UTILITY CYBERSECURITY - PREPARE FOR THE WORST

Transcription

1 20 March 2012 UTILITY CYBERSECURITY - PREPARE FOR THE WORST DAN RUECKERT, P.E. ASSOCIATE VICE PRESIDENT BLACK & VEATCH GEORGE GAMBLE DIRECTOR BLACK & VEATCH

2 AGENDA Utility Landscape & Trends Regulations Looking Ahead Questions & Discussion 2

3 UTILITY LANDSCAPE & TRENDS 3

4 U T I L I T Y L A N D S C A P E & T R E N D S RECENT NEWS SETTING THE STAGE Cybersecurity and Privacy Issues related to Smart Meters Public Utilities Commissions are examining current cyber security and privacy requirements that exist under federal and state law, rules and utility policies and practices that apply to transmission and distribution utilities and identify potential regulatory gaps that may exist by examining the extent to which existing federal requirements may or may not apply to cyber security and privacy issues regarding smart meters and related systems. (December 2011) SEC Issues Guidance on the Disclosure of Cybersecurity Incidents and Costs On October 13, 2011 the U.S. Securities and Exchange Commission (SEC) issued disclosure guidance related to cybersecurity risks and costs that may have far-reaching impacts on electric utilities. For those electric utilities already subject to the North American Electric Reliability Corporation (NERC) CIP cybersecurity requirements, this guidance suggests the need for increased scrutiny of compliance costs and harms resulting from cyber incidents and potential cyber incidents to evaluate appropriate disclosure. With the pending increase in the number of assets covered by the Version 4 Critical Infrastructure Protection (CIP) Reliability Standards, which the Federal Energy Regulatory Commission (FERC) recently proposed to approve, the costs of compliance are likely to significantly increase across the electric utilities industry, affecting a wide variety of SEC registrants subject to FERC s reliability jurisdiction. Cyber attacks on Utilities, Industries rise According to the DHS, Control System Security Program cyber experts based at the Idaho National Laboratory responded to 116 requests for assistance in 2010, and 342 so far in A senior Homeland Security cyber official, who spoke on condition of anonymity because of the sensitivity of the topic, said the Stuxnet worm exploited well-known design flaws in the Siemens SIMATIC WinCC Defalut Password Security Bypass vulnerabilities that in general can't be patched. The Stuxnet is not just another run-of-the-mill malware (worm- self contained and self reproducing), but is instead one designed to target critical infrastructure. It uses two currently unpatched vulnerabilities in windows to gain administrative rights on a system. (AP Thu, Sep 29, 2011) According to the General Accountability Office, the nation's wires infrastructure is comprised of $1 trillion in assets that entail 200,000 miles of transmission lines. Altogether, over 800,000 megawatts of power serve more than 300 million people. Because the system is now connected to the outside world, it is open to attack. 4

5 U T I L I T Y L A N D S C A P E & T R E N D S CYBERSECURITY IS IN BROAD PUBLIC VIEW RECENT MEDIA Don t forget about Duqu CBS 60 Minutes - early march

6 U T I L I T Y L A N D S C A P E & T R E N D S THE ELECTRIC UTILITY LANDSCAPE A CYBERSECURITY LAYERED PERSPECTIVE RETAIL MARKETS NEIGHBORHOOD AREA NETWORK (NAN) RTO ISO GENERATION CONTROL CENTER DISTRIBUTION TRANSMISSION 6

7 U T I L I T Y L A N D S C A P E & T R E N D S EVOLVING COMPLEX ARCHITECTURES NIST IR 7628 UNIFIED LOGICAL ARCHITECTURE FOR THE SMART GRID There are only two (2) basic ways to hack computers Taking advantage of configuration problems Taking advantage of problems built into software 7

8 U T I L I T Y L A N D S C A P E & T R E N D S INDUSTRY TRENDS TECHNOLOGY CONVERGENCE Convergence of energy technologies provides a platform for driving performance 8

9 UTILITY LANDSCAPES INTEGRATED AND DEPENDENT WITH EACH OTHER Electric Power Oil Water Natural Gas Transportation Telecom 9

10 U T I L I T Y L A N D S C A P E & T R E N D S CYBERSECURITY CHALLENGES FOR THE UTILITY Increasing Threats Service Level Expectations Demands on Technology Management Regulation & Compliance Sophistication Frequency Speed Quantity Complexity Impact potential Trustworthiness Confidentiality Integrity Availability Privacy An integrated approach to risk management A holistic approach to security Proactive How to operationalize Governance (Policy & Procedures) CEO, Board-level accountability New laws and dynamic regulations Industry-specific regulations 10

11 U T I L I T Y L A N D S C A P E & T R E N D S POTENTIAL UTILITY BUSINESS IMPACTS CYBER INCIDENT Productivity Other Expenses Financial Performance (No. of employees impacted x hours) + (burdened hours + cost restoration) Temporary employees, Equipment rental, overtime costs, extra shipping costs, travel expenses Regulatory fines Cash flow, payment guarantees, lost discounts (A/P), credit rating, stock price, penalties Technology Management Analysis and Remediation Costs Hidden Costs Impacted customers and liabilities Lost opportunities Damaged Reputation Customers, suppliers, financial markets, business partners, banks, litigation & internally 11

12 U T I L I T Y L A N D S C A P E & T R E N D S UTILITY MARKET ANALYSIS CYBERSECURITY TRENDS Cyber security appears to be a market that will continue to have growth regardless of economic conditions. According to Gartner, the recession has had minimal impact on the utility security market, with the expectation for continued growth. Overall, security solutions in the United States are expected to grow approximately 9 to 13 percent annually, reaching approximately $50 billion by Current estimates on spending by utilities (i.e., water, electric and natural gas) are expected to be $15 to $18 billion through NERC is not the only security standard driving cyber security. In addition, utilities also measure themselves against Sarbanes-Oxley (SOX) and information security infrastructure against NIST. Others measure against additional industry standards such as InfoSec Assessment Capability Maturity Model (IA-CMM) that was set up by the National Security Agency (NSA). 12

13 U T I L I T Y L A N D S C A P E & T R E N D S UTILITY MARKET ANALYSIS 13

14 U T I L I T Y L A N D S C A P E & T R E N D S TOP 20 AREAS OF VULNERABILITY SANS (System Administration, Network & Security Institute) Critical Controls Subject to Automated Collection, Measurement, and Validation: 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5. Boundary Defense 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 7. Application Software Security 8. Controlled Use of Administrative Privileges 9. Controlled Access Based on Need to Know 10. Continuous Vulnerability Assessment and Remediation 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention Additional Critical Controls (not directly supported by automated measurement and validation): 16. Secure Network Engineering 17. Penetration Tests and Red Team Exercises 18. Incident Response Capability 19. Data Recovery Capability 20. Security Skills Assessment and Appropriate Training to Fill Gaps Working on the Top 20 would form 80% of a security foundation within your company 14

15 REGULATIONS 15

16 R E G U L A T I O N S The boss says that cybersecurity is extremely important and top priority. That is, unless it makes something inconvenient. 16

17 R E G U L A T I O N S U.S. GOVERNMENT IMPACT ON SECURITY 17

18 R E G U L A T I O N S REGULATORY LANDSCAPE MULTIPLE REGULATIONS & STANDARDS Federal Energy Regulatory Commission NERC Department of Energy NIST Department of Homeland Security U.S. CERT Nuclear Regulatory Commission CFR s Nuclear Energy Institute NEI s U.S. Government Accountability Office FISCA S Cybersecurity Act of 2012 S Strengthening Cybersecurity Pressures originate from more than one government body and the taxonomy is becoming complex 18

19 R E G U L A T I O N S FERC / NERC CIP STANDARDS EVOLUTION Risk Based Methodology Review of Critical Assets (CAs) and Critical Cyber Assets (CCAs): A letter dated April 7, 2009 from Michael Assante Vice President and Chief Security Officer of NERC expressed concerns with data recently submitted to NERC regarding Critical Asset and Critical Cyber Assets identification NERC is moving away from Risk Based Methodology to ensure protection of all Critical Assets: NERC CIP Version 4 Proposed for Approval by FERC on September 15, 2011, removes the Risk Based Methodology and establishes bright-line criteria for determining Critical Assets NERC CIP Version 5 Initial Ballot Completed and under review, removes Critical Assets and moves toward identifying Bulk Electric System (BES) Cyber Systems (i.e. based on NIST SP information systems). Ensures that ALL BES related information systems are afforded some level of protection NERC is advising all registered entities of the concern about the sufficiency of evidence supporting Critical Asset identifications where all substations and generating facilities are excluded. They believe that a finding of non-compliance is highly probable absent such evidence to the NIST Risk Assessment. 19

20 R E G U L A T I O N S NRC NUCLEAR EVOLUTION AND NEI FERC and NRC Brightline Study clarified jurisdictional delineation of Nuclear Power Plant (NPP) Systems Structures and Components (SSC) through the creation of an exemption process for excluding certain SSCs from the scope of applicable NERC Standards as provided in FERC Order No. 706-B Regulations: 10 CFR Regulatory Guide 5.71 Standards: NEI and implementation Each plant has developed a cyber security plan and implementation schedules with deadlines 20

21 R E G U L A T I O N S POWER AND INFORMATION INFRASTRUCTURE HOW TO ASSESS AND IMPLEMENT THE REGULATIONS (CURRENT STATE) Protection, SCADA, EMS, RTO, DER IEC61850, CIM, GID, Security, Network & Data Management TCP/IP, Encryption, SNMP, 1. POWER INFRASTRUCTURE 2. INFORMATION INFRASTRUCTURE Two infrastructures must be managed 21

22 R E G U L A T I O N S POWER AND INFORMATION INFRASTRUCTURE HOW TO ASSESS AND IMPLEMENT THE REGULATIONS (FUTURE STATE) 1. POWER INFRASTRUCTURE Generating Plant Step-Up Transformer Transmission 2. INFORMATION INFRASTRUCTURE Users of Power System Data Control Center Transmission Substation Distribution Substation Fuel Cell Micro- Turbine Photovotaics Batteries Diesel Genset Distribution Substation Combined Heat & Power Fuel Cell Commercial Flywheel Residential Industrial Two infrastructures must be managed in the future; not just one! Commercial 22

23 LOOKING AHEAD 23

24 L O O K I N G A H E A D Strategic Impact Market Today UTILITY EXPECTATIONS EVOLVING SMART UTILITY INFRASTRUCTURE LANDSCAPE AND MATURITY low high I. Smart Network Device Connectivity Smart Grid II. Smart Information Data Aggregation and Analysis Smart Single-Use Infrastructure Industry Average IV. Smart Infrastructure Multi-Utility Integration Physical Cyber Integration III. Smart Utility Multi-System Multi-Facility Aggregation Industry Best Industry Defining low Integration Progression high Data Information Knowledge Wisdom Convergence of energy, heating / cooling, water, waste management, communications, security, and transport is needed to support efficiency & reliability 24

25 L O O K I N G A H E A D UTILITY DEFENSE-IN-DEPTH ISSUES SMART GRID VIEW Strategy & Direction Requirements & Drivers Application Security Privacy Considerations Security & Operations Tamper Management Enterprise Organization Business Process Application Data Meter / Host Network Physical Strategic Direction Technical Execution People, Process & Technology have to work together 25

26 L O O K I N G A H E A D UNIFIED CONTROLS PROGRAM A LIFECYCLE APPROACH NIST Establish Governance NERC NEI Harmonize Controls To create Unified Control Framework Tailor Controls to determine correct baseline Assess Existing Implementation of Controls State Local DHS ITIL Plan Remediation Activities & Tools CobIT SOX ASIS ANSI/ISA Implement Remediation Actions IEEE HIPAA Treat cybersecurity like safety in our daily tasks 26

27 QUESTIONS & DISCUSSION 27

28