Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
Lynda McGhie, CISSP, CISM, CGEIT
Quanta Technology
Executive Advisor, Smart Grid Cyber Security and Critical Infrastructure Protection
lmcghie@quanta-technology.com

Agenda
- Smart Grid Cyber Security Challenges
- IT OT Traditional Integration Challenges
- More Interconnectivity, Distribution and Access Points
- Cyber Security Vs. Compliance
- Smart Grid Vendor Management Challenges
- Software Assurance
- Other Observations
- Positive directions - things are changing

Smart Grid Cyber Security Issues and Challenges
- System complexity is growing through expanding interconnectivity of systems and the extension of the electronic perimeter to new grid components and participants
- Increasingly distributed assets (AMI, HAN)
- Lots of legacy investments that need to be secured alongside newer, unproven technologies
- Security upgrades to legacy systems are limited by inherent limitations of the equipment and architectures
- Operations and control networks previously thought to be inherently protected through private networks, serial connections and proprietary protocols are increasingly vulnerable as networks are connected

Smart Grid Cyber Security Issues and Challenges
- SCADA vulnerabilities and malware (Vendor access, USBs, disgruntled employees)
- Aurora Project proves that control networks can be penetrated
- Cyber threats are unpredictable and evolve faster than the sector’s ability to develop and deploy countermeasures
- Threat, vulnerability, incidents and mitigation information sharing is insufficient among government and industry

Smart Grid Cyber Security Issues and Challenges
- Increasing concern for privacy issues
- Weak business case for cyber security investment by industry
- Regulatory uncertainty in energy sector cyber security
- DOE SGIG investments provided a boost to cyber security awareness and enhancement, but what is next?
- Business drivers to change traditional IT / OT boundaries

Embedded smart-grid equipment like smart meters requires robust security to protect critical utility assets and data. New standards are emerging, requiring system designers to implement multiple layers of security to thwart both physical and cyber attacks.

IT OT Integration Challenges
- Typically do not work together
- OT views the corporate network as vulnerable and resources inadequate
- OT networks and systems have different performance and reliability requirements
- Differing security architectures and risk management goals
- OT legacy systems challenging to support, upgrade and integrate
- Multiple support systems that do not integrate or interoperate – change management, ticketing, tracking and reporting, configuration management, patch management, audit and monitoring

A new suite of cyber security tools recently demonstrated by DOE's Idaho National Laboratory includes a tool, the Sophia situational awareness software, designed to help utilities protect their network and control systems from attack. Sophia passively watches network communications and gives both real-time and historical records of those communications. It can be configured to automatically flag any unusual activity or new types of conversations that may indicate a security issue. Sophia can provide all of the information it receives for operators to evaluate, as can the other tools included in the demonstration.

Typically Corporate IT is surrounded by a lot of controls and bureaucracy that is needed to ensure reliability and availability. Within the non-business networks and operations area, those controls traditionally haven’t existed, and they could get away with doing things without change control, approvals, etc. But with NERC CIP, controls and processes are being added to these control networks. But they can still not deem some environments not to be under NERC CIP. Classify a minimum set of assets.
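
The behaviour the notes above attribute to Sophia (passive observation, a historical record, flagging new types of conversations) can be sketched as a conversation baseline. This is an added example, not code from the presentation or from the Sophia tool; the class, the constructed flow records and the three alert categories are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Record:
    first_seen: str
    last_seen: str
    count: int = 0

class ConversationMonitor:
    """Passive monitor: records every conversation, flags ones absent from the baseline."""
    def __init__(self):
        self.history = {}     # (src, dst, service) -> Record, the historical view
        self.baseline = None  # frozen set of normal conversations; None while learning

    def freeze_baseline(self):
        self.baseline = set(self.history)
        self.hosts = {h for s, d, _ in self.baseline for h in (s, d)}
        self.pairs = {(s, d) for s, d, _ in self.baseline}

    def observe(self, ts, src, dst, service):
        # Always record the flow; alert only the first time it deviates from the baseline.
        key = (src, dst, service)
        first_time = key not in self.history
        rec = self.history.setdefault(key, Record(ts, ts))
        rec.last_seen, rec.count = ts, rec.count + 1
        if self.baseline is None or not first_time:
            return None
        kind = ("new host" if src not in self.hosts or dst not in self.hosts
                else "new peer pair" if (src, dst) not in self.pairs else "new service")
        return f"{ts} {kind}: {src} -> {dst} {service}"

# Constructed flow records (time, source, destination, service); all values are made up.
LEARNING = [
    ("08:00:01", "10.0.1.10", "10.0.2.21", "tcp/502"),  # HMI polls PLC over Modbus
    ("08:00:02", "10.0.1.10", "10.0.2.22", "tcp/502"),
    ("08:00:05", "10.0.1.30", "10.0.2.21", "tcp/502"),  # historian reads PLC
]
LIVE = [
    ("09:10:00", "10.0.1.10", "10.0.2.21", "tcp/502"),  # baseline traffic
    ("09:10:07", "10.0.1.10", "10.0.2.21", "tcp/23"),   # known pair, new service
    ("09:11:30", "10.0.1.30", "10.0.2.22", "tcp/502"),  # known hosts, new pairing
    ("09:12:44", "10.0.9.99", "10.0.2.21", "tcp/502"),  # host never seen before
    ("09:12:45", "10.0.9.99", "10.0.2.21", "tcp/502"),  # repeat: counted, not re-alerted
]

def run_demo():
    monitor = ConversationMonitor()
    for flow in LEARNING:
        monitor.observe(*flow)
    monitor.freeze_baseline()
    alerts = [a for a in (monitor.observe(*flow) for flow in LIVE) if a]
    return monitor, alerts

if __name__ == "__main__":
    print("\n".join(run_demo()[1]))
```

Control traffic is repetitive, so a short learning window yields a small baseline, and each alert category tells the operator whether a device, a pairing or a protocol is the new element.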

New Technology Challenges Traditional Approaches
- More Interconnectivity, distribution and access points
- Mobile devices
- Wireless network security
- Encryption and authentication
- Distributed key management
- Need a secure network for key management
- Integrated and active monitoring

Cyber Security Vs. Compliance
- Culture of compliance, culture of security – Compatible goals?
- Many utilities didn’t have a centralized security function prior to NERC CIP
- Security modeled after NERC CIP – Process not technology oriented
- Risk management and security governance programs are not in place
- Getting management’s attention and building the business case for cyber security after NERC CIP

In a culture of security, extensive dialogue about the meaning of security and the consequences of operating under certain levels of risk is ongoing, by various means, among citizens and stakeholders. When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness. Implementing this strategy will help the sector achieve the following goal: Cyber security practices are reflexive and expected among all energy sector stakeholders.

Assessing and monitoring risk gives companies a thorough understanding of their current security posture, enabling them to continually assess evolving cyber threats and vulnerabilities, their risks, and responses to those risks. Implementing this strategy will help the sector achieve the following goal: Continuous security state monitoring of all energy delivery system architecture levels and across cyber-physical domains is widely adopted by energy sector asset owners and operators.

Sustain Security Improvements. Sustaining aggressive and proactive energy delivery systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives, and close collaboration among stakeholders. Energy sector collaboration provides the resources and incentives required for facilitating and increasing sector resilience. Implementing this strategy will help the sector achieve the following goal: Collaboration between industry, academia, and government maintains cybersecurity advances.

Smart Grid Vendor Management Challenges
- Without skilled resources, many utilities rely on vendors to configure device security
- Vendors do not know utilities' cyber security requirements and do not configure to implement a defined policy or integrated architecture
- No linkage from vendor to vendor – Defense in depth?
- Vendors ship products with little or no security turned on by default
- Rush to bring products to market without testing to ensure that they actually work as advertised or integrate
- Utilities typically don’t have test environments and rely on vendors to test
- Technology and standards continue to evolve
- Vendors won’t share system certifications or provide proof of testing

In a connected world, smart-grid equipment designers must consider security at the earliest stages of design. Today, this means secure microcontrollers that support multiple encryption engines, tamper reaction, and increased manufacturing and IP security. In the future, it will mean micros that do all measurement, encryption, and communications in a single chip. This integration will yield significant security benefits, avoiding unnecessary data transmission between ICs.

Examples – Our vendors manage our security

Software Assurance
- Secure software development
- Integrated systems testing
- Testing code from third-party vendors
- Code testing
- Vendor mergers and use of third-parties
- Built in backdoors for troubleshooting
- Performance/acceptance testing of new control and communication solutions is difficult without disrupting operations

CIOs can reduce the risk of introducing trap-door-riddled IT by demanding proof of an explicit chain of custody from IT suppliers covering all third-party hardware and software they use in their products. They also should require their IT system providers to periodically sample and test their products; and they should procure the same equipment used by government agencies, which in some cases employ electron microscopes and chemicals to test IT components. McDonald says the spotlight on Huawei put IT supply chain risks "on the radar screen of every CIO." Now it’s up to every CIO to act on this information.

Other Smart Grid Deployment Observations
- Smart grid's inherent goal to provide consumers with more information to make informed decisions regarding energy consumption
- But what about concerns for the protection and sharing of usage information and privacy information?
- Loss of traditional physical security perimeters with more distributed assets requiring physical and logical security to work together
- Aging infrastructure – many legacy smart grid assets are not being upgraded or patched
- Outsourced hardware and software support – many partners
- Anti-virus problem still not solved – integrated solutions and management
- Current cyber security skill set and ability to recruit
- Incident Management continues to evolve and integrate

Other Smart Grid Deployment Observations

An increased amount of customer information is being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use. If customers believe a utility is itself abusing personally identifiable data, or is generally enabling the use of personal information beyond what they deem acceptable (whether or not legal), then they are likely to resist the implementation of AMI. Consumers may refuse to consent (where required), hide their data or awaken political opposition. Utilities may face customer liability claims or regulatory fines if inadequate privacy or security practices enable eavesdroppers, adversaries or bad actors to acquire and use AMI data to a customer’s detriment. Utilities must take privacy and security concerns into account when designing AMI and must persuade consumers, regulators and politicians that privacy interests are adequately protected.

Positive Directions – Things are Changing
- Beginning to see a risk management Vs. pure compliance approach to security within the utilities
- Government, vendors, research and universities and utilities are working together
- Practical, business-oriented metrics and measurement mechanisms are being developed and used
- Increased visibility and understanding of current state and challenges, and to facilitate prioritization
- Beginning to describe security requirements and incidents in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability
- More attention to Operational-side issues