Zone Principles as Cyber Security Architecture Element for Smart Grids

Size: px
Start display at page:

Download "Zone Principles as Cyber Security Architecture Element for Smart Grids"

Transcription

1 1 Zone Principles as Cyber Security Architecture Element for Smart Grids Jens Zerbst, Vattenfall AB, Martin Schaefer, Vattenfall AB, and Iiro Rinta-Jouppi, Vattenfall AB 1 Abstract Today there is no single Smart grid in existence, but rather a conglomeration of different legacy systems paired with new technologies and architectural approaches, based on different standards and regulations that all need to be amalgamated into a communication network to support the challenges of the future electricity network. To support this objective, Zoning principles, as an element of the Cyber Security architecture for Smart Grids, are being presented on the basis of cyber security and architecture requirements, dependency on legacy installations, and present regulations and industry standards. Zoning principles provide a method of classifying functions and systems in a future Smart Grid communication network, and structuring them into a multilayered Defense in Depth architecture. Furthermore it introduces a structured method for defining security controls and thus enabling the further development of a compliance process with regard to trusted connectivity in a Smart Grid. Index Terms Communication system security, Computer security, Risk analysis, Smart Grid, Security Architecture, Zone Model, Zone principles, O I. INTRODUCTION NE of the challenges in the development of Smart Grids today is the introduction and expansion of a communication network for the electricity network in order to support the following aspects, among others: Intelligent control and connection of the different domains: customer, markets, service provider, operation, bulk generation, transmission and distribution [1] Time-critical adaptation for power balancing [2] Recovery after faults and self-healing functions [2] Highly user-orientated services [2] Higher quality and economic efficiency of electricity supply [2] The integration of large- and small-scale renewable energy sources [2] - Priorities for Regulation Increasing complexity [3] Increasing communication requirements [2] The fulfillment of local targets to reduce greenhouse gases and increase the share of renewable energies [4][5] However, the current challenge of a communication J. - T. Zerbst is with Vattenfall AB, Stockholm, Sweden ( M. Schaefer is with Vattenfall AB, Stockholm, Sweden ( I. Rinta-Jouppi is with Vattenfall AB, Stockholm, Sweden ( network to support the vision of a future Smart Grid is to develop an architecture to integrate different kinds of legacy systems with new technologies and architectural approaches, and to ensure at the same time security and reliability, as well as compliance with different standards and regulations. To achieve these objectives, basic technological, architectural and organizational principles have to be developed and standardized to support the communication network. Different initiatives and forums (e.g. European Electricity Grid Initiative - EEGI [6], European Regulators Group for Electricity & Gas - ERGEG [7], and National Institute of Standards and Technology - NIST [8]) are currently developing and aligning principles, methodology and standards for the communication network, and in so doing defining a road map and strategies. The scope of these initiatives includes, for example, the discussion of communication protocols, architectural principles, risk assessment methods, etc. The purpose of this paper is to discuss the Cyber Security architecture requirements of a communication network supporting a Smart Grid. The discussion focuses on the Defense in Depth methodology, and demonstrates ways of introducing it by applying "Zone principles" as an architectural element on a generic level. The paper summarizes these in an outline for a solution statement, and concludes with a call for the need to introduce the "Zone principles" as an element of Cyber Security architecture for a Smart Grid in connection with existing industrial standards and best practices, for example in the nuclear industry (compare therefore NRC s Regulatory Guide 5.71 [9] and IAEA s Technical Framework [10]) or industrial standards such as ANSI/ISA /IEC [11]. II. METHODS The starting point for the derivation of "Zone principles" as an element of Cyber Security architecture for Smart Grids is the identification and definition of: Architecture and Cyber Security requirements Dependency of the legacy installations and architecture Present regulations and industry standards Best practice approaches Present knowledge of developments, accomplishments and requirements in the Smart Grid discussion. The requirements and pre-conditions are clustered into the areas of Architecture and Cyber Security, and are limited to the relevant scope of "Zone principles". To ensure

2 2 compatibility and interoperability with the different Smart Grid characteristics, discussions and evaluations, the requirements are defined on a generic level Furthermore, it is necessary to base the discussion on the current existing installations (including generation, transmission and distribution), prerequisites and principles to provide an appropriate transition path from the existing legacy environment to the target architecture of a future Smart Grid and to ensure appropriate compatibility and integration. During the process, it is important to understand that a Smart Grid is more than a simple grid upgrade [12] or a detached architecture development simply based on the vision of a Smart Grid [13]. A theoretical discussion without any connection to the current setup is neither realistic nor affordable. Life length of the physical assets in the network is years which makes it slow to adapt to the new requirements. A. Architectural requirements Architecture in relation to IT is "the study, design, development, implementation, support or management of computer-based systems, particularly software applications and computer hardware" [14]. As regards the relationship between the communication network and the electricity network, architecture should furthermore provide a common understanding of the communication network, including designs, standards, demonstrations and implementation [13]. In order to define architectural requirements as input to the process for developing "Zone principles" as an element of the Cyber Security architecture for a Smart Grid, the following elements are discussed: The current status of relevant standards and best practice The identification of requirements 1) Status Different kinds of standard organizations (e.g. NIST [8]), international (e.g. CEER&ERGEG [15]) and national organizations (e.g. German Federal Ministry for Economic and Technology [16]) as well as regional communities (e.g. European Technology Platform for the Electricity Network of the Future [17]) are currently in the process of developing different architectural approaches and standards to address the future challenges of the Smart Grid communication network. Examples include: NIST's Framework and Roadmap for Smart Grid Interoperability Standards [1], which provides a wide overview of Smart Grid and defines a vision, and uses cases, an action plan as well as a road map. Furthermore, the document summarizes existing standards and best practices. The Strategic Deployment Document issued by the European technology platform for the European Electricity Network of the future [18], which defines and suggests deployment priorities, a Smart Grid road map, funding options, communication strategies and next steps. IEC's Smart Grid Framework, which provides Smart Grid project guidelines, a collection of standards for generic use cases and standards for technical design and specification. [19] ERGEG Position Paper on Smart Grids [2], which is an initiative to align the vision and view of the European electric power systems and markets. Challenges, opportunities and drivers are discussed. European Strategic Energy Technology plan (SET plan) includes agreed roadmaps, action- and implementation plans for for the European Electricity Grid Initiative (EEGI). In this program there are a number of functional projects that show in large scale the possibility to reach European targets. Parts of the criteria for the projects are the cyber security policy and open standards and interoperability policy. [20] IEEE P2030 Guide for Smart Grid Interoperability of Energy Technology and Information Technology Operation with the Electric Power System (EPS), and End- Use Applications and Loads provides a guideline for smart grid interoperability, which discusses alternate approaches to good practices for the Smart Grid. [21] Additional local initiatives discuss and develop, among other aspects, action plans and road maps such as: Roadmap Smart Grids Austria [22] California Smart Grid Infrastructure [23] Smart Grids United Kingdom [24] Furthermore, Industrial Automation and Control Systems (IACS) and commercial IT architecture approaches and standards serve as a basis for different kinds of developments in the area of Smart Grid architecture. 2) Requirements The various challenges and use cases for Smart Grids make new demands on the communications network, which have to be solved in the architecture of the communication network. Table 1 gives an overview of various demands made on the communication network, and maps them to architecture requirements. The examples emphasize the various architectural requirements. TABLE 1 DEMANDS ON THE COMMUNICATION NETWORK, MAPPED TO ARCHITECTURE REQUIREMENTS AND UNDERLINED BY AN EXAMPLE Demands on the communication network An increasingly diverse range of generating technologies will need to be connected in efficient ways without endangering the quality and reliability of other network users. An increasing number of entry points and paths for potential adversaries [25] Time-critical communication Architectural requirements capacity expansion/planning modularity clear interfaces reliable flows flexibility, clear interfaces, multi-layer security strategy availability, reliability, intelligent flow Example There are no commonly agreed rules for integrating DER to the network. DER is not controlled from Balance perspective Smart Meter Device, rapidly rising number of telecontrolled disconnectors energy balancing (automatic real time adjustment of consumption and production)

3 3 Information accessibility An increasing number of smart grid actors [1] Disturbance prevention/compensation availability, intelligent management confidentiality integrity scalability, clear interfaces intelligent flow/routing scalability modularity interoperability time-critical management Decentralized energy modularity, storage [18] and electricity availability, supply reliability, interoperability, intelligent/timecritical management Bi-directional power flow handling [18] Support island mode operation interoperability, intelligent/timecritical management Layered functionality, modularity, real-time- / off-line functionality Compatible with the interoperability, current installation and availability, architecture principles [18] reliability real time consumption measurement, demand side participation Small-scale, decentralized energy generation (small scale wind power, solar panels etc.) increasing number of energy access points (e.g. multi-storey car parks car charging points) Compensate for energy peaks or generation/network outages small-scale storage of energy energy re-introduction, energy balancing, offshore generation, micro generation micro energy production, use case: car as an energy buffer, Solar panels on buildings, etc. Network areas willingly moving to island operation mode integration of new technology into current grid compatibility of technological developments (standards) 3) Conclusion To summarize, for the architectural requirements in the context of the development of "Zone principles", the following requirements could be adopted as input into the continued process: Ensuring the interoperability and connectivity between different domains, power plants and facilities as well as different parties Independence from certain entities such as protocols, applications or vendors Scalability and modularity to enable interoperability and connectivity between (n:m) parties Supporting connectivity between parties, which do not maintain or support the same or any kind of zone principle? Defining clear interfaces and responsibilities Establishing reliability to ensure an adequate energy supply B. Cyber Security requirements Compared to the architecture of a classic energy grid, new Smart Grid architecture challenges will increase the Cyber Security requirements and introduce new areas of cyber security, such as enhanced privacy controls. 1) Status The current specific discussion of Cyber Security in Smart Grid applications focuses mostly on topics such as: Cyber Security Risk Management Framework [13] Risk Management for SCADA systems [26], [27] Privacy of customer data [25] AMI Security [28] Protocol for the mapping of different players in different domains [13] A holistic and predictive discussion, as conducted in the general architecture, is currently lacking in the area of Cyber Security architecture. A sustainable and persistent Cyber Security concept is needed as an orientation during the various iterative development stages and opportunities for a Smart Grid. However, the robust development of general Cyber Security in Critical Infrastructure and Industrial Automation and Control Systems (IACS) supports the specific discussion of Cyber Security in Smart Grids, and needs to be closely connected. Relevant standards and best practices, which are associated with the application of "Zone principles" are, for example: ANSI/ISA Manufacturing and Control Systems Security [11] NERC CIP series [29] IEC Data and Communication Security [30] DHS Catalog of Control Systems Security [31] AMI System Security Requirements v1.01 [28] U.S. Nuclear Regulatory Commission (NRC) - Regulatory Guide Cyber Security Program for Nuclear Facilities [9] 2) Risks In addition to the vulnerabilities and threats of Information Technology, IACS and the enterprise integration of IACS, Smart Grid introduces another level of vulnerabilities and impact, which leads to an enhanced set of risks. To develop "Zone principles" as a risk mitigating element of a Cyber Security architecture, the definition of dedicated risks should serve as the basis for the further development of a Cyber Security architecture element. In this context, risk will be defined and split as a result of (threats x vulnerability x impact) 2. a) Threats In general, threats facing the communications network of a Smart Grid are comparable to the threats that are currently discussed in the Cyber Security of IACS and critical 2 NIST defines risks as a function of the likelihood of a given threatsource s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization [48]

4 4 infrastructure. However, the vulnerability and impact may differ due to the characteristics of a Smart Grid communications network. Threats could be categorized into intentional and unintentional paired with malicious and nonmalicious threats [32], [33]. Table 2 shows an abstract of possible threat types. TABLE 2 MATRIX OF POSSIBLE THREAT TYPES UNDERLINED WITH AN EXAMPLE malicious non-malicious intentional unintentional Criminal groups Terrorists Spyware/maleware authors Example: A hacker develops a worm that can jump across smart meters and black out neighborhoods, for example, or can k bl Foreign intelligence services Insiders Industrial spies Cyber espionage Example: A disgruntled employee or outsourcing vendor intentionally manipulates sensor data or entire control systems and causes shut down. Bot-network operators Phishers Spammers Example: Identity theft and thus access to critical infrastructure. DoS attacks performed via spamming. [46] equipment failure human failure untrained staff fire, water, disaster Example: An employee is unaware of current procedures and e.g. does not perform a proper change. Equipments function can fail and lead to e.g. wrong sensor data or incorrect data processing. [47] b) Vulnerabilities In addition to common vulnerabilities in Information Technology [34] or IACS, vulnerabilities could be specified which are based on the characteristics of Smart Grids [32]. Examples include 3 : Use of insecure legacy devices [12] Potential larger scale communication network [12] Increasing amount of customer data [1] Increasing technical complexity [1] "Security by obscurity" security culture background [12] No aligned common standards [12], [35] Interconnected networks can introduce common vulnerabilities [1] Lacking physical access restriction to, for example, field devices [36] Exposure of critical infrastructure due to connectivity reasons Introduction of new technologies and protocols Exposure of sensitive customer data Huge amount of devices with homogeneous technology (e.g. Smart Meter), which could be affected by a single disruption [1] Connectivity to untrustworthy partners that can not be selected (customers, other market actors) c) Impact Energy supply has a critical role in society and is vital for everyday life. Industries, health care and the Internet are all dependent on reliable energy supply. Minor network or energy production disruptions could cascade and result in huge impacts as recent incidents, such as the Northeast Blackout 3 A detailed vulnerability analysis is presented in the Report to NIST on Smart Grid Interoperability standards Roadmap [13] Appendix E. [37], have shown. The huge complexity, interconnectivity and homogeneity of Smart Grid components increase the possibilities of cascading effects. For instance, a huge amount of similar Smart Meter, which are malfunctioning could introduce misleading control and could seriously impact the power balancing function of a Smart Grid. The possible cascading effect of such incidents could spread over a larger grid, as investigated in a research paper concerning cascade-based attack vulnerability on the U.S. power grid [38]. This cascade could have a dramatically higher impact than the current "one directional power supply grid. 3) Conclusion The new characteristics of the Smart Grid communication network introduce new vulnerabilities with enhanced impact, thereby also introducing a new level of risk. Awareness and the cost-effective mitigation of these risks to an appropriate level is one of the key success factors of the Smart Grid. To develop "Zone principles" as one element in mitigating this future risk, the following security requirements could be stipulated: Maintenance of and support for the existing security architecture and architectural controls of the different domains (including the maintenance of "Defense in Depth/ Zone Principles" integrity in critical infrastructures) Maintenance of and support for valid Best Practices, Standards and Regulations Enablement of a platform for an appropriate secure connection between different parties Protection of critical infrastructure or co-operation with downstream systems Definition of clear controls based on zone classification Persistence security concepts for the different life cycle of the Smart Grid development C. Best Practices approach, Defense in Depth In the general security discussion Defense in Depth is defined as "An approach to security in which multiple levels of security and methods are deployed to guard against failure of one component or levels." [9]. In the Information and Information System security, Defense in Depth" became a standard security control principle that is applied on different levels, e.g. in the system design [11], software design [39], security architecture, or security control design [40]. In the current Cyber Security discussion of Smart Grids, Defense in Depth" is recognized as a possible Cyber Security control for Smart Grids [25], but detailed analysis and structured implementations are essentially missing. In the context of "Zone principles", the discussion of Defense in Depth" is limited to a multi-layered architecture approach, which has to be supported by different security controls to provide multiple, redundant and independent layers of protection. The objectives are as follows: Efficient elimination of single-point vulnerabilities or failures on architecture, infrastructure or system level. Deficiency of individual technical or organizational

5 5 controls regarding error-proneness [41] and vulnerabilities makes a multi-layered protection approach necessary. Custom fulfillment of various protection requirements in different zones of IACS, IT services and Defense in Depth principle and the use of multiple zones make it possible for an accurate separation of the architecture, such as business function, responsibilities and technology. Flexibility of controls in different zones without weakening the protection level. One disadvantage of the "Defense in Depth" methodology introduced as a security architecture element is the higher grade of complexity and cost of the architecture [42]. D. Zone principles in the general Cyber security discussion In the general Cyber security discussion, "Defense in Depth" methodology, as a multi-layered architecture approach, is often introduced as a "Zone model" [9] or "Level structure" [11], and is mostly supported by a classification model and dedicated security controls. To ensure the compatibility to the different domains of the Smart Grids, legacy environmental, or local regulations the different "Zone models" or Level structures" are normalized in a 6-Zone principle with the Zones: Zone 0 - Process Zone 1 - Critical Automation/Basic Control Zone 2 - Critical Operation control/ Supervisory Control Zone 3 - Operation Support/Management Zone 4 - Business Automation/Logistics Zone 5 - External Partner/Connections Figure 1 describes a normalized 6-Zone principle example based on mapping of the different industrial standards and best practices. However, the mapping gives only an indication of a general mapping, and could at any time be enhanced with other standards or regulations. Fig.1. Mapping of standards against a normalized Zone model III. RESULTS The result shows a possible attempt to introduce "Zone principles" as an element of the Cyber security architecture for Smart Grid architecture. The different functions and potentials of "Zone principles" are described briefly, and should provide a basic outline of an elaboration. Furthermore, the value creation based on the identified challenges and requirements of these principles are discussed. A. Zone principles in a context of a Smart Grid architecture Figure 2 shows a classification and segmentation of smallsample Smart Grid architecture on a generic level. The sample consists of two different companies (1 and 2) as well as three domains (Transmission/Distribution, Plant Entity and Market). Based on the normalized "Zone Principles", the functional and technical life cycles are classified to the different zones (Zone 1 to Zone 5) according to the legacy installations in a horizontal direction. The vertical direction shows the connectivity of functions and systems between different domains and/or companies. Figure 2 also shows that not all domains need the installation of all zones (cf. Domain C, missing Zones 1 and 2). Different zones could also be used by different domains of one company (cf. Company 2, Zones 4 and 5 are used in Domains B and C.). The application of "Zone principles" could serve to realize the following benefits: Classification of functions and system into different zones according to defined and aligned criteria and attributes. Introduction of an "inter-connection area" as an integration and connectivity platform, which enables and controls connections to other domains or companies. Basis for the standardized definition of interfaces and connectivity of different domains and/or companies. Presentation and differentiation of the domains, companies and/or legal entities Methods to illustrate different attributes, characteristics, and dependencies of and between the various zones, e.g. responsibilities, business functionality, security requirements or architecture. Methods to implement different security controls, frameworks or legal requirements for different zones. Definition of critical IT systems and functions (Zones 1 and 2) Introduction of a higher level of flexibility to define and apply controls, which is a basis for standardized controls for different levels of security requirements Normalization on a generic layer to enable compatibility with different architectural standards Applicable in an n:m -scenario in the dimensions of company, domain and function Multi-level defense strategy to isolate incidents and reduce impact B. Zone instances To ensure the flexibility, modularity and scalability of the Zone principles, the introduction of Zone instances as an additional element of a Zone is necessary. Based on the classification criteria of a Zone, different systems and functions could be classified to one zone. However, due to differences in locations, requirements or technical design, it may not be beneficial to handle all these functions or systems under one common control rule set (e.g. responsibility, physical security or system security). Therefore, the zone instances are used to differentiate and group different systems

6 6 Zone 1 Zone 2 Zone 3 Zone 4 Zone 5 Process Critical Automation / Basic Control Critical Operation Control / Supervisory Control Operations Support / Mgmt Inter-connection area Business Automation / Logistics External Partner Connection Company 1 Domain A Process Process Plant Block A: Critical Automation Plant Block B: Critical Automation Plant Block A; Supervisory Control Plant Block B; Supervisory Control Operations Support / Mgmt Inter-connection area Business Automation / Logistics External Partner Connection Company 2 Domain B Operations Support / Mgmt Inter-connection area Business Automation / Logistics External Partner Connection Domain C Fig.2. Zoning principles as an element of Cyber security architecture, including different zone instances and functions into one zone. Figure 2 shows zone instances in Company 2- Domain B and in all entities in Zone 3. C. Classification to the Zone principle The classification of the different systems and functions into the various zones is based on the defined criteria and requirements of the different zones (see also [43]). A system which is classified to a certain zone must meet the specific zone requirements. Zone requirements could in further discussion be adapted to the different characteristics of the various domains. Special requirements or exceptions can be handled using zone instances. If a system provides different functions, which are classified to different zones, the system should be assigned to the more stringent zone. D. Security controls To bring the "Zone principles" into effect, it is important not only to implement a multi-layer network schema, but also to implement and maintain security controls that assess, protect, respond to, prevent, detect and mitigate threats [9]. In this context, the security controls shall not be reduced to network controls or technical controls only, but should cover the different disciplines of security to guarantee an integrated protection and follow up, including technical controls, operational controls, management controls or physical controls. The security controls must be adapted to the different zones and zone instances, and reflect the various characteristics, such as domain affiliation, risk and threat scenarios, application, connection type, flows or ownership. The objective of the "Zone Principle" is not to define or provide different security controls, but to provide an additional framework to assign security controls or control families, e.g. regulation requirements, in a structured and traceable way to zones and zone instances. With the introduction of such a framework, compatibility with the different standards and regulations, but also to the iterative evolution of a Smart Grid, is safeguarded. A standardization of mandatory basic security controls in relation to the different zones and zone instances could deliver a set of requirements as a prerequisite for establishing connection between domains and companies, and could lead finally to a compliance process in the area of Smart Grids. E. "Inter-connection" area as zone instance of Zone 3 The "inter-connection area" of Zone 3 enables and supports the connectivity and interoperability of different domain entities and companies, and represents one of the core functions of a Smart Grid communication network. The introduction of an "inter-connection area" is a functional enhancement to current known "Zone principles. However, it could be compared to Level 3 of the "Assumed hierarchical computer control system structure for an industrial plant" in ANSI/ISA /IEC [44]. Unlike Zone 5 (external partner connection), which allows traditional transfers between companies and customers, the "inter-connection area" of Zone 3 supports time- or security-critical connectivity between Smart Grid functions and components. To ensure the necessary security of the various systems and functions in Zone 3, different kinds of security control have to be defined for the zone, zone instances and flows. The definition of standardized set the basis for the introduction of minimum requirement and compliance measures to enable connectivity and interoperability between domains, companies and assets. The objective could be a standard catalogue of controls for different kinds of connectivity and flows in order to build up a reliable level of trust between different entities in the Smart Grid. The possibility of encapsulating the different systems and functions in Zone 3 by introducing zone instances, the modularity, scalability and thus the flexibility of the principle is guaranteed. F. Mapping example of the Zone principle To visualize and prove the applicability and effectiveness of the "Zone principles", the scenario entitled "Electric Storage (ES)" of the "Unified Logical Architecture for the Smart Grid" [25] has been mapped to the "Zone principles". Owing to the generic character of the "Zone principles", other architectural approaches such as "P2030 Smart Grid Comms Reference Architecture" [45] could also be used and applied.

7 7 The mapping (Figure 3) provides a classification of the different systems and functions of the "Electric Storage (ES)"- scenario to different zones. However, in this example a hypothetic classification model was applied to map the different systems and functions to the different Zones. This example includes no applied security controls, but shall merely indicate the mapping procedure for the communication systems of any given use case example to the Zone principles of Smart Grid architecture. To bring the "Zone principles" up to full effect, a catalogue of security controls has to be defined for every zone, zone instance and flow. To present the various possibilities for system mapping, middleware components are included for different functions. G. Zone principles supporting non-security objectives The introduction of Zone principles as an element of Smart Grid architecture provides, in addition to the security objectives, further value to the operation and maintenance of a Smart Grid communication network. The following examples outline various possibilities: Basic structure and templates for SLA and OLA specifications according to zones and zone instances Definition of clear responsibilities Classification of interfaces, protocols and conductivities Classification of assets in terms of regulation or technical implications Zone 1 Zone 2 Zone 3 area Zone 4 Zone 5 PLC IED Market A Critical IT systems Operation A 8 Service Provider C Inter connection Customer Fig.3. Zoning principles applied to the "Electric Storage (ES)" of the "Unified Logical Architecture for the Smart Grid" [25]. 1 - Energy Market Clearinghouse; 2 - Middleware Energy Market Clearinghouses; 3 - ISO/RTO Operations; 4 - Bulk Storage Management; 5 - Distribution SCADA; 6 - Middleware Distribution SCADA; 7 - Aggregator / Retail Energy Provider; 8 - Distribution/Generation/Storage Mgmt System; 9 - Middleware Billing System; 10 - Billing System; 11 - Energy Service Interface; 12 - Customer Energy Management System (EMS); 13 - Meter; 14 - Customer DER: Generation and Storage IV. CONCLUSION Smart Grid is developing rapidly, with incumbent players 1 10 and new start-ups, innovative technologies, integration challenges, new business and use cases. With this, the risk of ad-hoc solutions, isolated architecture, and ineffective security controls is increasing. The impact could be incompatibility, isolated solutions, integration failure or ineffective or wrong prioritized security. The "Zone principles", as an element of the Cyber Security architecture of Smart Grids, introduce a "Defense in Depth" approach to defining and implementing security controls. Consequently, it serves as the basis for a platform of trust between the different parties making up a Smart Grid. As a consequence of its generic, modular and scalable character, the "Zone principle" is an element that provides stability throughout the different iterative evolution phases of the Smart Grid. "Zone principles" is based on proven industrial standards and best practices, thereby ensuring compatibility with the current installation. Furthermore, the development of this "Zone principles" approach transfers knowledge to the new challenges and requirements of a Smart Grid communication network. There is no single Smart Grid available at present, but rather a wide range of different systems that all need to be tied together. "Zone principles", as an element of a Cyber Security architecture, is a supporting element to structure this challenge in an efficient way. V. REFERENCES [1] National Institute of Standards and Technology (NIST), Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 Appendix, Jan 2010 [2] European Regulators Group for Electricity & Gas (EREG), Position Paper on Smart Grids Ref: E09-EQS-30-04, Dec 2009 [3] Chris Thomas and Bruce Hamilton, ADICA, LLC, White Paper The Smart Grid and the Evolution of the Independent System Operator, 2009 [4] Official Journal of the European Union, DIRECTIVE 2009/28, 29, 30, 31/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, Apr [5] The White House - Office of the Press Secretary, President Obama Sets Greenhouse Gas Emissions Reduction Target for Federal Operations, Available at: (last visited 5th May 2010) [6] European Electricity Grid Initiative (EEGI), Available at: (last visited 12th May 2010) [7] European Regulators Group for Electricity & Gas (ERGEG), Available at: (last visited 12 th May 2010) [8] National Institute of Standards and Technology (NIST), Available at: (last visited 12 th May 2010) [9] U.S. Nuclear Regulatory Commission (NRC), Regulatory Guide Cyber Security programs for Nuclear Facilities, pp. 35, Jan 2010 [10] International Atomic Energy Agency (IAEA), Technical Areas, Available at: (last visited 14th May 2010) [11] American National Standards Institute (ANSI), International Electro technical Commission (IEC), International Society of Automation (ISA), ANSI/ISA , IEC Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, 2007 [12] CISCO Whitepaper, Securing Smart Grid, 2009, Available at: (last visited 12 th May 2010)

8 8 [13] Electric Power Research Institute (EPRI), Report to NIST on the Smart Grid Interoperability Standards Roadmap, Jun 2009 [14] Information Technology Association of America (ITAA), Available at: Definitions.pdf (last visited 12 th May 2010) [15] European Energy Regulators CEER&ERGEG, Available at: (last visited 5 th May 2010) [16] German Federal Ministry for Economics and Technology, Available at: (last visited 5 th May 2010) [17] European Technology Platform for the Electricity Network of the Future, Available at: (last visited 5 th May 2010) [18] European Technology Platform for the Electricity Network of the Future, Strategic Deployment Document for Europe s Electricity Networks of the Future, Available at: _FINAL_APRIL2010.pdf (last visited 5th May 2010) [19] International Electro technical Commission (IEC), IEC Global Standards for Smart Grids, Available at: (last visited 5 th May 2010) [20] European Electricity Grid Initiative (EEGI), Roadmap and Detailed Implementation Plan , May 2010, Available at: _plan_may% pdf [21] IEEE, IEEE P2030 Guide for Smart Grid Interoperability of Energy Technology and Information Technology Operation with the Electric Power System (EPS), and End-Use Applications and Loads, Available at: index.html (last visited 5th May 2010) [22] Smartgrids Austria, Roadmap Smartgrid Austria - Der Weg in die Zukunft der elektrischen Stromnetze!, 2009 [23] Electric Power Research Institute (EPRI), Integrating new and emerging technologies into the California smart grid infrastructure - A report on a Smart Grid for California [24] Department of Energy Climate Change, Developing a UK Smart Grid, Available at: uk_supply/network/smart_grid/ smart_grid.aspx (last visited: 5th May 2010) [25] National Institute of Standards and Technology (NIST), Smart Grid Cyber Security Strategy and Requirements, Draft NISTIR 7628, Feb 2010 [26] International Society of Automation (ISA), CS2SAT - Control System Cyber Security Self-Assessment Tool, 2007 [27] Trusted Information Sharing Network for Critical Infrastructure Protection, Generic SCADA RISK Management Framework, Dec 2006 [28] AMI-SEC Task Force and AMI Security Acceleration Project (ASAP), AMI Security Implementation Guide V1.01, 2009 [29] North America Electric Reliability Corporation (NERC), Critical Infrastructure Protection series (CIP-001 CIP-009), 2009 [30] International Electro technical Commission (IEC), Power systems management and associated exchange - Data and communications security, Available at: Openform&key=62351&sorting=&start=1 (last visited 5 th May 2010) [31] Department of Homeland Security (DHS), Catalog of Control Systems Security: Recommendations for Standards Developers, Sep 2009 [32] National Institute of Standards and Technology (NIST), Guide to Industrial Control Systems (ICS) Security (NIST ), Sep 2008 [33] Department of Energy (DOE) Cyberspace Policy Review - Assuring a trusted and Resilient Information and Communication Infrastructure", May 2009 [34] National Institute of Standards and Technology (NIST), National Vulnerability Database, Available at: (last visited 5th May 2010) [35] Katie Fehrenbacher, Close to 80 Smart Grid Standards Revealed, Available at: (last visited 5 th May 2010) [36] Department of Homeland Security (DHS), Control Systems Cyber Security: Defense in Depth Strategies, May 2006 [37] Blackout 2003 USA, Available at: (last visited 5th May 2010) [38] Jian-Wei Wang, Li-Li Rong, Cascade-based attack vulnerability on the US power grid, Available at: doc/ /cascade-based-attack-vulnerability-on-the-us-power- Grid (last visited 5th May 2010) [39] International Standard Organisation (ISO), International Electrotechnical Commission (IEC), ISO/IEC Information Technology Basis Reference Model: The Basic Model, 1994 [40] Trusted Information Sharing Network for Critical Infrastructure Protection, Defense in depth, June 2008 Available at: SecurityPublications (last visited 5 th May 2010) [41] Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, Jun 2004, pp. 62 [42] Eric Byres, Defense in Depth, Jun 2008, Available at: (last visited 5th May 2010) [43] National Institute of Standards and Technology (NIST), SECURITY CATEGORIZATION OF INFORMATION AND INFORMATION SYSTEMS NIST Volume II Revision 1, 2008, Available at: Rev1.pdf [44] American National Standards Institute (ANSI), International Society of Automation (ISA), ANSI/ISA , Enterprise-Control System Integration, Part 1: Models and Terminology, [45] IEEE, Validating the IEEE P2030 TF3 Smart Grid Comms Reference Architecture By Mapping Utilities Architectures, Available at: https://mentor.ieee.org/2030/dcn/10/ validatingp2030-tf3-sg-comms-reference-architecture-by-mapping-utilitiesarchitectures.pdf (last visited: 15th May 2010) [46] The No Network is 100% Secure series - The Aurora Power Grid Vulnerability - A White Paper, Available at: (last visited 5th May 2010) [47] Cyber Incident Blamed for Nuclear Power Plant Shutdown, Available at: (last visited 5th May 2010) VI. BIOGRAPHIES J. T. Zerbst graduated in computer science. Today he is responsible for the IT Security in the Vattenfall Group. M. Schaefer graduated in computer science. Since 2008 he works for Vattenfall AB as a consultant for IT Security and Green IT. I. Rinta-Jouppi graduated in electronics and computer hardware, is engaged in the areas of Smart Grids, IT and IT security. Today he is responsible for development in Vattenfall Distribution Nordic.

Cyber Security and Privacy - Program 183

Cyber Security and Privacy - Program 183 Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology

More information

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Panel Session: Lessons Learned in Smart Grid Cybersecurity PNNL-SA-91587 Panel Session: Lessons Learned in Smart Grid Cybersecurity TCIPG Industry Workshop Jeff Dagle, PE Chief Electrical Engineer Advanced Power and Energy Systems Pacific Northwest National Laboratory

More information

Information Bulletin

Information Bulletin Public Policy Division Impact of NIST Guidelines for Cybersecurity Prepared by UTC Staff 1. Introduction... 3 2. Cybersecurity Landscape... 3 3. One Likely Scenario... 5 4. Draft NISTIR 7628, Guidelines

More information

Development of a Conceptual Reference Model for Micro Energy Grid

Development of a Conceptual Reference Model for Micro Energy Grid Development of a Conceptual Reference Model for Micro Energy Grid 1 Taein Hwang, 2 Shinyuk Kang, 3 Ilwoo Lee 1, First Author, Corresponding author Electronics and Telecommunications Research Institute,

More information

future data and infrastructure

future data and infrastructure White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal

More information

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security Boeing Defense, Space & Security Ventures Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security Tristan Glenwright - Boeing BOEING is a trademark of Boeing Management Company. The

More information

Risk Management, Equipment Protection, Monitoring and Incidence Response, Policy/Planning, and Access/Audit

Risk Management, Equipment Protection, Monitoring and Incidence Response, Policy/Planning, and Access/Audit Page 1 of 10 Events Partners Careers Contact Facebook Twitter LinkedIn Pike Research Search search... Home About Research Consulting Blog Newsroom Media My Pike Logout Overview Smart Energy Clean Transportation

More information

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE0000191

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE0000191 Interim Techlogy Performance Report 3 PROJECT BOEING SGS Contract ID: DE-OE0000191 Project Type: Revision: V1 Company Name: The Boeing Company November 19, 2013 1 Interim Techlogy Performance Report 3

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

ISACA rudens konference

ISACA rudens konference ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial

More information

Update On Smart Grid Cyber Security

Update On Smart Grid Cyber Security Update On Smart Grid Cyber Security Kshamit Dixit Manager IT Security, Toronto Hydro, Ontario, Canada 1 Agenda Cyber Security Overview Security Framework Securing Smart Grid 2 Smart Grid Attack Threats

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

Feature. SCADA Cybersecurity Framework

Feature. SCADA Cybersecurity Framework Feature Samir Malaviya, CISA, CGEIT, CSSA, works with the Global Consulting Practice-GRC practice of Tata Consultancy Services and has more than 17 years of experience in telecommunications, IT, and operation

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Cyber Security Seminar KTH 2011-04-14

Cyber Security Seminar KTH 2011-04-14 Cyber Security Seminar KTH 2011-04-14 Defending the Smart Grid erik.z.johansson@se.abb.com Appropriate Footer Information Here Table of content Business Drivers Compliance APT; Stuxnet and Night Dragon

More information

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage. Executive Summary Statement of Nadya Bartol Vice President, Industry Affairs and Cybersecurity Strategist Utilities Telecom Council Before the Subcommittee on Oversight and Subcommittee on Energy Committee

More information

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS http://dx.doi.org/10.5516/net.04.2012.091 AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS JAE-GU SONG *, JUNG-WOON LEE, GEE-YONG PARK, KEE-CHOON KWON,

More information

Cyber Security for SCADA/ICS Networks

Cyber Security for SCADA/ICS Networks Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And

More information

Demand Response Management System Smart systems for Consumer engagement By Vikram Gandotra Siemens Smart Grid

Demand Response Management System Smart systems for Consumer engagement By Vikram Gandotra Siemens Smart Grid Demand Response Demand Response Management System Smart systems for Consumer engagement By Vikram Gandotra Siemens Smart Grid siemens.com/answers The Siemens Smart Grid Suite DRMS part of Grid Application

More information

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network WP 1004HE Part 5 1. Cyber Security White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network Table of Contents 1. Cyber Security... 1 1.1 What

More information

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies

More information

NIST Coordination and Acceleration of Smart Grid Standards. Tom Nelson National Institute of Standards and Technology 8 December, 2010

NIST Coordination and Acceleration of Smart Grid Standards. Tom Nelson National Institute of Standards and Technology 8 December, 2010 NIST Coordination and Acceleration of Smart Grid Standards Tom Nelson National Institute of Standards and Technology 8 December, 2010 The Electric Grid One of the largest, most complex infrastructures

More information

SCOPE. September 25, 2014, 0930 EDT

SCOPE. September 25, 2014, 0930 EDT National Protection and Programs Directorate Office of Cyber and Infrastructure Analysis (OCIA) Critical Infrastructure Security and Resilience Note Critical Infrastructure Security and Resilience Note:

More information

INFORMATION TECHNOLOGY PROGRAM DESCRIPTIONS OPERATIONAL INVESTMENTS

INFORMATION TECHNOLOGY PROGRAM DESCRIPTIONS OPERATIONAL INVESTMENTS EB-0-0 Exhibit D Schedule - Page of INFORMATION TECHNOLOGY PROGRAM DESCRIPTIONS OPERATIONAL INVESTMENTS SCADA SECURITY, GOVERNANCE AND OPERATIONS Program Overview Within THESL s operations, there is a

More information

Secure Machine to Machine Communication on the example of Smart Grids

Secure Machine to Machine Communication on the example of Smart Grids Corporate Technology Secure Machine to Machine Communication on the example of Smart Grids 10.ITG Fachtagung Zukunft der Netze 2011, Steffen Fries Siemens AG, CT T, GTF IT Security : +49 89 636 53403 :

More information

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment The Advantages of an Integrated Factory Acceptance Test in an ICS Environment By Jerome Farquharson, Critical Infrastructure and Compliance Practice Manager, and Alexandra Wiesehan, Cyber Security Analyst,

More information

SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios

SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios Lucie Langer and Paul Smith firstname.lastname@ait.ac.at AIT Austrian Institute of Technology ComForEn Workshop Monday 29 th September,

More information

Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security

Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security The Smart Grid Interoperability Panel Cyber Security Working Group September 2010 Table of Contents Table of Contents...2 1. Introduction

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

GOOD PRACTICE GUIDE PROCESS CONTROL AND SCADA SECURITY

GOOD PRACTICE GUIDE PROCESS CONTROL AND SCADA SECURITY GOOD PRACTICE GUIDE PROCESS CONTROL AND SCADA SECURITY GUIDE 2. IMPLEMENT SECURE ARCHITECTURE This guide is designed to impart good practice for securing industrial control systems such as: process control,

More information

STATEMENT OF PATRICIA HOFFMAN ACTING ASSISTANT SECRETARY FOR ELECTRICITY DELIVERY AND ENERGY RELIABILITY U.S. DEPARTMENT OF ENERGY BEFORE THE

STATEMENT OF PATRICIA HOFFMAN ACTING ASSISTANT SECRETARY FOR ELECTRICITY DELIVERY AND ENERGY RELIABILITY U.S. DEPARTMENT OF ENERGY BEFORE THE STATEMENT OF PATRICIA HOFFMAN ACTING ASSISTANT SECRETARY FOR ELECTRICITY DELIVERY AND ENERGY RELIABILITY U.S. DEPARTMENT OF ENERGY BEFORE THE COMMITTEE ON ENERGY AND NATURAL RESOURCES UNITED STATES SENATE

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

Cyber Security & State Energy Assurance Plans

Cyber Security & State Energy Assurance Plans Cyber Security & State Energy Assurance Plans Michigan Cyber Summit 2011 Friday, October 7, 2011 Jeffrey R. Pillon, Director of Energy Assurance National Association of State Energy Officials What is Energy

More information

Enabling the SmartGrid through Cloud Computing

Enabling the SmartGrid through Cloud Computing Enabling the SmartGrid through Cloud Computing April 2012 Creating Value, Delivering Results 2012 eglobaltech Incorporated. Tech, Inc. All rights reserved. 1 Overall Objective To deliver electricity from

More information

How can the Future Internet enable Smart Energy?

How can the Future Internet enable Smart Energy? How can the Future Internet enable Smart Energy? FINSENY overview presentation on achieved results Prepared by the FINSENY PMT April 2013 Outline Motivation and basic requirements FI-PPP approach FINSENY

More information

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE0000191

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE0000191 Interim Techlogy Performance Report 1 PROJECT BOEING SGS Contract ID: DE-OE0000191 Project Type: Revision: V2 Company Name: The Boeing Company December 10, 2012 1 Interim Techlogy Performance Report 1

More information

Implementing the Smart Grid: Enterprise Information Integration

Implementing the Smart Grid: Enterprise Information Integration Implementing the Smart Grid: Enterprise Information Integration KEMA, Inc. ali.ipakchi@kema.com Keywords: Smart Grid, Enterprise Integration, s, Utility Applications, Systems Implementation ABSTRACT This

More information

Network Infrastructure Considerations for Smart Grid Strategies By Jim Krachenfels, Marketing Manager, GarrettCom, Inc.

Network Infrastructure Considerations for Smart Grid Strategies By Jim Krachenfels, Marketing Manager, GarrettCom, Inc. Network Infrastructure Considerations for Smart Grid Strategies By Jim Krachenfels, Marketing Manager, GarrettCom, Inc. The Smart Grid is having a decided impact on network infrastructure design and the

More information

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord Implementation of Cyber Security for Yara Glomfjord Speaker profile Olav Mo ABB

More information

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT Utilities WHITE PAPER May 2013 INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT Table of Contents Introduction...3 Problem Statement...4 Solution Requirements...5 Components of an Integrated

More information

Which cybersecurity standard is most relevant for a water utility?

Which cybersecurity standard is most relevant for a water utility? Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:

More information

Consulting International

Consulting International NIST Cyber Security Working Group (CSWG) NISTIR 7628: NIST Guidelines for Smart Grid Cyber Security Frances Cleveland Xanthus Consulting International Xanthus Consulting International fcleve@xanthus-consulting.com

More information

Cyber security: Practical Utility Programs that Work

Cyber security: Practical Utility Programs that Work Cyber security: Practical Utility Programs that Work Securing Strategic National Assets APPA National Conference 2009 Michael Assante Vice President & CSO, NERC June 15, 2009 The Electric Grid - Challenges

More information

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM Don Dickinson Phoenix Contact USA P.O. Box 4100 Harrisburg, PA 17111 ABSTRACT Presidential Executive Order 13636 Improving

More information

IEEE-Northwest Energy Systems Symposium (NWESS)

IEEE-Northwest Energy Systems Symposium (NWESS) IEEE-Northwest Energy Systems Symposium (NWESS) Paul Skare Energy & Environment Directorate Cybersecurity Program Manager Philip Craig Jr National Security Directorate Sr. Cyber Research Engineer The Pacific

More information

This chapter provides an overview of cyber security issues and activities by state and federal organizations Cyber security is an ongoing, high

This chapter provides an overview of cyber security issues and activities by state and federal organizations Cyber security is an ongoing, high This chapter provides an overview of cyber security issues and activities by state and federal organizations Cyber security is an ongoing, high priority, active initiative within the utility industry.

More information

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

White Paper An Enterprise Security Program and Architecture to Support Business Drivers White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security

More information

Secure SCADA Summit. Dan Mintz, CTO. Civil Health Services Group dmintz@csc.com. Twitter: technogeezer, December 2009

Secure SCADA Summit. Dan Mintz, CTO. Civil Health Services Group dmintz@csc.com. Twitter: technogeezer, December 2009 Secure SCADA Summit Dan Mintz, CTO Civil Health Services Group dmintz@csc.com Twitter: technogeezer, December 2009 For 50 years, CSC Has Helped Clients Ride Every Major Business- Driven Technology Wave

More information

Help for the Developers of Control System Cyber Security Standards

Help for the Developers of Control System Cyber Security Standards INL/CON-07-13483 PREPRINT Help for the Developers of Control System Cyber Security Standards 54 th International Instrumentation Symposium Robert P. Evans May 2008 This is a preprint of a paper intended

More information

Preparing for Distributed Energy Resources

Preparing for Distributed Energy Resources Preparing for Distributed Energy Resources Executive summary Many utilities are turning to Smart Grid solutions such as distributed energy resources (DERs) small-scale renewable energy sources and energy

More information

Roadmaps to Securing Industrial Control Systems

Roadmaps to Securing Industrial Control Systems Roadmaps to Securing Industrial Control Systems Insert Photo Here Mark Heard Eastman Chemical Company Rockwell Automation Process Solutions User Group (PSUG) November 14-15, 2011 Chicago, IL McCormick

More information

THE FUTURE OF SMART GRID COMMUNICATIONS

THE FUTURE OF SMART GRID COMMUNICATIONS THE FUTURE OF SMART GRID COMMUNICATIONS KENNETH C. BUDKA CTO STRATEGIC INDUSTRIES MAY 2014 THE GRID OF THE FUTURE WIDE-SCALE DEPLOYMENT OF RENEWABLES INCREASED ENERGY EFFICIENCY PEAK POWER REDUCTION, DEMAND

More information

Industrial Defender, Inc.: Recipient of the 2008 Global Risk Management Process Control & SCADA Company of the Year Award

Industrial Defender, Inc.: Recipient of the 2008 Global Risk Management Process Control & SCADA Company of the Year Award F R O S T & S U L L I V A N 2008 Industrial Defender, Inc.: Recipient of the 2008 Global Risk Management Process Control & SCADA Company of the Year Award Todd Nicholson (left), Chief Marketing Officer,

More information

Industrial Control Systems Security Guide

Industrial Control Systems Security Guide Industrial Control Systems Security Guide Keith Stouffer, Engineering Lab National Institute of Standards and Technology NIST SP 800-82, Rev 2 and ICS Cybersecurity Testbed Keith Stouffer Project Leader,

More information

A Concise Model to Evaluate Security of SCADA Systems based on Security Standards

A Concise Model to Evaluate Security of SCADA Systems based on Security Standards A Concise Model to Evaluate Security of SCADA Systems based on Security Standards Nasser Aghajanzadeh School of Electrical and Computer Engineering, Shiraz University, Shiraz, Iran Alireza Keshavarz-Haddad

More information

White Paper. Convergence of Information and Operation Technologies (IT & OT) to Build a Successful Smart Grid

White Paper. Convergence of Information and Operation Technologies (IT & OT) to Build a Successful Smart Grid White Paper Convergence of Information and Operation Technologies (IT & OT) to Build a Successful Smart Grid Contents Executive Summary... 3 Integration of IT and OT... 4 Smarter Grid using Integrated

More information

SCADA Security: Challenges and Solutions

SCADA Security: Challenges and Solutions SCADA Security: Challenges and Solutions June 2011 / White paper by Metin Ozturk, Philip Aubin Make the most of your energy Summary Executive Summary... p 2 Protecting Critical Infrastructure Includes

More information

Three Simple Steps to SCADA Systems Security

Three Simple Steps to SCADA Systems Security Three Simple Steps to SCADA Systems Security Presented by: Gabe Shones, PE / Gilbert Kwan, PE Insert Photo Here Rockwell Automation Process Solutions User Group (PSUG) November 14-15, 2011 Chicago, IL

More information

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends Frost & Sullivan s Aerospace, Defence & Security Practice Global Industrial Cyber Security Trends Presented by Philipp Reuter Director Frost & Sullivan, Turkey 1 Worth over $ 50 Billion globally in 2014

More information

William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly

William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly Ramesh Karri (rkarri@poly.edu) Associate Professor, Electrical and Computer Engineering NYU-Poly Why is cyber

More information

Smart Grid Information Security

Smart Grid Information Security CEN-CENELEC-ETSI Smart Grid Coordination Group Date: 2014-12 Secretariat: CCMC CEN-CENELEC-ETSI Smart Grid Coordination Group M490-SGCG-SGIS-Intermediate-Report-V1.pdf 1 Contents Page 2 3 4 5 6 7 8 9 10

More information

Conquering Data and Analytics Obstacles in Smart Utilities. Copyright 2010 SAS Institute Inc. All rights reserved.

Conquering Data and Analytics Obstacles in Smart Utilities. Copyright 2010 SAS Institute Inc. All rights reserved. Conquering Data and Analytics Obstacles in Smart Utilities Copyright 2010 SAS Institute Inc. All rights reserved. The Panel Kate Rowland Editor-in-Chief of Intelligent Utility Magazine Energy Central Alyssa

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security

More information

TECHNOLOGIES: KEY MARKET FORECASTS: GEOGRAPHIES:

TECHNOLOGIES: KEY MARKET FORECASTS: GEOGRAPHIES: Smart Grid Cyber Security System Reliability, Defense-in-Depth, Business Continuity, Change Management, Secure Telecommunications, Endpoint Protection, Identity Management, and Security Event Management

More information

U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO

U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW November 12, 2012 NASEO ISER Response: from site focused to system focused Emergency Preparedness, Response, and Restoration Analysis and

More information

The Dow Chemical Company. statement for the record. David E. Kepler. before

The Dow Chemical Company. statement for the record. David E. Kepler. before The Dow Chemical Company statement for the record of David E. Kepler Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President before The Senate Committee

More information

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

Announcement of a new IAEA Co-ordinated Research Programme (CRP) Announcement of a new IAEA Co-ordinated Research Programme (CRP) 1. Title of Co-ordinated Research Programme Design and engineering aspects of the robustness of digital instrumentation and control (I&C)

More information

What Risk Managers need to know about ICS Cyber Security

What Risk Managers need to know about ICS Cyber Security What Risk Managers need to know about ICS Cyber Security EIM Risk Managers Conference February 18, 2014 Joe Weiss PE, CISM, CRISC, ISA Fellow (408) 253-7934 joe.weiss@realtimeacs.com ICSs What are they

More information

Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives

Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives (Revised March 2012) Disclaimer: To the extent permitted by law, this document

More information

A Detailed Strategy for Managing Corporation Cyber War Security

A Detailed Strategy for Managing Corporation Cyber War Security A Detailed Strategy for Managing Corporation Cyber War Security Walid Al-Ahmad Department of Computer Science, Gulf University for Science & Technology Kuwait alahmed.w@gust.edu.kw ABSTRACT Modern corporations

More information

Cybersecurity Risk Assessment in Smart Grids

Cybersecurity Risk Assessment in Smart Grids Cybersecurity Risk Assessment in Smart Grids Lucie Langer, Paul Smith, Thomas Hecht firstname.lastname@ait.ac.at AIT Austrian Institute of Technology ComForEn Symposium 2014 Sept 30, 2014 1 Risk Assessment:

More information

Smart Grid Cyber Security

Smart Grid Cyber Security WHITE PAPER Cyber Security Smart Grid Cyber Security Smart Grid Deployment Requires a New End-to-End Security Approach EXECUTIVE SUMMARY Alstom Grid, Intel, and McAfee have joined their expertise to deliver

More information

Asset Management Challenges and Options, Including the Implications and Importance of Aging Infrastructure

Asset Management Challenges and Options, Including the Implications and Importance of Aging Infrastructure Asset Management Challenges and Options, Including the Implications and Importance of Aging Infrastructure Presentation to the U.S. Department of Energy by the IEEE Joint Task Force on QER Trends: Resilience

More information

Smart Meters Executive Paper

Smart Meters Executive Paper Smart Meters Executive Paper Smart infrastructure overview The ever growing global demand for energy, combined with increasing scarcity of resources and the threat of climate change, have prompted governments

More information

Designing Compliant and Sustainable Security Programs 1 Introduction

Designing Compliant and Sustainable Security Programs 1 Introduction Designing Compliant and Sustainable Security Programs 1 Introduction The subject of this White Paper addresses several methods that have been successfully employed by DYONYX to efficiently design, and

More information

Hybrid Risk Management for Utility Networks

Hybrid Risk Management for Utility Networks Hybrid Risk Management for Utility Networks Hermann de Meer hermann.demeer@uni-passau.de Computer Networks and Computer Communications Lab (CNACC) University of Passau CNACC: Introduction People Prof.

More information

Network Security Landscape

Network Security Landscape Cole p01.tex V3-07/28/2009 3:46pm Page 1 Network Security Landscape COPYRIGHTED MATERIAL IN THIS PART Chapter 1 State of Network Security Chapter 2 New Approaches to Cyber Security Chapter 3 Interfacing

More information

Chair Mays, Co-Vice Chair Fox, Co-Vice Chair Whitfield and Members of the Committee:

Chair Mays, Co-Vice Chair Fox, Co-Vice Chair Whitfield and Members of the Committee: National Association of Regulatory Utility Commissioners (NARUC) Winter Committee Meeting SGIP Report to Committee on Critical Infrastructure Sunday, February 9, 2014 Chair Mays, Co-Vice Chair Fox, Co-Vice

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

Integrating the customer experience through unifying software - The Microsoft Vision

Integrating the customer experience through unifying software - The Microsoft Vision VAASAETT - RESPOND 2010 Integrating the customer experience through unifying software - The Microsoft Vision Principal Author Andreas Berthold- van der Molen, Microsoft EMEA Contents The New Energy Ecosystem

More information

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems GE Intelligent Platforms Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Overview There is a lot of

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

The digital future for energy and utilities.

The digital future for energy and utilities. Digital transformation has changed the way you do business. The digital future for energy and utilities. Digital is reshaping the landscape in every industry, and the energy and utilities sectors are no

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

DeltaV System Cyber-Security

DeltaV System Cyber-Security January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP Today s Topics SCADA Overview SCADA System vs. IT Systems Risk Factors Threats Potential Vulnerabilities Specific Considerations

More information

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014 NIST Cybersecurity Initiatives Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL National Institute of Standards and Technology (NIST) NIST s mission

More information

Security in the smart grid

Security in the smart grid Security in the smart grid Security in the smart grid It s hard to avoid news reports about the smart grid, and one of the media s favorite topics is security, cyber security in particular. It s understandable

More information

Data Security Concerns for the Electric Grid

Data Security Concerns for the Electric Grid Data Security Concerns for the Electric Grid Data Security Concerns for the Electric Grid The U.S. power grid infrastructure is a vital component of modern society and commerce, and represents a critical

More information

RESILIENCE AGAINST CYBER ATTACKS Protecting Critical Infrastructure Information

RESILIENCE AGAINST CYBER ATTACKS Protecting Critical Infrastructure Information www.wipro.com RESILIENCE AGAINST CYBER ATTACKS Protecting Critical Infrastructure Information Saritha Auti Practice Head - Enterprise Security Solutions, Wipro Table of Contents 03... Abstract 03... Why

More information

EFFECTIVE APPROACHES TO CYBERSECURITY FOR UTILITIES TERRY M. JARRETT HEALY & HEALY ATTORNEYS AT LAW, LLC OCTOBER 24, 2013

EFFECTIVE APPROACHES TO CYBERSECURITY FOR UTILITIES TERRY M. JARRETT HEALY & HEALY ATTORNEYS AT LAW, LLC OCTOBER 24, 2013 EFFECTIVE APPROACHES TO CYBERSECURITY FOR UTILITIES TERRY M. JARRETT HEALY & HEALY ATTORNEYS AT LAW, LLC OCTOBER 24, 2013 1 AGENDA Why Cybersecurity? A Few Helpful Cybersecurity Concepts Developing Expertise:

More information

SCADA Security Training

SCADA Security Training SCADA Security Training 1-Day Course Outline Wellington, NZ 6 th November 2015 > Version 3.1 web: www.axenic.co.nz phone: +64 21 689998 page 1 of 6 Introduction Corporate Background Axenic Ltd Since 2009,

More information

Industrial Cyber Security 101. Mike Spear

Industrial Cyber Security 101. Mike Spear Industrial Cyber Security 101 Mike Spear Introduction Mike Spear Duluth, GA USA Global Operations Manager, Industrial Cyber Security Mike.spear@honeywell.com Responsible for the Global Delivery of Honeywell

More information

White Paper. 7 Steps to ICS and SCADA Security. Tofino Security exida Consulting LLC. Contents. Authors. Version 1.0 Published February 16, 2012

White Paper. 7 Steps to ICS and SCADA Security. Tofino Security exida Consulting LLC. Contents. Authors. Version 1.0 Published February 16, 2012 Tofino Security exida Consulting LLC White Paper Version 1.0 Published February 16, 2012 Contents Executive Summary... 1 Step 1 Assess Existing Systems... 1 Step 2 Document Policies & Procedures... 3 Step

More information

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps Agenda Introduction to SCADA Importance of SCADA security Recommended steps SCADA systems are usually highly complex and SCADA systems are used to control complex industries Yet.SCADA systems are actually

More information

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com Oil and Gas Industry A Comprehensive Security Risk Management Approach www.riskwatch.com Introduction This white paper explores the key security challenges facing the oil and gas industry and suggests

More information

Claes Rytoft, ABB, 2009-10-27 Security in Power Systems. ABB Group October 29, 2009 Slide 1

Claes Rytoft, ABB, 2009-10-27 Security in Power Systems. ABB Group October 29, 2009 Slide 1 Claes Rytoft, ABB, 2009-10-27 Security in Power Systems October 29, 2009 Slide 1 A global leader in power and automation technologies Leading market positions in main businesses 120,000 employees in about

More information