Smart Grid Security
Source: innovationforum.peo.on.ca/wp-content/uploads/2018/04/Smart-Grid... (17 slides)

Page 1

Smart Grid Security

March 2018

Joe DiAdamo, P. Eng.Executive Consultant, IBM Canada Energy, Environment & Utilities Practice

(C)2018 COPYRIGHT IBM CORPORATION

Page 2

What is the Smart Grid? A Video from the US Department of Energy

Key Benefits:

• More efficient transmission and distribution of electricity
• Quicker restoration of electricity after power outages
• Reduced operations and management costs for utilities, and ultimately lower power costs for consumers
• Reduced peak demand, which will also help lower electricity rates
• Increased integration of large-scale renewable energy systems
• Better integration of customer-owned power generation systems, including renewable energy systems
• Improved security

Page 3

Energy and Utilities Industry in Ten Years

By 2025, the Energy and Utilities industry landscape will change significantly.

Page 4

Smart Grid Technical Architecture Overview

[Architecture diagram; only the labels recoverable from the slide are listed, in the groups in which they appear]

Domains: Power System Domain; Operations Domain (OT); Telecommunications Domain; Enterprise Domain (IT); Customer Domain. Cross-cutting: Sys Mgmt; Security.

Field and power system: Distributed Generation; AMI; Energy Storage; Feeder Automation; Substation Automation.

Data Lake: AMI & Metering; DMS & SCADA; Weather; Load flow; EMS; NMS; ICCP; SCADA; HIS.

Sys of Record: Settings; CIS; GIS; Equipment; AMI Ops; Outage; Customer; Billing.

Data Marts: Feeder Loading; X-frmr (transformer) Loading; Reliability; Customer Billing Alerts; Outage Prediction. CIM-based Data Model; Extract / Transform / Load (ETL).

Networks: Private Network; Secure IT LAN; Enterprise Service Bus; AMI Mesh; Cellular or Private; Internet; Cellular; Secure OT LAN.

Operations: AMI Analytics; D/R; 3rd Party D/R; ADMS (DMS; DERMS; SCADA; ICCP; HIS; Mobile; OMS).

Page 5

SCADA – Key Area of Exposure Introduced by Smart Grid

• SCADA: Supervisory Control and Data Acquisition
• Remote monitoring and control of industrial control systems.
• SCADA has been used for decades, but Smart Grid solutions are significantly increasing the use of SCADA, especially over public wireless telecommunications networks.
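An added example, not from the deck, of the network visibility and segmentation control that is the usual first answer to this exposure: a check over constructed flow records that flags ICS protocol sessions reaching OT assets from outside the OT zone, including from a cellular-attached device. The zone CIDRs, the sanctioned jump host and the flow samples are assumptions for illustration; the protocol ports are the IANA-registered ones for Modbus/TCP, DNP3, IEC 60870-5-104 and ISO-TSAP (ICCP and IEC 61850 MMS).

```python
"""Flag SCADA/ICS protocol sessions that reach OT assets from outside the OT zone.

Added example (not from the slide deck): a minimal network-visibility check over
constructed flow records. Zone CIDRs, the jump host and the flow samples are
assumptions for illustration; the protocol ports are the IANA-registered ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known ICS/SCADA ports: Modbus/TCP, DNP3, IEC 60870-5-104, ISO-TSAP (ICCP / IEC 61850 MMS)
ICS_PORTS = {502: "modbus", 20000: "dnp3", 2404: "iec104", 102: "iso-tsap"}

# Hypothetical network zones (assumption, not from the deck)
ZONES = {
    "ot_lan": ipaddress.ip_network("10.20.0.0/16"),
    "it_lan": ipaddress.ip_network("10.10.0.0/16"),
    # Assumed: the private cellular APN hands out carrier-grade NAT addresses
    "cellular_apn": ipaddress.ip_network("100.64.0.0/10"),
}
# The one IT host allowed to reach OT protocols (assumed hardened jump host)
ALLOWED_IT_SOURCES = {ipaddress.ip_address("10.10.5.5")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"   # anything unmapped, including the public Internet


def evaluate(flow: Flow) -> Optional[str]:
    """Return an alert reason, or None if the flow is within policy."""
    if flow.proto != "tcp" or flow.dport not in ICS_PORTS:
        return None                      # not an ICS protocol; other controls cover it
    if zone_of(flow.dst) != "ot_lan":
        return None                      # only OT-side targets are policed here
    src_zone = zone_of(flow.src)
    if src_zone == "ot_lan":
        return None                      # OT-to-OT traffic is expected
    if src_zone == "it_lan" and ipaddress.ip_address(flow.src) in ALLOWED_IT_SOURCES:
        return None                      # sanctioned jump host
    return f"{ICS_PORTS[flow.dport]} to {flow.dst} from {src_zone} source {flow.src}"


def find_violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    return [(f, reason) for f in flows if (reason := evaluate(f))]


# Constructed sample flows (not real captures)
SAMPLE_FLOWS = [
    Flow("10.20.1.10", "10.20.3.7", 502, "tcp"),     # HMI -> RTU inside OT: fine
    Flow("10.10.5.5", "10.20.3.7", 20000, "tcp"),    # jump host -> RTU: sanctioned
    Flow("10.10.8.23", "10.20.3.7", 502, "tcp"),     # IT-side workstation -> RTU: violation
    Flow("100.64.12.9", "10.20.3.9", 20000, "tcp"),  # cellular-attached device polling an RTU: violation
    Flow("203.0.113.4", "10.20.3.7", 102, "tcp"),    # Internet source -> RTU: violation
    Flow("203.0.113.4", "10.20.3.7", 443, "tcp"),    # not an ICS protocol: out of scope here
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print("ALERT:", reason)
```

In a real deployment the zone map would be fed from the network hierarchy and asset inventory rather than hard-coded, and the flows from a collector on the OT/IT boundary; the policy deliberately ignores non-ICS ports so that it complements the firewall rule set instead of duplicating it.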

Page 6

Sophisticated attacks on the Energy Industry are on the rise

Incidents shown on the slide:

• Ransomware phishing on a Michigan-based electric and water utility
• Malware discovered on a fuel system at a Bavaria-based nuclear power plant
• SCADA systems of three Ukrainian electricity distributors infiltrated
• Network breach of a US natural gas and electricity company
• SCADA system for a New York dam hacked
• Ransomware email delivered to the Israeli Electricity Authority
• Confidential SCADA system data for a hydroelectric generator exposed on the Dark Web
• Hackers breach a water company’s SCADA system, controlling water flow and chemical levels

Timeline markers on the slide: June 2015, December 2015, January 2016, March 2016, April 2016.

• December 2016: SCADA systems of Kiev (Ukraine) electricity distribution infiltrated (again)
• June 2017 (“Busy Month!”): Industroyer, NotPetya and cyber warfare on Ukraine (WannaCry, also listed here, hit in May 2017)

Page 7

The Industry Stance by ICS-CERT

ICS-CERT: US Industrial Control Systems Cyber Emergency Response Team

• The number of incidents reported to ICS-CERT is extremely under-reported
• Most incidents are classified as unscheduled maintenance incidents
• Lack of capable resources to address risk
• The supply chain and maintenance channels are seen as high risk
• Initiatives to secure ICS environments are challenged on where and how to start and struggle to meet expectations

Page 8

If traditional IT security practices are unsustainable, where does that leave ICS?

• 1.5 MILLION unfilled security positions by 2020
• 68 PERCENT of CEOs are reluctant to share incident information externally
• 85 security tools from 45 vendors

Page 9

How do I get started when all I see is chaos?

Capabilities scattered across the slide: Network visibility and segmentation; IP reputation; Indicators of compromise; Firewalls; Network forensics and threat management; Virtual patching; Sandboxing; Malware protection; Data access control; Data monitoring; Application security management; Application scanning; Access management; Entitlements and roles; Identity management; Transaction protection; Device management; Content security; Workload protection; Cloud access security broker; Vulnerability management; Privileged identity management; Incident response; Criminal detection; Fraud protection; Endpoint patching and management; Cognitive security; User behavior analysis; Threat and anomaly detection; Threat hunting and investigation; Threat sharing; Endpoint detection and response.

Page 10

NIST* Cybersecurity Framework

[Roadmap diagram; recoverable labels only]

• Framework functions: Identify, Protect, Detect, Respond, Recover
• Organizational Focus Areas (People, Process, Technology)
• Maturity Ratings: As-Is Maturity vs. Desired Maturity, with Gap Analysis
• Initiatives (numbered 1 to 5 on the slide): Governance Initiatives; Executive Initiatives; Continuous Monitoring Initiatives; Risk Assessment Initiatives; Asset Management Initiatives
• Outputs: Draft Findings; Planned Activities and Projects; 3 year Roadmap, based on Business Objectives

Process: Current State → Desired State Definition → Strategic Initiatives Definition → Prioritization → Roadmap development

* National Institute of Standards and Technology – part of the U.S. Department of Commerce
• The Ontario Energy Board Cyber Security Framework is based on the NIST Cybersecurity Framework

Page 11

A security immune system

[Diagram; capability labels as they appear on the slide, in their clusters]

• Criminal detection; Fraud protection
• Workload protection; Cloud access security broker
• Access management; Entitlements and roles; Privileged identity management; Identity management
• Data access control; Application security management; Application scanning; Data monitoring
• Device management; Transaction protection; Content security; Malware protection; Endpoint detection and response; Endpoint patching and management
• Virtual patching; Firewalls; Network forensics and threat management; Sandboxing; Network visibility and segmentation
• Indicators of compromise; IP reputation; Threat sharing
• Vulnerability management; Incident response; User behavior analysis; Threat hunting and investigation; Cognitive security; Threat and anomaly detection

Page 12

A Security Intelligence & Operations Operating Model

[Operating-model diagram; recoverable labels only. Layers: Strategy, Operations, Technology. Legend: SIOC; IT / OT; Corporate; Generation; Transmission; Distribution]

Platforms and Data Components
• Data Sources: Structured (transactional); Referential Data Sets (integrated); Unstructured (big data)
• Intelligence Sources: Subscriptions (vendor/associations); Open Source (social/news/blogs); Private (trust groups/government)
• Asset Information: Inventory / CMDB; Vulnerability Data; Network Hierarchy
• Business Intelligence: Structure & Geography; Data Classification; Risk/Impact Analysis
• SIEM; Ticketing & Workflow; Reporting & Dashboards; Big Data Intelligence; Cognitive & Active Defense

SIOC
• Tier 1 Monitoring; Tier 2 Triage; Tier 3 Response
• Security Intelligence: Intel Analysis; IOC Management; Use Case Mgmt; Runbook Mgmt; Threat Hunting / Active Defense
• Security Integration: Vulnerability Mgmt; Identity-Access Mgmt; Data Security; Cloud Computing
• Security Analytics & Incident Reporting
• Architecture & Projects
• Administration & Engineering: Rule Dev/Tuning; Tool Integration; Device Mgmt
• CSIRT: Emergency Response; Forensic Handling
• Service Delivery & Operations Management: Service Level Management / Efficiency / Capacity Management / Escalation

IT/OT Operations: Help Desk; Network Operations; Server Admin; Development

Cyber-Security Command Center (CSCC): Governance / Collaboration / Requirements / Briefings

Corporate Operations / Business Units: Risk Management; Audit / Compliance; Legal / Fraud; PR / Communications; Physical Security
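An added example, not from the deck, of how the Tier 1 Monitoring and IOC Management functions above can be fed by the Asset Information (CMDB) and Risk/Impact Analysis inputs: constructed DNS and proxy log lines are matched against a constructed IOC set and the hits are ranked by asset criticality, so that the analyst queue starts with the OT-side host rather than the guest kiosk. The log format, the indicators, the CMDB entries and the scoring weights are all assumptions for illustration.

```python
"""Tier 1 use case: match constructed DNS/proxy log lines against an IOC set and
rank the hits by asset criticality.

Added example (not from the slide deck). The key=value log format, the IOC list,
the CMDB entries and the scoring weights are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical IOC feed (constructed; not real indicators)
IOCS = {
    "domain": {"update-billing-portal.example", "cdn-telemetry.example"},
    "ip": {"198.51.100.77"},
}

# Hypothetical CMDB / business-impact enrichment: source host -> (zone, criticality 1..5)
CMDB = {
    "10.20.3.7": ("ot_lan", 5),    # SCADA front-end on the OT LAN
    "10.10.8.23": ("it_lan", 3),   # engineering workstation
    "10.10.40.2": ("it_lan", 1),   # guest kiosk
}

# Constructed log lines (assumed key=value format, not a real product's)
SAMPLE_LOGS = """\
ts=2018-03-01T08:02:11Z type=dns src=10.10.8.23 qname=update-billing-portal.example
ts=2018-03-01T08:02:12Z type=proxy src=10.10.8.23 dst=198.51.100.77 url=http://update-billing-portal.example/invoice.zip
ts=2018-03-01T08:05:40Z type=dns src=10.10.40.2 qname=cdn-telemetry.example
ts=2018-03-01T08:07:03Z type=proxy src=10.20.3.7 dst=198.51.100.77 url=http://198.51.100.77/u
ts=2018-03-01T08:09:15Z type=dns src=10.10.8.23 qname=intranet.example
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    ts: str
    src: str
    indicator: str
    ioc_type: str
    zone: str
    criticality: int
    score: int


def parse_line(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))


def extract_domain(url: str) -> Optional[str]:
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else None


def match_iocs(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (indicator, type) pairs present in one parsed record."""
    found: List[Tuple[str, str]] = []
    if rec.get("qname") in IOCS["domain"]:
        found.append((rec["qname"], "domain"))
    if rec.get("dst") in IOCS["ip"]:
        found.append((rec["dst"], "ip"))
    host = extract_domain(rec.get("url", ""))
    if host in IOCS["domain"] and (host, "domain") not in found:
        found.append((host, "domain"))
    return found


def score_hit(ioc_type: str, zone: str, criticality: int) -> int:
    # Assumed weighting: a completed connection outweighs a lookup; OT assets are escalated.
    base = 2 if ioc_type == "ip" else 1
    zone_weight = 3 if zone == "ot_lan" else 1
    return base * zone_weight * criticality


def triage(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        zone, crit = CMDB.get(rec.get("src", ""), ("unknown", 2))   # unknown assets get a middling default
        for indicator, ioc_type in match_iocs(rec):
            hits.append(Hit(rec["ts"], rec["src"], indicator, ioc_type, zone, crit,
                            score_hit(ioc_type, zone, crit)))
    # Highest score first so the Tier 1 queue starts with the asset that matters most
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for h in triage(SAMPLE_LOGS):
        print(f"{h.score:3d} {h.ts} {h.src} ({h.zone}, crit {h.criticality}) {h.ioc_type}={h.indicator}")
```

The ranking is the point: the same indicator hit on the OT front-end lands at the top of the queue while the kiosk lookup sits at the bottom, which is what "focus security analyst staff on critical issues" means in practice once the CMDB and impact data are wired into the SIEM rule rather than looked up by hand.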

Page 13

Most security knowledge is untapped…

Traditional Security Data:
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds

Human Generated Knowledge:
• Threat intelligence
• Research documents
• Industry publications
• Forensic information
• Conference presentations
• Analyst reports
• Blogs
• Webpages
• Wikis
• News sources
• Newsletters
• Tweets

A universe of security knowledge dark to typical defenses

Page 14

Cognitive Computing for Cyber Security

[Diagram; recoverable labels only]

Massive Corpus of Security Knowledge
• STRUCTURED DATA (Billions of Data Elements): Incident Exchange; Trusted partner feed; Other threat feeds; Open source. 10B elements plus 4M added / hour
• UNSTRUCTURED DATA (Millions of Documents): Breach replies; Attack write-ups; Best practices; Course of action; Research. 1.25M docs plus 15K added / day
• WEB CRAWLER: Websites; Blogs; News
• 5-10 updates / hour! 100K updates / week!

50 beta customers; 140K+ web visits in 5 weeks; 200+ trial requests

SEE THE BIG PICTURE: Truly understand your risk and the actions needed to mitigate a threat.

ACT WITH SPEED & CONFIDENCE: Enhanced context provides a big saving in time versus manual research.

Page 15

Cognitive Security Advisor

• Focus security analyst staff on critical issues
• Discover more infected endpoints, and send targeted results to the incident response team

Page 16

Cognitive Security

[Diagram; recoverable labels only]
• SECURITY ANALYTICS: Log; SIEM; Vulnerability; Cloud; UBA; DNS; EDR
• THREAT HUNTING: Search; Link Analysis; Visualizations
• THREAT INTELLIGENCE: Sharing; Open Interfaces; Malware Analysis
• INCIDENT RESPONSE: Orchestration; Collaboration; Workflow
• Patch / Query / Remediate

Cognitive Security Delivers
• End-to-end protection against advanced threats despite resource and skills gaps
• Ability to prevent, analyze, hunt, and respond across the enterprise and beyond
• Orchestrated people, processes and technology that work together in unison

By
• Considering massive amounts of data
• Integrating detection and response
• Orchestrating security response
• Leveraging ecosystem and open platforms

Page 17

THANK YOU

Joe DiAdamo, P. Eng.
[email protected]