Transcript of: Smart Grid Security (innovationforum.peo.on.ca/wp-content/uploads/2018/04/Smart-Grid...)
Smart Grid Security
March 2018
Joe DiAdamo, P. Eng., Executive Consultant, IBM Canada Energy, Environment & Utilities Practice
(C)2018 COPYRIGHT IBM CORPORATION
What is the Smart Grid? A Video from the US Department of Energy
Key Benefits:
• More efficient transmission and distribution of electricity
• Quicker restoration of electricity after power outages
• Reduced operations and management costs for utilities, and ultimately lower power costs for consumers
• Reduced peak demand, which will also help lower electricity rates
• Increased integration of large-scale renewable energy systems
• Better integration of customer-owner power generation systems, including renewable energy systems
• Improved security
Energy and Utilities Industry in Ten Years
By 2025, the Energy and Utilities industry landscape will change significantly.
Smart Grid Technical Architecture Overview
[Figure: architecture diagram. Domains: Enterprise Domain (IT), Customer Domain, Telecommunications Domain, Operations Domain (OT), Power System Domain. Cross-cutting: Sys Mgmt, Security. Labelled components (diagram layout not recoverable): Distributed Generation, AMI, Energy Storage, Feeder Automation, Substation Automation; Data Lake (AMI & Metering, DMS & SCADA, Weather, Load flow, EMS, NMS, ICCP, SCADA, HIS); Sys of Record (Settings, CIS, GIS, Equipment, AMI Ops, Outage, Customer, Billing); Data Marts (Feeder Loading, X-frmr Loading, Reliability, Customer, Billing Alerts, Outage Prediction); CIM-based Data Model; Extract / Transform / Load (ETL); Enterprise Service Bus; AMI Analytics; networks: Private Network, Secure IT LAN, Secure OT LAN, AMI Mesh, Cellular or Private, Cellular, Internet; D/R and 3rd Party D/R; ADMS (DMS, DERMS, SCADA, ICCP, HIS, Mobile, OMS).]
SCADA – Key Area of Exposure Introduced by Smart Grid
• SCADA: Supervisory Control and Data Acquisition
• Remote monitoring and control of industrial control systems.
• SCADA has been used for decades, but Smart Grid solutions are significantly increasing the use of SCADA, especially over public wireless telecommunications networks.
Sophisticated attacks on the Energy Industry are on the rise
[Figure: incident timeline with markers at June 2015, December 2015, January 2016, March 2016, April 2016, December 2016 and June 2017. Incidents shown (the date attached to each of the first eight is not recoverable from the extraction):]
• Ransomware phishing on a Michigan-based electric and water utility
• Malware discovered on a fuel system at a Bavaria-based nuclear power plant
• SCADA systems of three Ukrainian electricity distributors infiltrated
• Network breach of US natural gas and electricity company
• SCADA system for a New York dam hacked
• Ransomware email delivered to the Israeli Electricity Authority
• Confidential SCADA system data for a hydroelectric generator exposed on the Dark Web
• Hackers breach a water company’s SCADA system, controlling water flow and chemical levels
• December 2016: SCADA systems of Kiev Ukrainian electricity distribution infiltrated (again)
• Busy Month!
• June 2017: WannaCry, Industroyer, NotPetya and Cyber Warfare on Ukraine
The Industry Stance by ICS-CERT
ICS-CERT: US Industrial Control Systems Cyber Emergency Response Team
• Incidents are extremely under-reported to ICS-CERT
• Most incidents are classified as unscheduled maintenance incidents
• Lack of capable resources to address risk
• The supply chain and maintenance channels are seen as high risk
• Initiatives to secure ICS environments are challenged on where and how to start, and struggle to meet expectations
If traditional IT security practices are unsustainable, where does that leave ICS?
• 1.5 MILLION unfilled security positions by 2020
• 68 PERCENT of CEOs are reluctant to share incident information externally
• 85 security tools from 45 vendors
How do I get started when all I see is chaos?
[Figure: an unordered scatter of security capability labels:]
Network visibility and segmentation
IP reputation
Indicators of compromise
Firewalls
Network forensics and threat management
Virtual patching
Sandboxing
Malware protection
Data access control
Data monitoring
Application security management
Application scanning
Access management
Entitlements and roles
Identity management
Transaction protection
Device management
Content security
Workload protection
Cloud access security broker
Vulnerability management
Privileged identity management
Incident response
Criminal detection
Fraud protection
Endpoint patching and management
Cognitive security
User behavior analysis
Threat and anomaly detection
Threat hunting and investigation
Threat sharing
Endpoint detection and response
NIST* Cybersecurity Framework
[Figure: assessment and roadmap process. Steps: Current State → Desired State Definition → Strategic Initiatives Definition → Prioritization → Roadmap development. Organizational Focus Areas (People, Process, Technology) are assessed against the five framework functions: Identify, Protect, Detect, Respond, Recover. Maturity Ratings: As-Is Maturity, Desired Maturity, Gap Analysis. Draft Findings. Numbered initiative groups: Governance Initiatives, Executive Initiatives, Continuous Monitoring Initiatives, Risk Assessment Initiatives, Asset Management Initiatives. Output: 3 year Roadmap of Planned Activities and Projects Based on Business Objectives.]
• National Institute of Science and Technology – Part of the U.S. Department of Commerce
• Ontario Energy Board Cyber Security Framework is based on the NIST Cybersecurity Framework
A security immune system
[Figure: the same capability labels as the previous slide, now arranged as an integrated system:]
Criminal detection
Fraud protection
Workload protection
Cloud access security broker
Access management
Entitlements and roles
Privileged identity management
Identity management
Data access control
Application security management
Application scanning
Data monitoring
Device management
Transaction protection
Content security
Malware protection
Endpoint detection and response
Endpoint patching and management
Virtual patching
Firewalls
Network forensics and threat management
Sandboxing
Network visibility and segmentation
Indicators of compromise
IP reputation
Threat sharing
Vulnerability management
Incident response
User behavior analysis
Threat hunting and investigation
Cognitive security
Threat and anomaly detection
A Security Intelligence & Operations Operating Model
[Figure: operating model diagram with layers Strategy, Operations and Technology. Legend: SIOC, IT / OT, Corporate, Generation, Transmission, Distribution.]
• Data Sources: Structured (transactional), Referential Data Sets (integrated), Unstructured (big data)
• Intelligence Sources: Subscriptions (vendor/associations), Open Source (social/news/blogs), Private (trust groups/government)
• Asset Information: Inventory / CMDB, Vulnerability Data, Network Hierarchy
• Business Intelligence: Structure & Geography, Data Classification, Risk/Impact Analysis
• Platforms and Data Components: SIEM, Ticketing & Workflow, Reporting & Dashboards, Big Data Intelligence, Cognitive & Active Defense
• Tier 1 Monitoring, Tier 2 Triage, Tier 3 Response
• Security Integration: Vulnerability Mgmt, Identity-Access Mgmt, Data Security, Cloud Computing
• Security Analytics & Incident Reporting
• Architecture & Projects
• Administration & Engineering: Rule Dev/Tuning, Tool Integration, Device Mgmt
• CSIRT: Emergency Response, Forensic Handling
• Service Delivery & Operations Management: Service Level Management / Efficiency / Capacity Management / Escalation
• IT/OT Operations: Help Desk, Network Operations, Server Admin, Development
• Corporate Operations and Business Units: Risk Management, Audit / Compliance, Legal / Fraud, PR / Communications, Physical Security
• Cyber-Security Command Center (CSCC): Governance / Collaboration / Requirements / Briefings
• Security Intelligence: Intel Analysis, IOC Management, Use Case Mgmt, Runbook Mgmt, Threat Hunting, Active Defense
Most security knowledge is untapped…
Traditional Security Data
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
Human Generated Knowledge
• Threat intelligence
• Research documents
• Industry publications
• Forensic information
• Conference presentations
• Analyst reports
• Blogs
• Webpages
• Wikis
• News sources
• Newsletters
• Tweets
A universe of security knowledge dark to typical defenses
Cognitive Computing for Cyber Security
[Figure: Massive Corpus of Security Knowledge fed by STRUCTURED DATA (Billions of Data Elements: 10B elements plus 4M added / hour), UNSTRUCTURED DATA (Millions of Documents: 1.25M docs plus 15K added / day) and a WEB CRAWLER; update rates shown: 5-10 updates / hour, 100K updates / week.]
Sources: Incident Exchange, Trusted partner feed, Other threat feeds, Open source, Breach replies, Attack write-ups, Best practices, Course of action, Research, Websites, Blogs, News
Beta programme: 50 beta customers, 140K+ web visits in 5 weeks, 200+ trial requests
SEE THE BIG PICTURE
Truly understand your risk and the actions needed to mitigate a threat.
ACT WITH SPEED & CONFIDENCE
The enhanced context provided is a BIG savings in time versus manual research.
Cognitive Security Advisor
• Focus security analyst staff on critical issues
• Discover more infected endpoints, and send targeted results to the incident response team
Cognitive Security
[Figure: four capability areas around a cognitive core, with Patch, Query and Remediate actions:]
• SECURITY ANALYTICS: Log, SIEM, Vulnerability, Cloud, UBA, DNS, EDR
• THREAT HUNTING: Search, Link Analysis, Visualizations
• THREAT INTELLIGENCE: Sharing, Open Interfaces, Malware Analysis
• INCIDENT RESPONSE: Orchestration, Collaboration, Workflow
Cognitive Security Delivers
• End-to-end protection against advanced threats despite resource and skills gaps
• Ability to prevent, analyze, hunt, and respond across the enterprise and beyond
• Orchestrated people, processes and technology that work together in unison
By
• Considering massive amounts of data
• Integrating detection and response
• Orchestrating security response
• Leveraging ecosystem and open platforms
THANK YOU
Joe DiAdamo, P. Eng.