Utility Telecom Forum. Robert Sill, CEO & President Aegis Technologies February 4, 2008

Transcription

1 Utility Telecom Forum Robert Sill, CEO & President Aegis Technologies February 4,

2 Agenda Asked to describe his job, Mike Selves, director of Emergency Management and Homeland Security in Johnson County, Kan., recalls what he once told county commissioners who also posed the question. My job, he said, is to tell you things you don t want to hear, asking you to spend money you don t have for something you don t believe will ever happen. Page 2 2

3 Agenda Current communications networks Issues facing the industry Case Study: Integration into production environment at Utility Page 2 3

4 Typical Communication Network Page 3 4

5 Industry Parallel: Banking Banking sector Relatively secure islands until networking technology introduced in the 1980 s and 1990 s Beginning of modern IT Security, vulnerability protection Energy Sector Discovering that Utilities are already connected, vulnerabilities exist NERC compliance is the first step towards complete cyber security Heading toward federally-influenced completely secure systems as in banking Page 4 5

6 Increasing Complexity of Systems Increased demand on Control System networks has outpaced spending on communication infrastructure upgrades Communication infrastructure limitations may prevent new control devices from being effectively added Bit-oriented protocols still utilized by Utility, but new devices may not support Lack of understanding of bit protocols Reliability can become jeopardized Page 7 6

7 Current Options for System Upgrade Industry and Government moving in different directions Smart-Grid and Substation Automation Interconnectivity NERC it or disconnect it Routable protocols must have security measures in place Replacement costs associated with new technology are high Technology available is limited and incomplete Upgrade process is time-consuming Budget limitations may cause upgrades to be done in pieces over time Supplier industry moving towards IP networks Consideration must be given to security, reliability, and cost of upkeep Page 8 7

8 Convergence of Technologies Serial: designed for reliability IP: designed for information sharing Non-guaranteed delivery (without TCP) Shared bandwidth Neither system designed for security Page 9 8

9 Effects of an IP Network IP is and will be ever more expensive to secure 30+ years of developed hacking experience 25,000+ known IP network vulnerabilities (CVE list) Some of these bugs are in currently deployed security patches Annual Hacking Conferences Millions upon millions are and will be spent on defending against these IP vulnerabilities More vulnerabilities discovered every day Page 10 9

10 Division Between Control Center and the Field Who s responsibility is this? Control Center responsibility Field responsibility Page 11 10

11 Network Vulnerabilities are Across the Entire System Page 12 11

12 Division Between Control Center and the Field Lack of understanding of entire communication network Network is segmented with specialized expertise/knowledge Collaboration between those in the control center and those in the field is minimal Vendors are specialized in one area and don t necessarily look at the big picture Makes implementing upgrades to the system very difficult Page 13 12

13 Influence of Aging Workforce on Electric Industry Baby Boomers make up 1/3 of US workforce Two biggest challenges facing the Power Industry* loss of critical knowledge inability to find replacements with utility-specific skills Number of Electrical Engineering degrees is declining Inadequate Knowledge transfer/documentation passed down to new workforce *According to the APPA research report Work Force Planning for Public Power Utilities Page 14 13

14 Thousands Workforce Maturation Billions KWH *2010 *2015 Year baby boomers % of workforce Demand for Energy Degrees in EE (thousands) Degrees in IT (thousands) Sources: U.S. Bureau of Labor Statistics U.S. Dept of Education Energy Information Administration Page 15 14

15 Changing Environment Control networks are now more connected, more complex, and more expensive to maintain Replacement costs are high Influence of IP on Control Systems Choice between reliable serial vs. TCP/IP with vulnerabilities NERC, Routable protocols Specialized expertise no comprehensive understanding of the system. Fewer Electrical Engineers, more IT NERC influencing utilities to disconnect their systems Page 16 15

16 What can you do? An Actual Case Study Investor Owned Utility: Co-developer Design considerations Life extension of current system by utilizing proven technology to provide performance improvement Improve troubleshooting capabilities to increase reliability and response time while reducing maintenance costs Operate with a vastly improved cyber security system Improve and secure control systems now and expand capabilities as new technology and standards emerge Cannot effect SCADA traffic, must operate between data scans Latency must be minimal Page 17 16

17 Smarter, Faster, Safer SCADA Odyssey Product Series operational benefits Make the system smarter with: troubleshooting tools such as event logging, byte by byte data captures, and control from the Host (not the field) Make the system faster with: self-optimizing compression and bit and byte-oriented protocol compatibility Extend the life of your system, and in the process, secure your communications and achieve NERC CIP compliance Page 18 17

18 Installed in the system Page 19 18

19 Actual 19 Rack Mount Installation At Operations Center: Host installs next to EMS/DMS At the Substation: RSM, RMD next to RTU, IEDs Page 20 19

20 Appl Appl Appl SW RSM Communication Communication Communication Appl Appl Appl Communication SW RSM HW RSM Optionally Manages SCADA OCPs Too Control Network RMD Dial-Up Modem AMI Data AMI Data ooo oo Residential Meter AMI Data AMI RSM EMS Odyssey Web & DB ICCP AMI Data RTU Control Network ooo oo Residential Meter Optional connection to To RTU AMI Data OCP Odyssey Authentication Server Collection Point Meter ooo oo Residential Meter Embedded OCP Software SCADA SCADA Video Communication Audio SCADA SCADA Card RTU RSM Multifunction RSM/RMD RTU Standalone RMD IED IED RTU IED RMD Dial-Up Modem Dial-Up Modem Dial-Up Modem Complete Security Perimeter Generation Plant SCADA Control Center Pole Top Substation #1 UNIT 1 PLC RSM DCS Network DCS Network UNIT 2 d Remote PLC Over Short-Range Wireless Link Internet Remote Access Corporate WAN Remote Access FEP FEP SCADA Communications Cloud Substation #2 Operations LAN Substation #3 Odyssey Host Web/DB Server OCP Security Measures Plant Security: Authenticates all application traffic, point to point Blocks virus and other unauthorized traffic between servers OCP isolates Units and Operations LAN, for maximum protection Detailed event logging Remote Link Security Authenticates all remote user and WAN access Authenticates traffic from remote PLC s Generation Plant Network Remote Access Security T&D Network Security Measures T&D Network: Encrypt and compress SCADA traffic Device Authentication Central Management and Troubleshooting Remote Access Defense: Real-time access control of dial-up lines Authenticates against Odyssey Web & DB RMDs centrally managed Enterprise WAN To SCADA Network AMI Control Center Security Measures Metering Office: Encrypt telecom Authenticate that readings are from an authorized collection point Substation: Encrypt telecom connection to T&D SCADA Field Meter: Authorized metering source Encrypt meter readings Prevent & alert on tampering AMI Server Odyssey Web & DB Comm. Server OCP Comm. Server AM I Network AMI Communications Cloud Smart RSM Substation ooo oo A variety of communications formats may be present, such as: PSTN (telephone lines) Serial Leased Lines Serial RF Links Comm. Over Power Lines Satellite Page 21 20

21 Defense in Depth 2048-bit streaming encryption Eliminates latency associated with block encryption Supports TCP and serial links Authentication Device to device User authentication Configurable role-based user permission settings Centralized password management Dialup Remote Modem Defense RMD Hardened field unit installs at the substation Authenticates users dialing into IEDs Central management of dial-in users and passwords Real-time reporting of modem activity, alerts Page 23 21

22 Case Study Summary Life of existing communication infrastructure extended through: Improved system performance Effective troubleshooting tools Central control of remote devices Utility Operational system after Odyssey installation: Devices with serial maintenance ports configured from control center Errors in communication diagnosed from control center Comprehensive cyber-security perimeter Event logging capabilities for efficient troubleshooting Extensive data monitoring/forensics Able to send byte-oriented Conitel data to substation Improved communication speeds with compression and bit to byte capabilities Page 24 22

23 Your Aging Communications Infrastructure Extend the life of your existing system Effective troubleshooting tools can reduce maintenance costs and increase efficiency Speeding up communication can allow more data to be transmitted, more devices to be added, and increase reliability Securing the system ensures longevity Questions? Page 25 23