Power System Cybersecurity: Threats, Challenges, and Barriers
Transcript of Power System Cybersecurity: Threats, Challenges, and Barriers
Nathan Wallace, PhD, CSSA, Cybersecurity Research Engineer
05 Jan. 2017
Personal Background
Volunteering:
• EE Intern: Drafting
• EE Intern: Protection Settings & Config
• Associate Engineer: Transmission System Protection
• Research Associate / Visiting Lecturer
• Staff Engineer / Cybersecurity Researcher
Overview
• Why: State of Affairs: Grid & Cyberspace; Cybersecurity => Safety; Misconceptions & Challenges
• What are we missing: Cyber-aware devices and systems
80–95% of the Grid’s Cyber Assets Fall Outside NERC-CIP
80–90% of the Grid’s Cyber Assets are Outside NERC-CIP
Most Violated: NERC-CIP & NERC-PRC
Security: “The facet of reliability that relates to the degree of certainty that a relay or relay system will not operate incorrectly.” (slide overlay text: “cyber device or”)
Cyber Security
• Nation States
• Hackers
• Vendors
• Intentional Insider
• Accident Insider
• Misconfiguration
Cybersecurity = Physical + EMI + Digital [Computing & Communications]
Two Infrastructures
• Physical • Cyber
Residential, Industrial, Commercial
Generation, Transmission, Distribution
Control Center; Distribution Control Center; RTOs/ISO
2016 Tech Expo: Virtual reality used to fix a steam turbine that’s located hours away.
State of Affairs: The Grid
Monitoring Points, Control Point
Markets, Operations, Service Provider
Generation, Transmission, Distribution, Customer
State of Affairs: The Grid
Communication
CYBER
                Northeast Outage 2003   Arizona Outage 2007   FPL Outage 2008   Ukraine Attack 2016
Load Lost       61,800 MW               400 MW                4,300 MW          230,000 Customers
Intent          Unintentional           Unintentional         Unintentional     Intentional
Cyber Caused    Yes                     Yes                   Yes               Yes
Computational
“Our expectation is that the modernized electricity grid will be 100 to 1000 times larger than the Internet” – CISCO VP
State of Affairs: The Grid ‘Grid of Things’
• Advanced Metering
• Electric Vehicles
• Distributed Generation
• Grid Modernization
• Distribution Automation
State of Affairs: Cyberspace (http://map.ipviking.com/)
• Avg price per 0-Day
• Avg number of days a 0-day remains private
• Avg number of days till patch is issued
• Avg number of newly created malware samples per day
• Avg dwell time till detection
Values as shown on the slide: USD $40,000–$160,000; 151 days; 300,000; 205 days; 120 days
State of Affairs: Cyberspace & Cyberwar
“Global Cyber Weapon Market Expected to Reach USD 522 billion in 2021.” – Global Newswire, 2015, Transparency Market Research Report
Cybersecurity => Safety
21 Lines of Code; Aurora Generator Test
Distribution System Operator; Virtual Power Plant
Common Misconceptions
• We are not a target. (Ipviking, Shodan, ICS-CERT, Foreign FTP servers)
• Minimum security needed, we are low impact. (Ukraine, Changing Standards, State Regulations)
• We are not connected to the Internet. (Stuxnet, Reporting capacity to RTO, Firewalls)
Challenges
Misconception: We are not a target. Ipviking, Shodan, ICS-CERT, FTP servers
[Chart: incidents per year, 2012–2015; y-axis 0–350]
FTP servers
• Seven file (FTP) servers with no authorization
• Passwords, electrical drawings, communication drawings (IP, protocols), etc.
• File servers contained malicious code
• 71 Generation Plants
• ~20,000 Files: Generation, Transmission, Distribution Systems “From New York to California”
“Digital clues pointed to foreign hackers.”
Source: AP Investigation: US Power Grid Vulnerable to Foreign Hacks. Dec. 21, 2015
Misconception: Minimum security needed, we are low impact. Ukraine
30 Stations De-energized
• 7 110 kV stations
• 23 35 kV stations
• ~3 to 6 hrs to re-energize
• 230,000 customers impacted
• Telephone denial of service
• Breached 6 months prior
• Altered firmware at substations
“We were blinded” – Control Center Operator, Dec 23 2015
Source: E-ISAC. Analysis of the Cyber Attack on the Ukrainian Power Grid. March 18, 2016
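The “altered firmware at substations” finding is the one defenders most often ask how to catch. The following is an added illustration, not material from the talk or from E-ISAC: an out-of-band integrity audit that compares the image read back from each field device against a golden manifest, and authenticates the manifest itself with an HMAC so that an intruder who can rewrite a device image cannot also silently rewrite the record it is checked against. Device names, image bytes and the key are constructed for the example.

```python
"""Firmware integrity audit against an authenticated golden manifest (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: Dict[str, bytes], key: bytes) -> dict:
    """Record the approved hash per device and bind the record with HMAC-SHA256.

    The HMAC key is held by engineering, not on the substation network, so a
    modified device image cannot be 'legitimised' by editing the manifest.
    """
    body = {dev: sha256_hex(img) for dev, img in sorted(images.items())}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """True only if the manifest body still carries a valid tag (constant-time compare)."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def audit(manifest: dict, key: bytes, observed: Dict[str, bytes]) -> Tuple[str, List[str]]:
    """Compare images read back from devices with the manifest.

    Returns (status, findings); status is 'OK', 'TAMPERED' or 'UNTRUSTED_MANIFEST'.
    A manifest that fails its own check is never used as a reference.
    """
    if not verify_manifest(manifest, key):
        return "UNTRUSTED_MANIFEST", ["manifest HMAC does not verify; its hashes cannot be trusted"]
    findings: List[str] = []
    for dev, approved in manifest["body"].items():
        if dev not in observed:
            findings.append("%s: no image read back" % dev)
        elif sha256_hex(observed[dev]) != approved:
            findings.append("%s: firmware hash differs from approved image" % dev)
    for dev in observed:
        if dev not in manifest["body"]:
            findings.append("%s: device not in manifest (unknown asset)" % dev)
    return ("TAMPERED" if findings else "OK"), findings


# Constructed data: three serial-to-Ethernet converters and their approved images.
KEY = b"constructed-demo-key-not-for-production"
APPROVED = {
    "conv-A": b"FW v2.1 image bytes",
    "conv-B": b"FW v2.1 image bytes",
    "conv-C": b"FW v1.9 image bytes",
}
MANIFEST = build_manifest(APPROVED, KEY)


def demo_clean() -> Tuple[str, List[str]]:
    """Every device still runs its approved image."""
    return audit(MANIFEST, KEY, dict(APPROVED))


def demo_altered() -> Tuple[str, List[str]]:
    """One device's image has been overwritten (constructed)."""
    observed = dict(APPROVED)
    observed["conv-B"] = APPROVED["conv-B"] + b"\x00" * 16
    return audit(MANIFEST, KEY, observed)


def demo_forged_manifest() -> Tuple[str, List[str]]:
    """The manifest hash for conv-B was edited without the key, so the tag no longer matches."""
    forged = {"body": dict(MANIFEST["body"]), "tag": MANIFEST["tag"]}
    forged["body"]["conv-B"] = sha256_hex(b"some other image")
    return audit(forged, KEY, dict(APPROVED))


if __name__ == "__main__":
    for name, fn in (("clean", demo_clean), ("altered", demo_altered), ("forged manifest", demo_forged_manifest)):
        status, findings = fn()
        print("%-16s %-19s %s" % (name, status, "; ".join(findings)))
```

The check is deliberately performed from outside the substation network, with images read back over the same management path used to load them; the point the Ukraine case makes is that the device itself is no longer a trustworthy witness once its firmware may have been replaced.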
Misconception: Minimum security needed, we are low impact. Ukraine, Changing Standards
[Timeline figure, 2000–2017, voluntary to mandatory: NERC Physical Security v3; 1st IEEE Substation Security Standard; Energy Policy Act (2005); FERC designates NERC as ERO; NERC updates Asset ID CIP-002 v4; Stuxnet discovered (2010); FERC approves Asset ID CIP-002 v4; Metcalf attack (Apr 2013); NERC effective Asset ID CIP-002 v5.1; Ukraine (Dec 2015); FERC to approve NERC CIP v7 (2017). Other axis marks: 2000, 2002, 2007, 2012, 2015]
‘Code moves faster than Policy’
Misconception: Minimum security needed, we are low impact. Ukraine, Changing Standards, State Regulations
Misconception: We are not connected to the Internet. Stuxnet, Reporting Capacity to RTO, Firewall
Aug 13th 2016, accidental release of 0-day vulnerabilities kept by a Govt. (Cisco, Juniper, etc.)
Challenges: No Longer Can Set It and Forget It
Challenges: Cybersecurity: Whose Responsibility is it?
IT Dept. vs OT Dept.
- Software to determine how power flows and when breakers open/close
- Apache, Telnet, SSH, MySQL, FTP, LDAP, Embedded Linux, Windows, etc.
- Virtual Power Plants and protection relays, software defined networking
Challenges: Complexity and Age
Power Grid / Space Station VS TV / Integrated Circuit
• Age is physical and has visual indicators
• Age is an abstraction and exists in software
Challenges: Vendor Confusion / Sales Pitches
Example 1: Install smart meter to ‘side-step cybersecurity requirements’
Issue: How are the values being used when received…
Example 2:
Issue: Software and protocols have a tendency to become vulnerable over time (Poodle, Heartbleed, Shellshock, etc.)
What are we missing
Exhibit 4.1.1 Strategies for Achieving Energy Delivery Systems Cybersecurity
Vision: By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.
Strategies: Build Culture of Security; Assess and Monitor Risk; Protective Measures to Reduce Risk; Manage Incidents; Sustain Security Improvements
Near-term (0–3 years) By 2013
• 3.1 Capabilities to evaluate the robustness and survivability of platforms, systems, networks, and systems
• 4.1 Tools to identify cyber events across all levels of energy delivery system networks
• 4.2 Tools to support and implement cyber attack response decision making for the human operator
Mid-term (4–7 years) By 2017
• 4.4 Real-time forensics capabilities
• 4.5 Cyber event detection tools that evolve with the dynamic threat landscape
Long-term (8–10 years) By 2020
• 2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains.
• 4.7 Capabilities for automated response to cyber incidents.
What are we missing
[Layered model figure: Business Layer (Requirements, Regulations, Incentives); Life-Cycle Management Layer (Design, Upgrades, Ops, Disposal); Operations Layer (Monitor, Control); Cyber-Physical Layer (Sensors, Computing Platform, Models, Power System State, Controller); Physical Layer. Models, Current vs New: Cyber, Phys., CPS; Phys., Econ.]
What are we missing
Cyber Infrastructure (Computation & Communication)
Physical Infrastructure (Flow of Power)
Protection and Control: Detection, Processing, Manipulation
Physical: Inputs: Currents, Voltages, Impedance, Status (open, close, lockout). Output: Open/Close Bkr, +/- Vars
Cyber: Inputs: Topology, traffic flows, deep packet inspection, communication state, state of physical power system. Output: NOTHING!
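The contrast the slide draws is that a protection relay turns its measurements into a trip output, while the cyber infrastructure takes in topology, traffic, communication state and physical state and outputs nothing. The following is an added illustration of what a “cyber-aware” output could look like, written for this transcript rather than taken from the talk or from any vendor: a monitor that reads control commands seen on the substation network together with the relay’s own measurements and emits a decision per command the way a relay emits a trip. The allowlisted gateway address, the protocol names treated as legitimate control carriers, the breaker IDs, the rate threshold and the log format are all constructed assumptions.

```python
"""Cyber-aware control monitor: a protective output for the cyber infrastructure (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical engineering baseline for one substation (constructed values).
ALLOWED_CONTROL_SOURCES = {"10.0.1.10"}               # the control-center gateway
ALLOWED_CONTROL_PROTOCOLS = {"dnp3", "iec61850-mms"}  # protocols expected to carry controls
MAX_OPENS_PER_WINDOW = 2                              # more breaker opens than this per window is abnormal
WINDOW_SECONDS = 60.0


@dataclass
class PhysicalState:
    """What the relay already measures: load current per breaker and whether a protection element picked up."""
    line_current_a: Dict[str, float]
    protection_pickup: Dict[str, bool]


@dataclass
class Command:
    ts: float
    src: str
    proto: str
    breaker: str
    action: str  # "open" or "close"


def parse_command_log(lines: List[str]) -> List[Command]:
    """Parse constructed log lines of the form '<ts> <src-ip> <proto> <breaker> <action>'."""
    cmds = []
    for line in lines:
        ts, src, proto, breaker, action = line.split()
        cmds.append(Command(float(ts), src, proto.lower(), breaker, action.lower()))
    return cmds


def evaluate(cmd: Command, state: PhysicalState, recent_opens: List[float]) -> Tuple[str, List[str]]:
    """Decide ALLOW, ALARM or HOLD for one command.

    Cyber evidence (unexpected source or protocol) gives HOLD: the command is not executed
    until an operator confirms it. Physical-side doubt alone (an open on a loaded line with
    no fault detected, or too many opens in a short window) gives ALARM, because operators
    do open loaded lines for legitimate reasons and the monitor must not trip them itself.
    """
    cyber: List[str] = []
    physical: List[str] = []
    if cmd.src not in ALLOWED_CONTROL_SOURCES:
        cyber.append("source %s is not an authorised control point" % cmd.src)
    if cmd.proto not in ALLOWED_CONTROL_PROTOCOLS:
        cyber.append("protocol %s is not expected to carry controls" % cmd.proto)
    if cmd.action == "open":
        loaded = state.line_current_a.get(cmd.breaker, 0.0) > 0.0
        faulted = state.protection_pickup.get(cmd.breaker, False)
        if loaded and not faulted:
            physical.append("open on a loaded line with no protection pickup")
        in_window = [t for t in recent_opens if cmd.ts - t <= WINDOW_SECONDS]
        if len(in_window) + 1 > MAX_OPENS_PER_WINDOW:
            physical.append("%d opens within %.0f s exceeds baseline" % (len(in_window) + 1, WINDOW_SECONDS))
    if cyber:
        return "HOLD", cyber + physical
    if physical:
        return "ALARM", physical
    return "ALLOW", []


def run_monitor(lines: List[str], state: PhysicalState) -> List[Tuple[Command, str, List[str]]]:
    """Run the monitor over a command log; one (command, decision, reasons) per line."""
    results = []
    recent_opens: List[float] = []
    for cmd in parse_command_log(lines):
        decision, reasons = evaluate(cmd, state, recent_opens)
        if cmd.action == "open":
            recent_opens.append(cmd.ts)
        results.append((cmd, decision, reasons))
    return results


# Constructed sample: three feeder breakers, CB1 and CB2 loaded, none with a fault picked up.
SAMPLE_STATE = PhysicalState(
    line_current_a={"CB1": 310.0, "CB2": 290.0, "CB3": 0.0},
    protection_pickup={"CB1": False, "CB2": False, "CB3": False},
)
# Constructed log: a routine close, an operator-initiated open, then a burst of opens
# from a host and protocol that never carry controls in this substation.
SAMPLE_LOG = [
    "1000.0 10.0.1.10 dnp3 CB3 close",
    "1030.0 10.0.1.10 dnp3 CB1 open",
    "1041.0 10.0.1.77 http CB1 open",
    "1042.0 10.0.1.77 http CB2 open",
    "1043.0 10.0.1.77 http CB3 open",
]


def decisions(lines: List[str] = SAMPLE_LOG, state: PhysicalState = SAMPLE_STATE) -> List[str]:
    """Just the decision column, for quick checks."""
    return [d for _, d, _ in run_monitor(lines, state)]


if __name__ == "__main__":
    for cmd, decision, reasons in run_monitor(SAMPLE_LOG, SAMPLE_STATE):
        print("%7.1f %-10s %-12s %-3s %-5s -> %-5s %s"
              % (cmd.ts, cmd.src, cmd.proto, cmd.breaker, cmd.action, decision, "; ".join(reasons)))
```

On the sample the routine close is allowed, the operator’s open of a loaded line is allowed but alarmed, and the three opens from the unexpected host are held, with the rate reason appearing once the third open falls inside the window. The design point is that the physical state is used as corroborating evidence for a network-side decision, which is exactly the input the slide lists as available and unused.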
IEEE Computer Society New Orleans Chapter
Meeting Ideas; Meeting Locations
Take our Survey: What are your Interests and Ideas?
The scope of the Computer Society shall encompass all aspects of theory, design, practice, and application relating to computer and information processing science and technology.
http://sites.ieee.org/neworleans/cs-survey/