Four Layers of Smart Grid Security


Four Layers of Smart Grid Security
Session: Energy Cybersecurity II
Ernie Hayden CISSP CEH
Managing Principal – Critical Infrastructure Protection/Cyber Security
Verizon Risk Team
Feb 13, 2013
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
• Smart Grid Security: Who’s Worried and Why?
• “Layers” of Concern
– Physical Layer
– Cyber Layer
– Privacy Layer
– Storage Layer
• Just What To Do?
• Question & Answer
• Acknowledged by:
– European Network and Information Security Agency (ENISA)
– National Institute of Standards and Technology (NIST)
– North American Electric Reliability Corporation (NERC)
– Department of Homeland Security (DHS)
– Department of Energy (DOE)
– Federal Energy Regulatory Commission (FERC)
– Government Accountability Office (GAO)
– Selected Nations and US State Public Utility Commissions
• Increasing Complexity of the Grid
• Interconnected Networks Can Introduce Common Vulnerabilities
• Increasing Vulnerabilities to Communications
• Introduction of Malicious Software
• Increased Number of Entry Points and Paths for Potential Adversaries to Exploit
• Potential for Compromise of Data Confidentiality, Including Breach of Customer Privacy
[Figure: the four layers – Storage, Physical, Privacy, Cyber]
• Natural Disasters
– Snow Storms
– Hurricanes
– Solar Flares
– Geomagnetic Storms
– Earthquakes
– Flooding
– Volcanoes
• Recognize that the Location of Smart Grid Components Can Be Affected by the Surrounding Environment
• US Case – Overheating Meters
• The Biggest Opportunity for Trouble
• “The Last Mile” Issues
• Remember – Added Complexity Causes Concerns
• Broadband Power Line Systems
• Power Line Carrier Systems
• Public Switched Telephone Network (PSTN)
• Cat5/6 Network Connection
• Radio Frequency
– WiMax
– ZigBee
– 6LoWPAN
– 802.11x
– Cellular (CDMA/EVDO, GSM, LTE)
• Remember C I A
– Confidentiality Attacks
• Reading, “Sniffing” the Data
– Integrity Attacks
• Changing the Data
– Availability Attacks
• Denial of Service – Prevent Use of Service
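As an added illustration (not from the presentation itself), the Python program below shows what the Integrity and Availability rows of this slide mean for a head-end system collecting 15-minute meter reports: each report carries a sequence number and an HMAC-SHA256 tag, so a changed value is rejected (integrity), a replayed report is flagged, and dropped reports or a meter that goes silent raise an availability alert. The meter ID, key, timestamps and kWh values are constructed sample data; the Confidentiality row (sniffing) would additionally need an encryption layer, which is not shown here.

```python
"""Receiver-side checks for a stream of smart-meter reports.

Added example, not part of the presentation. It covers the slide's Integrity
attack (changed data) and Availability attack (missing reports); the
Confidentiality attack (sniffing) would need encryption on top of this.
All keys, meter IDs, timestamps and kWh values are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed per-meter shared key; in a real deployment it is provisioned
# per device, never shared across the fleet.
METER_KEYS: Dict[str, bytes] = {"meter-0001": b"constructed-demo-key-0001"}

READ_INTERVAL_S = 15 * 60  # the deck's "every ~15 minutes" reporting cadence


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so meter and head-end MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_report(meter_id: str, seq: int, ts: int, kwh: float, key: bytes) -> dict:
    """Meter side: a reading with sequence number, timestamp and HMAC-SHA256 tag."""
    body = {"meter_id": meter_id, "seq": seq, "ts": ts, "kwh": kwh}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_report(report: dict) -> bool:
    """Head-end side: recompute the tag over every field except the tag itself."""
    key = METER_KEYS.get(str(report.get("meter_id", "")))
    if key is None:
        return False  # unknown meter: nothing to verify against
    body = {k: v for k, v in report.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(report.get("tag", "")))


def process_stream(reports: List[dict], now_ts: int, first_seq: int = 1) -> Tuple[List[dict], List[str]]:
    """Accept authentic, in-order reports; return them plus one alert per anomaly.

    Alert prefixes: INTEGRITY (tag mismatch), REPLAY (sequence already seen),
    AVAILABILITY (sequence gap or prolonged silence).
    """
    accepted: List[dict] = []
    alerts: List[str] = []
    next_seq = first_seq
    last_ts: Optional[int] = None
    for r in reports:
        seq = r.get("seq")
        if not verify_report(r):
            # Integrity attack: the body no longer matches its tag, so the
            # value cannot be trusted for billing or grid operations.
            alerts.append(f"INTEGRITY seq={seq}: tag mismatch, report discarded")
            continue
        if seq < next_seq:
            alerts.append(f"REPLAY seq={seq}: sequence already accepted")
            continue
        if seq > next_seq:
            # Availability: reports were dropped or blocked on the last mile.
            alerts.append(f"AVAILABILITY gap: expected seq {next_seq}, got {seq} ({seq - next_seq} missing)")
        accepted.append(r)
        next_seq = seq + 1
        last_ts = r["ts"]
    # Availability: a meter that has gone quiet for more than two intervals.
    if last_ts is not None and now_ts - last_ts > 2 * READ_INTERVAL_S:
        missed = (now_ts - last_ts) // READ_INTERVAL_S
        alerts.append(f"AVAILABILITY silence: ~{missed} intervals without an authenticated report")
    return accepted, alerts


def demo_stream() -> Tuple[List[dict], int]:
    """Constructed traffic: one good report, one tampered, one dropped, one replayed."""
    key = METER_KEYS["meter-0001"]
    t0 = 1_360_800_000  # constructed epoch timestamp
    r1 = build_report("meter-0001", 1, t0, 12.5, key)
    r2 = build_report("meter-0001", 2, t0 + READ_INTERVAL_S, 12.8, key)
    r2["kwh"] = 0.1  # integrity attack: value altered after tagging
    # seq 3 never arrives (dropped or blocked)
    r4 = build_report("meter-0001", 4, t0 + 3 * READ_INTERVAL_S, 13.4, key)
    now_ts = t0 + 8 * READ_INTERVAL_S  # head-end clock: meter silent for 5 intervals
    return [r1, r2, r4, dict(r4)], now_ts


def run_demo() -> Tuple[List[dict], List[str]]:
    reports, now_ts = demo_stream()
    return process_stream(reports, now_ts)


if __name__ == "__main__":
    accepted, alerts = run_demo()
    print(f"accepted {len(accepted)} report(s)")
    for a in alerts:
        print(a)
```

On the constructed stream the head-end accepts two reports (seq 1 and 4) and raises four alerts: one INTEGRITY, one AVAILABILITY gap, one REPLAY, and one AVAILABILITY silence. A MAC alone cannot stop denial of service; what it gives the operator is the ability to tell an outage or jammed link apart from a forged report, which is why the sequence and silence checks sit beside the tag check.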
http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf
• Very Emotional Discussion
• State of California
– Smart Grid and IOU’s
• Theoretical Impacts
• But…Demographic Data has Value
http://www.baystatetech.org/graphics/major-app.jpg
Today’s Environment → The Future Smart Grid
– Analog Meters or Simple Digital Meters → “Smart” Digital Meters & “Smart” Sensors
– Manually Read or Use “Drive By” Reading → Automatic Reading
– Read Monthly (or Less Frequently) → Read Every ~15 Minutes or More Frequently
– Minimal Data Accumulation; Simple Data Fields – KWH Used Since Last Reading → “Data Avalanche!” – Numerous Data Fields and Classes
Image credits: Microsoft Clip Art Online; E N Hayden (used with permission); www.smartgridnews.com
• Lux Research: Utilities Will Manage 9x Their Current Data if They Go to Smart Grid (Boston: Jan 26, 2011)
• Types of Data from Smart Meters
– Broadcast Data
– Billing Interval Data
– Detailed Consumption Data
– Aggregate Statistical Data
• Predictions
– Prediction for U.S. by 2019: 100M Meters → 100 Petabytes generated during the next 10 years (West Coast Utility)
– Utilities spent $356M on Smart Grid data analytics tools in 2010 → $4.2B in 2015 (Pike Research)
– 300 TB per year of meter data by 2012 (Southeast U.S. Utility) (as of 2011)
1 Petabyte is 1000 Terabytes!
http://obiblog.files.wordpress.com/2008/08/datapic.jpg
• #1: Start with the NISTIR 7628 and ENISA
• #2: Begin with Security in Mind
• #3: Work with Your Meter Vendors
• #4: Establish Incident Response Team and Practice
• #5: Include Security Experts in Design, Build and Operate Phases
• #6: Have a Dedicated Security Team for SG
• #7: Monitor Regulations Affecting the SG
• #8: Ensure Code Includes Security (Ref: OWASP)
• #9: Beware of Remote Connections
• #10: Ultimate Job: Protect the Data!
Ernie Hayden CISSP CEH
Managing Principal
Critical Infrastructure Protection/Cyber Security
Verizon Risk Team
+1 206-458-8761
[email protected]