DNV GL © 2014 10-03-2014 SAFER, SMARTER, GREENER DNV GL © 2014

28-03-2014

ENERGY

Cyber Security for the energy industry

1

DNV GL © 2014 10-03-2014 10-03-2014 2

DNV GL © 2014 10-03-2014 10-03-2014 3

DNV GL © 2014 10-03-2014

Challenges

Utilities are thinking they are ok!

The fence around the assets isn’t enough anymore

The smart grid is moving in, and interconnecting things along the way

Vendors offer an answer but is it enough?

IT security companies are happy to help, but do they understand what we need?

The translation form a security policy to a secure device implementation is not

straightforward

There are a lot of standards for guidance, but none of them complete, and all with

a different scope

4

DNV GL © 2014 10-03-2014

Cyber security questions currently facing the utility industry

We are moving from IEC60870-5-101/ DNP3 serial to IEC60870-5-104/DNP3

Ethernet. What do we need to do regarding cyber security when introducing

Ethernet components in our SCADA system?

We are rolling out a new smart meter network infrastructures and we worry about

privacy and security of the system, where to start?

We are rolling out a new IP based SCADA system(CDMA, MPLS based

technologies), and we worry about the security of the system. What are the first

things we need to secure?

We wonder how secure our current system is. What should we do first to improve

this?

5

DNV GL © 2014

Risk Assessment

• Security awareness • Implementation • Requirements • Procedures • Processes

Residual risks

Our approach to a cyber secure End to End infrastructure

6

Component Health Testing

E2E Test Verification E2E secure?

Programs / projects

Weighted risks

Roadmap

Test reports • Verification results

Evaluate

System Standards Legislation

DNV GL © 2014

Security challenges

7

Chief Security Officer

Information and Competence GAP

Asset Management

Engineers

Problem owner

Solution Implementers

The issue:

DNV GL © 2014

Recently done and running projects

Cyber risk and threat analysis on SCADA system for a Gas company

Requirements for cyber security certification of smart grid components for ENISA

Security management for a company in middle east

Risk analysis for SCADA DMS project in middle east

Risk analysis on 104 communication infrastructure, and procurement cyber

security requirements for substations at a European TSO

ENCS Topsectoren: cyber security testing workstream with TNO, Alliander, KPN,

Security matters

GIP2013 cyber security health check

– Cyber security component and system tests: Tennet, Statkraft, Westland, GNF,

Alliander

GIP2014 cyber security end to end test service launch

8

DNV GL © 2014 10-03-2014

When a design is not validated…

9

DNV GL © 2014 10-03-2014

The Cyber security health testing service

10

Requirements

test pack

Smart grid

and security

standards

In-situ,

smart grid

equipment

1. Functional Testing

2. Negative and

Robustness testing

3. Known vulnerability

testing, leveraging

global vulnerability

database

Findings and

recommendations

Common

criteria

methodology

Testing topics

DNV GL © 2014 10-03-2014

Pilots & participants

We performed 6 pilots at TSO’s, DNO’s and

power generation companies

Participating countries:

USA

Norway

Spain

Netherlands

Germany

Deliverable: Test report includes

Implemented security features

Assessment depth and findings

Recommendations for mitigation

11

Provided equipment:

SCADA system

Protection relay

Telecom equipment

RTU, IED

Smart meter

Data concentrator

DNV GL © 2014 10-03-2014

Findings

Security officers do not know what is inside their network on a deep level

Not much high level requirements are facilitated by functionality in devices

Multiple security functions could be circumvented

Standard or bad passwords is still the biggest threat

Claimed security functions are not used, or broken

Configurations do not display an understanding of device capabilities

Devices are easy to break: ICMP, HTTP are capable of crashing a device

Requirements are not considered by the vendor as applicable for them

Or vendors claim compliance to standards that not apply

Utilities only consider functions they use (are not aware of other functions)

Interconnection is done without considering security

Usage of standard components is very common

12

DNV GL © 2014 10-03-2014

SAFER, SMARTER, GREENER

www.dnvgl.com

Thank you More info on our blog: dnvkemautilityfuture.com

13

For further info and the public requirements test pack, please ask or email me: robin.massink@dnvgl.com

+31 026 356 2586

http://www.dnvkemautilityfuture.com/dnv-gl-explains-the-importance-of-cyber-security-health-testing-of-scada-systems