Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014!

Similar documents
Secure Remote Substation Access Solutions

NERC CIP Tools and Techniques

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

Cyber Security and Privacy - Program 183

Summary of CIP Version 5 Standards

Cyber Security Compliance (NERC CIP V5)

NERC CIP VERSION 5 COMPLIANCE

RUGGEDCOM CROSSBOW. Secure Access Management Solution. siemens.com/ruggedcom. Edition 10/2014. Brochure

Alberta Reliability Standard Cyber Security System Security Management CIP-007-AB-5

Document ID. Cyber security for substation automation products and systems

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, CASE: Implementation of Cyber Security for Yara Glomfjord

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Implementation Plan for Version 5 CIP Cyber Security Standards

TRIPWIRE NERC SOLUTION SUITE

Technology Solutions for NERC CIP Compliance June 25, 2015

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

SANS Top 20 Critical Controls for Effective Cyber Defense

Manage Utility IEDs Remotely while Complying with NERC CIP

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

Standard CIP Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management

CIP v5/v6 Implementation Plan CIP v5 Workshop. Tony Purgar October 2-3, 2014

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Server Installation ZENworks Mobile Management 2.7.x August 2013

How To Manage Security On A Networked Computer System

Cyber Security Standards Update: Version 5

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Safety Share Who is Cleco? CIP-005-3, R5 How What

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

Server Security Checklist (2009 Standard)

Symphony Plus Cyber security for the power and water industries

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Cyber Security for NERC CIP Version 5 Compliance

Open Enterprise Architectures for a Substation Password Management System

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

BSM for IT Governance, Risk and Compliance: NERC CIP

Facilitated Self-Evaluation v1.0

ISACA rudens konference

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

How To Monitor Your Entire It Environment

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Information Shield Solution Matrix for CIP Security Standards

Security Standard: Servers, Server-based Applications and Databases

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Industrial Cyber Security 101. Mike Spear

Payment Card Industry Self-Assessment Questionnaire

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Control System Integrity (CSI) Tools and Processes to Automate CIP Compliance for Control Systems

Cybersecurity Health Check At A Glance

NERC CIP Compliance Gaining Oversight with ConsoleWorks

Alberta Reliability Standard Cyber Security Implementation Plan for Version 5 CIP Security Standards CIP-PLAN-AB-1

RuggedCom Solutions for

GE Measurement & Control. Cyber Security for Industrial Controls

System Stability through technology

How Much Cyber Security is Enough?

AHS Flaw Remediation Standard

Securing the Electric Grid with Common Cyber Security Services Jeff Gooding

North American Electric Reliability Corporation (NERC) Cyber Security Standard

System Management. What are my options for deploying System Management on remote computers?

WHITEPAPER. Nessus Exploit Integration

Securing Distribution Automation

NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

The Importance of Cybersecurity Monitoring for Utilities

Risk Management, Equipment Protection, Monitoring and Incidence Response, Policy/Planning, and Access/Audit

Chapter 6 Using Network Monitoring Tools

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations

Obtaining Enterprise Cybersituational

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

SUPPLIER SECURITY STANDARD

NERC CIP-007 v. 5 Patch Management: Factors for Success

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Information Technology Security Procedures

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

Ovation Security Center Data Sheet

A Decision Maker s Guide to Securing an IT Infrastructure

Average annual cost of security incidents

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

F-SECURE MESSAGING SECURITY GATEWAY

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Goals. Understanding security testing

Exhibit to Data Center Services Service Component Provider Master Services Agreement

Transcription:

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014! October 3, 2013 Scott Sternfeld, Project Manager Smart Grid Substation & Cyber Security Research Labs ssternfeld@epri.com Utility co-chair: John Stewart, PM Grid ICT jwstewart@tva.gov

Remote Substation Access Interest Group homepage: http://www.smartgrid.epri.com/srsa.aspx 2

Agenda Review of Top Challenges/Test Scenarios - Vulnerability Testing - Device testing - Password Vault Integration NERC CIP v5 Mapping 2014 Project Plans Schedule of next meetings 3

What is a Remote Substation (IED) Access System? 4

Secure Remote Substation Access Solutions Purpose: Work with vendors and utilities to assess several products providing Interactive Remote Substation Access. Approach: Develop comprehensive list of requirements Develop use cases/scenarios Vendor deployment/development in Smart Grid Substation Lab Improved vendor products Vendor final demonstrations Presenting utility requirements with a unified voice 5

EPRI s Cyber Security Research Lab Knoxville, TN Five vendors installed in the lab: EnterpriseSERVER.NET by Subnet Solutions CrossBow by Ruggedcom, a Siemens Business SEL-3620 by Schweitzer Engineering Labs ConsoleWorks by TDi Technologies IED Manager Suite (IMS) by Cooper Power Systems Potentially others Installation in a Common Demonstration Environment 6

Assessment of Remote Access Solutions: 2012 Remote Substation Access Scenarios 1 2, 3 5 4 7

Review of Top Challenges/ Remote Access Test Scenarios 8

List of Remote Access Scenarios / Challenges 1. Vulnerability Testing 2. Remote Access Vendor IED interoperability / compatibility tests 3. Integration with a Password Vault Others: Password, Configuration, Change Management Alarm Correlation / Incident Management Coordination with Operations These top items are planned to be addressed in our 2014 project, with additional items as time and funding permit. 9

Scenario 1: Vulnerability Testing Remote Substation Access Systems can manage our IED passwords, with role based access control and supporting CIP compliance...but are they SECURE? Utilities have requested through the Interest Group for independent vulnerability tests to be performed on remote access systems. We are now planning on including this task for 2014. 10

Scenario 1: Vulnerability Testing Vulnerability Identification Databases CVSS CVE Configuration CCE CPE A search on SQL and passwords in the NIST NVD CVSS produces 472 matches. These matches range from 1998 to 2013. NESCOR Testing Guides Guide to Penetration Testing Guide to Vulnerability Scanning Tools Scanning Exploitation 11

Scenario 2: Remote Access Vendor IED interoperability / compatibility tests RA system / IEDs SEL relay GE UR relay ABB Relay Siemens Relay PQ meter DFR Other Crossbow ESNET Cooper SEL-3620 TDI Vendor X (example) Tests would be broken down into specific tasks such as: Intelligent vs. Passive proxy Ability to manage passwords File/Event retrieval Could include gateway products (RTAC, SMP, 2020, D20, SSNET) 12

Scenario 2: Specific Task function examples General Type IED Remote Access Protocol Data Acquisition Protocol Priority Advanced/ Automated Functions Login and Logout Passwords Configurations Change Get Automated Automated Device Change Backup Restore Config login logout Password in Password config Config summary gateway Firmware Advanced/ Automated Functions Events SOE Logs Discover Faceplate Data Retrieve firmware version Compare firmware Update firmware Retrieve new event files Retrieve SOE files Retrieve device logs Discover Connected devices Refresh Faceplate LEDs Retrieve device data 13

BYOD! (Bring your own device!!) 14

Scenario 3: Integration with a Password Vault What is a Password Vault? Benefits of a password management solution: - Regular password changes improve security and compliance - Control which users have access to passwords - Allow detailed auditing of each use of these passwords Some solutions offer advanced functionality including: - Password Changes - Password Verification - Password Reconciliation Automatic password management of service accounts either through push or pull approach 15

Scenario 3: Integration with a Password Vault Problem statement: Multiple password vaults, different security or logging levels for various systems, makes difficult for auditing/compliance Current IT Enterprise password vault products do not interact with substation IEDs Ideal end state: Single integrated password vault to manage all shared/service account passwords. Remote Access solution would connect to IEDs using passwords stored in Password Vault solution Potential solutions: Integrate products via API 16

Presentation: Password Vault Integration experiences: Barry Jones, PG&E 17

NERC CIP considerations: How do we be achieve remote access and remain compliant without being intrusive to the operational and maintenance activities?? 18

Remote Access to CIP v5 mapping exercise: Guide to Medium Substation Assets Credit: MidAmerican Energy and FirstEnergy DRAFT standards as of November 2012 Recirculation ballot Std R Full Text Medium Impact BES Cyber Systems (MIBCS) Medium Impact BES Cyber Systems (MIBCS) with Routable Connectivity Remote Access Tool? 007 5.1 Have a method(s) to enforce authentication of interactive user access, where technically feasible. - Yes + PCA n 007 5.2 Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s). Yes Yes + PCA y 007 5.3 Identify individuals who have authorized access to shared accounts. - Yes + PCA y 007 5.4 Change known default passwords, per Cyber Asset capability Yes Yes + PCA y 007 5.5 For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters: 5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and 5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase Yes Yes + PCA y alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset. 007 5.6 Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months. - Yes + PCA y 5.7 Limit unsuccessful attempts or generate alerts of unsuccessfull authentication attempts control centers only y 19

Next steps for Remote Access with respect to CIP? 20

Exciting 2014 Plans! 21

Remote Access Timeline 2012 2013 2014 2012 project: Oct Workshop June 2013 Secure Remote Access Interest Group Discussions Develop Test Scenarios Remote Access Solutions Supplemental Develop/Enhance Features Applying Test Scenarios Vulnerability Testing Solving Implementation Issues! 22

Secure Remote Substation Access Solutions 2014 plans Interest Group Free to participate, open to all utilities: Remote Access Interest Group: Discussion of challenges Presentations on related topics by peers Utility only (no vendor) participation Supplemental Webcasts Presentation by vendors Development/Integration efforts Translate Interest Group challenges into testing scenarios On-site workshop with vendors at EPRI labs. Knoxville, TN Live demonstrations, interaction with vendors Share challenges, solutions and lessons learned by peers 23

EPRI s Smart Grid Substation Lab Knoxville, TN Product testing and demonstration site: Common environment for all vendors 24

Secure Remote Substation Access Solutions Objectives and Scope Address implementation challenges identified by the Secure Remote Access Interest Group such as: Scalability Management and tracking of IED configurations Use of multiple authentication devices/gateways Provide implementation options and best practices Conduct a Secure Remote Access Workshop Value Gain new knowledge and practical guidance on a variety remote access solutions and scenarios Coordinate with vendors to advance the capabilities of remote access solutions Details and Contact Price: $40,000 Qualifies for TC and SDF Scott Sternfeld ssternfeld@epri.com 843-619-0050 SPN Number: 3002001767 Advanced October Implementation 16 th Guidance Webcast for Secure Remote 1-2pm Access Solutions EST 25

Schedule of next meetings: Remote Access Interest Group November 20 th 2013 [proposed] Review of 2014 plans Determine discussion topics participation needed System ownership discussion (any volunteers?) 2014 Schedule (quarterly meetings) February 2014 May 2014 August 2014 November 2014 26

Key Take-Aways: Remote Substation Access products are still in their infancy. You are not the first one to implement these products or run into challenges. We need to build and strengthen a community of users now! Challenge: Users span multiple organizations Work together to share technical approaches to NERC CIP Developing unified utility requirements and test scenarios can improve the market offerings. Together, we can accelerate the maturation process! 27

NERC CIP Tools and Techniques Objectives and Scope Provide guidance for transitioning to NERC CIP Version 5 Project may focus on: Configuration change management Patch management Identity access management Determination of BES cyber assets and BES Cyber Systems Value Identify gaps in current tools that have been deployed to address the CIP requirements Provide guidance and techniques for complying with CIP requirements Details and Contact Qualifies for TC and SDF Scott Sternfeld ssternfeld@epri.com 843-619-0050 SPN Number: 3002001768 October Guidance for 17 Efficiently th Webcast Meeting NERC 11-12pm CIP v5 Requirements EST 28

Upcoming meeting reminders and links Secure Remote Substation Access Solutions Introductory Webcast October 16 th Webcast 1-2pm EST Add to Calendar SPN Number: 3002001767 NERC CIP Tools and Techniques - Introductory Webcast October 17 th Webcast 11-12pm EST Add to Calendar SPN Number: 3002001768 For questions, please contact: Scott Sternfeld ssternfeld@epri.com 843-619-0050 29

Together Shaping the Future of Electricity 30

Legal Notices Please observe these Antitrust Compliance Guidelines: Do not discuss pricing, production capacity, or cost information which is not publicly available; confidential market strategies or business plans; or other competitively sensitive information Be accurate, objective, and factual in any discussion of goods and services offered in the market by others. Do not agree with others to discriminate against or refuse to deal with a supplier; or to do business only on certain terms and conditions; or to divide markets, or allocate customers Do not try to influence or advise others on their business decisions and do not discuss yours except to the extent that they are already public 31

Architectures 32

33

34

Engineering Access and File Extraction 35

Remote Substation Access System What is it? Provides for remote engineering (manual) access to all substation devices (IEDs) in a secure fashion. Optional: Integrated with (automated) file extraction as part of an overall data integration solution. Can be used as a replacement for a Windows Terminal Server (jump host). Can be used as a tool to aid in NERC CIP compliance. May also include: Password management Configuration (change) management for IEDs Asset management 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information