Secure Integration of Industrial Control Systems
Matthew J. Ossi, P.E., C.E.M.
August 28, 2014
2014 Energy Systems Group, LLC

Agenda
- Definition: Industrial Control System (ICS)
- ICS Security
- Federal Market Drivers
- DoD Programs
- Challenges
- Energy Management with ICS Integration
- Creating Savings
- Sustaining Savings
- Options
- Discussion

Definition - Industrial Control Systems (ICS)
Computer-controlled electro-mechanical systems that ensure installation infrastructure services are delivered when and where required to accomplish a mission.
- Open/Close Valves
- Open/Close Switches
- Open/Close Doors
- SCADA (supervisory control and data acquisition), DDC (direct digital control), DCS (distributed control system), AMI (advanced metering infrastructure)

ICS Security
Network Interconnections: ICS are no longer isolated systems. They now interface with business IT systems for:
- Reporting
- Monitoring
- Billing
- Command and Control
- Remote Access
Every such interconnection is a path an attacker can use to reach the control system, which is what creates the vulnerability and increases the need to secure ICS.

Vision for Integrated ICS
[Figure: diagram of the integrated ICS vision; not reproduced in text]
Source: Smart Grid Program Update for 4th Military & Commercial Microgrids Summit, Ms. Donna Carson-Jelley, Utility & Energy Systems Director, Naval Facilities Engineering Command Headquarters Public Works, 18 June 2014

Executive Drivers for Secure Integration of ICS
Executive Direction:
- Energy Policy Act (EPAct) of 2005
- Energy Independence and Security Act (EISA) of 2007
- Executive Order (EO) 13423, Strengthening Federal Environmental, Energy, and Transportation Management
- Executive Order (EO) 13514, Federal Leadership in Environmental, Energy, and Economic Performance
- NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security
- National Defense Authorization Act (NDAA) 2010, Subtitle D, Energy Security

OSD Drivers for Secure Integration of ICS
- DoDI 4170.11, Installation Energy Management
- DoDI 8500.01, Cybersecurity, 14 Mar 2014 (reissued as an Instruction, replacing DoD Directive 8500.01E)
- DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 Mar 2014
- DoD Directive 3020.40, Defense Critical Infrastructure Program (DCIP)
- Unified Facilities Guide Specifications (UFGS)
- CNSSI 1253, Security Control Overlays for Industrial Control Systems
- OSD AT&L Memo, Real Property Related ICS Security, 19 Mar 2014

ICS Security General Considerations
- From Platform IT Interconnect (PITI) to Platform IT (PIT)
  - No outside network connections
  - No backdoors
- Data Transport
  - VLAN (logical separation)
  - Wired/Wireless (physical separation)
  - Network & physical security: encryption, access controls, authentication
- Secure Interconnection of Installation Servers
  - DDC/AMI data transport across the WAN (PSNet, NIPRNet, etc.)
- Data Integration
  - Centralized monitoring
  - Business IT system(s) interface
  - Energy modules for monitoring & control

Air Force Requirement Drivers for Secure Integration of ICS
U.S. Air Force Energy Strategic Plan:
- Reduce built infrastructure energy and water consumption
- Ensure installed facility electricity, gas, and steam smart meters are integrated with the appropriate computer network by 2016
- Decrease energy demand from process and cyber operations
AFGM 2.1 to AFI 33-210 (SAF/CIO A6) mandates risk management of Platform IT (ICS, medical, C2, weapons, etc.)
24AF Policy Memo, Remove AF Net Backdoors (24AF/CC), 27 Jan 12

Air Force ICS Initiatives
- Advanced Meter Reading System (AMRS) contract
  - Metering rollout to 80 bases
  - Enterprise tools to monitor and manage energy consumption
- CE VLAN
  - Platform IT (PIT)
  - Logical separation (VLAN)
- NexGen IT
  - Incorporates IBM TRIRIGA software to automate management of buildings, vehicles, runways, and other infrastructure
  - TRIRIGA energy assessment tools give users predefined, automated operational procedures and processes to monitor and reduce energy consumption
- AFCEC / 24AF MOA (June 2014)
  - Initiative to strengthen security of ICS supporting critical AF infrastructure

Air Force - Advanced Meter Reading Systems (AMRS) Architecture
[Figure: AMRS architecture diagram; not reproduced in text]

Air Force - CE ICS VRF/VLAN v1.0 Architecture
Goal:
- Move unaccredited ICS off the NIPR
- Protect ICS behind the base firewall
- Apply McAfee application whitelisting software
- Accredited topology in place before AMRS install
- Bring ICS at bases into the CE DAA accreditation boundary with a clear demarcation point

Design:
- Virtual Routing and Forwarding (VRF) gives the ICS its own separate routing table
- Blue (NIPR) traffic only sees Blue; Green (ICS) traffic only sees Green
- ICS traffic reaches the Blue network only via the base firewall, so every Green-to-Blue crossing is a policy decision at a single choke point
- Controlled separation of networks
- Whitelisting software runs on the CE enclave, controlled by an ICS ePO server

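The separation rule above (Blue only sees Blue, Green only sees Green, crossings only through the base firewall) together with the "no outside network connections, no backdoors" rule from the General Considerations slide is something you can verify against what the network actually carries, not just against the design drawing. The Python script below is an added example and is not part of the original slides or of any Air Force tool. It takes flow records of the kind a router or firewall exports and reports every flow that contradicts the design: a Green host talking to anything outside both enclaves, a Green/Blue flow whose next hop is not the base firewall (a dual-homed host or other backdoor), a Green-to-Blue flow to a service the design does not allow, and any Blue-initiated session into Green. The prefixes, firewall address, allowed service and all flow records are constructed for illustration; the `Flow` record layout is an assumption about your collector's export.

```python
"""Audit flow records against a Blue (NIPR) / Green (ICS) VRF separation design.

Added example (not from the original slides). Every address, VRF prefix,
the firewall interface and the flow records are constructed for
illustration; the Flow layout is an assumption about the flow exporter.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed VRF membership: Blue = NIPR enclave, Green = ICS enclave.
VRF_PREFIXES = {
    "blue": [ipaddress.ip_network("10.10.0.0/16")],
    "green": [ipaddress.ip_network("10.20.0.0/16")],
}
# Constructed: the base firewall interface, the only sanctioned Green/Blue crossing.
BASE_FIREWALL = ipaddress.ip_address("10.0.0.1")
# Constructed: the one Green -> Blue service the design permits
# (a historian on the CE enclave collecting DDC/AMI data over HTTPS).
ALLOWED_GREEN_TO_BLUE = {("10.10.5.10", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    next_hop: str  # next-hop router/firewall seen by the exporting device


def vrf_of(addr: str) -> str:
    """Classify an address as blue, green, or outside (neither enclave)."""
    ip = ipaddress.ip_address(addr)
    for name, nets in VRF_PREFIXES.items():
        if any(ip in n for n in nets):
            return name
    return "outside"  # Internet, vendor network, or an unknown prefix


def audit_flow(f: Flow) -> Optional[str]:
    """Return a finding for a flow that violates the separation design, else None."""
    s, d = vrf_of(f.src), vrf_of(f.dst)
    if s == d and s != "outside":
        return None  # Blue sees only Blue, Green sees only Green: as designed
    if "outside" in (s, d) and "green" in (s, d):
        return f"outside connection to ICS: {f.src} -> {f.dst}:{f.dport}"
    if {s, d} == {"blue", "green"}:
        if ipaddress.ip_address(f.next_hop) != BASE_FIREWALL:
            return (f"backdoor bypassing base firewall: "
                    f"{f.src} -> {f.dst}:{f.dport} via {f.next_hop}")
        if s == "green" and (f.dst, f.dport) not in ALLOWED_GREEN_TO_BLUE:
            return f"unapproved ICS -> NIPR service: {f.src} -> {f.dst}:{f.dport}"
        if s == "blue":
            return f"inbound NIPR -> ICS session (review): {f.src} -> {f.dst}:{f.dport}"
    return None  # Blue <-> outside is NIPR's business, not the ICS enclave's


def audit(flows: List[Flow]) -> List[str]:
    return [m for f in flows if (m := audit_flow(f)) is not None]


# Constructed sample flow records, as if exported from the base routers.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.1.1", 47808, "10.20.1.254"),  # BACnet inside Green: fine
    Flow("10.20.1.15", "10.10.5.10", 443, "10.0.0.1"),     # historian via firewall: fine
    Flow("10.20.1.15", "10.10.7.7", 445, "10.0.0.1"),      # SMB into NIPR: not allowed
    Flow("10.20.2.30", "10.10.7.7", 22, "10.20.2.1"),      # dual-homed host bypassing firewall
    Flow("10.20.3.9", "203.0.113.50", 443, "10.20.3.1"),   # vendor call-out to the Internet
    Flow("10.10.7.7", "10.20.1.15", 47808, "10.0.0.1"),    # NIPR host reaching into ICS
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against a day of flow exports this is a cheap way to find the "backdoors" the 24AF memo orders removed: any Green/Blue flow that did not transit the base firewall means a device is dual-homed or a static route exists that the VRF design does not know about. The inbound Blue-to-Green finding is deliberately a "review" item rather than a hard violation, because remote monitoring from the CE enclave may be legitimately permitted at the firewall; the point is that each such session must be traceable to an explicit rule.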
Navy Requirement Drivers for Secure Integration of ICS
NAVFAC HQ (SEEP 2012):
- Reduce energy consumption & expenditures
- Utilize alternative energy sources
- Utilize environmentally sustainable technologies
- Deliver secure, reliable, efficient energy ashore
N3 (DoD O-2000.12-H):
- Reduce threat & monitor assets
- Decrease response time & reduce manpower
OPNAVINST 4100.5E, Shore Energy Management
Navy/Marine Corps Smart Grid CDD (Capability Development Document)

Navy ICS Initiatives
- Advanced Metering Infrastructure (AMI) contract
  - Program's initial efforts began with the DoD metering plan executed in 2006 by NAVFAC
  - NBVC pilot project installed in 2009
  - Developed SOW and awarded a 5-year, $250M IDIQ (120 naval bases in 10 Navy regions worldwide)
- NDW Smart Shore Initiative
  - Foundational technologies (initial smart grid through AMI connectivity)
  - Integration with shore operations
  - Optimization of shore operations (future)
  - Resilient and sustainable shore operations (future)
  - Certification & Accreditation using the Risk Management Framework, by Fleet Cyber
- Navy Shore Geospatial Energy Module (NSGEM)
  - Adds greater visualization of energy usage
  - CNIC Energy Program, "Introduction to Navy Shore Geospatial Energy" YouTube video, https://www.youtube.com/watch?v=qapfik05nl4, published 16 January 2014

Navy Prototype Architecture
[Figure: Navy prototype architecture diagram; not reproduced in text]

Army Requirement Drivers for Secure Integration of ICS
Army Energy and Water Campaign Plan:
- Eliminate energy waste in existing facilities
- Increase energy efficiency in new construction and renovations
- Conserve water resources
- Improve energy security
Army Energy Security & Implementation Strategy (AESIS)
Installation Management Energy Portfolio - Army Energy Vision 2017
AR 25-2, Information Assurance
AR 420-1, Army Facilities Management, Chapter 22, Army Energy and Water Management Program (AEWMP)

Army ICS Initiatives
- Army Central Metering Program, which includes:
  - Meter facilities where practicable: facilities of 29K sq ft or greater, or with $35K or greater annual energy cost
  - Electric meters 100% complete by 30 September 2013
  - Meter natural gas, steam, and water
    - Working with ACSIM on development of FRAGO 2 Phase II meter criteria
    - Natural gas and water meters complete NLT 30 September 2018
    - Steam meters deferred until FY2015, when criteria for capturing usage are defined
- Utility Monitoring and Control System (UMCS)
  - Design, procure, and install services for electronic data acquisition and control systems: UMCS, SCADA, HVAC, BAS, etc.
  - Operations and maintenance, and technical oversight
  - Commissioning and retro-commissioning
  - Application of approved IA measures for connectivity solutions

Army Central Meter Program Architecture
[Figure: Army central meter program architecture diagram; not reproduced in text]

Challenges
- Limited Resources
  - Funding
  - Manpower
- Legacy Equipment
  - Disparate, proprietary HVAC controls in buildings
  - Building-level controllers lacking security attributes
- Network Limitations
  - AMI and HVAC control systems segregated
- PIT Restrictions
  - Physical or logical separation from AF-GIG/NIPRNet/PSNet
  - No remote monitoring or Internet connection
  - Robust security controls: firewalls, access, authentication, physical security

Integrating Disparate DDC Systems
- Reuse legacy field controllers where possible
- New building-level controllers (middleware)
  - Software drivers for communication with downstream legacy controllers and devices
  - Open platform architecture for communication with the front-end computer station
  - Robust security attributes:
    - Physical security
    - Encrypted network communication
    - Firewall & network access control at the building level

Enterprise Energy Management
- ICS Integration: HVAC controls, SCADA & AMI
- Near-real-time consumption data
- COTS energy management software
  - Detect anomalies
  - Develop performance metrics
  - Monitoring, alarms/notification
  - Actionable information
  - Reporting
- Create and sustain savings

Creating Savings through Energy Management
Basic Strategies:
- Temperature set points
- Unoccupied set back
- Reset schedules
- Equipment scheduling, optimized start/stop
- Retro- and re-commissioning
Complex Strategies:
- Tariff optimization (TOU, RTP, load curtailment, etc.)
- Load shedding
- Peak shaving
- On-site generation

Creating Savings through Energy Management
[Figure: RTP Rate Profile, 2008-2012; monthly Avg/Min/Max bars for Jan through Dec, y-axis 4.000 to 18.000 (units not labelled on slide); annotation "Summer Rate Spikes"; not reproduced in text]

Creating Savings (RTP Set Back Strategy)
Set point offsets by building group and RTP price level. Each cell gives cooling set point offset / humidity limit / heating set point offset (units for the offsets are not labelled on the slide); NC = no change.

Bldg Group | Level 0: < $0.092/kWh | Level 1: $0.092 - $0.12/kWh | Level 2: (price band not shown on slide) | Level 3: > $0.15/kWh
A          | NC                    | +2 / 70% / -5              | +5 / 70% / -8                          | +5 / 70% / -8
B          | NC                    | NC                         | +2 / 70% / -5                          | +5 / 70% / -8
C          | NC                    | NC                         | NC                                     | +2 / 70% / -5

Creating Savings through Energy Management
[Figure: Building 104 temperature trend, y-axis 72 to 78, plotted at four-hour ticks (13:00, 17:00, 21:00, 1:00, 5:00, 9:00) over roughly seven days; not reproduced in text]

Air Force Project Example
Funded Project: Secure Infrastructure Energy Conservation
- $7.2 million project cost
- $10+ million cost savings over 2½ years
- More than 1,600 meters
- 117 buildings on DDC
- New network (migrate off NIPRNet)
- DDC middleware
- New AMI hardware/software
- EMS software
- DDC & AMI data integration
- New override controls
- Set back/set up based on occupancy
- Rate tariff change (RTP)
- Load shedding

Navy Energy Return on Investment (eROI) Strategy
Maximize eROI:
- Financial Benefits
  - Cost Savings
  - Cost Avoidance
- Minimize Energy Consumption
  - Minimize Energy Consumption
  - Maximize Energy Efficiency, Carbon Neutrality, Emissions Reductions
- Provide Reliable Energy to Critical Infrastructure
  - Criticality of Infrastructure
  - Reliance on Energy
  - Frequency and Duration of Outages
  - Incremental Backup Power
- Achieve Regulatory Compliance and Stakeholder Expectations
  - Meet Legal and Mandatory Mandates
  - Enhance the Quality of Life and Quality of Service for the Navy
  - Enhance the Navy's Public Perception
- Develop Enabling Infrastructure
  - Improve Energy Production and Consumption Data
  - Develop Flexible Energy Infrastructure
  - Demonstrate and Enable New Energy Technology Adoption

Savings Sustainment
Why Do Savings Disappear?
- Controls overridden / disrepair
- Inadequate maintenance / data quality
- Mission changes
- Lack of focus
Still Need People:
- Automation only goes so far
- Staff reductions
- EMCS is only a tool
- Retro- and re-commissioning are a must!

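The "detect anomalies" function on the Enterprise Energy Management slide and the sustainment question above are the same problem seen from two sides: the near-real-time interval data coming off the AMI is also the evidence that a set-back has been overridden, a controller is in disrepair, or the meter data itself has gone bad. The Python below is an added example, not part of the original slides or of any COTS EMS product. It runs three checks over 15-minute kWh readings for one building: missing intervals (a dead meter or broken data path), a value that repeats for two hours (stale or frozen data), and unoccupied-hours load that stays well above the unoccupied baseline for at least an hour (the set-back is not happening). The occupancy schedule, thresholds and the readings themselves are constructed for illustration, with three problems planted so the output can be checked.

```python
"""Flag overridden set-backs and bad meter data in interval consumption data.

Added example (not from the original slides). The occupancy schedule,
thresholds and the 15-minute kWh readings are constructed for illustration.
"""
from datetime import datetime, timedelta
from statistics import median
from typing import List, Tuple

INTERVAL = timedelta(minutes=15)
OCCUPIED_HOURS = range(6, 18)   # constructed schedule: 06:00-17:59, Mon-Fri
UNOCC_FACTOR = 2.0              # alarm when unoccupied load > 2x the unoccupied median
MIN_RUN = 4                     # ...and it persists for 4 intervals (one hour)
STUCK_RUN = 8                   # identical value for 8 intervals (two hours) = stale data

Reading = Tuple[datetime, float]
Finding = Tuple[str, datetime, datetime]   # (what, first interval, last interval)


def occupied(ts: datetime) -> bool:
    """Constructed occupancy schedule; a real EMS would read this from the DDC front end."""
    return ts.weekday() < 5 and ts.hour in OCCUPIED_HOURS


def find_gaps(readings: List[Reading]) -> List[Finding]:
    """Missing intervals: a dead meter or a broken data path, not savings."""
    out = []
    for (t0, _), (t1, _) in zip(readings, readings[1:]):
        if t1 - t0 > INTERVAL:
            out.append(("missing intervals", t0 + INTERVAL, t1 - INTERVAL))
    return out


def find_stuck(readings: List[Reading]) -> List[Finding]:
    """The same value repeated for STUCK_RUN intervals: stale or frozen meter data."""
    out, i = [], 0
    while i < len(readings):
        j = i
        while j + 1 < len(readings) and readings[j + 1][1] == readings[i][1]:
            j += 1
        if j - i + 1 >= STUCK_RUN:
            out.append(("stuck meter value", readings[i][0], readings[j][0]))
        i = j + 1
    return out


def find_override(readings: List[Reading]) -> List[Finding]:
    """Sustained unoccupied load far above the unoccupied baseline: the set-back
    schedule is probably overridden or the controller is in disrepair."""
    unocc = [kwh for ts, kwh in readings if not occupied(ts)]
    if not unocc:
        return []
    limit = UNOCC_FACTOR * median(unocc)   # median is robust to the anomaly itself
    out: List[Finding] = []
    run: List[datetime] = []
    for ts, kwh in readings + [(None, 0.0)]:         # sentinel flushes the last run
        if ts is not None and not occupied(ts) and kwh > limit:
            run.append(ts)
            continue
        if len(run) >= MIN_RUN:
            out.append(("unoccupied load above set-back baseline", run[0], run[-1]))
        run = []
    return out


def analyze(readings: List[Reading]) -> List[Finding]:
    return sorted(find_gaps(readings) + find_stuck(readings) + find_override(readings),
                  key=lambda f: f[1])


def sample_readings() -> List[Reading]:
    """Constructed 15-minute kWh readings for one building, Mon 25 Aug to Wed 27 Aug 2014,
    with three planted problems: a stuck meter, an overridden night set-back, a data gap."""
    start = datetime(2014, 8, 25)
    out = []
    for i in range(3 * 96):
        ts = start + i * INTERVAL
        if 200 <= i <= 203:                 # Wed 02:00-02:45 never arrived (gap)
            continue
        base = 40.0 if occupied(ts) else 10.0
        if 172 <= i <= 191:                 # Tue 19:00-23:45: still running at daytime load
            base = 38.0
        kwh = base + 0.1 * (i % 7)          # small deterministic variation
        if 40 <= i <= 47:                   # Mon 10:00-11:45: meter reports the same value
            kwh = 40.3
        out.append((ts, kwh))
    return out


if __name__ == "__main__":
    for what, first, last in analyze(sample_readings()):
        print(f"{what}: {first:%a %H:%M} to {last:%a %H:%M}")
```

The baseline is the median of the building's own unoccupied readings rather than a fixed number, so the same code works across buildings of different size and is not pulled upward by the very override it is looking for. The two data-quality checks matter for security as much as for savings: a meter that stops reporting, or keeps reporting the same value, is indistinguishable from a tampered or disconnected device until someone looks, and the M&V behind an ESPC is only as good as the data feeding it.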
Financing Options
- Third-Party Financing
  - Energy Savings Performance Contract (ESPC)
  - Utility Energy Services Contract (UESC)
  - Combination
- Appropriated Funds

Benefits from a 3rd-Party Financing Approach
- Helps overcome current funding constraints
- Starts making improvements and delivering value now
- Can be implemented incrementally
- Can be part of an Energy Conservation Measure (ECM) bundle
- Sustainment of the system and its benefits can be achieved via M&V and O&M
- Directly supports Air Force goals: "ESPCs enable the Air Force to improve energy performance while addressing aging infrastructure concerns and reducing consumption." (ETL 13-13, Energy Savings Performance Contracts (ESPC))
- Can be a key part in establishing a compliant security infrastructure framework and roadmap

Things to Consider
- Build on investments you have already made to the greatest extent possible
- Choose systems and technologies that are as open (non-proprietary) as possible
- Develop a strategy that looks forward and can be implemented over time without having to backtrack
- The system must be maintained, and data/information must be utilized, to achieve and sustain the desired benefits
- Facilities and Communications/IT groups will need to develop a high level of collaboration and communication

Questions or Comments?
Please contact me to learn more about ESG insights regarding Secure Integration of Industrial Control Systems.
Matthew J. Ossi, P.E., C.E.M.
mossi@energysystemsgroup.com
904-610-7542

Reference Material
Air Force:
- HQ USAF/A7C Policy on Energy Savings Performance and Utility Energy Service Contracts (ESPC/UESC), available as Attachment 1
- AFPD 32-10, Installations and Facilities, http://www.e-publishing.af.mil/
Executive Orders (E.O.):
- E.O. 13423, Strengthening Federal Environmental, Energy, and Transportation Management, http://www.archives.gov/federal-register/executive-orders/2007.html
- E.O. 13514, Federal Leadership in Environmental, Energy, and Economic Performance, http://www.archives.gov/federal-register/executive-orders/2009-obama.html
Public Law:
- P.L. 109-58, Energy Policy Act of 2005, August 8, 2005, http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=PLAW
- P.L. 110-140, Energy Independence and Security Act of 2007, December 19, 2007, http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=PLAW

Reference Material (continued)
United States Code:
- 10 U.S.C. 2911, Performance Goals and Plans for Department of Defense
- 10 U.S.C. 2912, Availability and Use of Energy Cost Savings
- 10 U.S.C. 2913, Energy Savings Contracts and Activities
- 31 U.S.C. 1301, Purpose Act
- 42 U.S.C. 8287, National Energy Conservation Policy Act (NECPA)
- 42 U.S.C. 8253, Energy Policy Act of 1992
All U.S. Code titles are available at http://www.gpo.gov/fdsys/browse/collectionUScode.action?collectionCode=USCODE
ESPC Training:
- ESPC contract training and the DOE ESPC IDIQ contract are available at http://www1.eere.energy.gov/femp/financing/espcs_training.html