josh long: minimum cyber security requirements for a 20 mw photo voltaic field
TRANSCRIPT
Josh Long and Charlie Givens
ENERGYTECH 2015
Minimum Cyber Security
Requirements for a 20 MW
Photo Voltaic Field
Bechtel Group, NS&E
December 1, 2015
Author Biography
Josiah (Josh) Long
Bechtel Global Corp: Nuclear Security & Environmental
Senior Technical Engineering Specialist
30+ Years experience
Functional Engineering Control System & Electrical Staff
25 years Power, 15 years Nuclear, 10 years Government
BSEE Virginia Tech (1981)
PE (Control System Engineering), GICSP, ISA CFS & SFS
Voting Member ISA 67.04&06 Nuclear SR Setpoints
Whitewater, R&R Guitar and Bass, Robotics
Overview
Introduction
Description of the 20 MW Standard PV Plant
General Approach to Risk
Risk with the 20 MW Standard
Cyber Security Management System (CSMS)
Summary
Elements of the
Standard 20MW
Solar Facility
© Bechtel | 4
PART 1 – Project Overview
Description of the 20 MW Standard PV Plant
Plot Plan – Covers 85 Acres of relatively flat terran
Plant includes 10 Identical 2 MW Standard Blocks
Electrical Designs
– Arrays are based on minimizing wire and maximizing density
– Inverters are centrally located to the blocks
– Transformers are daisy chained to Substation/Switchyard
SCADA Design
– Standard SCADA system is a Cal ISO base configuration
– 2 SCADA Remote Terminal Units (RTUs) are required
– 1 Weather Station is included.
PART 1 – Project Overview
Plot Plan – Covers 85 Acres of relatively flat terrain
PART 1 – Project Overview
Plant includes 10 Identical 2 MW Standard Blocks
PART 1 – Project Overview
Arrays are based on minimizing wire and maximizing density
PART 1 – Project Overview
Transformers are daisy chained to Substation/Switchyard
PART 1 – Project Overview
Description of the 20 MW Standard PV Plant
SCADA Design
– Standard SCADA system is a Cal ISO base configuration
– 2 SCADA Remote Terminal Units (RTUs) are required
– 1 Weather Station is included.
SCADA
UNIT 1
Weather
Station
SCADA
UNIT 2
Elements of the
Risk Assessment
© Bechtel | 11
Part 2 – Risk Assessment Plan
RISK MANAGEMENT PLAN
Asset List
Goals
Risks
Controls
Program
Part 2 – Risk ASSET LIST
CREATE AN ASSET LIST
Solar Panels $20M
Panel Rack $3.8M
Inverters/Transformer $3.5M
SCADA $50K
Metering $50K
Substation/Switchgear $50k
Security Features ???
Cabling and Wires $1M
Part 2 – Risk Assessment
OBJECTIVES OF THE FACILITY
What are the Goals of the site
– Power Generation
– Resale
– Dispatch
– Automatic Generation
– Backup Power
Each Can Change The Risk Profile
Part 2 – Risk Assessment
OBJECTIVES OF THE FACILITY
Power Generation – In the base configuration only generation matters
Resale – If resale is required then Metering is important
Dispatch – If Dispatch is require then a mean of changing output is required
» Internet, Dedicated Phone, Manned Facility
Automatic Generation – Automatic Generation may require automatic control perhaps through SCADA
Backup Power – Backup Power may require a higher integrity of supplied components
Part 2 – Major Risks
Key Risk
Natural Disaster – Earthquake, Hurricane, Flood, Lightening
Infrastructure Failure – Power Grid, Intranet, Communications
Internal Issues – Thief, Damage, Infect, Sabotage
Accidents – Fall or Crushing Incident, Shock, Electrocution
External Targeted Attacks – Thief, Mass Damage, Cyber
External Mass Attacks – Planned Systematic Physical Attack
Part 2 – Risk Controls
What Controls (NIST 800 – 53/82)
The Principle Elements of a Cyber Security Program
– People
– Procedures
– Configs and Physical Security
ISA 99 and NIST 800 Series Approaches to Documentation
Part 2 – Risk Program
Program – Recommended Elements
Policies and Practices (Standards?)
Resource Inventory
Security Liaisons
Normalized Risk Formula
Risk/Change Management Committee
Map of Risk to Objectives
Contributing Security Programs
Exception Tracking
© Bechtel | 19
20MW PV FIELD
Final Cyber
Requirements
Part 3 – Minimum Requirements
SWGR USER
MW MW
Part 3 – The Reality of Operation
TOP OPERATIONS ISSUES
1. Perimeter Fence Damage
2. Vandalism or Theft
3. Transformer Leakage
4. Various Inverter Damage
5. Broken Conduit or Combiner Box Damage
6. Vegetation Overgrowth
7. Cell Browning/Discoloring or Shorted Cell
8. Shorted Cell
9. Unclean Panels
10.Animal Nuisance
Part 3 – A More Realistic Approach
© 2012 Bechtel | 22
Firewall
Switch
SCADA
Unit 1
Security System
CCTV System
SCADA
Unit 2 HISTORIAN
WS MW
Part 3 - Execution
EXECUTION to be performed on an annual or quarterly basis
The Principle Elements of Cyber Security
– People
– Procedures
– Configs and Physical Security
Monitoring
Improvement Plan
Design Delta
Summary