Substation Cyber Security Analytics IntelliSub Europe 2013 November 2013, Frank Fischer, Partner Security, Accenture

Transcription

1 Substation Cyber Analytics IntelliSub Europe 2013 November 2013, Frank Fischer, Partner, Accenture

2 The Cyber Challenge for Substations Utilities often struggle to manage threats proactively Many operators lack the required capabilities to proactively identify, understand, and respond to threats and exposures within their substation environments. Typical Issues As the threat landscape continuously evolves, substation operators struggle to scale their defenses. Standards compliance is simply not enough to combat advanced threats. Upgrades to substation infrastructure is costly and frequently behind plan leading to fragmented defenses Traditional threat defense capabilities do not scale to the volume, variety, and velocity of attacks nor do they cover both enterprise and operational IT A reactive security incident management posture has left security operations teams overwhelmed Desired Outcomes Reduce the frequency and impact of security incidents that negatively effect business service quality, employee productivity, and data confidentiality Increase the effectiveness of existing security investments to scale to meet demand beyond common standards Decrease the overall cost to serve for information security to the business, keep incremental investments at an acceptable level Improve response and preventive capabilities ahead of attacks, including active response options. Establish a defense-in-depth approach to provide a multi-layered, active defense strategy 2

3 The SmartGrid / Substation Threat Landscape - Typical attack vectors Generation Advanced Persistent Threats, focusing on SCADA and Industrial Control Systems (ICS) plugged into IP backbones Advanced Meter Infrastructure Meter tampering Meter data fraud + infusion IP-based threat vectors, partially combined with mobile attacks (if AMI leverages wireless infrastructures) Gateway-level attacks Enterprise attack vectors Coordinated infiltration Traditional enterprise attacks Full spectrum of attacks on existing IP-based (control) infrastructure, focused on weakest link in the communication chain (remote locations preferred) Substations Physical attacks on Substation Infrastructures (e.g. circuit breakers, generators) Low and slow hacking, focusing on SCADA, IEDs, substation comms lines Insider threats through onsite suppliers, contractors, key employees IED / control code hacks 3

4 The Cyber Kill Chain in a Substation Environment New threats bridge IT and OT creating new attack vectors. In order to pre-empt threats, Cyber Attackers Kill Chain has to be interrupted as early as possible. Kill Chain Phases Typical IT Attacker Activities Typical Substation Attacker Activities Guard schedules Physical Access Contractor Infiltration Site access codes Decoy activities Deploy backdoor Trojan placement Complex Out-of-band attack profiles access Blackmail admins Establish control link Botnet deployment Comm link conduits Modify Control Code IED / PLC Access Destroy Generators Gather phys. assess SCADA Interference Shutdown Circuits Tamper Comm links Multi-site Control Impact Grid Control 4

5 Cyber Capabilities are required for Substations defense Threat centric security operations maximizes security investments through multiplying effectiveness of the security operations team and enabling a focus on business critical operations. Cyber Capabilities Vulnerability Vulnerability Manage security weaknesses through comprehensive identification, analysis, reporting, and remediation. Active Defense Incident Cyber Exploratory Analytics Threat Operational Monitoring Threat Identify security threats, analyze their relevance and provide factual background for risk analysis. Operational Monitoring - Detect, analyze, report, and respond to security incidents and compliance violations across the enterprise. Exploratory Analytics Uncover indicators of advanced security attacks that are not yet widely known. Dramatically increase the effectiveness of critical incident response by using advanced data technologies. Incident - Resolve security incidents in a timely and appropriate manner, while providing clear visibility and traceability. Active Defense- Engage the adversary during all phases of an incident to achieve a deeper understanding of attack context while increasing the cost of the attacker. 5

6 Data platforms & cyber analytics enable a broader set of analytical insights for a complex substation environment Operational Analytics Production-oriented infrastructure related activities for repeatable insights/reports Includes techniques used to uncover potential threats through anomaly detection (from access to data) Also encompasses traditional enterprise data warehouse capabilities such as aggregation and summarization that feed security management decision processes. Identified gaps are pushed to Exploratory Reporting, Correlation, Trending Exploratory Analytics In-depth Analytics based on historical, multi-dimensional infrastructure events / read-outs Real-time hypothesis testing and fact-finding activities Ad-hoc in nature and require analyst insight and technical expertise Requires understanding of the domain AND the data Hypotheses confirmed during exploration go Operational Root Cause Analysis, Anomaly Detection, baseline analysis, detecting unusual behavior 6

7 Intelligent Operations take action on cyber analytics: Understanding SmartGrid issues holistically and act appropriately operations responsibilities are typically distributed across a tiered model. Higher tier teams require increased expertise and contextual understanding of the organization s business assets. Tier 1 - Monitoring SOC Monitoring Analysts 24 x 7 Tier 1 Alert and Event Monitoring Rule Based Tasks Tier 2 Change and Reporting Incident Identification Escalated Incident Resolution Tier 2 Advanced Analysis SOC Intelligence & Response Analysts 24x7 Tier 3 Problem Resolution Specialists Advanced Event Analysis and Correlation Alert and Event Monitoring and Triage Crisis Maintain Devices First Call resolution Technical Support Physical Surveillance Tier 3 Specialists Crisis, Advanced Technical Support - 8x5 Device & Substation health Monitoring Notify and Escalate 7

8 Summary of a SmartGrid / Substation Cyber Analytics Architecture Visualization Layer Mobile Device Use Cases Appliance or Software Based Web Asset Modeling Analysis Platform Processing Manager Executive Reporting Incident Response Aggregators Data Store Cyber analytics architecture Defence-in-depth Operational procedures Real-time event monitoring Appropriate response processes and procedures Collection Layer Tools Configuration Database(s) Applications Network Infrastructure Networks Identity & Access Substation Infrastructure Substation Infrastructure Copyright 2012 Accenture All Rights Reserved. 8

9 Substation Cyber Analytics Frank Fischer Copyright 2013 Accenture All rights reserved. 9