cyber security for energy applications - epri

Cyber Security for Energy Applications - EPRI

David Terry ASERTTI Executive Director

June 17, 2013

Energy Applications and Cloud Computing Webinar Series

ASERTTI

• ASERTTI's mission is to increase the effectiveness of energy research efforts in contributing to economic growth, environmental quality, and energy security.

• ASERTTI promotes applied research and technology commercialization in energy efficiency and renewable energy through state, federal, and private collaboration on emerging technologies. ASERTTI works to:

– Foster cooperative relationships among its members

– Advocate for policies that support clean energy research, development, demonstration, and deployment (RDD&D)

www.asertti.org

ASERTTI Overview ASERTTI Members Upcoming Activities

ASERTTI Members

ASERTTI’s membership includes state energy agencies, university

energy centers, national laboratories, non-profit organizations,

utilities, and other public interest technology organizations.

www.asertti.org


Upcoming Activities

• ASERTTI Webinar Series: Energy Applications and Cloud Computing

– Data Driven Energy Management (ETC Group)

July 15, 2013

– Irrigation Efficiency: Integrated Data Reporting for Decision Support Solutions (NEEA)

August 19, 2013

– Smart Manufacturing: Cloud Data and Computation Services for Performance

Management Modeling (SMLC and EPRI)

September 16, 2013

• ASERTTI Fall Meeting: October 2-4, 2013 – Raleigh, NC

Integrating Smart Grid Technologies for Buildings, Industry, and Vehicles

www.asertti.org


Annabelle Lee

Senior Technical Executive

[email protected]

Cyber Security Update

June 17, 2013

6 © 2013 Electric Power Research Institute, Inc. All rights reserved.

EPRI is a company that…

…brings together great people…

…with new and exciting ideas…

…to help energize the world!

Introducing EPRI…

“Together…Shaping the Future of Electricity”


Our History…

• Founded in 1973

• Independent, nonprofit center for

public interest energy and

environmental research

• Collaborative resource for the

electricity sector

• Major offices in Palo Alto, CA;

Charlotte, NC; Knoxville, TN

– Laboratories in Knoxville,

Charlotte and Lenox, MA

Chauncey

Starr

EPRI

Founder


Our Members…

• 450+ participants in more than 40

countries

• EPRI members generate more

than 90% of the electricity in the

United States

• International funding of more than

18% of EPRI’s research,

development and demonstrations

• Programs funded by more than

1,000 energy organizations


Our Mission…

To conduct research on

key issues facing the

electricity sector…on behalf

of its members, energy

stakeholders, and society.


Current Environment


Interconnectedness of the Grid


Smart Grid = Electrical Grid + Intelligence

Combining

electrical and

communication

grids requires

interoperability

2-way flow of electricity and information


Current Grid Environment

• Legacy SCADA systems

• Limited cyber security controls

currently in place

– Specified for specific domains –

bulk power distribution, metering

• Vulnerabilities might allow an

attacker to…

– Penetrate a network,

– Gain access to control software, or

– Alter load conditions to destabilize the grid in unpredictable

ways

• Even unintentional errors could result in destabilization of the

grid


Threats to the Grid

• Deliberate attacks

– Disgruntled employees

– Industrial espionage

– Unfriendly states

– Organized crime

– Terrorists

• Inadvertent threats

– Equipment failures

– User/Administrator errors

• Natural phenomena

– Weather – hurricanes, earthquakes

– Solar activity


Cyber Security Impact on Electric Operations

Malicious Remote Operations

Sleeper Agent – Stuxnet Support Systems Disabled

Malicious Mass Disconnects


Cyber Survivability

Cyber attack on substation

communication Cyber attack corrupts EMS

Can the grid operate in a degraded mode during

isolation and recover from the cyber attack?


Cyber Resiliency of the Electric System

Cannot be the primary

strategy Prevention

Assume that breach will

happen Detect, Respond

and Recover

Can the grid operate

while recovering? Survivability

Opportunity To Improve All Three Aspects of Resiliency Through

Integrating New and Existing Technologies


Trends Impacting Security

• Open protocols

– Replacing vendor-specific proprietary

communication protocols

• Connections with enterprise networks to

obtain productivity improvements and

information sharing

• Reliance on external communications

– Increasing use of public telecommunication

systems, the Internet, and wireless for

control system communications

• Increased capability of field equipment

– “Smart” sensors and controls with enhanced

capability and functionality


• For IT systems, confidentiality and

integrity are the major objectives

• For control systems, availability and

integrity are the major objectives

• Limited bandwidth and processing capability

• Potential loss of life impact if there is a major

compromise

• IT system life cycle varies from 6 months to 2 years

• Control systems life cycle varies from 15 to 40 years

• Availability

– Delays usually accepted in IT systems

– Control systems typically run 24/7/365

IT and Control Systems – Differences…


EPRI Programs


EPRI Cyber Security Collaboration

Trade

Organizations

Vendors Policy/

Regulators

Research

Organizations

Standards

Bodies

EPRI in collaboration

with utilities

Representing Utilities Through Coordination and Collaboration


EPRI Cyber Security and Privacy Program

Industry

Coordination

and Technology

Transfer

Security for

Transmission

and

Distribution

Cross-Domain Cyber Security Tools,

Architectures, and Techniques


National Electric Sector Cybersecurity

Organization Resource (NESCOR)

Build an industry collaboration

– Public/private partnership funded by DOE

• Participating organizations – 120

• Participants – 180

– Utilities, vendors, academia, consultants, regulators

Approach

– Address critical industry needs

Multi-year effort

– Identify key research topics and develop

products


Team 1: Threat and Vulnerability

Assessment and Mitigation Group

Team 2: Cyber

Security

Requirements and

Standards

Assessment Group

NESCOR Program Structure

Team 3: Technology Testing and Validation

Team 4: Design

Principles Group


Government Activities


Electric Subsector Cybersecurity Capability Maturity

Model (ES-C2M2)

• A DOE Public-Private Partnership

• Document published May 2012


Assess Your Cyber Security Posture


Presidential Policies

• Announced in February 2013

1) Executive Order 13636: Improving Critical Infrastructure

Cybersecurity

2) Presidential Policy Directive – 21: Critical Infrastructure

Security and Resilience

• Replaces Homeland Security Presidential Directive-7


NIST and the Cybersecurity Framework

• Cybersecurity Framework

• Risk management practices

• Use of frameworks, standards, and

best practices

• Developing a Framework to Improve

Critical Infrastructure Cybersecurity

– Current risk management practices

– Use of frameworks, standards, and best practices

– Specific industry practices


Moving Forward…

• Cyber security supports both the reliability and

privacy of the Smart Grid

• Address interconnected systems – both IT and

control systems

– Cyber security needs to be addressed in all

systems, not just critical assets

– Augment existing reliability controls, as applicable

• Consider the lifecycle of IT/telecomm systems

versus control systems

– Patch management/update cycles

– Product life cycle

– Develop new models/paradigms for the two

communities

• Continuously assess the security status


Moving Forward… (2)

• Acknowledge there will be some security breaches

– Focus on response and recovery

• For example, isolate/quarantine infected devices

– Fail secure

• Address both safety and security

• Build security in!

– Confidentiality, integrity and availability –

implement best practices

• Apply IT/telecomm security lessons-learned from

the past 40 years

• Train and educate

– Address advanced persistent threats (APTs)

• Compliance DOES NOT equal security


Discussion

Annabelle Lee [email protected] 202.293.6345

mailto:[email protected]


Together…Shaping the Future of Electricity

cyber security for energy applications - epri

Documents