Post on 06-Apr-2022
WIRAB Webinar Series on Cybersecurity of
Electric Utility Industrial Control Systems
Webinar #2 – Power Grid Resilience and Mitigating the Impacts of a Cyber Event
December 8, 2017
Three Webinar Series
• Introduction to Industrial Control Systems, Threats and Risks and Future Trends for Cybersecurity – Friday, December 1, 2017 at 11:00 AM MT
• Power Grid Resilience and Mitigating the Impacts of a Cyber Event – Friday, December 8, 2017 at 11:00 AM MT
• Challenges with State/Provincial Policies to Address Cyber Risk – Friday, December 15, 2017 at 11:00 AM MT
• More information and recordings available at: westernenergyboard.org/category/webinars/
Copyright © 2017
About Today's Presenters
Earl W. Shockley
President, Founder, inPOWERd LLC
Roger Hill
Chief Technology Officer, Veracity Industrial Networks
A quick summary from our last webinar…
Future trends in securing ICS and the US DoE CEDS program approach to attack surface reduction for the Power Grid
Overview of Industrial Control Systems (ICS), types of systems and the components that encompass these systems
The industry segments that utilize ICS (Energy, Automotive, Transportation, Chemical, etc.)
Different goals and priorities between operations technology (OT) and information technology (IT):
IT: 1. Confidentiality 2. Integrity 3. Availability
OT: 1. Safety 2. Availability 3. Integrity 4. Confidentiality
Breakdown of the adversaries and bad actors and motivations. Discussion of common threat vectors to ICS. Explored the anatomy of a cyber attack on ICS
Agenda for today's webinar
• Overview of 2003 Blackout – “Sparks Power Grid Resilience Movement”.
• Power Grid Resilience Defined.
• Issues Facing Power Grid Resilience.
• Why Power Grid Resilience is Important to Mitigate Cyber Events.
• Connecting the dots between the DoE Chess Master and Resilience Enhancement using Software Defined Networking.
Overview of 2003 blackout – Sparks grid resilience
• On August 14, 2003, large portions of the Midwest and Northeast United States and Ontario, Canada, experienced an electric power blackout.
• The outage affected an area with an estimated 50 million people and 61,800 megawatts (MW) of electric load in the states of Ohio, Michigan, Pennsylvania, New York, Vermont, Massachusetts, Connecticut, New Jersey and the Canadian province of Ontario.
• The blackout began a few minutes after 4:00 pm Eastern Daylight Time (16:00 EDT), and power was not restored for 4 days in some parts of the United States. Parts of Ontario suffered rolling blackouts for more than a week before full power was restored.
• Estimates of total costs in the United States range between $4 billion and $10 billion (U.S. dollars). In Canada, there was a net loss of 18.9 million work hours, and manufacturing shipments in Ontario were down $2.3 billion (Canadian dollars).
Power grid resilience defined:
What is the Difference Between Reliability and Resilience?
“…reliability can be defined as the ability of the power system to deliver electricity in the quantity and with the quality demanded by users. Reliability is generally measured by interruption indices defined by the Institute of Electrical and Electronics Engineers Standard 1366.”
“…resilience can be defined as the ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.” The National Infrastructure Advisory Council (2009, 8)
Three properties for grid resilience (R1)
1. Absorptive, which is the ability of the grid to minimize the disruption from the initial attack.
2. Adaptive, which is the ability of the grid to keep operating under the damaged state.
3. Restorative, which is the ability of the grid to restore to full functionality after the attack.
Five key issues facing power grid resilience
1. North America's power grid is vulnerable to “Severe Events” such as natural disasters, operational issues, physical threats, and cyber attacks.
2. Increasing reliance on cyber infrastructure, including computers, communication networks, other control system electronics, smart meters, and other distribution-side cyber assets, in order to achieve its purpose of delivering electricity to the consumer.
3. Aging workforce issues (loss of tribal knowledge) and a lack of work force cyber security expertise.
4. Vulnerabilities from aging critical Infrastructure and critical infrastructure interdependencies.
5. Supply Chain Vulnerabilities.
Aging workforce and challenges to resilience (R6)
1. The energy industry is experiencing a huge turnover in workforce.
• 234,000 estimated new jobs in the West Coast energy industry will need to be filled over the next 15 years. 1.5 million needed across the energy sector by 2030.
2. Energy worker retirements are occurring at a rate more than double the percentage of new energy apprentices being trained. 500,000 workers are expected to retire in the next 5 to 10 years.
3. The average energy worker is seven years older than the average worker across all industries in the United States.
4. 77 percent of energy companies find it difficult to hire qualified employees – especially cyber security subject matter experts (SMEs). 30 percent of firms claimed insufficient qualifications, certifications, and education.
5. The Energy Industry is changing rapidly and the needed skill mix has shifted and will shift more rapidly in the future. Entire job classes have been phased out and new ones created. Worker demographics are shifting and training models have shifted.
6. Emerging Technology has a place in helping to retain tribal knowledge as well as reducing the complexity of legacy systems.
Critical Infrastructure interdependencies (R2)
[Graphic: Increase Visibility, Understanding and Control. Graphic reference: NIST SP 800-161]
Cyber smart grids – Enhancement of resilience
• In a smart grid environment, it is expected that the cyber-physical system would be attack resilient using security at the device or component levels.
• “Self-healing networks” not only addresses automated network restoration strategies considering distributed energy resources, but also deals with high level decentralized control methodologies to prevent blackouts.
• A smart grid can be treated as the combination of physical power system components and cyber system infrastructure including software defined networks, hardware and communication requirements.
• Emerging technology does not equal complexity - reducing complexity helps address the aging workforce and a lack of cyber security SMEs.
DoE Chess Master Innovation to realize cyber grid resilience
Utilizing Software Defined Networking (SDN) to drive grid and cyber resilience
Continual and Autonomous Reduction of Cyber Attack Surface for Energy Delivery Control Systems
Hardware Defined Networking (HDN) vs Software Defined Networking (SDN)
Logical separation of the control plane to a centralized control plane.
[Diagram: under Hardware Defined Networking, each of four devices has its own Control Plane and Data Plane. Under Software Defined Networking, each of four devices has a Controller Agent and a Data Plane, all connected to one SDN Controller (Logical Control Plane), which exposes APIs to three Business Applications.]
Software Defined Networking (SDN) – Packet Flow Part 1
Known and Allowed Traffic
[Diagram: A, Switch, B and Controller, with numbered steps; traffic label: “Ping B”]
“I know what to do with ping.”
“Working” traffic never leaves the switching fabric.
Unknown / New Traffic
[Diagram: A, Switch, B and Controller, with numbered steps; traffic label: “DNP3 B”]
“What do I do with DNP3 from A to B?”
“Pass it and remember for next time.”
“Centralized” decision of what to do with the flow.
Software Defined Networking (SDN) – Packet Flow Part 2
Known and Denied Traffic
[Diagram: A, Switch, B and Controller, with numbered steps; traffic label: “FTP B”]
“Not allowed.”
“Explicit” deny rule for flow.
Known, Allowed, and Audited Traffic
[Diagram: A, Switch, B and Controller, with numbered steps; traffic label: “FTP B”]
“A is FTP’ing to B. I will alert people. I might copy the packets to a logger, too.”
“Audited” traffic for authorized flow.
Software Defined Networking (SDN) – Packet Flow Part 3
Quarantined Devices (or Device Types... or Zones... or...)
[Diagram: A, Switch, B and Controller, with numbered steps; traffic label: “Various”]
“A is trying to do things. I will alert people. I might copy the packets to a logger, too.”
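The switch and controller behaviour shown across Packet Flow Parts 1 to 3, as an added example that is not from the original slides: a toy Python model in which the switch caches the controller's decision per flow, unlisted flows are denied by default, audited flows raise an alert and are copied to a logger, and a quarantined device loses its cached rules. The host names, the policy table, the telnet flow and the choice to drop quarantined traffic are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY, AUDIT = "allow", "deny", "audit"

@dataclass
class Controller:
    policy: dict                      # (src, dst, proto) -> verdict; absent flows are denied
    quarantined: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    packet_ins: int = 0               # how many times a switch had to ask

    def decide(self, flow):
        """Centralized decision for a flow the switch has no rule for."""
        self.packet_ins += 1
        if flow[0] in self.quarantined:
            self.alerts.append(("quarantined device active", flow))
            return None               # assumption: drop, and never cache, so every attempt alerts
        verdict = self.policy.get(flow, DENY)     # deny by default
        if verdict == AUDIT:
            self.alerts.append(("audited flow started", flow))
        return verdict

@dataclass
class Switch:
    controller: Controller
    flow_table: dict = field(default_factory=dict)
    logger: list = field(default_factory=list)    # packets copied for audit

    def handle(self, src, dst, proto):
        flow = (src, dst, proto)
        verdict = self.flow_table.get(flow)
        if verdict is None:                       # unknown / new traffic: ask the controller
            verdict = self.controller.decide(flow)
            if verdict is None:                   # source is quarantined
                self.logger.append(flow)
                return "drop"
            self.flow_table[flow] = verdict       # remember for next time
        if verdict == AUDIT:
            self.logger.append(flow)
        return "drop" if verdict == DENY else "forward"

    def quarantine(self, host):
        self.controller.quarantined.add(host)
        self.flow_table = {f: v for f, v in self.flow_table.items() if f[0] != host}

def demo():
    # Constructed policy: DNP3 from A to B is allowed, FTP from A to B is allowed but audited.
    sw = Switch(Controller({("A", "B", "dnp3"): ALLOW, ("A", "B", "ftp"): AUDIT}))
    protos = ("dnp3", "dnp3", "ftp", "telnet", "telnet")
    results = [sw.handle("A", "B", p) for p in protos]
    asks_before = sw.controller.packet_ins        # repeated packets hit the cached rule
    sw.quarantine("A")
    results.append(sw.handle("A", "B", "dnp3"))   # previously allowed, now dropped
    return results, asks_before, sw.controller.alerts
```

The five packets before quarantine cost only three controller lookups, which is the "working traffic never leaves the switching fabric" point from Part 1.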
Abstraction of complexities key to operation efficiency
• Transitioning from a serial based infrastructure to Ethernet based infrastructure represents a transfer of knowledge
• Subject matter experts for the physical process that is being automated and controlled are critical to a sound cyber resilience plan
• User Experience will be key, as well as complexity abstraction, to enable users to make effective business decisions quickly while leveraging their knowledge of the automated process
Complexity is the Enemy of Security!
• Improve the efficiency and productivity of SMEs, critical to addressing knowledge transfer in transitioning from tribal knowledge
• Model cyber physical system network into simulated network. Test to predict behavior and reduce human error
• Creation of change management into policy enforcement model with integrated digital peer review provides non-repudiation
• Allow decisions to be made based upon device behavior and the functional role of the device; abstract the complexities of HOW
Applying resilience properties to securing the network fabric
Examination of how the resilience properties can be applied specifically to cyber resilience
Defining a threat state model first to the Normal resilience property
NORMAL: NORMAL resilience property corresponds to the DEFCON 5 threat state
Disaster recovery planning exercises utilized as process to define threat state categories. Each elevated state of threat presents a new response plan that has a corresponding policy.
Threat State elevates from DEFCON 5 to DEFCON 1
How the Absorptive resilience property can be realized for cyber resilience
ABSORPTIVE: ABSORPTIVE property minimizes the disruption from initial attack
• Absorptive property is applied specifically to the Reconnaissance stage of the cyber kill chain
• Inherently, the deny-by-default approach applied to the network renders network scanning tools and techniques useless
• Active defense strategies can be applied in the form of deception to provide false information to the adversary
How the Adaptive resilience property can be realized for cyber resilience
ADAPTIVE: ADAPTIVE property ensures operational continuity during attack
Defense Readiness Condition (DEFCON) represents a pre-defined response plan to ensure operational continuity, availability and critical mission of the system
System Threat State Automatically Triggers Pre-Designed Response Policy to Changing Threat
DEFCON 5: Most permissive, least restrictive policy
DEFCON 4
DEFCON 3
DEFCON 2
DEFCON 1: Autonomous zones, mission critical devices & mission critical communication only
Responsible use of encryption to enable threat state transitions
• Redefine firewalls by securing every flow of data by every device
• Application of encryption on switch fabric transparent to connected device
• Transition from static segmentation and trust zones to dynamic micro-segmentation
Preview to our next series: Webinar 3 State/Provincial Policies
• Challenges with the speed of technology vs response by policy makers
• Compliance of regulation does not equal security
• How language can be critical in defining policy
• Enabling innovation with specific focus of commercialization at the State and/or Provincial level
Questions & Answers Panel
Earl W. Shockley
President, Founder, inPOWERd LLC
Earl.shockley@inpowerd.com | www.inpowerd.com | 423-667-4938
Roger Hill
Chief Technology Officer, Veracity Industrial Networks
roger@veracity.io | www.veracity.io | 678-381-6426
References
OT environments have as many as 10X the assets, and the CISO and Security often have little knowledge of their technology and no idea where they even are
1. Analysis of Determinants of the Impact and the Grid Capability to Evaluate and Improve Grid Resilience from Extreme Weather Event, Fauzan Hanif Jufri, Jun-Sung Kim, and Jaesung Jung (Nov 2017)
2. Severe Impact Resilience: Considerations and Recommendations, NERC Severe Impact Resilience Task Force (May 2012)
3. Addressing Dynamic Threats to the Electric Power Grid Through Resilience, The Chertoff Group (Nov 2014)
4. Electric Grid Security and Resilience: Establishing a baseline for Adversarial Threats, ICF International (June 2016)