Information and IT Security for Power System Operation

Similar documents
Models for Cyber Security Analysis

Cyber Security Assessment of Enterprise-Wide Architectures

Cyber-Physical System Security of the Power Grid

The Cyber Security Modeling Language and Cyber Security research at department for Industrial Information and Control Systems

The VIKING Project: An Initiative on Resilient Control of Power Networks

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

Document ID. Cyber security for substation automation products and systems

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

A quantitative evaluation of vulnerability scanning

Introduction. Special thanks to the following individuals who were instrumental in the development of the toolkits:

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Cyber security. Protecting critical infrastructure in a changing world

Security Standard: Servers, Server-based Applications and Databases

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

IBM Security QRadar SIEM Version MR1. Vulnerability Assessment Configuration Guide

How To Use Qqsguard At The University Of Minneapolis

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Goals. Understanding security testing

Software Vulnerability Assessment

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Office of Inspector General

Best Practices for Vulnerability Management

ISSN : Asian Journal of Engineering and Technology Innovation 02 (05) 2014 (05-09) QR Code for Mobile users

Dr. György Kálmán

CDM Vulnerability Management (VUL) Capability

Guideline on Vulnerability and Patch Management

Steven Kaplan, CISSP, CISA Accuvant Sandra Bittner, CISSP Arizona Public Service Palo Verde Nuclear Generating Station

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

NETWORK PENETRATION TESTING

SAST, DAST and Vulnerability Assessments, = 4

ESCoRTS A European network for the Security of Control & Real Time Systems

Information Security for the future smart grid

Vulnerability Assessment and Penetration Testing

Symphony Plus Cyber security for the power and water industries

Cyber Essentials KAMI VANIEA 2

A Review on Zero Day Attack Safety Using Different Scenarios

Cybersecurity for Energy Delivery Systems 2010 Peer Review. Dale Peterson Digital Bond, Inc. Bandolier and Portaledge

A Tool for Automatic Enterprise Architecture Modeling

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Cybersecurity Plan. Introduction. Roles and Responsibilities. Laboratory Executive Commitee (ExCom)

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Cybersecurity: An Innovative Approach to Advanced Persistent Threats

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Continuous Monitoring

Cyber Security for SCADA/ICS Networks

Security Implications Associated with Mass Notification Systems

PUTTING NIST GUIDELINES FOR INFORMATION SECURITY CONTINUOUS MONITORING INTO PRACTICE

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

How to Get from Scans to a Vulnerability Management Program

Pragmatic Metrics for Building Security Dashboards

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

Vendor System Vulnerability Testing Test Plan

Cyber Security focus in ABB: a Key issue. 03 Luglio 2014, Roma 1 Conferenza Nazionale Cyber Security Marco Biancardi, ABB SpA, Power System Division

Beyond the Scan: The Value Proposition of Vulnerability Assessment. Damon J. Small, MSc.IA, CISSP Managing Consultant, IOActive August 6, 2015

AHS Flaw Remediation Standard

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Energy sector control centers across the nation, such as this one at Kansas City Power & Light, benefit from the system security assessments

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, CASE: Implementation of Cyber Security for Yara Glomfjord

Server Security Checklist (2009 Standard)

WHITEPAPER. Nessus Exploit Integration

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS

Hosts HARDENING WINDOWS NETWORKS TRAINING

Cyber Security and Privacy - Program 183

Installing and Configuring Nessus by Nitesh Dhanjani

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

How to build a security assessment program. Dan Boucaut

Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose

Protecting Critical Infrastructure

EVALUATION OF TOOLS FOR CYBER SECURITY

WHITE PAPER. An Introduction to Network- Vulnerability Testing

Managing Business Risk

SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios

Enterprise Cybersecurity: Building an Effective Defense

Architecting and Development of the SecureCyber: A SCADA Security platform Over Energy Smart Grid

Secure Web Applications. The front line defense

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Audit Tools That Won t Break the Bank

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Introduction to Cyber Security / Information Security

Lumension Endpoint Management and Security Suite Patch and Remediation 7.0 Service Pack 1 Migration Guide

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

How To Get The Nist Report And Other Products For Free

Vulnerability Analysis of Energy Delivery Control Systems

How To Use A Policy Auditor (Macafee) To Check For Security Issues

Penetration Testing Report Client: Business Solutions June 15 th 2015

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends

SANS Top 20 Critical Controls for Effective Cyber Defense

VULNERABILITY MANAGEMENT

The Importance of Vulnerability Assessment For Your Organisation

CONQUERING COMPLIANCE ISSUES WITH RHN SATELLITE AND TENABLE NESSUS SECURITY

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Understanding SCADA System Security Vulnerabilities

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Transcription:

Information and IT Security for Power System Operation Göran Ericsson and Kun Zhu 2011-05-25

Agenda Introduction of Svenska Kraftnät - Swedish National Grid Company R&D activities in Sweden - Collaboration between SvK, KTH and FOI(Swedish Denfence Research Agency) - Viking project Conclusion

3

Missions (in brief) Provide transmission of power on the national grid level in compliance with security, efficiency and environmental requirements To perform the system operator function for electricity and natural gas cost-efficiently To promote an open Swedish, Nordic and European market for electricity and natural gas To ensure a robust nationwide supply of electricity

Research Collaboration within Sweden Vulnerability scanning - Detection and false alarms - Remediation Reflections from a Cyber Defense Exercise - How reliable is the Common Vulnerability Scoring System? - Expert assessment of the probability of successful remote code execution attacks - How good are experts and different prediction models?

Vulnerability Scanning Purpose: to identify and evaluate possible vulnerabilities of the IT systems based vulnerability scanning tools

Vulnerability Scanning Project How does it work? Network scanning Hello, what services and operating systems are you guys running? Scanner Vulnerability scanning Vulnerability analysis I am 172.18.1.3, Windows XP SP2, unpatched, with file sharing and remote desktop enabled

Vulnerability Scanning Project How does it work? Network scanning Vulnerability scanning Hmm.. XP SP2 without patches There are 17 vulnerabilitites that are applicable. Scanner Vulnerability analysis

Vulnerability Scanning Project How does it work? Network scanning Do you have default passwords or any other silly configuration flaws? Scanner Vulnerability scanning Vulnerability analysis My password is password, it is handy as no one forgets it!

Vulnerability Scanning Project How does it work? Network scanning Vulnerability scanning Vulnerability analysis

% Detection % Detection Vulnerability Scanning Project Unauthenticated scans Authenticated scans 100 100 90 90 80 80 70 Nessus 70 Nessus 60 50 40 30 20 10 0 Qualys NeXpose SAINT McAfee AVDS Patchlink scan 60 50 40 30 20 10 0 Qualys NeXpose SAINT McAfee AVDS Patchlink scan 0 10 20 30 40 50 60 70 80 90 100 0 10 20 30 40 50 60 70 80 90 100 % False Alarm % False Alarm

% Remediation % Remediation Vulnerability Scanning Project 100 90 Unauthenticated scans 100 90 Authenticated scans 5884 pages report 80 80 70 Nessus 70 Nessus 60 50 40 30 20 10 0 Qualys NeXpose SAINT McAfee AVDS Patchlink scan 60 50 40 30 20 10 0 Qualys NeXpose SAINT McAfee AVDS Patchlink scan 0 10 20 30 40 50 60 70 80 90 100 0 10 20 30 40 50 60 70 80 90 100 % Detection % Detection Automated security scanning needs to be complemeted through other efforts

Cyber Denfense Exercise

Cyber Denfense Exercise Does the vulnerability level of a system affect the time needed to compromise the system? Vulnerabilities can be measured through the Common Vulnerability Scoring System (CVSS) - Scale from 0 10 15 system-level vulnerability metrics are tested to see if any metric displayed a relation to the time needed to compromise the systems - Drawn from literature (9 metrics) and models used by the industry (6 metrics).

Cyber Denfense Exercise TTC: Time from start of attack (measured through the first alarm from the intrusion detection system Snort) until successful compromise of that host. Snort t1 = 1400.3 sec t2 = 3000.2 sec TTC = t2 t1

Research in cyber security so far Cyber Defense Exercise Statistics for the best model

Research in cyber security so far Cyber Defense Exercise A more detailed security estimation model is needed!

H. Holm, M. Ekstedt and D. Andersson Empirical analysis of system-level vulnerability metrics through actual attacks submitted to IEEE Trans on Dependable and Secure Computing.

Viking Project VIKING stands for Vital Infrastructure, Networks, Information and Control Systems Management EU financed Framework 7 Collaborative STREP Project and is part of themes 4, ICT, and 10, Security. Between 2008-11-01 and 2011-10-31 To investigate the vulnerability of SCADA systems and the cost of cyber attacks on society A consortium of industrial and academic partners - KTH, Stockholm - ETH, Zurich - University of Maryland - E.ON - ABB - Astron Informatics - MML www.vikingproject.eu

Attack Inventory Attack VIKING From security requirements System Architecture Vulnerability Models SCADA functionality manipulation: State Estimator, AGC SCADA system to societal costs Virtual T&D network simulator Power network Virtual city/citizen simulator Societal cost

Cyber-security from SvK perspective It is of paramount importance to take security into consideration in the procurement phase of new system for power grid operation and control - Architecture: is the system are composed by different zones with security concerns? - Security mechanism - Authorization: third party access The same security concern should be shared with other critical infrastructures in society, such as water, gas and transportations.

Questions? goran.ericsson@svk.se zhu.kun@ics.kth.se

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information