Claes Rytoft, ABB, 2009-10-27 Security in Power Systems October 29, 2009 Slide 1
A global leader in power and automation technologies
- Leading market positions in main businesses
- 120,000 employees in about 100 countries
- $35 billion in revenue (2008)
- Formed in 1988 merger of Swiss and Swedish engineering companies
- Predecessors founded in 1883 and 1891
- Publicly owned company with head office in Switzerland
Slide 2
How ABB is organized
Five global divisions (2008 revenues in US$ and employees per division):
- Power Products: $11.9 billion, 34,000 employees
- Power Systems: $6.9 billion, 16,000 employees
- Automation Products: $10.3 billion, 36,000 employees
- Process Automation: $7.8 billion, 27,000 employees
- Robotics: $1.6 billion, 5,000 employees
ABB's portfolio covers:
- Electricals, automation, controls and instrumentation for power generation and industrial processes
- Power transmission
- Distribution solutions
- Low-voltage products
- Robots and robot systems
Slide 3
What is a Power System? And why is security a concern?
Slide 4
Evolution of grid design
From traditional to future Smart grids
Traditional grids:
- Centralized power generation
- One-directional power flow
- Generation follows load
- Operation based on historical experience
Future grids:
- Centralized and distributed power generation
- Intermittent renewable power generation
- Multi-directional power flow
- Load adapted to production
- Operation based on real-time data
Slide 5
Cyber Security for Power Systems
The Power System is dependent on IT!
- Isolated devices
- Point to point interfaces
- Proprietary networks
- Standard IP-based networks
- Interconnected systems
- Distributed systems
Modern Power Systems:
- leverage standard IT components (e.g. MS Windows, Internet Explorer)
- use IP based communication protocols (Internet technology)
- are connected to external networks
Modern Power Systems are specialized IT Systems
Slide 6
Cyber Security for Power Systems
Solution approach - differences to enterprise environments
Enterprise IT:
- Primary object under protection: Information
- Primary risk impact: Information disclosure, financial
- Main security objective: Confidentiality
- Security focus: Central Servers (fast CPU, lots of memory, ...)
- Availability requirements: 95-99% (accept. downtime/year: 18.25-3.65 days)
- Problem response: Reboot, patching/upgrade, isolation
Control Systems:
- Primary object under protection: Physical process
- Primary risk impact: Safety, health, environment, financial
- Main security objective: Availability
- Security focus: Distributed System (possibly limited resources)
- Availability requirements: 99.9-99.999% (accept. downtime/year: 8.76 hrs - 5.25 minutes)
- Problem response: Fault tolerance, online repair
Slide 7
Cyber Security for Power Systems
Global concern
- USA/Canada: biggest security concern, mainly driven by regulation and Smart Grid initiatives
- Europe: less security demand, main drivers Germany, Sweden, UK
- Rest of the World: Other priorities
Slide 8
Cyber Security for Power Systems
Statements from the US government
May 29, 2009
REMARKS BY THE PRESIDENT ON SECURING OUR NATION'S CYBER INFRASTRUCTURE
"In short, America's economic prosperity in the 21st century will depend on cyber security. And this is also a matter of public safety and national security. We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness."
Slide 9
NERC CIP
Regulation for USA and Canada
- Covers operational and technical requirements
- Compliance required for Utilities
- Vendors can / have to support NERC CIP compliance
- Auditable compliance starts in 2009
  - fines of up to $1 million per day per site
- It is a performance based standard (no technical details)
- Has made (almost) everyone aware of the situation
Slide 10
The Idaho National Laboratory
- A DOE National Laboratory
- 890 square mile site with facilities located in Idaho Falls
- National and Homeland Security
- Protecting the Nation's Infrastructure
Slide 11
The Idaho National Laboratory
Cyber Security Test Bed
- SCADA Test Bed
  - SCADA, EMS, Control Systems: RTUs, IEDs, Relays, PLCs
- Power Grid Test Bed
  - 61 miles of 138 kV
  - Isolatable substation
- Communications Test Bed
  - Wireless: Cellular, HF, Microwave, 802.11
  - Network: Copper, Fiber, RF
Slide 12
Hollywood supports... Die Hard 4
On the July 4th holiday, an attack on the vulnerable United States infrastructure begins to shut down the entire nation! But as New York City police detective John McClane delivers old-school justice to a new breed of terrorist when a massive computer attack on the U.S. infrastructure threatens to shut down the entire country over Independence Day weekend!
Slide 13
Cyber Security for Power Systems
Actual incidents

Expert: Hackers Penetrating Control Systems
Grant Gross, IDG News Service
Thursday, March 19, 2009 12:40 PM PDT
The networks powering industrial control systems have been breached more than 125 times in the past decade, with one resulting in U.S. deaths, a control systems expert said Thursday.

CIA: Hackers demanding cash disrupted power
Electrical utilities in multiple overseas cities affected
By Ted Bridis
The Associated Press
updated 6:06 p.m. ET, Fri., Jan. 18, 2008
WASHINGTON - Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.
Slide 14
Cyber Security for Power Systems
How big is the risk?
Stephen Cummings, director of the British government's Centre for the Protection of National Infrastructure: "Cyberterrorism is a myth"
Denial, Panic, Reality
Cyber incidents are real and cyber security for Power Systems must be taken seriously, but it is a challenge that can be met
Slide 15
Cyber Security for Power Systems
What are the risks?
- Electronic attacks
  - Untargeted attacks (Virus, Worms, Trojans, ...)
  - Deliberate, untargeted attacks (Spamming, Botnets, ...)
  - Targeted attacks (Hackers, Cyber-Terrorism, ...)
- Physical attack
- Human failure
  - Configuration errors
  - Operation errors
(Figure axes: Likelihood, Consequences)
Slide 16
Main Challenges for Utilities
- Assessment of existing systems
- Operation and management of security architecture
- Continuous monitoring of the infrastructure
- Regular analysis of log files
- Regular reevaluation of security architecture
- Continuous threat modeling & risk management
- Development of IT-security policies and processes
- Training of employees and compliance to NERC CIP in NAM
Slide 17
Main Challenges for Vendors
- Different, sometimes contradictory requirements, coming from
  - Customers
  - Regulators
  - Various working groups and standards
- Definition of new product requirements and service offerings
- Verification and improvement of security offerings
- Security assessments
- Testing (internal and external)
- Supporting customers in setting up security programs
There is no control system on the market that is 100% secure. Vendors are actively working to maximize cyber security in their offerings.
Slide 18
ABB's position on Cyber Security
- As technology leader, ABB fully understands the importance of and its responsibility in Cyber Security for industrial control systems.
- ABB is actively anticipating the security challenges imposed by the changing landscape of the markets.
- ABB is constantly adapting its systems to the latest developments in security and is engaging with external partners for security testing and consulting.
- ABB has been involved in cyber security for control systems for over a decade, long before the hype.
Slide 19
Conclusions
- Security is not just a matter of technology, it is primarily about people, relationships, organizations and processes working in tandem to prevent an attack
- Effective security solutions require a joint effort by vendors, integrators, operating system providers and end users.
- There is no single solution that is effective for all organizations and applications.
- Security is a continuous process, not a product or a one-time investment
- Security must be addressed with multiple barriers and requires both protection and detection mechanisms
- Security is about risk management - perfect security is neither existent nor economically feasible
Slide 20