Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No....
-
Upload
alison-carpenter -
Category
Documents
-
view
212 -
download
0
Transcript of Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No....
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Business Convergence WS#2Smart Grid Technologies and Project Use Cases
Embedding Security SoftwareSébastien Breton, Airbus Defence & Space CyberSecurity
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Forewords
Be reminded that there are two cultures: For IT People, security means cybersecurity For ICS people, security means safety and
reliability
In electric systems, safety and reliability are of paramount importance, and any cyber security measures should not jeopardize power system operations!
IT: Information TechnologyICS: Industrial Control System
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Outline
Introduction Cybersecurity context: today’s grid Cybersecurity concepts
Defence-in-depth Incident handling Critical elements
Cyber-physical attacks Preventing the hack
Can your smart grid system survive from a cyber attack?
Conclusion
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Introduction
Cybersecurity must be considered as a whole system approach
Security requirements to be implemented in a given system must be drawn from a security risk analysis, which, in the specific field of smart grid systems, must take into account not only cyber risks and physical risks, but combined cyber-physical risks, so as to deter cyber-physical threats
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Cyber Security Context: today’s grid
Blackouts, reported in several cities since 2000 (Northeast, Florida, etc.), could have been caused by cyber-attacks against the electric grid
U.S. Department of Homeland Security investigated over 200 serious cyber-attacks against critical infrastructure during the first half of 2013 Electric grid targeted in over half of these attacks
Blackhat: Pentesting Smart Grid and SCADA with SamuraiSTFU
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Defence-in-depth
Setting up a cybersecurity strategy, based on a layered approach, to mitigate the risk:
Embedding Security Software
Prevention• Continuous actions and measures put in
place to reduce the risk of threats• E.g.: Patch management process, software
updates, security by design
Detection• Approaches to identify anomalous
behaviours and discover intrusion• E.g.: Intrusion detection system, traffic
inspection
Response• Emergency operation plans and incident
mitigation activities (short term actions)• E.g.: Containing a cyber attack, modifying
firewall filtering rules
Recovery• Reconstitution of smart grid operations• E.g.: Remediation activities
BUILDINGBLOCKS
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Critical elements
The cybersecurity strategy should consider the following critical elements as being all necessary for each prevention, detection, response, recovery building blocks:
TECHNOLOGY
PROCESS
PEOPLE
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Critical elements applied to prevention (Example)P
EO
PL
E • CYBER SECURITY AWARENESS
• TRAINING (SECURE CODING)
PR
OC
ES
S • TRUSTED SUPPLY CHAIN
• PATCH VALIDATION
TE
CH
NO
LO
GY • UP-TO-DATE
ALGORITHM• STANDARD
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Cyber-physical attacks
Cyber-physical attacks (also called blended attacks) cause a greater impact and/or different consequences than a cyber or physical attack could cause individually
To address the enhanced impacts, risks and vulnerabilities for both cyber and physical attacks must be considered
Can your smart grid system survive from a cyber attack?
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Common control system vulnerabilities and weaknesses
Embedding Security Software
Software / Product Security Weaknesses
• Improper input validation
• Poor code quality• Permissions,
privileges and access controls
• Improper authentication
• Insufficient verification of data authenticity
• Cryptographic issues• Credentials
management• Configuration and
maintenance
Configuration weaknesses
• Permissions, privileges and access controls
• Improper authentication
• Credentials management
• Security configuration and maintenance
• Planning, policy, procedures
• Audit and accountability configuration
Network security weaknesses
• Common network design weaknesses
• Weak firewall rules• Network component
configuration (Implementation) vulnerabilities
• Audit and accountability
Source: Cyber–Physical System Security for the Electric Power Grid , Proceedings of the IEEE | Vol. 100, No. 1, January 2012
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Embedding security software
Large scale key management and cryptographic algorithm Integrity of the software is not simply checking a CRC « signature » It must rely on cryptographic signature, which implies managing secret
elements (cryptographic keys). It is the only way to truly authenticate the software editor
Don’t implement your own cryptographic algorithm. You’ll fail! Secure communications
Must be based on standard protocols with a given cryptograhic key size Managing technological obsolescence… !
Authentication of remote critical controls Protection against eavesdropping (encrypt!) Get your software product independently assessed or pentested
And of course, it is all about human people: Provide relevant training (secure coding…)
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Conclusion
To address new security challenges, cyber security needs to be integrated with system theory to guarantee resilience of the grid
MAS²STERING shall provide: Cross domain (power/electrical to cyber/digital) security event
detection (SIEM), analysis and response Secure communications in regards of the privacy concerns Role-based access control (RBAC) to authenticate, authorize
and grant access to the smart grid system
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Backup slides
Embedding Security Software
project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682)
Bibliography
NIST 7628 - Guidelines for Smart Grid Cybersecurity Volume 1 – Smart Grid Cybersecurity Strategy, Architecture, and
High-Level Requirementsines for Smart Grid Cybersecurity Volume 2 – Privacy and the Smart Grid Volume 3 – Supportive Analyses and References
SANS Institute The Incident Handlers Handbook
The CERT Division Secure coding
OWASP
Embedding Security Software