NERC CIP in the Real World on a Real Budget - UMN CCAPS CIP – Cyber security for TSO and...

NERC CIP in the Real World on a Real Budget

11/11/16 Page 1 Energy Automation

Authors: Eric Stranz, Business Development Manager, Siemens; Stefan Nohe, Subject Matter Expert, Siemens; Dr. Chan Wong, PhD, Standards Engineering, Entergy

Utilizing Cost Saving Ethernet Technologies in Compliant Architectures

Motivation


NERC CIP – Cyber security for TSO and Generation


Generation / DER

• Misuse of local administrative rights

Distribution and Transmission

• Substation Configuration is manipulated via local network, wireless or remote access

Operation

• Unauthorized remote service access

Market

• Fraud based on falsified offers and contracts (Customer, Utilities, DNOs, …)

Customer

• Consumer behavior tracking, e.g., through smart meters

• Fraud through smart meter manipulation

Focus of Paper: Implement Technologies in Compliant Architectures


Possible Attackers:

• Countries

• Criminal organizations

• Script kiddies

• Insider

• Spoofing

• Malware

• Viruses

• …

Figure: substation architecture and attack paths

Levels: Control Center Level; Station Level; Field Level; Substation Control Zone

Components: Control Center; Substation HMI; Substation Data Collector & Controller; 3rd party device; Remote Access

Communications (IEC 61850): Station Bus MMS (data collection & controls); GOOSE (virtual wires); Process Bus; Sampled Values (currents / voltages)

Threats marked: Malware; Misuse of access rights; Unauthorized access; Unauthorized access to network; Attacks via internet

Cost Saving Technologies

IEC-61850 MMS – Station Bus

Figure labels: IED1, IED2, IED3, IED4 (Vendor W, Vendor X, Vendor Y, Vendor Z); CB1, CB2, CB3, CB4; 61850-MMS Communications, Routable Layer 3

Data Communication using 61850 – Station Bus

Peer-to-peer communications

Figure labels: IED1, IED2, IED3, IED4 (Vendor W, Vendor X, Vendor Y, Vendor Z); CB1, CB2, CB3, CB4; GOOSE (Generic object oriented system-wide events) Multicast Message, Non-Routable Layer 2

Process Bus 61850-9-2

Figure labels: Station Bus; Process Bus – Multicast Message, Non-Routable Layer 2; Hardwired I/O, CTs and PTs; Fiber Optic Connection; 61850 9-2 Merging Units

Network Segmentation – Process and Station Bus Networks


CIP 5 Standards Consolidated FAQ Oct. 2015 # 23

IEC 61850 is not a data link or network layer protocol, thus declaring IEC 61850 to be a routable or non-routable protocol is not appropriate. Time-critical messages, such as GOOSE messages for direct inter-bay communication, typically run on a flat Layer 2 network without the need for Layer 3 IP addresses.


IEC 61850 Deterministic Concepts – GOOSE Mechanism

• Sequence Number: 1045, State Sequence: 25

• Sequence Number: 1046, State Sequence: 25

• Sequence Number: 1047, State Sequence: 25

• Sequence Number: 0, State Sequence: 26 (starts a new sequence when the status changes)

• Sequence Number: 1, State Sequence: 26

• Sequence Number: 2, State Sequence: 26

• Sequence Number: 3, State Sequence: 26

• Sequence Number: 4, State Sequence: 26

A well designed substation system can determine the health of the network by monitoring sequence or state alarms and indications for fast network diagnosis.

IEC-61850 9-2 Sampled Values operates in a similar manner
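The sequence and state supervision described on this slide can be sketched as follows. This is an added example, not code from the presentation or from any vendor product; it assumes frames from one GOOSE publisher have already been decoded into (State Sequence, Sequence Number) pairs, the function name `supervise` is hypothetical, and counter wrap-around is not handled.

```python
from typing import Iterable, List, Tuple

Frame = Tuple[int, int]  # (State Sequence, Sequence Number), as on the slide

# Constructed samples: HEALTHY repeats the slide's values; DEGRADED is made up.
HEALTHY = [(25, 1045), (25, 1046), (25, 1047), (26, 0), (26, 1), (26, 2)]
DEGRADED = [(25, 1045), (25, 1047), (26, 0), (26, 1), (26, 1), (26, 4),
            (25, 1048), (28, 0)]


def supervise(frames: Iterable[Frame]) -> List[Tuple[int, str]]:
    """Return (frame index, alarm text) pairs for one GOOSE publisher."""
    alarms: List[Tuple[int, str]] = []
    last = None  # last accepted (state, seq); None until the first frame
    for i, (state, seq) in enumerate(frames):
        if last is None:
            last = (state, seq)
            continue
        last_state, last_seq = last
        if state == last_state:
            if seq <= last_seq:
                # Counter did not advance: repeated or stale frame.
                alarms.append((i, "duplicate or out-of-order frame"))
                continue  # a stale frame must not move the baseline back
            if seq > last_seq + 1:
                alarms.append((i, f"lost {seq - last_seq - 1} frame(s)"))
        elif state < last_state:
            alarms.append((i, "state sequence went backwards"))
            continue
        elif state > last_state + 1:
            alarms.append((i, f"missed {state - last_state - 1} state change(s)"))
        elif seq != 0:
            # A new state starts at Sequence Number 0 (per the slide).
            alarms.append((i, f"state change seen late, missed {seq} frame(s)"))
        last = (state, seq)
    return alarms


if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, supervise(capture))
```

Lost-frame alarms point to network health problems, while a duplicate frame or a state sequence that moves backwards is worth logging as a possible stale or injected message.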

Cost Savings and other benefits with Ethernet Technologies

• Up to 40% cost savings with Sampled Values Technology within a substation compared to a traditional copper installation (Based on a 12 Feeder Install)

• IEC-61850 GOOSE reduces copper interconnectivity between devices which results in significant savings in some installations

• Templates and reusable engineering make IEC-61850 an attractive option

• Physical Security and Communications Security are required regardless of technology.


Is NERC CIP Compliance too difficult to even consider these technologies?


1.) Assess station designations based on CIP-014-01 (4.1.1.2)

2.) Define the (BES) Cyber System (formerly Critical Cyber Assets)

3.) Define Physical Security Perimeter (PSP)

4.) Define Electronic Security Perimeter(s) (ESP)

5.) Provide a Cyber Security Framework to Cyber Assets per CIP Standards

6.) Define Electronic Access Points into ESP(s)

In Version 5, NERC now allows for multiple ESPs and does not restrict the ESPs to the 6 wall approach.

Physical & Cyber security

The physical security requirements

• Need of authentication before entrance of station

• Recognize and alarm in case of unauthorized access

• Protection against unauthorized access

Cyber security

• Mitigate misuse of access rights

• Authentication of access

• Protection from outside threats and attacks on infrastructure


Normal NERC CIP Applicable Substations Should Already Include Physical Security Measures

Two Factor Authentication (Something you know, Something you are, Something you have)

Card Scanners, Cameras, Authentication Systems typically are already in place for a NERC CIP Station

The FERC Order No. 706, Paragraph 572, directive discussed utilizing two or more different and complementary physical access controls to provide defense in depth.

ESP at the Control House


Figure labels: Camera; Keypad; Card Scan (shown twice); 2 Factor Authentication; Card Scan to Retrieve Key for Breakers; Door switch triggers alarm where camera monitors activity; Layer 2 Comms Only

ESP at the Control House


Electronic Security Perimeter

Direct Connection to Device (segregated Networks from Process Bus)

Communications Supervision

Merging Units

All IP services Turned off, pure Layer 2 only communications

Electronic Access Point

ESP at the Substation Fence


Figure labels: Camera; Keypad; Card Scan (shown three times); 2 Factor Authentication; Card Scan to Retrieve Key for Breakers; Door switch triggers alarm where camera monitors activity; Layer 3 or Layer 2

Securing the Network


Figure labels: Encrypted Communications; Traffic Limit; Firewall; Authentication; Communications Supervision (shown twice); Merging Units; Enterprise Applications

Disable Unused Ports

CIP-007-5 Table R1

Even ports used for testing must be disabled at the time of putting the system into service.

Intrusion Prevention Systems (IPS)

Any product that prevents hackers' access to the network and can take immediate action against the threat

• Reactive

• Can drop the malicious packets

• Block traffic from the source

• Reset the connection

• Firewalls, Anti-Virus, Malware Tools

Antivirus and Malware (IPS): CIP-007-5, Logged

Firewall (IPS): CIP-007-5, Logged

Intrusion Detection Systems (IDS)

Any product that can detect an intrusion into the network and report or alarm this detection to a management station

• Passive

• Monitors signatures

• Alerts operators

• Creates reports

Network-Based Intrusion Detection Systems (NIDS)

Figure labels: NIDS Server; Intrusion Detected – Analysis of Intrusion……

Host Based Intrusion Detection System (HIDS)

Figure labels: Intrusion Detected – Analysis of Intrusion……

Security Patch Update within 35 days of update release

CIP-007-5 Table R1

CIP-007-5 Table R1

Updated LDAP → Active Directory

Within 24hrs of termination

Within 7 Days of leaving the position

White List and Logging

CIP-007-5 Table R1

Jim-Bob

White List

1.) Bobby-Joe

2.) Billy-Bob

Operations Log

10:30 AM 3/17/14 Invalid Login attempt – Jim Bob

White List and Logging

CIP-007-5 Table R1

Billy-Bob

White List

1.) Bobby-Joe

2.) Billy-Bob

Operations Log

10:30 AM 3/17/14 Changed Relay Settings – Billy-Bob

Operations Log

10:30 AM 3/17/14 Logged In – Billy-Bob

Turn Off all Non-Critical IP Ports

Turn Off all Non-Critical Services

Best Practices

- Classify BES Cyber Systems and Assets per V5 requirements

- Segment your networks

- Secure unused ports and services

- Implement malware and virus protection

- Passwords should comply with “complex” requirements

- Firewall settings properly set

- Implement Intrusion Detection and Prevention Systems

- Electronic Access points to the Substation should be encrypted

- Provide application control software wherever possible

Thank you for your attention!
