Download presentation
Published byDorcas Montgomery Modified over 9 years ago
1
Lessons Learned in Smart Grid Cyber Security
Lynda McGhie CISSP, CISM, CGEIT Quanta Technology Executive Advisor Smart Grid Cyber Security and Critical Infrastructure Protection
2
Agenda Smart Grid Cyber Security Challenges
IT OT Traditional Integration Challenges More Interconnectivity, Distribution and Access Points Cyber Security Vs. Compliance Smart Grid Vendor Management Challenges Software Assurance Other Observations Positive directions - things are changing
3
Smart Grid Cyber Security Issues and Challenges
System complexity is growing through expanding interconnectivity of systems and the extension of the electronic perimeter to new grid components and participants Increasingly distributed assets (AMI, HAN) Lots of legacy investments that need to be secured along side newer, unproven technologies Security upgrades to legacy systems are limited by inherent limitations of the equipment and architectures Operations and control networks previously thought to be inherently protected through private networks, serial connections and proprietary protocols are increasingly more vulnerable as networks are connected
4
Smart Grid Cyber Security Issues and Challenges
SCADA vulnerabilities and malware (Vendor access, USBs, disgruntled employees) Aurora Project proves that control networks can be penetrated Cyber threats are unpredictable and evolve faster than the sector’s ability to develop and deploy countermeasures Threat, vulnerability, incidents and mitigation information sharing is insufficient among government and industry
5
Smart Grid Cyber Security Issues and Challenges
Increasing concern for privacy issues Weak business case for cyber security investment by industry Regulatory uncertainty in energy sector cyber security DOE SGIG investments Provided a boost to cyber security awareness and enhancement, but what is next? Business drivers to change traditional IT / OT boundaries Embedded smart-grid equipment like smart meters require robust security to protect critical utility assets and data. New standards are emerging, requiring system designers to implement multiple layers of security to thwart both physical and cyber attacks.
6
IT OT Integration Challenges
Typically do not work together OT views the corporate network as vulnerable and resources inadequate OT networks and systems have different performance and reliability requirements Differing security architectures and risk management goals OT legacy systems challenging to support, upgrade and integrate Multiple support systems that do not integrate or interoperate – change management, ticketing , tracking and reporting, configuration management, patch management, audit and monitoring A new suite of cyber security tools recently demonstrated by DOE's Idaho National Laboratory includes a tool, the Sophia situational awareness software, designed to help utilities protect their network and control systems from attack. What Sophia can do is passively watch network communications and give both real-time and historical records of those communications. And it can be configured to automatically flag any unusual activity or new types of conversations that may indicate a security issue. Sophia can provide all of the information it receives for operators to evaluate, as can the other tools included in the demonstration. Typically Corporate IT is surrounded by a lot of controls and beauracracy that is needed to ensure reliability and availability. Within the non-business networks and operations area those controls traditionally haven’t existed previously and they could get away with doing things without change control, approvals, etc. But with NERC CIP controls and processes are being added to these control networks. But they can still not deem some environments not to be under NERC CIP. Classify a minimum set of assets.
7
New Technology Challenges Traditional Approaches
More Interconnectivity, distribution and access points Mobile devices Wireless network security Encryption and authentication Distributed key management Need a secure network for key management Integrated and active monitoring
8
Cyber Security Vs. Compliance
Culture of compliance, culture of security – Compatible goals? Many utilities didn’t have a centralized security function prior to NERC CIP Security modeled after NERC CIP – Process not technology oriented Risk management and security governance programs are not in place Getting management’s attention and building the business case for cyber security after NERC CIP In a culture of security, extensive dialogue about the meaning of security and the consequences of operating under certain levels of risk is ongoing, by various means, among citizens and stakeholders. When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness. Implementing this strategy will help the sector achieve the following goal: Cyber security practices are reflexive and expected among all energy sector stakeholders. Assessing and monitoring risk gives companies a thorough understanding of their current security posture, enabling them to continually assess evolving cyber threats and vulnerabilities, their risks, and responses to those risks. Implementing this strategy will help the sector achieve the following goal: Continuous security state monitoring of all energy delivery system architecture levels and across cyber-physical domains is widely adopted by energy sector asset owners and operators. Sustain Security Improvements. Sustaining aggressive and proactive energy delivery systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives, and close collaboration among stakeholders. Energy sector collaboration provides the resources and incentives required for facilitating and increasing sector resilience. Implementing this strategy will help the sector achieve the following goal: Collaboration between industry, academia, and government maintains cybersecurity advances.
9
Smart Grid Vendor Management Challenges
Without skilled resources, many utilities rely on vendors to configure device security Vendors do not know utilities cyber security requirements and do not configure to implement a defined policy or integrated architecture No linkage from vendor to vendor – Defense in depth? Vendors ship products with little or no security turned on by default Rush to bring products to market without testing to ensure that they actually work as advertised or integrate Utilities typically don’t have test environments and rely on vendors to test Technology and standards continue to evolve Vendors won’t share system certifications or provide proof of testing In a connected world, smart-grid equipment designers must consider security at the earliest stages of design. Today, this means secure microcontrollers that support multiple encryption engines, tamper reaction, and increased manufacturing and IP security. In the future, it will mean micros that do all measurement, encryption, and communications in a single chip. This integration will yield significant security benefits, avoiding unnecessary data transmission between ICs. Examples – Our vendors manage our security
10
Software Assurance Secure software development
Integrated systems testing Testing code from third-party vendors Code testing Vendor mergers and use of third-parties Built in backdoors for troubleshooting Performance/acceptance testing of new control and communication solutions is difficult without disrupting operations CIOs can reduce the risk of introducing trap-door-riddled IT by demanding proof of an explicit chain of custody from IT suppliers covering all third-party hardware and software they use in their products. They also should require their IT system providers to periodically sample and test their products; and they should procure the same equipment used by government agencies, which in some cases employ electron microscopes and chemicals to test IT components. McDonald says the spotlight on Huawei put IT supply chain risks "on the radar screen of every CIO. " Now it’s up to every CIO to act on this information.
11
Other Smart Grid Deployment Observations
Smart grids inherent goal to provide consumers with more information to make informed decisions regarding energy consumption But what about concerns for the protection and sharing of usage information and privacy information? Loss of traditional physical security perimeters with more distributed assets requiring physical and logical security to work together Aging infrastructure – many legacy smart grid assets are not being upgraded or patched Outsourced hardware and software support – many partners Anti-virus problem still not solved – integrated solutions and management Current cyber security skill set and ability to recruit Incident Management continues to evolve and integrate Other Smart Grid Deployment Observations An increased amount of customer information being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use. If customers believe a utility is itself abusing personally identifiable data, or is generally enabling the use of personal information beyond what they deem acceptable (whether or not legal), then they are likely to resist the implementation of AMI. Consumers may refuse to consent (where required), hide their data or awaken political opposition. Utilities may face customer liability claims or regulatory fines if inadequate privacy or security practices enable eavesdroppers, adversaries or bad-actors to acquire and use AMI data to a customer’s detriment. Utilities must take privacy and security concerns into account when designing AMI and must persuade consumers, regulators and politicians that privacy interests are adequately protected.
12
Positive Directions – Things are Changing
Beginning to see a risk management Vs. pure compliance approach to security within the utilities Government, vendors, research and universities and utilities are working together Practical, business-oriented metrics and measurement mechanisms are being developed and used Increased visibility and understanding of current state and challenges, and to facilitate prioritization Beginning to describe security requirements and incidents in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability More attention to Operational-side issues
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.