Secure Microgrid Operations Cyber Security for Critical Infrastructure

  • 7/27/2019 Secure Microgrid Operations Cyber Security for Critical Infrastructure

    1/36

    BDS | PhantomWorks

    Copyright 2011 Boeing. All rights reserved.

    BDS | Boeing Energy

    Cyber Security

      - Automation of energy systems provides attack surfaces that previously did not exist
      - Cyber attacks have matured from teenage hackers to organized crime to nation states
      - Centralized control is vulnerable; decentralized control mitigates some of the risk
      - NSA multi-layered defense-in-depth architecture is the standard
      - Advanced analytics and cyber/physical event correlation provide protection against increasing threats
      - Securing communications to end devices (generators, switchgear, etc.), which may not have intrinsic security, is critical
      - Role-level protection at the end device, versus traditional user interface roles, is a critical capability
      - Cyber threats are real and rapidly evolving, as are the standards to build and deploy solutions to mitigate them

  • 2/36

    Boeing Defense, Space & Security
    PhantomWorks
    BOEING is a trademark of Boeing Management Company. Copyright 2011 Boeing. All rights reserved.

    Cyber Security Concepts Demonstration
    Joe McCormick - Boeing

  • 3/36

    Electric Grid Cybersecurity Risks (NIST)

      - Greater communications complexity increases exposure to potential attackers and unintentional errors
      - Networks linked to other networks may introduce common vulnerabilities spanning multiple domains
      - More interconnections present increased opportunities for legacy and new cybersecurity attacks
      - More network nodes means more entry points and vectors that potential adversaries might exploit
      - Extensive data gathering and two-way information flows may broaden the potential for compromises of data confidentiality and breaches of customer privacy

  • 4/36

    Distributing Operational Control

      - Distributed grid control is necessary to achieve the goals of increasing efficiency and resiliency of the electric grid
      - The electric grid will become a grid of grids over the next 20 to 30 years, with wide distribution of (renewable) energy resources and resulting microgrid technology
      - TCP/IP over multiple media will be the communications platform, replacing proprietary, un-routable protocols over phone lines and low-bandwidth wireless
      - Intelligence will be decentralized within the control, communication, and cybersecurity architectures
      - Analogues in other areas include avionics, military command and control, and telecommunications

  • 5/36

    Defense in Depth Cybersecurity Model

      - Model created by the US National Security Agency (NSA)
      - Balanced Best Practices strategy
      - NISTIR 7628 guidelines support this model
      - Should be integral to Smart Grid deployment platforms

  • 6/36

    Evolution of Cybersecurity Requirements

      - Current: NERC CIP 002-009 applied to Generation and Transmission
          - Various input sources, including power industry players
          - Very basic controls and processes, on the order of 20
      - Over the next 2 years: NERC CIP will be applied to Distribution critical assets
          - Input sources to NERC CIP will include NIST with NISTIR 7628, which is sourced on various DHS cybersecurity standards with many more controls, on the order of several hundred
      - Beyond: Legislation calling for enhanced cybersecurity standards for critical infrastructure, which will require enforcement of cybersecurity over an even larger, more distributed set of controls

    [Figure: timeline labels: NERC CIP (Generation and Transmission Only); DoD / DHS; NERC CIP (NISTIR 7628)]

  • 7/36

    Protection at Every Level

    [Figure: Enterprise Network Security (ENS); Secure Distributed Operational Service Bus (SDOSB)]

  • 8/36

    Boeing Defense, Space & Security
    Mountain View, CA
    BOEING is a trademark of Boeing Management Company. Copyright 2012 Boeing. All rights reserved.

    Smart Grid Live: Boeing Enterprise Network Security (ENS)
    Robert Esposito, Cyber Security Solutions Architect

    Integrated Situational Awareness and Advanced Threat Detection for Securing the Grid

  • 9/36

    Agenda

      - The Threat Lifecycle
      - Zero Day Advanced Threats
      - What is Boeing ENS?
      - Behavioral Detection vs. Signature Detection
      - Boeing ENS Capability Details
      - Workflow Discussion
      - Live Demo: Intrusion Attempt Incident Response

  • 10/36

    The Threat Lifecycle

      - Reconnaissance: Priority 3 (Blue)
      - Intrusion / Penetration: Priority 5 (Yellow)
      - Communication Beacons: Priority 7 & 8 (Orange)
      - Suspicious Flows / Exfiltration: Priority 9 & 10 (Red)

  • 11/36

    Boeing Enterprise Network Security (ENS)

      - Self Contained & Passive Advanced Malware Detection
      - Integrated Non-Signature Based Detection Approach
          - Advanced Anomaly Based Detection
          - Advanced Malware Detection
          - Real-Time Network Forensics
          - Correlation and Workflow Enabling Accurate Detection
      - Integrates best of industry capabilities into one unit
      - Safe and Secure Detection Rack, 14U Portable Pelican Case
      - Sanitization of Data Prior to Removal
      - Detect APTs at the earliest phases

  • 12/36

    Security Information and Event Management

    Features
      - Prioritize alerts and present them to the Network Analyst
      - Correlate alerts from sensor components through the implementation of customized rulesets
      - Case Management system for the aggregation of events & external data into individual cases that may then be presented to any audience

    Benefits
      - Single system for access by the Network Analyst, with custom dashboards to identify the severity of potential advanced threats
      - Integrated drill down into individual components, serving as the single point of entry for the Network Analyst
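    The priority/colour mapping from the "Threat Lifecycle" slide and the rule-based alert correlation described on this slide, worked through as an added example that is not Boeing's or ENS's code; the alert fields (host, ts, phase, sensor), the one-hour window and the sample alerts are my own constructed assumptions.

```python
"""Added example (not Boeing ENS code): rule-based correlation of sensor alerts
across the four lifecycle phases, with the slide's priority/colour mapping.
Alert fields (host, ts, phase, sensor) are my own assumption."""
from collections import defaultdict

# Phase -> (priority, colour), taken from the "Threat Lifecycle" slide
# (the lower number of each priority pair is used here).
PHASES = {
    "reconnaissance": (3, "blue"),
    "intrusion": (5, "yellow"),
    "beacon": (7, "orange"),
    "exfiltration": (9, "red"),
}
PHASE_ORDER = list(PHASES)  # insertion order == lifecycle order

# Constructed sample alerts from three sensor components (not real data).
SAMPLE_ALERTS = [
    {"host": "10.0.0.5", "ts": 0, "phase": "reconnaissance", "sensor": "anomaly"},
    {"host": "10.0.0.9", "ts": 100, "phase": "reconnaissance", "sensor": "anomaly"},
    {"host": "10.0.0.7", "ts": 50, "phase": "intrusion", "sensor": "malware"},
    {"host": "10.0.0.5", "ts": 600, "phase": "beacon", "sensor": "anomaly"},
    {"host": "10.0.0.7", "ts": 900, "phase": "exfiltration", "sensor": "forensics"},
]

def prioritize(alerts):
    """Analyst queue: highest lifecycle priority first, ties by time."""
    return sorted(alerts, key=lambda a: (-PHASES[a["phase"]][0], a["ts"]))

def correlate(alerts, window=3600):
    """Correlation rule: a host that shows two or more distinct lifecycle
    phases within `window` seconds of its first alert becomes one case,
    rated at the priority of the furthest phase reached."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    cases = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        phases = []
        for e in evs:
            if e["ts"] - start <= window and e["phase"] not in phases:
                phases.append(e["phase"])
        if len(phases) < 2:
            continue  # a single phase stays an ordinary alert
        prio, colour = PHASES[max(phases, key=PHASE_ORDER.index)]
        cases.append({"host": host, "phases": phases,
                      "sensors": sorted({e["sensor"] for e in evs}),
                      "priority": prio, "colour": colour})
    return sorted(cases, key=lambda c: -c["priority"])
```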

  • 13/36

    Anomaly Analytics

    Features
      - Up to 10 Gigabit/sec throughput
      - Behavioral based anomaly detection
      - Traffic inspection supporting full layer 7 extensible analysis
      - Entropy based statistical algorithms to identify advanced threat behaviors

    Benefits
      - Ability to identify advanced threats in early reconnaissance (Phase 1)
      - Ability to identify advanced threats in communications establishment (Phase 3)
      - Ability to identify advanced threats in data exfiltration (Phase 4)

  • 14/36

    Malware Detection System

    Features
      - 1 Gigabit/sec throughput of analyzed web traffic
      - Early detection of malicious activity through fingerprinting of malicious communications before the effects are actually seen in the network
      - Proprietary virtual machine mechanism to avoid advanced malware detection
      - Evaluated to EAL-2

    Benefits
      - Locate malware as it enters the network, before a system is infected
      - See potential intrusions that are blocked by existing systems or patches
      - Identify advanced threats across Phases 2 - 4

  • 15/36

    Network Forensics

    Features
      - 2 Gigabit/sec throughput, scalable to larger installations
      - Full packet classification and storage, including non-standard packet formats, for meta-data querying
      - Seamless session retrieval, reconstruction and rendering to support case management and archiving
      - Intuitive visualization environment to identify additional stored documents leaving the network

    Benefits
      - Provides the Network Security Analyst with the tools to research the effects of an Advanced Persistent Threat
      - Arms the Network Security Analyst with context in tailoring existing countermeasures to respond to attacks

  • 16/36

    Boeing ENS: Non-Intrusive & Passive Monitoring

  • 17/36

    Discovered Phase 1 Activity: Reconnaissance (Blue, Priority 3 & 4)

  • 18/36

    Example Phase 1 Event Pattern

  • 19/36

    Discovered Phase 2 Activity: Intrusion Attempt (Yellow, Priority 5 & 6)

  • 20/36

    Phase 2 Intrusion Attempt Behaviors Observed

  • 21/36

    Discovered Phase 3 Activity: Outbound Suspicious Communications (Orange, Priority 7 & 8)

  • 22/36

  • 23/36

  • 24/36

    Discovered Phase 4 Activity: Suspicious Data in Motion (Red, Priority 9 & 10)

  • 25/36

    Most of the traffic is from the United States
    Very little traffic to foreign countries is suspicious

  • 26/36

    Legacy WWW Server Discovered

    Most of the traffic is from the United States
    Very little traffic to foreign countries is suspicious

  • 27/36

    Workflow Provides Efficient Operations

    Discovery -> Analysis -> Case Creation -> Case Management (Initial, Follow-up, Final) -> Course of Action -> Protection & Case Resolution (Closed)

      - What's the priority? Higher priority alerts have the greatest business impact
      - What are the details? Ticket Type & ID, Stage, Frequency, Operational Impact, Security Classification, Consequence Severity
      - What is it? Detailed forensics: research notes, attachments, PCAPs; ownership tracking
      - Course of action: block/shutdown, monitor, other
      - Detailed metrics available: time to resolution, analysts involved, etc.

  • 28/36

    Boeing ENS Live Demo: Phase 2 Intrusion Attempt Incident Response

      - Security Operations Center Analyst investigates Phase 2 Intrusion Attempt
      - Further incident details gathered
      - Case created with integrated Case Management System
      - Case assigned to Incident Response Team (CERT)

  • 29/36

    Boeing Operations Service Bus Architecture

    [Figure: Secure Distributed Operations Service Bus architecture diagram]

  • 30/36

    Secure Distributed Operations Service Bus

      - Distributed service bus provides secure two-way communications
      - Designed for tactical / field environments
      - Architecture provides plug-n-play modularity at application, sub-system, and device level
      - Information assurance designed in:
          - Protected transport
          - Role-based access control at application and transaction levels
          - Distributed security agents
      - Network Performance Management: bandwidth and Quality of Service management
      - No central hub, which eliminates scalability and vulnerability issues

  • 31/36

    Protected Transport: Unencrypted / Encrypted

  • 32/36

    Role Based Access Control (RBAC)

      - Occurs at the application layer in a communications protocol stack
      - Provides a higher level of access control than the application itself provides, allowing legacy applications to be supported
      - Three cases:
          - Unauthorized user trying to authenticate onto the system to execute a command
          - Authorized user trying to execute an unauthorized command
          - Authorized user trying to execute an authorized command

    [Figure labels: Authorized User; Unauthorized User or Authorized User without proper Role]

  • 33/36

    RBAC: Unauthorized User Attempting Access

  • 34/36

    RBAC: Authorized User Attempting to Execute an Unauthorized Command

    [Screenshot callouts: Activate correct role; Access interface that does not belong to user/role; Activate role that does not belong to user]
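    The three RBAC cases from the "Role Based Access Control" slide and the role-activation callouts on this slide, as an added example that is not Boeing's SDOSB code; the users, assigned roles, commands and secrets are constructed for illustration, and the session/active-role model is my own assumption.

```python
"""Added example (not Boeing SDOSB code): RBAC with explicit role activation,
modelling the three cases on the slide. Users, roles, commands and secrets
are constructed for illustration only."""
import hmac

# Constructed policy: user -> assigned roles; command -> roles permitted to run it.
USERS = {
    "operator1": {"secret": "op-pass", "roles": {"operator"}},
    "engineer1": {"secret": "eng-pass", "roles": {"operator", "engineer"}},
}
COMMANDS = {
    "read_status": {"operator", "engineer"},
    "open_breaker": {"engineer"},
}

class Session:
    """An authenticated user with at most one active role."""
    def __init__(self, user):
        self.user = user
        self.active_role = None

def authenticate(username, secret):
    """Case 1: an unauthorized user (unknown name or wrong secret) gets no session."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record["secret"], secret):
        return None
    return Session(username)

def activate_role(session, role):
    """A role may be activated only if it is assigned to the session's user
    (the 'activate role that does not belong to user' callout is refused here)."""
    if session is None or role not in USERS[session.user]["roles"]:
        return False
    session.active_role = role
    return True

def execute(session, command):
    """Cases 2 and 3: the end device checks the active role against the
    command's permitted roles before doing anything."""
    if session is None or session.active_role is None:
        return "denied: no authenticated session with an active role"
    if command not in COMMANDS:
        return "denied: unknown command"
    if session.active_role not in COMMANDS[command]:
        return "denied: role %s may not execute %s" % (session.active_role, command)
    return "allowed: %s executed %s as %s" % (session.user, command, session.active_role)
```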

  • 35/36

    RBAC: Authorized User Successfully Authenticating and Executing a Command

  • 36/36

    Questions?