Communications and Cyber Security (indiasmartgrid.org/event2017/10-03-2017/4. Roundtable on...)
-
Satya Gupta
Head (IT) & CISO
Tata Power Delhi Distribution Ltd
Communications and Cyber Security
10th March 2017
-
Tata Power-DDL BUSINESS OVERVIEW
Licensed for distribution of power in North and North West Delhi
Certifications : ISO 9001, 14001, 27001, 22301, 31000, SA 8000 & OHSAS 18001
Joint Venture of Tata Power Company and Govt. of NCT of Delhi (51: 49)
Parameter | Values (Jul'02) | Values (Mar'16)
AT&C Loss | 53.10% | 8.88%
Annual Energy Requirement | 970 MW | 1791 MW
Total Registered Customers | 7 Lakhs | 15.3 Lakhs
Number of Employees | 5600 | 3525
Area: 510 SQ KMS
Turnover: INR 6174 Crs
-
Multi-pronged approach adopted by Management to turn around a traditional Government setup into a role model for private sector efficiency in only 10 years
What TPDDL had inherited
AT&C losses: > 50%
No concept of consumer service and IT interface
Lack of performance orientation
Electricity supply system on the verge of collapse
Current scenario
AT&C losses: 8.88%
One stop solution: State-of-the-art Integrated Call Centers & Consumer Care Centers
Performance orientation through Change Management & Balanced Scorecard Approach
Remarkable improvement in System Reliability: DT losses
-
Vision 2022
-
Industry's Shift Towards Smart Grid
The Power Sector's move towards Smart Grid practices has resulted in a steep rise in adoption of various advanced IT & OT technologies.
Communication technology plays a key role in the implementation of various Smart Grid Technologies.
Robust Cyber Security practices are required to ensure all systems & services are up and running (24x7).
-
Communication a Key Enabler of Smart-Grid
Smart Grid requires a robust and a two-way communication system.
Applications like AMI, ADR, ADMS etc. require information to be communicated on a real-time basis.
Communication system acts as the cornerstone for successful implementation of various Smart Grid applications.
Any failure in ensuring an effective communication system will have severe impact on reliability and services.
-
TPDDL Communication System: Objectives
TPDDL established its Communication Network (in FY 2004-2005) across its area of operation, to support:
- Operational applications like SCADA / Tele-protection / GIS / OMS
- Commercial and Billing applications
- Enterprise applications: SAP CRM / SAP BCM / SAP ERP, e-mail etc.
TPDDL has upgraded its Communication Network to TP-MPLS (in FY 2014-2015), to support:
- Forthcoming Smart Grid applications such as AMI, EV charging stations, MWM, ADR and Integrated security solution etc.
-
TP-DDL Communication Landscape
The communications landscape consists of TP-DDL's own OFC network, covering all main offices, data centers, stores, district offices and zonal offices.
-
Redundant Communication Network
[Figure: FIBER RING - TPDDL. A core ring (STM 16) with Sub Rings 1 to 5 (STM 4 each) connecting grid stations, district offices and customer care centres. Legend: Fiber Main Ring, Fiber Sub Ring, Grids, Enterprise Data, Enterprise and Grid, VSNL gateway for internet.]
-
Adoption of Technology
[Figure labels: Offices, TRANSCO Grid Stations, Sub Transmission Grid Stations, Distribution Stations, Customers; Communication Network; Data Center One, Data Center Two; applications: SCADA/DMS/DA, SAP-ISU (CRM/Billing), SAP (PM/PS/MM/HR/FICO), GIS, Call Centre, OMS, AMR/PG/SPT BILL, Web.]
ISO 9001, ISO 27001 & BCMS (ISO 22301:2012) certified
-
Integrated Communications Architecture
[Figure labels, communication tiers: Home / Customer Network (Home Network, Meters & Premise Gateways); Local Field Comms / Neighborhood Aggregation (Access Communication); Utility Wide Comm. (Back Haul Communication); Back-Office & Operational Systems; External Data Access (Web Access for 3rd Parties, Customers, Field Crew).]
[Figure labels, systems: AMI Mgmt System; T&D Management System; Control & Monitoring Centers; Monitoring, SA, DA; Field Workforce Automation; PEV Monitoring; AMI; Distribution Equipment; T&D Equipment; DG (pictured: 200kW Phosphoric Acid Fuel Cell).]
[Figure labels, technologies: Zigbee, Bluetooth, HomePlug; WiFi, WiMax, PLC, RF Mesh, GSM, CDMA; Microwave, SDH, MPLS, MPLS-TP, CE; Ethernet LAN; Internet, HTTPS, VPN.]
-
Cyber Security - Vital for Survival
Mail service on mobile and web (External/Internal)
Website: consumers accessing connection, reading, bill and payment details, etc.
Online bill payment
SMS services for consumers
E-procurement
Smart Grid applications need to communicate with various field-based devices
IT & OT Integration for enhancing consumer experience
FFA for improving field-based operations
-
Cyber Security Challenges
Highly exposed and distributed environment
Technology Obsolescence
Separate IT & OT Verticals with limited coordination
Less awareness about cyber security practices among OT team members
Cyber Security not considered during fundamental design phase
Fast and constantly evolving nature of security risks
Ever evolving standards, technologies, services, applications
Increasing complexity of systems:
- Mobile & Wireless Everywhere
- Heterogeneous Systems
- Multiple Interfaces
-
Cyber Security for Smart Grid
Change in traditional scenario
Grid automation systems use public networks due to lower costs
Increases the vulnerability of grids to cyber attacks
Field components like RTU are attacked through remote access
Using communication protocols available in public domain, an intruder can reverse engineer the data acquisition protocols & exploit them
Network topology vulnerability is exploited, e.g. DoS attack
Classification of Attacks
- Component-wise
- Protocol-wise
- Topology-wise
-
Strategies to detect & Mitigate
Network Segmentation
Effective network segmentation restricts communication between networks and reduces the extent to which an
adversary can move across the network
Strict Role-Based Access Control
Grants or denies access to resources based on job function
Active Directory (AD) implements role-based user access control through group policies.
Application Whitelisting
Permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else
Eliminates the execution of unknown executables, including malware
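An added example, not part of the original slides: one way to audit observed flows against the default-deny zone policy that network segmentation implies. The IT/OT/DMZ zone names follow the deck; the subnets, ports, allowlist entries and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone map: subnets are placeholders, not TPDDL addressing.
ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),   # SCADA / OMS servers
    "IT": ipaddress.ip_network("10.20.0.0/16"),   # enterprise applications
    "DMZ": ipaddress.ip_network("10.30.0.0/24"),  # public portals
}

# Default deny: only these (source zone, destination zone, TCP port)
# conduits may cross a zone boundary. All entries are hypothetical.
ALLOWED = {
    ("IT", "DMZ", 443),
    ("INTERNET", "DMZ", 443),
    ("OT", "DMZ", 8443),  # hypothetical one-way data export
}

def zone_of(addr):
    """Map an address to its zone; anything unmapped counts as INTERNET."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"

def check_flow(src, dst, port):
    """Return (verdict, src_zone, dst_zone) for one observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return ("intra-zone", sz, dz)
    if (sz, dz, port) in ALLOWED:
        return ("allowed", sz, dz)
    return ("violation", sz, dz)

def audit(flows):
    """Return flows that cross a zone boundary without an allowlisted conduit."""
    return [(s, d, p) + check_flow(s, d, p)[1:] for s, d, p in flows
            if check_flow(s, d, p)[0] == "violation"]

# Constructed flow records (src, dst, dst_port), e.g. taken from firewall logs.
SAMPLE_FLOWS = [
    ("10.20.5.14", "10.30.0.10", 443),   # IT user to public portal: allowed
    ("10.20.5.14", "10.10.1.20", 502),   # IT host to OT server: violation
    ("203.0.113.7", "10.10.1.20", 22),   # external host to OT: violation
    ("10.10.1.20", "10.10.1.21", 502),   # inside OT: intra-zone
    ("10.10.1.20", "10.30.0.10", 8443),  # OT export to DMZ: allowed
]
```

Calling `audit(SAMPLE_FLOWS)` returns the two cross-zone flows into OT that the allowlist does not cover.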
-
Multiple Layers of Security
Firewall based security
Intrusion Detection System
Threat Management Gateway (Proxy Server)
Demilitarized zone for all public portals
Single sign-on
Secure tunnel via two factor authentication for Remote Access
Vulnerability assessment & Penetration Testing
-
Operationalizing Information Security
Regular Review meeting of Information Security Council (ISC) for identifying new risks, mitigating them
and discussing Incidents
Involvement of Top Management
Cyber Security Awareness through TIPS, Quiz, sessions etc.
Involvement of all major departments like OT, HR, Finance, Administration, Safety, Legal, etc. in Council
Annual Plan for review and implementation -
- Review and update processes
- Focus on creating awareness on IT Security
- DR Drill at regular intervals
- Pro-active approach before implementing any new solution
System-driven implementation of various policies: password & patch management, anti-virus, etc.
-
Cyber Security Control Room
EMS, NMS and SIEM generate huge volumes of logs.
A Cyber Security Control Room is required for real-time monitoring and analysis, to decide on and quickly take preventive and corrective actions in case of any event / incident, activating the Emergency Response Team if required.
-
IT OT Technology Segregation at DCs
[Figure: DC1 Segregation of IT & OT, showing an IT Network and an OT Network. Labels: ISP, ISP router (CENNET), Local LAN for CENNET, CHECKPOINT (4800 series), DMZ, ISA, Websense, Ironport, Mailbox, Exchange server, SAP/R3 Application servers, Database Servers, Crystal Reports, MUX, 6509 Switch, 4507 Switch, Enterprise Router, SCADA Router, SCADA Switch, SCADA Servers, OMS Switch, OMS Servers.]
-
Risk Mitigation
Penetration Testing followed by Grey Box testing, through CERT approved agency, for all portals on public domain e.g. Website, Customer Portal, E-tendering, etc. to ensure that
- Public portals are secured to avoid hacking.
- Consumer data remains confidential.
Training team members to develop secure web enabled S/Ws
Robust Change Management Process for H/W & S/W
Pro-active approach for Security of System before implementing any new solution in both IT & OT side
-
Best Practices at TPDDL
ISO 27001 certification for both IT & OT Systems
HR directly activates and de-activates mail-ids on joining and separation
Revalidation of User ids, VPN access specially for critical roles or discontinuation of BA services
Regular DR Drill for all critical applications, network, electrical equipment, etc.
n-1 for all elements i.e. IT Infra, Communication, Data Center, Application and Manpower
Use of BitLocker Drive Encryption to protect hard disk on laptops to protect Enterprise Data
Security Incidents handled by Information Security Council
Measurement of Information Security parameters through Departmental Balanced Score Card
-
THANK YOU