Information and IT Security for Power System Operation
Göran Ericsson and Kun Zhu
2011-05-25
Agenda
Introduction of Svenska Kraftnät - Swedish National Grid Company
R&D activities in Sweden
- Collaboration between SvK, KTH and FOI (Swedish Defence Research Agency)
- Viking project
Conclusion
Missions (in brief)
- Provide transmission of power on the national grid level in compliance with security, efficiency and environmental requirements
- To perform the system operator function for electricity and natural gas cost-efficiently
- To promote an open Swedish, Nordic and European market for electricity and natural gas
- To ensure a robust nationwide supply of electricity
Research Collaboration within Sweden
Vulnerability scanning
- Detection and false alarms
- Remediation
Reflections from a Cyber Defense Exercise
- How reliable is the Common Vulnerability Scoring System?
- Expert assessment of the probability of successful remote code execution attacks
- How good are experts and different prediction models?
Vulnerability Scanning
Purpose: to identify and evaluate possible vulnerabilities of the IT systems based on vulnerability scanning tools
Vulnerability Scanning Project: How does it work?
Steps: Network scanning, Vulnerability scanning, Vulnerability analysis

Scanner: "Hello, what services and operating systems are you guys running?"
Host: "I am 172.18.1.3, Windows XP SP2, unpatched, with file sharing and remote desktop enabled"

Scanner: "Hmm... XP SP2 without patches. There are 17 vulnerabilities that are applicable."

Scanner: "Do you have default passwords or any other silly configuration flaws?"
Host: "My password is password, it is handy as no one forgets it!"
Vulnerability Scanning Project
[Figure: two panels, "Unauthenticated scans" and "Authenticated scans". X-axis: % False Alarm (0 to 100). Y-axis: % Detection (0 to 100). Scanners plotted: Nessus, Qualys, NeXpose, SAINT, McAfee, AVDS, Patchlink scan.]
Vulnerability Scanning Project
[Figure: two panels, "Unauthenticated scans" and "Authenticated scans". X-axis: % Detection (0 to 100). Y-axis: % Remediation (0 to 100). Scanners plotted: Nessus, Qualys, NeXpose, SAINT, McAfee, AVDS, Patchlink scan. Annotation: 5884 pages report.]
Automated security scanning needs to be complemented through other efforts
Cyber Defense Exercise
Cyber Defense Exercise
Does the vulnerability level of a system affect the time needed to compromise the system?
Vulnerabilities can be measured through the Common Vulnerability Scoring System (CVSS)
- Scale from 0 to 10
15 system-level vulnerability metrics are tested to see if any metric displayed a relation to the time needed to compromise the systems
- Drawn from literature (9 metrics) and models used by the industry (6 metrics).
Cyber Defense Exercise
TTC: Time from start of attack (measured through the first alarm from the intrusion detection system Snort) until successful compromise of that host.
Snort: t1 = 1400.3 sec
t2 = 3000.2 sec
TTC = t2 - t1
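The TTC measurement described above, as an added example that is not part of the original slides: it takes the earliest Snort alert per destination host as t1 and a recorded compromise time as t2. The alert lines (Snort "fast" alert layout), the addresses other than 172.18.1.3, the rule IDs and the COMPROMISED record are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample data, not from the exercise: Snort "fast" alert lines.
ALERTS = """\
05/25-10:23:20.300000  [**] [1:1000001:1] Constructed scan alert [**] [Priority: 2] {TCP} 10.0.0.5:40112 -> 172.18.1.3:445
05/25-10:31:02.000000  [**] [1:1000002:1] Constructed exploit alert [**] [Priority: 1] {TCP} 10.0.0.5:40200 -> 172.18.1.3:445
05/25-10:40:00.000000  [**] [1:1000001:1] Constructed scan alert [**] [Priority: 2] {TCP} 10.0.0.5:40300 -> 172.18.1.4:3389
"""
# Hypothetical exercise record: host -> time the compromise was confirmed (t2).
COMPROMISED = {
    "172.18.1.3": "05/25-10:50:00.200000",
    "172.18.1.9": "05/25-11:00:00.000000",  # compromised, but no alert seen
}

ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s.*->\s(\d+(?:\.\d+){3})(?::\d+)?\s*$")

def parse_ts(ts, year=2011):
    # Snort fast alerts omit the year, so it has to be supplied.
    return datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")

def first_alarm_per_host(alert_text):
    """Return {destination host: time of earliest alert} (t1 per host)."""
    first = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip lines that are not fast-format alerts
        t, dst = parse_ts(m.group(1)), m.group(2)
        if dst not in first or t < first[dst]:
            first[dst] = t
    return first

def time_to_compromise(alert_text, compromised):
    """TTC = t2 - t1 in seconds per host; None when t1 or t2 is missing."""
    t1 = first_alarm_per_host(alert_text)
    ttc = {}
    for host in sorted(set(t1) | set(compromised)):
        if host in t1 and host in compromised:
            ttc[host] = (parse_ts(compromised[host]) - t1[host]).total_seconds()
        else:
            ttc[host] = None  # never compromised, or compromised without an alert
    return ttc

if __name__ == "__main__":
    for host, seconds in time_to_compromise(ALERTS, COMPROMISED).items():
        print(host, seconds)
```

Hosts that were attacked but never compromised, or compromised without any alert, get no TTC value rather than a misleading number, so they can be handled separately in any later statistics.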
Research in cyber security so far: Cyber Defense Exercise
Statistics for the best model

Research in cyber security so far: Cyber Defense Exercise
A more detailed security estimation model is needed!
H. Holm, M. Ekstedt and D. Andersson, "Empirical analysis of system-level vulnerability metrics through actual attacks", submitted to IEEE Trans. on Dependable and Secure Computing.
Viking Project
- VIKING stands for Vital Infrastructure, Networks, Information and Control Systems Management
- EU financed Framework 7 Collaborative STREP Project and is part of themes 4, ICT, and 10, Security.
- Between 2008-11-01 and 2011-10-31
- To investigate the vulnerability of SCADA systems and the cost of cyber attacks on society
A consortium of industrial and academic partners
- KTH, Stockholm
- ETH, Zurich
- University of Maryland
- E.ON
- ABB
- Astron Informatics
- MML
www.vikingproject.eu
VIKING
[Diagram: from security requirements to societal costs. Labels: Attack Inventory; Attack; System Architecture; Vulnerability Models; SCADA functionality manipulation: State Estimator, AGC; SCADA system; Virtual T&D network simulator; Power network; Virtual city/citizen simulator; Societal cost.]
Cyber-security from SvK perspective
It is of paramount importance to take security into consideration in the procurement phase of new systems for power grid operation and control
- Architecture: is the system composed of different zones with security concerns?
- Security mechanism
- Authorization: third party access
The same security concern should be shared with other critical infrastructures in society, such as water, gas and transportation.
Questions? goran.ericsson@svk.se zhu.kun@ics.kth.se