Intrusion Detection System for Advanced Metering Infrastructure




Intrusion Detection System for Advanced Metering Infrastructure

Technical Update, December 2012

EPRI Project Manager
G. Rasche

ELECTRIC POWER RESEARCH INSTITUTE
3420 Hillview Avenue, Palo Alto, California
PO Box 10412, Palo Alto, California USA

DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITIES

THIS DOCUMENT WAS PREPARED BY THE ORGANIZATION(S) NAMED BELOW AS AN ACCOUNT OF WORK SPONSORED OR COSPONSORED BY THE ELECTRIC POWER RESEARCH INSTITUTE, INC. (EPRI). NEITHER EPRI, ANY MEMBER OF EPRI, ANY COSPONSOR, THE ORGANIZATION(S) BELOW, NOR ANY PERSON ACTING ON BEHALF OF ANY OF THEM:

(A) MAKES ANY WARRANTY OR REPRESENTATION WHATSOEVER, EXPRESS OR IMPLIED, (I) WITH RESPECT TO THE USE OF ANY INFORMATION, APPARATUS, METHOD, PROCESS, OR SIMILAR ITEM DISCLOSED IN THIS DOCUMENT, INCLUDING MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, OR (II) THAT SUCH USE DOES NOT INFRINGE ON OR INTERFERE WITH PRIVATELY OWNED RIGHTS, INCLUDING ANY PARTY'S INTELLECTUAL PROPERTY, OR (III) THAT THIS DOCUMENT IS SUITABLE TO ANY PARTICULAR USER'S CIRCUMSTANCE; OR

(B) ASSUMES RESPONSIBILITY FOR ANY DAMAGES OR OTHER LIABILITY WHATSOEVER (INCLUDING ANY CONSEQUENTIAL DAMAGES, EVEN IF EPRI OR ANY EPRI REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) RESULTING FROM YOUR SELECTION OR USE OF THIS DOCUMENT OR ANY INFORMATION, APPARATUS, METHOD, PROCESS, OR SIMILAR ITEM DISCLOSED IN THIS DOCUMENT.

REFERENCE HEREIN TO ANY SPECIFIC COMMERCIAL PRODUCT, PROCESS, OR SERVICE BY ITS TRADE NAME, TRADEMARK, MANUFACTURER, OR OTHERWISE, DOES NOT NECESSARILY CONSTITUTE OR IMPLY ITS ENDORSEMENT, RECOMMENDATION, OR FAVORING BY EPRI.

THE FOLLOWING ORGANIZATION, UNDER CONTRACT TO EPRI, PREPARED THIS REPORT:
University of Illinois at Urbana-Champaign

This is an EPRI Technical Update report. A Technical Update report is intended as an informal report of continuing research, a meeting, or a topical study. It is not a final EPRI technical report.

NOTE
For further information about EPRI, call the EPRI Customer Assistance Center at or askepri@epri.com.

Electric Power Research Institute, EPRI, and TOGETHER SHAPING THE FUTURE OF ELECTRICITY are registered service marks of the Electric Power Research Institute, Inc.
Copyright 2012 Electric Power Research Institute, Inc. All rights reserved.

ACKNOWLEDGMENTS

The following organization, under contract to EPRI, prepared this report:

University of Illinois at Urbana-Champaign
1308 W. Main St.
Urbana, Illinois

Principal Investigator: Robin Berthier

This report describes research sponsored by EPRI.

EPRI would like to thank the following organizations for providing insight on the research problem and feedback on the report:
UCAIug SG Security Working Group
Ameren Corporation
DTE Energy
Exelon Corporation
Oncor
Southern California Edison

This publication is a corporate document that should be cited in the literature in the following manner:
Intrusion Detection System for Advanced Metering Infrastructure. EPRI, Palo Alto, CA:


ABSTRACT

The deployment of Advanced Metering Infrastructure (AMI) technology significantly increases the attack surface that utilities have to protect. As a result, there is a critical need for efficient monitoring solutions to supplement protective measures and keep the infrastructure secure. This document investigates current industrial and academic efforts to address the challenge of detecting security events across the range of AMI networks and devices. The goal of this study is to help utilities and vendors to understand intrusion detection requirements, gaps in existing approaches, and research problems that need to be solved to build and deploy a scalable and comprehensive security monitoring solution.

Keywords
Intrusion detection systems (IDSes)
Advanced metering infrastructure (AMI)
Smart meters
Cyber security


CONTENTS

1 INTRODUCTION
  1.1 Purpose and Scope
  1.2 Document Organization
2 MONITORING REQUIREMENTS AND CURRENT APPROACHES
  2.1 AMI Security Threats and Monitoring Requirements
  2.2 Major Security Concerns
  2.3 Industry Solutions
  2.4 Academic Solutions
3 GUIDELINES FOR A SCALABLE AND COMPREHENSIVE IDS FOR AMI
  3.1 Characteristics of an IDS Architecture for AMI
  3.2 Case Study
    Intrusion Detection Operations Required
    Monitoring Architecture Components, Topology, and Communications
    Alert Correlation and Aggregation
4 CONCLUSION AND NEXT STEPS
5 APPENDIX: REFERENCES, GLOSSARIES, AND INDEXES
  5.1 References
  Acronyms


LIST OF FIGURES

Figure 2-1 Percentages of IDS vendors for different technologies and environments. Source: publicly available information from top 15 smart grid security solution vendors
Figure 3-1 Characteristics of a scalable and comprehensive intrusion detection system for AMI
Figure 3-2 AMI Network Diagram Instrumented with IDS Components (Courtesy Justin Searle, UtiliSec)


LIST OF TABLES

Table 2-1 Overview of research publications related to IDS for AMI or SCADA environments
Table 3-1 Monitoring Operations and Sensor Placement Based on Attack Consequences


1 INTRODUCTION

1.1 Purpose and Scope

This Intrusion Detection Systems (IDSes) for Advanced Metering Infrastructure (AMI) document is a product of the EPRI AMI Incident Response Project. The document is intended to give AMI vendors and asset owners a clear understanding of the unique monitoring requirements of AMI and to identify key research challenges related to intrusion detection technology and large-scale deployment.

The effective design and deployment of IDSes in a utility's AMI environment have several characteristics that differentiate them from design and deployment in traditional information technology (IT) environments. For example, simply deploying a perimeter IDS may not provide the coverage necessary for an AMI system. Since there tend to be mesh networks in addition to IP-based backhaul networks, positioning an IDS at the AMI head-end system could miss malicious activity in the mesh network. In addition, there can be scalability issues, as some utilities deploy millions of meters in their service territories.

The scope of this document includes monitoring requirements for the core components of an AMI (i.e., collection engine, meter data management system, data collection unit, and meters) and does not cover the home area network (HAN) or third-party communication equipment.

1.2 Document Organization

Section 2 reports on requirements for monitoring the security of AMI and on existing approaches from both industry and academia to address those requirements. This review leads to a gap analysis presented in Section 3, where key research challenges and guidelines for deploying a scalable IDS for AMI are identified.


2 MONITORING REQUIREMENTS AND CURRENT APPROACHES

2.1 AMI Security Threats and Monitoring Requirements

The deployment of an AMI represents a significant increase in the attack surface that utilities have to protect. The addition of a communication infrastructure and the processing capabilities of AMI devices, coupled with the physical accessibility of smart meters and even access points, enable new ways to penetrate the system and could attract a wide array of threats. Among the attack motivations that are specific to AMI, we consider:

- Energy fraud
- Service disruption for the purposes of extortion (e.g., through a denial of service), vandalism, hacktivism, or terrorism (e.g., power disruption through remote disconnects)
- Theft of sensitive information
- Abuse of communication infrastructure (e.g., by creating a botnet)

Malicious activities that achieve those goals could have a heavy financial impact on utilities and would likely result in major losses of customer trust and technology adoption. As a result, it is critical that utilities have a way to perform timely detection and identification of malicious actions and incidents so that local issues can be mitigated before they escalate. This objective requires the implementation of an efficient monitoring solution. The challenges to address when designing a monitoring solution for a large and complex system include:

- What information should be collected?
- Where should sensors be deployed, and how can visibility over the information required for detection be gained?
- Which detection technologies would be best suited to triggering alarms when malicious activity occurs?
- How should appropriate system operators be notified? Should a separate communication channel be used to exchange intrusion detection information and configuration?
- Which data aggregation and correlation techniques should be deployed to optimally differentiate malicious events from legitimate ones?

The last question is crucial, because the likelihood of legitimate events that could trigger intrusion detection alerts is high. For instance, security alarms could be triggered because of operational mistakes, misconfigurations, system failures, or disruptive events such as natural disasters. The misidentification of legitimate failures as malicious actions would generate false positives and lessen the efficacy of the monitoring solution.

2.2 Major Security Concerns

As part of the initiative to develop common alerts and alarms for AMI, and to understand the needs for AMI cyber security incident detection and response, a questionnaire was developed and sent to utility partners. Respondents represented a diversity of environments (urban, suburban, and rural) and deployment phases (pilot planned, started, and completed). The top security concerns expressed were loss of controllability over AMI devices, followed by loss of observability due to a lack of data integrity. Cyber threats specific to AMIs included meter compromise and massive remote disconnects. Indeed, meters, along with pole-top collectors, are the components that are most vulnerable to cyber intrusion by an external entity, while the head-end system and vendor access are seen as the most vulnerable to insider attacks. At a lower level, utilities expressed concerns with respect to the following security events:

- Unauthorized massive remote disconnect
- Device tampering: malware and malicious code injection (e.g., through buffer overflow attacks), rogue device attachment, meter tampering, access to firmware password, and zero-day attacks against AMI devices
- Cryptographic issues: access to decryption keys or discovery of flaws in encryption
- Denial of service against routers or cell relays
- Unauthorized modifications to system configurations and physical components

This list offers an initial guide to understanding the need for a comprehensive monitoring solution and identifying where intrusion detection sensors should be deployed. For example, the importance of threats targeting devices in the field indicates that the integrity and health of AMI devices should be closely monitored. However, instrumenting and monitoring every device may be too expensive, and, as explained in the following sections, current security solutions indeed do not cover this requirement.

2.3 Industry Solutions

Utilities are investing in monitoring solutions to complement the anti-tampering alarms and event-logging capabilities already offered by smart meters. As shown in Figure 2-1, a survey of the 15 leading security vendors that offer AMI monitoring solutions showed that products mostly fall into two categories:

1. Centralized network-based intrusion detection sensors, and
2. Centralized security information and event managers (SIEMs).

Figure 2-1 Percentages of IDS vendors for different technologies and environments (bar chart, 0% to 100%; categories: Field monitoring solution for SCADA, Field monitoring solution for AMI, Centralized SIEM in utility network, Network-based monitoring sensor, Host-based sensor for embedded device). Source: publicly available information from top 15 smart grid security solution vendors.

Network-based IDSes are sometimes coupled with a firewall to gain intrusion prevention capabilities, and sit in the head-end behind decryption servers to have access to clear traffic. Either they perform packet header analysis only, or they also include application-level dissectors to analyze payloads. SIEMs are also installed in the utility network and receive logs from security appliances and devices using Syslog and a variety of information sources. They offer a central database to ease event aggregation, correlation, and visualization across components and over time.

Those products offer a cost-effective solution to monitoring events and communication traffic from a large volume of AMI devices. Most of them were designed for SCADA monitoring, but an increasing number now integrate AMI protocol analysis capabilities and data-mining approaches to process AMI events. While those products are important for monitoring the infrastructure, the cost advantage of deploying only a centralized solution has to be weighed against the limitation of not having visibility over events that occur at the edge of the network. In particular, neighborhood area networks (NANs) are usually deployed with a wireless mesh communication infrastructure, in which a significant portion of the traffic occurs among network nodes and is invisible to monitoring devices at the head-end. As a result, threats such as unauthorized remote disconnects originating from the field cannot be detected by current centralized solutions. Indeed, utilities have expressed the need for security solutions that could provide situational awareness over all parts of the infrastructure.

Another security monitoring gap emphasized by utilities has been the lack of host-based intrusion detection sensors embedded on AMI devices to permit remote checking of firmware integrity and to identify compromised devices. In addition, utilities expressed strong interest in large-scale patch management solutions for embedded devices deployed in the field. The responses to the questionnaire on AMI Incident Response Guidelines and Best Practices indicate that the main reasons for the industry's current push for centralized monitoring solutions and the lack of distributed IDSes in the field have been 1) the need for high cost efficiency, 2) the lack of maturity of AMI security (e.g., how to assess the likelihood and criticality of a smart meter compromise), and 3) the difficulty of integrating proprietary communication protocols (e.g., most mesh network communication technologies at the lower layers are proprietary).

2.4 Academic Solutions

Research from academic institutions and national labs can be organized into three categories: 1) efforts to understand the threat environment, 2) efforts to develop security monitoring architectures, and 3) design of network- or host-based intrusion detection sensors. Those research efforts are summarized in Table 2-1 and detailed below.

Table 2-1 Overview of research publications related to IDS for AMI or SCADA environments
Columns in the original table: Threat analysis, Host IDS, Network IDS, AMI, SCADA.

- [1] Energy theft in the AMI (McLaughlin, 2010)
- [2] Multi-vendor penetration testing in the AMI (McLaughlin, 2010)
- [3] Cyber security issues for AMI (Cleveland, 2008)
- [4] Intrusion detection for AMI: requirements and architectural directions (Berthier, 2010)
- [5] Cumulative attestation kernels for embedded systems (LeMay, 2009)
- [6] An IDS for wireless PCS (Roosta, 2008)
- [8] Intrusion monitoring in PCS (Valdes, 2009)
- [9] Intrusion detection in SCADA networks (Barbosa, 2010)
- [10] Sophia proof of concept report (Rueff, 2010)
- [11] Distributed IDS in a multilayer network architecture of smart grids (Zhang, 2011)
- [12] Specification-based IDS for HAN (Jokar, 2011)
- [13] Specification-based IDS for AMI (Berthier, 2011)

In the first category, [3] reviewed the security requirements for AMIs and the related threats, emphasizing that encryption and authentication alone will not be sufficient security protections, and that monitoring solutions are a critical complement. [1] provided a detailed security analysis of the issue of energy theft. The authors explained that AMI would significantly increase the risk of energy theft because of the interconnected nature of the infrastructure and the large-scale deployment of identical devices, leading to an amplification of effort, a division of labor, and an extended attack surface. In [2], the same authors introduced a penetration testing method to evaluate AMI components, revealing vulnerabilities such as the sending of unencrypted passwords over optical ports, the possibility of replaying authentications, and the derivation of encryption keys from meter passwords.

In the category of work on security monitoring architectures, [4] outlines the requirements for a comprehensive intrusion detection system for AMI, based on an analysis of the threat model and the information required for detection. In particular, the authors explained that specification-based intrusion detection systems that enable the deployment of a white-listed network would offer a strong security monitoring solution in an AMI environment where communications are tightly controlled and deterministic. This assumption of well-behaved network traffic is characterized in [9], in which the authors explained how the fixed number of network devices, the limited number of protocols, and the regular communication patterns found in the SCADA environment would enable precise network traffic models that can be leveraged for intrusion detection. That notion was used to build a tool called Sophia [10] that captures network traffic in industrial control systems to build a baseline model, and then triggers alerts when deviations are detected. [8] used a combination of specifications, change detection, and statistical anomalies to monitor process control system protocols such as Modbus and DNP3. Once again, taking advantage of the regularity of network communication patterns enables the hybrid approach to detect both known and unknown attacks. [11] described a distributed intrusion detection system for both AMI and SCADA systems that relies on anomaly-based sensors deployed in HAN, NAN, WAN, and SCADA environments. The sensors collect security-relevant information from the communication flows, and two machine-learning algorithms, a support vector machine and an artificial immunity approach called clonal selection, process the data to identify malicious behavior. Those algorithms offer high detection accuracies if they are correctly and sufficiently trained.

Finally, in the category of work on host-based intrusion detection sensors, [5] introduces an architecture called the cumulative attestation kernel that addresses the issue of securely auditing firmware updates in embedded systems such as smart meters. The system is designed to be cost-, power-, computation-, and memory-efficient. A prototype is implemented to demonstrate the feasibility of the solution as well as to formally prove that it meets remote attestation requirements. With respect to network-based intrusion detection systems, [6] proposes a model-based sensor working on top of the WirelessHART protocol to monitor and protect wireless process control systems. The hybrid architecture consists of a central component that collects information periodically from distributed field sensors. A set of eight detection rules working on the physical, data-link, and routing layers covers threats including signal jamming, node compromise, and packet modification. [12] presents and evaluates a specification-based intrusion detection sensor for HAN designed to monitor the physical and MAC layers of the ZigBee protocol. [13] also took advantage of a specification-based approach to monitor the ANSI C12.22 protocols through dedicated sensors deployed in the NAN. That solution was unique in using formal methods to prove that specification-based checkers offer sufficient coverage with respect to an AMI security policy.

3 GUIDELINES FOR A SCALABLE AND COMPREHENSIVE IDS FOR AMI

3.1 Characteristics of an IDS Architecture for AMI

The study of the threat model, the needs expressed by utilities, the current solutions from security providers, and the latest research efforts on AMI monitoring provide a set of key insights into the characteristics of a comprehensive IDS for AMI. Those characteristics are summarized in Figure 3-1 and described below.

1. Monitoring of AMI communications at the head-end is necessary but not sufficient. Important threats that occur at the edge of the network mean that it is also necessary to instrument field devices or to deploy sensors in the field.
2. Monitoring of embedded operating systems in devices deployed in the field with host-based intrusion detection systems is critical. It empowers security operators to validate security alerts by checking whether the integrity of devices has been altered. This capability should be combined with an efficient patch distribution and management mechanism.
3. Network-based intrusion detection systems should leverage the deterministic nature of energy system communications through the implementation of a white-list approach in order to gain higher detection accuracy, to handle unknown attacks, and to work without the need for frequent updates.
4. IDS developers should embrace formal verification tools to validate the design of checkers for both host- and network-based intrusion detection systems. Those tools have been successfully used to check the hardware design of critical systems, and they can offer strong mathematical guarantees to ensure that the stringent security requirements of AMI are met.
5. The deployment of IDS sensors in the field requires strong protection mechanisms and separate communication channels to prevent the IDS from becoming compromised. In addition, trust-building schemes such as majority voting should be implemented to ensure that attackers cannot easily forge alerts.
6. The monitoring architecture should scale to AMIs made of millions of devices. This high scalability requirement means that distributed detection technologies should be favored, in addition to smart data aggregation schemes that would enable operators to gain situational awareness without being overwhelmed by the number of alerts.
7. Finally, any security solution deployed in the smart grid environment has to be highly practical by reinforcing security layers without affecting the core mission of delivering energy. This requirement also applies to the monitoring architecture, which means that autonomous sensors and self-learning algorithms should be leveraged.

Figure 3-1 Characteristics of a scalable and comprehensive intrusion detection system for AMI

3.2 Case Study

Based on the characteristics and requirements outlined in the previous subsection, we now illustrate the design of a scalable and comprehensive IDS architecture for AMI through an example. We assume a traditional AMI architecture made of two types of network: a back-haul connecting the utility to a set of collectors deployed in the field, and neighborhood area networks to connect meters to collectors.

Intrusion Detection Operations Required

In order to define detection technologies and sensor placement, the first step is to translate the threat model into attack consequences. Those consequences are key to understanding the information required by an intrusion detection system for the successful identification of attacks. In Table 3-1, which has been updated from one provided in [4], monitoring operations are defined based on a generic but comprehensive list of attack consequences, and organized according to three detection technologies:

- Stateful specification-based monitoring: to track the behavior of nodes in the network over time and to compare operations to protocol specifications and security policy in order to flag deviations (e.g., by validating the sequence of C12.22 requests and responses and by monitoring the frequency of critical operations such as remote disconnects).
- Stateless specification-based monitoring: to verify a security property (e.g., the integrity of firmware, or the correct format of a C12.22 payload) without having to keep a state over time.
- Anomaly-based monitoring: again, to verify security properties, but with respect to statistical metrics (e.g., network bandwidth) rather than detailed system specifications (e.g., by monitoring the signal power level and packet losses in wireless mesh networks).
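The stateful specification-based operation described above, as an added example that is not part of the report or of any AMI product: a checker that consumes already-dissected C12.22 service events (Logon, Security, Read, Write, Logoff and Terminate are C12.22 services; the session state model, the `remote_disconnect` payload tag, the ApTitles, the event stream and the rate thresholds are constructed assumptions) and flags out-of-sequence requests, repeated authentication failures on one meter, and a NAN-wide remote disconnect rate above policy.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Simplified per-meter session model (an assumption, not the full C12.22 state machine):
# a Read/Write, including the Write that carries a remote disconnect, is legitimate
# only after a successful Logon followed by a successful Security service.
IDLE, LOGGED_ON, AUTHENTICATED = "idle", "logged_on", "authenticated"


@dataclass
class Event:
    """One dissected C12.22 request/response pair as a NAN sensor would emit it."""
    ts: float            # seconds (constructed clock)
    aptitle: str         # C12.22 ApTitle of the meter the request is addressed to
    service: str         # logon, security, read, write, logoff, terminate
    response: str        # "ok" or an error code such as "isc" (insufficient security clearance)
    operation: str = ""  # constructed payload tag, e.g. "remote_disconnect" for a disconnect Write


class C1222StatefulChecker:
    """Tracks each meter's session state plus NAN-wide rates of critical operations."""

    def __init__(self, max_disconnects=3, disconnect_window_s=60.0,
                 max_auth_failures=3, auth_window_s=30.0):
        self.max_disconnects = max_disconnects      # policy: more than this many per window is alerted
        self.disconnect_window_s = disconnect_window_s
        self.max_auth_failures = max_auth_failures  # policy: this many failed Security services per meter
        self.auth_window_s = auth_window_s
        self.state = defaultdict(lambda: IDLE)      # ApTitle -> session state
        self.disconnects = deque()                  # timestamps of accepted remote disconnects (whole NAN)
        self.auth_failures = defaultdict(deque)     # ApTitle -> timestamps of failed Security services

    @staticmethod
    def _prune(timestamps, now, window):
        """Drop timestamps that fell out of the sliding window."""
        while timestamps and now - timestamps[0] > window:
            timestamps.popleft()

    def process(self, ev):
        """Update state with one event and return the policy violations it triggers."""
        alerts = []
        st = self.state[ev.aptitle]
        if ev.service == "logon":
            if ev.response == "ok":
                self.state[ev.aptitle] = LOGGED_ON
        elif ev.service == "security":
            if st == IDLE:
                alerts.append(f"sequence violation: Security before Logon on {ev.aptitle}")
            if ev.response == "ok":
                self.state[ev.aptitle] = AUTHENTICATED
            else:
                fails = self.auth_failures[ev.aptitle]
                fails.append(ev.ts)
                self._prune(fails, ev.ts, self.auth_window_s)
                if len(fails) >= self.max_auth_failures:
                    alerts.append(f"repeated authentication failures on {ev.aptitle}: "
                                  f"{len(fails)} in {self.auth_window_s:.0f}s")
        elif ev.service in ("read", "write"):
            if st != AUTHENTICATED:
                alerts.append(f"sequence violation: {ev.service} on {ev.aptitle} "
                              "without an authenticated session")
            if ev.operation == "remote_disconnect" and ev.response == "ok":
                self.disconnects.append(ev.ts)
                self._prune(self.disconnects, ev.ts, self.disconnect_window_s)
                if len(self.disconnects) > self.max_disconnects:
                    alerts.append(f"remote disconnect rate exceeded: {len(self.disconnects)} "
                                  f"in {self.disconnect_window_s:.0f}s")
        elif ev.service in ("logoff", "terminate"):
            self.state[ev.aptitle] = IDLE
        return alerts


def _session(ts, aptitle, operation):
    """Constructed helper: a complete, well-formed session that performs one Write."""
    return [Event(ts, aptitle, "logon", "ok"), Event(ts + 1, aptitle, "security", "ok"),
            Event(ts + 2, aptitle, "write", "ok", operation), Event(ts + 3, aptitle, "logoff", "ok")]


# Constructed event stream: one benign session, one disconnect with no session,
# three well-formed disconnect sessions that together exceed the rate policy, and
# a meter receiving repeated failed Security services.
SAMPLE_EVENTS = (
    _session(0, "meter-001", "config_update")
    + [Event(10, "meter-002", "write", "ok", "remote_disconnect")]
    + _session(20, "meter-003", "remote_disconnect")
    + _session(23, "meter-004", "remote_disconnect")
    + _session(26, "meter-005", "remote_disconnect")
    + [Event(39, "meter-006", "logon", "ok")]
    + [Event(40 + i, "meter-006", "security", "isc") for i in range(3)]
)


def run_sample(events=SAMPLE_EVENTS):
    """Feed the stream through one checker and return (timestamp, alert) pairs."""
    checker = C1222StatefulChecker()
    return [(ev.ts, a) for ev in events for a in checker.process(ev)]


if __name__ == "__main__":
    for ts, alert in run_sample():
        print(f"t={ts:>3}: {alert}")
```

The sample stream yields exactly three alerts: the session-less disconnect at t=10, the fourth disconnect inside the 60 s window at t=28, and the third failed Security service on meter-006 at t=42; the three disconnect sessions are individually well-formed and are caught only by the rate policy.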
The locations of sensors are defined by the information accessible at each location (head-end, collectors, or meters) and the processing capabilities available and required by the monitoring operations. Typically, stateful monitoring operations require more computations than stateless operations. Finally, in the case of network-based monitoring, the rightmost column provides indications of which protocol layers of the OSI model have to be monitored.

Table 3-1 Monitoring Operations and Sensor Placement Based on Attack Consequences

Attack Consequences | Detection Goal and Operation | Sensor Locations | Protocol Layers (OSI Model)

Stateful Specification-based Monitoring
Integrity of configuration and routing protocols | Checking of configuration and routing operations against security policy and network configuration | Collectors | 3-4
Illegitimate network operations | Stateful checking of protocol operations against security policy and application configurations | Collectors and/or head-end | 5-7

Stateless Specification-based Monitoring
Inconsistent traffic origin or destination | Checking of packet header against security policy and network configuration | Collectors and/or head-end | 3-4
Integrity of communication traffic | Checking of packet payload against protocol specifications | Collectors and/or head-end | 3-7
Illegitimate use of credentials | Checking of system logs against security policy | Head-end | 5-7
Integrity of node software or hardware | Operating system, application, and file integrity checking | Meters, collectors, and head-end | Host
Unresponsive nodes | Checking of protocol operations against security policy and application configuration | Collectors | 2-7

Anomaly-based Monitoring
High bandwidth usage | Traffic monitoring against normal statistical profiles | Meters and/or collectors | 3-4
High signal power level | Checking of wireless signal against normal statistical profiles | Meters and/or collectors |

Monitoring Architecture Components, Topology, and Communications

Following guidance on intrusion detection systems from [14], a monitoring architecture for AMI can be decomposed into the following components:

- Sensors: software or hardware components to capture and analyze network or system activity.
In the case of an AMI, sensors should be deployed at the head-end, collectors, and meters. Head-end sensors would process a large volume of traffic, while sensors in meters should have minimum computing requirements.
- Management server: information generated by sensors should be sent to one or several management servers. The roles of the management server are 1) to store events in a database, and 2) to run a correlation and aggregation process to detect intrusions that could not be identified locally.
- Database server: repository for event information recorded by sensors and management servers. The combination of the management server and the database server is often called a Security Information and Event Management (SIEM). A SIEM can log security events from other sensors than the ones deployed in the AMI.
- Console: interface that security administrators can use 1) to configure the intrusion detection systems, 2) to monitor the security state of the AMI, 3) to visualize and explore alerts, and 4) to conduct forensics activity.

Figure 3-2 presents the topology of the monitoring architecture with the locations of the various components in the AMI.

Figure 3-2 AMI network diagram instrumented with IDS components (Courtesy Justin Searle, UtiliSec)

Communications among IDS components should be isolated from metering traffic. At the head-end and in the backhaul, that can be achieved through an encrypted VLAN. In NANs, depending on the communication medium, IDS management traffic and alerts can be carried either on a separate protocol (e.g., XML or JSON over SSL) or through the AMI communication traffic (e.g., ANSI C12.22) but with separate encryption keys.

To reach high scalability, IDS sensors should preprocess collected activities and be as autonomous as possible in order to send only the most relevant information to the management server. The management server should use machine-learning algorithms to correlate and aggregate events over time with the goals of 1) translating raw sensor data into actionable information, and 2) reducing false positive rates. Correlation and aggregation techniques are described in the next subsection. Additionally, for large-scale AMIs, the management server and sensors at the head-end can be deployed in a two-tier, load-balancing architecture, such that a first set of appliances preprocess (e.g., to decrypt payloads) and route monitoring traffic to the correct server for final processing and storage.
Finally, two important mechanisms enable the monitoring architecture to become more resilient: 1) reduction of the trust of individual sensors by requiring majority voting or event correlation across multiple sensors before triggering of alerts, and 2) removal of single points of failure through deployment of multiple management servers and/or distribution of IDS information among sensors (e.g., using distributed hash tables).

Alert Correlation and Aggregation

The significant size of AMI requires deploying highly efficient security event managers in order to process large volumes of alerts while providing timely information about critical events and keeping a low volume of false positives. Alert processing operations [7] are organized according to the following steps:

1. Pre-processing:
   a. Normalization and storage of alerts into a standard format (e.g., IDMEF).
   b. Organization of normalized alerts into a relational database. Tables should be created for AMI components (e.g., meters, collectors, routers, etc.) and events (e.g., C12.22 failed authentication, remote disconnect, etc.).
2. Aggregation:
   a. Computation of probabilistic similarity measures among alerts (e.g., across space, such as several meters reporting high numbers of packet losses in the same NAN, and across time, such as collectors reporting scanning attempts over a similar period).
   b. Reduction of the volume of alerts through clustering and merging following attribute analysis and similarity measures (e.g., alerts targeting the same ApTitle), or through filtering following rules learned over time (e.g., discarding C12.18 authentication alerts if related to approved maintenance operations).
3. Correlation:
   a. Using predefined attack scenarios, specified by experts or learned over time (e.g., an energy theft attempt would likely combine anti-tampering alerts with outage notifications). This correlation approach is only effective for known attacks.
   b. To complement the previous approach and handle unknown attacks, correlation of alerts can be made by linking attack steps over prerequisites and consequences of attacks (e.g., integrity violation of a meter system following a network buffer overflow exploit targeting the same meter).
   c. Correlation through multiple information sources, by combining knowledge about policies (e.g., maximum frequency for remote disconnect operations), maintenance operations (e.g., configuring a meter with a field device), and alerts.
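The aggregation and correlation steps above, together with the reduced-trust mechanism from the previous subsection (a reporter quorum standing in for majority voting), as an added example that is not part of the report: alerts of the kinds the report names are filtered against approved maintenance windows, merged across meters of one NAN, and chained as prerequisite and consequence on the same ApTitle. The alert kinds, meter and NAN names, the maintenance window, the quorum and the time gaps are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    """A normalized alert (IDMEF-like fields reduced to what the steps below need)."""
    ts: float
    sensor: str     # reporting sensor: meter host sensor, collector network sensor, or head-end
    aptitle: str    # C12.22 ApTitle of the affected meter ("*" for NAN-wide aggregates)
    nan: str        # neighborhood area network the meter belongs to
    kind: str       # event class, e.g. "packet_loss_high", "c1218_auth_failure"
    detail: dict = field(default_factory=dict)


def filter_maintenance(alerts, maintenance):
    """Aggregation step 2b: discard C12.18 authentication alerts that fall inside an
    approved maintenance window for that meter (maintenance: ApTitle -> [(start, end)])."""
    kept = []
    for a in alerts:
        windows = maintenance.get(a.aptitle, [])
        if a.kind == "c1218_auth_failure" and any(s <= a.ts <= e for s, e in windows):
            continue
        kept.append(a)
    return kept


def aggregate_spatial(alerts, kind, min_reporters, window_s):
    """Aggregation step 2a: merge alerts of one kind from distinct meters in the same NAN
    within window_s of the first report. Requiring min_reporters is the majority-voting
    mechanism: one sensor alone cannot raise the NAN-wide alert.
    Returns (aggregated, unconfirmed singletons, alerts of other kinds untouched)."""
    by_nan, passthrough = defaultdict(list), []
    for a in alerts:
        (by_nan[a.nan] if a.kind == kind else passthrough).append(a)
    aggregated, unconfirmed = [], []
    for nan, group in by_nan.items():
        group.sort(key=lambda a: a.ts)
        reporters = {a.aptitle for a in group if a.ts - group[0].ts <= window_s}
        if len(reporters) >= min_reporters:
            aggregated.append(Alert(group[0].ts, "management-server", "*", nan,
                                    f"{kind}_nan_wide", {"meters": sorted(reporters)}))
        else:
            unconfirmed.extend(group)
    return aggregated, unconfirmed, passthrough


# Correlation steps 3a/3b: (prerequisite kind, consequence kind, max gap in seconds, label).
# The two scenarios are the report's own examples; the gap values are assumptions.
SCENARIOS = [
    ("tamper_alarm", "outage_notification", 600, "possible energy theft"),
    ("buffer_overflow_exploit", "integrity_violation", 600, "meter compromise following exploit"),
]


def correlate(alerts, scenarios=SCENARIOS):
    """Link each consequence alert to an earlier prerequisite alert on the same meter."""
    by_meter = defaultdict(list)
    for a in alerts:
        by_meter[a.aptitle].append(a)
    incidents = []
    for pre_kind, post_kind, gap, label in scenarios:
        for aptitle, group in by_meter.items():
            pre_ts = [a.ts for a in group if a.kind == pre_kind]
            for post in (a for a in group if a.kind == post_kind):
                if any(0 <= post.ts - t <= gap for t in pre_ts):
                    incidents.append((aptitle, label, post.ts))
    return incidents


MAINTENANCE = {"meter-301": [(150, 300)]}   # constructed approved work order

# Constructed alert stream; timestamps are seconds on a shared clock.
SAMPLE_ALERTS = [
    Alert(100, "host:meter-101", "meter-101", "nan-7", "packet_loss_high"),
    Alert(105, "host:meter-102", "meter-102", "nan-7", "packet_loss_high"),
    Alert(110, "host:meter-103", "meter-103", "nan-7", "packet_loss_high"),
    Alert(120, "host:meter-104", "meter-104", "nan-7", "packet_loss_high"),
    Alert(130, "host:meter-201", "meter-201", "nan-8", "packet_loss_high"),    # lone reporter
    Alert(200, "collector-3", "meter-301", "nan-7", "c1218_auth_failure"),     # during maintenance
    Alert(210, "collector-3", "meter-302", "nan-7", "c1218_auth_failure"),     # outside maintenance
    Alert(300, "host:meter-401", "meter-401", "nan-9", "tamper_alarm"),
    Alert(320, "head-end", "meter-401", "nan-9", "outage_notification"),
    Alert(400, "collector-5", "meter-402", "nan-9", "buffer_overflow_exploit"),
    Alert(430, "host:meter-402", "meter-402", "nan-9", "integrity_violation"),
    Alert(500, "host:meter-403", "meter-403", "nan-9", "integrity_violation"),  # no prerequisite
]


def run_pipeline(alerts=SAMPLE_ALERTS, maintenance=MAINTENANCE):
    """Filter, aggregate, then correlate; returns each stage's output for inspection."""
    retained = filter_maintenance(alerts, maintenance)
    aggregated, unconfirmed, rest = aggregate_spatial(retained, "packet_loss_high", 3, 60)
    return {"aggregated": aggregated, "unconfirmed": unconfirmed,
            "retained": rest, "incidents": correlate(rest)}


if __name__ == "__main__":
    out = run_pipeline()
    for agg in out["aggregated"]:
        print(f"NAN-wide {agg.kind} in {agg.nan}: {agg.detail['meters']}")
    for aptitle, label, ts in out["incidents"]:
        print(f"t={ts}: {label} on {aptitle}")
```

On the sample stream the four nan-7 packet-loss alerts collapse into one NAN-wide alert, the single nan-8 report stays unconfirmed, the meter-301 authentication alert is dropped as maintenance, and two incidents are raised (meter-401 and meter-402) while the orphan integrity violation on meter-403 is not correlated.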


4 CONCLUSION AND NEXT STEPS

This document has identified a set of characteristics of a scalable and comprehensive monitoring architecture for AMI, based on the review of AMI threats, utility needs, security vendor solutions, and the research literature. Those characteristics were illustrated through a case study that presented IDS components along with a topology and a discussion about IDS communication architecture and alert correlation and aggregation techniques. The next steps in furthering this effort will be to identify a working group for review and to work with vendors and third parties to ensure the interoperability of IDS components for AMI through the identification of standard interfaces and standard communication protocols.


5 APPENDIX: REFERENCES, GLOSSARIES, AND INDEXES

5.1 References

[1] S. McLaughlin, D. Podkuiko, and P. McDaniel, "Energy theft in the advanced metering infrastructure," in Proceedings of Critical Information Infrastructures Security, pp. , .
[2] S. McLaughlin, D. Podkuiko, S. Miadzvezhanka, A. Delozier, and P. McDaniel, "Multi-vendor penetration testing in the advanced metering infrastructure," in Proceedings of the 26th Annual Computer Security Applications Conference, ACM, 2010, pp. .
[3] F. Cleveland, "Cyber security issues for advanced metering infrastructure (AMI)," in Proceedings of the Power and Energy Society General Meeting: Conversion and Delivery of Electrical Energy in the 21st Century, IEEE, 2008, pp. .
[4] R. Berthier, W. Sanders, and H. Khurana, "Intrusion detection for advanced metering infrastructures: Requirements and architectural directions," in Proceedings of the First IEEE International Conference on Smart Grid Communications (SmartGridComm), IEEE, 2010, pp. .
[5] M. LeMay and C. Gunter, "Cumulative attestation kernels for embedded systems," in Proceedings of Computer Security, ESORICS 2009, pp. , .
[6] T. Roosta, D. Nilsson, U. Lindqvist, and A. Valdes, "An intrusion detection system for wireless process control systems," in Proceedings of the 5th IEEE International Conference on Mobile Ad Hoc and Sensor Systems (MASS 2008), IEEE, 2008, pp. .
[7] U. Zurutuza and R. Uribeetxeberria, "Intrusion detection alarm correlation: a survey," in Proceedings of the IADAT International Conference on Telecommunications and Computer Networks (TCN 04), Donostia, Spain, December .
[8] A. Valdes and S. Cheung, "Intrusion monitoring in process control systems," in Proceedings of the 42nd Hawaii International Conference on System Sciences, pp. 1-7, 2009.
[9] R. Barbosa and A. Pras, "Intrusion detection in SCADA networks," in Lecture Notes in Computer Science: Mechanisms for Autonomous Management of Networks and Services, vol. 6155, pp. , Springer, 2010.
[10] G. Rueff, C. Thuen, and J. Davidson, "Sophia Proof of Concept Report," Idaho National Laboratory (INL), .
[11] Y. Zhang, L. Wang, W. Sum, I. Green, M. Alam, and others, "Distributed IDS in a multi-layer network architecture of smart grids," IEEE Transactions on Smart Grid, no. 99, p. 1, 2011.
[12] P. Jokar, H. Nicanfar, and V. Leung, "Specification-based IDS for home area networks in smart grids," in Proceedings of the IEEE International Conference on Smart Grid Communications (SmartGridComm), pp. , .
[13] R. Berthier and W. H. Sanders, "Specification-based IDS for AMI," in Proceedings of the 17th Pacific Rim International Symposium on Dependable Computing (PRDC), pp. , 2011.
[14] NIST SP , Guide on Intrusion Detection and Prevention Systems (IDPS), .

Acronyms

AMI: Advanced Metering Infrastructure
AMI-SEC: AMI security
ANSI: American National Standards Institute
ASAP-SG: Advanced Security Acceleration Project for the Smart Grid
CBKE: certificate-based key exchange
CSV: comma-separated value
C12.18 standard: ANSI standard for type 2 optical port
C12.22 standard: ANSI specification for interfacing to data communication networks
DPA: differential power analysis
DMZ: demilitarized zone
HAN: home area network
HTTP: Hypertext Transfer Protocol
IDS: intrusion detection system
IEC: International Electrotechnical Commission
IETF: Internet Engineering Task Force
IT: information technology
MAC: media access control
MDMS: meter data management system
MIB: management information base
NAN: neighborhood area network
NESCOR: National Electric Sector Cybersecurity Organization Resource
NIST: National Institute of Standards and Technology
NIST CSWG: NIST Cyber Security Working Group
PDU: protocol data unit
RFLAN: RF local area network
SGIP-CSWG: Smart Grid Interoperability Panel Cyber Security Working Group
SIEM: Security Information and Event Management
SOAP: Simple Object Access Protocol
SPA: simple power analysis
SYSLOG: IETF standard for computer data logging
WG: working group
XML: Extensible Markup Language
ZigBee: HAN communication protocol


Export Control Restrictions

Access to and use of EPRI Intellectual Property is granted with the specific understanding and requirement that responsibility for ensuring full compliance with all applicable U.S. and foreign export laws and regulations is being undertaken by you and your company. This includes an obligation to ensure that any individual receiving access hereunder who is not a U.S. citizen or permanent U.S. resident is permitted access under applicable U.S. and foreign export laws and regulations. In the event you are uncertain whether you or your company may lawfully obtain access to this EPRI Intellectual Property, you acknowledge that it is your obligation to consult with your company's legal counsel to determine whether this access is lawful. Although EPRI may make available on a case-by-case basis an informal assessment of the applicable U.S. export classification for specific EPRI Intellectual Property, you and your company acknowledge that this assessment is solely for informational purposes and not for reliance purposes. You and your company acknowledge that it is still the obligation of you and your company to make your own assessment of the applicable U.S. export classification and ensure compliance accordingly. You and your company understand and acknowledge your obligations to make a prompt report to EPRI and the appropriate authorities regarding any access to or use of EPRI Intellectual Property hereunder that may be in violation of applicable U.S. or foreign export laws or regulations.

The Electric Power Research Institute, Inc. (EPRI) conducts research and development relating to the generation, delivery and use of electricity for the benefit of the public. An independent, nonprofit organization, EPRI brings together its scientists and engineers as well as experts from academia and industry to help address challenges in electricity, including reliability, efficiency, health, safety and the environment. EPRI also provides technology, policy and economic analyses to drive long-range research and development planning, and supports research in emerging technologies. EPRI's members represent approximately 90 percent of the electricity generated and delivered in the United States, and international participation extends to more than 30 countries. EPRI's principal offices and laboratories are located in Palo Alto, Calif.; Charlotte, N.C.; Knoxville, Tenn.; and Lenox, Mass.

Together Shaping the Future of Electricity

2012 Electric Power Research Institute (EPRI), Inc. All rights reserved.

Electric Power Research Institute
3420 Hillview Avenue, Palo Alto, California
PO Box 10412, Palo Alto, California USA
askepri@epri.com


More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Table of Contents Introduction 3 Deployment approaches 3 Overlay monitoring 3 Integrated monitoring 4 Hybrid

More information

Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.

Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc. Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc. Foundstone Labs October, 2003 Table of Contents Table of Contents...2 Introduction...3 Scope and Approach...3

More information

2) trusted network, resilient against large scale Denial of Service attacks

2) trusted network, resilient against large scale Denial of Service attacks Sam Crooks Network Design Engineer My background is that I have worked in the gaming (as in casinos, gambling), credit card processing industries, consumer credit and related

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of McAfee Email and Web Security Appliance Version 5.5 Patch 2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005 SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst ESG Lab Spotlight ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst Abstract: This ESG Lab Spotlight examines the

More information

Breach Found. Did It Hurt?

Breach Found. Did It Hurt? ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many

More information

Security Issues with Integrated Smart Buildings

Security Issues with Integrated Smart Buildings Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern

More information

Database Security in Virtualization and Cloud Computing Environments

Database Security in Virtualization and Cloud Computing Environments White Paper Database Security in Virtualization and Cloud Computing Environments Three key technology challenges in protecting sensitive data Table of Contents Securing Information in Virtualization and

More information

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

WHITE PAPER SPLUNK SOFTWARE AS A SIEM SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)

More information

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 This document describes the NovaTech Products for NERC CIP compliance and how they address the latest requirements of NERC

More information

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Ensuring Security in Cloud with Multi-Level IDS and Log Management System Ensuring Security in Cloud with Multi-Level IDS and Log Management System 1 Prema Jain, 2 Ashwin Kumar PG Scholar, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka1, Assistant Professor,

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

Cyber Security. Smart Grid

Cyber Security. Smart Grid Cyber Security for the Smart Grid Peter David Vickery Executive Vice President N-Dimension Solutions Inc. APPA National Conference June 21, 2010 Cyber Security Solutions For Cyber Security

More information