Cyber Security for the Smart Grid: A R&D Perspective

Transcription

1 NATO Advanced Institute on Energy Security Antalya, Turkey, October 4-11, 2015 Cyber Security for the Smart Grid: A R&D Perspective Manimaran Govindarasu Dept. of Electrical and Computer Engineering Iowa State University [email protected] 1

2 Outline Basics of cyber security concepts Cyber Security of WAMPAC - overview Cyber Risk Assessment - overview Cyber Security Testbeds - overview Cyber Security Standards & Best practices AMI Security & Privacy Conclusion 2

3 Smart Grid: A Cyber-Physical System Source: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0, February

4 Smart Grid: A Cyber-Physical System Source: 4

5 SCADA Control Network 5

6 Cyber Threats Landscape (DOE/NERC HILF Report) 6

7 Cyber Threats to Critical Infrastructures Cyber-Based Attacks Protocol Attacks Routing Attacks Intrusions Worms / Spyware/ Malware Denial of Service (DoS) Insider Threats [General Accounting Office, CIP Reports, 2004 to 2010]; [NSA Perfect Citizen, 2010]: Recognizes that critical infrastructures are vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders. 7

8 Power Grid Cyber Security Roadblocks Legacy systems Geographically disperse Insecure remote connections Long system deployments Limited physical protections Adoption of standardized technologies with known vulnerabilities Connectivity of control systems to other networks No fail-closed security mechanisms Widespread availability of technical info 8

9 Securing system is difficult Open and interoperable protocols Security vs. performance tradeoff Security vs. usability tradeoff Security is expensive Attackers enjoy breaking into a system Security had been not a design criteria Threat landscape is dynamic and continuously evolving. 9

10 1.3 Information & Network Security concepts 10

11 Confidentiality: Security Properties Message content should be accessed by authorized users only Achieved by using encryption Integrity: Making sure that message was not altered (in transit, or later) without detection Achieved by using hashing Availability: services must be accessible and available to authorized users Authentication: Sender, receiver want to confirm identity of each other Achieved by using digital signatures Non-Repudiation: The actual sender can not claim that he did not send the message Achieved by using digital signature 11

12 Symmetric Key Encryption 12

13 Asymmetric Key Encryption 13

14 Authentication Digital Signatures 14

15 Security Properties Priorities Traditional IT Systems Industrial Control Systems Confidentiality Availability/Integrity Integrity Integrity/Availability Availability Confidentiality Power Grid Applications Sample Cyber Security Requirements Power Grid Applications Information & Infrastructure Security Application Security AMI I, AT, C I, N DMS I, A, AT I, AT EMS I, A, AT I, AT WAMPAC I, A, AT, C I, A Power Markets I, A, AT, C I, N Confidentiality (C), Integrity (I), Availability (A), Authentication (AT), Non-repudiation (N) 15

16 Network Security Firewalls Firewalls control flows of network traffic between networks or hosts based on security policies. Recommendations for improving effectiveness and security of firewalls Create firewall policies that specifies how firewalls should handle inbound and outbound network traffic. Create rule sets that implement the organization s firewall policy while supporting firewall performance. Identify all requirements that should be considered when determining which firewall to implement. Manage firewall architecture, policies, software, and other components throughout the life of the firewall solutions. Source: Guidelines on Firewalls and Firewall Policy, NIST Special Publication , September

17 Network Security Firewalls Firewall Technologies Packet Filtering Stateful Inspection Application Firewalls Application-Proxy Gateways Dedicated Proxy Servers Virtual Private Networking Network Access Control Unified Threat Management Web Application Firewalls Firewalls for Virtual Infrastructures Firewall Policies Policies based on IP Addresses and Protocols IP addresses and IP characteristics IPv6 TCP and UDP ICMP IPsec protocols Policies based on Applications Policies based on User Identity Policies based on Network Activity Source: Guidelines on Firewalls and Firewall Policy, NIST Special Publication , September

18 Network Security IDS Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents. Intrusion prevention is the process for performing intrusion detection and attempting to stop detected possible incidents. Types of Intrusion Detection and Prevention Systems Network-Based monitors network traffic for suspicious activity Wireless monitors wireless network traffic for suspicious activity Network Behavior Analysis examines traffic to identify threats that generate unusual traffic flows, e.g. DDoS attacks, malware, policy violations Detection Methodologies Signature-Based Detection Anomaly-Based Detection Stateful Protocol Analysis Host-Based monitors characteristic of a single host and events occurring for suspicious activity Source: Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication , February

19 Network Security IDS A robust IDPS solution can be achieved using a combination of these 4 IDPS technologies. Source: Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication , February

20 Network Security WLAN Security WLAN s are extensions to wired LAN s based on IEEE standard. Fundamental architecture of WLAN consists of Access Points (AP), client devices, and Distribution Systems (DS) that connect to wired LAN s. Steps to minimize risk: 1. Password Policies & management 1. Encrypt data using standards like WPA2 1. Restrict access using security controls 1. Mac address filtering 2. Disable appropriate network interfaces, bridging traffic 1. Configure host-based network security tools like firewalls, IDS Source: Guidelines for Securing Wireless Local Area Networks (WLANs), NIST Special Publication , February

21 Smart Security = Info + Infra + System Information Security Infrastructure Security Control Systems Security N E E D S Information Protection Message Confidentiality Message Integrity Message Authenticity Infrastructure protection Routers DNS servers Links Internet protocols Service availability Generation control apps. Transmission control apps. Distribution control apps. Real-Time Energy Markets M E A N S Encryption/Decryption Digital signature Message Auth.Codes Public Key Infrastructure Traffic Monitoring Statistical analysis Authentication Protocols Secure Protocols Secure Servers Attack-Resilient Control Algos Model-based Algorithms - Anomaly detection - Intrusion Tolerance - Bad data elimination Risk modeling and mitigation Cyber Attacks: Deter, Prevent, Detect, Mitigate, be Resilient, Attribution 21

22 Summary SCADA and automation concepts Cyber Threat landscape, Coordinated attacks on WAMPAC, and consequences Information security concepts Symmetric and asymmetric key cryptography, digital signatures Network security concepts Firewalls, IDS, WLAN Security 22

23 Overview of WAMPAC Security 23

24 Control Systems Attack Model Generic Control System Model Control Signal Cyber System Physical System Sensing Signal Types of Attacks Data integrity Replay Denial of service De-synchronization and timing-based Signal Integrity Attack DoS Attack Yu-Hu. Huang, Alvaro A. Cardenas, S. Amin, S-Z. Lin, H-Y. Tsai, and S. Sastry, Understanding the Physical and Economic Consequences of Attacks on Control Systems, International Journal of Critical Infrastructure Protection, 2(3):72-83, October

25 Cyber attack classification Timing attacks Denial of Service attacks e.g. flood communication network and affect command information flow Data integrity attacks Attacks on measurements or controls e.g., block instead of trip, VAR increase instead of decrease. Coordinated attacks Attacks coordinated in space, and/or time e.g. attack on SPS of major transmission line followed by attack on sub-transmission and distribution feeders 25

26 Attacks-Cyber-Control-Physical 26

27 Beyond IT Security Why? Legacy Infrastructure Limited encryption capabilities Poor patch management Software bugs Security not design criteria Encrypted comm. can also be tampered Replay attacks Denial Of Service attacks Timing attacks E.g., Heartbleed bug Evolving Vulnerability and Threat landscape Secure system today Vulnerable system tomorrow Information and infrastructure security secure the entry points Application security identifies anomalies in data when IT and infrastructure security fails 27

28 Smart Security = Info + Infra + System Information Security Infrastructure Security Control Systems Security N E E D S Information Protection Message Confidentiality Message Integrity Message Authenticity Infrastructure protection Routers DNS servers Links Internet protocols Service availability Generation control apps. Transmission control apps. Distribution control apps. Real-Time Energy Markets M E A N S Encryption/Decryption Digital signature Message Auth.Codes Public Key Infrastructure Traffic Monitoring Statistical analysis Authentication Protocols Secure Protocols Secure Servers Attack-Resilient Control Algos Model-based Algorithms - Anomaly detection - Intrusion Tolerance - Bad data elimination Risk modeling and mitigation Cyber Attacks: Deter, Prevent, Detect, Mitigate, be Resilient, Attribution 28

29 WAMPAC Applications Wide-Area Measurements (SCADA and PMU network) Monitoring Control Protection State Estimation (SE) Automatic Generation Control (AGC) Remedial Action Schemes (RAS) Situational Awareness Generation/Load balance Prevent system instability 29

30 Cyber physical security of WAMPAC 1 Research areas Vulnerability Assessment R&D Methodology Attack model Attack classification Attack Impact metrics Impact analysis Mitigation development Experimental validation Attack vectors Impact Analysis Attack Mitigation Attack/Defense Evaluation 30

31 Synchrophasors Phasors Magnitude Angle Synchrophasors Common measurement time-stamp using GPS 31

32 SCADA data: Voltage & Current Magnitudes Data rate Every 2-4 seconds (per sample) SCADA vs. PMU data SCADA DATA PMU data: Voltage & Current Magnitudes Phase angles Frequency Rate of change of frequency Time synchronized (using GPS Satellite) Data rate samples per second PMU DATA 32

33 PMU deployment worldwide (2009) Source: Chakrabarti, Kyriakides, Bi, Cai and Terzija, Measurements Get Together, IEEE Power & Energy magazine, Jan/Feb

34 CPS Security Defense in Depth 34

35 Risk Assessment and Risk Management Process 35

36 Risk Assessment & Mitigation Risk = Threat x Vulnerability x Impacts 36

37 Risk Assessment Risk = Threat x Vulnerability x Impacts System Vulnerability System Vulnerability Scenario Vulnerability Scenario Vulnerability Access point Vulnerability Access Point Vulnerability Hierarchical Risk Modeling Real-Time Monitoring Threat & Vulnerability Analysis Impact Analysis low risk high risk Defense measures 37

38 Risk Management Process Source: Risk Management Guide, DOE Jan

39 Hierarchical Risk Management Model Source: ELECTRICITY SUBSECTOR CYBERSECURITY RISK MANAGEMENT PROCESS, DOE May

40 Qualitative Risk Analysis Matrix Combines the probability and consequence of a risk to identify a risk rating for each individual risk. Risk ratings Represents a judgment as to the relative risk to the project Categorizes each risk as Low Moderate High 40

41 Qualitative Risk Analysis Matrix Source: Risk Management Guide, DOE Jan

42 Risk Assessment - Quantitative Mitigation of Coordinated Attacks Offline: Risk Modeling and Mitigation Online: Alert Correlation and Mitigation Approach 1: Risk Modeling and Mitigation Cyber System Definition (Topology, Security) Attack Template Power System Definition (Control, Protection) Cyber System Modeling (Petri Nets) Power System Modeling (DIgSILENT, PSSE) Attack Probability risk Impact E.g. - Modify settings, Add security Offline Mitigation if risk > threshold E.g. - Increase transmission capacity 42

43 Qualitative vs. Quantitative Property Qualitative Quantitative To be viable Relies on Expert Knowledge Data sets, probabilities Benefit Coarse-grain analysis Fine-grain analysis Analyzability Subjective? Verifiable if assumptions hold Security investment High-level Detailed analysis Who uses Industry Academic Both are complimentary! Threat modeling is not well understood - more of an art than science Vulnerability assessment is subjective assumptions on cyber system Impact analysis is well understood physical/economic consequences 43

44 Mission Oriented Risk and Design Analysis (MORDA) 44

45 Attack Trees Attack Tree for HILF Coordinated Cyber Attack Source: NERC Cyber Attack Task Force report, May 2012 ( 45

46 NERC CATF Risk Mitigation Framework Source: NERC Cyber Attack Task Force report, May 2012 ( 46

47 Cyber-Physical Security Testbeds Adam Hahn, Aditya Ashok, Siddharth Sridhar, Manimaran Govindarasu, Cyber-Physical Security Testbeds: Architecture, Application, and Evaluation for Smart Grid, IEEE Transactions on Smart Grid, vol 4, no. 2, June

48 Need for Testbeds Vulnerability Analysis Impact Analysis Mitigation Research Cyber-Physical Metrics Data and Model Development Security Validation Interoperability Cyber Forensics Operator Training 48

49 CPS Testbed A Layered View EMS, SAS, RTUs, IEDs Routing infrastructure, Network protocols, Routers, Firewalls Defenses Information/Control Layer Communication Layer Cyber attacks Power System Simulators (RTDS, Power factory) Physical Layer Aditya Ashok, Adam Hahn, and Manimaran Govindarasu, A cyber-physical security testbed for smart grid: system architecture and studies, Proceedings of the Cyber Security and Information Intelligence Research (CSIIRW '11). 49

50 Cyber Security Testbeds National SCADA test bed Idaho National Lab Virtual Control System Sandia National Lab SCADA Security Pacific Northwest National Lab PowerCyber Security Iowa State University SCADA Security Washington State University, Pullman Virtual Power System test bed University of Illinois, Urbana Critical Infrastructure Security Mississippi State University CRUTIAL CESI RICERCA, Italy Cyber Security for the Smart Grid: A R&D Perspective

51 Iowa State s PowerCyber Testbed Adam Hahn, Aditya Ashok, Siddharth Sridhar, Manimaran Govindarasu, Cyber-Physical Security Testbeds: Architecture, Application, and Evaluation for Smart Grid, IEEE Transactions on Smart Grid, Vol. 4, June

52 CPS Testbed Federation for Security Experimentation USC/ISI DETER Testbed ISU PowerCyber Testbed Visualization 52

53 Cyber Security Compliance & Best practices 53

54 Cyber and Control Systems Security Standards for Electric Power Systems Organizations for Cyber Security Standards IEEE Institute of Electrical and Electronics Engineers IEC International Electro-technical Commission NERC North American Electric Reliability Council CIGRE International Council on Large Energy Systems FERC Federal Energy Regulatory Commission PSRC Power Systems Reliability Committee Protocol Scope IEEE 1402 Cyber Security Electric Standards Power Substation for Electric Physical Power and Systems Electronic Security IEC Data and Communication Security NERC 1300 FERC SSEMP NISTIR 7628 Cyber Security Standards (CIP Standards) [ Security Standards for Electric Market Participants Smart Grid Cyber Security 54

55 NISTIR 7628 Guidelines for Smart Grid Cybersecurity Vol. 1 Security Strategy, Architecture and High-Level Requirements Applicability of CIA in the smart grid environment Access control, Cryptography and key management Risk management and assessment Vol. 2 Privacy and the Smart Grid New privacy concerns and classification of privacy Laws and regulations with respect to privacy Vol. 3 Supportive Analysis and References Vulnerability definition and classification Bottom-up Security Analysis Security requirements Device security Cryptography and key management Network security System security architectures 55

56 NIST Smart Grid Interoperability Panel NIST Smart Grid Scope Research Standards Development Energy management and Metering Smart-grid Architecture and Operations Wide-Area Monitoring and control Communication protocols and cybersecurity Electric vehicles and storage Interoperability standards Cybersecurity standards [NISTIR 7628 Guidelines for Smart Grid Cyber Security] 56

57 NISTIR 7628 Smart Grid Cyber Security Strategy 1. Use case analysis Top-down analysis (inter-component/domain) Bottom-up analysis (vulnerability classes) 2. Risk Assessment Identify assets Vulnerabilities Threats Impacts Privacy Assessment 3. High-level security requirements 4a. Security Architecture 4b. Smart Grid Standards Assessment Existing standards (IEEE, CIP, etc.) 5. Conformity Assessment 57

58 NERC Critical Infrastructure Protection (CIP) Objective: Physical, cyber and operational security for bulk power system Identify vulnerabilities and countermeasures Vulnerability and risk assessment Cyber and physical countermeasures Threat response NERC CIP Scope Communications Support operation and protection Facility and field equipment Physical security Protecting sensitive data IT/Cyber security Deterrence, prevention, detection and correction Production, storage, transmission and disposal 58

59 CIP NERC CIP Standards (Version 5) BES Cyber System Categorization Security Management Controls CIP CIP Personnel & Training Electronic Security Perimeter(s) CIP CIP Physical Security of BES Cyber Systems CIP CIP Systems Security Management Incident Reporting and Response Planning Recovery Plans for BES Cyber Systems Configuration Change Management and Vulnerability Assessments Information Protection CIP CIP CIP

60 Cyber security Best Practices Defense in Depth approach Protect network boundaries Protect computing environment Firewalls Limit inbound and outbound connections Authorize appropriate outbound connections Filter malicious traffic Intrusion Detection Systems Analyze network traffic in near real-time Based on signatures, anomaly based Regular OS patching and updating OS Hardening Periodic Anti-virus updates Use of Host based Firewalls Routine Vulnerability Scanning Use of Proxy servers and Web content filters attachment filtering Monitoring logs Authorize devices on LAN Source: Malware Threats and Mitigation Strategies, US-CERT Informational Whitepaper, May

61 ICS-CERT best practices Minimize network exposure for all control system devices. Firewall and isolate control network Secure remote access using VPN s Account lockout policies Password management policies Access control management policies Patch management policies Source: 61

62 Vulnerability Lifecycle Vendor mistake in design/development process (Vendor/Coordinator/Rese archer) disclose the vulnerability to utilities and/or general public Utilities/System integrators work on testing, deploying patch Creation Discovery Notification Mitigation Released Mitigation Applied Vulnerability discovered by (Vendor/ Utility/Security Researcher/Attacker) Vendor provides patch and/or configuration strategy to mitigate the issue 62

63 Vulnerability Assessment Inspect weaknesses in industry standards, software platforms, network protocols and configurations Common activities include Vulnerability Scanning Cryptography Analysis Software fuzz testing Common tools Nmap a security scanner to discover hosts and services on a network Wireshark a network packet sniffer & analyzer tool Intrusion Process Footprinting Scanning Enumerating Exploit! Nessus a comprehensive vulnerability scanning program 10/6/15 63 Cyber Security for the Smart Grid: A R&D Perspective

64 Multiple layers & Multiple vendors Heterogeneous environment with both industryspecific and traditional IT software Application Traditional IT Web Database Industry SCADA EMS WAMS SPS Network Infrastructure Ethernet TCP/IP SSL NTP DNP3 IEC-TC57 Modbus Operating System Microsoft Unix Linux IOS VXworks Embedded Must be able to flexibly manage vulnerabilities discovered in both domains 64

65 Vulnerability Disclosure ICS-CERT Advisory An ICS-CERT Advisory is intended to provide awareness or solicit feedback from critical infrastructure owners and operators concerning ongoing cyber events or activity with the potential to impact critical infrastructure computing networks. ( NERC ES-ISAC Facilitates sharing of information pertaining to physical and cyber threats, vulnerabilities, incidents, potential protective measures, and practices. ( 65

66 ICS CERT Advisory A typical ICS-CERT Advisory contains: Affected products Impact Background Vulnerability Characterization Vulnerability Overview Vulnerability Details Exploitability Existence of Exploit Difficulty Mitigation 66

67 AMI Security and Privacy 67

68 Need for Advanced Metering Infrastructure (AMI) System Operation Benefits Customer Service Benefits Financial Benefits Reduction in peak loads Billing accuracy and flexible billing cycle Reduced equipment and maintenance costs Improved Monitoring and control Time based rate options Reduced support expenses Improved efficiency and reliability Custom energy profiles for Energy Efficiency Faster outage restoration Cost reduction Demand Response Improved inventory management 68

69 Advanced Metering Infrastructure Digital hardware and software Interval data measurement capability Two-way remote communications 69

70 AMI in Modern Grid vision Advanced Metering Infrastructure, National Energy Technology Laboratory, U.S Department of Energy, Office of Electricity Delivery and Energy Reliability, February

71 Basic AMI architecture Customer Data Collection Communication Network Utility/ Third Party Data Reception and Management Electricity Meter Gas Meter Data Transmission Network (BPL,PLC, RF, Public Networks) AMI Host server Meter Data Management System (MDMS) Water Meter Source: 71

72 AMI communication architecture Advanced Metering Infrastructure, National Energy Technology Laboratory, U.S Department of Energy, Office of Electricity Delivery and Energy Reliability, February

73 AMI security issues Cleveland, F.M.;, "Cyber security issues for Advanced Metering Infrastructure (AMI)," Power and Energy Society General Meeting - Conversion and Delivery of Electrical Energy in the 21st Century, 2008 IEEE, vol., no., pp.1-5, July

74 Conclusion Cyber-Physical Security of Power Grid is a national priority Smart Grid Security = Info Sec + Infra Sec + Application Security Defense-in-Depth & End-to-end Security & Attack-resilient Systems Cyber-Physical Security Testbeds & Experimentations Standards development and Industry adoption are critical Education and workforce development are very important Synergistic collaboration between Industry-University-National Labs International Collaboration is important! 74

75 THANK YOU Acknowledgements: U.S. National Science Foundation (NSF) U.S. Department of Homeland Security (DHS) U.S. Department of Energy (DOE) U.S. NSF IU/CRC Power Engr. Research Center (PSERC) Iowa State Univ., Electric Power Research Center (EPRC) Graduate Students: Aditya Ashok (ISU) Collaborators: Prof. Chen-Ching Liu, Washington State University (WSU) Prof. Venkat Ajjarapu, Iowa State University (ISU) Dr. Adam Hahn, MITRE Dr. Jianhui Wang, PNNL Dr. C. W. Ten, Michigan Tech. Professional: IEEE PES - PSACE CAMS Cyber Security Task Force 75