Remote operation and security experiences from a Power Utility. Information management supporting multiple users. Stavanger November 29th 2006



Transcription:

Remote operation and security experiences from a Power Utility
Information management supporting multiple users
Stavanger, November 29th 2006
Jens Kristian Engstrøm / Harald Hilde, Statkraft Energy AS
www.statkraft.no

Content: Technical aspects
- ProSam: from a hierarchical to a network-based solution
- Communication network
- Devices on the network
- Security measures
- Experience

05/12/2006 s. 2 Harald.Hilde@statkraft.com

Process Control: From / To

From:
- 5 separate and different systems
- different functionality
- Serial communication
- Proprietary protocols

To:
- ProSam
- ONE integrated system
- common functionality
- Network system
- IEC standardized protocols

[Diagram: Narvik, Korgen, Gaupne, Sauda, Dalen and the head office (Hovedkontor), plus new customer(s), connected over a WAN; each process is a device on a network]

Functionality regarding redundancy for protocols, supporting requirements from NVE, was needed: Norwegian User Convention for IEC 60870-5-104.

Today: included in the IS for IEC 60870-5-104.

Communication Network

Main principles used:
- Ring structure (redundancy)
- Regional rings, RWAN, connect CC and power stations
- National ring, NWAN, connects cluster to power stations and CC

Device on the network

[Diagram: (1+1) physical & logic servers with advanced functionality, Control Centre HMI and Control Centre Maintenance, connected through the Communication Network to a (1+1) physical Device on the Network and IED; process interface, real time, IEC 60870-5-104. Plant types shown: catchment areas, hydro power stations, wind power parks, gas (Kårstø), new projects]

Figures given on the slide, in the order extracted: Total (2007): 11.300 MW / 46.700 GWh (monitor and control); 120 stations; 2007; 4 parks / 250 MW / 700 GWh; 400 MW / 3500 GWh; 10.650 MW / 42 500 GWh (2006); (monitor); (monitor)

ICT - Zone Model

Utilization / Services used on the network

- Operational systems
- Test system
- New projects: Test & verification, Commissioning
- Maintenance, Remote: Change / Upgrade, Patches / Versions
- Maintenance, Remote: Fault Diagnosis, Logs / Tests
- Vendor access: Via Certificate IN

[Diagram: Communication Network and Device on the Network, with process interface (real time, IEC 60870-5-104) and maintenance services (vendor specific protocol) towards the IED. Plant types shown: catchment areas, hydro power stations, wind power parks, gas (Kårstø), new projects]

Security measures

- Security procedure (I-40/200)
- Logical measures
  - Zone model
- Physical measures
  - All process zone rooms subject to entry restrictions
- Organisational measures
  - ICT responsibility
  - Security patch management (Windows-based systems)
  - Virus control (Windows-based systems)
  - Release upgrade to satisfy ISO 17799 requirements
  - ITIL (IT Infrastructure Library)
    - Error management
    - Configuration management
    - Change management

Change process

Objectives:
- Change of culture
- Work discipline
  - Own personnel
  - Vendors
- Security in engineering / testing / commissioning
- Process zone specific equipment, including laptops for testing, logging of network traffic and analysis
- Improved physical security awareness

Challenges:
- Way of thinking
  - Across organisational boundaries
  - The whole value chain
- Security awareness / procedures & principles
- Avoid disruption of hot operation
- Handling of patches / new versions
- Import/export of engineering data
- Vendor's change management vs need to correct errors fast
- Use of personal laptops and memory sticks
- Process network and process equipment present in numerous locations

Experiences

Incidents and their consequences:

- Memory sticks
  - Incidents: Once (known) inserted into process device. A number of attempts stopped in time.
  - Consequences: Zone 4 (Process network). Luckily, none. None.
- Viruses/worms
  - Incidents: A few entries by e-mail or laptops.
  - Consequences: Zone 2 (Office network). Hampered Zone 2 operation. Did not penetrate to Zone 3 and 4.
- Hacking
  - Incidents: One test case. No known specific attack.
  - Consequences: Zone 2. Could not penetrate to Zone 3 and 4.
- Operational security
  - Incidents: Work in power station. Awareness.
  - Consequences: Integrity breach. Loss of communication for remote control. Telecom room used as store room.