Why we Need Standards for Breaking the Smart Grid


Stephen McLaughlin, 2012 Western Energy Policy Research Conference

NISTIR 7628 (p. 117): "The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system."

CIP-007-3: questions raised

- Ports and services: What about ports the Responsible Entity never knew were enabled in the first place?
- Malware prevention: Was the anti-virus software correctly configured? Can malware disable the anti-virus software?
- Vendor defaults: What about the ports and accounts the vendors did not tell anyone about?
- Documentation: How can the auditor determine if the documentation is accurate?

Upshot

The audit does not aim to determine how secure the system is. It aims to determine how hard the Responsible Entity tried to comply with the standard. In some cases, it is not clear how an auditor (or the Responsible Entity) could verify that the procedure was correctly followed.

Penetration Testing: a tried and true means of security assessment

1. Try to break the computer system.
2. Break the computer system.
3. Fix the computer system.
4. GOTO 1.

An Example Computer System

Challenges for regulation

- Can pen-testing be standardized? Even on a vendor-specific basis?
- How can we accumulate the knowledge of professional hackers / pen-testers?
- Is pen-testing auditable?
- What is the impact of a discovered vulnerability? This is crucial for determining severity levels of a violation during an audit.
- Can a pen-test strategy be specified in less than 600 pages? (Say, more like 50.)

Attack Trees: a means for pen-testing planning

[Figure: an attack tree for energy theft. The root goal, Tamper Usage Data, is an OR over three sub-goals: (a) Tamper Measurement, (b) Tamper Stored Demand, and (c) Tamper in Network. Intermediate AND/OR nodes include Bypass Meter, Reverse Meter, Clear Logged Events, Reset Net Usage, and Inject Usage Data. Leaf attacks: A1.1 Disconnect Meter, A1.2 Meter Inversion, A1.3 Log In and Clear Event History; A2.1 Recover Meter Passwords, A2.2 Log In and Reset Net Usage, A2.3 Physically Tamper Storage; A3.1 Intercept Communications, A3.2 Man in the Middle, A3.3 Spoof Meter.]

What We Found

Addressing the challenges

- Attack trees can standardize pen-testing by combining different experts' knowledge using the AND/OR connectives.
- The leaves of the attack trees form an auditable list of attacks that should be attempted against a system.
- The root (goal) of the attack tree specifies the impact of a vulnerability.
- Attack trees are succinct and unambiguous.
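The following is an added example, not code from the talk or the authors' project, showing how the three properties above fall out of an AND/OR tree: the leaves become the auditable checklist, each AND/OR combination becomes a minimal set of leaf attacks, and the root goal reports the impact of whatever a pen test actually achieved. The tree structure below is an assumption reconstructed from the node labels on the attack-tree slide; it is not the authors' exact figure.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    op: str = "LEAF"            # "LEAF", "AND" or "OR"
    ident: str = ""             # leaf identifier from the slide, e.g. "A1.1"
    children: list = field(default_factory=list)

def leaf(ident, name): return Node(name, "LEAF", ident)
def AND(name, *kids): return Node(name, "AND", children=list(kids))
def OR(name, *kids): return Node(name, "OR", children=list(kids))

# Assumed structure: labels are from the slide, the AND/OR wiring is a reconstruction.
recover_pw = leaf("A2.1", "Recover Meter Passwords")
clear_logs = AND("Clear Logged Events", recover_pw, leaf("A1.3", "Log In and Clear Event History"))
TREE = OR("Tamper Usage Data",
    OR("(a) Tamper Measurement",
       AND("Bypass Meter", leaf("A1.1", "Disconnect Meter"), clear_logs),
       AND("Reverse Meter", leaf("A1.2", "Meter Inversion"), clear_logs)),
    OR("(b) Tamper Stored Demand",
       AND("Reset Net Usage", recover_pw, leaf("A2.2", "Log In and Reset Net Usage")),
       leaf("A2.3", "Physically Tamper Storage")),
    AND("(c) Tamper in Network",
        leaf("A3.1", "Intercept Communications"),
        OR("Inject Usage Data", leaf("A3.2", "Man in the Middle"), leaf("A3.3", "Spoof Meter"))))

def audit_list(node, seen=None):
    """Leaves in tree order, each once: the checklist an auditor can verify was attempted."""
    seen = {} if seen is None else seen
    if node.op == "LEAF":
        seen.setdefault(node.ident, node.name)
    for c in node.children:
        audit_list(c, seen)
    return seen

def attack_sets(node):
    """Every set of leaf attacks whose joint success achieves this node's goal."""
    if node.op == "LEAF":
        return [frozenset([node.ident])]
    if node.op == "OR":
        return [s for c in node.children for s in attack_sets(c)]
    sets = [frozenset()]                      # AND: cross product of the children's sets
    for c in node.children:
        sets = [a | b for a in sets for b in attack_sets(c)]
    return sets

def achievable(node, succeeded):
    """Is this goal reached, given the leaf attacks that succeeded in the pen test?"""
    return any(s <= set(succeeded) for s in attack_sets(node))

def impacted_goals(node, succeeded):
    """Names of every non-leaf goal the successful attacks achieve: the impact to report."""
    hit = [node.name] if node.op != "LEAF" and achievable(node, succeeded) else []
    for c in node.children:
        hit += impacted_goals(c, succeeded)
    return hit
```

A single blocked leaf in every set returned by `attack_sets(TREE)` is what a mitigation plan has to guarantee; `impacted_goals` gives the auditor the severity of what was actually demonstrated.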

Summary

- Existing cybersecurity standards for smart electric grids don't help determine how secure a system is, only how hard the utility tried to secure a system.
- Penetration testing is an alternative means of security evaluation that helps to determine how insecure a system is.
- By codifying pen-testing strategies into attack trees, pen tests gain the useful properties needed for a cybersecurity standard.
- We have used this methodology successfully in vulnerability testing smart electric meters.

Thanks!

Stephen McLaughlin (smclaugh@cse.psu.edu)
Project: http://siis.cse.psu.edu/smartgrid.html

Publications

- Patrick McDaniel and Stephen McLaughlin. Structured Security Testing in the Smartgrid. 5th International Symposium on Communications, Control, and Signal Processing. Rome, Italy. May 2012.
- Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced Metering Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December 2010. Austin, TX.
- Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric Meters. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August 2010. Washington, DC.
- Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced Metering Infrastructure. In the 4th International Workshop on Critical Information Infrastructure Security, September 2009. Bonn, Germany.