Securing Buildings Facilities From Emerging Cyber Threats · • PNNL conducted various B‐C2M2...
Transcript of Securing Buildings Facilities From Emerging Cyber Threats · • PNNL conducted various B‐C2M2...
Rhode Island Convention Center • Providence, Rhode Island
Securing Buildings & Facilities From Emerging Cyber Threats
Session 5: [Session Title]
Michael MylreaManager, Cybersecurity & Energy TechnologyPacific Northwest National Lab August 10, 2016
Energy Exchange: Federal Sustainability for the Next Decade
DOE‐PNNL Buildings Cybersecurity Framework
DOE‐PNNL Buildings Cybersecurity Maturity Model (B‐C2M2)
Maturity
Indicator Levels
Each cell contains the defining practices by goal for domain for that maturity indicator level. If performing those practices, you earn this maturity level.
Defined progression of goals
Buildings Cybersecurity Maturity Model (B‐C2M2)& Application
Tool and data sets to quickly identify and compare buildingsNeed:
• DOE and PNNL developed a tool and visualization platform to measure cybersecurity maturity for energy utilities. This tool has been adapted to buildings, but its current form does not compare maturity levels of buildings and is difficult to distribute
• A tool and data set for measuring and comparing nation’s buildings cybersecurity maturity does not exist
• PNNL conducted various B‐C2M2 pilot tests to inform the development of the B‐C2M2 app
Cybersecurity Maturity Model (B‐C2M2) Application
Tool and data sets to quickly identify and compare cybersecurity maturityNeed:
• Web and mobile based cybersecurity maturity model• Obfuscate identity of users, but collects valuable information and data set• Provide online and offline sharing solution• A tool and data set for measuring and comparing cybersecurity maturity of energy
infrastructure• PNNL conducted various B‐C2M2 pilot tests to inform the future development of an
application
Energy Exchange: Federal Sustainability for the Next Decade
Assessment Findings –Building Control System Vulnerabilities
Smart building control systems often prioritize ease of use and interoperability before security
Energy Exchange: Federal Sustainability for the Next Decade
Building Cybersecurity MitigationIllustrative/Assessment Findings
Recommendations
• Build security into your smart building design criteria
• Introduce a security program to promote cyber best practices
• Introduce a cyber security training program.
• Introduce cyber security policies and standard operating procedures.
• Maintain a list of staff members and contractors.
• Use procurement guidelines
• NIST Cyber Security Framework
• DOE Cyber Energy Maturity Model
Energy Exchange: Federal Sustainability for the Next Decade
Building Control System Risk Matrix Heat Map
Cyber Secure ‐ Facility Energy Decision System
Cyber Secure ‐ Facility Energy Decision System (CS‐FEDS)
10
Challenges
Challenge 1: Cybersecurity solutions often times increase costs, reduce functionality and lack a clear value proposition.
Challenge 2: Networking and digitizing energy technology and controls can reduce costs, increase functionality and efficiency, but often times increases cyber vulnerabilities.
Challenge 3: A turn key tool to improve energy efficiency and cybersecurity does not exist
Turn‐Key buildings cybersecurity and energy efficiency tool
Proposed Solution‐ PNNL have beta tested a tool called the Cyber Secure ‐ Facility Energy Decision System (CS‐FEDS) that could potentially help building owners reduce their energy consumption, while increasing their cybersecurity maturity and situational awareness.
Key Features‐Models energy and cost performance of heating, cooling, ventilation, lighting, motors, plug loads, building shell, and hot water systems, plus central plants and thermal loops.‐Models buildings systems interoperability and inventories critical cyber assets‐Identifies cybersecurity vulnerabilities in building automation systems
CS‐FEDS ‐ Energy Efficiency and Security Training
• Combined energy efficiency and cybersecurity training targeted at IT and OT professionals• Helped increase cybersecurity situational awareness, overview of cyber‐physical threats, vulnerabilities
and mitigation• Upcoming training with operations managers, cybersecurity professional and senior policy makers from
USG interagency• PNNL conducted various B‐C2M2 pilot tests to inform the development of training curriculum
‐Modeling both energy and cost performance and cyber vuns in buildings‐Modeling buildings systems interoperability and inventories critical cyber assets‐Identifies critical cybersecurity assets in building automation systems and controls
Risk Management Cycle for Building Automation Systems
Risk Management Cycle for Building Automation Systems
Need: A systematic approach to identify requisite security enhancements to prevent/mitigate impact
Credit – Sri Nikhil Gourisetti/Brooke Brisbois
• Building Automation Systems (BAS)– Building energy efficiency– Safety systems– Gird‐level controls integration
• BAS Vulnerabilities (select)– IT/OT separation– Patch management– Roles and responsibilities
• Cyber attack impacts – Safety (Buildings/Occupants) – Property damage (Equipment)– Operational costs (Campus)– Energy security
(Campus/Utility)
Cybersecurity Risk Assessment for Building Automation Systems
• Cybersecurity Risk Assessment for Building Automation Systems
• Adapted from All‐Hazards Power Grid Risk Framework developed for OE‐40 (Veeramany, 2015)
• Framework for power grid was developed to model natural hazards and man‐made threats
• Adapted to systematically formulate and quantify attack scenarios for risk‐informed decision‐making based on NIST and Buildings Cybersecurity Frameworks
• Risk mitigation – Identify, protect, detect, respond, and recover
Resilient Controllers for Campus Building Management Systems
Resilient Controllers for Campus BMS• Demand Side Management
– Schedulable/controllable loads
– Distributed energy resources– Transactive energy schemes– Utility contracts
• Increasing cyber threats– Vulnerable, insecure
controllers
• Cyber attack impacts – Safety (Buildings/Occupants) – Property damage
(Equipment)– Operational costs (Campus)– Energy security
(Campus/Utility)
Resilient Controllers for schedulable loads in a campus to detect and mitigate cyber attacks.Need:
Resilient Controller
Cyber Anomalies
ON/OFF Command
s
Schedules/ Pricing Signals
Local measurements
(Voltage, Current, PV, Weather)
Spatial & Temporal
Measurement Correlation Baselines
Alerts to BMS
Load‐level, resilient controllers using a combination of machine learning techniques and cyber‐physical alert correlation algorithms for control validation.
Resilient Controllers for Campus BMS
• Machine learning to baseline physical system behavior
– Local voltage measurements– Spatial & Temporal
correlation across RCs– Additional sources‐Weather,
Solar irradiance
• Cyber‐physical alert correlation to fuse
– Cyber anomalies from IDS– Physical anomalies from
learnt patterns in machine learning
• Relevant stakeholders/clients– DOE FEMP – Tim Unrue– DOE BTO – Joe Hagerman– DOE CEDS – Carol Hawk
Proposed Solution:
Human in the Loop Virtual Reality Cyber Security and Building Operations Trainer (VCS‐BOT)
Energy Exchange: Federal Sustainability for the Next Decade
Human In The Loop Virtual Reality Cyber Security And Building Operations Trainer (VCS‐BOT) Scientific Challenges • Cyber Security and building operations training
methodologies need to adapt with evolving buildings infrastructure and smart grid
• Can we design human action based adaptive models?
– Can such enhanced immersive approach lead to incorporating cyber secure practices in IT & OT?
– Can we improve repeatability?
Approach
ConceptAn augmented/virtual reality based adaptive building environment application enabling human in the loop for immersive and enhanced training experience Impact• Strengthen Building Cyber Security practices• Next-generation BCF based training framework• Novel combination of unsupervised ML, AR/VR, and AI• Situational models with realistic attack-action scenarios
• Best Practices
• Best Practices
BCF
• Evaluation• Assessment• Evaluation• Assessment
BC2M2•Human in the loop
•Human in the loop
VR App
800‐82
800‐53
Unity 3DOculus
Java‐scriptC#
Holo‐Lens
Deliverables
Design• Software with AR/VR CS scenarios• Cyber‐physical Training Curriculum
Train• Pilot training for buildings managers• Train‐the trainers workshop
Explore• Cyber‐Physical training landscape• Enhanced human action area
Papers Patent BCF Visibility