NERC CIP in the Real World on a Real Budget
Utilizing Cost Saving Ethernet Technologies in Compliant Architectures

Authors:
Eric Stranz, Business Development Manager, Siemens
Stefan Nohe, Subject Matter Expert, Siemens
Dr. Chan Wong, PhD, Standards Engineering, Entergy

11/11/16, Energy Automation


Motivation


NERC CIP – Cyber security for TSO and Generation


Generation / DER
• Misuse of local administrative rights

Distribution and Transmission
• Substation configuration is manipulated via local network, wireless or remote access

Operation
• Unauthorized remote service access

Market
• Fraud based on falsified offers and contracts (Customer, Utilities, DNOs, …)

Customer
• Consumer behavior tracking, e.g., through smart meters
• Fraud through smart meter manipulation


Focus of Paper: Implement Technologies in Compliant Architectures

Possible Attackers:
• Countries
• Criminal organizations
• Script kiddies
• Insider
• Spoofing
• Malware
• Viruses
• …

[Figure: threats at the Control Center Level, Station Level, Field Level and Substation Control Zone. Labels: Remote Access, Malware, Misuse of access rights, Unauthorized access to network, Unauthorized access, Attacks via internet.]


Cost Saving Technologies

[Figure: IEC 61850 architecture. Labels: Control Center, 3rd party device, Substation HMI, Substation Data Collector & Controller, Station Bus, Process Bus.]

• Station Bus MMS (data collection & controls)
• Sampled Values (currents / voltages)
• GOOSE (virtual wires)


IEC-61850 MMS – Station Bus

61850-MMS Communications: Routable, Layer 3

[Figure: IED1, IED2, IED3 and IED4 from Vendor W, Vendor X, Vendor Y and Vendor Z, with CB1, CB2, CB3 and CB4.]


Data Communication using 61850 – Station Bus
Peer-to-peer communications

GOOSE (Generic object oriented system-wide events): Multicast Message, Non-Routable Layer 2

[Figure: IED1, IED2, IED3 and IED4 from Vendor W, Vendor X, Vendor Y and Vendor Z, with CB1, CB2, CB3 and CB4.]


Process Bus 61850-9-2

Process Bus – Multicast Message, Non-Routable Layer 2

[Figure: Labels: Station Bus, Hardwired I/O, CT's and PT's, Fiber Optic Connection, 61850 9-2 Merging Units.]


Network Segmentation – Process and Station Bus Networks


CIP 5 Standards Consolidated FAQ Oct. 2015 # 23

IEC 61850 is not a data link or network layer protocol, thus declaring IEC 61850 to be a routable or non-routable protocol is not appropriate. Time-critical messages, such as GOOSE messages for direct inter-bay communication, typically run on a flat Layer 2 network without the need for Layer 3 IP addresses.


IEC 61850 Deterministic Concepts – GOOSE Mechanism

Sequence Number: 1045, State Sequence: 25
Sequence Number: 1046, State Sequence: 25
Sequence Number: 1047, State Sequence: 25
Sequence Number: 0, State Sequence: 26 (starts a new sequence when the status changes)
Sequence Number: 1, State Sequence: 26
Sequence Number: 2, State Sequence: 26
Sequence Number: 3, State Sequence: 26
Sequence Number: 4, State Sequence: 26

A well designed substation system can determine the health of the network by monitoring sequence or state alarms and indications for fast network diagnosis.

IEC-61850 9-2 Sampled Values operates in a similar manner.
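The counter pattern shown on this slide, as an added example that is not part of the original presentation: a Python check that walks a stream of frames and raises an alarm whenever the Sequence Number or State Sequence breaks the expected progression. The `Frame` type, the `check_stream` function and both sample streams are constructed for illustration, and counter rollover is not handled.

```python
from typing import NamedTuple

class Frame(NamedTuple):
    sq: int  # "Sequence Number" on the slide: counts repeats within one state
    st: int  # "State Sequence" on the slide: counts status changes

def check_stream(frames):
    """Return (index, alarm) pairs for frames that break the counter pattern."""
    alarms = []
    last = None  # last frame accepted as in-order
    for i, f in enumerate(frames):
        if last is None:
            last = f  # the first frame seen only sets the baseline
            continue
        if f.st == last.st:
            gap = f.sq - last.sq
            if gap == 1:
                last = f
            elif gap > 1:
                alarms.append((i, f"lost {gap - 1} frame(s) in state {f.st}"))
                last = f
            else:
                # Repeated or older counter: duplicate, loop, or replayed frame.
                # The baseline is kept, so a publisher restart alarms on
                # every frame until the monitor is reset.
                alarms.append((i, f"stale sequence {f.sq} after {last.sq}"))
        elif f.st > last.st:
            if f.st - last.st > 1:
                alarms.append((i, f"missed {f.st - last.st - 1} state change(s)"))
            if f.sq != 0:
                alarms.append((i, f"state {f.st} first seen at sequence {f.sq}"))
            last = f
        else:
            alarms.append((i, f"stale state {f.st} after {last.st}"))
    return alarms

# Constructed sample: the counters shown on the slide, a healthy stream.
SLIDE = [Frame(1045, 25), Frame(1046, 25), Frame(1047, 25), Frame(0, 26),
         Frame(1, 26), Frame(2, 26), Frame(3, 26), Frame(4, 26)]
# Constructed faulty stream: one dropped frame, one old frame seen again,
# and a status change whose first two frames never arrived.
FAULTY = [Frame(1045, 25), Frame(1047, 25), Frame(1046, 25), Frame(2, 26)]

if __name__ == "__main__":
    print(check_stream(SLIDE))
    for index, alarm in check_stream(FAULTY):
        print(index, alarm)
```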


Cost Savings and other benefits with Ethernet Technologies

• Up to 40% cost savings with Sampled Values Technology within a substation compared to a traditional copper installation (Based on a 12 Feeder Install)

• IEC-61850 GOOSE reduces copper interconnectivity between devices which results in significant savings in some installations

• Templates and reusable engineering make IEC-61850 an attractive option

• Physical Security and Communications Security are required regardless of technology.

Is NERC CIP compliance too difficult to even consider these technologies?


1.) Assess station designations based on CIP-014-01 (4.1.1.2)
2.) Define the (BES) Cyber System (formerly Critical Cyber Assets)
3.) Define Physical Security Perimeter (PSP)
4.) Define Electronic Security Perimeter(s) (ESP)
5.) Provide a Cyber Security Framework to Cyber Assets per CIP Standards
6.) Define Electronic Access Points into ESP(s)

In Version 5, NERC now allows for multiple ESPs and does not restrict the ESPs to the 6 wall approach.


Physical & Cyber security

• The physical security requirements
  • Need of authentication before entrance of station
  • Recognize and alarm in case of unauthorized access
  • Protection against unauthorized access
• Cyber security
  • Mitigate misuse of access rights
  • Authentication of access
  • Prevents outside threats and attacks on infrastructure


Normal NERC CIP Applicable Substations Should Already Include Physical Security Measures

Two Factor Authentication (Something you know, Something you are, Something you have)

Card Scanners, Cameras, Authentication Systems typically are already in place for a NERC CIP Station

The FERC Order No. 706, Paragraph 572, directive discussed utilizing two or more different and complementary physical access controls to provide defense in depth.


ESP at the Control House

[Figure: physical access controls at the control house. Labels: Camera, Keypad, Card Scan, 2 Factor Authentication.]

• Card Scan to Retrieve Key for Breakers
• Door switch triggers alarm where camera monitors activity
• Layer 2 Com's Only


ESP at the Control House

[Figure: Electronic Security Perimeter at the control house. Labels: Electronic Access Point, Communications Supervision, Merging Units.]

• Direct Connection to Device (segregated networks from Process Bus)
• All IP services turned off, pure Layer 2 only communications


ESP at the Substation Fence

[Figure: physical access controls at the substation fence. Labels: Camera, Keypad, Card Scan, 2 Factor Authentication.]

• Card Scan to Retrieve Key for Breakers
• Door switch triggers alarm where camera monitors activity
• Layer 3 or Layer 2


Securing the Network

[Figure: securing the network. Labels: Encrypted Communications, Traffic Limit Firewall, Authentication, Communications Supervision, Merging Units, Enterprise Applications.]


Disable Unused Ports

CIP-007-5 Table R1

Even ports used for testing must be disabled at the time of putting the system into service.


Intrusion Prevention Systems (IPS)

Any product that prevents hackers' access to the network and can take immediate action against the threat
• Reactive
• Can drop the malicious packets
• Block traffic from the source
• Reset the connection
• Firewalls, Anti-Virus, Malware Tools


Antivirus and Malware (IPS)


CIP-007-5

Logged


Firewall (IPS)

CIP-007-5

Logged


Intrusion Detection Systems (IDS)

Any product that can detect an intrusion into the network and report or alarm this detection to a management station
• Passive
• Monitors signatures
• Alerts operators
• Creates reports


Network-Based Intrusion Detection Systems (NIDS)

[Figure: NIDS Server. Intrusion Detected – Analysis of Intrusion…]


Host Based Intrusion Detection System (HIDS)

[Figure: Intrusion Detected – Analysis of Intrusion…]


Security Patch Update within 35 days of update release

CIP-007-5 Table R1


Updated LDAP → Active Directory

Within 24hrs of termination

Within 7 Days of leaving the position


White List and Logging

Jim-Bob

White List
1.) Bobby-Joe
2.) Billy-Bob

Operations Log
10:30 AM 3/17/14 Invalid Login attempt – Jim Bob

CIP-007-5 Table R1


White List and Logging

Billy-Bob

White List
1.) Bobby-Joe
2.) Billy-Bob

Operations Log
10:30 AM 3/17/14 Changed Relay Settings – Billy-Bob

Operations Log
10:30 AM 3/17/14 Logged In – Billy-Bob

CIP-007-5 Table R1


Turn Off all Non-Critical IP Ports


Turn Off all Non Critical Services


Best Practices

- Classify BES Cyber Systems and Assets per V5 requirements
- Segment your networks
- Secure unused ports and services
- Implement malware and virus protection
- Passwords should comply with “complex” requirements
- Firewall settings properly set
- Implement Intrusion Detection and Prevention Systems
- Electronic Access points to the Substation should be encrypted
- Provide application control software wherever possible


Thank you for your attention!
