NERC CIP Substation Cyber Security Update. John M Shaw, presentation to UTC Region 7, February 19, 2009. jshaw@garrettcom.com
It's February 19, 2009: 132 project days left to compliance. Do you know where (and what) your Critical Cyber Assets are?
Electricity Sector Threat Advisory Levels: Physical: Significant Risk of Terrorist Attacks. Cyber: Significant Risk of Terrorist Attacks.
- July 1, 2009 CIP compliance deadline approaching
- NERC audits and enforcement actions underway
- CIP (now) applies to the Bulk Transmission System: transmission substations and control centers
- Utility implementation activity accelerating
Approaches to NERC CIP
- A. Avoidance
- B. Basic Compliance
- C. Best Practices ("Cyber Champions")
The Cyber Security Compliance Opportunity
- User productivity
- Network flexibility for new applications
- Network reliability
- Network and systems management
- And security compliance
NERC CIP Avoidance
- Nothing critical today: not part of the bulk transmission system
- Nothing cyber today: no networked (cyber) assets involved with Critical Assets; no dial-up or IP-routed connections
- Disconnect networks to remove the "cyber" element
- Or network, but avoid routable IP (the "cyber" trigger)
Under CIP-002-1 R3 a Cyber Asset essential to the operation of a Critical Asset becomes a Critical Cyber Asset only if it uses a routable protocol to communicate outside the Electronic Security Perimeter, uses a routable protocol within a control center, or is dial-up accessible. Serial-only equipment on dedicated circuits meets none of these tests, which is what the following two slides rely on; note that adding a modem that answers calls, or an IP link, to such equipment changes its status.
Non-routable CIP-002 Exemption (diagram): the SCADA master at the central control site, inside its security perimeter, reaches a modem bank; non-routable serial communications run over private or leased analog circuits to modems and serial devices at the distributed substations. No CCAs.
Non-routable CIP-002 Exemption (diagram): the SCADA master at the central control site, inside its security perimeter, connects through a serial FR/TDM mux; non-routable serial communications run over a Frame Relay / TDM network, each connection a discrete PVC or digital circuit, to FR/TDM muxes and serial devices at the distributed substations. No CCAs, and so no cyber security perimeter required.
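The two exemption slides above turn on the CIP-002-1 R3 test. The following is an added example, not code from the presentation or from GarrettCom, that applies that test to a constructed asset inventory and shows how a connectivity change (a dial-in modem, an IP link) moves a device into CCA scope. Asset names, sites and attributes are assumptions for illustration.

```python
"""Added example (not from the presentation): applying the CIP-002-1 R3
Critical Cyber Asset (CCA) test to a constructed asset inventory.

A Cyber Asset essential to the operation of a Critical Asset is a CCA if it
  - uses a routable protocol to communicate outside the ESP, or
  - uses a routable protocol within a control center, or
  - is dial-up accessible.
Serial-only equipment on leased/private circuits trips none of these, which
is the "non-routable exemption" shown in the slides.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CyberAsset:
    name: str
    site: str
    essential_to_critical_asset: bool      # R3 applies only to these
    routable_outside_esp: bool = False     # e.g. IP over a WAN or the Internet
    routable_in_control_center: bool = False
    dial_up_accessible: bool = False       # a modem that answers calls


def cca_reasons(asset):
    """Return the R3 criteria the asset trips; an empty list means not a CCA."""
    if not asset.essential_to_critical_asset:
        return []
    reasons = []
    if asset.routable_outside_esp:
        reasons.append("routable protocol outside the ESP")
    if asset.routable_in_control_center:
        reasons.append("routable protocol within a control center")
    if asset.dial_up_accessible:
        reasons.append("dial-up accessible")
    return reasons


def classify(assets):
    """Map asset name -> list of reasons it is a CCA (empty if exempt)."""
    return {a.name: cca_reasons(a) for a in assets}


def critical_cyber_assets(assets):
    """Sorted names of the assets that must be protected under CIP-003..009."""
    return sorted(name for name, reasons in classify(assets).items() if reasons)


def connectivity_change_impact(asset, **changes):
    """Before/after R3 status when connectivity attributes change,
    e.g. connectivity_change_impact(rtu, dial_up_accessible=True)."""
    return cca_reasons(asset), cca_reasons(replace(asset, **changes))


# Constructed inventory (assumed names and sites, not a real utility's data).
INVENTORY = [
    # Serial RTU on a leased analog circuit: exempt, as in the slide.
    CyberAsset("RTU-SUB1", "Substation 1 (Critical Asset)", True),
    # Same kind of RTU, but with a dial-in maintenance modem: CCA.
    CyberAsset("RTU-SUB2", "Substation 2 (Critical Asset)", True,
               dial_up_accessible=True),
    # IP-connected relay polled across the WAN: CCA.
    CyberAsset("RELAY-SUB3", "Substation 3 (Critical Asset)", True,
               routable_outside_esp=True),
    # EMS server talking IP inside the control center: CCA.
    CyberAsset("EMS-SERVER", "Control Center", True,
               routable_in_control_center=True),
    # IP meter at a site that is not a Critical Asset: outside R3 entirely.
    CyberAsset("METER-SUB4", "Substation 4 (not a Critical Asset)", False,
               routable_outside_esp=True),
]

if __name__ == "__main__":
    for name, reasons in classify(INVENTORY).items():
        status = "CCA" if reasons else "not a CCA"
        print(f"{name:12} {status:10} {'; '.join(reasons)}")
    before, after = connectivity_change_impact(INVENTORY[0], dial_up_accessible=True)
    print("RTU-SUB1 with a dial-in modem:", before, "->", after)
```

The last lines show the avoidance strategy's fragile point: the exempt serial RTU becomes a CCA the moment a dial-in modem is attached, so the inventory has to track connectivity attributes, not just device types.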
NERC CIP Standards
- CIP-002 Critical Cyber Asset Identification
- CIP-003 Security Management Controls
- CIP-004 Personnel and Training
- CIP-005 Electronic Security Perimeters
- CIP-006 Physical Security of Critical Cyber Assets
- CIP-007 Systems Security Management
- CIP-008 Incident Reporting and Response Planning
- CIP-009 Recovery Plans for Critical Cyber Assets
Secure Access Manager (diagram)
- Easy PC access to remote devices from anywhere
- Centralized security management: user profiles, authentication (RSA shown), session logging, reporting
- Secure networking via many WAN technologies, including dial-up: digital network (IP, TDM, FR, fiber) and PSTN
- Devices at substations or other critical sites
Easy-to-use Secure Access (CrossBow)
- Simple PC client
- Windows-like directory of authorized devices, easy to organize, e.g., by location or type
- Friendly icons and descriptions; click through to access
- Transparent to routed or dial-up network
- One-time authentication to central server; individual password with central control
- Auto-launch of the local application for the device
- Easy to learn, update and use
Broad Device and Application Support: desktop, transparent access to almost any device, from any target software application, e.g., Hyperterm, SEL-5010, WinECP, URPC, DisplayStation, Polycom.
Secure Access Manager Architecture (diagram): Secure Access Manager and RSA authentication at the control center, reached from the intranet and from engineering access, with the Internet behind a router/firewall; modems to the PSTN and a router/firewall to the digital network (IP, TDM, FR, fiber, microwave, MPLS); at the substations or other critical sites, a router/firewall, communications gateway and port switch in front of the devices.
Administrative Features
- Central CCA and user profile administration
- One-click NERC CIP reporting facility, including inventory and reporting of CIP assets and users
- Leverages existing corporate security procedures: tie to Active Directory and/or RSA SecurID
- Comprehensive logging facilitates forensic analysis and gateway password management
- Network software updates and patch management
Distributed Architecture (diagram)
Centralized (Secure Access Manager at the control center, behind a router/firewall, with RSA and engineering access):
- Profile administration
- Enterprise security integration
- Log consolidation
- Audits and reporting
- Device management
Distributed (on-site access station / Station Access Controller behind a router/firewall at substations or other critical sites, over a digital network: IP, MPLS, TDM, FR, fiber):
- User authentication/authorization
- Session communications path
- Session detail logging
Elements of Utility Cyber Security (diagram): enterprise access and the control center (6-wall physical security) sit on the intranet; partners and remote access come in from the Internet through firewalls; the network inside the Electronic Security Perimeter carries AVP (anti-virus protection), AMS (access management system), IDS (intrusion detection system) and CMS (compliance management system), and connects the critical substation; non-critical substation assets sit outside.
End-to-end Layers of Security (diagram): SSH / SSL from the client to the server, carried in an IPsec VPN tunnel across the IP network, behind a stateful firewall.
(Diagram: the same Secure Access Manager architecture with control center, engineering access, RSA, modems and router/firewall, now over a secure IP-based WAN (IP, MPLS, TDM, FR, Ethernet, fiber) and the PSTN, with a Station Access Controller (SAC), router/firewall and port switch at each substation or other critical site.)
Integrated WAN Access (diagram): control center applications (SCADA / EMS / DMS, metering, remote device administration, security: surveillance and access control, non-operational data collection) reach the remote site over a WAN built from DDS, T1/E1 and Ethernet access and IP, FR, TDM, fiber-Ethernet, MPLS-based IP and IP/PPP transport.
The Unified WAN
- Shared network
- High speed
- Secure
- Flexible
- Easy to add applications
(WAN technologies shown: fiber, TDM, FR, IP, MPLS-IP, dial.)
Ethernet-based Network Integration (diagram): management systems and HMI, remote operations centers, and video and access security connect through an Ethernet core and WAN access to the substation wide area network; within the substation, Ethernet-based devices and serial-based devices and consoles share the station bus.
Northeastern US Power Company (case study diagram): control center with engineering access, Secure Access Manager, RSA, modems and router/firewall; IPsec VPN over Verizon MPLS service with DDS/T1 access, plus PSTN dial-up, to the substations, where a router/firewall, SEL communications processor and dial-up port switch front the devices.
Northeastern US Power Company (case study diagram, second view): control center with ID-SEM, SCADA, engineering access, Secure Access Manager with back-up, RSA, modems and router/firewall; IPsec VPN over Verizon MPLS service with DDS/T1 access, plus PSTN dial-up, to the substations, where a router/firewall, communications processor and port switch front the devices.
Mid-Atlantic Power Company (case study diagram): control center with engineering access, Secure Access Manager, RSA, modems and router/firewall, connected through muxes to a private SONET fiber network, plus PSTN dial-up, to the substations, where a mux, router/firewall and dial-up port switch front the devices.
Mid-Atlantic Power Company (case study diagram, second view): the same control center with a video surveillance center, back-up Secure Access Manager and video server; over the private SONET fiber network and PSTN to the substations, where a mux, router/firewall, Ethernet switch with PoE, port switch and video surveillance cameras are deployed.
Defense in Depth (around the Critical Cyber Asset)
- Malware screening (e.g., anti-virus)
- Intrusion detection (pattern analysis)
- User access control (AAA and personal profiles)
- Personnel screening
- Port security (disabling physical and logical ports)
- Electronic perimeter security (firewall)
- Physical security perimeter
- Security process management
- Security configuration management
- Patch management
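The "port security (disabling physical and logical ports)" layer above is what CIP-007 R2 (Ports and Services) audits: only the ports needed for normal or emergency operation may be enabled, and the rest must be disabled. The following is an added example, not code from the presentation or from GarrettCom, of the check a practitioner would run on a Linux-based substation gateway: it parses `ss -tulnp` output and reports every listener that is not on the device's approved baseline. The sample output, the baseline and the process names are constructed for illustration.

```python
"""Added example (not from the presentation): a ports-and-services baseline
check in the spirit of the "port security" layer and CIP-007 R2.

Parses `ss -tulnp` style output (the sample below is constructed, not a
real capture) and lists every listening socket that is not on the approved
baseline, distinguishing network-exposed listeners from loopback-only ones.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format printed by `ss -tulnp` on Linux.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=901,fd=3))
tcp   LISTEN 0      64     0.0.0.0:502        0.0.0.0:*         users:(("modbusd",pid=1020,fd=5))
tcp   LISTEN 0      5      127.0.0.1:25       0.0.0.0:*         users:(("exim4",pid=700,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=950,fd=6))
tcp   LISTEN 0      128    [::]:80            [::]:*            users:(("lighttpd",pid=1100,fd=4))
"""

# Assumed approved baseline for a substation communications gateway:
# (protocol, port) -> the justification recorded for the auditor.
BASELINE = {
    ("tcp", 22): "sshd: engineering access (the SSH layer)",
    ("tcp", 502): "modbusd: SCADA master polling",
    ("udp", 161): "snmpd: network management",
}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
_PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name in users:((...))


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self):
        return self.addr.startswith(LOOPBACK_PREFIXES)


@dataclass(frozen=True)
class Deviation:
    listener: Listener
    exposure: str   # "network" or "loopback-only"


def parse_ss(text):
    """Turn `ss -tulnp` output into Listener records (header line skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)          # handles "[::]:80" too
        match = _PROC_RE.search(line)
        listeners.append(Listener(proto, addr, int(port),
                                  match.group(1) if match else "?"))
    return listeners


def audit(text, baseline):
    """Listeners not covered by the baseline, sorted by protocol and port."""
    deviations = []
    for lst in parse_ss(text):
        if (lst.proto, lst.port) in baseline:
            continue
        exposure = "loopback-only" if lst.loopback_only else "network"
        deviations.append(Deviation(lst, exposure))
    return sorted(deviations, key=lambda d: (d.listener.proto, d.listener.port))


if __name__ == "__main__":
    for dev in audit(SAMPLE_SS, BASELINE):
        lst = dev.listener
        print(f"{lst.proto}/{lst.port:<5} {lst.process:10} on {lst.addr:10} "
              f"not in baseline ({dev.exposure})")
```

On the constructed sample the check flags telnet (a clear-text service the SSH layer is meant to replace), a web server listening on all IPv6 addresses, and a mail daemon bound to loopback only; the last is lower priority but still has to be either justified in the baseline or disabled.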
Futures in CIP
- More pervasive cyber security
- More specifics on security technologies
- More onerous patch management
- More intrusion detection / intrusion prevention
- Protocol-specific firewall / IDS technologies
- No end
Opportunities in CIP
- More automation, not less: simplify remote access and productivity; add applications easily via modern infrastructure
- Modernized networks: higher performance, more reliability
- Improved system and network management: more proactive requirements, fewer reactive crises
The Cyber Security Compliance Opportunity: Become a Cyber Champion