20 March 2012
UTILITY CYBERSECURITY: PREPARE FOR THE WORST
Dan Rueckert, P.E., Associate Vice President, Black & Veatch
George Gamble, Director, Black & Veatch
AGENDA
• Utility Landscape & Trends
• Regulations
• Looking Ahead
• Questions & Discussion
UTILITY LANDSCAPE & TRENDS
RECENT NEWS: SETTING THE STAGE
Cybersecurity and Privacy Issues Related to Smart Meters (December 2011)
Public Utilities Commissions are examining the cybersecurity and privacy requirements that currently exist under federal and state law, rules, and utility policies and practices applicable to transmission and distribution utilities, and are identifying potential regulatory gaps by examining the extent to which existing federal requirements may or may not apply to cybersecurity and privacy issues regarding smart meters and related systems.
SEC Issues Guidance on the Disclosure of Cybersecurity Incidents and Costs
On October 13, 2011 the U.S. Securities and Exchange Commission (SEC) issued disclosure guidance related to cybersecurity risks and costs that may have far-reaching impacts on electric utilities. For those electric utilities already subject to the North American Electric Reliability Corporation (NERC) CIP cybersecurity requirements, this guidance suggests the need for increased scrutiny of compliance costs and of harms resulting from cyber incidents and potential cyber incidents, in order to evaluate appropriate disclosure. With the pending increase in the number of assets covered by the Version 4 Critical Infrastructure Protection (CIP) Reliability Standards, which the Federal Energy Regulatory Commission (FERC) recently proposed to approve, the costs of compliance are likely to increase significantly across the electric utility industry, affecting a wide variety of SEC registrants subject to FERC’s reliability jurisdiction.
Cyber Attacks on Utilities, Industries Rise
According to the DHS, Control System Security Program cyber experts based at the Idaho National Laboratory responded to 116 requests for assistance in 2010, and 342 so far in 2011. A senior Homeland Security cyber official, who spoke on condition of anonymity because of the sensitivity of the topic, said the Stuxnet worm exploited well-known design flaws in Siemens SIMATIC WinCC (the Default Password Security Bypass vulnerabilities) that in general can't be patched. Stuxnet is not just another run-of-the-mill piece of malware (a worm: self-contained and self-reproducing), but is instead one designed to target critical infrastructure. It uses two currently unpatched vulnerabilities in Windows to gain administrative rights on a system. (AP, Thu, Sep 29, 2011)
According to the General Accountability Office, the nation's wires infrastructure comprises $1 trillion in assets that entail 200,000 miles of transmission lines. Altogether, over 800,000 megawatts of power serve more than 300 million people. Because the system is now connected to the outside world, it is open to attack.
CYBERSECURITY IS IN BROAD PUBLIC VIEW
RECENT MEDIA
Don’t forget about Duqu
CBS 60 Minutes - early March 2012
THE ELECTRIC UTILITY LANDSCAPE: A CYBERSECURITY LAYERED PERSPECTIVE
[Diagram: layers labelled Generation, Transmission, Distribution, Control Center, RTO, ISO, Retail Markets and Neighborhood Area Network (NAN)]
EVOLVING COMPLEX ARCHITECTURES
NIST IR 7628 – UNIFIED LOGICAL ARCHITECTURE FOR THE SMART GRID
There are only two (2) basic ways to hack computers:
• Taking advantage of configuration problems
• Taking advantage of problems built into software
INDUSTRY TRENDS
TECHNOLOGY CONVERGENCE
Convergence of energy technologies provides a platform for driving performance
UTILITY LANDSCAPES INTEGRATED AND DEPENDENT ON EACH OTHER
[Diagram: interdependent sectors: Oil, Electric Power, Natural Gas, Water, Telecom, Transportation]
CYBERSECURITY CHALLENGES FOR THE UTILITY
Service Level Expectations
• Trustworthiness
• Confidentiality
• Integrity
• Availability
• Privacy
Increasing Threats
• Sophistication
• Frequency
• Speed
• Quantity
• Complexity
• Impact potential
Demands on Technology Management
• An integrated approach to risk management
• A holistic approach to security
• Proactive
• How to operationalize
Regulation & Compliance
• Governance (Policy & Procedures)
• CEO, Board-level accountability
• New laws and dynamic regulations
• Industry-specific regulations
POTENTIAL UTILITY BUSINESS IMPACTS OF A CYBER INCIDENT
Productivity
• (No. of employees impacted x hours) + (burdened hours + restoration cost)
Other Expenses
• Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses
• Regulatory fines
Financial Performance
• Cash flow, payment guarantees, lost discounts (A/P), credit rating, stock price, penalties
Technology Management
• Analysis and remediation costs
Hidden Costs
• Impacted customers and liabilities
• Lost opportunities
Damaged Reputation
• Customers, suppliers, financial markets, business partners, banks, litigation & internally
UTILITY MARKET ANALYSIS
CYBERSECURITY TRENDS
Cybersecurity appears to be a market that will continue to grow regardless of economic conditions. According to Gartner, the recession has had minimal impact on the utility security market, with the expectation of continued growth. Overall, security solutions in the United States are expected to grow approximately 9 to 13 percent annually, reaching approximately $50 billion by 2015. Current estimates of spending by utilities (i.e., water, electric and natural gas) are $15 to $18 billion through 2015.
NERC is not the only security standard driving cybersecurity. Utilities also measure themselves against Sarbanes-Oxley (SOX) and their information security infrastructure against NIST. Others measure against additional industry standards such as the InfoSec Assessment Capability Maturity Model (IA-CMM) that was set up by the National Security Agency (NSA).
TOP 20 AREAS OF VULNERABILITY SANS (System Administration, Network & Security Institute)
Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
Working on the Top 20 would form 80% of a security foundation within your company
REGULATIONS
The boss says that cybersecurity is extremely important and top priority. That is, unless it makes something inconvenient.
U.S. GOVERNMENT IMPACT ON SECURITY
REGULATORY LANDSCAPE: MULTIPLE REGULATIONS & STANDARDS
• Federal Energy Regulatory Commission – NERC
• Department of Energy – NIST
• Department of Homeland Security – U.S. CERT
• Nuclear Regulatory Commission – CFRs
• Nuclear Energy Institute – NEIs
• U.S. Government Accountability Office – FISMA
• S. 2105 - Cybersecurity Act of 2012
• S. 2151 - Strengthening Cybersecurity
Pressures originate from more than one government body, and the taxonomy is becoming complex.
FERC / NERC CIP STANDARDS EVOLUTION
Risk Based Methodology Review of Critical Assets (CAs) and Critical Cyber Assets (CCAs):
• A letter dated April 7, 2009 from Michael Assante, Vice President and Chief Security Officer of NERC, expressed concerns with data recently submitted to NERC regarding Critical Asset and Critical Cyber Asset identification.
NERC is moving away from the Risk Based Methodology to ensure protection of all Critical Assets:
• NERC CIP Version 4 – Proposed for Approval by FERC on September 15, 2011, removes the Risk Based Methodology and establishes “bright-line” criteria for determining Critical Assets.
• NERC CIP Version 5 – Initial Ballot Completed and under review, removes Critical Assets and moves toward identifying Bulk Electric System (BES) Cyber Systems (i.e. based on NIST SP 800-37 “information systems”). Ensures that ALL BES related information systems are afforded some level of protection.
NERC is advising all registered entities of its concern about the sufficiency of evidence supporting Critical Asset identifications where all substations and generating facilities are excluded. NERC believes that a finding of non-compliance is highly probable absent such evidence based on the NIST 800-30 Risk Assessment.
NRC NUCLEAR EVOLUTION AND NEI
• The FERC and NRC “Brightline Study” clarified the jurisdictional delineation of Nuclear Power Plant (NPP) Systems, Structures and Components (SSC) through the creation of an exemption process for excluding certain SSCs from the scope of applicable NERC Standards, as provided in FERC Order No. 706-B
• Regulations:
  • 10 CFR 73.54
  • Regulatory Guide 5.71
• Standards:
  • NEI 08-09 and implementation 10-09
Each plant has developed a cyber security plan and implementation schedules with deadlines
POWER AND INFORMATION INFRASTRUCTURE: HOW TO ASSESS AND IMPLEMENT THE REGULATIONS (CURRENT STATE)
[Diagram: 1. POWER INFRASTRUCTURE (Protection, SCADA, EMS, RTO, DER) and 2. INFORMATION INFRASTRUCTURE (Security, Network & Data Management; IEC 61850, CIM, GID, …; TCP/IP, Encryption, SNMP, …)]
Two infrastructures must be managed
POWER AND INFORMATION INFRASTRUCTURE: HOW TO ASSESS AND IMPLEMENT THE REGULATIONS (FUTURE STATE)
[Diagram: 1. POWER INFRASTRUCTURE and 2. INFORMATION INFRASTRUCTURE, with elements labelled Generating Plant, Step-Up Transformer, Transmission, Transmission Substation, Distribution Substation, Control Center, Users of Power System Data, distributed resources (Fuel Cell, MicroTurbine, Photovoltaics, Diesel Genset, Combined Heat & Power, Batteries, Flywheel) and Residential, Commercial and Industrial customers]
Two infrastructures must be managed in the future; not just one!
LOOKING AHEAD
UTILITY EXPECTATIONS: EVOLVING SMART UTILITY INFRASTRUCTURE LANDSCAPE AND MATURITY
[Diagram: maturity stages plotted by Integration Progression (Data, Information, Knowledge, Wisdom; low to high) against Strategic Impact (low to high): Smart Single-Use Infrastructure; I. Smart Network Device Connectivity; II. Smart Information Data Aggregation and Analysis; III. Smart Utility Multi-System – Multi-Facility Aggregation; IV. Smart Infrastructure Multi-Utility Integration (Physical – Cyber Integration). Bands: Market Today, Smart Grid Industry Average, Industry Best, Industry Defining]
Convergence of energy, heating / cooling, water, waste management, communications, security, and transport is needed to support efficiency & reliability
UTILITY DEFENSE-IN-DEPTH ISSUES: SMART GRID VIEW
[Diagram: layers from Strategic Direction to Technical Execution: Strategy & Direction, Requirements & Drivers, Enterprise Organization, Business Process, Security & Operations, Application Security, Privacy Considerations, Application, Data, Meter / Host, Network, Physical, Tamper Management]
People, Process & Technology have to work together
UNIFIED CONTROLS PROGRAM: A LIFECYCLE APPROACH
[Diagram: lifecycle drawing on NIST, NERC, NEI, State, Local, DHS, ITIL, CobIT, SOX, ASIS, ANSI/ISA, IEEE and HIPAA requirements]
• Establish Governance
• Harmonize Controls to create a Unified Control Framework
• Tailor Controls to determine the correct baseline
• Assess Existing Implementation of Controls
• Plan Remediation Activities & Tools
• Implement Remediation Actions
Treat cybersecurity like safety in our daily tasks
QUESTIONS & DISCUSSION