
Page 1:

National Institute of Building Sciences Provider Number: G168

Facility Energy Security: Cybersecuring the Energy Lifecycle Course Number

Michael Chipley, PhD, GICSP, PMP, LEED AP, President, [email protected], 12-28-2016

Page 2:

Credit(s) earned on completion of this course will be reported to AIA CES for AIA members. Certificates of Completion for both AIA members and non-AIA members are available upon request. This course is registered with AIA CES for continuing professional education. As such, it does not include content that may be deemed or construed to be an approval or endorsement by the AIA of any material of construction or any method or manner of handling, using, distributing, or dealing in any material or product.

Questions related to specific materials, methods, and services will be addressed at the conclusion of this presentation.

Page 3:

Course Description

The Internet of Things (IoT), cloud and mobile computing, and the convergence of information technology (IT) and operational technology (OT) are evolving so rapidly that conventional IT cybersecurity practices can no longer ensure that these converged systems are properly secured. Energy security is fundamental to every aspect of modern life; loss of power, degraded power quality, physical damage, loss of life and injury, and major economic damage can now be caused by a remote actor with malicious intent. The session examines cybersecuring the energy lifecycle, from the national utility grid to the regional and campus microgrid and down to building and vehicle nanogrids, as the nation moves rapidly toward Net-Zero Energy (NZE) facilities. Cybersecuring these highly connected, internet-exposed systems will require new design, operations and machine-to-machine interactions that can identify, contain, eradicate and recover from malware and exploits. The session illustrates legacy weaknesses and attack campaigns such as the Aurora vulnerability, Operation Cleaver, Operation Dust Storm, HAVEX and BlackEnergy, and then examines new and emerging technologies, such as passive optical networks (PONs), the Host Identity Protocol (HIP), end-point device encryption and real-time threat analysis tools, that can be used in a systems engineering approach to cybersecuring the facility energy supply chain and lifecycle.

Page 4:

Learning Objectives

At the end of this course, participants will be able to:

1. Understand Operational Technologies Versus Information Technologies

2. Understand the evolving Smart Grid and Net Zero Energy

3. Understand energy control systems cybersecurity vulnerabilities and exploits

4. Understand the cybersecurity mitigations for energy control systems

Page 5:

Smart Grid, City, Building, Car, Appliances…

http://blogs.salleurl.edu/networking-and-internet-technologies/files/2010/04/smartgrid-graphic1.jpg

Page 6:

In the beginning: DoD 2010

A great idea rudely interrupted by reality: the CIO's denial of an Authority to Operate (ATO) for Advanced Metering Infrastructure (AMI), and Stuxnet.

Page 7:

OT IP Controllers are in Everything

Page 8:

IT Versus OT

Purpose
  IT: Process transactions, provide information
  OT: Control or monitor physical processes and equipment

Architecture
  IT: Enterprise-wide infrastructure and applications (generic)
  OT: Event-driven, real-time, embedded hardware and software (custom)

Interfaces
  IT: GUI, web browser, terminal and keyboard
  OT: Electromechanical, sensors, actuators, coded displays, hand-held devices

Ownership
  IT: CIO, IT
  OT: Engineers, technicians, operators and managers

Connectivity
  IT: Corporate network, IP-based
  OT: Control networks, hard-wired twisted pair and IP-based

Role
  IT: Supports people
  OT: Controls machines

Page 9:

UFCs and ETLs provide the detailed "how to" guidance for the A&Es, contractors, vendors and builders.

Shodan locates internet-facing control systems (CS).

Many CS are directly connected to the internet with no protection, reachable over clear-text HTTP.

Page 10:

CS Monitoring and Network Attack Points

Host Based Security System scanning (active): Windows and Linux hosts; HTTP, TCP, UDP

Intrusion Detection Systems (passive): PLCs, RTUs, sensors; Modbus, LonTalk, BACnet, DNP3

Client Side Attacks

Server Side Attacks

Network Attacks

Hardware Attacks
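The passive IDS line above lists Modbus among the protocols a sensor on the control network sees. The following is an added example, not code from the course, the UFC or any product, of what such a sensor does with a Modbus/TCP frame: parse the MBAP header and PDU, then alert on write function codes from hosts outside an allowed-writer list and on device-identification reads that a steady-state HMI poll loop never sends. The allowed-writer list, the reconnaissance policy and the captured frames are constructed for illustration.

```python
"""Passive Modbus/TCP inspection for a control-system IDS sensor.

Added example for this page; it is not code from the course, the UFC or any
product. The allowed-writer list, the alert policy and the captured frames are
constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Function codes that change process state (coils/registers). A write from a
# host that is not an authorised HMI/engineering station is the alert condition.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Function codes a steady-state HMI poll loop does not use; treated here as
# reconnaissance indicators (policy assumption for this example).
RECON_FUNCTIONS = {8: "Diagnostics", 17: "Report Server ID", 43: "Read Device Identification"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU of one Modbus/TCP request.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    the length field counts the unit id plus the PDU, so it must equal len(payload) - 6.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match the frame")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def inspect_frames(frames: List[Tuple[str, str, bytes]], allowed_writers: set) -> List[str]:
    """Return one alert string per suspicious request; normal polling yields none."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}->{dst} unit {req.unit_id}: unauthorised "
                          f"{WRITE_FUNCTIONS[req.function]} (fc {req.function})")
        if req.function in RECON_FUNCTIONS:
            alerts.append(f"{src}->{dst} unit {req.unit_id}: recon "
                          f"{RECON_FUNCTIONS[req.function]} (fc {req.function})")
    return alerts


# Constructed capture: (source IP, destination IP, TCP payload).
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from the PLC (fc 3): normal.
    ("10.1.1.10", "10.1.2.20", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Unknown workstation writes register 16 (fc 6): alert.
    ("10.1.1.50", "10.1.2.20", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),
    # Read Device Identification (fc 43, MEI type 14): recon alert.
    ("10.1.1.99", "10.1.2.20", bytes.fromhex("0003 0000 0005 01 2b 0e 01 00")),
    # HMI writes one register (fc 16) from the allowed address: normal.
    ("10.1.1.10", "10.1.2.20", bytes.fromhex("0004 0000 0009 01 10 0000 0001 02 0001")),
]
ALLOWED_WRITERS = {"10.1.1.10"}


def run_example() -> List[str]:
    return inspect_frames(SAMPLE_FRAMES, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Because the check is on function codes rather than on signatures, it works for any vendor's Modbus device; the weak point is the allowed-writer list, which has to be kept in step with the network baseline or every legitimate engineering change will raise an alert.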

Page 11:

DHS ICS-CERT HAVEX Alert 2014 (Energy Systems)

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A

Page 12:

HAVEX F-Secure Analysis (OPC Service Targeted)

http://www.f-secure.com/weblog/archives/00002718.html

It turns out that OPC stands for OLE for Process Control, and it's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze.

Page 13:

NIST SP 800-82R2 Guide to Industrial Control Systems (ICS) Security

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

This document provides guidance for establishing secure industrial control systems (ICS). These ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC), are often found in the industrial control sectors. This document provides an overview of these ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

800-82 Rev 2 was released May 14, 2015 and maps its recommendations to the NIST SP 800-53 Rev 4 families of security controls.

Page 14:

UFC Cybersecurity of Facility-Related CS Released Sep 2016

http://www.wbdg.org/ffc/dod/unified-facilities-criteria-ufc/ufc-4-010-06

Any organization can use the UFC for their CS

Page 15:

UFC Cybersecurity of Facility-Related CS – Notional Energy Reference Architecture

Page 16:

ACI TTP for DoD ICS

http://www.wbdg.org/files/pdfs/jbasics_aci_ttp_2016.pdf

The scope of the ACI TTP includes all DoD ICS. DoD ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations, such as skid-mounted programmable logic controllers (PLC), are typical configurations found throughout the DoD. ICS are often used in the DoD to manage sectors of critical infrastructure such as electricity, water, wastewater, oil and natural gas, and transportation.

Any organization can use the TTPs for any IT and/or OT.

Page 17:

ACI TTP for DoD ICS

3. How to Use These TTP

This ACI TTP is divided into essentially four sections:

• ACI TTP Concepts (chapters 2 through 4)

• Threat-Response Procedures (Detection, Mitigation, Recovery) (enclosures A, B, and C)

• Routine Monitoring of the Network and Baselining the Network (enclosures D and E)

• Reference Materials (enclosures F through I and appendix A through D)

Page 18:

ACI TTP for DoD ICS - Detection

Server/Workstation Anomalies

A.2. Event Diagnostic Procedures

A.2.2 Server/Workstation: Log File Check: Unusual Account Usage/Activity

A.2.3 Server/Workstation: Irregular Process Found

A.2.4 Server/Workstation: Suspicious Software/Configurations

A.2.5 Server/Workstation: Irregular Audit Log Entry (Or Missing Audit Log)

A.2.6 Server/Workstation: Unusual System Behavior

A.2.7 Server/Workstation: Asset Is Scanning Other Network Assets

A.2.8 Server/Workstation: Unexpected Behavior: HMI, OPC, and Control Server
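Of the procedures listed, A.2.7 ("asset is scanning other network assets") is the one most easily turned into an automated check. The following is an added example, not code from the ACI TTP or any product, of that check run over flow records from a control-network switch or firewall: a source that touches ten or more distinct destination/port pairs inside a sixty-second window is flagged, while an HMI that polls the same PLC every second is not. The record format, the thresholds and the sample flows are constructed.

```python
"""Event diagnostic A.2.7, 'asset is scanning other network assets', as a check
over flow records. Added example for this page; it is not from the ACI TTP or
any product. The record format, thresholds and sample flows are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

SCAN_THRESHOLD = 10             # distinct (dst, port) pairs from one source ...
WINDOW = timedelta(seconds=60)  # ... seen within this sliding window


def parse_flow(line: str):
    """'<ISO timestamp> <src> <dst> <dport> <proto>' -> (ts, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def detect_scanners(lines: List[str], threshold: int = SCAN_THRESHOLD,
                    window: timedelta = WINDOW) -> Dict[str, int]:
    """Map each source that touched >= threshold distinct targets inside the window to its peak count.

    A polling HMI repeats the same (dst, port) and never grows the set; a sweep
    across a subnet grows it by one per host, which is the behaviour flagged here.
    Records are expected in time order, as a flow collector emits them.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport)), oldest first
    peaks: Dict[str, int] = {}
    for line in lines:
        ts, src, dst, dport, _proto = parse_flow(line)
        window_q = recent[src]
        window_q.append((ts, (dst, dport)))
        while window_q and ts - window_q[0][0] > window:   # expire old records
            window_q.popleft()
        distinct = len({target for _, target in window_q})
        if distinct >= threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


def sample_flows() -> List[str]:
    """Constructed flow records: an HMI poll loop plus a port-502 sweep of a PLC subnet."""
    base = datetime(2016, 12, 28, 10, 15, 0)
    lines = []
    for i in range(15):  # HMI polling one PLC every second: a single distinct target
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.1.10 10.1.2.20 502 TCP")
    for i in range(12):  # engineering workstation walking 10.1.2.1-12 on Modbus/TCP
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.2.30 10.1.2.{i + 1} 502 TCP")
    return sorted(lines)  # fixed-width ISO timestamps sort into collector order


def run_example() -> Dict[str, int]:
    return detect_scanners(sample_flows())


if __name__ == "__main__":
    for src, count in run_example().items():
        print(f"{src}: {count} distinct targets inside {WINDOW.seconds}s")
```

The threshold has to be set from the network baseline the TTP asks for in enclosure E: a historian or vulnerability scanner that legitimately walks every controller will trip it and needs an explicit exception, which is the point, since A.2.7 is about confirming whether such a host is supposed to be doing that.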

Page 19:

Information Assurance Guideline For Facility-Related CS

Any organization can use it for their CS.

https://www.serdp-estcp.org/Investigator-Resources/ESTCP-Resources/Demonstration-Plans/Cybersecurity-Guidelines

The IA Guideline has several key sections that establish new RMF contractual and deliverable requirements:

• Hybrid/Converged CS

• Project Roles and Responsibilities

• Requirements For Subject Matter Experts

• Test And Development Environment and Tools

• Required Submittals

• Applicable ESTCP CS Templates (FAT & SAT, PenTest)

• Typical Sequence Of CS Design And Construction Activities

Page 20:

Information Assurance Guideline For Facility-Related CS – Hybrid/Converged System

A CS MAY be a hybrid, or converged, system of traditional IT products and Operational Technology (OT) products that must now be considered an exploit vector that can be used to penetrate the larger DoDIN network. These hybrid systems contain or transmit Personally Identifiable Information (PII), Protected Critical Infrastructure Information (PCII), Health Insurance Portability and Accountability Act (HIPAA) data, or Payment Card Industry (PCI) data. Examples of systems that may be hybrid, or converged, systems include:

• Access control/alarm systems that use badges/PIV cards and Active Directory for keyless entry (contain PII).

• Keyless entry/keypad systems that use Active Directory (contain PII).

• Meter data management systems that interconnect with a local utility with real-time demand and response (if the meter data is determined to contain PCII).

• Patient Monitoring and Wandering Systems (contain PII, HIPAA).

• Patient Comfort Systems (contain PII, HIPAA).

• Vehicle fueling/charging stations/pumps with credit card swipe (contain PCI).

• Computerized maintenance management systems/work order systems that interconnect with control system back-end controllers and devices (if the system is determined to contain PCII or PII).

IF the CS is determined to be a Hybrid/Converged system, then the RMF package will consist of both the NIST SP 800-53R4 and NIST SP 800-82R2 security controls.

Page 21:

Information Assurance Guideline For Facility-Related CS – Subject Matter Experts

Control Systems Cybersecurity Specialist: The Control Systems Cybersecurity specialist shall have a minimum of five years' experience in control system network and security design and shall maintain current certification as a Global Industrial Cyber Security Professional (GICSP) or Certified Information Systems Security Professional (CISSP).

Information and Communication Technology Specialist: The Information and Communication Technology specialist shall have a minimum of five years' experience in control system network and security design and shall maintain current certification as a Registered Communications Distribution Designer (RCDD®).

System Integration Specialist: The System Integration specialist shall have a minimum of five years' experience in control system networks and shall maintain current certification as a Certified System Integrator (CSI) for the products they are integrating and/or be Control System Integrators Association (CSIA) Certified.

Page 22:

Information Assurance Guideline For Facility-Related CS – Test And Development Environment

For new or major modernization projects, the Systems Integrator will establish a Test and Development Environment (TDE) that replicates the Production Environment to the highest degree possible, starting with the Level 4 workstations, servers and software and with at least one of each of the Level 3-0 major components, devices and actuators. At approximately 50-75% construction complete, the TDE will be used to perform Factory Acceptance Testing (FAT) of the project to ensure the project has end-to-end functionality, has been properly configured using the Security Content Automation Protocol (SCAP) tool and the Security Technical Implementation Guides (STIGs), and has all patches (OS and CS) installed and properly configured, and to begin creating the artifacts for the draft System Security Plan.

At approximately 95-100% construction complete, the TDE will be used to conduct Site Acceptance Testing (SAT) of the complete CS and, if required, penetration testing. The SAT artifacts will be included in the final System Security Plan, FMC and Jump-Kit (if required).

Page 23:

Information Assurance Guideline For Facility-Related CS – TDE Tools

The following tools are available for the ESTCP Project Team, designer, construction and systems integrators to use in the creation of the Test and Development Environment (TDE) and Production CS:

• Belarc Advisor Tool

• Cyber Security Evaluation Tool (CSET)

• GrassMarlin Passive Network Discovery Tool

• Security Content Automation Protocol (SCAP) Tool

• Samurai Software Testing For Utilities Tool

• Kali Linux Tool

• Glasswire Tool

• MalwareBytes Tool

• Mandiant Redline Tool

• Microsoft SysInternals Suite Tool

• OSForensics Tool

Page 24:

Information Assurance Guideline For Facility-Related CS – FAT & SAT Checklist

Based on DHS ICS-CERT ICS Procurement Language Energy Systems

http://www.pmcgroup.biz/services/cybersecurityresources.html

Page 25:

Information Assurance Guideline For Facility-Related CS – PenTest Checklist

http://www.pmcgroup.biz/services/cybersecurityresources.html

EPRI Smart Grid and AMI Pentest Guide

Page 26:

Information Assurance Guideline For Facility-Related CS – Design & Construction Sequence

Page 27:

Telecommunications and Networking Guideline For Facility-Related CS

1.1 PURPOSE AND SCOPE

This document defines the IT Telecommunications and Network Standards for ESTCP Facility-Related Control System (CS) projects. The intention of this document is to provide a general outline and guide to ensure the IT Telecommunications and Network Transport Backbone, cabling, wireless, firewalls, routers, switches and end-point devices are properly installed, configured and tested to meet DoD CIO, DISA and service/agency connectivity requirements.

1.2 BACKGROUND

The DoD follows industry and DISA best practices and guidance for designing and operating Telecommunications and Networks. Currently, the DoD is transitioning to the Joint Information Environment (JIE) as defined by Department of Defense Instruction 8530.01, Cybersecurity Activities Support to DoD Information Network Operations, March 2016.

Page 28:

Telecommunications and Networking Guideline For Facility-Related CS – Notional JIE

Segment OT/CS networks into enclaves and protect the enclave boundaries.

Page 29:

Telecommunications and Networking Guideline For Facility-Related CS

1.12 OPERATIONS CENTER (OC)

The OC is the central point for all monitoring, controlling, programming, and service for all CS systems. The OC and the CS HMI operator console provide the Continuous Monitoring capability, and are divided into the Production System and the Test and Development Environment. All patches, requests for configuration changes, and verification of SCAP/ACAS scans are completed in the TDE before deploying to the Production system.

This Guideline covers both the legacy Telecommunications and Networks and the next generation Gigabit Passive Optical Networks (GPONs). Unified Facilities Criteria 3-580-01, Telecommunications Interior Infrastructure Planning and Design, June 2016, provides the primary criteria; this chapter provides supplemental guidance related to cybersecuring the exterior and interior networks that transmit CS data.

Page 30:

Telecommunications and Networking Guideline For Facility-Related CS – GPONs

Page 31:

Host Identity Protocol

• The Host Identity Protocol (HIP) is a host identification technology for use on Internet Protocol (IP) networks, such as the Internet. The Internet has two main name spaces, IP addresses and the Domain Name System. HIP separates the end-point identifier and locator roles of IP addresses. It introduces a Host Identity (HI) name space, based on a public key security infrastructure.

• The Host Identity Protocol provides secure methods for IP multihoming and mobile computing.

• In networks that implement the Host Identity Protocol, all occurrences of IP addresses in applications are eliminated and replaced with cryptographic host identifiers. The cryptographic keys are typically, but not necessarily, self-generated.

• The effect of eliminating IP addresses in the application and transport layers is a decoupling of the transport layer from the internetworking layer (Internet Layer) in TCP/IP.

https://en.wikipedia.org/wiki/Host_Identity_Protocol
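To make the identifier/locator split concrete, the following added example (not from the course and not a HIP implementation; it does not perform the HIP base exchange) derives a Host Identity Tag from a public key in the ORCHIDv2 address range, keeps a locator table that the application never consults directly, and shows that a peer presenting a different key cannot claim the tag. Assumptions: the tag hashes the raw public-key bytes (RFC 7401 prepends a context ID and uses the Host Identity encoding), the OGA ID value 1 is assumed to denote SHA-256, and the public keys are constructed stand-in byte strings rather than real key material.

```python
"""Host Identity namespace: identity = hash of a public key, locator = IP address.

Added example for this page; it is not code from the course or from any HIP
implementation and does not perform the HIP base exchange. Simplifications
(assumptions): the HIT hashes the raw public-key bytes (RFC 7401 prepends a
context ID and uses the Host Identity encoding), the OGA ID value 1 is assumed,
and the 'public keys' are constructed stand-in byte strings.
"""
import hashlib
import ipaddress
from typing import Dict

ORCHID_PREFIX_BITS = 0x2001002   # top 28 bits of 2001:20::/28, the ORCHIDv2 range (RFC 7343)
OGA_ID = 1                       # 4-bit hash algorithm field; 1 assumed here to denote SHA-256


def host_identity_tag(public_key: bytes) -> str:
    """Derive the 128-bit Host Identity Tag (HIT), an IPv6-shaped ORCHID, from a public key."""
    hash96 = int.from_bytes(hashlib.sha256(public_key).digest()[:12], "big")
    value = (ORCHID_PREFIX_BITS << 100) | (OGA_ID << 96) | hash96
    return str(ipaddress.IPv6Address(value))


def in_orchid_range(hit: str) -> bool:
    """True when the tag sits inside the 2001:20::/28 ORCHIDv2 range."""
    return ipaddress.ip_address(hit) in ipaddress.ip_network("2001:20::/28")


def verify_hit(hit: str, presented_key: bytes) -> bool:
    """A peer that presents a key must hash to the HIT the application is bound to."""
    return host_identity_tag(presented_key) == hit


class LocatorTable:
    """Maps identities (HITs) to current locators (IP addresses); updated on re-homing."""

    def __init__(self) -> None:
        self._locators: Dict[str, str] = {}

    def update(self, hit: str, ip: str) -> None:
        ipaddress.ip_address(ip)          # reject anything that is not an address
        self._locators[hit] = ip

    def resolve(self, hit: str) -> str:
        return self._locators[hit]


def demo() -> Dict[str, object]:
    key_plc = b"constructed-stand-in-for-the-plc-public-key"
    key_rogue = b"constructed-stand-in-for-a-rogue-key"
    hit_plc = host_identity_tag(key_plc)

    table = LocatorTable()
    table.update(hit_plc, "192.0.2.10")
    session = {"peer": hit_plc, "seq": 1}      # application state is keyed on the HIT, not the IP
    before = table.resolve(session["peer"])
    table.update(hit_plc, "198.51.100.7")     # the PLC is re-addressed or moves segment
    after = table.resolve(session["peer"])    # same session, new locator

    return {
        "hit": hit_plc,
        "before": before,
        "after": after,
        "session_peer_unchanged": session["peer"] == hit_plc,
        "rogue_key_accepted": verify_hit(hit_plc, key_rogue),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The security property the example isolates is the last field: because the tag is derived from the key, an attacker who takes over the address 192.0.2.10 still cannot answer for the PLC's identity without its private key, which is what makes address-based spoofing on a flat control network lose its value.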

Page 32:

http://www.wbdg.org/resources/cybersecurity.php

WBDG Cybersecurity Resource Page

Page 33:

http://www.wbdg.org/resources/cybersecurity.php

PMC Cybersecurity Resource Page

Page 34:

PMC Cybersecurity Resource Page

http://www.pmcgroup.biz/services/cybersecurityresources.html

Page 35:

PMC Cybersecurity Workshops

http://www.pmcgroup.biz/services/cybersecurityworkshops.html

Page 36:

This concludes The American Institute of Architects Continuing Education Systems course.

[email protected]