Smart Grid Cybersecurity



Similar documents
How the distribution management system (DMS) is becoming a core function of the Smart Grid

IEEE-Northwest Energy Systems Symposium (NWESS)

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

Document ID. Cyber security for substation automation products and systems

Cyber Security and Privacy - Program 183

future data and infrastructure

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

The Importance of Cybersecurity Monitoring for Utilities

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

ICS CYBER SECURITY RKNEAL, INC. Protecting Industrial Control Systems: An Integrated Approach. Critical Infrastructure Protection

FIVE PRACTICAL STEPS

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Chairman Johnson, Ranking Member Carper, and Members of the committee:

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

William Hery Research Professor, Computer Science and Engineering NYU-Poly

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Building a Business Case:

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Energy Cybersecurity Regulatory Brief

Cyber Security Presentation. Ontario Energy Board Smart Grid Advisory Committee. Doug Westlund CEO, N-Dimension Solutions Inc.

The Next Generation of Security Leaders

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

Understanding SCADA System Security Vulnerabilities

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Cisco Security Optimization Service

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Data Security Concerns for the Electric Grid

Resilient and Secure Solutions for the Water/Wastewater Industry

Airports and their SCADA Systems. Dr Leigh Armistead, CISSP. Peregrine Technical Solutions

Safe Network Integration

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

ISACA rudens konference

Actions and Recommendations (A/R) Summary

Seven Strategies to Defend ICSs

The Four-Step Guide to Understanding Cyber Risk

NERC CIP VERSION 5 COMPLIANCE

Cyber Security focus in ABB: a Key issue. 03 Luglio 2014, Roma 1 Conferenza Nazionale Cyber Security Marco Biancardi, ABB SpA, Power System Division

Risk Management, Equipment Protection, Monitoring and Incidence Response, Policy/Planning, and Access/Audit

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Symphony Plus Cyber security for the power and water industries

FINRA Publishes its 2015 Report on Cybersecurity Practices

DeltaV System Cyber-Security

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

PENETRATION TESTING GUIDE. 1

An International Perspective on Security and Compliance

Microsoft s cybersecurity commitment

Cyber Security. Smart Grid

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Internet threats: steps to security for your small business

Advanced Threat Protection with Dell SecureWorks Security Services

IBM Security QRadar Risk Manager

Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015

Application Security in the Software Development Lifecycle

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Assessing the Effectiveness of a Cybersecurity Program

Panel Session: Lessons Learned in Smart Grid Cybersecurity

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Supporting our customers with NERC CIP compliance. James McQuiggan, CISSP

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

THE TOP 4 CONTROLS.

Securing the Electric Grid with Common Cyber Security Services Jeff Gooding

Effective Use of Assessments for Cyber Security Risk Mitigation

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Keeping the Lights On

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Protecting productivity with Plant Security Services

What Risk Managers need to know about ICS Cyber Security

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.

SICAM PAS - the Key to Success Power Automation compliant with IEC and your existing system

Priority III: A National Cyberspace Security Awareness and Training Program

Who s Doing the Hacking?

TRIPWIRE NERC SOLUTION SUITE

Transcription:

Smart Grid Cybersecurity Exceeding cybersecurity requirements mandated by customers and regulatory agencies Abstract The world has become much more connected, with over 32 percent of the population of the planet, or 2.3 billion people, having access to the Internet. Like individuals, systems that control electric power generation and distribution are becoming more connected. Traditionally, these systems have been: Few in number Localized to a comparatively few locations (such as control rooms, generating plants and substations) Isolated from public networks, making them relatively easy to secure. It was often possible to provide a high degree of security through simple physical measures like fences and locks on doors. Smart Grid technology changes this by placing large numbers of intelligent devices into places where they are often easily physically accessible and by placing many of them onto networks that may be physically accessible, or indirectly logically accessible from public networks. Touch points between utility networks and public (or nearly public) networks will become more numerous and widespread. Systems that could once be contained within a locked six-wall room will become widely distributed, with inexpensive networked devices on individual houses and apartments. The rapid evolution of the Smart Grid promises to pose new cybersecurity challenges for at least the next several years. Point of View (POV) Executive White Paper Series These executive white papers provide valuable insight into the innovative application of technology to solve business problems that are confronting utilities, municipalities and other Smart Grid related organizations. The papers should serve as a helpful resource to aid chief financial officers (CFOs) and chief executive officers (CEOs) in discussions with institutional chief information officers (CIOs) in the exploration of new methods and processes for reducing costs. Point of View (POV) Executive White Paper Series usa.siemens.com/smartgrid

Executive summary Industrial control systems (ICS), particularly those used by electric and other utility companies, formerly had few, if any, connections to the world outside the corporation that owned and operated them. In response to trends like deregulation and the growth of alternative and widely distributed energy sources, data collected and used by control systems has increasingly been both obtained and exchanged via public networks. Interconnections between neighbor and partner utilities and independent system operators have also increasingly made use of public networks. Control centers and substations have traditionally been critical, physical assets. They have now become part of an increasing inventory of cyber assets which can no longer be secured simply by placing them behind fences and locked doors. Open standards are replacing proprietary hardware/software True security requires more than simple compliance with applicable standards and will require a number of actions to assist users in achieving both compliance and security. Cybersecurity is in flux, and requires more than simple compliance with applicable standards. There has been a dramatic evolution from proprietary communications protocols toward standards-based approaches. Cybersecurity for the Smart Grid is in flux. We know how to secure traditional systems like a supervisory control and data acquisition systems (SCADA), energy management systems (EMS) or distribution management systems (DMS). For these systems, familiar techniques like firewalls, role-based access controls, multi-factor authentication, and anti-malware measures can still be used to provide a high degree of security. There has been a dramatic evolution from using proprietary hardware and software toward using off-the-shelf hardware and software. There has also been an equally dramatic evolution from traditional, proprietary communications protocols toward standards-based approaches, notably DNP3 or IEC 61850 for grid control. While a cybersecurity professional will say that security through obscurity is never an appropriate defense, the reality is that the move to standard hardware and software has enabled the greater connectivity we see today. In turn, that increased connectivity can make an attacker s job easier. Effective cybersecurity must protect critical assets The world has simply become a more dangerous place for computers and networks. Today, networks are under assault from a wide variety of rogue governments and pseudo-governments, terrorists, criminals and people who see breaking into computer systems as a challenging game. The rise of the Internet and the Web have revolutionized how the world communicates, conducts business, entertains itself and participates in countless other activities no one could have even imagined a few decades ago. Internet technologies have also revolutionized the electric utility industry. Developments include: Internet technologies have revolutionized the electric utility industry. Substation equipment can now be configured from hundreds of miles away over a network. A SCADA one-line diagram can be viewed with a Web browser on a laptop in a substation or in a service truck. Information can quickly and efficiently be exchanged between companies, asset owners and partner utilities. 2

All of these are good things they allow electric utilities to utilize resources more efficiently, maintain them more effectively, increase business agility and be more responsive to customer needs. With improved technology comes new criminal behavior As keepers of much of the world s critical infrastructure, it is the job of the electric utility to do everything within reason to prevent malicious or accidental damage to critical resources that are in their care. Recent initiatives for international cybersecurity standards, promoted by the White House, the United States Department of Homeland Security (DHS) and governments around the world make this document relevant to the worldwide energy industry. The electric utility must do everything within reason to prevent malicious or accidental damage to critical resources. Power utilities are an important national cybersecurity concern because of the essential nature of electricity in our life. Control centers, generators and other facilities have always been critical to the delivery of electric power, and the number and the variety of these critical assets continues to increase. Security challenges What is the potential for critical infrastructure attacks or a major breach of our electrical power grid? In the cybersecurity community, despite frequently heard statements such as a well-funded, highly motivated, intelligent adversary can eventually defeat any cybersecurity, successful attacks against critical infrastructure have been rare. The attack surface of systems is dramatically increasing. Nevertheless, security professionals would most likely say that the attack surface of systems is dramatically increasing. Smart Grid benefits bring new cybersecurity challenges Smart Grid technologies and devices promise great benefits in a number of areas: reduced cost, increased reliability and even reduced environmental impact. As a result, there has been a rush to design, develop and deploy these technologies and devices. In this rush, cybersecurity has not always received the attention it deserves. Smart Grid technologies promise reduced cost, increased reliability and reduced environmental impact. How SCADA security is different from smart metering security In large part, the difference between SCADA security and smart metering security can be expressed simply as concentrated vs. distributed. A SCADA system is generally in one room (albeit with links to devices in substations, which are themselves for the most part in one room). Smart metering is everywhere and it is not possible to build a fence with a gate and a lock around everywhere. Is cybersecurity a good investment? Corporate management brings a special set of concerns toward cybersecurity. When managers are considering adding or upgrading facilities or equipment, return on investment (ROI) is a major factor in their deliberations. ROI is also a strong concern for shareholders. One of the challenges for the future is how to quantify cybersecurity investments. With cybersecurity, ROI is somewhat nebulous. While it is clear that Smart Grid technologies offer increased value, reliability and sustainability, one of the challenges for the future is how to quantify cybersecurity investments in an industry where no news is good news (in terms of cybersecurity threats). As a result, finding a clear and quantifiable answer to this question will continue to remain a challenge. 3

Cybersecurity challenges for utility operators There are a number of factors that make cybersecurity a complex challenge for utility operators: Modern SCADA/EMS/DMS systems are large, complex and incorporate increasingly large numbers of widely distributed components. The distributed nature of SCADA/EMS/DMS systems results in complex network architectures. SCADA/EMS/DMS systems and networks employ a wide variety of cybersecurity equipment and software. Utilities require processes to manage, monitor and maintain these assets which can be complex and resource intensive. Those who seek to harm energy delivery infrastructures continue to grow in sophistication, number and level of dedication. Operators often do not have 24/7 on-site support from an IT department. Often, especially for small to medium-sized electric utilities, SCADA/EMS/DMS operators do not have 24/7 on-site support from an IT department. It is unrealistic (and potentially dangerous) to expect that grid operators possess sufficient expertise in security related topics to recognize, analyze and deal with the variety of cybersecurity incidents that can occur in today s world. Emerging Smart Grid cybersecurity technologies Securing large, widely dispersed and easily accessible networks poses some significant challenges. Securing large, widely dispersed and easily accessible networks pose some significant challenges. For example, in a more traditional setting, support personnel are near at hand to deal with an intrusion. However, if an intrusion occurs in an inexpensive smart meter 100 miles from the nearest support technician, we are faced with an entirely new cost vs. benefit calculus: Should a service truck be sent immediately or is it better to wait? How long is too long to wait? How long might it be before an intrusion into one meter is used by an attacker to attack neighboring meters or other equipment? Smart Grid techniques need to be more compact, less expensive and more autonomous than traditional defenses. Defense in depth has long been a popular approach to securing cyber assets whereby a series of obstacles are constructed that an attacker must defeat to breach the core of a system. Defenses have traditionally been in the form of firewalls, intrusion detection systems and malware detection software. To provide defense in depth for the Smart Grid, the same types of techniques can be used, but they need to be more compact, much less expensive, more autonomous, more distributed and require less human attention. Smart meter security demands creative solutions Some amazingly creative security solutions are beginning to emerge in the Smart Grid arena. One promising example is a hardware-based intrusion detection system that could be incorporated into a single, integrated circuit that is estimated to cost less than one dollar that s cheap enough to allow one to be put into every single smart meter. The solutions are out there and new ones are emerging. The industry just needs to allow and encourage creative people to find them. 4 Smart Grid security needs to become part of the corporate culture A major key to getting serious about security is to move from an environment where the primary concern is compliance to one where the primary concern is security. The difference between compliance and security is sometimes subtle, but it can have a large impact. For example, current NERC CIP rules mandate that anti-malware software be installed and maintained on critical cyber assets. If you follow those rules, you are compliant. However, since current anti-malware solutions are notoriously ineffective at dealing with zero-day threats, compliance does not equal security in this case. A corporate culture that is concerned not only with compliance but also security will encourage better solutions.

Case Study Cybersecurity Manager (CSM) Cybersecurity Manager is designed to help shift the odds in the good guys favor As part of an effort to help improve the cybersecurity posture of the energy delivery infrastructure of the United States, the U.S. Department of Energy (DOE) has funded development of CSM by Siemens and the Pacific Northwest National Laboratory. CSM is not intended to replace existing tools used by IT staff. However, it is designed to provide a tool that will help an EMS operator recognize and respond to cybersecurity incidents without requiring the operator to be an expert in cybersecurity, networking, or the tools that a security professional would typically use. CSM is designed to provide a tool that will help an EMS operator recognize and respond to cybersecurity incidents without requiring the operator to be an expert in cybersecurity. Unique to CSM is its integration into an existing operator training simulator (OTS): Operators can be trained to use the tool by working through realistic simulations or a replay of real-life situations. OTS allows an administrator to use a simulation to test CSM configuration changes. Development and demonstration of a security core component The SCADA and EMS systems used by the electric utility industry to monitor and From control electric power generation, transmission and distribution are recognized today as critical components of the electric power delivery infrastructure. SCADA/EMS operators are traditionally very accomplished at managing the power grid, but are frequently not trained to manage cybersecurity aspects of today s complex equipment and networks. CSM assists operators, who are frequently not trained to manage cybersecurity aspects of today s complex equipment and networks. CSM will assist operators and provide new OTS tools that will facilitate training and practice to recognize and handle cybersecurity incidents. The Siemens cybersecurity advantage Siemens Smart Grid cybersecurity team supports our customers and Siemens internal business units. The team develops and implements tools and methodologies required to provide a secure, reliable computing and network infrastructure. Our approach emphasizes: Soliciting and understanding customer requirements and responding effectively to customer requests and concerns. Emphasizing a proactive approach, where we not only maintain a high awareness of relevant regulations and standards, but actively participate in influencing the development of those standards. Actively developing and maintaining Siemens internal processes so that cybersecurity is the responsibility of all Siemens employees, at all levels of the organization and throughout the entire product lifecycle. Developing and offering cybersecurity related products and services that are reliable and secure, enhancing our customers ability to deploy and use these products to improve the reliability and security of the energy delivery system (Illustrated in figure 1 on the next page). Siemens proactive approach enhances customers ability to improve the reliability and security of the energy delivery system. 5

Figure 1. The information security process Helping customers achieve compliance Compliance and security are related but not equal. Siemens thinks of compliance as a subset of the larger topic of cybersecurity. Effective security requires more than simple compliance with applicable standards in Siemens case, we have implemented a number of actions to assist our customers in achieving both compliance and security. A secure energy delivery infrastructure requires a partnership between system owners and the vendors who supply those systems. As a worldwide vendor, Siemens delivers systems to customers that are governed by a host of different security regulations. One common thread through all these regulations includes maintaining a secure energy delivery infrastructure that requires a partnership between system owners and the vendors who supply those systems. Our goal is to help our customers achieve compliance with relevant security regulations, and to help ensure that Siemens has done everything feasible (from both product and process points of view) to make sure our customers systems are both compliant and secure. Our approach is described below. A proactive cybersecurity approach Siemens is an acknowledged world leader in supplying products and services to the electric utility industry, with extensive experience in cybersecurity. We have been called twice to testify before the U.S. Congress on the topic of security in the electric utility industry. We closely follow numerous security-related standards, including the North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) 002-009, Common Criteria, International Organization for Standardization (ISO) 17799 as well as emerging standards. We offer the benefit of our technology and experience to help electric utilities achieve the level of cybersecurity that the challenges of today s world demand. We have developed a suite of security-related products and services that are directed both at owners of Siemens Spectrum Power control center products and owners of non-siemens products. 6

Cybersecurity standards As a supplier of a broad range of products, systems and solutions to power transmission and distribution organizations around the world, we keep a close watch on existing and emerging standards worldwide. These include: NERC CIP standards in North America ISO/International Electrotechnical Commission (IEC) 15408 (Common Criteria) ISO/IEC 27002:2005 (formerly ISO/IEC 17799) Various National Institute of Standards and Technology (NIST) and other security-related standards and recommendations Siemens Computer Emergency Readiness Team (S-CERT) employees are active in these organizations, providing industry practical insight and market feedback on the application of existing and emerging standards. Siemens CERT S-CERT provides an independent and trustworthy partner for organizations throughout Siemens to deal with cyber-security related issues. S-CERT members hold a variety of cybersecurity and other applicable industry certifications. S-CERT provides a variety of services, including: A central monitoring and notification service for security vulnerability announcements, applicable third-party tools and products used throughout Siemens. This service is integral to Siemens in its overall approach to timely announcements to our customers regarding the availability of security patches that apply to our systems. Performing thorough security assessments of Siemens products; future releases of Spectrum Power will be assessed by S-CERT. Cyber vulnerability assessments (CVA) on customer systems. S-CERT provides an independent and trustworthy partner for organizations throughout Siemens to deal with cybersecurity related issues. S-CERT s experience and expertise is an invaluable tool when responding to cybersecurity incidents and customer concerns. Software subscription agreement (SSA) The software subscription agreement (SSA) service enables customers to take advantage of Siemens continuing investment in the development of the base Spectrum Power system. Every year Siemens invests a significant amount in research and development to enhance and extend the capabilities of Spectrum Power. Our global development organization is continuously improving the Spectrum Power product line, with the intention of ensuring that system components, including third-party components, are up-to-date for security patches and updates. System improvements from R&D are generally made available on a regular basis through base system software releases. Authors Mayur Rao Head of Cybersecurity Siemens Smart Grid Division Dave Taylor Certified Information Systems Security Professional (CISSP) Siemens Smart Grid Division Andy Turke Certified Information Systems Security Professional (CISSP) Siemens Smart Grid Division 7

Conclusion Effective cybersecurity requires the latest and best technology and know-how in a fast-moving electric utility field. It also requires a reliable partner that: Has industry experience Understands the problems electric utilities face Has made the commitment to stay abreast of the latest developments in the field Has a commitment to train its workforce. Effective cybersecurity requires the latest and best technology and know-how in a fast-moving electric utility field. As a leading supplier to electric utilities, Siemens has developed a cohesive cybersecurity response program. The ongoing convergence of a number of trends over the past several years has led to a continuous elevation of the importance of cybersecurity in the systems that Siemens designs, develops, delivers and supports. These trends have led to a greatly heightened awareness of cybersecurity among media, politicians, standards organizations, government agencies and utilities. Because of the essential nature of electricity to our economy and lives, power utilities are an important national cybersecurity asset. Through all the details of this process, Siemens is committed to helping customers not only achieve compliance, but move toward a truly effective Smart Grid cybersecurity system. Siemens Smart Grid Division cybersecurity team Siemens Smart Grid cybersecurity team specializes in designing and building control center and substation products, systems and solutions with a strong emphasis on security. Core attributes of the team include: Team members hold Certified Information Systems Security Professional (CISSP) certifications, participate in security conferences and have attended third-party security training. The average security team member has more than 20 years of experience in the industry. The team is involved during all aspects of Siemens standard product development and deployment life cycle, including postdeployment customer support. Additionally, Siemens offers customers access to this valuable knowledge base through a broad range of consulting services. Siemens Smart Grid Division The Siemens Smart Grid Division supplies products and solutions for intelligent and flexible electrical network infrastructures. To meet growing energy needs, the networks of today and tomorrow must integrate all forms of power generation and ensure bi-directional energy and communication flows. Intelligent networks help make it possible to generate and use power efficiently and on demand. They contribute to the electrification of railroads and also supply industrial enterprises, infrastructure elements and entire cities with electricity. For more information, visit www.usa.siemens.com/smartgrid. For more information about the Siemens Smart Grid division on our on our mobile website, please scan the QR code below. Siemens Industry, Inc. 10900 Wayzata Boulevard, Suite 400 Minnetonka, MN 55305 1-888-597-2566 smartgrid.energy@siemens.com usa.siemens.com/smartgrid Subject to change without prior notice All rights reserved Order No.IC1000-E220-A113-X-4AUS Printed in USA 2012 Siemens Industry, Inc. The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. All product designations may be trademarks or product names of Siemens AG or supplier companies whose use by third parties for their own purposes could violate the rights of the owners.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information