Cyber Security and Privacy - Program 183

Transcription

1 Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology and telecommunications infrastructures to ensure the reliability and security of the electric grid. Cyber security measures must be designed and implemented to protect the electrical grid from attacks by terrorists and hackers. Cyber security measures must also strengthen grid resilience against natural disasters and inadvertent threats such as equipment failures and user errors. The Electric Power Research Institute s (EPRI s) Cyber Security and Privacy program addresses the emerging threats to an interconnected electric sector through cross-sector collaborative research on cyber security technology, standards, and business processes. The program also undertakes collaborative research with industry to assess technologies and controls on data privacy for the electric grid. Research Value The rapid pace of change in the electric sector creates a challenging environment for asset owners and operators to monitor the activities of industry groups, develop an understanding of the security impacts of new technologies, and maintain the right internal resources for assessing technologies. The Cyber Security and Privacy program intends to address this challenge by providing security tools, architectures, guidelines, and testing results to its members. Participation in EPRI s Cyber Security and Privacy program may provide better understanding of industry and government collaborative efforts, and where members should "plug in" to current activities; guidance on developing cyber security strategies and selection requirements; techniques for assessing and monitoring risk; practical approaches to mitigating legacy system risk; early identification of security gaps through lab assessments of security technology; and technology to support managing cyber incidents and increasing the cyber security resiliency of the grid. The Cyber Security and Privacy program is focused on developing security requirements, creating new security technologies, and performing lab assessments of relevant technologies. Members may use the products to enhance their current cyber-security posture and increase the security of systems that are deployed in the future. Key deliverables in this program include continuous mapping of activity in the cyber security and privacy landscape, security solutions and implementation guidance for legacy systems, guidance on assessing and monitoring risk, security management tools for transmission and distribution systems, and security tools and techniques for assessing grid security and cyber security resiliency. Accomplishments The Cyber Security and Privacy portfolio has delivered several key accomplishments that have helped its members and the industry: 1

2 2 Electric Power Research Institute Portfolio 2014 National Electric Sector Cyber Security Organization Resource (NESCOR): EPRI was awarded a contract to provide research and development resources for DOE's public-private partnership NESCOR. EPRI is leading the working groups focused on vulnerability and threat identification, cyber security standards assessment, and technology testing and validation. The results of this work will be used to develop improved threat models, cyber security requirements, and security technologies. To date, NESCOR has delivered the following documents: Smart Energy Profile (SEP) 1.x Summary and Analysis: This technical white paper provides guidance to utilities, regulators, and integrators who are deploying and configuring SEP 1.x in field devices. Guide to Penetration Testing for Electric Utilities: This security test plan provides guidance to electric utilities on how to perform penetration tests in the smart grid domains of advanced metering infrastructure (AMI), demand response (DR), distributed energy resources (DER), distribution grid management (DGM), electric transportation (ET), and wide-area monitoring, protection and control (WAMPAC). Penetration testing is one of the many different types of assessments utilities can perform to evaluate their overall security posture. Draft Electric Sector Failure Scenarios and Analyses: This document includes cyber security failure scenarios and impact analysis for the electric sector. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power. Legacy System Security: Within the Cyber Security and Privacy program, EPRI is addressing the challenge of reducing the security risk of existing legacy assets. Working with the program advisors, a key legacy system security issue was selected: password management for substation devices. The project focused on analyzing the password management capabilities of multiple substation remote-access vendors. Advanced password management functionality can be used to support NERC CIP compliance requirements, reduce the frequency of password updates due to employee turnover by hiding passwords from users, and reduce the risk of unauthorized access through the use of randomized passwords. Substation Security and Remote Access Implementation Strategies: Within the Cyber Security and Privacy program, EPRI also focused on challenges associated with deploying a secure remote-access solution for substations. These include maintaining security objectives, meeting organizational and operational access restrictions, and supporting NERC CIP compliance. This project developed a set of consolidated requirements for remote substation access solutions. These requirements were provided to vendors to support changing the security and feature sets of their products. Five vendors participated in a workshop at EPRI to demonstrate their products using five test-case scenarios, offering a side-by-side comparison of their capabilities. Current Year Activities In 2014, this program expects to accomplish the following objectives: Track industry and government activities and provide technical contributions to key working groups Address cyber security for select legacy systems security issues Create a security management foundation for transmission and distribution systems Improve the electric sector s ability to detect, respond, and recover from cyber incidents Create security designs and architectures for new smart grid components Develop techniques for assessing and monitoring cyber security risk Develop security metrics for the electric sector Estimated 2014 Program Funding $3.0M Program Manager Galen Rasche,, grasche@epri.com

3 3 Electric Power Research Institute Portfolio 2014 Summary of Projects PS183A Cyber Security and Privacy Technology Transfer and Industry Collaboration (072129) Project Set The landscape of cyber security and privacy activities in the electric sector involves numerous industry, government, and regulatory groups. This project set can provide members with an up-to-date view of these activities and support the technical contribution to these groups to increase the usability of their work products. Project Number Project Title P Mapping the Smart Grid Cyber Security and Privacy Activities Landscape P Cyber Security and Privacy Technology Transfer and Industry Collaboration This project will provide asset owners and operators with regular updates on smart grid cyber security and privacy activities. This project supports technical participation in industry collaboration efforts to identify cyber security and privacy issues and requirements for the smart grid, informing members and bringing the utility perspective to the efforts. P Mapping the Smart Grid Cyber Security and Privacy Activities Landscape (072128) Cyber-physical security and data privacy have become critical priorities for utilities over the past several decades. Many federal agencies, such as DOE, the Department of Homeland Security, the Department of Defense, state organizations, and various industry and academic organizations are currently leading and executing cyber security and privacy activities, research, and working groups for the smart grid. Many asset owners and operators are currently modernizing their grid systems, with matching funding from DOE under the American Recovery and Reinvestment Act and other grant programs. In addition, the National Institute of Standards and Technology (NIST), as required by the Energy Independence and Security Act, has developed an interoperability framework for the smart grid. A map of these various activities may prevent redundant effort or identify significant gaps in research areas. There are many initiatives researching and assessing the cyber security requirements of the existing electric grid and the smart grid. This project will provide ongoing updates on the status of research and development activities, federal and state policy and regulatory proposals, standards and guidance document development, and organizations that are funding and/or executing cyber security and privacy activities. This project may help asset owners and operators achieve the following: Be knowledgeable about the status of various research programs and standards and guidance development efforts. Gain an understanding of the cyber security and privacy activities currently being undertaken by industry, academic, and government groups.

4 4 Electric Power Research Institute Portfolio 2014 The information may be used by asset owners and operators to do the following: Identify specific activities that are important to the organization Select applicable committees and working groups Identify gaps in current cyber security and privacy activities Reduce the risk of redundancy in research programs Product Title & Cyber Security and Privacy Landscape Mapping Release 9: This product will be available online for all members to access. The online information will be updated regularly as new activities are identified. Cyber Security and Privacy Landscape Mapping Release 10: This product will be available online for all members to access. The online information will be updated regularly as new activities are identified. Cyber Security and Privacy Landscape Mapping Release 11: This product will be available online for all members to access. The online information will be updated regularly as new activities are identified. Cyber Security and Privacy Landscape Mapping Release 12: This product will be available online for all members to access. The online information will be updated regularly as new activities are identified. 04/01/14 07/01/14 10/01/14 12/31/14 P Cyber Security and Privacy Technology Transfer and Industry Collaboration (072130) With increased attention focused on securing the electric sector, numerous industry groups and public-private partnerships have been created to develop new security requirements and technologies. Additionally, working groups of organizations such as the North American Electric Reliability Corporation (NERC) and the Smart Grid Interoperability Panel (SGIP) will continue to have a direct impact on utility operations. These groups are addressing specific needs in the industry; however, utility staff are often unavailable to support all of these efforts. This lack of availability can lead to two key issues: First, utilities are less aware of changes that might impact the industry. Second, products being generated may lack the perspective of the utilities. This project will support active participation and contribution to collaborative efforts and interest groups such as the following: Smart Grid Interoperability Panel (SGIP) Smart Grid Security Committee (SGCC) NESCOR Design Principles Group European Network and Information Security Agency (ENISA) Department of Homeland Security Industrial Control Systems Joint Working Group (ICSJWG) OpenSG Security Nuclear Energy Institute (NEI) European Commission International Electrotechnical Commission (IEC) National SCADA Test Bed (NSTB)

5 5 Electric Power Research Institute Portfolio 2014 This project may help members benefit from cyber security and privacy collaborative efforts in the following ways: Reduce the time necessary to track industry efforts by using a single report for updates. Reduce the risk that key activities are not tracked. Increase the usability of working group products. Increase the effectiveness of security requirements and solutions that are developed. The reports developed from this project may provide a single reference point for members to track the detailed efforts of several industry groups. This project may also increase the relevance and utility of the security reports, controls, and technologies that are being developed. Product Title & Quarter 1 Electric Sector Cyber Security Activities Report: Quarterly update on the activities of the industry and government working groups Quarter 2 Electric Sector Cyber Security Activities Report: Quarterly update on the activities of the industry and government working groups Quarter 3 Electric Sector Cyber Security Activities Report: Quarterly update on the activities of the industry and government working groups Quarter 4 Electric Sector Cyber Security Activities Report: Quarterly update on the activities of the industry and government working groups 04/01/14 07/01/14 10/01/14 12/31/14 PS183B Security Technology for T&D Systems (072136) Project Set This project set will address several security challenges facing transmission and distribution (T&D) systems, such as reducing the security risk to legacy systems, developing protective measures, and managing cyber incidents to increase the resiliency of the grid. Project Number Project Title P Security Strategies and Solutions for Legacy Systems P Protective Measures for Securing T&D Systems P Managing Cyber Security Incidents for T&D Systems This project will focus on mitigating the cyber security risks to legacy systems by creating cyber security mitigation strategies and transition strategies for legacy systems. This project will focus on security architectures, tools, and procedures that provide end-to-end security and support defense-in-breadth features. This project will focus on increasing the sector s ability to respond and recover from cyber incidents (malicious or non-malicious) in a more efficient and predictive manner.

6 6 Electric Power Research Institute Portfolio 2014 P Security Strategies and Solutions for Legacy Systems (072131) Legacy systems continue to pose a security challenge for utilities. Supporting requirements such as integrity, confidentiality, and authentication can be extremely difficult when confronted with the constraints of limited communications bandwidths, lower computation capacity, and legacy protocols. System availability is a primary concern in power control systems and must be taken into account when developing security mitigation strategies. Additionally, vendor design choices such as hard-coding passwords into software also pose security risks. Given the impracticality of replacing these systems, guidance is required to mitigate cyber security risks posed by legacy systems. This project will focus on mitigating the cyber security risk of legacy systems by creating transition strategies, cyber security controls, and procedures for legacy systems. The project will begin with the project advisors prioritizing and selecting a key legacy systems security issue. Once the highest impact legacy system issue is identified, the project will accomplish the following: Develop practical and implementable solutions for existing systems Develop guidelines for implementing the solutions Provide objective estimates of the resources that will be needed to effectively implement the solutions This project may help members by mitigating the security risk to legacy systems in the following ways: Developing security technology options that account for system constraints Creating an understanding of how to implement the recommended security controls Allowing members to prioritize legacy system security projects based on the resources necessary to implement the solutions The cyber security mitigation strategies developed through this project can provide effective and implementable solutions for securing legacy systems. Product Title & Legacy System Mitigation Report: For the security issue selected, this report will provide the results of the risk assessment, risk mitigation solutions, guidelines for implementation, and estimates of technical resources required. 12/31/14 P Protective Measures for Securing T&D Systems (072132) Increasing the security of next-generation energy delivery systems will require a combination of new security architectures, tools, and procedures that provide end-to-end security and support defense-in-breadth strategies. These technologies and their communications protocols must support strong protective measures such as device and application authentication, access control, cryptography, and redundancy with failover mechanisms for continued operation.

7 7 Electric Power Research Institute Portfolio 2014 The objective of this project is to develop a security management architecture for transmission and distribution systems so that network operations centers (NOC), SCADA operations, substations, and field equipment supporting these functions have a consistent set of information security objects in place that are built on a standards-based taxonomy. This project intends to accomplish the following: Investigate available solutions for applying network management system (NMS) technology to power delivery systems. Extend EPRI's 2013 Project 183B research to focus on the implementation of IEC network security management objects. Investigate the application of emerging cyber-physical security devices for providing alerts to the NOC or other monitoring locations. This project may help members by providing the following: Vendor-agnostic measure of substation and field environment security postures Greater security operational awareness for asset owners and operators Evolution of network security management tools that are focused on power delivery systems As market-ready network management systems are available, members may apply the results of EPRI testing and demonstrations as they evaluate and deploy NMSs in their operating environment. Members may also integrate the NMS into their security monitoring systems and processes. Product Title & Guidelines for Applying Network Security Management: This report will describe a network security management architecture for power delivery systems founded on a consistent set of information security objects that are built on a standards-based taxonomy. 12/31/14 P Managing Cyber Security Incidents for T&D Systems (072133) Cyber security research for energy delivery systems has primarily focused on the prevention and detection of cyber incidents. While these efforts are important for the protection of control systems, they do not prepare for the eventuality of a cyber security incident. Energy delivery systems must also be resilient to cyber security incidents and continue to perform critical functions while under duress and during the recovery process. The first step in managing cyber security incidents involves detecting when they occur. However, the complexity of power systems often makes it difficult to detect when attacks are underway. Although individual intelligent electronic devices (IEDs) and systems may produce alerts and alarms for security events, they are often not correlated across distributed systems. Traditional intrusion detection systems (IDS) as well as security information and event management (SIEM) systems need to be tailored to understand attack profiles for power systems. This includes correlating the geographical and temporal nature of events. Additionally, events need to be correlated with the power system data to provide a complete situational awareness. Future work in this project will focus on network security visualization, decision support tools for operators, increasing grid resiliency, and improving the forensics capabilities of transmission and distribution systems.

8 8 Electric Power Research Institute Portfolio 2014 This project will develop methodologies to perform event correlation across distributed power systems and test them for robustness in EPRI s laboratories. The project may include the following steps: Survey current IDS systems for T&D systems to identify gaps Identify barriers to correlating events across disparate systems, such as a lack of standardized events Develop event correlation methodologies that include power systems features, such as geographic location and temporal properties of the event Perform tests in EPRI's event correlation test bed to verify the methodologies Examine ways to correlate event information with power system sensor data to increase situational awareness Work with IDS and SIEM vendors to incorporate findings into future products This project may help members address cyber security incidents in T&D systems by providing methods for real-time assisted detection of cyber events, creating an event correlation test bed for verifying methodologies, and increasing situational awareness by correlating events with power system sensor data. Members may be able to apply the results of this project to more effectively design, deploy, and manage their incident detection and response systems. Product Title & Distributed Cyber Security Event Correlation Methodologies: This report may include methods for correlating cyber security events from multiple operational domains and the results of testing the methods in a representative power system environment. 12/31/14 PS183D Cyber Security Design, Metrics, and Risk Assessment for Energy Delivery Systems (073556) Project Set This project set focuses on security challenges that affect multiple operational domains, such as designing security into products, developing security architectures, creating security metrics for the electric sector, and developing risk assessment methodologies that are designed for power systems. Project Number Project Title P Security Design and Architectures P Security Metrics for Energy Delivery Systems P Assessing and Monitoring Risks This project will focus on the implementation of security testing and evaluation requirements during the procurement process to reduce risks. This project intends to focus on providing metrics that measure the impact of different classes of security controls. This project intends to focus on a risk assessment process that will support the electric sector cyber security risk management maturity model developed by the DOE.

9 9 Electric Power Research Institute Portfolio 2014 P Security Design and Architectures (073557) Asset owner/operators need to deliver cost-effective and reliable power to their customers. Key components of this effort are the various operational systems and cyber assets that are deployed. To rely on these cyber assets, owner/operators must be assured that the cyber assets have been developed in a secure manner and that the necessary cyber security controls have been installed. In the same respect, owner/operators also need assurance that unnecessary or ineffective cyber security controls are not implemented. However, securing devices after they are deployed in a production environment is a difficult undertaking. The electric sector needs to establish a security requirement specification that is tailored for power delivery procurements and includes a prioritization that is related to a graded security index. This specification can be utilized during the procurement process to require suppliers to build security into their products and services. This project will focus on solutions for ensuring that procurement guidelines can be utilized by utilities as security requirements for prospective suppliers, and may include the following: Security requirement specification tailored for procurements Documentation, test, and evaluation evidence requirements needed for suppliers to show proof that they provide security in their products and services This project will help members as they procure products and services to address a more secure and modernized grid by providing: Security requirements that can be engrained in vendor products and solutions A reduced level of risk in the procurement phase for evaluated products and services This project is intended to help members acquire and deploy more secure supplier products and services to reduce security vulnerabilities that have been prevalent in the industry. Product Title & Security Requirements Specification for Suppliers: This report will include a set of security requirements for testing and evaluating suppliers and their products according to a graded security index. 12/20/14 P Security Metrics for Energy Delivery Systems (073558) While many asset owners and operators are performing self-assessments of their control systems, the methods and metrics used vary widely across the electric sector. This lack of consistent criteria and metrics makes it difficult to benchmark and compare the cyber security risk associated with energy delivery systems. It is also difficult to evaluate the impact of security efforts and calculate the return on investment for cyber security controls. Utilities are deploying a variety of tools and techniques to address current and emerging cyber security vulnerabilities and threats. A set of benchmarking criteria could be utilized to measure the effectiveness of

10 10 Electric Power Research Institute Portfolio 2014 implemented classes of security controls within energy delivery systems and the environments in which they reside. A process that measures and monitors the current state of risk-reducing controls would be very useful to the industry. The monitoring of the controls in place and the output of useful metrics can be used to benefit and improve a utility's cyber security program. Such metrics could also be used to provide senior management with an ongoing reporting process and support cyber security investment decisions in areas such as hardware, software, and personnel resources. Creating an effective set of cyber security metrics is a challenging endeavor. However, metrics may be useful in measuring the impact of different classes of security controls. They can be utilized to justify current and future investments in cyber security solutions and resources. This project will focus on developing metrics that utilities may use in assessing the classes of security controls that are implemented within their organization. A set of effective cyber security metrics may improve a utility s ability to measure the impact of different classes of cyber security controls and to understand the tradeoffs associated with cyber security investment decisions. This project may help members as they plan expenditures for cyber security resources. These metrics may be used to measure the value of continued and further investments in the overall cyber program. Product Title & Cyber Security Metrics for Implemented Security Controls: Metrics to measure the impact of different classes of security controls within the energy delivery systems environment. 12/20/14 P Assessing and Monitoring Risks (073559) Assessing and monitoring the cyber security posture for energy delivery systems is vital to understanding and managing cyber security risk. New metrics, methodologies, and tools are required to support real-time risk monitoring and decision making. A cyber security risk assessment provides the basis for determining the type, nature, and severity of cyber security risks facing a utility and provides the basis for all subsequent risk management decision making. A risk assessment includes identifying the threats, vulnerabilities, impacts, and likelihoods of cyber security events. A risk assessment process addresses malicious and non-malicious events and natural events. There are several risk assessment approaches available, but most are primarily focused on the IT and telecommunication sectors. A standardized risk-assessment approach for the electric sector is needed. DOE led an effort to develop a capability maturity model for the electric sector. This initiative defined specific criteria at several levels of maturity. This DOE model does not include criteria for assessing the implemented cyber security controls. This project will focus on developing a risk-assessment and monitoring methodology that members may use to assess the implemented security controls.

11 11 Electric Power Research Institute Portfolio 2014 This project will help members perform a cyber security risk assessment and continuous monitoring activities to determine the security posture of the utility, and identify residual risks. The cyber security risk assessment and continuous monitoring methodology developed through this project may be used to determine the security status of a utility, determine cyber security controls and measures, and identify residual risks. Product Title & Cyber Security Risk Assessment and Continuous Monitoring Methodology: A strategy for performing a risk assessment and providing results to determine the maturity level. 12/20/14

12 12 Electric Power Research Institute Portfolio 2014 NERC CIP Tools and Techniques (105241) Background, Objectives, and New Learning Supplemental Projects Cyber security standards have been developed as a result of continual threats to business and process control networks. In recent years, electric utilities that are part of the bulk electric system (BES) have established cyber security programs to ensure compliance with critical infrastructure protection (CIP) standards requirements of the North American Electric Reliability Corporation (NERC). Compliance with NERC CIP requirements is non-trivial and requires IT staff and control engineers to work together to implement and maintain a cyber security program for control systems. Version 5 of the NERC CIP Standards is currently under review by the Federal Energy Regulatory Commission (FERC) and pending their approval. Although compliance with the currently mandatory Version 3 of NERC CIP has been difficult for utilities, the upcoming Version 5 requirements will increase the scope of cyber assets that must be compliant. This will create significant challenges as new devices and systems come under the purview of CIP Version 5. Project and Summary The objective of this project is to provide techniques for transitioning to the upcoming NERC CIP Version 5 Standards. This will assist utilities in identifying gaps in current tools that have been employed to address the CIP requirements. This will lead to the development of solutions that can be used by asset owners to better validate and enhance the security posture of their critical cyber assets. The project may include topics such as: Identity access management Configuration change management Patch management Determination of BES cyber assets and BES cyber systems based on new Bright-Line Criteria Benefits This project intends to provide participants with the following benefits: Strategies and tools for transitioning existing cyber security programs from the current Version 3 to Version 5 Guidance and techniques for reaching effective regulatory compliance with Version 5 of the NERC CIP Standards

13 13 Electric Power Research Institute Portfolio 2014 Secure Remote Substation Access Solutions (105320) Background, Objectives, and New Learning There is an established need for secure remote substation access solutions that provide support for a wide range of IEDs including current, legacy and future devices, while still delivering the required level of cyber security and compliance support. Leveraging remote, interactive access capabilities with substations can provide new opportunities for data integration solutions such as fault location, asset optimization and power quality monitoring. Remote access systems may also reduce the number of times that field personnel are required to visit substations to retrieve IED configuration or event files for fault location and event analysis. However, balancing the functional requirements against cyber security and regulatory compliance requirements can be very difficult. This balance can be achieved through proper preparation, procedure implementation, and organizational support. The use of commercially available software packages can also ease these transition and implementation efforts. Guidance materials and reference standards relating to substation security, such as NERC CIP v3/4 and v5, the NISTIR 7628 and IEC 62351, should also be considered when developing remote access security requirements. The objective of this project is to investigate and address implementation challenges for Secure Remote Substation Access Security Solutions. This will enable effective application of existing solutions and foster new technology solutions. Project and Summary This project will explore and address a variety of implementation challenges facing Secure Remote Substation Access Solutions. The focus will be on solutions implemented in the electric sector for Transmission Substations, Distribution substations and remote field locations. For each identified challenge, the project team will study implementation options, best practices and capabilities/limitations regarding the challenge. This project may include the use of EPRI s Cyber Security Research Laboratory, as appropriate, to evaluate proposed solutions. EPRI will work with participants to establish and prioritize solution topics to study. A preliminary list of potential topics includes: NERC CIPv5 compliance to new or updated requirements Scalability of solutions of IEC on Remote Substation Access Solutions Universal IED tools/protocols vs. vendor proprietary tools/protocols of migration from command-line interfaces (CLI) on IEDs to web-based interfaces Use of multiple authentication devices/gateways to proxy connections Multiple user groups vs. single organizational owner Access policy/methods from outside the substation vs. inside the substation Coordination of access with operations for safety and situational awareness Asset management and maintenance correlation with Remote Substation Access tools Identification of specific devices that do not easily integrate with Remote Substation Access solutions. Management and tracking of IED configurations Patch management of IEDs

14 14 Electric Power Research Institute Portfolio 2014 EPRI will research and summarize existing industry documentation for the topics selected with a focus on implementation best practices, technology gaps, and new developments. Guidance materials and reference standards relating to substation security, such as NISTIR 7628, NERC CIPv5, IEC and others will also be utilized. The project will include an assessment of specific implementation challenges of remote substation access security solutions through laboratory testing with currently available vendor solutions. A workshop for participants will allow a hands-on approach to gain system familiarization and increased understanding of the implementation challenges discussed. Benefits Participants in this project will gain new knowledge and receive practical implementation guidance for a variety of options for establishing secure remote substation access solutions. This can improve participants abilities to address elements of cyber security standards (such as NERC CIP) through improved understanding of strategies and technology options. Participants may apply the knowledge gained from this project to derive the necessary system level requirements and more effectively implement a secure remote substation access solution.