Josh Long: Minimum Cyber Security Requirements for a 20 MW Photo Voltaic Field

Josh Long and Charlie Givens ENERGYTECH 2015 Minimum Cyber Security Requirements for a 20 MW Photo Voltaic Field Bechtel Group, NS&E December 1, 2015

Upload: energytech2015

Post on 25-Jan-2017


TRANSCRIPT

Page 1: Josh Long: Minimum Cyber Security Requirements for a 20 MW Photo Voltaic Field

Josh Long and Charlie Givens

ENERGYTECH 2015

Minimum Cyber Security Requirements for a 20 MW Photo Voltaic Field

Bechtel Group, NS&E

December 1, 2015

Page 2

Author Biography

Josiah (Josh) Long

Bechtel Global Corp: Nuclear Security & Environmental

Senior Technical Engineering Specialist

30+ Years experience

Functional Engineering Control System & Electrical Staff

25 years Power, 15 years Nuclear, 10 years Government

BSEE Virginia Tech (1981)

PE (Control System Engineering), GICSP, ISA CFS & SFS

Voting Member ISA 67.04&06 Nuclear SR Setpoints

Whitewater, R&R Guitar and Bass, Robotics

Page 3

Overview

Introduction

Description of the 20 MW Standard PV Plant

General Approach to Risk

Risk with the 20 MW Standard

Cyber Security Management System (CSMS)

Summary

Page 4

Elements of the Standard 20MW Solar Facility

© Bechtel | 4

Page 5

PART 1 – Project Overview

Description of the 20 MW Standard PV Plant

Plot Plan – Covers 85 Acres of relatively flat terrain

Plant includes 10 Identical 2 MW Standard Blocks

Electrical Designs

– Arrays are based on minimizing wire and maximizing density

– Inverters are centrally located to the blocks

– Transformers are daisy chained to Substation/Switchyard

SCADA Design

– Standard SCADA system is a Cal ISO base configuration

– 2 SCADA Remote Terminal Units (RTUs) are required

– 1 Weather Station is included.

Page 6

PART 1 – Project Overview

Plot Plan – Covers 85 Acres of relatively flat terrain

Page 7

PART 1 – Project Overview

Plant includes 10 Identical 2 MW Standard Blocks

Page 8

PART 1 – Project Overview

Arrays are based on minimizing wire and maximizing density

Page 9

PART 1 – Project Overview

Transformers are daisy chained to Substation/Switchyard

Page 10

PART 1 – Project Overview

Description of the 20 MW Standard PV Plant

SCADA Design

– Standard SCADA system is a Cal ISO base configuration

– 2 SCADA Remote Terminal Units (RTUs) are required

– 1 Weather Station is included.

[Diagram: SCADA Unit 1, Weather Station, SCADA Unit 2]

Page 11

Elements of the Risk Assessment

Page 12

Part 2 – Risk Assessment Plan

RISK MANAGEMENT PLAN

Asset List

Goals

Risks

Controls

Program

Page 13

Part 2 – Risk ASSET LIST

CREATE AN ASSET LIST

Solar Panels $20M

Panel Rack $3.8M

Inverters/Transformer $3.5M

SCADA $50K

Metering $50K

Substation/Switchgear $50K

Security Features ???

Cabling and Wires $1M

Page 14

Part 2 – Risk Assessment

OBJECTIVES OF THE FACILITY

What are the Goals of the site?

– Power Generation

– Resale

– Dispatch

– Automatic Generation

– Backup Power

Each Can Change The Risk Profile

Page 15

Part 2 – Risk Assessment

OBJECTIVES OF THE FACILITY

Power Generation – In the base configuration only generation matters

Resale – If resale is required then Metering is important

Dispatch – If Dispatch is required then a means of changing output is required

» Internet, Dedicated Phone, Manned Facility

Automatic Generation – Automatic Generation may require automatic control perhaps through SCADA

Backup Power – Backup Power may require a higher integrity of supplied components

Page 16

Part 2 – Major Risks

Key Risk

Natural Disaster – Earthquake, Hurricane, Flood, Lightning

Infrastructure Failure – Power Grid, Intranet, Communications

Internal Issues – Theft, Damage, Infect, Sabotage

Accidents – Fall or Crushing Incident, Shock, Electrocution

External Targeted Attacks – Theft, Mass Damage, Cyber

External Mass Attacks – Planned Systematic Physical Attack

Page 17

Part 2 – Risk Controls

What Controls (NIST 800-53/82)

The Principal Elements of a Cyber Security Program

– People

– Procedures

– Configs and Physical Security

ISA 99 and NIST 800 Series Approaches to Documentation

Page 18

Part 2 – Risk Program

Program – Recommended Elements

Policies and Practices (Standards?)

Resource Inventory

Security Liaisons

Normalized Risk Formula

Risk/Change Management Committee

Map of Risk to Objectives

Contributing Security Programs

Exception Tracking

Page 19

20MW PV FIELD Final Cyber Requirements

Page 20

Part 3 – Minimum Requirements

[Diagram labels: SWGR, USER, MW, MW]

Page 21

Part 3 – The Reality of Operation

TOP OPERATIONS ISSUES

1. Perimeter Fence Damage

2. Vandalism or Theft

3. Transformer Leakage

4. Various Inverter Damage

5. Broken Conduit or Combiner Box Damage

6. Vegetation Overgrowth

7. Cell Browning/Discoloring or Shorted Cell

8. Shorted Cell

9. Unclean Panels

10. Animal Nuisance

Page 22

Part 3 – A More Realistic Approach

© 2012 Bechtel | 22

[Diagram: Firewall, Switch, SCADA Unit 1, Security System, CCTV System, SCADA Unit 2, Historian, WS, MW]

Page 23

Part 3 - Execution

EXECUTION to be performed on an annual or quarterly basis

The Principal Elements of Cyber Security

– People

– Procedures

– Configs and Physical Security

Monitoring

Improvement Plan

Design Delta

Summary