Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Nenad Andrejević
Comtrade Solutions Engineering
Security in Smart Grid / IoT
Why is security important
Introduction
With so much of our lives connected to the Internet – from our critical infrastructure andnational security systems to our cars and bank accounts – we know the urgency ofaddressing these new and growing cyber threats.
Traditional power grid
• The present infrastructure is overstrained and inter region bulk transfer is limited
• Cannot fully support the integration of renewable energy
• Low reliability of Power - Outage
• Fluctuating quality of Power
• Major source is fossil fuel
• Efficiency of Power transmission
• Almost zero customer participation
• Low Billing and collecting efficiency
Smart Grid v3
• Decentralization of Generating resources
• Integration of all sources of energy, mainly renewable
• Continuous monitoring and feedback from the network
• Anticipation of faults and helps in fault prevention
• Establishes a two-way communication between the utilities and the consumers
• Reduces the stress on the power system infrastructure
• Reduces and shifts the peak demand
• Continuous self-learning
SECURITY THREATS TO THE ENERGY NETWORK
• CYBER-ATTACKS: • MALWARE INJECTIONS,
• “DENIAL OF SERVICE”,
• REMOTE CONNECT / DISCONNECT COMMANDS
• ATTACKS ON PRIVACY
• REVENUE PROTECTION – THE THEFT OF DATA AND ENERGY
Landscape of attack
• Oil pipeline explosion in Turkey 2008
• Stuxnet Virus
• Ukraine Attack
• U.S. grid was successfully hacked 2015
Privacy concern #1
Privacy concern #2
Risk Levels
UTILITY
Back office
HEAD END SYSTEM
Collection system
WAN
Wide Area Network
FAN
Field Area Network
HAN
Home Area Network
Smart Meter
More Secure
Least Secure
Highest Risk
Least Risk
CiscoNMS
Network Options
Billing/CIS
OMSDMS SCADA
Utility Systems and Back Office
Business Outcomes
Consumer Engagement
EV SmartCharging
Smart Payment
EnergyEfficiency
Meter-to-Cash
RevenueAssurance
RenewablesIntegration
DemandResponse
OutageManagement
DistributionAutomation
Analytics
» Transformer Load Management» Power Quality (Voltage/Outage)» Energy Diversion Detection» Energy Efficiency & Demand Response
WAN Backhaul
Security Manager MDMHead-End
Head End System
Substation
DRMS/DLC
More Secure
Least Secure
Highest Risk
Least Risk
Open Standards
IPv6/IPv4
UDP/TCP
IEEE 802.15.4e MAC enhancements
IPv6 RPL
Web Services, EXI, SOAP, RestFul,HTTPS/CoAP
802.1x / EAP-TLS & IEEE 802.11i based Access Control
Physical Layer
IEEE 802.15.4g2.4GHz, 915, 868MHzDSSS, FSK, OFDM
IEEE 1901.2 NB-PLCOFDM
IEEE 802.11 Wi-Fi
2.4, 5 GHz, Sub-GHz
IEEE 802.3 Ethernet UTP, FO
2G, 3G, LTECellular
IEEE 802.16WiMAX
1.x, 3.xGHz
Data Link Layer
IEEE 802.15.4including FHSS
IEEE 1901.2 802.15.4 frame
format
IEEE 802.11 Wi-Fi
IEEE 802.3 Ethernet
2G, 3G, LTECellular
IEEE 802.16WiMAX
6LoWPAN (RFC 6282) IPv6 over Ethernet (RFC 2464)IPv6 over PPP
(RFC 5072)IP or Ethernet
Convergence SubL.
NetworkLayer
TransportLayer
ApplicationLayer
Addressing, Routing, Multicast,
QoS, Security
Security (DTLS/TLS)
DNS, NTP, IPfix/Netflow, SSHRADIUS, AAA, LDAP, SNMP,…
(RFC 6272 IP in Smart Grid)
MeteringIEC 61968 CIM, ANSI C12.22,
DLMS/COSEM,…
SCADAIEC 61850, 60870
DNP3/IP, Modbus/TCP,…
LLC
MAC
Mgmt
Smart Grid Key AttributesStandards and Conformance• Standards are critical to enabling interoperable systems and
components.
• Mature, robust standards are the foundation of mass markets for the millions of components that will have a role in the future smart grid.
• Standards enable innovation where thousands of companies may construct individual components.
IoT
[ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.
[ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data
Challenge of Securing the IoT
• Manufacturers, energy and transportation providers, and smart cities are gaining a competitive advantage by harnessing the Internet of Things (IoT).
• Connecting more things in more places creates new security challenges. Mitigating risk requires a combination of cybersecurity and physical security.
• The IoT is expected to grow to 50 billion by 2020. Each device is a potential entry point for a network attack by insiders, hackers, or criminals
How to process
• IoT is one of the “new” areas where the new innovative solutions are created every day, for business and eco systems.
• We still have no complete – standard security measures.
• We use threat modeling to find out all relevant threats and risk model to find out best suite security
• European Union Agency for Network and Information Security• Smart Grid Threat Landscape and Good Practice Guide
• NIST • Cyber security framework for critical infrastructure
• OWASP Top 10 IoT
Top 10 IoT Vulnerabilities OWASP
Top 10 IoT Vulnerabilities Project The OWASP Top 10 IoT Vulnerabilities are as follows:
Rank Title
I1 •Insecure Web Interface
I2 •Insufficient Authentication/Authorization
I3 •Insecure Network Services
I4 •Lack of Transport Encryption/Integrity Verification
I5 •Privacy Concerns
I6 •Insecure Cloud Interface
I7 •Insecure Mobile Interface
I8 •Insufficient Security Configurability
I9 •Insecure Software/Firmware
I10 •Poor Physical Security
• 10/10 security systems accept ‘123456’
• 10/10 security systems with no lockout
• 10/10 security systems with enumeration
• SSH listeners with root/“” access
• 6/10 web interfaces with XSS/SQLi
• 70% of devices not using encryption
• 8/10 collected personal information
• 9/10 had no two-factor options
• Unauthenticated video streaming
• Completely flawed software update systems
Why COMTRADE?
• Comtrade firmly believes that the best way to ensure reliable security for the entire smart grid /IoT is to integrate security directly into the design process.
• Our „Security by Design‟ methodology involves the security team working hand in hand with Comtrade architecture team to ensure its products are created with security in mind right from the start.
• Security is not an afterthought; it evolves with the product and needs to be continually developed.
COMTRADE „SECURITY BY DESIGN‟ METHODOLOGY The „Security by Design‟ methodology is a simple, iterative process. It was decided at Comtrade that in the manufacturing of applications for utilities and IoT
An Iterative Approach
1. Assess the security vulnerabilities applicable to the system and all components
2. Conduct a risk evaluation with an impact analysis
3. Design defensive counter measures for mitigating impact
4. Perform penetration tests against each component and then the entire system
5. Iterate - if there are any gaps identified in step
Secure by design
Pre poduction
Production
Being knowledgeable about what can be achieved is one thing. The other is to reduce the impact. In cyber-security – an environment with asymmetric approaches - this can be achieved through common effort and coordination.
Conclusion
“That which depends on me, I can do; that which depends on the enemy cannot be certain. Therefore it is said that one may know how to win, but cannot necessarily do so” (Sun Tzu).
Q&A
Have a nice day!
Thanks for coming