Cyber Security

Engineering, Consulting, Research, Modeling, Simulation, Security
Doug Houseman
Doug@Enernex.com
The Practical Grid Visionaries™

Warnings

The costs given are based on prior projects
  They may not reflect your local market
Items in the lists are based on prior projects
  They may not reflect everything required
Staffing levels are based on prior projects
  They may not reflect actual needs
Experts differ on specifics of security practice
  You should consult several before accepting any solution
  Security experts tend to land on the side of "more is better"

Key Documents

IEEE Salary Survey, updated annually
  ieeeusa.org/careers/salary/
SANS 20
  sans.org/critical-security-controls/
NERC CIP
  nerc.com/pa/stand/pages/cipstandards.aspx
Organizational Models for Computer Security Incident Response Teams (CSIRTs)
  resources.sei.cmu.edu/asset_files/handbook/2003_002_001_14099.pdf
Common Sense Guide to Mitigating Insider Threats, 4th Edition
  resources.sei.cmu.edu/asset-view.cfm?assetid=34017
NISTIR 7628: Guidelines for Smart Grid Cyber Security, Revision 1 - released September 2014
Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), v1.1 - released February 2014
NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.0 - released February 2014

Things to Remember

Security is never DONE - the hackers continue to find new ways to get in
Security is both a capital exercise and an O&M exercise
A chain saw can do as much damage as a hacker, but with far more risks of getting caught
Insiders cause far more damage than outsiders
Most government programs share information, but only if you have the right clearance and a need to know
Most security staffs work day-shift; hackers know this is true
Hackers don't have budget cycles or approval processes for new gear - utilities do

Staffing

Security position 24/7 in the control center(s)
  Transmission, Distribution, Meter Operations all can have control centers
  Each position takes 5 full-time employees and a supervisor
There are a range of roles that need security people:
  1. Physical security
  2. Network security
  3. Communications
  4. Security trainer
  5. Incident response
  6. Information analysis
  7. Security architecture
  8. Device and system penetration
  9. Software testing and verification
  10. Device configuration management
  11. Access control and monitoring
  12. Vendor security management
  13. Firewall support
  14. Cryptography
  15. Intrusion detection
  16. Logistics and supply chain
  17. Security team administration
  18. Record keeping
  19. Standards development
  20. Personnel reliability program
  21. Device maintenance
  22. Investigation
  23. Literature monitoring
  24. Sweeping
  ...and the list keeps growing

Staffing Costs

Average cost of security management staff is around $165,000
Average senior staff salary is around $108,000
Average staff salary is around $80,000
Average benefits are around $60,000 (health, training, retirement, etc.)
Security clearance: $5-8,000 + wait time (3 to 15 months)
Wall Street hired Neil Greenfield for more than $1 million a year from AEP
Other key industry specialists have been hired for 3 to 5x the industry average salary
Turnover for security people is higher than in most utility jobs

Cyber Security Equipment Categories

Hardware
  1. Firewalls
  2. Intrusion detection devices
  3. Sniffers
  4. Sweepers
  5. Secure communications modules
  6. Secure radios/telephones/tablets
Software
  1. Packet inspection
  2. Element managers
  3. Manager of managers (MOM)
  4. Key management
  5. Virus protection
  6. Monitoring (several types)
  7. Risk and vulnerability analysis
  8. Security design (both physical and cyber)
  9. Automated testing systems

Cyber Security Equipment Categories

Hardware
  1. Firewalls - $50,000 to $250,000 each
  2. Intrusion detection devices - $12,000 to $250,000 each
  3. Sniffers - $1,500 to $4,500 (handheld, mobile)
  4. Sweepers - $250 to $5,000 (handheld, mobile)
  5. Secure communications modules - $200 to $10,000 each
  6. Secure radios/telephones/tablets - typically 2 to 4 times non-secure
     (NOTE: you can buy non-secure and add software; the labor to do so tends to make the decision a wash financially)

Cyber Security Equipment Categories

Software (software-only cost; hardware & installation is extra)
  1. Packet inspection - Free to $350,000 per connection
  2. Element managers - Free to $5 per node
  3. Manager of managers (MOM) - $20,000 to $250,000
  4. Key management - $1/mo/device to $1 million
  5. Virus protection - Free to $10/mo/device
  6. Monitoring (several types) - Free to $50,000 per monitoring system
  7. Risk and vulnerability analysis - $10,000 to $500,000
  8. Security design (both physical and cyber) - $20,000 per seat
  9. Automated testing systems - Free to $2,200,000

Other Security Related Issues

Secure Communications
  The FCC is allowing telecom companies to drop copper (POTS) lines and Frame Relay
  The FCC is refusing to provide new frequencies for use by utilities, and is forcing movement to alternate frequencies and narrow-banding of radio channels
  This means that utilities will have to find alternative ways of communicating
  Primarily this is resulting in decisions to deploy fiber optics at roughly $200K per mile
  So far telecom companies have been unwilling to sign up for the QoS and longevity required to make utilities comfortable
Physical Security
  NERC CIP-006, NERC CIP-014-1 and other mandates for physical security are also driving the need for more communication
  Cabinet and door lock monitors, biometrics, cameras, etc. all need monitoring and backhaul communications - this folds back on the secure communications above

Other Security Related Issues

Distributed Generation and Storage
  At some point the amount of DG and DS will become significant and a key to system reliability
  The vast majority of this equipment is in the hands of customers
  The new IEEE 1547 interconnect standards, the new IEC standards (Europe primarily) and the new California Rule 21 requirements all require communications
Distribution Automation/Substation Automation/AMI
  Programs designed to improve the operation of the grid, given the changing generation and usage environment
Workforce Automation
  Changes in workforce (e.g. higher turnover, younger workers, etc.) and safety regulations, as well as smaller staffs, and FCC rules