ENERGY
Cyber Security Health Test
Robin Massink, 20-05-2014
DNV GL 2013 2014 20-12-2013
SAFER, SMARTER, GREENER
Cyber security issues facing the utility industry
- "We are moving from IEC60870-5-101/DNP3 serial to IEC60870-5-104/DNP3 Ethernet. What do we need to do regarding cyber security when introducing Ethernet components in our SCADA system?"
- "We are rolling out a new smart meter network infrastructure and we worry about privacy and security of the system, where to start?"
- "We are rolling out a new IP based SCADA system (CDMA, MPLS based technologies), and we worry about the security of the system. What are the first things we need to secure?"
- "We wonder how secure our current system is. What should we do first to improve this?"
The situation
- Problem owner: Chief Security Officer. Traditional top-down, desk-based architectural risk assessment.
- Information and competence gap
- Solution implementers: Asset Management, Engineers
  - Time pressure to deliver; security is not a priority
  - No security requirements
  - It goes into the network for 15 years
Challenges
- The fence around the assets isn't enough anymore
- The smart grid is moving in, and interconnecting things along the way
- Vendors offer an answer, but is it enough?
- IT security companies are happy to help, but do they understand what we need?
- The translation from a security policy to a secure device implementation is not straightforward
- There are a lot of standards for guidance, but none of them is complete, and all have a different scope
Cyber security standards and guidelines: current landscape
[Figure] Source: SG-CG/SGIS
Cyber security standards and guidelines: current landscape
[Figure] Cyber Security Health Test service
Cyber security health testing service
- Smart grid and security standards
- Requirements test pack
- Common Criteria methodology
- Testing topics:
  1. Functional testing
  2. Negative and robustness testing
  3. Known vulnerability testing, leveraging global vulnerability database
- In-situ, smart grid equipment
- Findings and recommendations
Cyber security health testing service
- Top-down approach: security risk assessments and policies
- Device specific list of technical security requirements
- Validation of implemented security
- Detailed test cases and technical vulnerabilities
- Severity of findings
- Suggestions for improvements
- Bottom-up approach: security validation by testing
Global Innovation Project 2013
Cyber Security Health testing service
When an implementation is not validated
Research: standards coverage and analysis
Focus: requirements for cyber security health testing
Analysis included:
- 7 cyber security projects and investigations
- 12 national and international security standards
- 4 commercial cyber security testing services
- 4 common cyber security test methodologies
- 5 cyber security experts within DNV GL
Result of research: Requirement analysis

| Standard | Requirements | Testable requirements | Detailed | Testcases that can be defined |
|---|---|---|---|---|
| IEC 62351 | 105 | 100% | 100% | 100% |
| IEEE 1686 | 50 | 100% | 90% | 80% |
| IEC 62443-2-4 (WIB) | 102 | 49% | 35% | 30% |
| NERC-CIP | 85 | 38% | 25% | 20% |
| NIST IR 7628 | 147 | 35% | 20% | 10% |
| Total | 489 | 289 | 231 | 207 |
Approach, standards and methodology
- Unique requirements distilled from 489 requirements divided over 6 standards
- Divided over 15 topics
- 4 device categories with in total 26 device types, applicable to SCADA, DA and smart metering
- C.c. methodology for test case definition
Equipment and depth
Equipment:
- Vulnerability assessment tools
- Penetration test tools
- Scan tools
- Robustness tools
- File analysers
- Network access tools
- Protocol analysers
- Protocol specific tools
- Brute force crack tools
- Vendor specific tools (vendor configuration tools)
- Measurement tools (response monitor)
Depth:
- Include local and remote access
- Verify claimed features
- Verify relation between features (holistic)
- No source code assessment
- No chip etching or side channel analysis
Pilots & participants
We offered a free pilot to utility companies.
Participating countries:
- USA
- Norway
- Spain
- Netherlands
- Germany
Deliverable: test report, which includes:
- Implemented security features
- Assessment depth and findings
- Recommendations for mitigation
Provided equipment:
- Protection relay
- Telecom equipment
- RTU
- IED
- SCADA system
- IDS system
- Smart meter
- Data concentrator
Findings
- Companies do not know what is inside their network on a deep level
- Not many high-level requirements are facilitated by functionality in devices
- Multiple security functions could be circumvented
- Standard or bad passwords are still the biggest threat
- Claimed security functions are not used, or are broken
- Configurations do not display an understanding of device capabilities
- Devices are easy to break: ICMP and HTTP are capable of crashing a device
- Requirements are not considered by the vendor as applicable to them
- Or vendors claim compliance with standards that do not apply
- Utilities only consider functions they use (and are not aware of other functions)
- Interconnection is done without considering security
- Usage of standard components is very common
Result of the global innovation project
- 5 successful pilot projects and a lot of findings
- A commercial service for cyber security device testing
- A public list with 78 testable requirements to be used for procurement, implementation and validation
Next Steps
- Donate testable security requirements document and methodology to IEC62351?
- Donate early draft test procedures for IEC62351-5?
- Harmonisation with EU Smart grid cyber security certification (ENISA)
- ISO/IEC 17067 - product certification schemes
- Global innovation project for 2014: end-to-end cyber security testing service for energy companies with SCADA, DA and smart meter systems
Thank you
More info on our blog: dnvkemautilityfuture.com
http://www.dnvkemautilityfuture.com/dnv-gl-explains-the-importance-of-cyber-security-health-testing-of-scada-systems
For further info and the public requirements test pack, please ask or email me:
robin.massink@dnvgl.com
+31 026 356 2586
www.dnvgl.com