VIASAT PROPRIETARY
Critical Infrastructure Protection
Securing Electric Grid Control Systems and Assets
NRECA TechAdvantage, March 6, 2014
The bright, shiny, clean future awaits
Renewable, Reliable, Resilient, Efficient, Distributed, Intelligent, Customer-centric, Secure, Integrated Smart Grid
©2013 ViaSat Inc.
Smart Grid Value Realization
» SCADA and Phasor Measurements
» Substation Automation
» Distribution Automation
» Smart Metering, Demand Response, Energy Conservation and Distributed Resources
The value of the Smart Grid is realized by merging data from these islands of automation to achieve a total end-to-end systems view by integrating information technology and operational technology.
IT Enabled Integration
Smart Grid Systems of Systems Characteristics
» An increasingly smarter electric grid is characterized by increasingly complex systems that are network-centric, real-time, cyber-physical-social systems
› Thousands of platforms, operators, users supporting millions of sensors, decision nodes, actuators and customers
› Connected through heterogeneous wired and wireless networks
› Operating in a dynamic and evolving threat environment
Webearth from www.ibiblio.org/.../de2007/webearth.jpg Adapted from: SEI Ultra-Large Systems Study
©2013 ViaSat Inc. Used with Permission from Southern California Edison
Smart Grid Layered Architecture: Common Cybersecurity is Mission Critical
» Operational capabilities are supported by applications and common services
» Services are available to devices at the edge of the network and are event driven
» Communications design allows for connectivity across multiple network domains
» Security is end-to-end and enables systems integration
» Architecture is supported by common semantic models and standards
Smart Grid Control Ecosystem: Increased Attack Surface and Vulnerability
Increasingly Complex and Interconnected across Multiple Domains (ISO to End User)
ViaSat Communications and Networking
» Consumer Internet Service Provider
» Government and Enterprise
» Mobile SATCOM and Services
» Information Assurance and Cyber Security
» Communications Technologies
» High Capacity Satellite
Founded in 1986; $1.2B Revenue; 2800 Employees
Information Assurance Heritage
» High Grade Secure Modules
» Secure Networking Products
» Secure Architecture
» SOC Services and Technology
» DoD/NIST Certification
Mission Assurance Capability
Using military grade cybersecurity to enhance resiliency
CIP owners/operators facing transition that DoD started 10+ years ago
» Networked Battlefield
» Networked Utility Operations
Smart Grid System of Systems (SoS) Communications
Evolution of Smart Grid SoS Architectures
» Silos: Current-state
» ESB, Adapter-based: Typical SI Approach
» Common, Standards-based, Internet-style: DoD-style approach
Case Study: Southern California Edison
The Irvine Smart Grid Demonstration Project
Southern California Edison (SCE) is committed to safely providing reliable and affordable electricity to its customers
On an average day SCE provides power to:
» Nearly 14 million people
» 180 cities in 50,000 square miles of service area, encompassing 11 counties in central, coastal and Southern California
» Commercial, industrial and nonprofit customers, including:
› 5,000 large businesses
› 280,000 small businesses
California Climate & Energy Policies
Multi-faceted External Forces Impacting Smart Grid Architecture and Deployment
SCE Smart grid design goals
» More – increased capabilities
› More capabilities at the edge and enterprise, pervasive automation
» Better – faster, more reliable & secure
› The electric grid is more resilient
› Dynamic control of all security elements allows the system to adapt to evolving threats
» Easier – usability (convergence, unified control, visualization, information on demand)
› Tens of Millions of nodes are manageable
› Situational awareness
› Common Services allow for easier integration of new capabilities and technologies
SCE Architecture challenges
» How to ensure investments in SG technologies and systems today are able to participate in the SG architecture of tomorrow?
» How do legacy systems participate in the SG architecture?
» How do they manage the complexity of the system over time?
» How to represent an architecture trajectory that decision makers (policy makers, regulators etc.) can understand?
» How do they represent an architecture that is actionable?
» How do they relate the architecture to the emerging SG market and standards development efforts?
SCE will demonstrate an integrated, scalable end-to-end smart grid system (Irvine Smart Grid Demonstration)
Irvine Smart Grid Overview
Define Infrastructure Required for Smart Grid Functions and Strategy for Organizing Deployment
SCE’s Smart Grid
» SG Functions
› Bulk Renewable Integration
› Dynamic Pricing
› Cust. Information Provision
› DER Integration
› Load Control
› Adv. Transmission Protection
› Dynamic Asset Management
› Wide Area Awareness & Control
› Dynamic Asset Optimization
› Advanced Outage Management
› Advanced Volt/VAR Control
› Automated Customer Service
› PEV Readiness
» Management & Control Systems
› AMI Back Office Systems
› SCE.com
› Customer Information Systems
› Energy Service Provider Interface
› Distribution Management System
› Advanced Load Control System
› Outage Management System
› Energy Management System
› Wide-Area Situational Awareness System
› C-RAS Central Controller
› Wide-Area Control System
› Geographical Information Systems
» Communications Networks
› Substation LAN
› Premise-Area Networks
› Field Area Network
› High-Speed Backbone
› High Speed Protection Communications
› Inter-Utility Network
› AMI Network
» Field Devices
› FACTS Devices
› Advanced Robotics
› Energy Storage
› Phasor Measurement Units
› Smart Inverters
› Online Transformer Monitors
› Advanced Relays
› Workforce Computing Devices
› Advanced Switching Devices
› Smart Distribution Transformers
› Advanced Volt/VAR Devices
› Customer Premise Devices
› PEV Metrology
› Smart Meters
» Cyber Security
Cybersecurity is the over-arching capability that enables all domains to function and interact
SCE’s Smart Grid consists of both functions and infrastructure required to deliver functions
Strategy section describes required infrastructure for each function and guidelines for deployment
Example: Wide Area Situational Awareness & Control
SB 17: Self-Healing; Empower Customers; Resist Attack; Power Quality & Reduced Outages; DG & Storage; Enable Markets; Efficiency; Enable Intermittency
Energy Policies: AB 32; 33% RPS; Once-Thru Cooling; DG Incentives; PEV Adoption; 500 MW Solar Prog.; ZNE Buildings; DR Goals; SG OIR Information
SG Functions: Bulk Renewable Integration; Dynamic Pricing; Cust. Information Provision; DER Integration; Load Control; Adv. Transmission Protection; Dynamic Asset Management; Wide Area Awareness & Control; Dynamic Asset Optimization; Advanced Outage Management; Advanced Volt/VAR Control; Automated Customer Service; PEV Readiness
Definition: Real-time monitoring and automated control of transmission system conditions, including voltage, current, frequency, and phase angle, through use of visualization and intelligent alarming tools.
Policy Drivers: AB 32; 20% RPS by 2010, 33% RPS by 2020; Once Through Cooling
Implementation Challenges:
› Interconnection of renewables across western grid and retirement of coastal plants creates need for enhanced real-time information about transmission system conditions
› Intermittent renewable generation creates sub-second fluctuations in transmission system power, voltage, and frequency
SB 17 Characteristics Achieved: Power quality/reduced outages; Enable intermittency
Example: Wide Area Situational Awareness & Control
[Figure: SCE's Smart Grid functions and infrastructure diagram (SG Functions, Management & Control Systems, Communications Networks, Field Devices, Cyber Security), repeated from the earlier slide, here also listing Market Integration among the SG Functions.]
Deployment-Ready Infrastructure:
• PMUs
• High Speed Backbone Communications
• Back office systems to process >30 data points/second
Possible Future Deployments:
• Automated Control Systems
What is CCS?
» CCS is a real-time cyber-security monitoring, detection and response platform that provides complete network visualisation. By using sensors and traffic flow analysis it can identify and respond to suspicious and anomalous behaviour on operational control systems.
Cybersecurity System Capabilities
» Authentication
› Integrated Operational Public Key Infrastructure (PKI), Identity Management
» Authorization
› Role and Group Based Access Control (RBAC)
» Accounting
› Security Information and Event Management (SIEM)
» Peer to Peer
› Authenticated communication
› Defense in Depth
» Quality-of-Trust
› Continuous device to device trust monitoring
› Cyber & Physical alerts, device health, operator actions
» Integrity
› Trusted Boot, Trusted Network Connect
› Device Bill-of-Health
» Dynamic Scalable GUI
› Central operations security visualization GUI accessed via web browser
› Multi-Tier Security Operations Capability
› Large scale System Planning and Test Capabilities
Dissemination restricted as described on cover page.
TRUST IS EVERYTHING
Without TRUST you cannot achieve your operational and business objectives
QUALITY OF TRUST gives you a metric to determine the health of your operational networks and systems and be CONFIDENT about their interaction
Determining QoT
» Status: A device has been authenticated and has joined the “fabric” of CCS enabled devices
» Identity: Establishes that a device is what it’s meant to be
» Bill of Health: A device reporting about itself based on a defined list of characteristics/attributes
» Quality of Trust (QoT): Devices are monitoring each other’s behaviour and reporting on those that they are physically and/or logically connected to.
Conceptual Operation
Bump-In-The-Wire
Bump-In-The-Stack Proxy – CCS-Enabled Gateway
Security
Common Cybersecurity Service Concepts
Security Policy Enforcement & Status based on device and function
» Status: HEARTBEAT
» BoH: INTEGRITY
» QoT: QUALITY of TRUST
» ID: CERTIFICATE
Status: Trusted, Questionable, Untrusted, Unknown
» Device A: Policies
» Device B: Policies
» Device C: Policies
Common Cybersecurity Service Highlights
» The most advanced security system in the energy sector
› Next generation utility technologies
› DoD technology transfer
› Best practices from many sectors
› Modern SOA style architecture
» The most compliant security system
› NERC CIP Version X
› All Federal Processing Standards (DHS, FIPS)
› NIST Compliant (NISTIR, SP)
» The most scalable and dynamic security system
› Supports all Grid Applications
› Supports current and next generation networking (MPLS)
› Supports all major protocols used on the Grid
› Modular Construction
CCS Highlights
» Easily Integrated into existing environment
› Supports existing control and IT investments (Directory Services, Enterprise PKI)
› 8 inflight advanced programs are relying on new services (e.g. ISGD, Phasor Measurement, SA3, C-RAS, etc.)
› Supports gradual evolution to full compliance over time
» Ease of Use
› AMI Security uses command line and requires vendor support
› CCS has next generation web based graphical user interface
› Enables a powerful and unified security operations center
» IEC has committed to align with CCS principles
› Hosted IEC TC 57 Security Meetings
› New Part to FERC reviewed/recommended 62351
CCS Concepts: Advanced Visualization & Wide Area Situational Awareness (WASA)