Smart Grid - Cyber Security
Small Rural Electric
George Gamble, Black & Veatch
February 4, 2010
Smart Grid Cyber Security: Best Practice Approach to Cyber Security for the Small Rural Electric

A Smart Grid Cyber Security Plan requires a technical approach to cyber security. Cyber security must be addressed in every phase of the engineering lifecycle of the project, including design and procurement, installation and commissioning, and ongoing maintenance and support. Cyber security solutions must be comprehensive and capable of being extended or upgraded in response to changes in the threat or technological environment.

The technical approach to cyber security must include:
- Cyber security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact)
- Cyber security criteria used for vendor and device selection
- Cyber security standards and/or best practices that will be followed (NIST, ISO, COBIT, ITIL)
- Support of emerging smart grid cyber security standards
Enterprise Security Architecture

Enterprise security architecture provides the conceptual design of the network security infrastructure, the related security mechanisms, and the related security policies and procedures. It links the components of the security infrastructure into a cohesive unit whose goal is to protect organizational information, including the smart grid.
Risk Management

Managing risk requires a defined risk management lifecycle. The Smart Grid environment must be defined, criteria established to protect it, and monitoring and checks put in place so that, as the environment is challenged, appropriate indicators prompt adjustments to the protective mechanisms and keep the Smart Grid environment stable. Assessment, mitigation, and evaluation represent a basic framework for a risk management approach.

Example: the risk assessment process is consistent with the risk management recommendations of NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems".
Defensive Strategy

To support the development of a defensive strategy, the Small Rural Electric has to implement a defense strategy with measures for the following components:
- Threat
- Threat Agents
- Threat Environment
- Cyber Attack
- Vulnerability and Exploitation
- Attack Trees
- Defensive Model
- Defense-in-Depth Strategies

Threat

A threat represents the capability and the intent to attack or inflict harm. With respect to modern computing systems, this definition can be refined: a cyber threat is the capability and intent to inflict harm on computers or networked systems by a knowledgeable threat agent.

Threat Agents

Threat agents conduct cyber attacks using tools, tactics, and procedures in response to some form of motivation. A threat agent may be an individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, that may be detrimental to industrial control systems, computer systems, and networks. Common examples of agents include disgruntled or former employees, script kiddies, hackers, crackers, computer criminals, terrorists, industrial espionage agents, foreign espionage agents, and cyber warriors. Each of these categories of potential threat agents may operate through active, passive, inside, and outside access.

Cyber Attack

A cyber attack is a manifestation of a threat (e.g. an assault) conducted by a threat agent against an industrial control system, digital component/device, computer system, or network.
The scope of this definition covers a wide variety of events that could challenge the integrity, availability, or confidentiality of a system or network, including, but not limited to:
- Viruses
- Worms
- Malware
- Forged data
- Denial or disruption of access or service
- Unauthorized access or unintended use of system assets
- Theft or destruction of hardware or data
- Modification of environmental conditions to negatively impact system functionality

Vulnerability and Exploitation

For a threat agent to successfully conduct an attack against a given target, the chosen attack vector must exploit some inherent weakness or vulnerability within the target. A vulnerability is defined as a weakness in the physical or electronic configuration of a critical digital asset or connected digital asset that could allow an action that compromises the cyber security of the asset. If the attack vector is poorly executed or attempts to leverage an exploit to which the target is not vulnerable, the attack will likely be unsuccessful. This basic concept holds true regardless of whether the attack takes place in the real world or in cyberspace.

Attack Trees

Attack trees are a mature security concept that provides a systematic method to describe the threats that may exist for a given system. As an analytical tool, attack trees are a powerful technique because, unlike other forms of analysis, they require the analyst to adopt the mindset or perspective of the threat agent. This approach also adds significant value to the identification of the scenarios that make up an attack. Developing scenario-based attacks shows that the cyber security specialist has paid particular attention to what and who is presenting a specific cyber security challenge vector.
Attack trees are useful in:
- Identifying potential vectors of attack
- Understanding where critical points of vulnerability exist
- Understanding the effectiveness of deployed countermeasures
- Determining optimal use or placement of countermeasures
- Focusing risk management efforts on the most likely vectors of attack
- Adding value to multiple phases of the system design lifecycle

Defense-in-Depth Strategies

Defense-in-depth is a practice that employs multiple layers of security to guard against the failure of adjacent security components or layers. With proper application of defense-in-depth principles, a single failure within any element of a protective strategy should not result in complete failure of the security system. Defensive strategies represent a documented assortment of comprehensive and diverse technologies, administrative processes, and programmatic procedures that invoke multiple layers of defense to protect critical systems. The defensive strategies devised should ensure that the capability exists to detect, isolate, and neutralize unauthorized activities in a timely manner, so that the design-based functions and capabilities of systems and networks are maintained. Defense-in-depth protective strategies can be visualized as a series of concentric layers (established boundaries) of security in which the vulnerabilities that exist in a given layer are prohibited from existing in the adjacent layers.
Layered Defense Framework (Defense in Depth)

[Figure: the Layered Defense Framework drawn as nine numbered layers. Labels on the diagram: Corporate Perimeter, Remote Access (Dial-up or VPN), Corporate Network, Network Architecture, Energy Management System, Applications, Host Device Security, Electronic Security Perimeter, Communications, AMI Systems.]

Definitions:
- Corporate Perimeter - Defines the separation between the public and corporate domains.
- Remote Access - Methods and controls used to manage access to assets located within the corporate perimeter from locations external to that perimeter.
- Corporate Network - Equipment and topology used to provide the general employee population access to corporate computer resources.
- Host Device Security - Operating systems, access accounts, network services, community strings, and removable media capabilities.
- Applications - All non-operating-system software.
- Communications - Technology and protocols used to communicate outside of a security perimeter.
- AMI - Contains the Head-End system and Meter Data Management Systems.
- Electronic Security Perimeter - Device(s) used to control data flow between two security zones.
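The risk assessment, attack tree and countermeasure placement ideas on the preceding slides can be tried on a small model. The following is an added example, not code from the presentation or from Black & Veatch: it evaluates an attack tree whose AND/OR structure, leaf likelihoods, impact rating and countermeasure effect are all constructed for illustration, with each leaf tied to a layer name from the Layered Defense Framework, and it rates the result with the likelihood-times-impact matrix of NIST SP 800-30. The thresholds that turn a computed probability into a High/Medium/Low likelihood level are the example's own assumption, not part of SP 800-30.

```python
"""Attack-tree evaluation with a NIST SP 800-30 style risk rating.
Added example, not code from the original presentation: the tree, leaf
likelihoods, impact rating and countermeasure effect are constructed for
illustration; layer names are those of the Layered Defense Framework."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: list[Node] = field(default_factory=list)
    likelihood: float = 0.0            # LEAF: assumed probability the step succeeds
    layer: str | None = None           # LEAF: defense layer the step has to cross


def goal_likelihood(node: Node, mitigations: dict[str, float] | None = None,
                    blocked: frozenset[str] = frozenset()) -> float:
    """Likelihood that the threat agent reaches `node`.
    AND: every child step must succeed (product). OR: one branch suffices, and
    the most likely branch is where risk management should focus (maximum).
    `mitigations` maps a defense layer to the fraction of a step's likelihood
    left after a countermeasure is deployed there; `blocked` names leaf steps
    assumed fully prevented (used for the sensitivity ranking)."""
    mitigations = mitigations or {}
    if node.kind == "LEAF":
        if node.name in blocked:
            return 0.0
        return node.likelihood * mitigations.get(node.layer, 1.0)
    values = [goal_likelihood(c, mitigations, blocked) for c in node.children]
    if node.kind == "AND":
        product = 1.0
        for v in values:
            product *= v
        return product
    if node.kind == "OR":
        return max(values)
    raise ValueError(f"unknown node kind {node.kind!r}")


# NIST SP 800-30 Table 3-6: likelihood weight times impact value, binned into
# Low/Medium/High. Mapping a computed probability onto the three likelihood
# levels (thresholds below) is this example's assumption, not part of SP 800-30.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}


def likelihood_level(p: float) -> str:
    return "High" if p >= 0.7 else "Medium" if p >= 0.3 else "Low"


def risk_level(p: float, impact: str) -> str:
    score = LIKELIHOOD_WEIGHT[likelihood_level(p)] * IMPACT_VALUE[impact]
    return "High" if score > 50 else "Medium" if score > 10 else "Low"


def critical_steps(root: Node) -> list[tuple[str, float]]:
    """Rank leaf steps by how much fully blocking that one step lowers the goal
    likelihood: the critical points of vulnerability where a countermeasure buys
    the most. A step scoring 0.0 lies off the most likely path."""
    def leaves(n: Node) -> list[Node]:
        return [n] if n.kind == "LEAF" else [x for c in n.children for x in leaves(c)]
    base = goal_likelihood(root)
    ranked = [(leaf.name, round(base - goal_likelihood(root, blocked=frozenset({leaf.name})), 4))
              for leaf in leaves(root)]
    return sorted(ranked, key=lambda r: -r[1])


def assess(root: Node, impact: str, mitigations: dict[str, float] | None = None) -> dict:
    """Goal likelihood plus its SP 800-30 likelihood and risk levels."""
    p = goal_likelihood(root, mitigations)
    return {"likelihood": round(p, 4), "likelihood_level": likelihood_level(p),
            "risk_level": risk_level(p, impact)}


# Constructed tree: the goal is one event class the presentation lists (forged
# data); each leaf step is tied to the framework layer it must cross.
TREE = Node("Forged meter data accepted by the AMI head-end", "OR", [
    Node("Tamper with readings in transit", "AND", [
        Node("Reach the AMI network from the corporate network", likelihood=0.8,
             layer="Electronic Security Perimeter"),
        Node("Alter readings on the communications path", likelihood=0.6,
             layer="Communications"),
    ]),
    Node("Tamper with stored readings", "AND", [
        Node("Gain remote access to the corporate network", likelihood=0.7,
             layer="Remote Access"),
        Node("Run malware on the head-end host", likelihood=0.4,
             layer="Host Device Security"),
        Node("Modify readings in the meter data management system", likelihood=0.5,
             layer="Applications"),
    ]),
])
# Constructed countermeasure: a control at the Electronic Security Perimeter
# assumed to leave a quarter of the original likelihood of steps crossing it.
ESP_CONTROL = {"Electronic Security Perimeter": 0.25}

if __name__ == "__main__":
    print("before:", assess(TREE, "High"))
    print("after ESP control:", assess(TREE, "High", ESP_CONTROL))
    for name, gain in critical_steps(TREE):
        print(f"{gain:5.2f}  {name}")
```

Running it rates the goal as Medium risk with the in-transit branch as the most likely path, shows the Electronic Security Perimeter control dropping it to Low, and ranks the two in-transit steps as the critical points; the stored-data steps score zero because blocking any one of them leaves the more likely branch untouched, which is the attack-tree argument for placing countermeasures on the most likely vector first.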
Security Controls

Security controls are key elements supporting the overall defensive strategy and are implemented through the mechanisms and methods described within the defense-in-depth protective strategies. Security controls, as discussed in detail in NIST Special Publications 800-53 Rev 3 and 800-82, "Guide to Industrial Control Systems (ICS) Security", are implemented as three types of controls:
- Management Controls
- Operational Controls
- Technical Controls
Development Lifecycle

It is recommended that organizations use a sound lifecycle approach to incorporate cyber security into their infrastructure (NIST SP 800-64 Revision 2). The following components represent some of the stages of such an approach:
- Concept
- Requirements
- Design
- Implementation
- Test
- Installation, Checkout, and Acceptance Testing
- Operation
- Maintenance
- Retirement
Policies & Procedures

Topical areas to be addressed by site-specific cyber security policies include, but are not limited to:
- Use of the Cyber Defensive Model, defensive strategies, and a cyber security plan
- Cyber security assessments of systems and networks
- Roles and responsibilities
- Compartmentalization and separation of duties
- Identification and protection of cyber-sensitive information
- Determination and delineation of critical assets, systems, and networks
- Design and management practices for systems and networks
- Implementation, design, and management of cyber security defense-in-depth protective measures
- Cyber security requirements for software and hardware procurement
- Software quality assurance
- Controlling access to systems and networks
- Monitoring of systems and networks
- Virus/malware protection
- Use of wireless and portable computing devices
- Use of encryption
- Remote access
- Incident response and disaster recovery
- Response to Department of Homeland Security threat level advisories
- Reporting/notification requirements
- Cyber security awareness, training, and education of personnel
Cyber Security Program Roles & Responsibilities

The cyber security program establishes clear and unambiguous roles, responsibilities, authorities, delegations, and interfaces within the organization responsible for implementing and maintaining the company's cyber security program.