Robert Malmgren. Smart Grid. Security Challenges - Legacy and Infrastructure Burdens

Transcription

1 Robert Malmgren Smart Grid Security Challenges - Legacy and Infrastructure Burdens

2 Short bio Robert Malmgren Independent consultant that have worked with utility companies regarding IT- and info sec since mid 1990 s.! vuln assessments, audits, security reviews, etc! Worked with several government agencies related to SCADA/ infrastructure security

3 Define Smart Grid Next generation (transmission distribution local) power grid! A vision! Renewable energy! Climate smart! Prosumers! A buzzword for Pink unicorns and peace on earth

4 ENISA Smart Grid Threat Landskap - page 7

5 Picture from NISTIR 7628 page 16

6 Picture from NISTIR 7628 page 17

7 Another view of smart grid Actors list! Use cases! Business cases (utilities), new business (vendors)! Societal expectations! Government policies and strategies for energy system! Standards! APIs, information flows, system integrations

8 Smart grid, in a different perspective The old grid plus! More automation (i.e. more ICT - which is a fine word for more software, and more things reachable via an IP address ) to dynamically operate the grid more optimally! New power services (automatic metering, energy storage, distributed small-scale production, etc)! New ICT based end-user services ( my pages, scheduled load)! = Old attack surface + new attack surface

9 Hypotesises A. Creating a Smart Grid is not a binary thing - Having a dumb grid until a flick of a switch makes it a smart grid! B. Since infrastructure investments are huge, investments and re-investments will leave old infrastructure in place for many decades before being replaced! C. Lots of dependencies of ICT, and increasing: gazillions of sensors, actuators, RTU s, PLC s, etc! D. Currently, utility companies have not top quality cyber security in place.

10 Axioms A. An electrical power grid definitely are an interesting target in an armed conflict! B. An electrical power grid definitely are an interesting target for terrorists! C. An electrical power grid could be an interesting target for criminals! D. An electrical power grid could be an interesting target for hacktivists and activists! E. An electrical power grid could be an interesting target for random people with Internet access

11 Axioms A. All software have bugs! B. A security-relevant program has security bugs! C. A lot of old system and components will just have their serial ports replaced with ethernet ports! D. A device that is reachable is potentially p0wned

12 ENISA Smart Grid Threat Landskap - page 10

13 The burden of technical legacy Security is not built-in! Many of the protocols used are insecure (modbus, IEC , DNP3, Ethernet/IP, etc)! there might be an optional sub-standard that adds security, but people don t use that in the real world! Most installations have few security controls! Most installation still rely on physical security

14 The burden of technical legacy Applications and system still built upon legacy platforms

15 Vulnerabilities in platforms CVE related to Windows XP!

16 800 Vulnerabilities in platforms CVE related to SCADA Before Stuxnet 20% After Stuxnet 80%

17 2000" 1800" 1600" 1400" Vulnerabilities in platforms XP" W2k" SCADA" 1200" 1000" 800" 600" 400" 200" 0" 2002" 2003" 2004" 2005" 2006" 2007" 2008" 2009" 2010" 2011" 2012" 2013"

18 The burden of technical legacy

19 The burden of technical legacy

20 The burden of knowledge legacy The CIA (Confidentiality, Integrity, Availability) triad is often flipped AIC! Confidentiality is not important in the utility business! IMNSHO - This is a a logical fallacy! M2M still need secure authentication! No use cases wrt administration of technical infrastructure (ICT: routers, servers) or power system components (PLC s, relay protection, etc)

21 The burden of knowledge legacy Some peoples mindset must be changed, or its game over! In the ICS world we never patch! These devices are to weak to have any security features, especially encryption! It will be secure if we just use a standard! Nobody would ever be interested in our assets or our company

22 The burden of business legacy Often important tasks are outsourced! General outsourcing of office ICT! automated meter reading handled by 3rd parties! Development of new back-office software (SAP adaption)! Exchange of information via 3rd parties! These will still be outsourced while switching from dumb -> smart network

23 The burden of business legacy Compare the electrical utility business with Telco s! Telco s have experiences with being in the cross hair of any and all wanting to attack them! Electrical utilities have not! Telco s have decades of experience with handling end-user info in various internet connected systems, being DOSed, hacked, doxed, etc! Electrical utilities have not! Running a smart grid is somewhat similar to being an ISP

24 The burden of business legacy To quickly summarise the business legacy issues! Handling personal information is something that is different in the utility business than in the Telco.! Handling personal information in the smart grid will be a major challenge, since there are no real culture of this in the utility companies

25 The power grid legacy Owned and runned by private sector companies! responsible for the most important infrastructure - no electrical power, no other critical infrastructure! with responsibilities for whole society! No #1 target in armoured conflict! Stuxnet show alternative to kinetic attacks! All countries now in the cyber weapons arms race

26 Mitigations: Risk transfer Underwriters are reportedly refusing to insure energy firms because poor security controls are leaving them wide open to attacks by hackers and malware infestations.!! Lloyd's of London told the BBC they had seen a surge in requests for insurance from energy sector firms but poor test scores from security risk assessors means that insurers are turning down potential multi-million pound contracts.

27 Mitigations: Regulations Currently in Sweden there are very few legal regulations that have an impact on Cybersecurity and IT security in the electrical utility area:! SvKFS 2013:1 (säkerhetsskydd), SvKFS 2013:2 (elberedskap)! Personuppgiftslag & personuppgiftsförordning! but really nothing that really matters

28 Conclusions & ending remarks Having extensive legacy infrastructure will affect the level of security achieved:! old mindset, old components with new networking capabilities, old and obsolete designs, old bugs remains, attack surface is huge and growing

29 Conclusions & ending remarks One focus area is to protect the power system itself, its infrastructure and critical components!! Another area is to protect the handling of information! privacy of private customers and users! confidentiality of business customers

30 Conclusions & ending remarks Traditional risk management does not always work! There is a huge technological debt (gap) in the old grid that need to be fixed before adding new stuff! There is a need to add technical security controls! There is a need for regulatory control! When there is a new (technology gadget feature) someone will always game the system

31