FRANK HOHLBAUM, 2020-05-13 Cyber Security ABB's cyber security end to end solution for Grid Automation Security assessment & monitoring Backup & recovery Security updates & hardening Malware protection Procedures & policies Perimeter protection May 13, 2020

Dewa Cyber Security Workshop - ABB

Mar 17, 2023

Page 1: Dewa Cyber Security Workshop - ABB

FRANK HOHLBAUM, 2020-05-13

Cyber Security

ABB's cyber security end to end solution for Grid Automation

Security assessment & monitoring

Backup & recovery

Security updates & hardening

Malware protection

Procedures & policies

Perimeter protection

May 13, 2020

Page 2: Dewa Cyber Security Workshop - ABB

Rough timeline

Some Significant Events


Threat level increasing over time

December 2015: Ukraine distribution system

December 2017: Trisis malware

October 2017: NotPetya malware – Ukraine DHS/FBI Russia warning

June 2017: NotPetya attack - Maersk

July 2017: FBI/DHS warning US Energy Facilities - WCNOC

December 2016: Ukraine transmission system

December 2014: DHS Alert – ICS a Target - Black Energy

March 23, 2018: DOJ Charges 9 Iranians

March 16, 2018: Russian Gov’t targeting Energy and CI

March 1999: Melissa

August 2005: US Energy Policy Act

August 2016: NIS Directive

March 19, 2019: Norway's Norsk Hydro Hit by 'Extensive' Cyberattack

Page 3: Dewa Cyber Security Workshop - ABB

1 International standards

Page 4: Dewa Cyber Security Workshop - ABB

Regulations in Europe, US & Qatar

Cyber security regulations


NERC-CIP

– Regulation in USA and Canada

– Utilities have to be compliant with NERC CIP Version 5 by April 1, 2016

Energiewirtschaftsgesetz (EnWG) currently in force

– Implement state-of-the-art security controls

– Report incidents.

EU Directive

– EU wide baseline cyber security obligation approved on July 6th 2016. “Market operators” have adequate technical and organizational security measures in place and report incidents

– National governments have to transpose this EU directive into national laws (end of 2018)

UAE: National Electronic Security Authority (NESA)

– UAE national cyber security standard

– The standard focuses on business continuity and risk management

– Quite similar to ISO27001

Increasing cyber security regulations

Page 5: Dewa Cyber Security Workshop - ABB

Technical & Management Related Aspects

Cyber Security Standards


Technical Aspects

– IEC62351 & IEEE 1686 are mainly relevant for ABB as a manufacturer

– Grid Automation products and solutions have many cyber security features in place to support these standards

Management Aspects

– IEC62443 (former ISA99), NERC-CIP and ISO27000 address the processes of an organization

– Grid Automation service agreements can support the customer to maintain the security

Compliance has various aspects

IEC62443

Page 6: Dewa Cyber Security Workshop - ABB

2 Procedures and processes

Page 7: Dewa Cyber Security Workshop - ABB

Cyber security layered architecture

[Figure: layered security architecture of a substation.]

Components: Network Control Center, Maintenance Center, Firewall, VPN, Gateway, Engineering Workstation, Computer HMI, GPS Time Server, Station LAN, IEC 61850 / Station bus, IEC 61850 / Process bus

Boundaries: Physical Security perimeter, Electronic Security perimeter

Threats shown: Unauthorized Person; Network disturbance, malware, Cyber attacks; Infected Notebook; Infected Mobile data storage USB; Data storm by a Faulty Device

Page 8: Dewa Cyber Security Workshop - ABB

Concept summary

Grid Automation Cyber Security


– ABB proposes the following cyber security approach

– Secure system architecture

– Product and system hardening

– Defence in depth approach to address the cyber security challenges

– Service offering to keep the cyber security over the lifetime

Defence in depth

Page 9: Dewa Cyber Security Workshop - ABB

Cyber security throughout the entire product and system lifecycle

Cyber Security

Product: Design, Implementation, Verification, Release, Support

Project: Design, Engineering, FAT, Commissioning, SAT

Service: Operation, Maintenance, Review, Upgrade

ABB maintains a Secure Development Lifecycle & applies stringent Minimum Cyber Security Rules

Page 10: Dewa Cyber Security Workshop - ABB

Cyber security throughout the entire product and system lifecycle

Cyber Security

[Figure: security activities across the product and system lifecycle.]

Phases: Development, Installation and Testing, Operation

Cycle labels: Prepare, Realise, Verify; React, Detect, Protect

Activities shown: Security Testing (appears twice), Secure design, Secure code, Threat Modelling, Developer Security Training, Secure configuration, Security Policy, System Security Assessment, Project Security Training, Incident Handling, Monitoring & Audits, Security Architecture Maintenance, Patch Management Platform, Backup and Restore, Cyber Security Training

ABB’s Minimum Cyber Security Requirements: Products, Systems, Services

Page 11: Dewa Cyber Security Workshop - ABB

ABB Cyber Security Requirements


Product Security Requirements

Minimum cyber security requirements that must be fulfilled by all ABB products, e.g.

– Device Security Assurance Center Testing (robustness testing++)

– Removal of backdoor accounts and hardcoded credentials

– Malware prevention

– Hardening

– End-user documentation

– Vulnerability Handling

– Patch Management

Project Deployment Requirements

Minimum cyber security requirements that must be fulfilled by all ABB projects, e.g.

– Project security plan

– Training for project employees

– Malware prevention

– Hardening

– Removal of temporary accounts and services

– Patch Management

Service Delivery Requirements

Minimum cyber security requirements that must be fulfilled by all ABB services, e.g.

– Training for service employees

– Protection of user accounts

– Change management

– Malware prevention

– Service infrastructure controls

• Patch management

• Access control

• Data protection

• Logging

• Vulnerability monitoring

• Patch management

• Asset management

• EOL management

• Incident management

• Secure connectivity

Robust minimum requirements

Page 12: Dewa Cyber Security Workshop - ABB

3 Solution overview for Grid Automation

Page 13: Dewa Cyber Security Workshop - ABB

Zones according to IEC 62443

The ABB offering for cyber security

[Figure: substation automation architecture divided into zones, with the cyber security offering per zone.]

Levels: L4 Network Level, L3 Com, L2 Station Level, L1 Bay Level, L0 Process Level

Security Level: L3

Components shown:

– Network Management FOXMAN NMS

– ABB Ellipse Connected Asset Lifecycle Management

– Network Control Center

– Security & Data Management SDM600

– Computer HMI MicroSCADA Pro SYS600

– Gateway SYS600C / RTU500

– Firewall & IDS/IPS, VPN

– AFF66x

– DMZ

– Remote Access

– Firewall NGFW IDS/IPS

– Central Security Workplace incl. SDM600

– IDS Sensor HW appliance

– Ethernet Switch AFS family

– Relion 670/650 Bay control

– Relion 670/650 Protection

– REB5xx Busbar protection

– SAM600 Process bus I/O system

– FOCS Merging unit for AIS optical CT

– CP-MU Merging unit for GIS NCITs

– Communication networks

– RTU500

– FOX615 Multiplexer

– NSD570 Teleprotection

– IEC104, DNP3.0

– Remote Substation

– IEC 61850 / Station bus

– IEC 61850 / Process bus

Cyber Security Offering (bullet groups as shown in the figure):

– Zoning & Perimeter Protection, Secure Communication, Account Management, Malware Protection, Patch Management

– Zoning & Perimeter Protection, Malware Protection, Patch Management, Backup & Recovery, Account Management, Security Logging & Monitoring, System Hardening

– Zoning & Perimeter Protection, Secure Communication, Account Management, Security Logging & Monitoring, Product Hardening

– Zoning & Perimeter Protection, Product Hardening

– Secure Communication (encryption, real time)

Page 14: Dewa Cyber Security Workshop - ABB

Mission Critical Communication Networks


The full spectrum of mission critical communications from generator to grid

ABB mission critical communications portfolio offers long lasting support for utilities and renewables, whilst also delivering on the critical infrastructure requirements and applications

Tropos

Page 15: Dewa Cyber Security Workshop - ABB

System Data Manager SDM600


SDM600 in a nutshell

A comprehensive software solution for automatic management of service and cyber security relevant data across your substations.

See the unseen from a new perspective

Page 16: Dewa Cyber Security Workshop - ABB

Data Management, Cyber Security Management, Service and Maintenance

System Data Manager SDM600

All SDM600 functionality is based on open standards and allows integration of ABB and 3rd party products (except RTU500 specific functionality)

Product overview

– Automatically collect, store and provide evaluation for disturbance recorder files

– Provide centralized User Account Management and security logging

– Retrieve and manage Service and Maintenance relevant data

Functions:

– Disturbance Recorder Data Management

– Disturbance Recorder Data Evaluation

– Central User Account Management

– Tracking Software and Configuration Versions

– Central Cyber Security Logging

– RTU500 Configuration and Firmware File management

Page 17: Dewa Cyber Security Workshop - ABB

Account Management

Substation Automation Cyber Security Offering


– System wide user management

– Role based access control (RBAC) according to IEC 62351-8

– Enforce password policies

– For Relion 670/650 2.1 and newer, Windows PCs, MicroSCADA Pro, RTU500 R12.4 and any RADIUS capable device.

– In accordance with IEC62443, NERC CIP and BDEW whitepaper requirements

Central user account management

Page 18: Dewa Cyber Security Workshop - ABB

Security Logging & Monitoring

Substation Automation Cyber Security Offering


– Store user activities and other security events from IEDs or system level components

– Integration of any device using Syslog protocol (UDP and TCP)

– Integration of Windows computers (converting Windows Event Logs)

– Categorization of unknown events based on rules

– Built in visualization and reporting

– Integrate SDM600 into an existing event logging system

System wide cyber security event logging using SDM600
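
As an added example (not ABB's or SDM600's code), the following Python shows collector-side handling of the Syslog integration and rule-based categorization described in the bullets above: it parses RFC 5424 lines, assigns each event a category, and keeps unmatched events visible for review. The rule set, host names and sample lines are constructed assumptions.

```python
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
SD = re.compile(r"(?:\[(?:[^\]\\]|\\.)*\])+")  # one or more [structured-data] elements

# Hypothetical rules, first match wins; tune them to the devices actually deployed.
RULES = [
    ("login_failure", re.compile(r"(failed|invalid) (login|password)", re.I)),
    ("login_success", re.compile(r"logged in|session opened", re.I)),
    ("config_change", re.compile(r"(configuration|setting|firmware) (changed|written)", re.I)),
    ("account_change", re.compile(r"(user|account) \S+ (created|deleted|locked)", re.I)),
]

def parse(line):
    m = HEADER.match(line.strip())
    if not m or int(m[1]) > 191:          # PRI = facility * 8 + severity, max 191
        return None
    rest, sd = m[7], SD.match(m[7])
    if sd:
        msg = rest[sd.end():].lstrip()
    elif rest.startswith("-"):            # "-" means no structured data
        msg = rest[1:].lstrip()
    else:
        return None                       # malformed: neither SD element nor "-"
    pri = int(m[1])
    return {"facility": pri >> 3, "severity": pri & 7, "host": m[3], "msg": msg}

def categorize(event):
    for name, pattern in RULES:
        if pattern.search(event["msg"]):
            return name
    return "uncategorized"                # kept, so new message types surface for review

def repeated_failures(events, threshold=3):
    fails = Counter(e["host"] for e in events if categorize(e) == "login_failure")
    return sorted(h for h, n in fails.items() if n >= threshold)

# Constructed sample lines (not captured from any real device).
SAMPLE = [
    "<86>1 2020-05-13T08:00:01Z hmi-01 scada 101 LOGIN - User operator1 logged in",
    "<84>1 2020-05-13T08:01:10Z rtu-01 webui 77 AUTH - Failed login for admin",
    '<84>1 2020-05-13T08:01:12Z rtu-01 webui 77 AUTH [origin ip="10.0.0.5"] Failed password for admin',
    "<84>1 2020-05-13T08:01:15Z rtu-01 webui 77 AUTH - Invalid password for admin",
    "<85>1 2020-05-13T09:30:00Z ied-07 cfg - CFG - Configuration changed by engineer1",
    "<14>1 2020-05-13T09:31:00Z ied-07 diag - - - Fan speed nominal",
]
EVENTS = [e for e in map(parse, SAMPLE) if e]
```

Lines that fail `parse` return `None` and should be counted rather than silently dropped, since a device that suddenly emits malformed syslog is itself worth investigating.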

Page 19: Dewa Cyber Security Workshop - ABB

Product & System Hardening

Substation Automation Cyber Security Offering


– Remove unused software and users

• Only needed software, services, tools and users are implemented in the system; everything that is not needed is removed or disabled

– Firewall and anti virus

• Firewall is enabled and configured, anti virus is installed and updated through DMZ server

– Application Whitelisting is configured

– Restricted Users

• Each user has access only to the data and tools that are needed to perform the job

– Patch update

• WSUS Server is installed on the DMZ servers and can update all computers of the system

System Hardening

Page 20: Dewa Cyber Security Workshop - ABB

4 Product features

Page 21: Dewa Cyber Security Workshop - ABB

Cyber security in Relion® 670


Defense in depth

- Through the different releases of the Relion® 670 series we’ve added new security features to the product series

- This enhances the defense in depth for our users

Evolution of 670 series

670 series 1.1

- Local account management

670 series 1.2

- Local account management

- Denial of Service protection

670 series 2.0

- Local account management

- Denial of Service protection

- Secure communication

- Self-signed certificates

- Activity logging

670 series 2.1

- Local account management

- Central account management

- Denial of Service protection

- Secure communication

- Self-signed certificates

- Signed certificates

- Activity logging

670 series 2.2

- Local account management

- Central account management

- Denial of Service protection

- Secure communication

- Self-signed certificates

- Signed certificates

- Activity logging

- Ethernet configuration

- Firewall

- Restore points

Release timeline: 2007, 2010 - 2012, 2014, 2015, 2017 - 2019

Page 22: Dewa Cyber Security Workshop - ABB

5 Services offering

Page 23: Dewa Cyber Security Workshop - ABB

Service Portfolio


Cyber Security Care - Defense in depth, six layers of protection

We are enabling smarter system protection

Security assessment & monitoring

Backup & recovery

Security updates & hardening

Malware protection

Procedures & policies

Perimeter protection

Page 24: Dewa Cyber Security Workshop - ABB

The above needs and challenges have historically been addressed in silos. The total overview and end-to-end control is naturally limited.

Industrial Security Center

Industrial Security Center – A managed Security Service

IT-Department

• Service continuity

• Cyber secure

• Protected Network & Applications

• Regulatory and Standards Compliant

Asset Management & Safety

• Operational Technology

• Business/ operational continuity

• Availability/Reliability

• Safety

• Risk

• Regulatory compliant

• Digitalized

Physical Security

• Limit risks to people

• Business/ operational continuity

• Protect values

• Compliance

Security needs in the Power Networks sector differ across domains

Page 25: Dewa Cyber Security Workshop - ABB

Target Solution Industrial Security Center

Industrial Security Center

Industrial Security Center – A managed Security Service

Support the Power Network sector to fulfill security regulations, and manage the new total security threat in a more effective manner both regarding time & cost

A Global Security Partnership for the Power Network sector:

OT Operation

Cyber Defence

Physical Security

Ambition is to improve the total industrial security

Physical

Cyber

OT

IT

SOC

Partners

Page 26: Dewa Cyber Security Workshop - ABB

An Integrated Managed Detection and Response Service for Critical Assets

Industrial Security Center

Industrial Security Center – A managed Security Service

Physical Security Services: Physical Access Control, Physical Intrusion Detection, Video Surveillance, Remote Perimeter Protection, Drone Detection

Asset Risk Assessment: Asset Inventory Service, Network Vulnerability Assessment, Physical Security Assessment, Safety Assessment, OT-check

Cyber Security Services: Continuous Vulnerability and Behavioral Analysis, OT IDS, OT/IT Health Monitoring, Threat Intelligence

Domains: OT domain, Physical domain

AC substation

Detect

Respond

Security Center

Page 27: Dewa Cyber Security Workshop - ABB

Customer reference: vertically-integrated power utility, UK

Cyber Security Assessment


During a cyber security workshop with key technical and management people, cyber security improvements were identified

ABB solution: Cyber security workshop and assessment

Improve cyber security of the system and keep the system up to date

Customer requirement

– Create security zones between control center and substations

– Update existing XP computers

– Install antivirus + application white listing

– Harden all computers

– Update RTUs to the latest version

– Maintain the security of the system

ABB solution

Page 28: Dewa Cyber Security Workshop - ABB

ABB Grid Integration solutions help to balance the demand created by new electricity consumers entering ports with traditional and renewable power generation by enabling a stronger, smarter and greener port grid.

Patrick Fragman, Managing Director, ABB, Power Grid, Grid Integration

– Cyber security requests have increased

– ABB Grid Automation has an end to end offering

– A large number of security features are available in the products and solutions

– A service offering is available to keep the security level over the lifetime

Cyber Security Summary

End to end solution for Grid Automation

Cyber security isn’t a single problem, with one solution. It’s an on-going battle, and ABB provides a range of products and services that can help protect your network, and the equipment connected to it from the evolving threats emanating from the world.

Page 29: Dewa Cyber Security Workshop - ABB