Cyber security protection for synchrophasors and other grid systems




CCET Husch Blackwell Webinar Series: July, August, Sept and Oct, 2014
TODAY'S WEBINAR: Cyber security protection for synchrophasors and other grid systems
Monday, August 11, 2014

Milton Holloway, Ph.D., President & COO, CCET, 512.472.3800, mholloway@electrictechnologycenter.com, electrictechnologycenter.com
Discovery Across Texas: Technology Solutions for Wind Integration in ERCOT. A CCET Smart Grid Demonstration Project

Context: Continuing Investment in Wind Generation ERCOT Wind Capacity

Context: CREZ (Competitive Renewable Energy Zones) Build-out Completion: $7B cost, 3,589 miles of lines

Discovery Across Texas Project: ERCOT & Part of SPP

Discovery Across Texas - Project Team

CCET Demonstration Project: Discovery Across Texas. Seven Project Components:
I. Synchrophasor system with applications (ERCOT wide grid monitoring)
II. Security fabric demonstration for synchrophasor systems (demonstrated at Lubbock/TTU/RTC)
III. Utility-scale battery with companion wind farm (Lubbock/TTU/RTC)
IV. Pricing trials at Pecan Street (Austin)
V. Direct Load Control demonstration with dual communication paths (Dallas and Houston)
VI. Solar community monitoring (Harmony Community in Houston and Mueller Community in Austin)
VII. PEV fleet Fast Response Regulation Service demonstration (Fort Worth)

This material is based upon work supported by the Department of Energy under Award Number DE-OE0000194. Disclaimer: "This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof."

CCET Demonstration Project: Discovery Across Texas. Polling Question
I. What is the probability in the next 10 years that a cyber attack will bring down more of the U.S. grid than has any natural disaster ever?
II. Answers: a. <1%  b. 1-5%  c. 6-10%  d. 11-20%  e. >20%

Lorie Wigle, Vice President, General Manager, IoT Security Solutions, McAfee, a Division of Intel Security. Lorie_Wigle@McAfee.com, 503.466.4405, intelsecurity.com

History of Defining Architecture:
- Inventor of the world's most widely used computing architecture
- Defining countless broadly used standards ranging from USB, WiFi, to IoT
Delivering a Next Generation Security Architecture:
- Defining innovative industry approaches for collaborative and adaptive security
- Introducing security integrations which are sustainable and far-reaching
- Developing capabilities for new security paradigms in areas such as Software Defined Datacenter, Cloud, and IoT
Largest Dedicated Security Provider:
- Broadest security product coverage in the industry
- Complete portfolio focused upon security in everyday lives
- Leadership position in 6 of 8 Gartner Security Magic Quadrants
- Top 10 Most Influential Brands in the World

Energy is a Cyber Target
2014: Dragonfly - US, EU Energy
[Chart: Incidents by Sector for fiscal year 2013, Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team. Energy accounts for 56%; the other sectors shown are Critical Manufacturing, Communications, Commercial Facilities, Water, Transportation, Nuclear, Information Technology, Government Facilities and Financial.]

Polling Question: Critical infrastructure, including the electricity grid, in the U.S. today is
a. At far greater risk from physical attack than cyber attack
b. Very well protected from cyber attack
c. Somewhat vulnerable given that attacks and attackers are constantly becoming more sophisticated
d. At grave risk because security is not a priority

"Operators of infrastructure, particularly energy infrastructure, often believe that their need to operate the infrastructure trumps the need to keep others from mis-operating it." SANS editor William Hugh Murray

Securing Critical Infrastructure: Harden the Device. Secure the Comms. Manage the security.
Hardware enhanced security + software & services: key to achieve mission

The security fabric (SF) is designed to address the NIST IR 7628 Guidelines. Securing the Grid: NIST IR 7628 Guidelines
1. Identity Management: Ensures the device identity is established genuinely.
2. Mutual Authentication: Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Authorization: Manages permission to proceed with specific operations.
4. Audit: Records noteworthy events for later analysis.
5. Confidentiality: Encrypts sensitive data for matters of privacy.
6. Integrity: Ensures that messages have not been altered and that they are non-repudiable.
7. Availability: Prevents denial of service attacks.

IT/OT Differences. Challenges, Enterprise IT Security versus Industrial Systems/OT:
- Importance: IT: Confidentiality, Integrity, Availability. OT: Availability, Integrity, Confidentiality.
- Anti-virus: IT: Common, widely used. OT: Updates can cause unacceptable network delays.
- Patch Deployment: IT: Regular, scheduled. OT: Slow to deploy/test, unable to reboot.
- Network Communication: IT: Standard protocols (IP/UDP). OT: Proprietary protocols (DNP/ICCP/Modbus).
- Security Monitoring: IT: Logs gathered, but reactive, based on issues. OT: Logging only/monitoring for performance/availability.
- Vulnerability Management: IT: Find-fix modus operandi for vulnerabilities. OT: VM scans can destroy machines.

Security Connected for Critical Infrastructure: End-to-End Situational Awareness and Management
- Integrated Embedded Security: McAfee Deep Command, Application/Change Control/Whitelisting, encryption; Wind River OS/Hypervisor/IDP security/encryption; Intel HW-assisted security/encryption
- with Secure Intelligence and Connectivity: Intel Intelligent Gateways; IPS/Firewalls/TLS; 3rd Party SIA Firewalls & Protocol Filters
- Comprehensively Monitored & Managed: McAfee ePolicy Orchestrator (ePO); McAfee Enterprise Security Management (ESM/Nitro/SIEM)

Applying Security to the Electricity Grid: Texas Synchrophasor Field Trial
Electric Power Group (EPG) is adding the security fabric to their synchrophasor products and deploying them at TTU.
Texas Tech University (TTU) is the site of the field trial: synchrophasor deployment already in place at TTU under the CCET project; stand up parallel security-enhanced system; conduct testing.
[Diagram: SC4CI (Security Connected for Critical Infrastructure) components at each site]

Security Connected for Critical Infrastructure: Texas Synchrophasor Field Trial Platform Details
[Diagram components: McAfee ePolicy Orchestrator & Enterprise Security Manager (SIEM); Intelligent Synchrophasor Gateway; EPG RTDMS Client; AAA: Kerberos/AD; McAfee Integrity Control; PMUs, with two links labelled C37.118 Data]
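As an added example (not code from the webinar, EPG or McAfee), this is the set of framing checks a gateway sitting between the PMUs and the RTDMS client can apply to each IEEE C37.118.2 frame before forwarding it: SYNC byte, declared FRAMESIZE, frame type, the CRC-CCITT trailer (CHK) and a provisioned IDCODE, with a log line per dropped frame for the SIEM. The CRC catches corruption and malformed frames but is not an authentication mechanism, which is why the trial wraps the link in TLS and Kerberos/AD AAA; the sample frames, PMU IDCODEs and timestamp below are constructed.

```python
import struct
from dataclasses import dataclass

SYNC_BYTE = 0xAA                      # first byte of every C37.118.2 frame
FRAME_TYPES = {0: "data", 1: "header", 2: "cfg1", 3: "cfg2", 4: "command", 5: "cfg3"}


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used by C37.118.2: polynomial 0x1021, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


@dataclass
class Frame:
    frame_type: str
    idcode: int      # PMU/PDC identifier carried in the header
    soc: int         # second-of-century timestamp
    fracsec: int     # fraction of second plus time-quality flags
    payload: bytes


def build_frame(frame_type: int, idcode: int, soc: int, fracsec: int, payload: bytes) -> bytes:
    """Assemble a well-formed frame (version nibble 2); used here only to construct sample input."""
    size = 14 + len(payload) + 2                      # header + payload + CHK
    header = struct.pack(">BBHHII", SYNC_BYTE, (frame_type << 4) | 2, size, idcode, soc, fracsec)
    body = header + payload
    return body + struct.pack(">H", crc_ccitt(body))


def parse_frame(raw: bytes, allowed_idcodes: set) -> Frame:
    """Parse one frame; raise ValueError for anything the gateway should drop instead of forward."""
    if len(raw) < 16:
        raise ValueError("frame shorter than minimum header + CHK")
    sync, type_byte, size, idcode, soc, fracsec = struct.unpack(">BBHHII", raw[:14])
    if sync != SYNC_BYTE:
        raise ValueError(f"bad SYNC byte 0x{sync:02X}")
    if size != len(raw):
        raise ValueError(f"FRAMESIZE {size} does not match {len(raw)} bytes received")
    ftype = (type_byte >> 4) & 0x07                   # bits 6-4: frame type; bits 3-0: version
    if ftype not in FRAME_TYPES:
        raise ValueError(f"reserved frame type {ftype}")
    if crc_ccitt(raw[:-2]) != struct.unpack(">H", raw[-2:])[0]:
        raise ValueError("CHK (CRC-CCITT) mismatch")
    if idcode not in allowed_idcodes:
        raise ValueError(f"IDCODE {idcode} is not a provisioned PMU")
    return Frame(FRAME_TYPES[ftype], idcode, soc, fracsec, raw[14:-2])


def gateway_filter(frames, allowed_idcodes: set):
    """Return the frames to forward and one log line per dropped frame (for the SIEM)."""
    accepted, log = [], []
    for i, raw in enumerate(frames):
        try:
            accepted.append(parse_frame(raw, allowed_idcodes))
        except ValueError as exc:
            log.append(f"frame {i} dropped: {exc}")
    return accepted, log


# Constructed sample traffic: a good data frame from PMU 7 (SOC = 2014-08-11 00:00:00 UTC),
# a copy with one payload bit flipped, a frame from an unprovisioned IDCODE, and a truncated copy.
GOOD_FRAME = build_frame(0, 7, 1407715200, 0x00010000, bytes(range(10)))
_tampered = bytearray(GOOD_FRAME)
_tampered[16] ^= 0x01
SAMPLE_FRAMES = [GOOD_FRAME, bytes(_tampered),
                 build_frame(0, 99, 1407715200, 0, bytes(range(10))), GOOD_FRAME[:-3]]

if __name__ == "__main__":
    ok, dropped = gateway_filter(SAMPLE_FRAMES, allowed_idcodes={7})
    print(f"forwarded {len(ok)} frame(s)")
    print("\n".join(dropped))
```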

ICS-ALERT-14-176-02: ICS Focused Malware campaign that uses multiple vectors for infection (June 2014)
- Spam Email: Mail GW and/or Whitelisting prevent malware execution on managed endpoints in the industrial space
- Exploit kits: Cannot execute due to Application Whitelisting and Configuration Mgmt
- Malicious Updaters from compromised vendor sites: Handled through secure McAfee Software Update infrastructure for Partner Companies
If the malware has been installed:
- Detect the malicious traffic before it leaves the device and notify
- Block with the traditional network sensors (Nextgen FW, etc.) and notify
- Revealed in ESM, and then in the Device Mgmt Console for identification, quarantine, and remediation

Bridging IT and OT Protection: Proven Security Adapted for New Intelligent Operations
- Integrated Embedded Security: McAfee Deep Command, Application/Change Control/Whitelisting, encryption; Wind River OS/Hypervisor/IDP security/encryption; Intel HW-assisted security/encryption
- with Secure Communication: Intel Intelligent Gateways; IPS/Firewalls/TLS/AAA; 3rd Party SIA Firewalls & Protocol Filters
- Comprehensively Monitored & Managed: McAfee ePolicy Orchestrator (ePO); McAfee Enterprise Security Management (ESM/Analytics)

Marvin Griff, Partner, Energy & Natural Resources, Husch Blackwell. 202.378.2311, marvin.griff@huschblackwell.com, huschblackwell.com

CYBERSECURITY: A CONTINUING PROBLEM
Cybersecurity has been a growing focus and concern over the past decade. Power providers reported new attacks on the transmission grid:
- An attack on a Saudi Arabian oil company in the summer of 2012 wiped data from 30,000 computers.
- MISO breach in June.
A July study released by Unisys said 67% had at least one security compromise over the last 12 months leading to loss of confidential information or operations disruption, caused by:
- Negligent employees (47% of respondents), many with privileged access.
- External attack (28% of respondents).
Limited preparedness:
- Most said their firms' cybersecurity programs had limited ability to ward off attacks.
- A large majority said cybersecurity is not a top corporate priority within their company.
- Most indicated little faith in government regulations or industry standards to address risks effectively.

OVERVIEW - TEXAS
Cybersecurity for the electric sector traditionally has been a concern addressed at the federal level by the Federal Energy Regulatory Commission (FERC) through the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards, which focus on the bulk electric system, that is, the transmission portion of the grid. The Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and FERC with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards, including those for cybersecurity for the remainder of the electric grid. Since 2009, the state of Texas has taken a significantly greater role in grid cybersecurity, with a large emphasis placed on the distribution portion of the electrical infrastructure.

OVERVIEW - FEDERAL
The electric power industry is the only critical infrastructure industry in the US with mandatory and enforceable cyber standards. Protecting the grid is a mandate under the Energy Policy Act of 2005 (EPAct 2005). The Federal Energy Regulatory Commission (FERC) has the authority to oversee the reliability of the bulk power system.

EPACT 2005 AND THE ELECTRIC RELIABILITY ORGANIZATION
EPAct 2005 created the Electric Reliability Organization (ERO). The North American Electric Reliability Corporation (NERC) was designated as the ERO in 2006 in Order No. 672. NERC worked with electric power industry experts to develop the NERC Critical Infrastructure Protection (CIP) standards CIP-002 through CIP-009. Since 2008, the standards have been updated.

FERC AND THE ERO
FERC may approve proposed reliability standards or modifications. It has no authority to modify proposed standards, but FERC may direct the ERO to submit a proposed standard or modification. FERC jurisdiction is limited to the "bulk power system" under the Federal Power Act (FPA). Exclusions include facilities used for local distribution and any facilities in Alaska and Hawaii. Much of the smart grid equipment will be installed on distribution facilities and won't be under FERC's jurisdiction. Virtually all the grid facilities in certain large cities, such as New York, are not covered by FERC cyber jurisdiction.

CIP RELIABILITY STANDARDS
Development of reliability standards involving cyber security: The first versions of CIP standards were announced in 2006. CIP 002 through CIP 009 were approved by FERC in 2008 (Order No. 706). The standards have been updated to address evolving cyber threats. The CIP Standards address assets essential to the operation of identified bulk power system critical infrastructure, termed Critical Cyber Assets, such as:
- control centers
- control systems
- transmission substations
- generators

CIP RELIABILITY STANDARDS (continued)
Identified Critical Cyber Assets must receive full CIP protections including:
- cyber protections
- physical protections
- cyber and physical access limitations
- security training for appropriate personnel
- development and implementation of incident response and asset recovery plans
Compliance history of CIP Reliability Standards is problematic: CIP Reliability Standards are by far the most violated of Standards.

Polling Question: Violations of Reliability Standards are punishable by per violation, per day fines of up to:
a) $5,000  b) $50,000  c) $100,000  d) $500,000  e) $1,000,000

ORDER NO. 706 (January 18, 2008)
Established eight CIP Reliability Standards (CIP-002 through CIP-009); replaced prior voluntary cyber security standards. Required a "risk-based" vulnerability assessment methodology for cyber assets. Once cyber assets are identified, responsible entities are required to:
- establish plans to safeguard physical and electronic access
- train personnel
- report security incidents and be prepared for recovery actions

ORDER NO. 761 (April 19, 2012)
FERC revised the standards for identifying cyber assets: "[it] is a step towards full compliance with Order 706." Replaced NERC's risk-based approach with bright line criteria. Covers control centers, transmission facilities, generating facilities, flexible AC transmission systems and special protection systems. FERC established a deadline for NERC to submit reliability standards fully compliant with Order 706.

Find, Fix, Track and Report ORDER (June 20, 2013)
FERC accepted the NERC Find, Fix, Track and Report (FFT) program, under which:
- Informational filings of lesser-risk, remediated possible violations are permitted.
- Only possible violations that pose a minimal risk are eligible for FFT treatment.
- NERC can focus resources on issues posing greater risk to reliability.
FERC rejected the proposal to remove the requirement that senior officers certify completion of remediation. The FFT program allowed NERC to reduce issues dating prior to 2011 by approximately 80 per cent.

Order No. 791 (November 22, 2013)
Approved the Version 5 CIP Reliability Standards (CIP 002 through CIP 009). FERC rejected the NERC-advocated move away from zero tolerance to a more flexible standard of requiring entities to identify, assess, and correct violations. The new CIP standards will require major changes for registered entities:
- All Bulk Electric System (BES) Cyber Assets will receive some level of protection related to the importance of their associated facilities.
- Addresses Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for Bulk Electric Cyber Systems, Configuration Change Management and Vulnerability Assessments.
- New approach for identifying bulk electric system (BES) Cyber Systems: Low, Medium, or High Impact. The level of CIP protections required by the Version 5 Standards depends on the risk classification of the relevant BES Cyber Systems.
- Requires, at minimum, all BES Cyber Systems to be categorized as Low Impact.
- High and Medium Impact asset requirements: compliance by April 1, 2016; 36 months for Low Impact assets.
- The expansion of requirements for Low Impact systems and assets will be a time intensive task.

CYBERSECURITY FRAMEWORK (February 12, 2014)
NIST unveiled the Cybersecurity Framework for reducing cyber risks to critical infrastructure. The voluntary framework is intended to reduce cybersecurity threats and vulnerabilities through a risk based approach to improve cybersecurity practices. It has its origins in President Obama's February 2013 Executive Order 13636 for Improving Critical Infrastructure Cybersecurity. It is expected to be a first step in a continuous process to improve the nation's cybersecurity to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use.

Questions?
Milton Holloway, CCET, mholloway@electrictechnologycenter.com
Lorie Wigle, McAfee, a Division of Intel Security, @LWigle
Marvin Griff, Husch Blackwell, marvin.griff@huschblackwell.com

Thank You