NERC CIPC March 16, 2006 Roadmap to Secure Control Systems in the Energy Sector U.S. Department of Energy Office of Electricity Delivery and Energy Reliability.

NERC CIPCMarch 16, 2006

Roadmap to Secure Control Systems in the Energy Sector

U.S. Department of EnergyOffice of Electricity Delivery and Energy Reliability

Hank Kenchington202-586-1878

[email protected]

CIPC Confidentiality: Public Release

SCOPEDOE multi-laboratory program jointly managed and executed by INL and SNL (other partners include PNL, ANL, NIST, other contractors)

Key program areas:

– Assess and mitigate SCADA system vulnerability

– Support development of security standards

– Develop and test advanced secure control systems technology

– Conduct outreach and awareness

INL

NIST

SNL

PNL

OBJECTIVESupport industry and government efforts to enhance control systems cyber security across the energy infrastructure

National SCADA Test Bed

Key Activities:

1. SCADA System Assessments - ABB, AREVA, GE, Siemens

2. Provided cyber security training to over 400 end-users

3. Evaluated use of COTS IT antivirus and firewall tools in control systems

4. Working closely with electricity sector, developed mitigation strategies for “top 10” vulnerabilities

5. Conducting performance testing and cryptographic analysis of AGA 12

6. Evaluated and cataloged existing SCADA Standards

National SCADA Test Bed

Results:1. New “hardened” SCADA systems now being deployed

2. Software patches developed by vendors and supplied to end-users to better secure existing systems

Enhanced SCADA systems in market

Enhanced SCADA systems are being deployed…TODAY

VendorVendor

“Public”Test

Reports

SystemPatches

Asset OwnersAsset OwnersEnhanced SCADA/Control

Systems

Test Direction

“Proprietary” Test

Reports

National SCADA Test Bed

National SCADA Test Bed

SCADA/ ControlSystems

Lots of activities…but no coordination

DHS S&T SBIR

projects

DHS S&T SBIR

projects

DHS NCSD Cyber Security

Test Bed

DHS NCSD Cyber Security

Test Bed

NIST Process Control Security Requirements

Forum

NIST Process Control Security Requirements

Forum

DHS Process Control

Systems Forum

DHS Process Control

Systems Forum

NSF R&D projects

NSF R&D projects DOE National

SCADA Test Bed

DOE National SCADA Test

Bed

DOE Critical Infrastructure Test Range

DOE Critical Infrastructure Test Range

EPRI EIS projects

EPRI EIS projects

AGA 12 Standard

AGA 12 Standard

NERC Standards & Guidelines

NERC Standards & Guidelines

DHS I3P SCADA

DHS I3P SCADA

FERC projects

FERC projects

DODTSWG

DODTSWG

Roadmap Process

Create Steering Group

Create Steering Group

Conduct Roadmap Workshop

Conduct Roadmap Workshop

Prepare Technology Roadmap

Prepare Technology Roadmap

Implement Roadmap

Implement Roadmap

Guide Roadmap

Development

Identify Needs and Priorities

Integrate into Plans

Initiate Projects and Partnerships

• Trends & Driver

• Challenges &Barriers

• Priorities

• Action Plans

We Are

Here!

Roadmap Steering Committee

Asset Owners and Operators• Tom Flowers - CenterPoint Energy

(electricity)• Linda Nappier – Ameren (electricity)• Al Rivero – formerly w/Chevron (oil and gas)• David Poczynek – Williams Co. (oil and gas)• Tom Frobase – TEPPCO (oil and gas)• Michael Assante – formerly w/AEP and IEIA

Forum

Industry Organizations• Bill Rush – GTI• Lisa Soda – API• Kimberly Denbow – AGA• Gary Gardner – AGA• Tom Kropp - EPRI

Government• Doug Maughan – U.S. DHS• Hank Kenchington – U.S. DOE• David Darling – Natural Resources Canada

Researchers (National Laboratories)• Tommy Cabe – Sandia National Laboratories• Jeff Dagle – Pacific Northwest National

Laboratory• Bob Hill – Idaho National Laboratory

Roadmap Scope

Time Frames• Near: 0-2 yrs.

• Mid: 2-5 yrs.

• Long: 5-10 yrs.

Sectors- Electricity - Oil - Gas - Telecom (supporting)

People

Processes Technology

Potential Solutions

See: www.controlsystemsroadmap.net

Workshop Participants

• Led by energy sector owners and operators

• Includes representatives from electricity, oil, gas, telecom industries

• Engages a cross-section of stakeholders and experts

IndustryOrganizations

CommercialSuppliers

Asset Owners and Operators

Government & Labs

3015

87

ControlSystems,

15

Business and Security, 10

Operations, 5Target Participants

Roadmap Framework

VisionIn 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function.

Key Strategies1. Measure and assess security posture

2. Develop and integrate protective measures

3. Detect intrusion and implement response strategies

4. Sustain security improvements

Develop andIntegrate Protective

Measures

Develop andIntegrate Protective

Measures

Detect Intrusion and Implement

Response Strategies

Detect Intrusion and Implement

Response Strategies

Sustain SecurityImprovements

Sustain SecurityImprovements

Measure and Assess Security

Posture

Measure and Assess Security

Posture

MilestonesMilestonesMilestones MilestonesMilestonesMilestones MilestonesMilestonesMilestones MilestonesMilestonesMilestones

♦ 50% of asset owners and operators performing self-assessments of their control systems using consistent criteria (2008)

♦ Secure connectivity between business systems and control systems within corporate network (2009)

♦ Cyber incident response is part of emergency operating plans at 30% of control systems (2008)

♦ Resolve major info protection and sharing issues between U.S. govt. and industry (2006)

♦ Fully automated security state and common response of control system networks (2015)

♦ Secure control system architectures produced with built-in, end-to-end security (2015)

♦Self-configuring control system network architectures are in production (2015)

♦ Cyber security awareness, education, and outreach programs integrated into energy sector operations (2015)

time

Next Steps• Work with Sector

Coordinating Councils to develop Roadmap Implementation Forum

• Use results to coordinate activities of government, academia, and private sector to align with roadmap

• Use roadmap to guide DOE control systems security program activities

Government

Researchers

IndustryOrganizations

Asset Owners& Operators

Commercial Entities

See: www.controlsystemsroadmap.net

ENDUS Department of Energy

Office of Electricity Delivery and Energy Reliability

Hank [email protected]

202-586-1878