The energy sector is one of the national critical infrastructures and now will increasingly be dependent on less secure information and telecommunications infrastructures
Navigate this Report
Back to Stimulus and Regulation Index
3. Business Case
6. Success Factors
7. Next Steps
|Idaho National Laboratory's Transmission Line Security monitor can remotely detect abnormal vibrations, temperatures and conditions around high-voltage transmission lines.|
- The systems and networks that make up the infrastructure of society are often taken for granted, yet a disruption to just one of those systems can have dire consequences across other sectors. For example, a computer virus could disrupts the distribution of natural gas across a region. This could lead to a consequential reduction in electrical power generation, which in turn leads to the forced shutdown of computerized controls and communications. Road traffic, air traffic, and rail transportation might then become affected. Emergency services might also be hampered.
An entire region can become debilitated because some critical elements in the infrastructure become disabled through natural disaster. While potentially in contravention of the Geneva Conventions, military forces have also recognized that it can cripple an enemy's ability to resist by attacking key elements of its civilian and military infrastructure.
- In addition to the increased threat, there is a disconnect between the accepted standard practices among the IT and Internet security communities and the current state of the art, or education, or experience, among many of the implementers and advocates of power grid advancement. Given the importance of our electrical infrastructure to the economy it is hard to understand why the most critical of all of our infrastructures, our electrical power, was not leading the charge for more and better IT security.
- According to the Wall Street Journal, Cyber-Spies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system. Rather than considering system failures like the unexpected failure of a digital protection and control device within a substation, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations.
- As the smart grid relies on business interactions as much as it does upon the physical processes of delivering electricity, security for the smart grid must consider interference or disruption of business communications as much as it does disruption of the delivery of electricity. Matters of identity and authorization are paramount, as are privacy and appropriate access concerns for handling personal information of customers.
- With the advent of inexpensive microcontrollers and smart-grid implementation, there is a growing trend for increased intelligence and capabilities in field equipment installed in substations, within the distribution network, and even at the customer’s premises. This increased control capability, while vastly increasing the flexibility and functionality to achieve better economies, also introduces cyber-vulnerabilities that have not previously existed and presents a significantly larger number of targets.
- Additionally, economic forces and technology development are making the power system more dependent on information systems and external communications networks. The interconnected nature of the communications systems that support regional and interregional grid control, and the need to continue supporting older legacy systems in parallel with newer generations of control systems, further compound these security challenges.
- According to the President’s Cyberspace Policy Review, as the United States deploys new Smart Grid technology, the Federal government must ensure that security standards are developed and adopted to avoid creating unexpected opportunities for adversaries to penetrate these systems or conduct large-scale attacks.
- Security requirements are critical to development of the Smart Grid. communications to the grid can create security vulnerabilities. A Smart Grid requires effective and multi-layered cyber security built in from the start.
Staged cyber attack reveals vulnerability in power grid This experiment, called "Aurora,"was conducted in March 2007 by the Idaho National Laboratory for DHS. They hacked this machine with nothing more than knowing the name of the company / DNS name, and the fact that the control systems were connected to the Internet. No firewall codes were needed. 2. Acronyms/Definitions
- BES - Bulk Electric System - As defined by the Regional Reliability Organization, the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition. NERC’s standards and enforcement help maintain and improve the reliability of North America’s bulk power system.
- Critical Assets - Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the BES.
- CCA - Critical Cyber Assets - Cyber Assets essential to the reliable operation of Critical Assets. This specifically includes computers, computer network components, and cyber-based peripheral and protective systems that are essential to the reliable operation of the BES. NERC Standard CIP-002 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. April 7, 2009 letter from NERC to Industry Stakeholders RE: Critical Cyber Asset Identification.
- CISPA - Cyber Intelligence Sharing and Protection Act - A proposed law in the United States which would allow for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies. The stated aim of the bill is to help the U.S government investigate cyber threats and ensure the security of networks against cyberattack.
CISPA has been criticized by advocates of Internet privacy and civil liberties who argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers.
What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so.
By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned that using the term in legislation may "have unforeseen consequences for both existing and future laws.") "Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."
- CIP - Critical Infrastructure Protection - A concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or nation. President Clinton's directive PDD-63 of May 1998 set up a national program of "Critical Infrastructure Protection". This recognized certain parts of the national infrastructure as critical to the national and economic security of the United States and the well-being of its citizenry, and required steps to be taken to protect it.
Compared to NERC's other reliability standards, which were a codification of historic practices, the CIP standards are relatively new. Also unlike other standards, the CIP standards affect departments within the industry (HR and IT) that have not had a history of day to day regulatory oversight by NERC or by FERC. Moreover, in the past 7 years since the CIP standards were first adopted, there have been five revisions of the CIP standards, and as discussed below, NERC is currently working toward the sixth version.
This was updated on December 17, 2003 by President Bush through Homeland Security Presidential Directive HSPD-7 for Critical Infrastructure Identification, Prioritization, and Protection. The directive broadened the definition of infrastructure in accordance with the Patriot Act, as the physical and virtual systems that are "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety."
Recognizing the importance of cybersecurity to the electric industry, NERC recently developed a new set of CIP standards with a much broader scope. NERC submitted CIP Version 5 to FERC on January 13, 2013, and FERC approved it on November 22, 2013.
The biggest change in the cybersecurity requirements under CIP Version 5 is that it requires registered entities to apply cybersecurity protections to all "BES Cyber Systems," or cyber assets that "if rendered unavailable, degraded, or misused, would, within 15 minutes of its required operation, misoperation, or nonoperation, adversely impact" reliable operation of the bulk electric system.
Older versions of the CIP standards required protections only for "Critical Cyber Assets" or those cyber assets that were deemed essential to the operation of critical bulk power system facilities. This shift in focus away from Critical Cyber Assets to BES Cyber Systems will greatly expand the universe of information systems that the industry will be required to protect, and many more industry participants, especially smaller entities that may not have had critical bulk power system facilities, will come under the scope of the CIP standards than before.
In Europe the equivalent 'European Programme for Critical Infrastructure Protection' (EPCIP) refers to the doctrine or specific programs created as a result of the European Commission's directive EU COM(2006) 786 which designates European critical infrastructure that, in case of fault, incident or attack, could impact both the country where it is hosted and at least one other European Member State. Member states are obliged to adopt the 2006 directive into their national statutes.
- Cyber Infrastructure - Includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.
- Cyber Security - The prevention of damage to, unauthorized use of, exploitation of, and, if needed, the restoration of electronic information and communications systems and services (and the information contained therein) to ensure confidentiality, integrity, and availability.
A mutually reinforcing fabric of policies, processes, technologies and people assembled to identify, control and protect information assets, through a formalized, programmatic strategy that is authorized by management and infused into routine organizational operations.
- Cybersecurity Act of 2012 - CSA2012 - S. 3414 -
On Aug 2, 2012, in a 52-46 vote, the Senate shut down the Cybersecurity Act of 2012, essentially blocking any chance at cybersecurity legislation passing this year, and maybe for years to come. The bill failed to gain the 60 votes needed to move the bill past cloture and go up for a full vote. The Obama administration is considering imposing cybersecurity rules via executive order after the Cybersecurity Act failed to gain enough Republican support to move forward
The unsurprising defeat of CSA2012, proposed by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) is seen as a blow to President Obama, who expressed strong support for cybersecurity legislation that would have bolstered protections for critical infrastructure networks, like water supply systems and electrical grids, from attacks by rogue hackers and foreign nation states.
Utilities are already required under the Energy Policy Act of 2005 to certify with the Federal Energy Regulatory Commission that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts. Meantime, nuclear operators have their own separate requirements that they follow and that they report to the Nuclear Regulatory Commission.
Despite strong support from Democrats and a WSJ Editorial by President Obama, CSA2012 faced opposition from both business groups and privacy advocates, though their reasons for dissent differed. The U.S. Chamber of Commerce said the bill would have imposed debilitating pressures on businesses to establish cybersecurity measures. The Chamber feared the proposed voluntary standards could become mandatory regulations in the future. In contrast, civil liberty groups like Fight for the Future and the Electronic Frontier Foundation said the bill would have allowed businesses to spy on Web users, and expose that information to the U.S. government.
But not all civil liberty advocates saw Lieberman’s bill as a bad choice for Web users. In a statement following the blockage of CSA2012, the American Civil Liberties Union lamented the early death of the “improved cybersecurity bill,” which included protections against the passage of private information to military agencies, like the National Security Agency. The ACLU urged Members of Congress to make sure any future cybersecurity legislation includes similar users protections.
Private Impact At-A-Glance
- Gives DHS authority to designate “covered” critical infrastructure.
- Allows private sector to challenge designation or self-designate.
- Requires critical infrastructures to report on and certify security protections annually.
- Requires a third-party assessment of security performance requirements.Requires critical infrastructure operators to report significant cybersecurity incidents.
- Provides liability coverage to those infrastructure operators who are in “substantial compliance” with performance requirements.
- Requires DHS to develop threat, risk and information sharing mechanisms (cybersecurity exchanges) with private critical infrastructure owners.
- Protects information shared with the government from disclosure.
- Provides the President with authority to exempt critical infrastructure sectors if he/she believes sufficient regulations already exist.
- Prohibits regulating the design, development and manufacture of commercial IT products.
Federal Impact At-A-Glance
- Reforms FISMA by granting DHS authority to oversee civilian agency information security.
- Gives DHS authority to issue risk mitigation directives to agencies.
- Moves to continuous monitoring and risk assessment.
- DHS Secretary can take action against imminent threats to agency networks without prior notification to affected agency.
- Consolidates the National Cyber Security Division, National Communications System and Office of Emergency Communications into a new National Center for Cybersecurity and Communications (NCCC).
- Gives DHS Secretary hiring and compensation authority for cybersecurity professionals at the executive service level.
- Requires development of comprehensive cybersecurity occupation classifications and a cybersecurity awareness and training program for all federal employees and contractors.
- Cybersecurity Act of 2013(S 1353) - The bill directs the National Institute of Standards and Technology (NIST) as an authority in this area to 'protect individual privacy and civil liberties' as it develops best practices and processes for the critical infrastructure cybersecurity ecosystem." In recent years, NIST, working in a public/private partnership has developed standards for the Smart Grid.
The bill will also:
- Advance the education of stakeholders and awareness of the steps they can take in the cybersecurity ecosystem to protect against cyberthreats and attacks.
- Direct the Office of Science and Technology Policy (OSTP) to develop, and update triennially, a federal cybersecurity research and development plan to meet cybersecurity objectives, including how to guarantee individual privacy, verify third-party software and hardware, address insider threats, determine the origin of messages transmitted over the Internet, and protect information stored using cloud computing or transmitted through wireless services.
- Direct the National Science Foundation (NSF) to support cybersecurity research and to review cybersecurity test beds. Permits NSF, if it determines that additional test beds are necessary, to award grants to institutions of higher education or research and development nonprofit institutions to establish such additional test beds.
- Direct NSF to continue the Federal Cyber Scholarship-for-Service program under which recipients agree to work in the cybersecurity mission of a federal, state, local, or tribal agency for a period equal to the length of their scholarship.
- Require NSF and DHS to enter arrangements with the National Academy of Sciences to conduct a comprehensive study of government, academic, and private-sector education, accreditation, training, and certification programs for the development of professionals in information infrastructure and cybersecurity.
- Direct NIST to continue coordinating a national cybersecurity awareness and preparedness campaign to increase public awareness and understanding of cybersecurity risks, support education programs, and evaluate workforce needs. Requires NIST to develop a strategic plan to guide federal activities in support of such campaign.
- ERO - Electric Reliability Organization - The EPAct 2005 gave FERC authority to direct the industry to develop reliability standards and the authority to designate an ERO to develop and propose mandatory reliability standards for all owners, users and operators of the bulk power system. Once such standards are approved by FERC, the ERO and regional entities may enforce the standards, subject to FERC oversight. FERC selected the North American Electric Reliability Counsel (NERC), a voluntary private industry coordinating body, as the ERO in 2006 and, by rulemaking, approved reliability standards proposed by NERC in March 2007.
- FERC - The Federal Energy Regulatory Commission - The United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates. FERC also reviews and authorizes liquefied natural gas (LNG) terminals, interstate natural gas pipelines and non-federal hydropower projects.
- FISMA - Federal Information Security Management Act - 2002 law that requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
- IEEE 1686 - IED Security Standards - Defines functions and features provided in substation intelligent electronic devices (IEDs) to accommodate critical infrastructure protection programs. Security regarding the access, operation, configuration, firmware revision, and data retrieval from an IED is addressed in this standard.
- IDS/IPS - Intrusion Detection and Prevention Services (also known as Intrusion Detection and Prevention Systems (IDPS) network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.
Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected.
- IEC 62351 - Utility Communications Security Standard - Specifies procedures, protocol extensions, and algorithms to facilitate securing ISO 9506 – Manufacturing Message Specification (MMS) based applications.
- ITIL - The Information Technology Infrastructure Library - A set of concepts and practices for Information Technology Services Management, IT development and IT operations. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. Change Management aims to ensure that standardised methods and procedures are used for efficient handling of all changes.
- NERC - North American Electric Reliability Corp., a nonprofit corporation based in Atlanta, GA was given responsibility for setting security standards for some utility operations. NERC's mission states that it is to "ensure that the bulk power system in North America is reliable."
NERC oversees eight regional reliability entities and encompasses all of the interconnected power systems of the contiguous United States, Canada and a portion of Baja California in Mexico.
NERC's major responsibilities include working with all stakeholders to develop standards for power system operation, monitoring and enforcing compliance with those standards, assessing resource adequacy, and providing educational and training resources as part of an accreditation program to ensure power system operators remain qualified and proficient. NERC also investigates and analyzes the causes of significant power system disturbances in order to help prevent future event.
The two major and three minor NERC Interconnections, and the nine NERC Regional Reliability Councils.
- NERC CIP – Critical Infrastructure Protection - NERC Standards CIP-002 through CIP-009 provides a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed. Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.
- CIP-001 Sabotage Reporting - Disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.
- CIP-002 Critical Cyber Asset Identification - Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment.
- CIP-003- Security Management Controls - requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.
- CIP-004 Personnel & Training - Requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness.
- CIP-005 Electronic Security Perimeter(s) - Requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.
- CIP-006 Physical Security of Critical Cyber Assets - Intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets.
- CIP-007 Systems Security Management - Requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the Electronic Security Perimeter(s).
- CIP-008 Incident Reporting and Response Planning - Ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.
- CIP-009 Recovery Plans for Critical Cyber Assets - Ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. Standard CIP-009 should be read as part of a group of standards numbered Standards CIP-002 through CIP-009. Responsible Entities should apply Standards CIP-002 through CIP-009 using reasonable business judgment
- CIP-010 Cyber Security - Configuration Change Management and Vulnerability Assessments - To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.
- CIP -011 Cyber Security - Information Protection - To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
- CIP - 014 Physical Security Reliability Standard - enhance the physical security of the most-critical Bulk-Power System facilities and reduce the overall vulnerability of the grid to attacks
- NSPF - Network Single Points of Failure - High voltage transformers, breakers, and other long-lead time items are particularly critical system elements.
- RAI - Reliability Assurance Initiative - Undertaken by NERC to revamp how it goes about enforcing and monitoring compliance with these reliability standards. At its core, RAI is intended to shift away from rote application of the reliability standards and focus more on management of risk to the bulk power system. NERC and its regulator, the Federal Energy Regulatory Commission (FERC), have been criticized for taking a zero-tolerance approach to applying the reliability standards, which caused the industry to focus more on mitigating their compliance risks than on reliability. This former approach was also becoming impossible to manage, as more violations (regardless of how minor they were) were coming into the system than NERC and the Regional Entities could process in a timely fashion.
As proposed, RAI has several key components.
- From an enforcement standpoint, NERC is looking at ways to extend its enforcement discretion to registered entities and regional entities so that they may dispose of minor reliability standards infractions without having to go through the entire enforcement process. To this end, NERC and its regional entities are creating programs to allow the regional entities to dispose of minor violations through an "exceptions process" outside of the formal enforcement realm and similarly to allow registered entities to "self-log" minor violations as compliance exceptions.
- From a compliance monitoring perspective, NERC is looking at various reforms to reorient its audits and reporting to focus on risk rather than strict compliance with the reliability standards. Among these reforms are:
- documenting NERC's risk analysis process,
- assessing the risk profile of each individual registered entity and
- assessing such entities' internal controls for mitigating the risks.
- Finally, RAI also includes a number of reforms for auditors to ensure that they are trained to conduct audits with more of a risk management focus and so that entities will have greater understanding as to how compliance audits will be conducted.
- Reliability Standards – The EPAct 2005 gave the Federal Energy Regulatory Commission (FERC) authority to direct the industry to develop reliability standards and the authority to designate an Electric Reliability Organization (ERO) to develop and propose mandatory reliability standards for all owners, users and operators of the bulk power system. Once such standards are approved by FERC, the ERO and regional entities may enforce the standards, subject to FERC oversight. FERC selected the North American Electric Reliability Counsel (NERC), a voluntary private industry coordinating body, as the ERO in 2006 and, by rulemaking, approved reliability standards proposed by NERC in March 2007.
Reliability Standards are the planning and operating rules that electric utilities follow to ensure the most reliable system possible. These standards are developed by the industry using a balanced, open, fair and inclusive process managed by the NERC Standards Committee. The Committee is facilitated by NERC staff and comprised of representatives from many electric industry sectors.
Proposed standards are reviewed and approved by the NERC Board of Trustees, which then submits the standards to the FERC and Canadian provincial regulators for approval. Once approved by these governmental agencies, the standards become legally binding on all owners, operators and users of the bulk power system.
- Risk - The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated impacts.
- SAML: Security Assertion Markup Language - A framework for the exchange of security-related information between trusting parties. It is the key standard for federated identity systems and widely used today for cross-domain single sign-on
- SCADA - Supervisory Control and Data Acquisition. It generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes. SCADA and control systems were not built for security, but for speed and performance.
- SIEM - Security Information Event Management - A combination of the formerly disparate product categories of SIM (Security Information Management) and SEM,(Security Event Management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.
The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM).
- Stuxnet - A sophisticated, targeted weapon that proved utilities' seemingly isolated SCADA networks could be compromised, potentially disrupting energy production and distribution. a computer worm discovered in July 2010. It targets Siemens industrial software and equipment running on Microsoft Windows. While it is not the first time that crackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices. Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran.
- System Reliability – A measure of an electric system’s ability to deliver uninterrupted service at the proper voltage and frequency.
- The federal government has developed a standardized description of critical infrastructure, in order to facilitate monitoring and preparation for disabling events. The government requires private industry in each critical economic sector to:
- Assess its vulnerabilities to both physical or cyber attacks
- Plan to eliminate significant vulnerabilities
- Develop systems to identify and prevent attempted attacks
- Alert, contain and rebuff attacks
- And then, with the Federal Emergency Management Agency (FEMA), to rebuild essential capabilities in the aftermath.
- Security compliance can seem very daunting but it all boils down to answering five questions
- Who should have access to what? - Policy
- Who does have access to what? - Actual Controls
- Who could have access to what? - Risk Assessment
- Who did have access to what? - Often taken for granted
- Can we sustain our primary mission if everything fails? - Disaster Recovery
- An understanding of component and associated system vulnerabilities will be necessary to quantify cyber-security issues inherent in smart grid deployments, particularly when these systems can be used to control or influence the behavior of the system. Assessments will be needed, both in controlled laboratory and test-bed environments, and in actual deployed field conditions, to explore and understand the implications of various cyber-attack scenarios, the resilience of existing security measures, and the robustness of proposed countermeasures.
- Implementation of a cyber security strategy will require the development of an overall cyber security risk management framework for the Smart Grid. This framework will be based on existing risk management approaches developed by both the private and public sectors. This risk management framework will establish the processes for combining impact, vulnerability, and threat information to produce an assessment of risk to the Smart Grid. Because the Smart Grid includes systems and components from the IT, telecommunications and energy sectors, the risk management framework will be applied on an asset, system, and network basis, as applicable. The goal is to ensure that a comprehensive assessment of the systems and components of the Smart Grid is completed.
- Utilities are increasingly employing digital devices in substations to improve protection, enable substation automation, and increase reliability and control. However, these remotely accessible and programmable devices can introduce cyber security concerns. While NERC has developed Critical Infrastructure Protection standards to address these issues, Smart Grid technology and capabilities will offer better integration of these devices, increased use of sensors, and added layers of control. Smart Grid technologies, however, can bring their own cyber security concerns, which will require comprehensive, built-in security during implementation. Smart Grid technologies can do the following:
- Bring higher levels of investment and greater penetration of information technology (IT) into the grid, allowing utilities to address cyber security issues more effectively.
- Increase the robustness of the grid to withstand component failures, whether due to natural events, age/condition of assets, or hostile causes.
- Allow grid components and IT systems in time to detect intrusion attempts and provide real-time notification to cyber security organizations.
- Cyber Attacks - could take down parts of the grid for extended periods. Grid control systems are continuously probed electronically, and there have been numerous attempted attacks on the Supervisory Control and Data Acquisition (SCADA) systems that operate the grid. None have yet resulted in major problems in the U.S., but the potential exists for major outages. U.S. grid control systems are continuously probed electronically, and there have been numerous attempted attacks on the Supervisory Control and Data Acquisition (SCADA) systems that operate the grid.
- Catastrophic failure - The existing grid lacks sufficient security tools and practices to defend against disruptions caused by cyber attacks, since it was built on “security through obscurity”. As the grid evolves into the Smart Grid, obscurity fades away. Devices that are capable of remote communications may fall victim to remote cyber attacks by lone hackers, terrorist groups, or unfriendly foreign governments.
- Smart Meter Security Holes - In 2009 Seattle, Washington-based IOActive Inc., successfully reverse engineered a smart meter--known as Advanced Metering Infrastructure (AMI)--and demonstrated the ability to inject a worm into the grid that would grant a hacker full control over the grid devices. The tests also revealed that the worm could spread like wildfire throughout the grid, potentially allowing the hackers to shut down massive portions of electricity to major cities, critical infrastructures and government agencies.
- Security Holes in Programmable Logic Controllers (PLCs) - At Black Hat USA 2011, Dillon Beresford, a researcher with NSS Labs, showed a backdoor in Siemens S7-300, S7-400, and S7-1200 devices that allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He staged a live demonstration of how he could control the Siemens devices, which are used in power and manufacturing plants worldwide. It took Beresford, who says he's no SCADA expert, only about two-and-half hours to write code to exploit the backdoor in the Siemens PLCs. He found a hard-coded password -- "Basisk," German for "basic" -- and was then able to open a command shell: "That allowed me to do other things," such as perform a memory dump, capture passwords, and reprogram the programmable logic, he says.
The backdoor, which likely was put in place for diagnostics purposes, could allow attackers to get inside and perform arbitrary commands on the systems and intercept any communications coming to the PLC, he says. The researchers say it's likely these attacks could also work against GE, Rockwell, and other SCADA products that run the same communications protocols.
- Communications Networks - the nonprofit research group Foundation for Resilient Societies claims communications between grid control centers and transformer substations are still not protected against cyberattack. The foundation says, FERC has directed NERC, to define the term "communications network." In FERC Order 791 on Nov 22, 2013, FERC approved removal of the phrase "communication networks" from NERC's definition of equipment needing cyber protection, saying it was "confusing." FERC also gave NERC another year to create a definition of "communication networks."
Further, in November 2013 an order was passed to approve NERC cybersecurity standards that exempt protection of electric utility communications networks.
There are three kinds of communications networking used to manage the bulk transmission system.
- There are the legacy protocol serial lines. The serial stuff is not readily hacked - one, it's not that easy in a practical sense, and, two, compromising it would have limited impact on grid reliability as a whole. A malicious attack could cause some loss of visibility in limited areas, but that can be easily restored.
- Now we're starting to put in more TCP/IP communications networking, which are the Internet protocols that get hacked. A 69-kilovolt substation in a swamp running TCP/IP is a bigger risk than a 500-KV substation running serial protocols, because the IP communications circuit can provide an attack vector into control host data centers. It makes a difference what the protocols are. Bad guys don't have to come in through the main gate, they can come through some little access point out in the boonies with an TCP/IP connection.
- The third is dial-up, which is scary in its own way.
- Denial of Service - One scenario is If an attacker were to determine out how to send a service disconnect command to thousands of meters at the same time producing a denial of service attack. The load on the system and generation would greatly diminish and some generators may be taken off-line. Then the attacker waits for a period of time and turns all the meters on again wreaking havoc on the bulk electric system. The advent of AMI has definitely increased the threat surface of the smart grid.
- Security System Failure - During the August 2003 blackout most systems failed that would detect unauthorized border crossings, port landings, or unauthorized access to vulnerable sites. Future such blackouts could be exploited for terrorist activity, with potentially far more catastrophic results.
- Natural Disasters such as hurricanes, tornadoes, electrical storms or other extreme weather events. The consequences have the added risk of physical damage to the infrastructure.
- Sabotage or Terrorist Activity, whether local, trans-national, or state-sponsored, and including both conventional and nuclear attack. Nuclear attack could take place either directly or through the generation of a high altitude electromagnetic pulse (EMP). Although the system is designed to survive single points of failure, increasing demand on the system and increasing network constraints make multiple points of failure more.
- EMP - Electro-Magnetic Pulse - EMP has received very little attention. An electromagnetic pulse attack can have a devastating impact on the grid, rendering it useless perhaps for many years. While it is generally considered a low frequency/high consequence threat, recent developments regarding both human-caused EMP and the likelihood of geomagnetic storms significantly increase the chances of a major hit. Protective activity needs to be jump-started if appropriate measures are to be in place before it's too late.
- Interruptions in supplies to generating plants through events, infrastructure failures, attack or even market forces. This occurred in California during 2000 and 2001 when supplies of natural gas were interrupted and forced a reduction in electricity generation. Approximately 20% of U.S. electricity is generated by natural gas and market prices have swung wildly over the past several years. Approximately 52% of U.S. electricity is generated by coal and transportation routes that move coal from mines to generating plants are sometimes remote and lacking in alternatives. Critical rail lines or bridges could be taken out by determined.
- Threat to Military Installations - Historically, DoD has viewed the mission of each installation to be to launch or deploy combat forces when directed. Beyond that, the installation itself has been viewed as less critical. However, this is changing. Concern over domestic terrorist attacks, the establishment of the Department of Homeland Security and a new Homeland defense mission for DoD have created a new role for military installations. Not only is there now a critical need for installations to continue functioning 24/7, but the power needed is significantly greater than that needed to support only specific critical missions.
- Identity Theft - Potential for compromise of data confidentiality, including the breach of customer privacy.
- Insecure Home Automation Networks - X10i - An international and open industry standard for communication among electronic devices used for home automation, also known as domotics. It primarily uses power line wiring for signaling and control, where the signals involve brief radio frequency bursts representing digital information. A wireless radio based protocol transport is also defined.
Researchers at the Black Hat USA 2011 security conference showed today how they could disrupt and snoop on home automation networks in residences and offices using devices connected to Ethernet networks that communicate via public power lines.
Dave Kennedy and Rob Simon have created a device that can be plugged in to a power outlet outside a target building or a nearby building and programmed to interfere with the home Ethernet network inside. The X10 Black Out device can be programmed to jam the signals that turn lights on and off and open doors, as well as disable security systems, kill security cameras, turn air conditioning or heat off, and interfere with other functions of a home automation network based on the X10 protocol. X10 is one of the most popular protocols.
"We can track people with motion sensors and see what part of the house they might be in," Simon said during a presentation. The sniffer device basically "maps out the entire house," The weaknesses stem from the fact that there is no encryption in the X10 protocol.
- A January 2011 GAO report "ELECTRICITY GRID MODERNIZATION - Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed" found:
- Regulatory Ambiguity - Aspects of the current regulatory environment make it difficult to ensure the cybersecurity of smart grid systems. In particular, jurisdictional issues and the difficulties associated with responding to continually evolving cyber threats are a key regulatory challenge to ensuring the cybersecurity of smart grid systems as they are deployed. There is a lack of clarity about the division of responsibility between federal and state regulators, particularly regarding cybersecurity. While jurisdictional responsibility has historically been determined by whether a technology is located on the transmission or distribution system, experts raised concerns that smart grid technology may blur these lines. For example, devices such as smart meters deployed on parts of the grid traditionally subject to state jurisdiction could, in the aggregate, have an impact on those parts of the grid that federal regulators are responsible for—namely the reliability of the transmission system.
- Lack of Consumer Awareness - Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems. Specifically, there is concern that consumers are not aware of the benefits, costs, and risks associated with smart grid systems. This lack of awareness may limit the extent to which consumers are willing to pay for secure and reliable systems, which may cause regulators to be reluctant to approve rate increases associated with cybersecurity. As a result, until consumers are more informed about the benefits, costs, and risks of smart grid systems, utilities may not invest in, or get approval for, comprehensive security for smart grid systems, which may increase the risk of attacks succeeding.
- Compliance Focus - Utilities are focusing on regulatory compliance instead of comprehensive security. The existing federal and state regulatory environment creates a culture within the utility industry of focusing on compliance with cybersecurity requirements, instead of a culture focused on achieving comprehensive and effective cybersecurity. Utilities focus on achieving minimum regulatory requirements rather than designing a comprehensive approach to system security.
- Missing Security Features - There is a lack of security features being built into smart grid systems. Security features are not consistently built into smart grid devices. Certain currently available smart meters have not been designed with a strong security architecture and lack important security features, including event logging and forensics capabilities which are needed to detect and analyze attacks. In addition, smart grid home area networks—used for managing the electricity usage of appliances and other devices in the home—do not have adequate security built in, thus increasing their vulnerability to attack.
- Little Sharing of Best Practices - The electricity industry does not have an effective mechanism for sharing information on cybersecurity and other issues. The electricity industry lacks an effective mechanism to disclose information about smart grid cybersecurity vulnerabilities, incidents, threats, lessons learned, and best practices in the industry. Information regarding incidents such as both unsuccessful and successful attacks must be able to be shared in a safe and secure way to avoid publicly revealing the reported organization and penalizing entities actively engaged in corrective action.
- Lack of Cybersecurity Metrics - The electricity industry does not have metrics for evaluating cybersecurity. The electricity industry is also challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. While such metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to make the most secure system. Furthermore, having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment.
- No National Standards for Smart Grid Security or Privacy.- Regional level committees established by the North American Electric Reliability Corporation (NERC) have been focusing largely on compliance for the transmission of bulk electricity, but the smart grid focuses on the distribution side of the grid. Whatever NERC mandates will still focus on bulk transmission, leaving local distribution without any legislation or regulation. FERC and NERC have no jurisdiction over distribution. The only real jurisdiction over the distribution level is nominally the public utility commission.
- Openness - Should Utility system be closed with access at the edges or open? The Smart Grid is inherently an open system with numerous players, multiple technologies, physical and software components
- Complexity - Increasing complexity can introduce vulnerabilities and increase exposure to potential attackers Interconnected networks can introduce common vulnerabilities Increased number of entry points and paths for adversaries to exploit The interdependencies of various grid components can bring about a domino effect; a cascading series of failures that could bring our nation’s banking, communications, traffic, and security systems among others to a standstill.
- Legacy Equipment - Legacy equipment may be difficult to modify to meet the new standards developed. Legacy systems not designed with security in mind and have multiple chinks. The issue of legacy equipment is not unique to the Smart Grid. There are many industrial control systems and IT systems that do not have the most current suite of cyber security controls. In addition, the life cycle for information technology, particularly software, is very short -- 6 months for applications -- and the knowledge and skill of adversaries to these systems continues to increase. To address this issue, the Smart Grid cyber security strategy must address the addition and upgrade of cyber security controls and countermeasures to meet these needs. These new controls and countermeasures may be allocated to stand-alone components within the overall Smart Grid architecture.
- Low Latency - Power Network equipment has a high dependence on system timing and a low tolerance for latency. Traditional information security methods like interrogating information before it is processed may not work in a power grid environment.
- Legacy Expertise - The complex and largely proprietary systems that have evolved to service the growing market for power has bred its own priests and priestesses who can conjure the connections between sensors and centralization, and between remote units and controllers. This is a very different skill than weaving a consistent pattern of routers, hubs, and access controls. These control networks are the "backbones" that create the possibility of reliable power, and while security is most definitely a requirement, it has meant something very different until recently. Where Internet and IT teams are looking at understanding likely breaches, utility teams have sought out likely failures.
- Legacy Regulation - If a utility wants to institute a new program or policy, it needs to justify that investment to regulators, who represent the ratepayers who will ultimately have to bear the upfront and operational costs of any improvements. While this clearly complicates any major investment, it makes more granular and speculative investments (like securing grids against attackers that haven't been widely seen yet,) become downright impossible, as ratepayers would be asked to pay more money for the same power that they have been receiving right along, and will likely see only minimal positive impact over a long period of time.
- Consumers will be technology-ignorant
- Spare Parts - The level of spare parts kept in inventory has declined, and spare parts are often co-located with their operational counterparts putting both at risk from a single act. In some cases, industrial capacity to produce critical spares is extremely limited, available only from overseas sources and very slow and difficult to transport due to physical size. Grid sections could be taken down for months even if replacement transformers and breakers could be found; or for years if certain components need to be newly manufactured and transported. There are only limited backups located around the country—generally co-located with operating equipment. For some of the largest equipment, there is no domestic supply and only limited overseas production capacity which is fully booked years ahead. For example, 765 kV transformers are manufactured only by one company in Canada.
- Risk Prioritization - In many cases, installations have not distinguished between critical and non-critical loads when configuring backup power systems, leaving critical missions competing with non-essential loads for power.
- Compliance does not beget Security - What we want is a "culture of security", but the unintended consequence of mandatory and enforceable regulations with financial penalties for failure to comply gets utilities' legal and compliance oversight staffs involved. This can result in fine-point adherence to the literal language of the standards instead of the spirit of the standards. If you focus on the security, you'll be really close to compliance. But if you're focused on compliance, you may not be all that secure.
- Internet Vulnerability - Utilities have already taken advantage of the existing communications infrastructure and capabilities of the Internet to aid their marketing operations. While typically not connecting their more sensitive control center systems directly to the Internet, many entities have nevertheless upgraded those systems to use Internet-based protocols and technologies. This, coupled with the fact that the non- Internet-connected control center operations may be connected to the same corporate network as the Internet-connected marketing systems, means that there may be an indirect Internet vulnerability to those sensitive control systems.
- Two Way Communication - The fact that a smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments commands that even more attention be given to the development of cyber-security standards.
- Applying Holistic Security - The NERC Critical Infrastructure Protection (CIP) standards clearly specify that utilities must integrate information system security into all aspects of their automation systems: not just devices, computer systems and technologies but also policies, procedures, and training. Furthermore, utilities must apply these measures consistently and in an integrated fashion across their entire organization in order to be effective. The Smart Grid vision of information flowing automatically throughout the utility provides great opportunities for efficiency, reliability and cost-effectiveness. However, it also provides many more opportunities for attackers. The challenge for most utilities will be to build their Smart Grid systems in an evolutionary fashion, integrating security, network management and data management into each Smart Grid application as they deploy it.
- Zero Tolerance Focus - NERC and its regulator, the Federal Energy Regulatory Commission (FERC), have been criticized for taking a zero-tolerance approach to applying the reliability standards, which caused the industry to focus more on mitigating their compliance risks than on reliability. This former approach was also becoming impossible to manage, as more violations (regardless of how minor they were) were coming into the system than NERC and the Regional Entities could process in a timely fashion.
- A Strategic Plan based on fundamental and operational excellence rather than tactical responses to NERC CIP Audit findings
- Emphasize Security Processes over Technology Fixes
- Network Zoning
- Vulnerability Management
- Event Log Management
- Change Control Management
- Track all known and authorized changes to critical cyber assets
- Discover all unauthorized changes to a system of interest
- Data Confidentiality in sensitive applications
- Threat Protection (worms, viruses, Trojans, etc.)
- Denial of Service Protection
- Separating critical from noncritical loads
- Hardened network devices and systems
- Identity and access control policies
- Integrated physical security
- Comprehensive management and reporting
- Physical security
- Identity and access control policies
- Protection for data transmission and storage
- Real-time monitoring, management, and correlation
- Security as a design function
- Security through identity management
- Security built into components
- Security through dedicated devices
- Security at every layer
- Pending Federal Legislation - In 2009, both the U.S. Senate and the U.S. House of Representatives (HR 5026) began drafting legislation designed to protect grid reliability and to defend energy infrastructure from cyber and physical attack. New drafts of those proposals, strikingly familiar in their structure and wording to those of two years ago, appeared in Congress earlier this year, and were widely discussed in May and June 2011. Click here to view the May 31 hearing in the House Energy Committee.
In both cases, it was clear that the federal government intends to redefine FERC's powers and control over both the bulk power system and "defense critical electric infrastructure" (defined, essentially, as anything not currently covered by the legal definition of the bulk power system including the Distribution System which is currently not covered by federal law)-even if only for the purposes of "protect(ing) the bulk power system and electric infrastructure critical to the defense of the United States against cyber security and other threats and vulnerabilities" (according to the Grid Reliability and Infrastructure Defense, or GRID, Act proposed by the U.S. House of Representatives).
NERC currently has security policy responsibility for the bulk power grid and this legislation puts the future of NERC into question.
- A NIST-led Cyber Security Coordination Task Group (SCWP) consisting of more than 200 particiapants from the private and public sectors is leading the development of a cyber security strategy and requirements for the Smart Grid. The task group is identifying use cases with cyber security considerations, performing a risk assessment including assessing vulnerabilities, threats and impacts, developing a security architecture linked to the Smart Grid conceptual reference model, and documenting and tailoring security requirements to provide adevante protection. They developed and published guidelines for Smart Grid cyber security (Guidelines for Smart Grid Cyber Security, NISTIR 7628, published, August 2010)
- April 28, 2011 - The CSWG Three-Year plan has been finalized and posted here.
- Develop Key Management Strategies - Key management of the millions of devices and meters is becoming a critical issue, since truck rolls are too expensive for manual key entry, and some communication infrastructures may not be adequate for handling key updates. Cyber security is only as good as the secrecy of the cyber keys used not only for encryption but also just for authentication. Key management over narrowband communication channels to inexpensive end devices needs resolution and standardization.
- Develop more detailed security requirements for AMI systems. AMI-SEC has developed high level security requirements for AMI systems, but these are not detailed enough to provide explicit security requirements for different functions using the AMI systems. AMI systems are becoming an enormous communications infrastructure that reach into all customer sites. Ensuring that these AMI systems are truly secure enough for the different functions that can be performed across them, is critical. That assurance can only come from more detailed security requirements linked to the different functions.
- BAE Systems - Defense, security and aerospace company, with operations in the advanced electronics, security, IT solutions markets, that has moved into the smart grids market. Owns Detica, which provides consulting services and data analytics for (among other areas) cyber-security and information assurance market.
- Boeing - Named as a security partner on Southern California Edison's $60 million request to connect a 32-megawatt wind storage battery to the grid. Targeting the market with its cyber-security and large systems integration expertize. It has been awarded US stimulus funding – for instance to demonstrate an advanced software technology with military-grade cyber-security that can optimize transmission system operation.
- Certicom Mississauga, ON - A wholly owned subsidiary of Research In Motion Limited (RIM). Offers an AMI Network Security Solution comprising three elements: the Certicom AMI 7000 series (an encryption and key management platform that protects the authenticity, integrity and confidentiality of AMI network data), the Certicom Security Builder AMI Agent (provides the cryptographic algorithms to create a trusted platform) and Certicom's ZigBee Smart Energy certificate service (issues unique identity certificates for each ZigBee Smart Energy device enrolled on the network). Its Device Authentication Service for ZigBee Smart Energy has shipped more than 1 million certificates for smart meters and ZigBee Smart Energy networked devices.
- Cisco San Jose, CA - A global provider of networking solutions. As part of its major push to provide smart grid platforms, Cisco has developed a suite of security services for smart grids.
- EMC RSA - Bedford, MA - A provider of information infrastructure technology and solutions. Targeting the smart grid market through two routes. EMC's subsidiary RSA offers solutions designed to protect customer privacy including identity assurance & access control, encryption & key management, compliance and security information management and fraud protection. In addition EMC offers its Ionix range of products which monitor and manage IT networks, and which it is positioning as suitable for running the technology underpinning smart grids. The Ionix range of products can monitor and manage connectivity, applications, storage, server, resource allocation and network configurations.
- HP - Positioned as a systems integrator for smart grid solutions, operating in part through its subsidiary EDS. Announced the introduction of HP Smart Grid Security Quality Assessment (SGSQA), a service designed to provide security auditing for utilities and Smart Grid operators.
- IBM - Positioned itself as a systems integrator for smart grid deployments. IBM security solutions are based on the IBM Security Framework, which defines an end-to-end approach to developing, deploying and supporting security solutions across people, networks, applications, data, and the physical plant.
- Industrial Defender- Foxborough, MA - A leader in security and compliance management for automation systems. Provides solutions to protect power generation, transmission and distribution infrastructure. Its Defense-in-Depth solution suite includes three major services: Intrusion Prevention at the network perimeter via a Unified Threat Management platform (UTM/Firewall), and within servers and end-point devices via a Host Intrusion Prevention System (HIPS); Access Management which uses authentication and authorization to regulate access to key systems; Monitoring & Response which integrates intrusion detection, performance monitoring and event management from all protected systems, end point devices, perimeter/firewall platforms and network infrastructure; Compliance Sustainability provides security process automation and information tools that simplify and reduce the cost of security management, including analytical and reporting tools for security forensics and compliance audit support. Compliance Manager and related Industrial Defender Sensor and Collector technologies are specifically built to work with critical automation systems (e.g., SCADA, EMS/DMS, DCS/PCS).
- InGuardians - Washington, DC - Offers security auditing, penetration testing, forensics, incident response and architecture review. Their testing service includes a network security architecture review; network, application and physical penetration tests and assessments; and a code review. InGuardians’ ARM Threat Mitigation Service encompasses firewall deployment, IDS rollout, OS hardening, and security policy consulting. The company has also designed a number of attack frameworks (e.g. for AMI and ZigBee) that can be used to test system security.
- IOActive - Seattle, WA - Offers computer security services with specializations in smart grid technologies, software assurance, and compliance.
- Juniper Networks - Sunnyvale, CA - Smart Grid Security Solution encompasses intrusion protection systems (IPS), behavioural monitoring, local and remote user access control, use of roles in combination with SSL VPNs to identify and quarantine users acting out-with the scope of their allocated roles, network event visibility and analytical tools, application acceleration platforms, firewalls, and a single network management system.
- KEMA - Provides consultancy (business and technical), operational support services, measurement and inspection services, and testing and certification services for the energy and utility industry.
- Lockheed Martin - Is involved with eight utilities seeking Department of Energy smart grid grants, including a $150 million smart grid project being proposed by American Electric Power Co. in Ohio and PPL Electric Utilities' $38 million proposal to pilot smart grid technology in the area of Harrisburg, Pa.
According to Ken Van Meter, a principal in Lockheed's enterprise integration group. Cybersecurity is Lockheed's "A-plus-plus-plus product" when it comes to utility customers. Given the decades-old technology of today's grid, "almost everything in the conventional networks right now is manual" control, he said. "It's pretty hard to cause widespread damage, and it's almost impossible to cause remote damage."
But add IT to that grid, and you open the grid to hacking, he said. Gaining control over automated shut-down features at homes, substations and other points of the grid could give tamperers the ability to disrupt power for lots of customers, including such critical systems as airport runway lighting and city traffic light systems, he said.
Lockheed Martin recently launched its Smart Energy Enterprise Suite, or SEEsuite, of advanced grid management applications designed to give utilities, system operators and defense customers insight into their enterprise operations and command and control of their smart grid assets.
- Mocana, San Francisco, CA - Developed a new model for keeping critical systems safe. Whereas conventional computer security systems keep a database of all “bad” behaviors, Mocana’s method keeps a database of “good” behaviors, and continuously checks current behavior against that database. This approach requires less processing power, doesn’t need to be updated as often, and is more robust to a plethora of attacks.
In addition to preventing bad behaviors from executing, this approach allows the system to keep out bad software from the beginning, since that software generally gets on the system through unauthorized channels. Mocana pairs this approach with other parts of its security architecture to offer a security solution for smart grid and AMI.
- N-Dimension Solutions Inc. Richmond Hill, Ontario, Canada - Provides Smart Grid cyber security solutions for the power & energy sector. N-Dimension’s Cyber Security Solutions include the n-Platform and n-Central product lines which provide defense-in-depth cyber security protection and assistance in achieving NERC CIP compliance.
- Raytheon - Developing its cyber-security business in recent years and is targeting the energy sector as a natural fit for this. It was chosen by Tucson Electric Power to provide security systems for the IT backbone of its large-scale solar project.
- SAIC - A provider of scientific, engineering, and technology applications. Offers end-to-end smart grid deployment support from design and build through to systems procurement and integration.
- SEL Schweitzer Engineering Laboratories - Pullman, WA - Designs, manufactures, and supports a line of products and services, ranging from generator and transmission protection to distribution automation and control systems.
- Subnet Solutions - Calgary, Alberta - Provides solutions focused on how access to data is controlled, logged, and monitored. Its PowerSYSTEM Center provides secure central management of the different intelligent electronic devices (meters, relays, RTUs, etc) deployed throughout the transmission and distribution system. It provides a single access point between substation WAN and corporate network, and acting as the gateway to substation IEDs helps to minimize the introduction of malware, virus and other software. It can also be used as a patch management server, and anti-virus server. It uses secure encrypted communications through SSL. Also provides equipment to access substation data.
- Verizon is offering compliance and readiness assessments to help utilities meet the 2010 NERC CIP requirement to be Auditably Compliant (AC) - the highest level of compliance - subject to spot checks and audits. Verizon Security Blog
- Waterfall Security - Israel; New York, NY - Provides unidirectional security gateways and data diodes for process control systems, SCADA systems, remote monitoring and segregated networks. The Waterfall Unidirectional Security Gateways are non-routable communication systems which provide protection against external cyber attacks. There is no data backflow – the hardware based appliance core of the Waterfall One-Way enforces unidirectional data flow at the physical layer (Layer 1 of the OSI model), to in turn ensure unidirectional communication at all higher layers of the protocol stack. Its complementary Integral Application White listing means only allowed application data and protocols can pass via the unidirectional gateway. Any other protocol, not set up at the gateway is blocked.
- Wurldtech - Vancouver BC; The Hague, Netherlands - offers cyber-security technology certification, consulting and risk assessment services and its key products The Achilles Satellite, and Achilles Inside. Achilles Satellite is a cyber security and robustness testing platform designed for equipment manufacturers to diagnose vulnerabilities in any device, system or application that is found on the process control network. It is a standalone system to be used before deployment of equipment. Achilles Inside provides an ongoing mitigation update service to manage the optimisation of firewalls and intrusion detection systems. It updates them with data about industrial system vulnerabilities.
- ASAP-SG The Advanced Security Acceleration Project - Smart Grid - Addresses security concerns in the Advanced Metering Infrastructure. The ASAP-SG is a collaborative effort of EnerNex Corporation, multiple major North American utilities, NIST, and DOE.
- CSTG - Cyber Security Coordination Task Group - Established by NIS, CSCTG has over 120 participants and has established several sub-working groups: vulnerability class analysis, bottom-up analysis, use case assessment and standards/requirements assessment.
- ESISAC - Electricity Sector Information Sharing and Analysis Center - Operated by NERC as required by Presidential Decision Directive (PDD) 63 in critical nfrastructure protection. The ESISAC is a voluntary means for utilities to share security-related information. In turn, the ESISAC is tasked with providing “timely, reliable and actionable warnings of threats and impending attacks on our critical infrastructures.
- ISACA - An international professional association that deals with IT Governance. It is an affiliate member of IFAC. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves
- SGIP CSWG - Smart Grid Interoperability Panel - Cyber Security Working Group -In November 2009, NIST Launched a consensus-based organization to coordinate the development of standards. (See my blog article Standards Development Process for details)
- NIST - NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements The collective privacy and security recommendations of about 350 experts including representatives of vendors, service providers, academics, regulators and federal agencies convening as the Smart Grid Interoperability Panel. Published August 2010
The report identifies the types of personal and business information that can be collected via SG technology, suggests practices that could be codified to address security issues, describes the known actors and interfaces in the "logical architecture" of the SG, discusses various categories of vulnerability to the grid based on comments received on an earlier draft, and identifies security/privacy "thematic issues" requiring immediate research and development.
- NIST - Cyber Security Working Group - One of the most comprehensive resource so far is the collection of documents is the NIST CSCTG Twiki
- Idaho National Labs. Control Systems Cyber Security for Managers and Operators there is a four hour course and an eight hour course , and they have a lot of good content inside.
- NERC CIP Standards
- Idaho National Laboratory - Transmission Line Security monitor can help protect nation's power grid
- The US-Canada Power Systems Outage Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, April 2004
- Findings from the Field - Cyber Security Discussion - This blog covers topics related to assurance and availability of control systems, especially critical infrastructure control system
- Unfettered Blog - Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.
- [In]Security Culture - With the ever increasing…
amount of content, standards, regulations, opinions and general discussion about cyber security for critical infrastructure and process control industries, the landscape is becoming crowded. From the wild west of Alberta, Security Cowboy Rick Kaun aims to share thought-provoking, straight from the hip observations, commentary and content about the wild west of security culture.
- In the Dark: Crucial Industries Confront Cyber Attacks - 2011 - The second annual report sponsored by security firm McAfee and conducted—presumably at arm's length—by the Center for Strategic and International Studies (CSIS). The report mentions the Stuxnet virus, which was designed for sabotage, with the likely target Iran's nuclear centrifuges at Natanz, Iran. However, about 40 percent of the report's respondents around the world said they found Stuxnet in their systems. More than half the report's respondents said they have experienced government sponsored attacks. While last year fears focused equally on China and the United States, today China stands alone as the top concern, followed distantly by Russia and the U.S.