NERC CIP in the Real World on a Real Budget Utilizing Cost Saving Ethernet Technologies in Compliant Architectures

Transcription

1 NERC CIP in the Real World on a Real Budget Utilizing Cost Saving Ethernet Technologies in Compliant Architectures Authors: Eric Stranz, Business Development Manager, Siemens Stefan Nohe, Subject Matter Expert, Siemens Dr. Chan Wong Phd, Standards Engineering, Entergy Page 1 11/11/16 Energy Automation

2 Motivation Page 2 11/11/16 Energy Automation

3 NERC CIP Cyber security for TSO and Generation Generation / DER Misuse of local administrative rights Distribution and Transmission Substation Configuration is manipulated via local network, wireless or remote access Customer Consumer behavior tracking, e.g., through smart meters Fraud through smart meter manipulation Market Fraud based on falsified offers and contracts (Customer, Utilities, DNOs, ) Operation Unauthorized remote service access Page 3 11/11/16 Energy Automation

4 Focus of Paper-Implement Technologies in Compliant Architectures Control Center Level Possible Attackers: Remote Access Station Level Countries Criminal organizations Script kiddies Attacks via internet Malware Insider Substation Control Zone Attacks via internet Spoofing Malware Misuse of access rights Misuse of access rights Malware Viruses.. Malware Unauthorized access to network Unauthorized access Field Level Page 4 11/11/16 Energy Automation

5 Cost Saving Technologies Control Center Substation Data Collector & Controller Substation HMI I E C Station Bus MMS (data collection & controls) GOOSE (virtual wires) Process Bus 3rd party device Sampled Values (currents / voltages) GOOSE (virtual wires)

6 IEC MMS Station Bus MMS Communications Routable Layer 3 IED1 IED2 IED3 IED4 Vendor W Vendor X Vendor Y Vendor Z CB1 CB2 CB3 CB4

7 Data Communication using Station Bus Peer-to-peer communications IED1 Vendor W IED2 IED3 IED4 Vendor X Vendor Y Vendor Z GOOSE (Generic object oriented system-wide events) Multicast Message Non-Routable Layer 2 CB1 CB2 CB3 CB4

8 Process Bus Station Bus Process Bus Multicast Message Non-Routable Layer 2 Hardwired FiberOpticI/O CT s Connection and PT s Merging Units

9 Network Segmentation Process and Station Bus Networks Page 9 11/11/16 Energy Automation

10 CIP 5 Standards Consolidated FAQ Oct # 23 IEC is not a data link or network layer protocol, thus declaring IEC to be a routable or non-routable protocol is not appropriate. Time-critical messages, such as GOOSE messages for direct inter-bay communication, typically run on a flat Layer 2 network without the need for Layer 3 IP addresses. Page 10 11/11/16 Energy Automation

11 IEC Deterministic Concepts GOOSE MECHANISM Sequence Number: 4 State Sequence: 26 Sequence Number: 1045 State Sequence: 25 Sequence Number: 1047 State Sequence: 25 Sequence Number: 1046 State Sequence: 25 Sequence Number: 0 State Sequence: 26 Starts a new sequence when the status change Sequence Number: 1 State Sequence: 26 Sequence Number: 2 State Sequence: 26 Sequence Number: 3 State Sequence: 26 A well designed Substation system can determine the health of the network by monitoring sequence or state alarms and indications for fast network diagnosis IEC Sampled Values operates in a similar manner

12 Cost Savings and other benefits with Ethernet Technologies Up to 40% cost savings with Sampled Values Technology within a substation compared to a traditional copper installation (Based on a 12 Feeder Install) IEC GOOSE reduces copper interconnectivity between devices which results in significant savings in some installations Templates, reusable engineering make IEC an attractive option Physical Security and Communications Security is required regardless of technology. Is Nerc CIP Compliance too difficult to even consider these technologies? Page 12 11/11/16 Energy Automation

13 1.) Assess stations designations based on the CIP ( ) 2.) Define the (BES) Cyber System (formerly Critical Cyber Assets) 3.) Define Physical Security Perimeter (PSP) 4.) Define Electronic Security Perimeter(s) (ESP) 5.) Provide a Cyber Security Framework to Cyber Assets per CIP Standards 6.) Define Electronic Access Points into ESP(s) In Version 5 NERC now allows for multiple ESP s and does not restrict the ESP s to the 6 wall approach. Page 13 11/11/16 Energy Automation

14 Physical & Cyber security The physical security requirements Need of authentication before entrance of station Recognize and Alarm in case of unauthorized access Protection against unauthorized access Cyber security Mitigate misuse of access rights Authentication of access Prevents from outside threads and attacks on infrastructure Page 14 11/11/16 Energy Automation

15 Normal NERC CIP Applicable Substations Should Already Include Physical Security Measures The FERC Order No. 706, Paragraph 572, directive discussed utilizing two or more different and complementary physical access controls to provide defense in depth. Two Factor Authentication (Something you know, Something you are, Something you have) Card Scanners, Cameras, Authentication Systems typically are already in place for a NERC CIP Station Page 15 11/11/16 Energy Automation

16 ESP at the Control House Card Scan 2 Factor Authentication Keypad Camera Card Scan to Retrieve Key for Breakers Door switch triggers alarm where camera monitors activity Card scan Layer 2 Com s Only Page 16 11/11/16 Energy Automation

17 ESP at the Control House Electronic Security Perimeter Electronic Access Point Direct Connection to Device (segregated Networks from Process Bus) Communications Supervision All IP services Turned off, pure Layer 2 only communications Page 17 Merging Units 11/11/16 Energy Automation

18 ESP at the Substation Fence Card Scan 2 Factor Authentication Keypad Card scan Camera Card Scan to Retrieve Key for Breakers Door switch triggers alarm where camera monitors activity Card scan Layer 3 or Layer 2 Page 18 11/11/16 Energy Automation

19 Securing the Network Enterprise Applications Encrypted Communications Traffic Limit Firewall Authentication Communications Supervision Merging Units Communications Supervision Page 19 11/11/16 Energy Automation

20 Disable Unused Ports CIP Table R1 X X X XXX Even Ports used for testing must be disabled at the time of putting the system into service. XX

21 Intrusion Prevention Systems (IPS) Any Product that Prevents Hackers Access to the Network and can take immediate action to the threat Reactive Can Drop the Malicious Packets Block Traffic from the Source Reset the Connection Firewalls, Anti-Virus, Malware Tools

22 Antivirus and Malware (IPS) X Logged CIP X X

23 Firewall (IPS) X Logged CIP-007-5

24 Intrusion Detection Systems (IDS) Any Product that can Detect an intrusion into the network and report or alarm this detection to a management station Passive Monitors signatures Alerts Operators Creates Reports

25 Network Based Intrusion Detection (NIDS) NIDS Server Intrusion Detected Analysis of Intrusion Network-Based Intrusion Detection Systems (NIDS)

26 Host Based Intrusion Detection System(HIDS) Intrusion Detected Analysis of Intrusion Host Based Intrusion Detection System (HIDS)

27 CIP Table R1 Security Patch Update within 35 days of update release CIP Table R1

28 Updated LDAPàActive Directory Within 724hrs Days of leaving termination the position

29 White List and Logging White List 1.) Bobby-Joe 2.) Billy-Bob X Jim-Bob CIP Table R1 Operations Log 10:30 AM 3/17/14 Invalid Login attempt Jim Bob

30 White List and Logging White List 1.) Bobby-Joe 2.) Billy-Bob Billy-Bob Operations Log 10:30 AM 3/17/14 Logged In Billy-Bob CIP Table R1 Operations Log 10:30 AM 3/17/14 Changed Relay Settings Billy-Bob

31 Turn Off all Non-Critical IP Ports

32 Turn Off all Non Critical Services

33 Best Practices - Classify BES Cyber Systems and Assets per V5 requirements -Segment your networks -Secure unused ports and services -Implement malwareand virus protection -Passwords should comply with complex requirements -Firewall settings properly set -Implement Intrusion Detection and Prevention Systems -Electronic Access points to the Substation should be encrypted - Provide application control software wherever possible

34 Thank you for your attention! Page 34 11/11/16 Energy Automation