project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies and Project Use Cases Embedding Security Software Sébastien Breton, Airbus Defence & Space CyberSecurity

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Forewords  Be reminded that there are two cultures:  For IT People, security means cybersecurity  For ICS people, security means safety and reliability  In electric systems, safety and reliability are of paramount importance, and any cyber security measures should not jeopardize power system operations! IT: Information Technology ICS: Industrial Control System Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Outline  Introduction  Cybersecurity context: today’s grid  Cybersecurity concepts  Defence-in-depth  Incident handling  Critical elements  Cyber-physical attacks  Preventing the hack  Can your smart grid system survive from a cyber attack?  Conclusion Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Introduction  Cybersecurity must be considered as a whole system approach  Security requirements to be implemented in a given system must be drawn from a security risk analysis, which, in the specific field of smart grid systems, must take into account not only cyber risks and physical risks, but combined cyber-physical risks, so as to deter cyber-physical threats Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Cyber Security Context: today’s grid  Blackouts, reported in several cities since 2000 (Northeast, Florida, etc.), could have been caused by cyber-attacks against the electric grid  U.S. Department of Homeland Security investigated over 200 serious cyber-attacks against critical infrastructure during the first half of 2013  Electric grid targeted in over half of these attacks  Blackhat: Pentesting Smart Grid and SCADA with SamuraiSTFU Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Defence-in-depth  Setting up a cybersecurity strategy, based on a layered approach, to mitigate the risk: Embedding Security Software Prevention Continuous actions and measures put in place to reduce the risk of threats E.g.: Patch management process, software updates, security by design Detection Approaches to identify anomalous behaviours and discover intrusion E.g.: Intrusion detection system, traffic inspection Response Emergency operation plans and incident mitigation activities (short term actions) E.g.: Containing a cyber attack, modifying firewall filtering rules Recovery Reconstitution of smart grid operations E.g.: Remediation activities

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Incident handling [1] Preparation [2] Identification [3] Containment [4] Eradication [5] Recovery [6] Lessons learned Embedding Security Software SANS: Sysadmin, Audit, Networking and Security

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Critical elements  The cybersecurity strategy should consider the following critical elements as being all necessary for each prevention, detection, response, recovery building blocks: TECHNOLOGY PROCESS PEOPLE Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Critical elements applied to prevention (Example) PEOPLE CYBER SECURITY AWARENESS TRAINING (SECURE CODING) PROCESS TRUSTED SUPPLY CHAIN PATCH VALIDATION TECHNOLOGY UP-TO-DATE ALGORITHM STANDARD Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Cyber-physical attacks  Cyber-physical attacks (also called blended attacks) cause a greater impact and/or different consequences than a cyber or physical attack could cause individually  To address the enhanced impacts, risks and vulnerabilities for both cyber and physical attacks must be considered  Can your smart grid system survive from a cyber attack? Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Common control system vulnerabilities and weaknesses Embedding Security Software Software / Product Security Weaknesses Improper input validation Poor code quality Permissions, privileges and access controls Improper authentication Insufficient verification of data authenticity Cryptographic issues Credentials management Configuration and maintenance Configuration weaknesses Permissions, privileges and access controls Improper authentication Credentials management Security configuration and maintenance Planning, policy, procedures Audit and accountability configuration Network security weaknesses Common network design weaknesses Weak firewall rules Network component configuration (Implementation) vulnerabilities Audit and accountability Source: Cyber–Physical System Security for the Electric Power Grid, Proceedings of the IEEE | Vol. 100, No. 1, January 2012

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Embedding security software  Large scale key management and cryptographic algorithm  Integrity of the software is not simply checking a CRC « signature »  It must rely on cryptographic signature, which implies managing secret elements (cryptographic keys). It is the only way to truly authenticate the software editor  Don’t implement your own cryptographic algorithm. You’ll fail!  Secure communications  Must be based on standard protocols with a given cryptograhic key size  Managing technological obsolescence… !  Authentication of remote critical controls  Protection against eavesdropping (encrypt!)  Get your software product independently assessed or pentested  And of course, it is all about human people:  Provide relevant training (secure coding…) Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Conclusion  To address new security challenges, cyber security needs to be integrated with system theory to guarantee resilience of the grid  MAS²STERING shall provide:  Cross domain (power/electrical to cyber/digital) security event detection (SIEM), analysis and response  Secure communications in regards of the privacy concerns  Role-based access control (RBAC) to authenticate, authorize and grant access to the smart grid system Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Backup slides Embedding Security Software

project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Bibliography  NIST Guidelines for Smart Grid Cybersecurity  Volume 1 – Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirementsines for Smart Grid Cybersecurity  Volume 2 – Privacy and the Smart Grid  Volume 3 – Supportive Analyses and References  SANS Institute  The Incident Handlers Handbook  The CERT Division  Secure coding  OWASP Embedding Security Software