Cyber Security for DER, ADR, and AMI

Transcription

1 Cyber Security for DER, ADR, and AMI EPRI Seminar: Integrated Grid Concept and Technology Development Tokyo Japan, August 20, 2015 Galen Rasche, Senior Program Manager, Cyber Security

2 Agenda Security Trends and Challenges Failure Scenarios for DER, ADR, and AMI Identifying Cyber Security Requirements 2

3 Security Trends and Challenges 3

4 The Landscape Most new generation connecting at grid edge The edge is the distribution system Distribution has least amount of utility visibility/control Distributed Energy Resources (DER) Combined Heat & Power Demand Response Home Energy Rooftop Solar Energy Storage Electric Vehicles Large-Scale Solar 4

5 Trends Impacting Security Changing regulation Attacks from nation states and terrorist organizations Connections with more business players Reliance on external communications Increased capability of field equipment 5

6 Threat Model Adversaries with intent Insiders or outsiders, groups or individuals Failure in people, processes, and technology, including human error Threat Agents Economic Criminals Malicious Criminals Recreational Criminals Loss of resources, in particular key employees or communications infrastructure Accidents Natural hazards as they impact cyber security Activist Groups Terrorists Hazards 6

7 Failure Scenarios for DER, ADR, and AMI 7

8 National Electric Sector Cybersecurity Organization Resource: Failure Scenario Report Includes malicious and non-malicious events Format: Failure scenario description Relevant vulnerabilities Impact to grid operations Potential mitigations NESCOR report includes many smart grid scenarios: AMI: 32 scenarios DER: 25 scenarios ADR: 7 scenarios Distribution grid management: 16 scenarios Electric Sector Failure Scenarios and Impact Analyses 8

9 Failure Scenarios - Continued Provide structure for modeling threats and indicators of compromise Can be leveraged as part of a risk assessment process Support cyber security tabletop exercises High-level - must be tailored to each organization 9

10 DR.4 Improper DRAS Configuration Causes Inappropriate DR Messages Description A threat agent unintentionally or maliciously modifies the DRAS configuration to send (or not send) DR messages at incorrect times and to incorrect devices. This could deliver a wrong, but seemingly legitimate set of messages to the customer system. Assumptions DRAS issues a DR message when receiving DR event information in the following ways: (1) Business Logic feeds DR event to DRAS automatically based on its analysis; (2) Authorized manager manually generates and feeds DR event to DRAS through management GUI. 10

11 DR.4 Improper DRAS Configuration Causes Inappropriate DR Messages Utility Boundary Business Logic DR data (subscribers, etc.) DR event Database DRAS DR message Subscribers (DR Client) Graphical User Interface (GUI) DR event Related Architecture Internet Authorized Manager 11

12 DR.4 Improper DRAS Configuration Causes Inappropriate DR Messages (3/4) 12 Threat Agent Gains Access to Network that hosts Business Logic system 13 Threat Agent Obtains Legitimate Credentials for Business Logic system 14 Threat agent misconfigures Business Logic to feed unauthorized DR event to DRAS 15 Threat agent creates unauthorized DR event via DRAS GUI 3 4 Threat agent misconfigures DRAS to generate unauthorized DR event DRAS host is compromised by malware 5 Unintended DR event is injected into DRAS 6 Unintended DR message is sent out to DR Client Client receives unintended DR message may continue operating at peak demand or curtails energy loads No immediate detection; Delayed diagnosis Possible peak energy demand; loss of public confidence

13 DR.4 Improper DRAS Configuration Causes Inappropriate DR Messages Potential Mitigations 1 - See common sub tree Threat Agent Gains Access to Network <specific network> 2 - See common sub tree Threat Agent Obtains Legitimate Credentials for <system or function> 3 - Generate alerts on changes to configurations on DRAS; Detect unauthorized configuration changes; Create audit log of DR messages generated; Require second-level authentication to change configuration 5, 6 - Validate inputs, specifically the reasonableness of DR event 7 - See common sub tree Threat Agent Finds Firewall Gap 8 - See common sub tree Authorized Employee Brings Malware into <system or network> 9, 11 - Require application whitelisting 11 - Conduct penetration testing; Perform security testing; Maintain patches in DRAS host; Maintain anti-virus 13

14 DR.4 Improper DRAS Configuration Causes Inappropriate DR Messages Potential Mitigations (2) 13 - See common sub tree Threat Agent Obtains Legitimate Credentials for <system or function> 14 - Use RBAC to limit generation of DR event; Generate alerts on changes to configurations on Business Logic; Detect unauthorized configuration changes; Create audit log of DR events generated 15 - Create audit log of DR events generated; Generate alarm on unexpected DR event generation 18 - Maintain patches in DRAS GUI host; Maintain anti-virus; Detect unauthorized connections to DRAS GUI; Restrict Internet access to DRAS GUI 14

15 Identifying Cyber Security Requirements 15

16 Hierarchical DER System Five-Level Architecture, in SGAM Format Level 5: Transmission and Market Interactions Distribution Energy Market Clearinghouse Transmission Energy Market Clearinghouse Level 4: Distribution Utility Operational Analysis and Control for Grid Operations System to Manage Demand Response (DR) Pricing Signals Market information Retail Energy Market Clearinghouse Retail Energy Provider (REP) and/ or DER Aggregator Market ISO/RTO/TSO Balancing Authority Geographic Information System (GIS) Outage System (OMS) Distribution System (DMS) Demand Response (DR) System Enterprise Energy System (EMS) Transmission Bus Load Model (TBLM) Utility WAN/LAN DER System (DERMS) DER SCADA System for Control & Monitoring Level 3: Utility and REP Information & Communications (ICT) REP DER & Load System Operation Level 2: Facilities DER Energy System (FDEMS) IEC over ModBus or SEP 2 IEC over DNP3 Facilities DER and Load Energy System Market information in OpenADR Facilities Site WAN/LAN Station Facilities DER Energy Systems (FDEMS) Facilities DER Energy Systems (FDEMS) Facilities Load Meter and Utility Grid PCC Level 1: Autonomous cyber-physical DER systems IEC over ModBus PV Controller PV Equipment Electric Vehicle Supply Equipment Electric Vehicle Battery Storage Controller Battery Diesel Controller Diesel Generator Facilities Site Loads Field Process Circuit breaker ECP ECP ECP ECP 16 Transmission Distribution Distributed Energy Resources (DER) Customer Premises

17 NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security What it IS May be used as a guideline to evaluate the overall cyber security risks to a Smart Grid system Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid What it IS NOT It does not prescribe particular solutions It is not mandatory Version 1.0 Rev 1 published September

18 Risk Assessment using NISTIR 7628 Initial Phase Step 1 Identify the systems and assets Include all assets not just critical cyber assets Step 2 Specify preliminary confidentiality, integrity, and availability objectives Identify system criticality Preliminary identification of threats and impacts (consequences) Step 3 Perform a preliminary risk assessment Define security requirements Overall business assessment 18

19 DER Logical Reference Model Extended/Modified from the NISTIR 7628 Spaghetti Diagram 25 - Distributed Generation & Storage (DERMS) D Outage System (OMS) 17 - Geographic Information System (GIS) U65 U27 D07 D Load System / Demand- Response System (LM/DR) D06 29a - DER SCADA U56 U9 D Distribution System (DMS) D05 U11 U102 U ISO/RTO Operations U58 U52 D Customer Energy System (CDEMS) U Energy Market Clearinghouse U57 U20 41a - Retail Energy Provider (REP) U45 Transmission Bulk Generation Markets Domain Color Key Operations Service Providers Distribution Customer 4a - DER System Controller 4b DER Device D08 6a - Electric Vehicle Service Element (EVSE) 6b - Electric Vehicle (EV) D09 19

20 Hierarchical DER Architecture Mapped to the NISTIR 7628 Level 5: Transmission Operations 19 - Energy Market Clearinghouse Multi-Level Hierarchical DER Architecture D06 Level 4: Distribution Utility DER Operational Analysis D01 U58 U Distributed Generation & Storage (DERMS) D Distribution System (DMS) U Geographic Information System (GIS) D ISO/RTO Operations 30 - Energy System D04 U87 U27 U11 U52 41a - Retail Energy Provider (REP) Level 3: Utility and REP DER Information and Communications Technology (ICT) U92 U56 D05 U65 29a - DER SCADA D03 U9 36 -Outage System (OMS) 32 - Load System / Demand- Response System (LM/DR) U106 Level 2: Facilities DER Energy (FDEMS) 5 - Facilities Energy System (FDEMS) Level 1: Autonomous DER Generation and Storage 4a - DER System Controller U45 D08 U62 6a - Electric Vehicle Supply Equipment (EVSE) D09 Utility Grid Meter and PCC 4b DER Device 6b - Electric Vehicle (EV) Customer Site Load 20

21 NISTIR 7628 Preliminary Security Objectives 21

22 Risk Assessment using NISTIR 7628 Acquisition/Development Phase Step 4 Detailed system design Identify interfaces and interconnected systems Tailor the NISTIR 7628 diagrams Step 5 - Detailed risk assessment Expand upon initial risk assessment More detailed threat and impact assessment Vulnerability assessment Define system level risks 22

23 EPRI Cyber Security Resources Electric Sector Failure Scenarios and Impact Analyses Analysis of Selected Electric Sector High Risk Failure Scenarios Guidelines for Leveraging NESCOR Failure Scenarios in Cyber Security Tabletop Exercises Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology Cyber Security for DER Systems NESCOR Guide to Penetration Testing for Electric Utilities Cyber Security Strategy Guidance for the Electric Sector 23

24 Moving Forward Cyber security supports both the reliability and privacy of the Smart Grid Address interconnected systems both IT and control systems Cyber security needs to be addressed in all systems, not just critical assets Augment existing protection controls, as applicable Continuously monitor and assess the security status Acknowledge will be some security breaches Focus on response and recovery Fail secure Address both safety and security 24

25 Questions 25

26 Together Shaping the Future of Electricity 26