Panel Session: Lessons Learned in Smart Grid Cybersecurity



Similar documents
Cyber Security and Privacy - Program 183

Risk Management, Equipment Protection, Monitoring and Incidence Response, Policy/Planning, and Access/Audit

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

STATEMENT OF PATRICIA HOFFMAN ACTING ASSISTANT SECRETARY FOR ELECTRICITY DELIVERY AND ENERGY RELIABILITY U.S. DEPARTMENT OF ENERGY BEFORE THE

Information Bulletin

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

FREQUENTLY ASKED QUESTIONS

AD FERC Technical Conference February 8, 2011 Statement of Ron Litzinger. President, Southern California Edison Company

Smart Grid Security: A Look to the Future

Smart Grid America: Securing your network and customer data. Michael Assante Vice President and Chief Security Officer March 9, 2010

SGIG Cyber Security Program Review Process

Securing the Electric Grid with Common Cyber Security Services Jeff Gooding

Update On Smart Grid Cyber Security

Enabling the SmartGrid through Cloud Computing

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Data Security Concerns for the Electric Grid

Smart Grid Cybersecurity Lessons Learned

IEEE-Northwest Energy Systems Symposium (NWESS)

Cyber security: Practical Utility Programs that Work

Data Management Issues associated with the August 14, 2003 Blackout Investigation

ADVANCED DISTRIBUTION MANAGEMENT SYSTEMS OFFICE OF ELECTRICITY DELIVERY & ENERGY RELIABILITY SMART GRID R&D

ISACA North Dallas Chapter

CYBER SECURITY GUIDANCE

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

April 28, Dear Mr. Chairman:

Cyber Security Risk Management: A New and Holistic Approach

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

future data and infrastructure

Cyber Security & State Energy Assurance Plans

Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION

Allen Goldstein NIST Synchrometrology Lab Gaithersburg, MD

Addressing Dynamic Threats to the Electric Power Grid Through Resilience

Industrial Control Systems Security Guide

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Hearing on Oversight of Federal Efforts to Address Electromagnetic Risks. May 17, 2016

Cybersecurity Enhancement Account. FY 2017 President s Budget

Cisco Security Optimization Service

NARUC. The Smart Grid: Frequently Asked Questions for State Commissions. The National Association of Regulatory Utility Commissioners

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Written Statement of Richard Dewey Executive Vice President New York Independent System Operator

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Network Infrastructure Considerations for Smart Grid Strategies By Jim Krachenfels, Marketing Manager, GarrettCom, Inc.

Security in the smart grid

Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security

Preemptive security solutions for healthcare

Smart Grid Demonstration Lessons & Opportunities to Turn Data into Value

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Testimony of Patrick D. Gallagher, Ph.D. Deputy Director

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Securing the Grid. Marianne Swanson, NIST Also Moderator Akhlesh Kaushiva (AK), DOE Lisa Kaiser, DHS Leonard Chamberlin, FERC Brian Harrell, NERC

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

How Much Cyber Security is Enough?

I. TODAY S UTILITY INFRASTRUCTURE vs. FUTURE USE CASES...1 II. MARKET & PLATFORM REQUIREMENTS...2

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Secure Machine to Machine Communication on the example of Smart Grids

DOE Cyber Security Policy Perspectives

APPENDIX A PG&E s Smart Grid Deployment Plan

Microsoft Services Premier Support. Security Services Catalogue

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

BSM for IT Governance, Risk and Compliance: NERC CIP

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

Beyond disaster recovery: becoming a resilient business.

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS)

Spreading the Word on Nuclear Cyber Security

The digital future for energy and utilities.

EFFECTIVE APPROACHES TO CYBERSECURITY FOR UTILITIES TERRY M. JARRETT HEALY & HEALY ATTORNEYS AT LAW, LLC OCTOBER 24, 2013

RESEARCH CALL TO DOE/FEDERAL LABORATORIES. Cybersecurity for Energy Delivery Systems Research Call RC-CEDS

Cyber Security Presentation. Ontario Energy Board Smart Grid Advisory Committee. Doug Westlund CEO, N-Dimension Solutions Inc.

Agenda do Mini-Curso. Sérgio Yoshio Fujii. Ethan Boardman.

BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA ) ) ) ) ) )

SECURITY ANALYTICS & INTELLIGENCE FOR CRITICAL INFRASTRUCTURE

William Hery Research Professor, Computer Science and Engineering NYU-Poly

Accenture Cyber Security Transformation. October 2015

Resilient and Secure Solutions for the Water/Wastewater Industry

SEC STATEMENT OF POLICY ON MODERNIZATION OF ELECTRICITY GRID.

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Smart Grid and Cyber Security for Energy Assurance

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

Asset Management Challenges and Options, Including the Implications and Importance of Aging Infrastructure

National Cyber Security Policy -2013

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Cyber Infrastructure for the Smart Grid

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

TUSKEGEE CYBER SECURITY PATH FORWARD

The Comprehensive National Cybersecurity Initiative

Threat and Hazard Identification and Risk Assessment

NIST Coordination and Acceleration of Smart Grid Standards. Tom Nelson National Institute of Standards and Technology 8 December, 2010

A High Performance Secure Platform for Smart Grid Research - the Internet2 Network 28 September 2015

TEXAS HOMELAND SECURITY STRATEGIC PLAN : PRIORITY ACTIONS

Executive Summary... ii

Designing Compliant and Sustainable Security Programs 1 Introduction

U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO

Transcription:

PNNL-SA-91587 Panel Session: Lessons Learned in Smart Grid Cybersecurity TCIPG Industry Workshop Jeff Dagle, PE Chief Electrical Engineer Advanced Power and Energy Systems Pacific Northwest National Laboratory (509) 375-3629 jeff.dagle@pnnl.gov 1

Outline Setting the context for challenges associated with control system security in the electricity sector Smart grid security considerations Defining the smart grid A discussion on synchrophasors and their security implications DOE efforts on securing ARRA smart grid investment grants The author s perspectives on security and resilience Issues for consideration 2

The Emerging Cyber Threat Industry has long history of planning for and coping with natural disasters and other reliability events Through industry standard operating procedures, there is much effort expended to reduce likelihood of cascading outages leading to widespread blackouts Historically, cyber security focused on countering unstructured adversaries e.g., individuals, untargeted malicious software, human error Very little protection against structured adversaries intent on exploiting vulnerabilities to maximize consequences e.g., terrorist groups, organized crime, hostile nation states Insider threat remains very challenging, can be used as part of structured threat vector New possibilities for widespread sustained outages resulting from cyber attack are now being contemplated Currently, most of the emphasis is on compliance to mandatory cyber security requirements, e.g., NERC CIP Some effort to expand thinking beyond minimum necessary requirements, e.g., the joint NERC-DOE effort on High Impact, Low Frequency Events 3

Smart Grid Defined A smart grid uses digital technology to improve reliability, security, and efficiency of the electric system: from large generation, through the delivery systems to electricity consumers and a growing number of distributedgeneration and storage resources. The information networks that are transforming our economy in other areas are also being applied to applications for dynamic optimization of electric system operations, maintenance, and planning. 4

Smart Grid Vision Bring digital intelligence & real-time communications to transform grid operations Demand-side resources participate with distribution equipment in system operation Consumers engage to mitigate peak demand and price spikes More throughput with existing assets reduces need for new assets Enhances reliability by reducing disturbance impacts, local resources self-organize in response to contingencies Provide demand-side ancillary services supports wind integration The transmission and bulk generation resources get smarter too Improve the timeliness, quality, and geographic scope of the operators situational awareness and control Better coordinate generation, balancing, reliability, and emergencies Utilize high-performance computing, sophisticated sensors, and advanced coordination strategies 5

Communication and Information Technology will be Central to Smart Grid Deployment NIST Framework and Roadmap for Smart Grid Interoperability Standards. Release 1.0 (Draft), September 2009 6

Smart Grid Cyber Security The same information and communication technologies that enhance the resilience of the power system may also present a new set of vulnerabilities related to the control layer of the physical infrastructure If there are common modes of failure present in these control layers, there will necessarily be challenges to achieving full degrees of resilience in future smart grid deployments Because smart grid technologies transcend the scope of the FERC/NERC jurisdiction associated with the bulk electricity system, we cannot rely on existing mandatory cyber security standards and requirements 7

North American SynchroPhasor Initiative DOE and NERC are working together closely with industry to enable wide area time-synchronized measurements that will enhance the reliability of the electric power grid through improved situational awareness and other applications April 2007 March 2012 Better information supports better - and faster - decisions. 8

Applications REAL-TIME SYNCHROPHASOR APPLICATIONS AND THEIR PREREQUISITES Wide-area Monitoring Visualization Frequency and voltage monitoring Oscillation detection Event detection Alarming Automated widearea controls Reliability Action Schemes Operator decision support Functions System protection Increase in operating transfer capacity Renewable integration Congestion management Outage avoidance Situational awareness Prerequisites TODAY FUTURE ANALYSIS Good data collection Interconnectionwide baselining Pattern detection Model validation system & elements System studies COMMUNICATIONS Interoperability standards High availability, high speed Appropriate physical & cyber-security Redundant, fault-tolerant USERS Familiarity Good visual interface Training

Security of Synchrophasors Synchrophasors are becoming part of the bulk electric system and will require physical and cyber security But these systems shouldn t be treated any differently than other forms of measurement and control telemetry Synchrophasor systems will coexist with other bulk electricity system (BES) cyber infrastructure and will have similar dependencies on common communications and network elements System designers and owners are leveraging emerging cyber-security standards and technologies Currently available phasor applications require further data analysis, software refinement and operational validation to be fully effective; many are in advanced development and testing and are not in full operational use Therefore, many of these systems are not currently considered critical cyber assets Due to nature of continuous, high-volume data flows, new technology will likely be required for measurement, communications, and applications Technology anticipated to undergo rapid change and refinement over the next several years 10

Cyber Security ARRA Activities Critical to Smart Grid Success Organized interagency group (DOE, NIST, FERC, DHS, others) for development of cyber security requirements in the funding opportunity announcement Cyber security - major factor in technical merit review Separate subject matter expert team provided independent reviews DOE s team of subject matter experts reviewed and approved the cyber security plans Annual site assessments currently underway DOE may not make an award to an otherwise meritorious application if that application cannot provide reasonable assurance that their approach to cyber security will prevent broad based systemic failures in the electric grid in the event of a cyber security breach. Smart Grid FOA 11

www.arrasmartgridcyber.net Provide a resource enabling Smart Grid Investment Grants (SGIG) and Smart Grid Demonstration Projects (SGDP) to understand the baseline principles and practices necessary to implement cyber security in the deployment of smart grid technologies 12

Cyber Security Plan ARRA projects committed to a technical approach to cyber security that included a plan to provide a summary of: the cyber security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact), cyber security criteria utilized for vendor and device selection, relevant cyber security standards and/or best practices that will be followed, and how the project will support emerging smart grid cyber security standards. A strong Cyber Security Plan will: provide commitment to the organization s cyber security assessments, evaluations, and threat analyses, provide assurance that a defensive strategy will be created, appropriate security controls, will be selected, and mitigation methodologies based on risk-informed processes will be implemented, and document that all systems are installed, tested, and operated with appropriate and diligent cyber security. 13

Identifying Risks of Implementing Smart Grid Systems (an All Hazards Approach) Complexity Introduces potential vulnerabilities More access points (increased exposure) Difficult to manage a complex system Power system would be more vulnerable to communication (or software) disruptions Denial of service (e.g., unintentional load shedding) Potential for common failure modes across connected systems Software/system integrity (e.g., firmware, logic bomb, supply chain, etc.) Intelligence gathering tool for the adversary Potential for breach of customer privacy Implementation issues Inappropriate or premature mandating of technologies that aren t appropriate for the application Potential for technology obsolescence 14

Mitigating Smart Grid Implementation Risks Develop security controls Policies, procedures, control baselines, reference architectures, conformance and interoperability testing, certification Need built-in (rather than bolt-on) security Apply good security practices Follow best practices, established standards when available Apply defense-in-depth concepts Redundancy, zones, proxies, role-based authority, etc. Instill a culture of security Training, awareness, adequate resources, management support Develop transition strategy that maximizes interoperability, security, reliability, etc. Forensics and enforcement Establish trusted technology supply chain 15

Infrastructure Resilience Ability to reduce the magnitude and/or duration of disruptive events Resilient infrastructure can anticipate, absorb, adapt to, and/or rapidly recover from a disruptive event Best when all-hazard disruptive events that were not envisioned beforehand do not create systemic failure 16

Concluding Remarks The power grid is exceptionally complex, and extraordinarily reliable Most customer outages are due to issues with radial distribution feeders vs. the networked transmission grid Hierarchal control strategy provides good tradeoff between reliability and efficiency As advanced technology is being considered for deployment, need to consider unintended consequences (e.g., cyber security) Robustness and resiliency are enhanced by considering all threats to the power system An all-hazards approach Historically little attention has been given to addressing multiple contingency scenarios Need to consider cost-effective risk mitigation solutions 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information