Cyber Security for Smart Grid

Page 1: Cyber Security for Smart Grid

Cyber Security for Smart Grid

George Gamble

Cyber Security Architect

Black & Veatch

Page 2: Cyber Security for Smart Grid

The boss says that security is extremely important and top priority. That is, unless it makes something inconvenient.

Page 3: Cyber Security for Smart Grid
Page 4: Cyber Security for Smart Grid


U.S. Government Impact on Cyber Security

Page 5: Cyber Security for Smart Grid

Energy Independence and Security Act (EISA) of 2007, Title XIII, Section 1305: Smart Grid Interoperability Framework

The Framework: “The framework…shall align policy, business, and technology approaches [to] enable… an efficient, reliable electricity network.” “a framework that includes protocols and… standards for information management to achieve interoperability of smart grid devices and systems.”

NIST has “primary responsibility to coordinate the development of” an interoperability framework, in cooperation with DOE and other stakeholders.

Page 6: Cyber Security for Smart Grid

What standards are being used to implement Smart Grid controls?

• NIST SP 800-53 Rev 3 - Guideline
• NIST SP 800-82 - Guideline
• DHS Catalog of Controls - Guideline
• NIST IR 7628 - Guideline
• NERC CIP-002 through 009 - Standard
• SANS TOP 20 Critical Controls - Best Practices

Page 7: Cyber Security for Smart Grid

NIST SP 800-30 Risk Assessment

* Task 2, 3, 4, and 6 can be conducted in parallel after Task 1 has been completed.

Risk Assessment Activities (Legend: Input -> Activity -> Output)

Task 1. System Characterization
- Input: Hardware, Software, System Interfaces, Data & Information, People, System Mission
- Output: System boundary, System functions, System & data criticality, System & data sensitivity

Task 2. Threat Identification
- Input: History of system attack; Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
- Output: Threat statement

Task 3. Vulnerability Identification
- Input: Reports from prior risk assessment, Any audit comments, Security requirements, Security test results
- Output: List of potential vulnerabilities

Task 4. Control Analysis
- Input: Current controls, Planned controls
- Output: List of current & planned controls

Task 5. Likelihood Determination
- Input: Threat-source motivation, Threat capacity, Nature of vulnerability, Current controls
- Output: Likelihood rating

Task 6. Impact Analysis (Loss of Integrity, Availability, Confidentiality)
- Input: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity
- Output: Impact rating

Task 7. Risk Determination
- Input: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned or current controls
- Output: Risks & associated risk levels

Task 8. Control Recommendations
- Output: Recommended controls

Task 9. Results Documentation
- Output: Risk assessment report
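The slide lists the inputs and outputs of each task but not how Tasks 5 through 8 combine into a risk level. The following is an added example (not code from the presentation or from NIST) that carries a few constructed smart grid findings through likelihood determination, impact analysis, risk determination and control recommendation using the scales of the original SP 800-30 (2002) risk-level matrix: likelihood High=1.0 / Medium=0.5 / Low=0.1, impact High=100 / Medium=50 / Low=10, risk = likelihood x impact, with >50 rated High, >10 Medium and the rest Low. The findings, threat sources and recommended controls are assumptions made for the example.

```python
"""Risk determination in the style of NIST SP 800-30 (2002), Tasks 5-8.

Added example, not from the presentation or from NIST. Likelihood values
are stored scaled by ten (10/5/1 instead of 1.0/0.5/0.1) so every product
divides exactly by ten and the scores stay integers.
"""
from dataclasses import dataclass

LIKELIHOOD_X10 = {"High": 10, "Medium": 5, "Low": 1}  # Task 5 rating (x10)
IMPACT = {"High": 100, "Medium": 50, "Low": 10}      # Task 6 rating


@dataclass(frozen=True)
class Finding:
    threat_source: str        # from the Task 2 threat statement
    vulnerability: str        # from the Task 3 vulnerability list
    impact_area: str          # integrity, availability or confidentiality
    likelihood: str           # Task 5 output
    impact: str               # Task 6 output
    recommended_control: str  # Task 8 output


def risk_score(likelihood: str, impact: str) -> int:
    """Task 7: likelihood of threat exploitation x magnitude of impact."""
    return LIKELIHOOD_X10[likelihood] * IMPACT[impact] // 10


def risk_level(score: int) -> str:
    """Map the numeric score onto the High/Medium/Low risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risks(findings):
    """Return (finding, score, level) tuples, highest risk first.

    This ordering is what the Task 9 report uses to prioritise the
    Task 8 control recommendations.
    """
    scored = [(f, risk_score(f.likelihood, f.impact)) for f in findings]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(f, s, risk_level(s)) for f, s in scored]


def level_counts(findings):
    """Summary for the risk assessment report: number of risks per level."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for _, _, level in determine_risks(findings):
        counts[level] += 1
    return counts


# Constructed sample findings for a hypothetical smart grid deployment.
SAMPLE_FINDINGS = [
    Finding("External attacker", "Unpatched AMI head-end web interface",
            "integrity", "High", "High",
            "Patch and place the head-end behind a boundary protection device"),
    Finding("Insider", "Shared operator account on SCADA HMI",
            "integrity", "Medium", "High",
            "Individual accounts with controlled administrative privileges"),
    Finding("Malware", "Engineering workstation without malware defenses",
            "availability", "Medium", "Medium",
            "Malware defenses and application allow-listing (SANS CC12)"),
    Finding("Flooding", "Substation RTU sited in a flood plain",
            "availability", "Low", "High",
            "Relocate the RTU or provide a redundant unit"),
]

if __name__ == "__main__":
    for finding, score, level in determine_risks(SAMPLE_FINDINGS):
        print(f"{level:6} {score:3d}  {finding.vulnerability} -> "
              f"{finding.recommended_control}")
    print(level_counts(SAMPLE_FINDINGS))
```

Note how the matrix treats a Low-likelihood, High-impact finding (score 10) as Low risk while a Medium-likelihood, High-impact one (score 50) is only Medium; the adequacy of current controls from Task 4 enters through the likelihood rating, which is why Task 4 feeds Task 5 in the chart above.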

Page 8: Cyber Security for Smart Grid

Develop a System Security Architecture

Developing a security architecture involves determining how each security requirement will be met through management, operational, and technical controls.

Page 9: Cyber Security for Smart Grid

NIST IR 7628 - Smart Grid Cyber Security Strategy and Requirements

• 1st Draft September 2009
• 2nd Draft February 2010
• 3rd Draft August 2010

The NIST IR 7628 draft document contains the overall security strategy for the Smart Grid. Contents include: development of vulnerability classes, identification of well-understood security problems that need to be addressed, selection and development of security-relevant use cases, initial privacy impact assessment, identification and analysis of interfaces identified in six functional priority areas, advanced metering infrastructure (AMI) security requirements, and selection of a suite of security documents that will be used as the base for determining and tailoring security requirements.

Page 10: Cyber Security for Smart Grid

NIST IR 7628 - Figure 2.1 Unified Logical Architecture for the Smart Grid

Page 11: Cyber Security for Smart Grid

NERC/NIST Direction

What does this mean?


Page 12: Cyber Security for Smart Grid

NIST Security Risk Management Framework

NIST 800-53


Page 13: Cyber Security for Smart Grid

Government’s Push to Secure the Grid

North American Electric Reliability Corporation

Risk Based Methodology Review of Critical Assets and Critical Cyber Assets:
– April 7, 2009 - Michael Assante, Vice President and Chief Security Officer of NERC, expressed concerns with data submitted regarding Critical Asset and Critical Cyber Asset identification.

NERC developed a set of Security Guidelines for the Electricity Sector to assist in the review process of:
– Categorizing Cyber Systems – July 2009
– Identifying Critical Assets – Sept 2009
– Identifying Critical Cyber Assets – Nov 2009

NERC is advising all registered entities about the sufficiency of evidence supporting Critical Asset identifications where all substations and generating facilities are excluded. They believe that a finding of non-compliance is highly probable absent such evidence tied to the NIST 800-30 Risk Assessment.

Ultimately, self-regulation has led to increased definition and accountability from FERC.

Page 14: Cyber Security for Smart Grid

Smart Grid is coming into Scope with changes in

CIP-002 v1-3 and CIP-002 V4

Page 15: Cyber Security for Smart Grid

CIP-011-1 Electronic Boundary

A boundary protection device is “(a) device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) monitors and controls communication at the external boundary of the information system to prevent and detect malicious and other unauthorized communications.” A boundary protection device includes such components as proxies, gateways, routers, firewalls, guards, and encryption tunnels.

Proxy Server – A computer system or an application that acts as an intermediary.

Gateway – An interface providing a capability between networks by converting transmission speeds, protocols, codes, or security measures.

Router – A hardware device or software program that forwards network traffic between computer networks.

Firewall – A network device or system running special software that controls the flow of network traffic between networks or between a host and a network.

Encryption Tunnel – To encrypt information means to transform the information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
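The definition above gives a boundary protection device two jobs: controlling which information flows may cross between interconnected systems, and monitoring boundary communication so that unauthorized traffic is both prevented and detected. The following added example (not code from the presentation or from any NERC standard) models both with a zone-based, default-deny allow list and an audit record per decision. The zones, address ranges, protocols, ports and rules are constructed for the example; the point it makes is that corporate hosts never reach the control network directly but only through a DMZ intermediary, and that every denied attempt is visible in the log.

```python
"""Zone-based flow control for a boundary protection device.

Added example, not from the presentation or from NERC. Models the two
functions in the CIP-011 definition: controlling information flow between
interconnected systems (default-deny allow list) and monitoring the
boundary (an audit entry for every decision). All values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed zones; an address in none of them is treated as "external".
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":       ipaddress.ip_network("10.2.0.0/24"),
    "control":   ipaddress.ip_network("10.3.0.0/24"),
}

# Allow list: (source zone, destination zone, protocol, destination port).
# Anything not listed is denied, so corporate users can only reach the
# DMZ historian, and only the DMZ historian may poll the control network.
ALLOW_RULES = {
    ("corporate", "dmz", "tcp", 443),    # users read the DMZ historian over HTTPS
    ("dmz", "control", "tcp", 20000),    # DMZ historian polls RTUs over DNP3/TCP
    ("control", "dmz", "udp", 514),      # control devices send syslog to the DMZ collector
}


def zone_of(ip: str) -> str:
    """Return the zone an address belongs to, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass
class BoundaryDevice:
    audit_log: list = field(default_factory=list)

    def decide(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
        """Allow or deny one flow and record the decision (detect + prevent)."""
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        if (src_zone, dst_zone, proto, dst_port) in ALLOW_RULES:
            action, reason = "allow", "matches allow rule"
        else:
            action, reason = "deny", "no allow rule (default deny)"
        self.audit_log.append({
            "src": src_ip, "src_zone": src_zone,
            "dst": dst_ip, "dst_zone": dst_zone,
            "proto": proto, "port": dst_port,
            "action": action, "reason": reason,
        })
        return action

    def denied(self):
        """Denied flows: the monitoring side of boundary protection."""
        return [e for e in self.audit_log if e["action"] == "deny"]


if __name__ == "__main__":
    dev = BoundaryDevice()
    # Constructed traffic sample: the second and third flows should be denied.
    for flow in [("10.1.5.7", "10.2.0.10", "tcp", 443),
                 ("10.1.5.7", "10.3.0.20", "tcp", 20000),
                 ("203.0.113.9", "10.3.0.20", "tcp", 20000),
                 ("10.2.0.10", "10.3.0.20", "tcp", 20000)]:
        print(dev.decide(*flow), flow)
    for entry in dev.denied():
        print("DENIED", entry["src_zone"], "->", entry["dst_zone"], entry["port"])
```

A real firewall, proxy or gateway adds state tracking, protocol inspection and encryption on top of this, but the allow-list-plus-audit shape is the part that maps onto the two clauses of the definition.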

Page 16: Cyber Security for Smart Grid

SANS TOP 20 Controls

• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Critical Control 5: Boundary Defense
• Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 7: Application Software Security
• Critical Control 8: Controlled Use of Administrative Privileges
• Critical Control 9: Controlled Access Based on Need to Know
• Critical Control 10: Continuous Vulnerability Assessment and Remediation
• Critical Control 11: Account Monitoring and Control
• Critical Control 12: Malware Defenses
• Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 14: Wireless Device Control
• Critical Control 15: Data Loss Prevention
• Critical Control 16: Secure Network Engineering
• Critical Control 17: Penetration Tests and Red Team Exercises
• Critical Control 18: Incident Response Capability
• Critical Control 19: Data Recovery Capability
• Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
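Controls 1 and 2 head the list because everything after them depends on knowing what is on the network and what is running on it. The following added example (not code from the presentation or from SANS) reconciles a constructed authorized-device inventory against a constructed ARP/DHCP sweep, and per-role authorized software against constructed host-agent reports, producing the three findings a control-system team acts on: unauthorized devices, authorized devices that were not seen, and unauthorized software on known hosts. Hostnames, MAC addresses, roles and package names are all assumptions made for the example.

```python
"""Inventory reconciliation for SANS Critical Controls 1 and 2.

Added example, not from the presentation or from SANS. All inventory
and observation data below is constructed.
"""
import csv
import io

# Constructed authorized device inventory (Critical Control 1).
AUTHORIZED_DEVICES = """\
mac,hostname,role
00:1A:2B:3C:4D:01,hmi-01,operator_hmi
00:1a:2b:3c:4d:02,hist-01,historian
00:1a:2b:3c:4d:03,eng-ws-01,engineering
"""

# Constructed output of an ARP/DHCP sweep of the control network segment.
OBSERVED_DEVICES = """\
# mac ip hostname
00:1a:2b:3c:4d:01 10.3.0.11 hmi-01
00:1a:2b:3c:4d:03 10.3.0.13 eng-ws-01
00:1a:2b:3c:4d:99 10.3.0.77 unknown-laptop
"""

# Constructed authorized software per role (Critical Control 2).
AUTHORIZED_SOFTWARE = {
    "operator_hmi": {"hmi-runtime", "av-agent"},
    "engineering":  {"plc-programming-suite", "av-agent"},
    "historian":    {"historian-server", "av-agent"},
}

# Constructed host-agent software reports.
OBSERVED_SOFTWARE = {
    "hmi-01":    {"hmi-runtime", "av-agent", "remote-desktop-tool"},
    "eng-ws-01": {"plc-programming-suite", "av-agent"},
}


def norm_mac(mac: str) -> str:
    """MACs arrive in mixed case from different tools; compare lower-case."""
    return mac.strip().lower()


def parse_inventory(text: str) -> dict:
    """CSV inventory -> {mac: {'hostname':..., 'role':...}}."""
    rows = csv.DictReader(io.StringIO(text))
    return {norm_mac(r["mac"]): {"hostname": r["hostname"], "role": r["role"]}
            for r in rows}


def parse_observed(text: str) -> list:
    """Sweep lines 'mac ip hostname' -> list of dicts; skips comments."""
    seen = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, hostname = line.split()
        seen.append({"mac": norm_mac(mac), "ip": ip, "hostname": hostname})
    return seen


def reconcile_devices(inventory: dict, observed: list) -> dict:
    """Unauthorized = seen but not in inventory; unseen = in inventory but not seen."""
    seen_macs = {d["mac"] for d in observed}
    unauthorized = [d for d in observed if d["mac"] not in inventory]
    unseen = sorted(e["hostname"] for m, e in inventory.items() if m not in seen_macs)
    return {"unauthorized": unauthorized, "unseen": unseen}


def unauthorized_software(inventory: dict, authorized: dict, reports: dict) -> dict:
    """Packages on each host that its role does not permit. Unknown hosts permit nothing."""
    role_by_host = {e["hostname"]: e["role"] for e in inventory.values()}
    findings = {}
    for host, packages in reports.items():
        allowed = authorized.get(role_by_host.get(host), set())
        extra = packages - allowed
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    inv = parse_inventory(AUTHORIZED_DEVICES)
    report = reconcile_devices(inv, parse_observed(OBSERVED_DEVICES))
    print("unauthorized devices:", report["unauthorized"])
    print("authorized but unseen:", report["unseen"])
    print("unauthorized software:",
          unauthorized_software(inv, AUTHORIZED_SOFTWARE, OBSERVED_SOFTWARE))
```

The "unseen" list matters as much as the "unauthorized" one on a control network: a historian that did not answer the sweep may simply be offline, or it may have been moved off the segment, and either way it needs a follow-up before the next review.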

Page 17: Cyber Security for Smart Grid

Appendix

Page 18: Cyber Security for Smart Grid

Department of Homeland Security (DHS) Catalog of Control Systems Security: Recommendations for Standards Developers

• 1st Draft September 2009
• 2nd Draft June 2010

The DHS catalog presents a compilation of practices that various industry bodies have recommended to increase the security of control systems from both physical and cyber attacks. The recommendations in the catalog are grouped into 19 families, or categories.

The catalog is not limited for use by a specific industry sector but can be used by all sectors to develop a framework needed to produce a sound cyber security program. The DHS catalog should be viewed as a collection of recommendations to be considered and judiciously employed, as appropriate, when reviewing and developing cyber security standards for control systems. The recommendations in the catalog are intended to be broad enough to provide any industry using control systems the flexibility needed to develop sound cyber security standards specific to their individual security needs.

Page 19: Cyber Security for Smart Grid

NIST SP 800-30 Risk Assessment

The purpose of this risk assessment is to evaluate the adequacy of the system security. This risk assessment provides a structured qualitative assessment of the operational environment. It addresses sensitivity, threats, vulnerabilities, risks, and safeguards. The assessment recommends cost-effective safeguards to mitigate threats and associated exploitable vulnerabilities.

The objective of performing risk management is to enable the organization to accomplish its mission(s): (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

Page 20: Cyber Security for Smart Grid

NIST SP 800-82

• Initial public draft released September 2007

NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security provides guidance on securing Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations, while addressing the performance, reliability, and safety requirements of each.

The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Page 21: Cyber Security for Smart Grid

CIP-011-1 Boundary Protection (R20-R22): NERC CIP requirements – 2 unchanged, 9 new, 4 changed.

Page 22: Cyber Security for Smart Grid

SANS TOP 20 Controls

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines

• The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through. These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far-reaching impact.

• These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center, plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.

• The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 80% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.