilitate Secure ICCP• Secure Coding• Load Drop Study• SIEgate• Substation Watchdog• SPIDERS

Detect• Cybersecurity for EMS Decision

Support• SCI-FI• CRISP• CLIQUE• Traffic Circle• Scalable Reasoning System

Respond• NERC E-ISAC GridEx• FedSec• LiveWall• CORE• Incident Response

PNNL Grid Cyber Security at a Glance

Collaboration with Academia, National Labs,

Utilities, and Vendors.

Identify• ARRA SGIG• Procurement Language• ES-C2M2 / Pilot Analytics• NIST Framework & ES-C2M2 Mapping• NERC CSSWG Support

Recover• EDS Forensics

Build a Culture of Security

Assess & Monitor Risk Develop & Implement

New Protective Measures to Reduce Risk

Sustain Security Improvements Manage

Incidents

The PNNL Mission supports DOE with Incident Response, Exercises, Assessments, and Grid Cyber Research

16

SSASS-E: Safe, Secure Autonomous Scanning Solution for Energy Delivery Systems An Innovative Solution for Real-Time Vulnerability Discovery and Monitoring

► Goal: This solution will develop, validate and verify innovative safe scanning methodology, models, architectures and produce a prototype to transform the most widely deployed vulnerability scanner in the IT space to secure operational technology (OT) installed in critical energy infrastructure.

► Technical Approach: Leverage, validate, verify and improve methodologies and technology supporting Tenable’s IT/OT platform, which is the world’s most widely deployed vulnerability, configuration, and compliance assessment product in order to:► Improve the state of the art in asset discovery and vulnerability identification of EDS for active, passive, intermittent and

continuous scanning approaches► Validate and verify methodologies for automatic safe scanning of legacy EDS, IT, OT and web

applications to accurately identify vulnerabilities

► Outcomes/Impacts: Autonomous detection of vulnerabilities targeting EDS.

Partners: Tenable Security, Chelan County PUD, National Rural Electric Cooperative Association (NRECA), University of Illinois at Urbana-Champaign (UIUC), and Siemens.

Safe and Secure Autonomous Scanning Solution for Energy Delivery Systems

17

Hands on Training

Tailored content and format for audienceWorked with utility industry on human factors

Provided 1,3,4 day training for USG analystsOn site and remote training options as wellMulti-directorate team

18

National Collegiate Cyber Defense Competition

Fabricated 10 physical SCADA models

3 Raspberry Pi + Codesys PLCs1 Arduino ground truthLights, displays, etc

Developed 10 virtual substation environments

Wonderware HMITriangleMicroworksSCADA DatagatewayAudit, log, IDS servers

Real world protocols, architectures and applications19

Problem: R&D has little value if it is not transitioned into operational environments150+ companies trace origins to PNNLTechnology Transfer

Secure SCADA Communication ProtocolSerial Tap

Commercializing Science and Technology

20

Designed and developed with industry guidanceMeets control system security objectives

ConfidentialityIntegrityAvailability

SSCP is going to ballot as IEEE standard 1711.2

SSCP Overview

21

Bump-in-the-wire tap sits in front of legacy devices

Extends vision into field locationsPassive failure for no impact on operationsTransmit in form easily digestible by enterprise tools

Light processing at edge; centralization of data for high resource analyticsCynash licensed https://cynash.com/

Available now

Serial Tap

22

New Opportunities

Custom testing/ experimentation environments for assurance and evaluation

Assurance before technology is deployedScientifically based, collaborative processes for validation and verification

Evaluate consequences and risk for critical assetsTailored training and education

For desirable cyber-physical intersections

23

24

David Manz, PhDSenior Cyber Security ScientistNational Security Directorate

david@pnnl.gov

pacific.pnnl.gov

24