Power System Cybersecurity: Threats, Challenges, and Barriers

Post on 08-Feb-2017


TRANSCRIPT

Power System Cybersecurity Threats, Challenges, and Barriers

Nathan Wallace, PhD, CSSA, Cybersecurity Research Engineer

05 Jan. 2017

Personal Background

•  Volunteering
•  EE Intern: Drafting
•  EE Intern: Protection Settings & Config
•  Associate Engineer: Transmission System Protection
•  Research Associate
•  Visiting Lecturer
•  Staff Engineer
•  Cybersecurity Researcher

Overview

•  Why: State of Affairs (Grid & Cyberspace); Cybersecurity => Safety; Misconceptions & Challenges
•  What are we missing: Cyber-aware devices and systems

80–95% of the Grid's Cyber Assets Fall Outside NERC-CIP

80–90% of the Grid's Cyber Assets are Outside NERC-CIP

Most Violated: NERC-CIP & NERC-PRC

Security: "The facet of reliability that relates to the degree of certainty that a relay or relay system will not operate incorrectly." (slide overlay extends the definition with "cyber device or" relay)

Cyber Security: sources of risk

•  Nation States
•  Hackers
•  Vendors
•  Intentional Insider
•  Accident Insider
•  Misconfiguration

Cybersecurity = Physical + EMI + Digital [Computing & Communications]

Two Infrastructures

[Figure: Residential, Industrial, Commercial loads; Generation, Transmission, Distribution; Control Center, Distribution Control Center, RTOs/ISO]

•  Physical
•  Cyber

2016 Tech Expo: Virtual reality used to fix a steam turbine that's located hours away.

State of Affairs: The Grid

[Figure: Monitoring Points and Control Points across the domains Markets, Operations, Service Provider, Generation, Transmission, Distribution, Customer]

State of Affairs: The Grid

[Figure: the same domains connected by Communication, labelled CYBER]

                Northeast Outage 2003   Arizona Outage 2007   FPL Outage 2008   Ukraine Attack 2016
Load Lost       61,800 MW               400 MW                4,300 MW          230,000 Customers
Intent          Unintentional           Unintentional         Unintentional     Intentional
Cyber Caused    Yes                     Yes                   Yes               Yes

State of Affairs: The Grid: 'Grid of Things'

"Our expectations is that the modernized electricity grid will be 100 to 1000 times larger than the Internet" – CISCO VP

Computational drivers:

•  Advanced Metering
•  Electric Vehicles
•  Distributed Generation
•  Grid Modernization
•  Distribution Automation

State of Affairs: Cyberspace (http://map.ipviking.com/)

•  Avg price per 0-day: USD $40,000–$160,000
•  Avg number of days a 0-day remains private: 151 days
•  Avg number of days till patch is issued: 120 days
•  Avg of newly created malware per day: 300,000
•  Avg dwell time till detection: 205 days

State of Affairs: Cyberspace & Cyberwar

"Global Cyber Weapon Market Expected to Reach USD 522 billion in 2021."

– Global Newswire, 2015, Transparency Market Research Report

Cybersecurity => Safety

•  21 Lines of Code
•  Aurora Generator Test
•  Distribution System Operator
•  Virtual Power Plant

Common Misconceptions

•  We are not a target. (Ipviking, Shodan, ICS-CERT, Foreign FTP servers)
•  Minimum security needed, we are low impact. (Ukraine, Changing Standards, State Regulations)
•  We are not connected to the Internet. (Stuxnet, Reporting capacity to RTO, Firewalls)

Challenges

Misconception: We are not a target. Ipviking, Shodan, ICS-CERT

[Chart: Incidents per year, 2012–2015; y-axis 0–350]

Misconception: We are not a target. Ipviking, Shodan, ICS-CERT, FTP servers

•  Seven file (FTP) servers with no authorization
•  ~20,000 files: Generation, Transmission, Distribution Systems, "From New York to California"
•  71 Generation Plants
•  Passwords, electrical drawings, communication drawings (IP, protocols), etc.
•  File servers contained malicious code

"Digital clues pointed to foreign hackers."

Source: AP Investigation: US Power Grid Vulnerable to Foreign Hacks. Dec. 21, 2015

Misconception: Minimum security needed, we are low impact. Ukraine

30 Stations De-energized

•  7 110 kV stations
•  23 35 kV stations
•  ~3 to 6 hrs to re-energize
•  230,000 customers impacted
•  Telephone denial of service
•  Breached 6 months prior
•  Altered firmware at substations

"We were blinded" – Control Center Operator, Dec 23 2015

Source: E-ISAC. Analysis of the Cyber Attack on the Ukrainian Power Grid. March 18, 2016

Misconception: Minimum security needed, we are low impact. Ukraine, Changing Standards

[Timeline slide: Voluntary -> Mandatory]

•  2000: Voluntary
•  2002: 1st IEEE Substation Sec Standard
•  2005: Energy Policy Act
•  2005: Mandatory
•  2007: FERC designates NERC as ERO
•  2010: Stuxnet Discovered
•  2010: NERC updates Asset ID CIP-002 v4
•  2012: FERC Approves Asset ID CIP-002 v4
•  2013 Apr: Metcalf Attack
•  2015: NERC Effective Asset ID CIP-002 v5.1
•  2015 Dec: Ukraine
•  2017: FERC to Approve NERC CIP v7
•  NERC Physical Security v3

'Code moves faster than Policy'

Misconception: Minimum security needed, we are low impact. Ukraine, Changing Standards, State Regulations

Misconception: We are not connected to the Internet. Stuxnet, Reporting Capacity to RTO, Firewall

•  Aug 13th 2016: accidental release of 0-day vulnerabilities kept by a Govt. (Cisco, Juniper, etc.)

Challenges: No Longer Can Set It and Forget It

Challenges: Cybersecurity: Whose Responsibility is it? IT Dept. vs OT Dept.

-  Software to determine how power flows and when breakers open/close
-  Apache, Telnet, SSH, MySQL, FTP, LDAP, Embedded Linux, Windows, etc.
-  Virtual Power Plants and protection relays, software defined networking

Challenges: Complexity and Age

Power Grid / Space Station VS TV / Integrated Circuit

•  Age is physical and has visual indicators
•  Age is an abstraction and exists in software

Challenges: Vendor Confusion / Sales Pitches

Example 1: Install smart meter to 'side-step cybersecurity requirements'
Issue: How are the values being used when received…

Example 2:
Issue: Software and protocols have a tendency to become vulnerable over time (Poodle, Heartbleed, Shellshock, etc.)
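The two preceding slides make the same point from two sides: age in software has no visual indicator, and software and protocols that were fine when installed become vulnerable over time. The following script is an added example, not part of the deck, of making that abstract age visible: it walks a constructed asset inventory (hypothetical device names, versions and dates), computes how old each installed version is, flags versions past vendor support, and flags exposed services the deck names as common on OT networks (Telnet, FTP) together with SSLv3 (POODLE). The age limit and the service list are assumptions chosen for the example.

```python
"""Added example, not from the slides: making software 'age' visible in an inventory."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    version: str
    released: date              # release date of the installed version
    support_ends: date          # vendor end-of-support for that version
    services: Tuple[str, ...]   # network services the asset exposes


# Exposed services with well-known weaknesses (Telnet/FTP are named on the deck,
# SSLv3 is the protocol behind POODLE). Constructed list for the example.
WEAK_SERVICES: Dict[str, str] = {
    "telnet": "cleartext remote shell",
    "ftp": "cleartext file transfer",
    "sslv3": "POODLE (SSL 3.0 padding oracle)",
}

# Constructed inventory: hypothetical devices, versions and dates.
INVENTORY: List[Asset] = [
    Asset("sub-rtu-01", "rtu-firmware", "3.2.1", date(2009, 6, 1), date(2014, 6, 1), ("telnet", "dnp3")),
    Asset("sub-gw-02", "embedded-linux", "2.6-vendor", date(2012, 3, 15), date(2016, 3, 15), ("ssh", "https", "sslv3")),
    Asset("hist-srv-01", "historian", "7.0", date(2016, 1, 10), date(2021, 1, 10), ("https",)),
    Asset("file-srv-03", "file-server", "1.4", date(2013, 9, 1), date(2018, 9, 1), ("ftp",)),
]

# Assessment date used by the demo (the date of the talk).
AS_OF = date(2017, 1, 5)


def software_age_days(asset: Asset, as_of: date) -> int:
    """Age of the installed version in days: the 'abstract' age the slide refers to."""
    return (as_of - asset.released).days


def assess_asset(asset: Asset, as_of: date, max_age_days: int) -> List[str]:
    """Return the findings for one asset (empty list means nothing to report)."""
    findings: List[str] = []
    age = software_age_days(asset, as_of)
    if age > max_age_days:
        findings.append(f"installed version is {age} days old (limit {max_age_days})")
    if as_of > asset.support_ends:
        findings.append(f"vendor support ended {asset.support_ends.isoformat()}")
    for svc in asset.services:
        reason = WEAK_SERVICES.get(svc.lower())
        if reason:
            findings.append(f"exposes {svc}: {reason}")
    return findings


def assess_inventory(inventory: List[Asset], as_of: date,
                     max_age_days: int = 5 * 365) -> Dict[str, List[str]]:
    """Map asset name -> findings; assets with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        findings = assess_asset(asset, as_of, max_age_days)
        if findings:
            report[asset.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY, AS_OF).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The age limit is a policy knob, not a security property in itself; the value of the report is that "this firmware is 7.6 years old and two years out of support" is now a number a maintenance plan can act on, where a cabinet full of relays shows nothing.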

What are we missing

Exhibit 4.1.1 Strategies for Achieving Energy Delivery Systems Cybersecurity

Vision: By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.

Strategies:

•  Build Culture of Security
•  Assess and Monitor Risk
•  Protective Measures to Reduce Risk
•  Manage Incidents
•  Sustain Security Improvements

Milestones highlighted on the slides:

Near-term (0–3 years), By 2013:

•  3.1 Capabilities to evaluate the robustness and survivability of platforms, systems, networks, and systems
•  4.1 Tools to identify cyber events across all levels of energy delivery system networks
•  4.2 Tools to support and implement cyber attack response decision making for the human operator

Mid-term (4–7 years), By 2017:

•  4.4 Real-time forensics capabilities
•  4.5 Cyber event detection tools that evolve with the dynamic threat landscape

Long-term (8–10 years), By 2020:

•  2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains.
•  4.7 Capabilities for automated response to cyber incidents.

[Figure: layered model]

•  Business Layer: Requirements, Regulations, Incentives
•  Life-Cycle Management Layer: Design, Upgrades, Ops, Disposal
•  Operations Layer: Sensors, Computing Platform, Models, Power System State, Controller, Monitor, Control
•  Physical Layer
•  Cyber-Physical Layer
•  Models: Current (Cyber, Phys., Econ.) vs New (CPS)

What are we missing

Physical Infrastructure (Flow of Power): Protection and Control

•  Inputs: Currents, Voltages, Impedance, Status (open, close, lockout)
•  Output: Open/Close Bkr, +/- Vars

Cyber Infrastructure (Computation & Communication): Detection, Processing, Manipulation

•  Inputs: Topology, traffic flows, deep packet inspection, communication state, state of physical power system
•  Output: NOTHING!
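The slide's point is that a relay turns currents, voltages and status into a concrete output (open or close the breaker), while the cyber inputs listed beside them currently produce no output at all. The monitor below is an added example, not code from the deck or from any product, of what a "cyber-aware" output could look like: each breaker-open command seen on the network is checked against both the physical state (is there fault current, is the breaker actually closed) and the cyber state (does the command come from an address in the expected topology, does the device firmware still match its baseline, is the command rate normal, is an operator session established), and the result is a decision with reasons rather than silence. Breaker names, addresses, thresholds and the sample states are all constructed for the example.

```python
"""Added example, not from the slides: giving the cyber side of a protection device an output."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed expected topology: which master/HMI addresses may command which breaker.
ALLOWED_MASTERS: Dict[str, Set[str]] = {
    "BKR-101": {"10.1.1.5"},
    "BKR-102": {"10.1.1.5", "10.1.1.6"},
}


@dataclass
class PhysicalState:
    current_a: float        # measured line current in amps
    pickup_a: float         # relay pickup setting; at or above this a trip is expected
    breaker_closed: bool


@dataclass
class CyberState:
    src_ip: str                   # source of the command (from DPI of the control protocol)
    session_authenticated: bool   # an operator session is established on the issuing master
    firmware_hash_ok: bool        # device firmware still matches the known-good baseline
    cmds_last_minute: int         # commands from this source in the last minute (traffic-flow input)


@dataclass
class Decision:
    action: str                   # "ALLOW", "ALERT" (pass but notify) or "HOLD" (await operator confirmation)
    reasons: List[str] = field(default_factory=list)


# Substrings of findings that mean the command may not come from the expected system at all.
HARD_FINDINGS = ("not an allowed master", "firmware")


def evaluate_open_command(breaker: str, phys: PhysicalState, cyber: CyberState,
                          max_cmds_per_minute: int = 5) -> Decision:
    """Combine physical and cyber inputs into one output for a breaker-open command."""
    reasons: List[str] = []

    # Cyber inputs: topology, integrity, communication pattern.
    if cyber.src_ip not in ALLOWED_MASTERS.get(breaker, set()):
        reasons.append(f"{cyber.src_ip} is not an allowed master for {breaker}")
    if not cyber.firmware_hash_ok:
        reasons.append("device firmware does not match baseline")
    if cyber.cmds_last_minute > max_cmds_per_minute:
        reasons.append(f"command rate {cyber.cmds_last_minute}/min exceeds {max_cmds_per_minute}/min")

    # Physical input: is there an electrical reason, or an operator, behind the command?
    fault_present = phys.current_a >= phys.pickup_a
    if not fault_present and not cyber.session_authenticated:
        reasons.append("open command with no fault current and no operator session")
    if not phys.breaker_closed:
        reasons.append("breaker already open; command is redundant")

    if not reasons:
        return Decision("ALLOW")
    # Topology or integrity failures hold the command for confirmation; softer
    # anomalies let it through but raise an alert so the operator is not "blinded".
    hard = any(h in r for r in reasons for h in HARD_FINDINGS)
    return Decision("HOLD" if hard else "ALERT", reasons)


if __name__ == "__main__":
    # Protection trip on a real fault from the expected master: passes all checks.
    print(evaluate_open_command("BKR-101",
                                PhysicalState(2500.0, 1200.0, True),
                                CyberState("10.1.1.5", False, True, 1)))
    # Open command from an address outside the expected topology, with no fault present.
    print(evaluate_open_command("BKR-101",
                                PhysicalState(300.0, 1200.0, True),
                                CyberState("10.9.9.9", False, True, 1)))
```

The split between HOLD and ALERT is the design choice worth arguing over: a protection device must never be slower to clear a real fault because of a cyber check, so anything that coincides with fault current above pickup is allowed through unless the command's origin or the device's own integrity is in doubt. The Ukraine slide's "altered firmware at substations" and "we were blinded" are exactly the two inputs (firmware baseline, operator visibility) this small monitor adds.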

What are we missing: Safety?

Questions & Thoughts? Nathan Wallace, PhD, CSSA, nathanwallace@computer.org, @NathanSWallace

IEEE Computer Society New Orleans Chapter

•  Meeting Ideas
•  Meeting Locations
•  Take our Survey: What are your Interests and Ideas?

The scope of the Computer Society shall encompass all aspects of theory, design, practice, and application relating to computer and information processing science and technology.

http://sites.ieee.org/neworleans/cs-survey/
