DNV GL © 2014 10-03-2014 SAFER, SMARTER, GREENER DNV GL © 2014
28-03-2014
ENERGY
Cyber Security for the energy industry
1
DNV GL © 2014 10-03-2014 10-03-2014 2
DNV GL © 2014 10-03-2014 10-03-2014 3
DNV GL © 2014 10-03-2014
Challenges
Utilities are thinking they are ok!
The fence around the assets isn’t enough anymore
The smart grid is moving in, and interconnecting things along the way
Vendors offer an answer but is it enough?
IT security companies are happy to help, but do they understand what we need?
The translation form a security policy to a secure device implementation is not
straightforward
There are a lot of standards for guidance, but none of them complete, and all with
a different scope
4
DNV GL © 2014 10-03-2014
Cyber security questions currently facing the utility industry
We are moving from IEC60870-5-101/ DNP3 serial to IEC60870-5-104/DNP3
Ethernet. What do we need to do regarding cyber security when introducing
Ethernet components in our SCADA system?
We are rolling out a new smart meter network infrastructures and we worry about
privacy and security of the system, where to start?
We are rolling out a new IP based SCADA system(CDMA, MPLS based
technologies), and we worry about the security of the system. What are the first
things we need to secure?
We wonder how secure our current system is. What should we do first to improve
this?
5
DNV GL © 2014
Risk Assessment
• Security awareness • Implementation • Requirements • Procedures • Processes
Residual risks
Our approach to a cyber secure End to End infrastructure
6
Component Health Testing
E2E Test Verification E2E secure?
Programs / projects
Weighted risks
Roadmap
Test reports • Verification results
Evaluate
System Standards Legislation
DNV GL © 2014
Security challenges
7
Chief Security Officer
Information and Competence GAP
Asset Management
Engineers
Problem owner
Solution Implementers
The issue:
DNV GL © 2014
Recently done and running projects
Cyber risk and threat analysis on SCADA system for a Gas company
Requirements for cyber security certification of smart grid components for ENISA
Security management for a company in middle east
Risk analysis for SCADA DMS project in middle east
Risk analysis on 104 communication infrastructure, and procurement cyber
security requirements for substations at a European TSO
ENCS Topsectoren: cyber security testing workstream with TNO, Alliander, KPN,
Security matters
GIP2013 cyber security health check
– Cyber security component and system tests: Tennet, Statkraft, Westland, GNF,
Alliander
GIP2014 cyber security end to end test service launch
8
DNV GL © 2014 10-03-2014
When a design is not validated…
9
DNV GL © 2014 10-03-2014
The Cyber security health testing service
10
Requirements
test pack
Smart grid
and security
standards
In-situ,
smart grid
equipment
1. Functional Testing
2. Negative and
Robustness testing
3. Known vulnerability
testing, leveraging
global vulnerability
database
Findings and
recommendations
Common
criteria
methodology
Testing topics
DNV GL © 2014 10-03-2014
Pilots & participants
We performed 6 pilots at TSO’s, DNO’s and
power generation companies
Participating countries:
USA
Norway
Spain
Netherlands
Germany
Deliverable: Test report includes
Implemented security features
Assessment depth and findings
Recommendations for mitigation
11
Provided equipment:
SCADA system
Protection relay
Telecom equipment
RTU, IED
Smart meter
Data concentrator
DNV GL © 2014 10-03-2014
Findings
Security officers do not know what is inside their network on a deep level
Not much high level requirements are facilitated by functionality in devices
Multiple security functions could be circumvented
Standard or bad passwords is still the biggest threat
Claimed security functions are not used, or broken
Configurations do not display an understanding of device capabilities
Devices are easy to break: ICMP, HTTP are capable of crashing a device
Requirements are not considered by the vendor as applicable for them
Or vendors claim compliance to standards that not apply
Utilities only consider functions they use (are not aware of other functions)
Interconnection is done without considering security
Usage of standard components is very common
12
DNV GL © 2014 10-03-2014
SAFER, SMARTER, GREENER
www.dnvgl.com
Thank you More info on our blog: dnvkemautilityfuture.com
13
For further info and the public requirements test pack, please ask or email me: [email protected]
+31 026 356 2586
http://www.dnvkemautilityfuture.com/dnv-gl-explains-the-importance-of-cyber-security-health-testing-of-scada-systems
Top Related