Four Layers of Smart Grid Security

Post on 25-Feb-2016


Transcript of Four Layers of Smart Grid Security

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.


Four Layers of Smart Grid Security

Session: Energy Cybersecurity II

Ernie Hayden CISSP CEH
Managing Principal – Critical Infrastructure Protection/Cyber Security
Verizon Risk Team
Feb 13, 2013


Today’s Agenda

• Smart Grid Security: Who’s Worried and Why?
• “Layers” of Concern
  – Physical Layer
  – Cyber Layer
  – Privacy Layer
  – Storage Layer
• Just What To Do?
• Question & Answer


History of Verizon Security Practice


Who is Worried About Smart Grid Security?
High-Level Security Concerns from Global Agencies

• Acknowledged by:
  – European Network and Information Security Agency (ENISA)
  – National Institute of Standards and Technology (NIST)
  – North American Electric Reliability Corporation (NERC)
  – Department of Homeland Security (DHS)
  – Department of Energy (DOE)
  – Federal Energy Regulatory Commission (FERC)
  – Government Accountability Office (GAO)
  – Selected Nations and US State Public Utility Commissions


DOE and NIST Concerns

• Increasing Complexity of the Grid

• Interconnected Networks Can Introduce Common Vulnerabilities

• Increasing Vulnerabilities to Communications

• Introduction of Malicious Software

• Increased Number of Entry Points and Paths for Potential Adversaries to Exploit

• Potential for Compromise of Data Confidentiality, Including Breach of Customer Privacy


Who Said Anything About Complexity?


“LAYERS” OF CONCERN

• Physical
• Cyber
• Privacy
• Storage


Physical Layer Security

• Natural Disasters
  – Snow Storms
  – Hurricanes
  – Solar Flares
  – Geomagnetic Storms
  – Earthquakes
  – Flooding
  – Volcanoes

• Recognize that Location of the Smart Grid Components Can Be Affected by the Surrounding Environment

• US Case – Overheating Meters


Cyber Layer Security

• The Biggest Opportunity for Trouble
• “The Last Mile” Issues
• Remember – Added Complexity Causes Concerns


“Last Mile”

• Broadband Power Line Systems
• Power Line Carrier Systems
• Public Switched Telephone Network (PSTN)
• Cat5/6 Network Connection
• Radio Frequency
  – WiMax
  – ZigBee
  – 6LoWPAN
  – 802.11x
  – Cellular (CDMA/EVDO, GSM, LTE)


Cyber Attacks

• Remember C I A
  – Confidentiality Attacks
    • Reading, “Sniffing” the Data
  – Integrity Attacks
    • Changing the Data
  – Availability Attacks
    • Denial of Service – Prevent Use of Service
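The slide names the integrity and availability problems on the meter-to-utility link but does not show what a defence looks like. The following is an added example, not code from the presentation or from Verizon: each interval reading carries an HMAC-SHA256 tag computed with a per-meter key over a fixed-width encoding, and the receiving head-end checks the tag in constant time and rejects any message whose sequence number does not advance. The meter ID, key, timestamps and watt-hour values are constructed sample data; the `Reading` layout is an assumed one, not a standard meter message format.

```python
"""Integrity and replay protection for smart-meter interval readings.

Added example (not from the presentation). A per-meter HMAC-SHA256 tag over a
canonical encoding of each reading is checked at the utility head-end together
with a strictly increasing sequence number. Meter IDs, keys and readings are
constructed sample values; the message layout is an assumption for this demo.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed 256-bit key for one meter. In a deployment the key is provisioned
# per meter and held in the head-end key store, never shared across meters.
SAMPLE_METER_ID = 4242
SAMPLE_KEY = bytes(range(32))


@dataclass(frozen=True)
class Reading:
    meter_id: int    # assumed 32-bit meter identifier
    seq: int         # per-meter message counter, must increase on every send
    timestamp: int   # Unix time at the end of the interval
    watt_hours: int  # energy in the interval; integers avoid float encoding ambiguity


def encode(r: Reading) -> bytes:
    # Fixed-width big-endian fields so the bytes under the MAC are unambiguous.
    return struct.pack(">IQQQ", r.meter_id, r.seq, r.timestamp, r.watt_hours)


def sign(key: bytes, r: Reading) -> bytes:
    """Meter side: tag the reading with the meter's key."""
    return hmac.new(key, encode(r), hashlib.sha256).digest()


class HeadEnd:
    """Utility side: verifies tags and rejects replayed or stale messages."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys
        self.last_seq: dict[int, int] = {}

    def accept(self, r: Reading, tag: bytes) -> tuple[bool, str]:
        key = self.keys.get(r.meter_id)
        if key is None:
            return False, "unknown_meter"
        # Constant-time comparison; a timing difference on the tag check would
        # leak information about the expected tag.
        if not hmac.compare_digest(sign(key, r), tag):
            return False, "bad_mac"
        # Sequence must advance, so a captured genuine message cannot be re-sent.
        if r.seq <= self.last_seq.get(r.meter_id, -1):
            return False, "replay_or_stale"
        self.last_seq[r.meter_id] = r.seq
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Walk through a genuine message, a tampered one, a replay, and the next genuine one."""
    head_end = HeadEnd({SAMPLE_METER_ID: SAMPLE_KEY})
    r1 = Reading(SAMPLE_METER_ID, seq=1, timestamp=1360800000, watt_hours=350)
    t1 = sign(SAMPLE_KEY, r1)
    results = [head_end.accept(r1, t1)]                 # genuine reading: accepted
    # Integrity attack: the consumption value is altered in transit, tag unchanged.
    tampered = Reading(SAMPLE_METER_ID, seq=2, timestamp=1360800900, watt_hours=35)
    results.append(head_end.accept(tampered, t1))      # rejected: bad_mac
    # Replay: the first genuine message is captured and sent again.
    results.append(head_end.accept(r1, t1))            # rejected: replay_or_stale
    # The next genuine interval still goes through.
    r2 = Reading(SAMPLE_METER_ID, seq=2, timestamp=1360800900, watt_hours=410)
    results.append(head_end.accept(r2, sign(SAMPLE_KEY, r2)))  # accepted
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The tag covers only integrity and origin; it does nothing against the “sniffing” attack on the same slide, which needs the link itself encrypted (TLS or DTLS on IP-based last-mile links, or the link-layer security of the radio standard in use). The sequence counter also gives the head-end a simple availability signal: a burst of `replay_or_stale` or `bad_mac` rejections from one meter is worth an alert rather than silent discard.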


Privacy Attacks

http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf


Privacy Attacks (2)

• Very Emotional Discussion
• State of California
  – Smart Grid and IOU’s
• Theoretical Impacts
• But…Demographic Data has Value



Storage

“Data Avalanche!” – Numerous Data Fields and Classes

Today’s Environment:
  – Analog Meters or Simple Digital Meters
  – Manually Read or Use “Drive By” Reading
  – Read Monthly (or Less Frequently)
  – Simple Data Fields – KWH Used Since Last Reading
  – Minimal Data Accumulation

The Future Smart Grid:
  – “Smart” Digital Meters & “Smart” Sensors
  – Automatic Reading
  – Read Every ~15 Minutes or More Frequently
  – Numerous Data Fields and Classes

Image credits: www.smartgridnews.com; Microsoft Clip Art Online (Used with Permission – E N Hayden)


Is it a Data Avalanche? Tsunami?

• Lux Research: Utilities Manage 9x Current Data if Go to Smart Grid (Boston: Jan 26, 2011)
• Types of Data from Smart Meters
  – Broadcast Data
  – Billing Interval Data
  – Detailed Consumption Data
  – Aggregate Statistical Data
• Predictions
  – Prediction for U.S. by 2019: 100M Meters, 100 Petabytes generated during the next 10 years (West Coast Utility)
  – Utilities spent $356M on Smart Grid data analytics tools in 2010; $4.2B in 2015 (Pike Research)
  – 300 TB per year of meter data by 2012 (Southeast U.S. Utility) (as of 2011)


1 Petabyte is 1000 Terabytes!


What To Do?

• #1: Start with the NISTIR 7628 and ENISA
• #2: Begin with Security in Mind
• #3: Work with Your Meter Vendors
• #4: Establish Incident Response Team and Practice
• #5: Include Security Experts in Design, Build and Operate Phases
• #6: Have a Dedicated Security Team for SG
• #7: Monitor Regulations Affecting the SG
• #8: Ensure Code Includes Security (Ref: OWASP)
• #9: Beware of Remote Connections
• #10: Ultimate Job: Protect the Data!


QUESTIONS? OBSERVATIONS?


Ernie Hayden CISSP CEH
Managing Principal
Critical Infrastructure Protection/Cyber Security Verizon Risk Team
+1 206-458-8761
ernie.hayden@verizon.com