Practical Operational Environment Security

Joe Peterson, PE; Warren LaPlante; ALLETE/MN Power

Post on 22-Sep-2020


Page 1: Practical Operational Environment SecurityBasic Approach •“Crown Jewels” •Perimeter Defense Systems •Safety. What to Protect •Impact/Damage •Applicable to Your System

Practical Operational Environment Security

Joe Peterson, PE
Warren LaPlante
ALLETE/MN Power

Topics

• What is an Operational Environment?

• Basic Approach

• Considerations

• Cyber Security

• Physical Security

• Questions

• Resources

Operational Environment

• Control Centers

• Generation Plants

• Substations

• Industrial/Manufacturing Control Systems

• Building Automation Systems

Different Technology Environments

Information (IT)

• Focus is Information

• Servers, Printers, Routers…

• Technology/Skillsets Align

• Devices/Software Last ~3-5 Years

• Devices are Complex/Adaptable

• Primarily Networked

• Cyber Security ~35 years

Operational (OT)

• Focus is Physical Interaction

• Relays, RTU, PLC, Meters…

• Technology/Skillsets Do Not Align

• Devices Last ~10-25 Years

• Devices are Simple/Rigid

• Can Be Air-Gapped/Isolated

• Cyber Security is a Growing Focus

Basic Approach

What to Protect

• “Crown Jewels”

• Perimeter Defense Systems

• Safety

Determine Threat/Risk

• Impact/Damage

• Applicable to Your System

Prioritize

• Impact/Risk

• Compliance

• Budget

Plan Your Defenses

• Plan 2-5 Years

• Document Key Characteristics

Implement

• Address the Threat

• Modify if Needed

Adapt and Improve

• Keep Current

• Re-Evaluate

Collaboration

• IT/OT

• Cyber Security

• Firewall

• Network

• Communications

• Physical Security

• Management

• Engineering

• Operations

• Field Personnel

• Safety

• Project Management

• Purchasing

• Compliance

Considerations

• Know Your Devices, System, and Environment!

• Risk -> Threat x Vulnerability x Potential Impact x Likeliness

• Layers of Defense – Prevent, Detect, Deter, Delay, Alert/Alarm

• Resiliency/Recovery

• Simplicity

• Compliance does not Equal Security

Cyber Security – Why We Need to Care

• Stuxnet

• Ukraine

  • Crash Override/Industroyer

• Energetic Bear/DragonFly

  • Havex/Backdoor.Oldrea

• Safety

  • Triton/Trisis

• Backdoor:W32/BlackEnergy

• WannaCry

• Eternal Blue

• Petya and NotPetya

• Conficker

Cyber Security – Device Risks

• Firmware vs OS Devices

• Diversify Brands (as Needed)

• Serial vs Dial-Up vs Ethernet

• Communication Converters – Use Caution

• Virtualization – Use Caution

Cyber Security – Remote Access Risks

• Airgap

• Minimize Remote Access and Connected Devices

• Secure Local Gateway/Proxy Device

• Minimize Unencrypted Communications – Telnet, FTP, DNP, etc.

• Enable/Disable Network Port, Modem/etc.

Cyber Security – Network Architecture Risks

• WIFI – Proceed with Caution

• Separate Trust Levels

  • Physical/Hardware

  • Logical/Virtual

• Encryption – SSL VPN/VPN Tunnel

Cyber Security – Alerts and Awareness

• RTU, PLCs, or Other Remote I/O

  • Inputs – Monitor Alerts/Alarms

  • Outputs – Switch Power or Enables (Consider Consequences)

• Locks/Locking Racks

• Tamper Tape

Cyber Security – General Good Practices

• Password Management

• Multi-Factor Authentication

• Security Patch Management

• Spares/Backups

• Change Management

• Use Logs

Physical Security

Why We Need to Care

• Copper thefts

• Equipment thefts

• Property Damage

• Suspicious Activity

• Metcalf Substation

Traditional Security

• DETER

• DETECT

• DELAY

• RESPOND

• ANALYSIS

• COMM

Traditional Security Engineering

• What are you trying to protect

• What is the threat

• What are the vulnerabilities

• What is the risk (R=TxVxC)

• Prioritize and Develop Mitigation

Source: DHS

Traditional Security Engineering Examples

Physical Security Plan

CPTED

• Is a considerations guide

• Natural lighting

• Open areas

• Natural avenues of travel

• Easy Up-keep

• Augmented with traditional security concepts

Source: cityoftacoma.org

CPTED Examples

Resources - Cyber

• Websites

• Wired

• Ars Technica

• Dark Reading

• NIST (Intro to Information Security, Guide to ICS Security, Framework)

• Info Security Magazine

• National Vulnerability Database

• Industrial Internet Consortium

Resources – Physical

• Government

• E-ISAC

• NERC (Alerts, Lessons Learned)

  • NERC Regional Reliability Organizations (WECC, MRO, ReliabilityFirst, etc.)

• National Institute of Crime Prevention

• www.usacearmy.mil

• DHS

• FEMA

• Department of Defense (DoD, all branches)

Resources - Physical

• Private/Other

• www.asisonline (American Society for Industrial Security)

• www.CPTED.net

• www.cptedtraining.net

Practical Operational Environment Security

Joe Peterson, Warren LaPlante, Minnesota Power

The operational world has evolved to an integrated network of intelligent devices that requires attention to physical and cybersecurity measures to operate effectively, safely, and reliably. Practical approaches and available resources will be discussed.