Making the most out of substation IEDs in a secure, NERC compliant manner

Jacques Benoit, Product Marketing Manager, Cybectec Inc.
Jean-Louis Pâquet, Chief of Technology, Cybectec Inc.

Abstract

An increasing number of sophisticated electronic devices are finding their way to the substation. These include traditional devices such as RTUs, DFRs and SERs, as well as newer devices such as PLCs, protection relays, equipment monitoring devices, metering devices and power quality meters. Utilities are just beginning to appreciate the value of the information these Intelligent Electronic Devices (IED) can provide.

The benefits that can be achieved by implementing an integration solution that provides immediate access to operational and non-operational data have been described at length in previous articles and presentations. So has the interest of providing remote access to devices for maintenance and configuration. However, many of these IEDs must now be considered critical cyber-assets and must be secured in compliance with NERC CIP through CIP Cyber Security Standards (formerly 1300).

While the easiest way to achieve NERC compliance is to isolate IEDs from the outside world and operate them in standalone mode, this option is increasingly unattractive for the reasons mentioned above. Utilities that wish to achieve secure access to their substation devices will need to confront numerous technologies traditionally reserved for corporate Information Technology (IT) applications. Because of conflicting goals and requirements, the results of the confrontation between automation and control engineers, vendors, and security experts from corporate IT groups can easily result in less than perfect solutions that fail to meet the potential benefits.

This presentation will discuss strategies now being implemented by major utilities in order to achieve the benefits of IED integration, while meeting NERC Cyber Security Standards.
For each major NERC requirement, we will discuss the benefits and tradeoffs of various solutions at the IED level, the substation level and the enterprise level.

1 Introduction

Utilities are currently installing a large number of new IEDs for protection and equipment monitoring purposes. In many cases, the IEDs are installed in a standalone manner, preventing the utility from benefiting from all the capabilities of these devices. New protection relays can provide data such as events and waveforms that can be quite valuable for protection engineers and outage management groups. Equipment monitoring devices produce data, such as gas concentration trends, that can be quite valuable for asset management, engineering and maintenance groups. The goal of IED integration solutions is therefore to make the substation data available to all interested parties.

To meet this goal, many utilities are working with their Information Technology (IT) group to extend or replace the existing SCADA architecture with a new modern communications infrastructure based on standard networking technology. While such new architectures promise to provide unlimited connectivity, we will see that if they are not correctly applied, the result is a more complex system that does not bring the expected
benefits. Furthermore, networking technologies extend the security weaknesses of the corporate network to the control network [1].

Corporate networks and their technologies are based on the premise that performance is paramount and outages, while undesirable, are acceptable. This is clearly not true for a control system. Even where security is well defined, the primary goal in the corporate network is to protect the central server and not the edge client. In process control, the edge device, such as the PLC or smart drive controller, is considered far more important than a central host such as a data historian server.

2 SCADA vulnerabilities

Up to now, the SCADA architecture had been considered secure because it used dedicated communication lines and proprietary technologies. The threats were mostly internal, with accidents, inappropriate employee activity, and disgruntled employees accounting for most of the documented problems. However, this situation is changing with the increased use of IT solutions in the field of process control. A report by the British Columbia Institute of Technology (BCIT) [2] indicates that from 2001 to 2003, the source of 70% of incidents was external.

The BCIT analysis of the SQL Slammer Worm incident identifies the infiltration paths of this threat in control systems, some of which were in the power sector [3]:

- The Davis-Besse nuclear power plant process computer and safety parameter display systems were infected via a contractor's T1 line
- A power SCADA system was infected via a VPN
- A petroleum control system was infected via a laptop
- A paper machine HMI was infected via a dial-up modem

Even if the Slammer worm was not targeted specifically at SCADA, it resulted in the complete paralysis of the affected control networks.

The SCADA architecture was designed to provide safe and reliable process control, without any consideration for cyber security.
The protocols used in the power industry include a number of features such as data quality, timestamps, and select-before-operate command functions that ensure the safety of the network and its operators. However, SCADA protocols are quite vulnerable to attack. If an attacker can gain access to the process network, it is a rather simple feat to disable a device or even to perform illegitimate control operations [4].

The vulnerabilities of the power network were highlighted by the August 2003 blackout. While the blackout was not caused by a cyber incident, it clearly demonstrated what the results of an attack could be, prompting regulatory agencies to implement drastic measures to ensure the security of the network.

In August 2003, the North American Electric Reliability Council (NERC) issued the NERC 1200 Urgent Action Cyber Security Standard in order "To reduce risks to the reliability of the bulk electric systems from any compromise of critical cyber assets (computers, software and communication networks) that support those systems."
The NERC 1200 standard evolved into NERC 1300, and is now known as NERC CIP to CIP Cyber Security Standards. These standards describe measures that utilities will have to implement, as well as a strict timeline for implementation.

3 NERC Cyber Security Standards

The NERC Critical Infrastructure Protection standards require utilities to define critical assets in general, and critical cyber-assets in particular. Utilities must also implement a complete security policy that will protect these assets from different types of potential attacks. The standard is subdivided into 8 sub-standards that are labeled CIP to CIP.

CIP Critical Cyber-Assets - Utilities must define, maintain and document a list of all critical assets in general, and of all critical cyber-assets in particular. Critical cyber-assets are defined as being cyber-assets that are directly or indirectly accessible via routable protocols (networks) or via dial-up mechanisms (modems). Many, if not most, of the new IEDs now being installed must be considered critical cyber-assets.

CIP Security Management Controls - Utilities must have a master plan to manage all security related aspects of all critical assets, as defined in part CIP.

CIP Personnel and Training - All persons having access to critical assets shall be assessed for risk, properly trained to be aware of the risks, and familiar with the security policies that have been put in place.

CIP Electronic Security - Utilities must define, implement, document and manage:

- Electronic security perimeters around critical cyber-assets
- Effective Access Control mechanisms at all access points to the perimeters
- Strong procedural or technical controls to ensure authenticity of the accessing party
- Controls for logging authorized access, detecting unauthorized access (intrusions), and attempts at unauthorized access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
Of all the NERC CIP sub-standards, Electronic Security is the one that most directly addresses substation integration and automation systems.

CIP Physical Security - Utilities must define, implement, document and manage:

- Physical security perimeters around all critical assets
- Physical Access control mechanisms at all physical access points
- Processes and tools to monitor accesses to the perimeter

CIP Systems Security Management - Utilities must define, implement, document and manage an overall System Security Management Program. The objective is to prevent, or at least minimize, the risk of failure or compromise from misuse or malicious cyber activity. Elements of compliance include account and password management, security patch management, access log management, test procedures, access reviews, integrity software, identification and documentation of vulnerabilities, change control and configuration management, backup and recovery tools, status monitoring tools, and so on.

CIP-008 Incident Response Planning - This part of the standard specifies that utilities must have established mechanisms for dealing with security related incidents. Incidents must be
monitored, classified, logged and reported. Actions must be taken to prevent similar incidents in the future. Roles and responsibilities related to these issues must be defined within the organization. It is considered that compliance with this requirement could be quite expensive and requires the hiring of full-time security analysts, or the use of external MSSP (managed security service provider) services [5].

CIP-009 Recovery Plans - Utilities shall have appropriate recovery plans for all critical cyber-assets and shall exercise these plans at least annually. Such plans must be defined, documented, tested, maintained up to date, and communicated to all personnel responsible for the operation of the critical cyber-assets.

In the sections that follow we will describe how substation devices are being integrated and the vulnerabilities in the solutions being applied. We will also outline strategies for dealing with these vulnerabilities.

4 Integrating Substation Devices

There are two important aspects to integrating a device. First, its information should be made available to all interested parties throughout the organization. Second, the device should be accessible locally and remotely for maintenance and configuration. As we have already mentioned, some data is used by SCADA. However, the greatest benefit is realized when the other types of data, such as event recordings, are made available to the parties that are best equipped to put the data to good use.
Substation integration brings the following technical challenges:

- There is a large variety of devices, produced by different manufacturers
- Substation devices use a variety of communication links: TCP/IP, RS-232, RS-422 or RS-485
- Each device typically uses a proprietary communications protocol
- Typical devices use one communications port for data, and a separate port for maintenance and access to non-operational data
- Most devices support a single data link and cannot connect to multiple clients
- There are numerous parties interested in substation data: SCADA, EMS, OMS, maintenance, engineering, and asset management, to name the most common.

There are two major approaches to device integration. The first approach uses traditional IT networking solutions. In this approach, all substation devices are connected to a port switch, terminal server or Frame Relay Access Device (FRAD). These devices provide the ability to connect a serial device to a TCP/IP network and make it accessible to any computer on the corporate network.
Figure 1: Integrating devices using a port switch

Port switches provide a cost effective way to access remote serial devices from the enterprise level. However, this architecture has a number of limitations:

- Typical port switches are designed for office environments and are not substation-grade equipment.
- Each device still only supports a single connection. Data cannot be distributed simultaneously to a number of interested parties. In effect, the port switch extends the cable from the device to a remote computer.
- Each application on each remote computer must be able to handle the variety of protocols used by the substation devices.
- While it is conceivable that a port switch could manage authentication through the use of a password, it will not manage access permissions. The user will have to know the access password for each remote device.

A second approach to device integration is based on the use of an intelligent substation gateway that acts as a front-end processor and effectively processes and concentrates the data at the substation level. Since there is no equivalent off-the-shelf IT technology, intelligent substation gateways are generally provided by manufacturers of substation equipment or by specialized vendors.
Figure 2: Integrating devices using an intelligent gateway

Intelligent substation gateways typically provide the following functions:

- Connect serial devices using RS-232, RS-422 or RS-485, to a TCP/IP LAN.
- Poll each connected device using the device's own protocol, at the most appropriate rate, and store the data in the internal database.
- Perform data normalization. Convert data in proprietary formats to standard formats.
- Let remote systems access data from the gateway's internal database, at the most appropriate rate, using the most appropriate protocol.
- Make device data available simultaneously to multiple systems.
- Act as a port server and let remote users access any connected device for maintenance and engineering purposes.

As we will see in the sections that follow, intelligent substation gateways can be used to solve many of the integration challenges, including enforcing security at the substation level.

4.1 Accessing Substation Devices

Typical IEDs support two types of connections. The first is used by SCADA to retrieve data and perform control functions. The second is the device maintenance port used to configure the device and retrieve data, such as waveforms, that is not supported by the SCADA architecture. The maintenance port is most often accessed directly, using a laptop computer, or indirectly using a dialup modem. Most gateways implement a passthru capability to provide remote device access to corporate users.
Figure 3: Device access scenarios

The figure above represents 7 different device access scenarios:

- User 1 is in the substation and connects directly to the IED. In this scenario, the user has been granted access to the physical perimeter, but the electronic perimeter must be implemented by the device itself. In many cases, this will not be sufficient to meet NERC requirements. In the subsequent sections, we will discuss how this scenario should be replaced by the User 3 scenario.
- User 2 is outside the substation and uses a dialup modem to connect to the IED. This scenario is the most vulnerable. NERC recommends that modem access be disabled by default.
- User 3 is in the substation, connected to the LAN, and uses the gateway passthru capability to connect to the device. At first glance, this scenario is similar to the User 1 scenario. However, if the gateway implements true authentication, access control, logging and auditing, an electronic perimeter is effectively created, protecting all the devices connected to the gateway.
- User 4 is outside the substation and connects to the gateway using a dialup modem. As in scenario 3, the gateway implements an effective electronic perimeter. Furthermore, it can secure the modem access by performing caller ID validation, encrypting the communications link, and implementing SCADA-controlled modem enabling and disabling.
- User 5 is connected to the corporate LAN. This type of connection is similar to scenario 3, except that the connection is from outside the substation. The gateway can enforce authentication and use a VPN to encrypt the communications link. Firewalls, routers and managed switches can be used to restrict access to certain computers only. However, we will show later on how this type of access can be eliminated almost completely by implementing an enterprise gateway.
- Users 6 and 7 are connected to the corporate LAN via a modem or Internet connection. These scenarios are extensions of scenario 5. Standard IT solutions are available to implement secure remote access for roaming employees.

4.2 IED Vulnerabilities

Operating IED outputs, changing IED protection settings, or modifying IED control logic can have disastrous consequences when performed by unauthorized personnel. Yet, existing IEDs have very few, if any, inherent security related capabilities:

- Data links are not encrypted and are vulnerable. Unauthorized parties can eavesdrop on data exchanges, disable devices or perform control functions.
- No support for true user authentication. Passwords are used to control access to different configuration levels, but do not identify the user accessing the device.
- No logging of successful and failed access attempts. At best, there is an alarm output and lockout capability when unsuccessful access attempts are detected.
- Maintenance and configuration functions are performed using vendor specific tools, through an unencrypted LAN or serial connection. In many cases, all data is exchanged in clear, using a terminal emulation program and a simple ASCII command language.

The large number of devices being installed also introduces numerous organizational challenges:

- Many IEDs are considered critical cyber-assets. To meet NERC CIP requirements, these devices must be identified, managed and secured.
- It is impossible for anyone to remember a different address and password for each IED in each substation. As a result, passwords tend to be the same for all IEDs. Anybody who knows one password knows them all.
- It is virtually impossible to change all the passwords in all the IEDs at any given time to revoke access for a single user.

In the next section, we will describe how an intelligent substation gateway can be used to overcome most of these difficulties.

4.3 Using an Intelligent Substation Gateway to Secure IEDs

Since it is impossible to secure each individual IED, we suggest using an intelligent gateway to manage all data and maintenance communication with the IED. As we mentioned previously, IEDs usually provide separate data and maintenance communication links. Both of these links are connected to the gateway, which then becomes the single point of access to the device:

- Connect each IED to the gateway only.
- Block access to all other IED ports via appropriate IED configuration.
- Block any other features that are not required (IED control operations are a good example).
- If it is deemed necessary, use a serial link encryption device to protect data exchanges between the IED and the gateway.
- Give each IED a unique and strong password. Further on, we will see how the gateway can be used to manage the passwords.
- Eliminate the need for users to connect to the IED. Use the gateway to collect all IED information that may be needed by external users or applications, including both operational and non-operational information.
- Channel remaining IED access requirements through the gateway's passthru mechanisms. Do not let users connect directly to the IED for maintenance.

Most of the benefits of the above solution are derived from the additional intelligence that can be provided by an intelligent gateway. In the subsequent sections, we will analyze the functions that a gateway must support in order to make this possible.

4.4 Required Substation Gateway Capabilities

In order to secure access to the substation IEDs, the gateway must effectively create an electronic perimeter that protects all included devices. To create this perimeter, the gateway needs to implement the following capabilities:

- Perform true authentication with user names and passwords.
- Set up true authorization by assigning users to groups with well-defined privileges.
- Provide passthru connections to and from any IED for maintenance and configuration. These connections can be used locally in the substation, or remotely through the WAN or dial-up connection to the intelligent gateway.
- Grant passthru connection rights to authorized users only.
- Log all successful or failed passthru attempts in a tamper-proof log.
- Manage the passwords of all connected devices. Reveal the passwords to authorized users only. Whenever possible, automatically manage the login without revealing the password.
- Encrypt all passthru connections that span the WAN and/or dial-up connection.
- If required, encrypt all data communications with SCADA or other control centers.
- Provide the SCADA with internal data points to indicate the state of passthru connections, globally or to any specific IED.
- Provide the SCADA with internal control points to enable or disable passthru access, globally or to any specific IED.
- Provide the SCADA with the state of each device link, to detect device failure or tampering.
- Monitor passthru connections and block specific IED commands to unauthorized users, if possible.
- Log all operations performed using passthru connections.

With these capabilities, the gateway becomes the single point of access for substation devices. In the next section, we will see how the gateway implements these capabilities.
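
An added illustration of three capabilities from the list above (passthru rights per user, SCADA control points that enable or disable passthru, and logging of every attempt); it is not code from the paper or from any gateway product. The class names, outcome strings, timestamps and users are constructed for the example, and the hash chain makes later edits to the log detectable rather than impossible.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value for the first entry's "prev" field
FIELDS = ("ts", "user", "ied", "outcome", "prev")


class PassthruLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record):
        body = {k: record[k] for k in FIELDS}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ts, user, ied, outcome):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"ts": ts, "user": user, "ied": ied, "outcome": outcome, "prev": prev}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        # Exporting this value to another system lets truncation be detected too.
        return record["hash"]

    def verify(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev"] != prev or rec["hash"] != self._digest(rec):
                return i
            prev = rec["hash"]
        return -1


class PassthruGate:
    """Decides passthru requests; every decision, granted or not, is logged."""

    def __init__(self, rights, log):
        self.rights = rights        # user -> set of IED names (hypothetical layout)
        self.log = log
        self.global_enabled = True  # SCADA control point covering all passthru
        self.ied_enabled = {}       # SCADA control point per IED, default enabled

    def scada_set(self, enabled, ied=None):
        """Control point written by SCADA: ied=None switches passthru globally."""
        if ied is None:
            self.global_enabled = enabled
        else:
            self.ied_enabled[ied] = enabled

    def request(self, ts, user, ied):
        if not self.global_enabled or not self.ied_enabled.get(ied, True):
            outcome = "denied:disabled-by-scada"
        elif ied not in self.rights.get(user, set()):
            outcome = "denied:no-passthru-right"
        else:
            outcome = "granted"
        self.log.append(ts, user, ied, outcome)
        return outcome == "granted"


def demo():
    """Constructed scenario: returns (decisions, chain check, check after tampering)."""
    log = PassthruLog()
    gate = PassthruGate({"alice": {"relay-1", "dfr-2"}, "bob": {"dfr-2"}}, log)
    decisions = [
        gate.request("2006-01-10T08:00:00Z", "alice", "relay-1"),
        gate.request("2006-01-10T08:05:00Z", "bob", "relay-1"),
    ]
    gate.scada_set(False, ied="relay-1")  # operator disables passthru to one IED
    decisions.append(gate.request("2006-01-10T08:10:00Z", "alice", "relay-1"))
    decisions.append(gate.request("2006-01-10T08:15:00Z", "alice", "dfr-2"))
    intact = log.verify()
    log.entries[1]["outcome"] = "granted"  # simulate an after-the-fact edit
    return decisions, intact, log.verify()


if __name__ == "__main__":
    print(demo())
```
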
4.4.1 Authentication

As we have mentioned, most IEDs offer only a limited form of authentication using passwords. However, this is not sufficient to meet NERC CIP accountability requirements. If the gateway is to effectively limit access to authorized users and maintain a comprehensive log of all operations, each person or system accessing the gateway, or one of the connected IEDs, must be unambiguously identified. Users identify themselves uniquely by producing credentials that consist of something:

- Only they know: a secret password
- Only they have: a smart-card, a token, a certificate, etc.
- Only they are: a face, an iris, a fingerprint, etc.

The gateway can validate the provided credentials in different ways.

Decentralized (or distributed) authentication

The simplest solution, adequate for small networks, is to store a list of all users in the gateway itself. This is the same type of security that is used when you set up user accounts on a home computer. However, this approach has serious limitations when there are multiple gateways to manage:

- When a change occurs, each gateway must be updated. Unless an automatic synchronization mechanism is available, it is very difficult to remove or change a user within a limited time period. NERC CIP requires that access be revoked within 24 hours for any personnel terminated for cause.
- The fact that each computer must be updated whenever a change occurs generally precludes the possibility of using individual user accounts and of letting users change their own passwords.

As we will see, even with these limitations, decentralized (or distributed) authentication is often the only feasible approach.

Centralized authentication

Centralized authentication removes the limitations mentioned above. In this type of authentication, the gateway connects to a trusted authentication server to validate the user credentials. This is the type of security implemented in corporate environments.
The main advantage of centralized authentication is, of course, that the user list is managed in a single central location, often managed by the IT group. Changes to the user list become effective immediately, or at least the next time the gateway validates user credentials. With this approach, users can have a single corporate account that they can use to log in to all systems to which they have been granted access. However, there are difficulties with this approach:

- Each gateway needs to establish an initial trust relationship with the authentication server. This process is usually supported by the operating system and must be performed by a person with network administrative privileges.
- Each gateway needs to maintain access to the central authentication server to validate credentials. Access to an authentication server, such as Windows Active Directory, may require opening a large number of ports in firewalls, thereby increasing other vulnerabilities.
- Local access is not possible if contact is lost with the authentication server. While the application server can maintain a cache of valid credentials, the validity of this information must be limited in time to prevent unauthorized access by a user whose access has been revoked. An alternate means of authentication must be provided to ensure local access in the event of network loss.

Since centralized authentication is part of all standard PC operating systems such as Windows XP or Linux, it is tempting to use these systems in the substation. However, hackers are constantly looking for new vulnerabilities in these systems, potentially making them more vulnerable to virus or worm attacks.

Centralized authentication is the logical choice for services implemented at the enterprise level. In most utilities, network security is already implemented by the IT group, and users already have logins to access their files and mail. As we have seen, there still remain technical challenges to extending this solution to the substation.

Authorization

Authorization consists of granting well-defined privileges to users that have been previously authenticated, and ensuring that all implicated parties know and enforce these privileges. To simplify management, privileges are usually assigned to groups. Users are then assigned to these groups, which define their privileges. For instance, users could be assigned to groups such as:

- System Management: manage all device configuration settings, including hardware configuration, networking, etc.
- Security Management: manage device security settings
- Configuration Management: manage device settings
- Device Maintenance: view system logs and statistics
- Monitoring: view real-time data
- Operation: perform control operations
- Remote Access: access device remotely using dialup modem or passthru connections

As with authentication, groups and privileges are best managed in a centralized manner. The user provides credentials, and the authentication server responds with the group memberships, which define permissions. However, centralized authorization is subject to the same technical difficulties as those described for centralized authentication.
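
An added sketch, not from the paper or any vendor, of how a gateway could combine the groups listed above with a credential cache whose validity is limited in time, as the centralized authentication discussion requires when contact with the server is lost. The privilege identifiers, the 24-hour cache age, the PBKDF2 verifier and the FakeDirectory stand-in are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Groups named in the text, mapped to hypothetical privilege identifiers.
GROUP_PRIVILEGES = {
    "System Management": {"configure_system"},
    "Security Management": {"configure_security"},
    "Configuration Management": {"configure_device"},
    "Device Maintenance": {"view_logs"},
    "Monitoring": {"view_realtime"},
    "Operation": {"control"},
    "Remote Access": {"passthru"},
}

# Assumption: cached entries expire after 24 hours, so a revoked user cannot
# keep logging in from the cache beyond the revocation window cited in the text.
MAX_CACHE_AGE = 24 * 3600  # seconds


class ServerUnreachable(Exception):
    """Raised by the directory client when the central server cannot be contacted."""


class FakeDirectory:
    """Constructed stand-in for the central authentication server."""

    def __init__(self, users):
        self.users = users  # user -> (password, list of groups)
        self.online = True

    def __call__(self, user, password):
        if not self.online:
            raise ServerUnreachable()
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return None
        return rec[1]


class GatewayAuth:
    def __init__(self, server, max_age=MAX_CACHE_AGE):
        self.server = server
        self.max_age = max_age
        self.cache = {}  # user -> (salt, verifier, groups, time of last validation)

    @staticmethod
    def _verifier(password, salt):
        # Store a slow salted hash, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _from_cache(self, user, password, now):
        entry = self.cache.get(user)
        if entry is None:
            return None
        salt, verifier, groups, validated_at = entry
        if now - validated_at > self.max_age:
            del self.cache[user]  # too old to trust: force a server check
            return None
        if not hmac.compare_digest(verifier, self._verifier(password, salt)):
            return None
        return groups

    def login(self, user, password, now):
        """Return the user's privilege set, or None if the login is rejected."""
        try:
            groups = self.server(user, password)
        except ServerUnreachable:
            groups = self._from_cache(user, password, now)
        else:
            if groups is None:
                self.cache.pop(user, None)  # server said no: drop any cached copy
            else:
                salt = os.urandom(16)
                self.cache[user] = (salt, self._verifier(password, salt), list(groups), now)
        if groups is None:
            return None
        return set().union(*(GROUP_PRIVILEGES.get(g, set()) for g in groups))


def may_open_passthru(privileges):
    """Passthru requires membership in the Remote Access group."""
    return privileges is not None and "passthru" in privileges
```
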
4.4.3 Encryption

We mentioned previously that all communications between the IEDs and the gateway, as well as between the gateway and the control centers, are vulnerable. Encryption ensures the confidentiality of data exchanges, and up to a certain point, their integrity.

If necessary, data exchanged on a serial link between the IEDs and the gateway can be secured by encryption devices. To secure data exchanges with control centers and remote users, the substation gateway will use two forms of encryption:

- SSL (Secure Socket Layer) is an encryption technology used to create a secure communication channel between two systems. IEC TC57 Working Group 15 is currently defining standards for the security of the protocols used in the power industry. While they consider that it does not offer complete protection, they recommend using SSL to encrypt data exchanges [6].
- VPN (Virtual Private Network) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level.

4.5 Securing the Network

All the benefits of IED integration are made possible by the TCP/IP networks being installed to connect the substation to the enterprise. The network and external modems are the privileged intrusion paths through which substation devices can be compromised. The network must be carefully designed to protect the gateway and other network devices. Industry best practices must be understood and applied [7]. Firewalls and routers should be used to isolate devices. Managed switches should be used to set up VLANs and filter network traffic so that data can only be exchanged among authorized devices. The gateway should have a built-in firewall that limits access to only those ports required for connecting to control centers, and managing the gateway itself.
Whenever possible, the use of standard TCP/IP services (FTP, TFTP, SNMP, HTTP, SMTP) should be avoided since they are often the source of vulnerabilities. If necessary, these services can be accessed through a secure VPN tunnel.

The combination of an intelligent gateway and networking best practices can help put together a secure substation integration system that meets NERC CIP requirements. However, as long as users can access devices, there still remain some difficulties. In the next sections, we will see how we can set up services at the enterprise level to improve security and facilitate the management of the large number of IEDs installed in utilities.

5 Providing Enterprise-Wide Access to Substation Data

The goal of substation integration is to make device data available to all interested parties throughout the organization. However, it is simply not practical to provide every single user and computer application with access to every single field device. Besides being incredibly insecure, the applications resulting from such a solution would be unwieldy and unmanageable.
But, do users really need to access IEDs? In many cases, users are connecting to devices to retrieve data that is not otherwise available. We mentioned earlier that new IEDs can produce data types such as waveform recordings, sequence of events and transformer oil analysis data, that cannot be handled by the existing SCADA architecture. Often, the only way to retrieve this type of data is by connecting to the IED maintenance port.

To surmount this difficulty, the substation gateway should be capable of retrieving all the data types produced by the devices in the substation. Very few standard protocols support the retrieval of event files. The gateway manufacturer should go beyond simply supporting protocols, and provide complete data retrieval capability for all supported devices. With such capability, the substation gateway truly becomes the single access point to the substation.

It then becomes possible to apply at the enterprise level the strategy that was applied at the substation level. That is, as the substation gateway concentrates and processes data from all connected devices, the enterprise gateway could concentrate and process all substation data produced by all the substation gateways. The enterprise gateway would then become the single point of access at the enterprise level. The enterprise gateway could also be used to manage remote access to the substation gateways, when required for maintenance and configuration.

Figure 4: Proposed enterprise architecture

5.1 Enterprise Gateway Functions

In most utilities, there already exists a network infrastructure that provides secure access to corporate data and shared services such as . The security of this network is already assured by a central authentication and authorization service, such as Active Directory. An enterprise gateway service integrates into the corporate information infrastructure and provides the following services:
- Act as a front-end processor and manage communication with all substation gateways, using a variety of communication links. Some substations may be connected to the enterprise with high-bandwidth fiber connections, while remote substations may only be accessible through on-demand dialup access. The enterprise gateway must ensure reliable data exchange for all enterprise applications, whatever the communications link.
- Retrieve data from the substation gateways and make it available to various enterprise applications. Real-time data may be retrieved by continuous polling or by scheduled connections. Substation gateways may be configured to push up event files as soon as they are available.
- Perform data normalization. Most data produced by substation devices is in proprietary format. The substation and enterprise gateways convert data to standard formats. For instance, event files can be made available in industry-standard COMTRADE format.
- Retrieve gateway security logs and make them available for further analysis.
- Provide authorized users with passthru access to substation devices.

5.2 Enterprise Applications

By providing enterprise-level access to substation data, the enterprise gateway becomes the infrastructure on which high-level enterprise applications can be developed. The following applications come to mind:

- An event management application would use the enterprise gateway to retrieve files from protection relays, Digital Fault Recorders (DFR) and Sequence of Event Recorders (SER). The application could manage a database of events, notify the appropriate users when an event occurs, and make the data easily available through web-based access.
- A historian application or service would use the enterprise gateway to retrieve metering and state information from all substations, without any of the usual device interfacing and protocol conversion difficulties.
Such an application would manage a historical database and would be useful for energy management, asset management and maintenance. An IED management application would use the enterprise gateway to manage all substation devices. The application could provide a central repository of device settings, software versions, and passwords, helping to meet NERC CIP requirements. The application could also maintain a history of version changes and offer a dashboard-like functionality, providing a high-level view of the state of all connected devices. A passthru application would provide authorized users with the ability to connect to any substation device for maintenance and configuration, in a secure, encrypted, manner. Lastly, the enterprise gateway would provide corporate and third-party application developers with an open, secure and well-documented interface to substation data. 6 Conclusion As we have seen, utilities can benefit by making better use of the data that is available in the new devices being installed in substations. However, providing access to these devices exposes
them to an unacceptable level of risk. NERC has recognized this situation and established guidelines to protect critical cyber-assets.

In this paper, we have presented a strategy for providing secure access to substation data. In short, the strategy consists of providing a technological infrastructure to retrieve substation data, with a minimum of human intervention. Intelligent gateways are used at the substation and enterprise levels to perform data acquisition and normalization. The substation network infrastructure can be secured and communication limited to machine-to-machine data exchanges through encrypted channels. Data is made available at the corporate level through enterprise applications. These applications can directly benefit from the secure infrastructure already deployed by IT departments in most utilities.
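As an added example (not code from the paper or from any vendor product), the following Python models the passthru function of section 5.1: the enterprise gateway is the single decision point, access is denied unless a directory group explicitly grants it, and every decision lands in the security log that is later retrieved for analysis. The device inventory, group names and policy format are hypothetical, and the user's groups are assumed to come from the central authentication service.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Hypothetical inventory held by the enterprise gateway: device id -> (substation, class).
DEVICES = {
    "SUB-A/RELAY-21": ("SUB-A", "relay"),
    "SUB-A/DFR-01": ("SUB-A", "dfr"),
    "SUB-B/RELAY-07": ("SUB-B", "relay"),
}

# Hypothetical policy: directory group -> list of (substation pattern, device class, actions).
POLICY = {
    "protection-engineers": [("*", "relay", {"read_events", "read_settings", "write_settings"})],
    "sub-a-maintenance": [("SUB-A", "*", {"read_events", "read_settings"})],
}


@dataclass
class EnterpriseGateway:
    audit_log: list = field(default_factory=list)

    def _matching_group(self, groups, substation, dev_class, action):
        """Return the first group whose rule grants the action, else None."""
        for group in sorted(groups):
            for sub_pat, class_pat, actions in POLICY.get(group, []):
                if (fnmatchcase(substation, sub_pat)
                        and fnmatchcase(dev_class, class_pat)
                        and action in actions):
                    return group
        return None

    def request_passthru(self, user, groups, device_id, action):
        """Decide a passthru request; every decision is audited, allowed or not."""
        granted_by, reason = None, "unknown device"
        if device_id in DEVICES:
            substation, dev_class = DEVICES[device_id]
            granted_by = self._matching_group(groups, substation, dev_class, action)
            reason = f"group {granted_by}" if granted_by else "no rule grants this action"
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "device": device_id,
            "action": action,
            "allowed": granted_by is not None,
            "reason": reason,
        }
        self.audit_log.append(record)
        return record["allowed"]

    def denied_by_user(self):
        """Count denials per user, the kind of summary a log review starts from."""
        counts = {}
        for rec in self.audit_log:
            if not rec["allowed"]:
                counts[rec["user"]] = counts.get(rec["user"], 0) + 1
        return counts


def demo():
    """Run constructed requests through the gateway and return the outcomes."""
    gw = EnterpriseGateway()
    results = [
        gw.request_passthru("alice", {"protection-engineers"}, "SUB-B/RELAY-07", "write_settings"),
        gw.request_passthru("bob", {"sub-a-maintenance"}, "SUB-A/DFR-01", "read_events"),
        gw.request_passthru("bob", {"sub-a-maintenance"}, "SUB-A/RELAY-21", "write_settings"),
        gw.request_passthru("bob", {"sub-a-maintenance"}, "SUB-B/RELAY-07", "read_events"),
        gw.request_passthru("carol", set(), "SUB-A/RELAY-21", "read_events"),
        gw.request_passthru("alice", {"protection-engineers"}, "SUB-C/RELAY-01", "read_events"),
    ]
    return results, gw.denied_by_user(), len(gw.audit_log)


if __name__ == "__main__":
    print(demo())
```

A request for a device that is not in the inventory is refused and logged like any other denial, so attempts to reach unmanaged devices show up in the same record as policy violations.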