NERC CIP Substation Cyber Security Update
John M Shaw, Presentation to UTC Region 7, February 19, 2009
jshaw@garrettcom.com
It's February 19, 2009: 132 project days left to compliance. Do you know where (and what) your Critical Cyber Assets are?
Electricity Sector Threat Advisory Levels: Physical: Significant Risk of Terrorist Attacks; Cyber: Significant Risk of Terrorist Attacks
- July 1, 2009 CIP compliance deadline approaching
- NERC audits and enforcement actions underway
- CIP (now) applies to the Bulk Transmission System: transmission substations and control centers
- Utility implementation activity accelerating
Approaches to NERC CIP
A. Avoidance
B. Basic Compliance
C. Best Practices (Cyber Champions)
The Cyber Security Compliance Opportunity
- User productivity
- Network flexibility for new applications
- Network reliability
- Network and systems management
- And security compliance
NERC CIP Avoidance
Nothing critical today
- Not part of the bulk transmission system
Nothing cyber today
- No networked (cyber) assets involved with critical assets
- No dial-up or IP-routed connections
Disconnect networks to remove "cyber"
Network, but avoid routable IP ("cyber")
Non-routable CIP-002 Exemption (diagram): SCADA Master at the Central Control Site inside the security perimeter; modem bank; non-routable serial communications over private or leased analog circuits to modems, serial devices and RTUs at distributed substations. No CCAs.
Non-routable CIP-002 Exemption (diagram): SCADA Master at the Central Control Site inside the security perimeter; serial FR/TDM mux; non-routable serial communications over a Frame Relay / TDM network, each connection a discrete PVC digital circuit, to FR/TDM muxes, RTUs and serial devices at distributed substations. No CCAs. No cyber security perimeter.
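The scoping rule behind the avoidance and non-routable exemption slides is worth seeing as a decision procedure. The following is an added example, not material from the presentation: it applies the slides' rule (a cyber asset is a Critical Cyber Asset only when it supports a critical bulk-transmission asset and is reachable by a routable IP protocol or by dial-up; purely non-routable serial links create no CCAs) to a small constructed inventory. The link-type names, the inventory entries and the field names are assumptions made for illustration.

```python
"""Added example (not from the presentation): apply the CIP-002 scoping
rule the slides describe to a constructed asset inventory.

Rule as stated on the slides: a cyber asset is in CIP scope (a Critical
Cyber Asset, CCA) only if it supports a critical bulk-transmission asset
AND is reachable over a routable (IP) protocol or by dial-up. Purely
non-routable serial links (analog circuits, FR/TDM PVCs) do not create
CCAs. Link-type names, field names and the inventory are assumptions.
"""
from dataclasses import dataclass

ROUTABLE = {"ip", "ethernet-ip", "mpls-ip"}
NON_ROUTABLE = {"serial-analog", "serial-fr-pvc", "serial-tdm"}


@dataclass(frozen=True)
class CyberAsset:
    name: str
    site: str
    supports_critical_asset: bool   # essential to a critical (bulk transmission) asset?
    link: str                       # connectivity type, see the sets above
    dial_up: bool = False           # has a modem / dial-up path?


def classify(asset: CyberAsset) -> str:
    """Return one of: 'not-critical', 'exempt-non-routable', 'cca'."""
    if not asset.supports_critical_asset:
        return "not-critical"           # "nothing critical today"
    if asset.dial_up or asset.link in ROUTABLE:
        return "cca"                    # routable or dial-up: inside CIP scope
    if asset.link in NON_ROUTABLE:
        return "exempt-non-routable"    # "no CCAs, no cyber security perimeter"
    raise ValueError(f"unknown link type {asset.link!r} for {asset.name}")


def scope_report(inventory):
    """Group asset names by classification. Sites holding a CCA are listed
    separately because each of them needs an Electronic Security Perimeter."""
    report = {"not-critical": [], "exempt-non-routable": [], "cca": []}
    esp_sites = set()
    for asset in inventory:
        kind = classify(asset)
        report[kind].append(asset.name)
        if kind == "cca":
            esp_sites.add(asset.site)
    return report, sorted(esp_sites)


# Constructed inventory modelled on the two exemption diagrams, plus one
# routable site, one dial-up site and one non-critical device.
INVENTORY = [
    CyberAsset("RTU-A", "Sub A", True, "serial-analog"),
    CyberAsset("RTU-B", "Sub B", True, "serial-fr-pvc"),
    CyberAsset("RTU-C", "Sub C", True, "ip"),
    CyberAsset("RTU-D", "Sub D", True, "serial-tdm", dial_up=True),
    CyberAsset("Meter-E", "Sub E", False, "ip"),
]

if __name__ == "__main__":
    report, esp_sites = scope_report(INVENTORY)
    for kind, names in report.items():
        print(f"{kind:20s} {', '.join(names) or '-'}")
    print("sites needing an ESP:", ", ".join(esp_sites))
```

Note that RTU-D stays in scope even though its SCADA link is non-routable TDM: a single dial-up modem is enough to make it a CCA, which is why the avoidance slides list "no dial-up" alongside "no IP-routed connections".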
NERC CIP Standards
CIP-002 Critical Cyber Asset Identification
CIP-003 Security Management Controls
CIP-004 Personnel and Training
CIP-005 Electronic Security Perimeters
CIP-006 Physical Security of Critical Cyber Assets
CIP-007 Systems Security Management
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets
Secure Access Manager (diagram)
- Easy PC access to remote s from anywhere
- Centralized security management: user profiles, authentication, session logging, reporting (Secure Access Manager with RSA)
- Secure Digital Network: dial-up networking via IP, TDM, FR, Fiber, PSTN; many WAN technologies, including dial-up
- RTUs and devices at substations or other critical sites
Easy-to-use Secure Access (CrossBow)
- Simple PC client
- Windows-like directory of authorized s
- Easy to organize, e.g., by location or type
- Friendly icons and descriptions
- Click through to access
- Transparent to routed or dial-up network
- One-time authentication to central server
- Individual ID/password with central control
- Auto-launch local application for
- Easy to learn, update and use
Broad Device and Application Support
- Desktop, transparent access to almost any, from any target software application, e.g.: Hyperterm, SEL-5010, WinECP, URPC, DisplayStation, Polycom
Secure Access Manager Architecture (diagram): Control Center and Engineering Access on the intranet; Secure Access Manager with RSA and modems behind router/firewalls; digital network (IP, TDM, FR, Fiber, Mwv, MPLS) and dial-up PSTN, with the Internet also shown; at substations or other critical sites, router/firewall, dial-up port switch, communications gateway and RTUs.
Administrative Features
- Central CCA and user profile administration
- One-click NERC CIP reporting facility
  - Includes inventory and reporting of CIP assets and users
- Leverages existing corporate security procedures
  - Tie to Active Directory and/or RSA SecurID
- Comprehensive logging facilitates forensic analysis and gateway password management
- Network software updates and patch management
Distributed Architecture (diagram)
Centralized (Control Center and Engineering Access; Secure Access Manager with RSA behind router/FW):
- Profile administration
- Enterprise security integration
- Log consolidation
- Audits and reporting
- Device management
Digital Network: IP, MPLS, TDM, FR, Fiber
Distributed (On-Site Access Station / Access Controller behind router/FW, with RTUs at substations or other critical sites):
- User authentication/authorization
- Session communications path
- Session detail logging
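The administrative features and the distributed architecture slides together describe a log pipeline: session detail is logged at each site, consolidated centrally, and checked against centrally administered user profiles for audit and reporting. The following is an added example, not code from the presentation or from GarrettCom, showing what that consolidation and audit step looks like. The log line format, the profile format, the user and device names and every record are constructed assumptions.

```python
"""Added example (not from the presentation or GarrettCom): consolidate
session-detail logs from distributed access controllers and check them
against central user profiles, producing the access findings and the
per-CCA access list a CIP audit asks for. Log format, profile format and
all records below are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed log line layout forwarded by each site access controller.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)

# Central profile (assumed): which CCAs each user may open sessions to.
PROFILES = {
    "jdoe": {"SubA/RTU-1", "SubA/RTU-2"},
    "asmith": {"SubB/RTU-1"},
}

# Constructed session-detail logs from two sites.
SITE_A_LOG = """\
2009-02-19T08:15:02 site=SubA user=jdoe device=RTU-1 event=session-start result=ok
2009-02-19T08:42:10 site=SubA user=jdoe device=RTU-1 event=session-end result=ok
2009-02-19T09:03:55 site=SubA user=asmith device=RTU-2 event=session-start result=ok
2009-02-19T09:04:30 site=SubA user=asmith device=RTU-2 event=session-end result=ok
"""
SITE_B_LOG = """\
2009-02-19T10:00:00 site=SubB user=bogus device=RTU-1 event=auth result=fail
2009-02-19T10:00:07 site=SubB user=bogus device=RTU-1 event=auth result=fail
2009-02-19T10:00:15 site=SubB user=bogus device=RTU-1 event=auth result=fail
2009-02-19T11:20:00 site=SubB user=asmith device=RTU-1 event=session-start result=ok
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def consolidate(*logs):
    """Merge several site logs into one time-ordered list (ISO timestamps sort as text)."""
    return sorted((r for log in logs for r in parse(log)), key=lambda r: r["ts"])


def audit(records, profiles, fail_threshold=3):
    """Findings: sessions opened to CCAs the user's profile does not allow
    (the site let it through, the central profile says it should not have),
    and users with repeated failed authentications at one site."""
    findings = []
    failures = defaultdict(int)
    for r in records:
        target = f"{r['site']}/{r['device']}"
        if r["event"] == "session-start" and target not in profiles.get(r["user"], set()):
            findings.append(("unauthorized-session", r["ts"], r["user"], target))
        if r["event"] == "auth" and r["result"] == "fail":
            failures[(r["site"], r["user"])] += 1
    for (site, user), n in failures.items():
        if n >= fail_threshold:
            findings.append(("repeated-auth-failure", site, user, n))
    return findings


def access_report(records):
    """Per-CCA list of users who actually opened sessions: the inventory-style
    view behind 'reporting of CIP assets and users'."""
    report = defaultdict(set)
    for r in records:
        if r["event"] == "session-start" and r["result"] == "ok":
            report[f"{r['site']}/{r['device']}"].add(r["user"])
    return {k: sorted(v) for k, v in sorted(report.items())}


if __name__ == "__main__":
    recs = consolidate(SITE_A_LOG, SITE_B_LOG)
    for finding in audit(recs, PROFILES):
        print("FINDING", *finding)
    for cca, users in access_report(recs).items():
        print(cca, "->", ", ".join(users))
```

The profile check is the point of consolidating centrally: a site controller only sees its own sessions, so a mismatch between what a site allowed and what the central profile permits is visible only once the two are compared in one place.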
Elements of Utility Cyber Security (diagram): Enterprise Access / Control Center with 6-wall physical security; intranet with AVP; Partners / Remote Access via the Internet; AMS, CMS and IDS; Electronic Security Perimeter firewalls; network to a Critical Substation (RTUs) and to Substation Non-critical Assets.
Legend: AVP: Anti-Virus Protection; AMS: Access Mgt. System; IDS: Intrusion Detection System; CMS: Compliance Mgmt. Sys.
End-to-end Layers of Security (diagram): SSH / SSL at the client and SSH / SSL at the server, carried over an IPsec VPN tunnel across the IP network, behind a stateful firewall.
Architecture diagram: Control Center and Engineering Access on the intranet; Secure Access Manager with RSA and modems behind router/firewalls, with the Internet also shown; Secure IP-based WAN (IP, MPLS, TDM, FR, Ethernet, Fiber) and dial-up PSTN; at substations or other critical sites, SAC, router/firewalls, dial-up port switch and RTUs.
Integrated WAN Access (diagram): Control Center to Remote Site over DDS, T1/E1, Ethernet; WAN: IP, FR, TDM, Fiber-Ethernet, MPLS-based IP, Dial-up IP/PPP. Applications carried: SCADA / EMS / DMS; metering; remote device administration; security (surveillance and access control); non-operational data collection.
The Unified WAN
- Shared network
- High speed
- Secure
- Flexible
- Easy to add applications
WAN: Fiber, TDM, FR, IP, MPLS-IP, Dial (6K)
Ethernet-based Network Integration (diagram): management systems and HMI; remote operations centers; video and access security; Ethernet core; WAN access; substation wide area network; Ethernet-based s; serial-based s and consoles; station bus.
Northeastern US Power Company (diagram): Control Center and Engineering Access; Secure Access Manager with RSA and modems behind router/FW; IPsec VPN over Verizon MPLS service with DDS/T1; dial-up PSTN; at substations, router/FW, SEL comm. processor, dial-up port switch and RTUs.
Northeastern US Power Company (diagram): Control Center (ID - SEM, SCADA) and Engineering Access; Secure Access Manager with back-up, RSA and modems behind router/FW; IPsec VPN over Verizon MPLS service with DDS/T1; dial-up PSTN; at substations, router/FW, dial-up port switch, comm. processor and RTUs.
Mid-Atlantic Power Company (diagram): Control Center and Engineering Access; Secure Access Manager with RSA and modems behind mux and router/FW; private SONET fiber network; dial-up PSTN; at substations, router/FW, dial-up port switch and RTUs.
Mid-Atlantic Power Company (diagram): Video Surveillance Center, Control Center and Engineering Access; Secure Access Manager with back-up, video server, RSA and modems behind mux and router/FW; private SONET fiber network; dial-up PSTN; at substations, mux, router/FW, dial-up port switch, Ethernet switch with PoE, RTUs and video surveillance.
Defense in Depth (Critical Cyber Asset)
- Malware screening (e.g., anti-virus)
- Intrusion detection (pattern analysis)
- User access control (AAA and personal profiles)
- Personnel screening
- Port security (disabling physical and logical ports)
- Electronic perimeter security (firewall)
- Physical security perimeter
- Security process management
- Security configuration management
- Patch management
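The "port security" and "security configuration management" layers above both come down to keeping an approved baseline of what may be open on each Critical Cyber Asset and checking the live state against it. The following is an added example, not code from the presentation: it compares observed logical (TCP/UDP) ports and enabled physical switch ports per device against a per-device baseline and reports every deviation, including a device present in the baseline but absent from the observation and a device observed that has no baseline at all. Device names, port lists and the observed data are constructed assumptions.

```python
"""Added example (not from the presentation): a ports-and-services baseline
check of the kind the 'port security' and 'security configuration
management' layers imply. For each CCA it compares observed open logical
ports and enabled physical ports with an approved baseline and reports
deviations. Device names, baselines and observations are constructed.
"""

# Approved baseline per device (assumption): which TCP/UDP services may
# listen and which physical interfaces may be administratively up.
BASELINE = {
    "SubA/gateway": {
        "logical": {("tcp", 22), ("tcp", 443), ("udp", 123)},
        "physical": {"eth0", "eth1"},
    },
    "SubA/rtu-1": {
        "logical": {("tcp", 20000)},   # one protocol port only
        "physical": {"eth0"},
    },
    "SubA/rtu-2": {                    # in the baseline, but not seen below
        "logical": {("tcp", 20000)},
        "physical": {"eth0"},
    },
}

# Constructed observations, as a device's own service list or a scan run
# from inside the ESP might report them.
OBSERVED = {
    "SubA/gateway": {
        "logical": {("tcp", 22), ("tcp", 443), ("udp", 123), ("tcp", 23)},
        "physical": {"eth0", "eth1", "eth3"},
    },
    "SubA/rtu-1": {
        "logical": {("tcp", 20000), ("tcp", 80)},
        "physical": {"eth0"},
    },
    "SubA/printer": {                  # seen on the network, never baselined
        "logical": {("tcp", 9100)},
        "physical": {"eth0"},
    },
}


def compare_device(name, baseline, observed):
    """Deviations for one device: items open/enabled but not approved, and
    approved items that are not present (device down, or monitoring gap)."""
    findings = []
    for kind in ("logical", "physical"):
        approved = baseline.get(kind, set())
        seen = observed.get(kind, set())
        for item in sorted(seen - approved, key=str):
            findings.append((name, kind, "unexpected-open", item))
        for item in sorted(approved - seen, key=str):
            findings.append((name, kind, "expected-but-absent", item))
    return findings


def audit_ports(baseline, observed):
    """Run the comparison over the union of baselined and observed devices.
    A device with no baseline is itself a finding: it is either a CCA that
    was never configured or an asset that should not be in the ESP."""
    findings = []
    for name in sorted(set(baseline) | set(observed)):
        if name not in baseline:
            findings.append((name, "device", "not-in-baseline", None))
            continue
        findings.extend(compare_device(name, baseline[name], observed.get(name, {})))
    return findings


if __name__ == "__main__":
    for finding in audit_ports(BASELINE, OBSERVED):
        print(*finding)
```

Reporting "expected-but-absent" alongside "unexpected-open" matters: an empty observation for a baselined device is more often a collection failure than a hardened device, and a check that only looks for extra ports would silently pass it.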
Futures in CIP
- More pervasive cyber security
- More specifics on security technologies
- More onerous patch management
- More intrusion detection / intrusion prevention
- Protocol-specific firewall / IDS technologies
- No end
Opportunities in CIP
More automation, not less
- Simplify remote access and productivity
- Add applications easily via modern infrastructure
Modernized networks
- Higher performance
- More reliability
Improved system and network management
- More proactive requirements
- Less reactive crises
The Cyber Security Compliance Opportunity: Become a Cyber Champion