cyber security for substation automation


Page 1: Cyber security for substation automation

7/21/2019 Cyber security for substation automation

http://slidepdf.com/reader/full/cyber-security-for-substation-automation 1/27

© ABB Inc.

12/17/15 | Slide 1

Texas A&M University, 67th Annual Conference for Protective Relay Engineers

Replacing Fear with Knowledge - Cyber Security for Substation Automation, Protection and Control Systems

Steven A. Kunsman, April 1, 2014

Page 2: Cyber security for substation automation


Smart Grid Cyber Security Strategy and Requirements

NISTIR 7628, 2010

Page 3: Cyber security for substation automation


What is Cyber Security?

NERC CIP, or maybe not after all …

Page 4: Cyber security for substation automation


Cyber Security for Substation Automation: Why is Cyber Security an issue?

- Cyber security has become an issue by introducing Ethernet (TCP/IP) based communication protocols to industrial automation and control systems, e.g. IEC 60870-5-104, DNP 3.0 via TCP/IP or IEC 61850
- Connections to and from external networks (e.g. office intranet) to industrial automation and control systems have opened systems and can be misused for cyber attacks
- Cyber attacks on industrial automation and control systems are real and increasing, leading to large financial losses
- Utilities need to avoid penalties due to non-compliance with regulatory directives or industry best practices

Page 5: Cyber security for substation automation


How big is the risk?

Cyber incidents are real and cyber security for industrial control systems must be taken seriously, but it is a challenge that can be met

Stephen Cummings, director of the British government's Centre for the Protection of National Infrastructure

"Cyberterrorism is a myth"

Denial, Panic, Reality

Page 6: Cyber security for substation automation


Cyber Security for Substation Automation: Back to the basics

- Security is about awareness, policy and process
- Ignore compliance, at least at first
- Focus on risk mitigation and management
- Assess your maturity model and then improve
- There is no such thing as 100% security
- Actors and threats constantly changing
- Deploy Defense in Depth
- Deter, Detect and Delay the bad guys
- Security does not come for free

Page 7: Cyber security for substation automation


What is Cyber Security? Back to the basics

The goals of Cyber Security are:

- Availability: avoid denial of service
- Integrity: avoid unauthorized modification
- Confidentiality: avoid disclosure
- Authentication: avoid spoofing / forgery
- Authorization: avoid unauthorized access
- Auditability: avoid hiding of attacks
- Non-repudiation: avoid denial of responsibility

Cyber Security has:

- functional aspects (e.g. user authentication, firewall, antivirus)
- quality aspects (e.g. defense in depth, testing)

Page 8: Cyber security for substation automation


Cyber Security for Substation Automation: The most relevant efforts

- NISTIR 7628: Smart Grid Cyber Security Strategy and Requirements
- IEEE C37.240: Cyber Security Requirements for Substation Automation, Protection and Control Systems
- IEEE 1686: IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
- IEEE 1711: Trial Use Standard for Cyber Security of Serial SCADA Links and IED Remote Access
- IEC 62351: Data and Communications Security
- NERC CIP: Security regulation for North American power utilities
- ISO/IEC 27001: information security management processes
- ISA S99: Industrial Automation and Control System Security
- Critical Infrastructure Cyber Community (aka "C Cube") Voluntary Program: based on Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity, and released Presidential Policy Directive (PPD)-21: Critical Infrastructure Security and Resilience
  http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program

Page 9: Cyber security for substation automation


Cyber Security for Substation Automation: Standards and scope

[Figure: Representation of scope and completeness of selected standards. Label: IEEE C37.240. Source: DTS IEC 62351-10: Security architecture guidelines]

Page 10: Cyber security for substation automation


How do you ensure information & network security? Holistic and collaborative approach

Cyber security as an integral part of:

- the product lifecycle: from early design and development, through testing, to life time support service and future adaptations
- the project lifecycle: ensuring both the delivery of solutions with the appropriate security properties as well as secure execution of the project work itself
- the substation lifecycle: supporting efforts to operate and maintain solutions security properties throughout entire operations period

Vendor-Utility strong collaborations:

- Working closely with customers: "Replacing Fear with Knowledge"
- Partnering with government organizations, industry partners or academia
- Actively driving standards, e.g. IEEE 1686 & IEEE C37.240
- Understanding responsibility between Vendor and Utility

Page 11: Cyber security for substation automation


Cyber security initiatives: Security organization & institutionalization

Security Need:

- High level of security for products & solutions
- Fast response and reliable partner in case of a cyber security incident

Vendor responsibility:

- Cross-functional cyber security organization
- Institutionalize security culture
- Active participation in security standards
- Established security processes
- Security assessment in R&D
- Security baked into the technology
- Robustness and validation testing
- Patch management process

[Figure labels: Demand, Technology, Processes, Verification, Life cycle support, Standards]

Page 12: Cyber security for substation automation


Product Lifecycle: Design & Implementation. Threat modeling

Design and development requires:

- Understanding threats
- Assessing risk
- Mitigation

Threat modeling methodology:

- applicable to product-type systems
- applicable independent of deployment
- allows third parties to validate assumptions and compare results

Page 13: Cyber security for substation automation


Product and System Hardening: Device Security Assurance Center (DSAC)

Security Need:

- Robust and reliable products and solutions

Vendor Responsibility:

- Security testing center guarantees a common and best practice robustness testing
- Continuous regression tests on products and systems, ensuring a high level of robustness against cyber security attacks

Page 14: Cyber security for substation automation


Protect: Is my system protected against an attack?

Security Needs:

- Ensure reliable system operation (availability and performance)

Utility Responsibility:

- Malware Protection: Prevent, detect and remove malware, e.g. viruses, worm …
- Perimeter Protection: Restrict access by blocking / filtering inbound and outbound connections
- Secure Communication: Encryption to prevent unauthorized users from reading and manipulating data

Page 15: Cyber security for substation automation


Protect: Defense in Depth. Cyber security and robustness threats

[Figure: Defense in depth. Labels: Physical Security Perimeter; Electronic Security Perimeter; Network disturbance, malware, cyber attacks; Electronic perimeter protection; Unauthorized Person; Security measures; Physical perimeter protection; Infected mobile data storage; Infected Notebook; Data storm by a Faulty Device; Unauthorized Person]

Page 16: Cyber security for substation automation


Monitor: Do I know what happens on my system?

Security Need:

- Alert about critical security alarms in real time to enable fast corrective actions

Utility Responsibility:

- Logging & Alarming: All security related events are recorded, severe events are alarmed to the remote center
- Reporting & Auditing: Produce necessary data, reports and documentation for an audit

Page 17: Cyber security for substation automation


Monitor: Security events logging / Audit trail

Security Need:

- Alert about critical security alarms in real-time to enable fast corrective actions

Vendor Responsibility:

- Event logs are securely retained
- Security event logs displayable via device tools
- Ability to disseminate security events to external security log clients using syslog

Page 18: Cyber security for substation automation


Manage: Can I sustain the security of my system?

Security Need:

- Keep the security of the system up to date

Utility Responsibility:

- Patch Management: Reduce risk of vulnerability for Windows based system components
- Backup & Restoration: Ensures complete data security and enables fast restoration in case of data loss / manipulation
- Accounts & Authentication: Restrict access to intended users only, protected by high password complexity

Page 19: Cyber security for substation automation


Manage: Vulnerability handling & Incident response

Minimize risk

Vendor Responsibility:

- Cultural change: Accept that vulnerabilities exist (having a vulnerability is acceptable, improperly handling them is not)
- Formal processes and policies
- Proper communication at the right time
- Must establish a formal process and vulnerability resolution with urgency

[Figure labels: Communication; Information Collection; Triage; Investigation; Resolution; Release]

Page 20: Cyber security for substation automation


Cyber Security for Substation Automation: Summary

Monitoring security and health activities in real-time:

- Logging, Alarming
- Reporting, Auditing

Managing critical activities such as configurations changes and patches:

- Patch Management
- Backup, Restoration
- Accounts, Authentication

Protecting against threats to substation automation systems:

- Perimeter Protection
- Malware Protection
- Secure Communication
- Product and System Hardening

Page 21: Cyber security for substation automation


The Challenges: Organizational


- Risk Management
- Awareness
- Competence Management
- Disruptive Changes

Page 22: Cyber security for substation automation


Enterprise IT vs. Control Systems: A different set of challenges

Aspect | Enterprise IT | Control Systems
Primary object under protection | Information | Physical process
Primary risk impact | Information disclosure, financial | Safety, health, environment, financial
Main security objective | Confidentiality | Availability
Security focus | Central Servers (fast CPU, lots of memory, …) | Distributed System (possibly limited resources)
Availability requirements | 95 - 99% (accept. downtime/year: 18.25 - 3.65 days) | 99.9 - 99.999% (accept. downtime/year: 8.76 hrs - 5.26 minutes)
Problem response | Reboot, patching/upgrade, isolation | Fault tolerance, online repair

Page 23: Cyber security for substation automation


Early CIP Committee position on Ethernet

NERC CIP Committee Questions to Vendor Panel (Dec 2007):

"IEC 61850 (Ethernet based) is wide open communication that does not comply with CIP standards. There are manufacturers planning to connect substation equipment together using control IEDs connected with 61850. How will the 61850 substation of the future maintain compliance?"

"[We] have determined the best approach for our substation control IED's is to use [non-routable] serial communication. This removes the need for IP in the substation connected to control IEDs, thus keeping the six walls of protection in the control and communication centers. [We] will only purchase control IEDs that maintain the secure communication to maintain compliance. What are the manufacturers hearing from other customers with regards to serial or IP communication? Will all of the functions provided via IP communication be available using serial communications? Will serial interfaces continue to be provided for the foreseeable future?"

"R" in NERC stands for Reliability. Preventing real-time outflow of substation information will only be detrimental to the overall Grid Performance and Reliability.

We have come a long way since 2007. Airgap is not the solution.

Page 24: Cyber security for substation automation


Cyber Security: A definition in the context of power and automation technology

"Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack"*

translates into

"Measures taken to protect the reliability, integrity and availability of power and automation technologies against unauthorized access or attack"

* Merriam-Webster's dictionary

Page 25: Cyber security for substation automation


Wrap up

- Security is not just a matter of technology; it is primarily about people, relationships, organizations and processes working in tandem to prevent or recover from an attack
- Effective security solutions require a joint effort by vendors, integrators, operating system providers and utilities
- There is no single solution that is effective for all organizations and applications
- Security is a continuous process, not a product or a one-time investment
- Security must be addressed with multiple barriers and requires protection, deferral and detection mechanisms
- Security is about risk management; perfect security is non-existent nor economically feasible

Page 26: Cyber security for substation automation


Questions?

Jonathan Pollet, founder of Red Tiger Security, stated: "What I advise more than anything is that we must stop surviving on the Jon Bon Jovi version of security … Living on a prayer"
