CYBER SECURITY TRENDS FOR FUTURE SMART GRID SYSTEMS. Y. Illuz* G. Wainblat S. Barda ECI Telecom ECI Telecom ECI Telecom Israel Israel Israel

Transcription

1 XVI ERIAC DECIMOSEXTO ENCUENTRO REGIONAL IBEROAMERICANO DE CIGRÉ Puerto Iguazú, Argentina 17 al 21 de mayo de 2015 D2-05 Comité de Estudio D2 - Sistemas de Información y Telecomunicaciones para Sistemas de Potencia CYBER SECURITY TRENDS FOR FUTURE SMART GRID SYSTEMS Y. Illuz* G. Wainblat S. Barda ECI Telecom ECI Telecom ECI Telecom Israel Israel Israel SUMMARY - Current power grids increasingly emerging into smart networked grids and are more accessible from the public internet which poses new cyber threats in the grid. More computer based systems are introduced into power networks in order to monitor and control the network. Future model smart grid and micro grid systems will be based on data flows for communication of system status, usage and control throughout the network infrastructure in addition to the power flow. This creates new security threats on the power grid. Instead of relying mainly on power plants for power generation, there will be a combination of multiple generation sources and at the same time wider use of electrical computer based equipment by consumers. Both increase the amount of data flows in the network as well as introduce additional vulnerable spots. Vulnerability of the power grid to cyber-attacks increases even more because of the wide use of SCADA networks. SCADA networks are more accessible to the internet and lack authentication and authorization mechanisms therefore expose the grid to threats such as DDOS, Data interception, Data alteration and additional hacking threats. The transition from present to future model has already begun and rapidly growing while it already poses new security challenges which must be attended immediately. It is essential to introduce immediately a single comprehensive security solution which will provide fast detection and prevention tools to cope with a variety of threats with different nature and from multiple sources. The solution should not be tightly coupled with each device in the network so it won t require upgrade of the devices inside the grid. The Cyber defense solution should be versatile using variety of cyber technologies such as Firewalls, anomaly detection, Big Data analytics, machine learning and more in a network wise combination. KEYWORDS - Cyber Security, Smart Grid, DDOS, Big Data * yuval.illuz@ecitele.com

2 Smart Grid and IoT Smart Grid technologies will allow for utility operators to have greatly improved situational awareness about grid operations. These systems will improve the resiliency and reliabity of the grid, as power can be quickly rerouted around damaged components, and as utilities can more quickly detect and repair affected portions of the grid. Smart Grid technologies will also allow for the connection of many appliances, systems and tools that previously remained unconnected to the grid [1]. Smart Grid customers are the Internet of Things - the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment. The growth in IoT will far exceed that of other connected devices, resulting in a population of about 26 billion units by 2020 [2]. With these innovations there are significant security challenges as these devices represent a new attack vector for malware or other disruptions. Securing these components will be vital to the health and success of widespread smart grid adoption and the use of connected smart appliances. As new renewable energy sources (e.g. wind, solar and hydropower) will become widely available in addition to traditional ones (e.g. nuclear energy and fossil energy - like oil, coal and natural gas) [3], smart grid management and security will become crucially important. However, IoT is not only about the billions of new connected objects and inspecting the staggering amount of data they are producing. While the dramatic increase in the number and types of connected objects certainly expands the attack surface and dramatically increases the diversity of threats, they are only part of the IoT security challenge. Another new challenge is the convergence of the organization s existing IT network with the Operational Technology (OT) network (e.g. manufacturing floors, energy grids, transportation systems, and other industrial control systems) [4]. Cyber Threats In general, many types of threats decorate the cyber threat landscape of the recent years: Information Warfare, Cyber Espionage, Cyber Crime, Cracking, Hacktivism and Cyber Terror [5]. Protecting the national electricity grid from cyber-attacks is a critical national security issue. Evidence collected suggests that cyber-attacks on key energy infrastructure - and on the electricity system in particular - are increasing, both in frequency and sophistication. These trends are alarming because the potential consequences of a successful large-scale cyber-attack - or combined cyber and physical attack - on the electric power sector are difficult to overstate. As previous grid failures have shown, any event that causes prolonged power outages over a large area would not only be extremely costly, it would wreak havoc on millions of people s daily lives and could profoundly disrupt the delivery of essential services, including communications, food, water, health care, and emergency response. Moreover, cyber threats, unlike traditional threats to electric grid reliability such as extreme weather, are less predictable in their timing and more difficult to anticipate and address. A cyber-attack could come from many sources and - given the size and complexity of the nation-wide electric grid - could target many potential vulnerabilities. For this reason, experts agree that the risk of a successful attack is significant, and that the system and its operators must be prepared to contain and minimize the consequences [6]. There is a substantial amount of data that flows within the Smart Grid networks, used to connect between the distributed energy sources and multiple consumers in a smart, balanced and controlled way. This information flow is sometimes accessible to the public networks (e.g. Internet), hence exposing the Smart Grid network to potential multi-layered cyber-attacks. Many typed of attacks combine several attack vectors into the target network.

3 Figure [1] - Percentage of critical infrastructure enterprise executives reporting large-scale DDoS attacks and their frequency [7] Cyber Security Protection Approach The right approach for providing a proper Cyber Security Solution is to define a holistic, intuitive and customized approach which provides safe network against multilayer cyber-attacks, including zero day attacks. Multi-layered approach in order to provide comprehensive and coherent protection, one must design and set in place defense mechanisms through layer 1 till 7 of the OSI model [8], adding Layer 8 as user's layer. The following figure depicts the conceptual multi-layered approach for Smart Grid protection. Figure [2] Graphical representation of holistic Cyber Security approach for Smart Grid networks DDOS Protection - A real-time, behavioral based attack mitigation device that protects the organization infrastructure against network and application downtime. Appropriate solution must provide distributed denial of service (DDoS) mitigation and SSL-based protection to fully protect applications and networks against known and emerging network security threats such as denial of service attacks, DDoS attacks, Internet pipe saturation, attacks on login pages, attacks behind CDNs, and SSL-based flood attacks.

4 Network Anomaly Detection - Profiles the normal behavior of the network and detects the subtle behavior deviations that could represent suspicious activity. This technology doesn't require user defined inputs (e.g. custom rules). As input, it receives mirror traffic as well as DPI results from another IDS engines while producing session based information which indicates the existence of malicious agents. Figure [3] Graphical representation of Network Anomaly Detection Big Data - Centralized mechanism for collected alarms aggregation, normalization, correlation and prioritization from distributed Cyber cards and managed devices. Cyber Management System logging module should maintain all historical occurrences of alarms/events and ability to export them sored for UI purposes. Alarms collection mechanism from all managed devices is useless unless there is a synchronization of the collected information into a singular view describing the security breach. Data Analytics - Sophisticated logical analysis of cross-data patterns to identify breaches and threats based on multiproduct and multilayer information logic: Logs/database collection from any Network Element into a data-lake Set of heuristics/algorithms to identify security attacks Tools for cross reference identification based on variety of data Figure [4] Graphical representation of Big Data Analytics Machine Learning - Use such techniques on known breaches to provide future-proof security protection (e.g. against Zero-day attacks) and anomaly behavior identification. Protection from Zero Day attacks: Develop measuring, preprocessing and learning models which based on current known patterns of behavior and produce prediction of future breaches patterns. After optimization process, one can load those patterns on IDS/IPS Cyber engines to provide future proof protection.

5 Anomaly behavior identification - Present methods for anomaly behavior identification of cyber data, alerting when suspicious and possibly malicious activity occurs. SCADA Protection in order to keep Utilities OT network out of harm's way, there is a need to use a holistic approach, comprised of several technologies: SW/HW unidirectional protection, FW for SCADA protocols and SCADA DPI (Deep Packet Inspection). 1. SW Unidirectional protection - A dual-node approach for securing the network from the outside. Recommended solution uses a two-tier deployment architecture, comprising of External Node and Internal Node. The role of the external node is to act as a front-end to all services published. This node ensures that only legitimate session data can pass through into the internal network. It operates without opening any ports within the external firewall. The role of the internal node it to pull the session data into the internal network from the external node, scan it using various application level security techniques, and then pass it on to the destination application server. 2. SCADA DPI - Fast and optimized pattern match mechanism: state-full aware, per packet deep inspection, quickly identify existence of common signatures within the packet, match to signatures based on set of rules, ability to load any rule/signature on run time with no traffic affecting, dynamically updated signatures, focus on MODBUS, DNP3, BACnet and additional SCADA protocols. Analysis process composed of two levels: 1. Quickly filters out the vast majority of traffic which is clearly harmless (looking for simple signatures at a low CPU cost). Traffic which marked as suspicious (common attack signature found), forwarded to additional analysis. 2. Seeks deeper in the packet and keeps tracking the connection to increase level of certainty and reduce false positives. 3. SCADA Unidirectional Firewall - Central Cyber NFV [9] Card located at the control center ensure first line of defense for SCADA protocol handles, such as protocol validations, user and network authentication, secure encrypted channel to other cyber cards located at the edge of the OT network (substations). Edge Cyber cards located at the substations ensures only legitimate SCADA traffic designated to the substation will pass-through: connected through the secure channel to the main cyber card, retrieve only the related sessions which finds as legitimate to be processed. Performs a set of additional, rigorous investigation rules (which complete the first set of rules) to validate completely the sessions Both engines should include Layer 3, 4 and layer 7 filtering in addition to granular content state-full inspections of industrial applications and traffic role-based validation of SCADA flows. BIBLIOGRAPHY [1] Securing the U.S. Electrical Grid (Center for the Study of The Presidency & Congress, July 2014) [2] "Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020" (Gartner, December 2013) [3] Energy.gov [4] To Succeed with Big Data, Enterprises Must Drop an IT-Centric Mindset; Securing IoT Networks Requires New Thinking (Cisco Blog, October 2014) [5] Cyber Security Threats, Dr Paul Twomey (The Lowy Institute for International Policy, September 2010) [6] Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat (Bipartisan Policy Center s Electric Grid Cybersecurity Initiative, February 2014) [7] Smart Grid - Safe, Secure, Self-Healing (IEEE Power & Energy, January 2012) [8] ISO/IEC standard :1994 [9] Network Functions Virtualization - Introductory White Paper (ETSI, October 2012)