Smart Grid Security: Threats, Vulnerabilities & Potential Countermeasures. Everardo Trujillo, Smart Grid Principal October 4th, 2012

Transcription

1 Smart Grid Security: Threats, Vulnerabilities & Potential Countermeasures Everardo Trujillo, Smart Grid Principal October 4th, Confiden)al & Proprietary -

2 WHAT IS SMART GRID? A smart grid (SG) delivers electricity from suppliers to consumers using digital technology to save energy, reduce cost and increase reliability and transparency. It is a modernized electricity network which is being utilized as a way of addressing energy independence, global warming and emergency resilience issues. CA Energy Commission The Smart Grid will empower customers to have better control over their energy usage, increased renewable generation, integrates plug-in electric vehicles and reduced greenhouse gas emissions while maintaining and improving system reliability, operational efficiency and customer privacy. SDG&E 2

3 WHAT IS SMART GRID? A Smart Grid should have the following characteristics: Self healing from power disturbance events Enabling active participation by consumers in demand response Operating resiliently against physical and cyber attack Accommodating all generation and storage options Enabling new products, services, and markets Optimizing assets and operating efficiently 3

4 WHAT IS SMART GRID? 4 - Confiden'al & Proprietary -

5 SMART GRID BENEFITS Smart Grid technology enables us to monitor electricity consumption & more efficiently control supply to consumers. Improves power reliability & quality. Improves resilience to disruption. Enables predictive maintenance and self-healing responses to system disturbances. Expanded deployment of renewable energy resources. Automates maintenance & operation. Enables transition to plug-in electric vehicles & new energy storage options 5

6 SMART GRID THREATS Link to embedded clip: SITUATIONS LIKE THIS ONE KEEPS US SECURITY GUYS UP AT NIGHT! This same technology/system, if corrupted, could also be used to carry out real-time surveillance, determine personal behavior patterns, & possibly facilitate identity theft, consumption theft, etc. 6

7 SMART GRID THREATS United States Computer Emergency Readiness Team (US-CERT) identifies the following threat sources for Control Systems: National Governments Terrorists Industrial Spies & Organized Crime Groups Hacktivists Hackers 7

8 SMART GRID THREATS 8

9 SMART GRID THREATS 9 - Confiden'al & Proprietary -

10 SMART GRID THREATS Lack of Awareness (Utilities & Vendors) Customer data storage (ASP) Physical Threats Unintentional (earthquakes, fires, RF interference, wind, floods) Intentional (device tampering, theft) Supply Chain (rouge chips) Cyber Threats Customer Privacy (exposure to customer data) Theft (customer theft of usage) Terrorists (DoS, Backdoors) Social Engineering Spear phishing Insider threat, disgruntled employee 10

11 SMART GRID VULNERABILITIES PEOPLE Lack of understanding of security risk to control systems Not understanding the technical & security impacts of not having security policies or their implementation on Control Systems Control System owners not having cybersecurity skills needed to protect against cyber attacks. Over all security awareness (USB devices, spear phishing) PROCESS Insufficient standardization of process and regulations North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) National Institute of Standards and Technology (NISTR 7628 Volume 1) Lack of training for Control System administrators 11

12 SMART GRID VULNERABILITIES TECHNOLOGY Control networks rarely have a QA system Unsecured protocols for device management Network Communication Use of unsecured communication protocols (MODBUS, DNP3, FTP) Network Architecture not adequate for security needs Endpoint security Firmware no support for incremental security changes No formal SDLC by vendor, prevents proper implementation of security controls UI to devices Lack of Patch Management By both vendors & utilities 12

13 COUNTERMEASURES PEOPLE AWARENESS! Upper Management support (top down) PROCESS RFP evaluation of vendors should include security section Contractual language should include security section DHS Cyber Security Procurement Language for Control System (link) Utilities to formally publish internal security program (policies, guidelines, procedures) and ensure compliance NERC-CIP, currently being considered to expand to distribution Consistent security standards are needed for SG devices, sanctioned by a government agency Supply chain verification Manufacturer installing rouge chipsets, malware, etc. 13

14 COUNTERMEASURES TECHNOLOGY We can t wait Search for 3 rd party solutions to address technical deficiencies ICS Firewalls, ICS Gateways, ICS config management solution, Logging Hardening guides for end point devices Establish a relationship with vendors Regulations are needed from a Government perspective Specific regulations in regards to SG security requirements Vendors to provide anti tampering mechanisms, alerting capabilities Ruggedized devices that can withhold heat, water, dust, etc. Deploy sensors (report back to utility) Vulnerability Management Test, and re-test. 3 rd party pen testing 14

15 Questions Everardo Trujillo: - Confiden)al & 15