CYBERSECURITY AND RURAL ELECTRIC POWER SYSTEMS
Paul R. Kaster, Jr., LtCol, USAF, MS, MA, EIT, PhD Candidate
Department of Electrical Engineering and Computer Science
Advisor: Dr. P.K. Sen, PE, IEEE Fellow
2015 IEEE Rural Electric Power Conference, Asheville, North Carolina
Fundamentals: “CIA” Analyses

Objective | Definition
Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity | Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
Availability | Ensuring timely and reliable access to and use of information

Impact levels
Objective | Breach | Low | Moderate | High
Confidentiality | | Limited impact | Serious impact | Severe or catastrophic impact
Integrity | Unauthorized modification or destruction | Limited impact | Serious impact | Severe or catastrophic impact
Availability | Disruption of access | Limited impact | Serious impact | Severe or catastrophic impact

Source: NISTIR 7628
Fundamentals: Cyber Security Core Functions

Term | Definition
Identify | Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect | Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect | Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
Respond | Develop and implement the appropriate activities to take action regarding a detected cyber security event.
Recover | Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.

Source: NIST Framework for Improving Critical Infrastructure Cybersecurity
Fundamentals: Risk Assessment (Subjective)
‣ Most Dangerous Course of Action (MDCOA) – potential cyber event that has the greatest impact on operations
‣ Most Likely Course of Action (MLCOA) – potential cyber event that is most likely to occur
‣ Minimum: identify threat, target, and consequences
Fundamentals: Risk Assessment (Quantified)
‣ R: Risk (money or time)
‣ T: Threat (probability)
‣ V: Vulnerability (probability)
‣ C: Consequence (money or time)

Term | Definition
Risk | potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences
Threat | natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property
Vulnerability | physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard
Consequence | effect of an event, incident, or occurrence

Sources: DHS Risk Lexicon; Department of Homeland Security (DHS) Risk Assessment Methodology: Evolution, Issues, and Options for Congress
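The two risk-assessment slides above, carried through in working code as an added example (this is not code from the presentation). It assumes the multiplicative form R = T × V × C, which the slide's units (probability × probability × money) imply but do not write out; it treats T × V as the likelihood used to pick the MLCOA and C alone as the measure for the MDCOA; the dollar thresholds in `impact_level` and the four sample events for a hypothetical rural cooperative are constructed for illustration. Running it shows why both views are done: the subjective screening picks out the SCADA event (most dangerous) and the phishing event (most likely), while the quantified ranking puts the ransomware case first.

```python
"""Quantified risk ranking for candidate cyber events at a hypothetical rural
electric cooperative.  Added example; not from the presentation.

Assumptions (not stated on the slide):
  * R = T * V * C, the multiplicative form of the DHS model, where
      T = probability the threat attempts the event (0..1),
      V = probability the attempt succeeds, i.e. the vulnerability (0..1),
      C = consequence if it succeeds (here money, in USD).
  * T * V is the "likelihood" used to pick the Most Likely Course of Action
    (MLCOA); C alone picks the Most Dangerous Course of Action (MDCOA).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberEvent:
    name: str
    threat: float         # T: probability of an attempt, 0..1
    vulnerability: float  # V: probability the attempt succeeds, 0..1
    consequence: float    # C: loss if it succeeds, in USD

    def __post_init__(self) -> None:
        # Reject values outside the model's domain early, so a percentage typed
        # as 30 instead of 0.30 cannot silently inflate R.
        for label, p in (("threat", self.threat), ("vulnerability", self.vulnerability)):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{label} must be a probability in [0, 1], got {p}")
        if self.consequence < 0:
            raise ValueError(f"consequence must be non-negative, got {self.consequence}")

    def likelihood(self) -> float:
        """Probability the event actually occurs: attempt * success."""
        return self.threat * self.vulnerability

    def risk(self) -> float:
        """Expected loss R = T * V * C (assumed multiplicative model)."""
        return self.likelihood() * self.consequence


def most_dangerous(events):
    """MDCOA: the event with the greatest consequence, regardless of likelihood."""
    return max(events, key=lambda e: e.consequence)


def most_likely(events):
    """MLCOA: the event with the highest probability of occurring."""
    return max(events, key=lambda e: e.likelihood())


def rank_by_risk(events):
    """Events sorted by quantified risk, highest first."""
    return sorted(events, key=lambda e: e.risk(), reverse=True)


def impact_level(consequence, moderate_at=100_000.0, high_at=1_000_000.0):
    """Map a consequence to the slide's Low / Moderate / High impact scale.
    The dollar thresholds are assumptions for this example, not from NISTIR 7628."""
    if consequence >= high_at:
        return "High"
    if consequence >= moderate_at:
        return "Moderate"
    return "Low"


# Constructed sample events for a hypothetical cooperative; values are illustrative.
SAMPLE_EVENTS = [
    CyberEvent("Ransomware on billing/back-office systems", 0.30, 0.40, 250_000),
    CyberEvent("Unauthorized SCADA command causing a feeder outage", 0.05, 0.20, 2_000_000),
    CyberEvent("Phishing leads to e-mail account compromise", 0.60, 0.50, 20_000),
    CyberEvent("Careless employee misconfigures a substation relay", 0.20, 0.60, 150_000),
]


def summarize(events=SAMPLE_EVENTS):
    """Return the MDCOA, the MLCOA and the risk-ranked list for a report."""
    return {
        "mdcoa": most_dangerous(events).name,
        "mlcoa": most_likely(events).name,
        "ranked": [(e.name, impact_level(e.consequence), round(e.risk(), 2))
                   for e in rank_by_risk(events)],
    }


if __name__ == "__main__":
    s = summarize()
    print("MDCOA:", s["mdcoa"])
    print("MLCOA:", s["mlcoa"])
    for name, level, r in s["ranked"]:
        print(f"{r:>12,.2f}  {level:<8}  {name}")
```

With the constructed values the MLCOA (phishing) carries the smallest expected loss and the MDCOA (SCADA) is only second by expected loss, so a program that funds controls purely by R would still want the subjective screening to keep the catastrophic-but-rare case in view.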
Fundamentals: Adversaries
‣ Nation States
‣ Hackers
‣ Terrorists
‣ Organized Crime
‣ Other Criminal Elements
‣ Industrial Competitors
‣ Disgruntled Employees
‣ Careless Employees
Groupings shown on the slide: Political, Financial, Chaos, Internal
Source: NISTIR 7628
Fundamentals: Controls
‣ Inventory of authorized and unauthorized devices
‣ Inventory of authorized and unauthorized software
‣ Incident response and management
‣ Security skills assessment and appropriate training to fill gaps
‣ Controlled access based on need to know
‣ Boundary defense
‣ Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
‣ Continuous vulnerability assessment and remediation
‣ Malware defenses
‣ Application software security
‣ Wireless access control
‣ Data recovery capability
‣ Secure configurations for network devices such as firewalls, routers, and switches
‣ Limitation and control of network ports, protocols, and services
‣ Controlled use of administrator privileges
‣ Maintenance, monitoring, and analysis of audit logs
CIP Standards: Applicability
‧ Under frequency load shedding (UFLS) or under voltage load shedding (UVLS) systems that perform automatic load shedding of at least 300 MW or are part of a larger load shedding program subject to NERC or Regional Reliability Standards.
‧ Any of the following that are subject to NERC or Regional Reliability Standards:
– Special Protection Scheme
– Remedial Action Scheme
– Transmission Protection System (other than UFLS or UVLS)
– Cranking Path or Group of Elements required for Blackstart Resources
CIP Standards: Applicability (continued)
‣ CIP standards apply to all facilities owned by a functional entity except for:
– Distribution providers: only responsible for those areas described above
– Facilities owned by the Canadian Nuclear Safety Commission
– Communication links between Electronic Security Perimeters (i.e., only responsible for assets within your own ESP)
– Anything regulated by the Nuclear Regulatory Commission
‣ Evidence of compliance must be maintained for 3 calendar years. Records from the last audit must be maintained until the next audit.
CIP-002-5.1 BES Cyber System Categorization
‣ Background:
– The Responsible Entity has flexibility to “determine the level of granularity” when defining systems.
– Limited to “BES Cyber Systems that would impact the reliable operation of the BES.”
– BES Cyber Assets:
‧ Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.
‣ Requirements:
– Identify high, medium, and low impact BES Cyber Systems
‧ The standard provides specific guidance for identifying the level
– Review those identifications every 15 months and document the review even if no items are identified
NISTIR 7628: Overview
‣ 597 pages of best practices
‣ Vol. 1: Smart Grid Cyber Security Strategy,

NISTIR 7628: Interface Categories (impact levels; C = confidentiality, I = integrity, A = availability; H = high, M = moderate, L = low)
Category | Description | C | I | A
1-4 | Communications between control systems and equipment | L | H | H/M
5 | Interface between control systems within an organization | L | H | H
6 | Interface between control systems within different organizations | L | H | M
7-8 | Interface between back office systems | H | M | L
9 | Business to Business (B2B) connections involving financial/market transactions | L | H | H/M
10 | Interface between control systems and other systems | L | H | M
11 | Interfaces between environmental sensors | L | M | M
12 | Interface between sensor networks and control systems | L | M | M
13 | Advanced Metering Infrastructure (AMI) | H | H | L
14 | High Availability AMI | H | H | H
15 | Systems using customer site networks | L | M | M
16 | Interface between external systems and the customer site | H | M | L
17 | Mobile field crew equipment | L | H | M
18 | Metering equipment | L | H | L
19 | Operations decision support systems | L | H | M
20 | Engineering/maintenance for control equipment | L | H | M
21 | Vendor maintenance and support for control systems | L | H | L
22 | Security/network/system management consoles | H | H | H
NISTIR 7628: Actors
NISTIR 7628: Security Requirements
‣ 180 high-level requirements:
– Governance, Risk, Compliance (GRC)
– Common technical requirements
– Unique technical requirements
‣ Applied to each interface category
‣ 19 categories, including Access Control (21) and Media Protection (6)