1 Smart Grid Cybersecurity Exceeding cybersecurity requirements mandated by customers and regulatory agencies Abstract The world has become much more connected, with over 32 percent of the population of the planet, or 2.3 billion people, having access to the Internet. Like individuals, systems that control electric power generation and distribution are becoming more connected. Traditionally, these systems have been: Few in number Localized to a comparatively few locations (such as control rooms, generating plants and substations) Isolated from public networks, making them relatively easy to secure. It was often possible to provide a high degree of security through simple physical measures like fences and locks on doors. Smart Grid technology changes this by placing large numbers of intelligent devices into places where they are often easily physically accessible and by placing many of them onto networks that may be physically accessible, or indirectly logically accessible from public networks. Touch points between utility networks and public (or nearly public) networks will become more numerous and widespread. Systems that could once be contained within a locked six-wall room will become widely distributed, with inexpensive networked devices on individual houses and apartments. The rapid evolution of the Smart Grid promises to pose new cybersecurity challenges for at least the next several years. Point of View (POV) Executive White Paper Series These executive white papers provide valuable insight into the innovative application of technology to solve business problems that are confronting utilities, municipalities and other Smart Grid related organizations. The papers should serve as a helpful resource to aid chief financial officers (CFOs) and chief executive officers (CEOs) in discussions with institutional chief information officers (CIOs) in the exploration of new methods and processes for reducing costs. Point of View (POV) Executive White Paper Series usa.siemens.com/smartgrid
2 Executive summary Industrial control systems (ICS), particularly those used by electric and other utility companies, formerly had few, if any, connections to the world outside the corporation that owned and operated them. In response to trends like deregulation and the growth of alternative and widely distributed energy sources, data collected and used by control systems has increasingly been both obtained and exchanged via public networks. Interconnections between neighbor and partner utilities and independent system operators have also increasingly made use of public networks. Control centers and substations have traditionally been critical, physical assets. They have now become part of an increasing inventory of cyber assets which can no longer be secured simply by placing them behind fences and locked doors. Open standards are replacing proprietary hardware/software True security requires more than simple compliance with applicable standards and will require a number of actions to assist users in achieving both compliance and security. Cybersecurity is in flux, and requires more than simple compliance with applicable standards. There has been a dramatic evolution from proprietary communications protocols toward standards-based approaches. Cybersecurity for the Smart Grid is in flux. We know how to secure traditional systems like a supervisory control and data acquisition systems (SCADA), energy management systems (EMS) or distribution management systems (DMS). For these systems, familiar techniques like firewalls, role-based access controls, multi-factor authentication, and anti-malware measures can still be used to provide a high degree of security. There has been a dramatic evolution from using proprietary hardware and software toward using off-the-shelf hardware and software. There has also been an equally dramatic evolution from traditional, proprietary communications protocols toward standards-based approaches, notably DNP3 or IEC for grid control. While a cybersecurity professional will say that security through obscurity is never an appropriate defense, the reality is that the move to standard hardware and software has enabled the greater connectivity we see today. In turn, that increased connectivity can make an attacker s job easier. Effective cybersecurity must protect critical assets The world has simply become a more dangerous place for computers and networks. Today, networks are under assault from a wide variety of rogue governments and pseudo-governments, terrorists, criminals and people who see breaking into computer systems as a challenging game. The rise of the Internet and the Web have revolutionized how the world communicates, conducts business, entertains itself and participates in countless other activities no one could have even imagined a few decades ago. Internet technologies have also revolutionized the electric utility industry. Developments include: Internet technologies have revolutionized the electric utility industry. Substation equipment can now be configured from hundreds of miles away over a network. A SCADA one-line diagram can be viewed with a Web browser on a laptop in a substation or in a service truck. Information can quickly and efficiently be exchanged between companies, asset owners and partner utilities. 2
3 All of these are good things they allow electric utilities to utilize resources more efficiently, maintain them more effectively, increase business agility and be more responsive to customer needs. With improved technology comes new criminal behavior As keepers of much of the world s critical infrastructure, it is the job of the electric utility to do everything within reason to prevent malicious or accidental damage to critical resources that are in their care. Recent initiatives for international cybersecurity standards, promoted by the White House, the United States Department of Homeland Security (DHS) and governments around the world make this document relevant to the worldwide energy industry. The electric utility must do everything within reason to prevent malicious or accidental damage to critical resources. Power utilities are an important national cybersecurity concern because of the essential nature of electricity in our life. Control centers, generators and other facilities have always been critical to the delivery of electric power, and the number and the variety of these critical assets continues to increase. Security challenges What is the potential for critical infrastructure attacks or a major breach of our electrical power grid? In the cybersecurity community, despite frequently heard statements such as a well-funded, highly motivated, intelligent adversary can eventually defeat any cybersecurity, successful attacks against critical infrastructure have been rare. The attack surface of systems is dramatically increasing. Nevertheless, security professionals would most likely say that the attack surface of systems is dramatically increasing. Smart Grid benefits bring new cybersecurity challenges Smart Grid technologies and devices promise great benefits in a number of areas: reduced cost, increased reliability and even reduced environmental impact. As a result, there has been a rush to design, develop and deploy these technologies and devices. In this rush, cybersecurity has not always received the attention it deserves. Smart Grid technologies promise reduced cost, increased reliability and reduced environmental impact. How SCADA security is different from smart metering security In large part, the difference between SCADA security and smart metering security can be expressed simply as concentrated vs. distributed. A SCADA system is generally in one room (albeit with links to devices in substations, which are themselves for the most part in one room). Smart metering is everywhere and it is not possible to build a fence with a gate and a lock around everywhere. Is cybersecurity a good investment? Corporate management brings a special set of concerns toward cybersecurity. When managers are considering adding or upgrading facilities or equipment, return on investment (ROI) is a major factor in their deliberations. ROI is also a strong concern for shareholders. One of the challenges for the future is how to quantify cybersecurity investments. With cybersecurity, ROI is somewhat nebulous. While it is clear that Smart Grid technologies offer increased value, reliability and sustainability, one of the challenges for the future is how to quantify cybersecurity investments in an industry where no news is good news (in terms of cybersecurity threats). As a result, finding a clear and quantifiable answer to this question will continue to remain a challenge. 3
4 Cybersecurity challenges for utility operators There are a number of factors that make cybersecurity a complex challenge for utility operators: Modern SCADA/EMS/DMS systems are large, complex and incorporate increasingly large numbers of widely distributed components. The distributed nature of SCADA/EMS/DMS systems results in complex network architectures. SCADA/EMS/DMS systems and networks employ a wide variety of cybersecurity equipment and software. Utilities require processes to manage, monitor and maintain these assets which can be complex and resource intensive. Those who seek to harm energy delivery infrastructures continue to grow in sophistication, number and level of dedication. Operators often do not have 24/7 on-site support from an IT department. Often, especially for small to medium-sized electric utilities, SCADA/EMS/DMS operators do not have 24/7 on-site support from an IT department. It is unrealistic (and potentially dangerous) to expect that grid operators possess sufficient expertise in security related topics to recognize, analyze and deal with the variety of cybersecurity incidents that can occur in today s world. Emerging Smart Grid cybersecurity technologies Securing large, widely dispersed and easily accessible networks poses some significant challenges. Securing large, widely dispersed and easily accessible networks pose some significant challenges. For example, in a more traditional setting, support personnel are near at hand to deal with an intrusion. However, if an intrusion occurs in an inexpensive smart meter 100 miles from the nearest support technician, we are faced with an entirely new cost vs. benefit calculus: Should a service truck be sent immediately or is it better to wait? How long is too long to wait? How long might it be before an intrusion into one meter is used by an attacker to attack neighboring meters or other equipment? Smart Grid techniques need to be more compact, less expensive and more autonomous than traditional defenses. Defense in depth has long been a popular approach to securing cyber assets whereby a series of obstacles are constructed that an attacker must defeat to breach the core of a system. Defenses have traditionally been in the form of firewalls, intrusion detection systems and malware detection software. To provide defense in depth for the Smart Grid, the same types of techniques can be used, but they need to be more compact, much less expensive, more autonomous, more distributed and require less human attention. Smart meter security demands creative solutions Some amazingly creative security solutions are beginning to emerge in the Smart Grid arena. One promising example is a hardware-based intrusion detection system that could be incorporated into a single, integrated circuit that is estimated to cost less than one dollar that s cheap enough to allow one to be put into every single smart meter. The solutions are out there and new ones are emerging. The industry just needs to allow and encourage creative people to find them. 4 Smart Grid security needs to become part of the corporate culture A major key to getting serious about security is to move from an environment where the primary concern is compliance to one where the primary concern is security. The difference between compliance and security is sometimes subtle, but it can have a large impact. For example, current NERC CIP rules mandate that anti-malware software be installed and maintained on critical cyber assets. If you follow those rules, you are compliant. However, since current anti-malware solutions are notoriously ineffective at dealing with zero-day threats, compliance does not equal security in this case. A corporate culture that is concerned not only with compliance but also security will encourage better solutions.
5 Case Study Cybersecurity Manager (CSM) Cybersecurity Manager is designed to help shift the odds in the good guys favor As part of an effort to help improve the cybersecurity posture of the energy delivery infrastructure of the United States, the U.S. Department of Energy (DOE) has funded development of CSM by Siemens and the Pacific Northwest National Laboratory. CSM is not intended to replace existing tools used by IT staff. However, it is designed to provide a tool that will help an EMS operator recognize and respond to cybersecurity incidents without requiring the operator to be an expert in cybersecurity, networking, or the tools that a security professional would typically use. CSM is designed to provide a tool that will help an EMS operator recognize and respond to cybersecurity incidents without requiring the operator to be an expert in cybersecurity. Unique to CSM is its integration into an existing operator training simulator (OTS): Operators can be trained to use the tool by working through realistic simulations or a replay of real-life situations. OTS allows an administrator to use a simulation to test CSM configuration changes. Development and demonstration of a security core component The SCADA and EMS systems used by the electric utility industry to monitor and From control electric power generation, transmission and distribution are recognized today as critical components of the electric power delivery infrastructure. SCADA/EMS operators are traditionally very accomplished at managing the power grid, but are frequently not trained to manage cybersecurity aspects of today s complex equipment and networks. CSM assists operators, who are frequently not trained to manage cybersecurity aspects of today s complex equipment and networks. CSM will assist operators and provide new OTS tools that will facilitate training and practice to recognize and handle cybersecurity incidents. The Siemens cybersecurity advantage Siemens Smart Grid cybersecurity team supports our customers and Siemens internal business units. The team develops and implements tools and methodologies required to provide a secure, reliable computing and network infrastructure. Our approach emphasizes: Soliciting and understanding customer requirements and responding effectively to customer requests and concerns. Emphasizing a proactive approach, where we not only maintain a high awareness of relevant regulations and standards, but actively participate in influencing the development of those standards. Actively developing and maintaining Siemens internal processes so that cybersecurity is the responsibility of all Siemens employees, at all levels of the organization and throughout the entire product lifecycle. Developing and offering cybersecurity related products and services that are reliable and secure, enhancing our customers ability to deploy and use these products to improve the reliability and security of the energy delivery system (Illustrated in figure 1 on the next page). Siemens proactive approach enhances customers ability to improve the reliability and security of the energy delivery system. 5
6 Figure 1. The information security process Helping customers achieve compliance Compliance and security are related but not equal. Siemens thinks of compliance as a subset of the larger topic of cybersecurity. Effective security requires more than simple compliance with applicable standards in Siemens case, we have implemented a number of actions to assist our customers in achieving both compliance and security. A secure energy delivery infrastructure requires a partnership between system owners and the vendors who supply those systems. As a worldwide vendor, Siemens delivers systems to customers that are governed by a host of different security regulations. One common thread through all these regulations includes maintaining a secure energy delivery infrastructure that requires a partnership between system owners and the vendors who supply those systems. Our goal is to help our customers achieve compliance with relevant security regulations, and to help ensure that Siemens has done everything feasible (from both product and process points of view) to make sure our customers systems are both compliant and secure. Our approach is described below. A proactive cybersecurity approach Siemens is an acknowledged world leader in supplying products and services to the electric utility industry, with extensive experience in cybersecurity. We have been called twice to testify before the U.S. Congress on the topic of security in the electric utility industry. We closely follow numerous security-related standards, including the North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) , Common Criteria, International Organization for Standardization (ISO) as well as emerging standards. We offer the benefit of our technology and experience to help electric utilities achieve the level of cybersecurity that the challenges of today s world demand. We have developed a suite of security-related products and services that are directed both at owners of Siemens Spectrum Power control center products and owners of non-siemens products. 6
7 Cybersecurity standards As a supplier of a broad range of products, systems and solutions to power transmission and distribution organizations around the world, we keep a close watch on existing and emerging standards worldwide. These include: NERC CIP standards in North America ISO/International Electrotechnical Commission (IEC) (Common Criteria) ISO/IEC 27002:2005 (formerly ISO/IEC 17799) Various National Institute of Standards and Technology (NIST) and other security-related standards and recommendations Siemens Computer Emergency Readiness Team (S-CERT) employees are active in these organizations, providing industry practical insight and market feedback on the application of existing and emerging standards. Siemens CERT S-CERT provides an independent and trustworthy partner for organizations throughout Siemens to deal with cyber-security related issues. S-CERT members hold a variety of cybersecurity and other applicable industry certifications. S-CERT provides a variety of services, including: A central monitoring and notification service for security vulnerability announcements, applicable third-party tools and products used throughout Siemens. This service is integral to Siemens in its overall approach to timely announcements to our customers regarding the availability of security patches that apply to our systems. Performing thorough security assessments of Siemens products; future releases of Spectrum Power will be assessed by S-CERT. Cyber vulnerability assessments (CVA) on customer systems. S-CERT provides an independent and trustworthy partner for organizations throughout Siemens to deal with cybersecurity related issues. S-CERT s experience and expertise is an invaluable tool when responding to cybersecurity incidents and customer concerns. Software subscription agreement (SSA) The software subscription agreement (SSA) service enables customers to take advantage of Siemens continuing investment in the development of the base Spectrum Power system. Every year Siemens invests a significant amount in research and development to enhance and extend the capabilities of Spectrum Power. Our global development organization is continuously improving the Spectrum Power product line, with the intention of ensuring that system components, including third-party components, are up-to-date for security patches and updates. System improvements from R&D are generally made available on a regular basis through base system software releases. Authors Mayur Rao Head of Cybersecurity Siemens Smart Grid Division Dave Taylor Certified Information Systems Security Professional (CISSP) Siemens Smart Grid Division Andy Turke Certified Information Systems Security Professional (CISSP) Siemens Smart Grid Division 7
8 Conclusion Effective cybersecurity requires the latest and best technology and know-how in a fast-moving electric utility field. It also requires a reliable partner that: Has industry experience Understands the problems electric utilities face Has made the commitment to stay abreast of the latest developments in the field Has a commitment to train its workforce. Effective cybersecurity requires the latest and best technology and know-how in a fast-moving electric utility field. As a leading supplier to electric utilities, Siemens has developed a cohesive cybersecurity response program. The ongoing convergence of a number of trends over the past several years has led to a continuous elevation of the importance of cybersecurity in the systems that Siemens designs, develops, delivers and supports. These trends have led to a greatly heightened awareness of cybersecurity among media, politicians, standards organizations, government agencies and utilities. Because of the essential nature of electricity to our economy and lives, power utilities are an important national cybersecurity asset. Through all the details of this process, Siemens is committed to helping customers not only achieve compliance, but move toward a truly effective Smart Grid cybersecurity system. Siemens Smart Grid Division cybersecurity team Siemens Smart Grid cybersecurity team specializes in designing and building control center and substation products, systems and solutions with a strong emphasis on security. Core attributes of the team include: Team members hold Certified Information Systems Security Professional (CISSP) certifications, participate in security conferences and have attended third-party security training. The average security team member has more than 20 years of experience in the industry. The team is involved during all aspects of Siemens standard product development and deployment life cycle, including postdeployment customer support. Additionally, Siemens offers customers access to this valuable knowledge base through a broad range of consulting services. Siemens Smart Grid Division The Siemens Smart Grid Division supplies products and solutions for intelligent and flexible electrical network infrastructures. To meet growing energy needs, the networks of today and tomorrow must integrate all forms of power generation and ensure bi-directional energy and communication flows. Intelligent networks help make it possible to generate and use power efficiently and on demand. They contribute to the electrification of railroads and also supply industrial enterprises, infrastructure elements and entire cities with electricity. For more information, visit For more information about the Siemens Smart Grid division on our on our mobile website, please scan the QR code below. Siemens Industry, Inc Wayzata Boulevard, Suite 400 Minnetonka, MN usa.siemens.com/smartgrid Subject to change without prior notice All rights reserved Order No.IC1000-E220-A113-X-4AUS Printed in USA 2012 Siemens Industry, Inc. The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. All product designations may be trademarks or product names of Siemens AG or supplier companies whose use by third parties for their own purposes could violate the rights of the owners.
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
Best practices for cyber security in the electric power sector Abstract With rare exceptions, utilities do an excellent job of managing traditional types of risks facing their operations. However, cyber
Cyber-Security Essentials for State and Local Government Best Practices in Policy and Governance Operational Best Practices Planning for the Worst Case Produced by with content expertise provided by For
Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for
ericsson White paper Uen 307 23-3230 February 2014 Guiding principles for security in a networked society The technological evolution that makes the Networked Society possible brings positive change in
THE PRESIDENT S NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE NSTAC Report to the President on the Internet of Things November 19, 2014 TABLE OF CONTENTS EXECUTIVE SUMMARY... ES-1 1.0 INTRODUCTION...
WHITE PAPER Cybersecurity in Modern Critical Infrastructure Environments SECURE-ICS Be in Control Securing Industrial Automation & Control Systems This document is part of CGI s SECURE-ICS family of cyber
NRECA / Cooperative Research Network Smart Grid Demonstration Project Guide to Developing a Cyber Security and Risk Mitigation Plan DOE Award No: DE-OE0000222 National Rural Electric Cooperative Association,
White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security
JANUARY 2013 REPORT OF THE DEFENSE SCIENCE BOARD TASK FORCE ON Cyber Security and Reliability in a Digital Cloud JANUARY 2013 Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Foreword This document, the Roadmap to Secure Control Systems in the Energy Sector, outlines a coherent plan for improving cyber security in the energy sector. It is the result of an unprecedented collaboration
C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n G o v e r n a n c e a n d I n t e r n a l C o n t r o l C O S O I N T H E C Y B E R A G
WHITE PAPER Shifting Risks and IT Complexities Create Demands for New Enterprise Security Strategies Sponsored by: Booz Allen Hamilton Christina Richmond February 2014 Michael Versace IDC OPINION The Challenge
Outsourcing Network Support: The Surprising Strategy That Helps You Spend Less for Higher Uptime How small and medium-sized businesses (SMBs) are outsourcing network support to reduce spending, improve
Mergers, Acquisitions, Divestitures and Closures Records and Information Management Checklists By John T. Phillips March 2011 Project Underwritten by: ARMA International Educational Foundation Endowment
INDUSTRIAL CONTROL SYSTEM SECURITY CURRENT TRENDS & RISK MITIGATION Reducing Critical Infrastructure Risk An Imperative in Today s Interconnected World. Donald J. Fergus Intekras, Inc. 21515 Ridgetop Circle
BELGIAN CYBER SECURITY GUIDE PROTECT YOUR INFORMATION This Guide and the accompanying documents have been produced jointly by ICC Belgium, FEB, EY, Microsoft, L-SEC, B-CCENTRE and ISACA Belgium. All texts,
GOOD PRACTICE GUIDE PROCESS CONTROL AND SCADA SECURITY GUIDE 2. IMPLEMENT SECURE ARCHITECTURE This guide is designed to impart good practice for securing industrial control systems such as: process control,
Cyber risk in retail Protecting the retail business to secure tomorrow s growth Table of contents Foreword 3 Four issues come to the fore 4 Compliance does not always equal risk management 5 Breach response
Priority III: A National Cyberspace Security Awareness and Training Program Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.
Growing Business Dependence on the Internet New Risks Require CEO Action September 2007 Business Roundtable (www.businessroundtable.org) is an association of chief executive officers of leading U.S. companies
Making Smart IT Choices Understanding Value and Risk in Government IT Investments Sharon S. Dawes Theresa A. Pardo Stephanie Simon Anthony M. Cresswell Mark F. LaVigne David F. Andersen Peter A. Bloniarz
HANDBOOK for SELF-ASSESSING SECURITY VULNERABILITIES & RISKS of INDUSTRIAL CONTROL SYSTEMS on DOD INSTALLATIONS 19 December 2012 This handbook is a result of a collaborative effort between the Joint Threat
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
Sustainability in business today: A cross-industry view Contents Foreword: Closing the gap between aspiration and action 3 About this study 6 Sustainability and the business 7 Sustainability and innovation