communications and cyber security...oct 03, 2017 · •communication technology plays a key role...
TRANSCRIPT
Satya Gupta
Head(IT) & CISO
Tata Power Delhi Distribution Ltd
Communications and Cyber Security
10th March’2017
Tata Power-DDL BUSINESS OVERVIEW
Licensed for distribution of power in North and North West Delhi
Certifications : ISO 9001, 14001, 27001, 22301, 31000, SA 8000 & OHSAS 18001
Joint Venture of Tata Power Company and Govt. of NCT of Delhi (51: 49)
ParameterValues(Jul'02)
Values(Mar'16)
AT&C Loss 53.10% 8.88%
Annual Energy Requirement
970 MW 1791 MW
Total Registered Customers 7 Lakhs 15.3 Lakhs
Number of Employees 5600 3525
Area 510 SQ KMS
Turnover INR 6174 Crs
3
Current scenarioWhat TPDDL had inherited
Multi-pronged approach adopted by Management to turnaround a traditional Government setup into a role model for private sector efficiency in only 10 years
• AT&C losses: > 50%
• No concept of consumer service and IT interface
• Lack of performance orientation
• Electricity supply system on the verge of collapse
• AT&C losses: 8.88 %
• One stop solution: State-of-the-artIntegrated Call Centers & ConsumerCare Centers
• Performance orientationthrough Change Management & Balanced Scorecard Approach
• Remarkable improvementin System Reliability: DT losses <1%
TPDDL Turnaround Story-Brief Snapshot
Parameter UoM 2002-03 2016-17AT&C Losses % 53.1 8.88%
System Reliability – ASAI % 70 99.9%
Number of Employees Nos. 5600 3530
Number of Consumers Mln 0.7 1.6
Vision 2022
Industry’s Shift Towards Smart Grid
Power Sector’s move towards Smart Grid Practices has resulted in steep rise in adoption of various advance IT & OT technologies.
• Communication technology plays a key role in the implementation of various Smart Grid Technologies.
• Robust Cyber Security practices are required to ensure all systems & services are up and running(24X7).
Communication a Key Enabler of “Smart-Grid”
• Smart Grid requires a robust and a two-way communication system.
• Applications like AMI, ADR, ADMS etc.. requires information to communicated on a real time basis.
• Communication system acts as the cornerstone for successful implementation of various Smart Grid applications.
• Any failure in ensuring an effective communication system will have severe impact on reliability and services.
TPDDL Communication System: Objectives
TPDDL established its Communication Network (in FY 2004-2005) across its area of operation ; to
support
Operational applications like SCADA/ Tele-protection / GIS /OMS/
Commercial and Billing applications
Enterprise applications – SAP CRM/ SAP BCM/SAP ERP , e-mail etc.
TPDDL has upgraded its Communication Network to TP-MPLS (in FY 2014-2015) ; to
support
forthcoming Smart grid applications such as AMI, EV charging stations, MWM, ADR and Integrated security solution etc.
TP-DDL Communication Landscape
The Communications “landscape” consists of laying its own OFC
network covering all main offices, data-centers, stores, district
offices and Zonal Offices.
Redundant Communication Network
RG-3 SUB Ring 1STM 4Σ2
2
2 2
2
2
Σ
Σ
RG-5
PUSA ROAD
RANIBAGH GRID
Saraswati garden
NARAYANA PH-I
CORE RINGSTM 16
FIBER RING - TPDDL
RANIBAGH CCC
NEW ROHTAK ROAD
ΣΣ
Σ
Σ
Σ
ΣΣ Σ
Σ
Σ
Σ Σ
Σ
Σ
ΣΣ
Σ
Σ
Σ
Σ
Σ
Σ
Σ
2
Σ
Σ2
Σ
Σ
Σ
Σ
Σ
WZP-II
INDER VIHAR
AZAD PUR
WAZIRABAD
CIVIL LINES
SARASWATI GARDEN
PANDU NAGAR
VSNL
S PARK
KESHAV PURAM DO
ROHTAK ROAD
RAM PURA
TRI NAGAR
ASHOK VIHAR H BLOCK CCC
GULABI BAGH SHEHJADA BAGH
SHAKTI NAGAR DO
GTK Grid
SHALIMAR BAGH
PITAM PURA DO
PP III
PP II
MGP-II
INDER PURIHUDSON LINES
WZP-I
ASHOK VIHAR GRID
MGP-1
Σ2
RG-IVRG-22
RG-23
BAWANA GRID-6
POOTH KHURD GRID
BAWANA WATER WORKS and Bawana DO
DSIDC A7, NARELA
DSIDC1 NARELA
RG-1
PP-1
HDR’PUR
SGTN
JAHANGIR PURI
AIR KHAMPUR
BADLI
RG-6
RG-II
Fiber Sub RingFiber Main Ring
Σ Grids2 Enterprise DATA Σ2 Enterprise and Grid
VSNL VSNL Gateway for internet
RAMA ROAD
Σ
Σ2
Σ2
Σ2
Σ2
Σ2
2NARELA DO
DSIDC2 NARELA
SUB Ring 3STM 4
SUB Ring 2STM 4
SUB Ring 4 STM 4
SUB Ring 5STM 4
OFFICES
TRANSCO Grid
Stations
Sub Transmission
Grid Stations
Distribution
Stations
CUSTOMERS
SCADA/ DMS/DA
SAP-ISU
(CRM/BILLING)
SAP
(PM/PS/MM/HR/FICO)
GIS
Call Centre
OMS
AMR/PG/SPT BILL
WEBDATA
CENTER
ONE
DATA
CENTER
TWO
COMMUNICATION NETWORK
ISO 9001, ISO 27001 & BCMS (ISO 22301:2012) certified
Adoption of Technology
Integrated Communications Architecture
Home
Network
Meters &
Premise
Gateways
Access
Communication
AMI Mgmt
System
Home /CustomerNetwork
Local
Field CommsNeighborhood
AggregationT&D
Management
System
Monitoring,
DA
Utility Wide
Comm.Web
Access
Back Haul
Communication
Back-Office
& Operational
SystemsExternal
Data Access
3rd Parties
Customers
Field Crew
Distribution Equipment
200kW Phosphoric Acid Fuel Cell
The power plant in
Santa Clara is rated
at 1.8 MW AC net
It contains more
than 4,000 cells
$2000-3000/kW
DG
T&D Equipment
Control & Monitoring Centers
Monitoring
SA, DA
Field
Workforce
Automation
PEV
Monitoring
AMI
WiFi, WiMax, PLC, RF Mesh,
GSM, CDMA
Zigbee, Bluetooth,
HomePlugMicrowave,
SDH,MPLS,MPLS-TP, CE
Internet, HTTPS,
VPNEthernet LAN
• Mail service on mobile and web(External/Internal)
• Website• Consumers accessing connection, reading, bill, payment details,etc.
• On line bill payment
• SMS services for consumers
• E-procurement
• Smart Grid Applications require to communicate with various field based devices
• IT & OT Integration for enhancing consumer experience
• FFA for improving field based operations
Cyber Security-Vital for Survival
Cyber Security Challenges
• Highly exposed and distributed environment
• Technology Obsolescence
• Separate IT & OT Verticals with limited coordination
• Less awareness about cyber security practices among OT team members
• Cyber Security not considered during fundamental design phase
• Fast and constantly evolving nature of security risks
• Ever evolving standards, technologies, services, applications
• Increasing complexity of systemsMobile & Wireless EverywhereHeterogeneous SystemsMultiple Interfaces
Cyber Security for Smart Grid
• Change in traditional scenario
• Grid automation systems use public networks due to lower costs
• Increases the vulnerability of grids to cyber attacks
Field components like RTU are attacked through remote access
Using communication protocols available in public domain, an intruder can reverse engineer the data acquisition protocols & exploit them
Network topology vulnerability is exploited e.g. DOS attack
Classification of Attacks
ComponentWise
ProtocolWise
TopologyWise
Strategies to detect & Mitigate
• Network Segmentation
− Effective network segmentation restricts communication between networks and reduces the extent to which an
adversary can move across the network
• Strict Role-Based Access Control
− Grants or denies access to resources based on job function
− Active Directory (AD) implements role-based user access control through group policies.
• Application Whitelisting
− Permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else
− Eliminates the execution of unknown executable, including malware
Multiple Layers of Security
• Firewall based security
• Intrusion Detection System
• Threat Management Gateway(Proxy Server)
• Demilitarized zone for all public portals
• Single sign-on
• Secure tunnel via two factor authentication for Remote Access
• Vulnerability assessment & Penetration Testing
Operationalizing Information Security
• Regular Review meeting of Information Security Council (ISC) for identifying new risks, mitigating them
and discussing Incidents
• Involvement of Top Management
• Cyber Security Awareness through TIPS, Quiz, sessions etc.
• Involvement of all major departments like OT, HR, Finance, Administration, Safety, Legal, etc. in Council
• Annual Plan for review and implementation -
- Review and update processes
- Focus on creating awareness on IT Security
- DR Drill at regular intervals
- Pro-active approach before implementing any new solution
• System driven implementation of various policies – Password & patch management, anti-virus, etc
Cyber Security Control Room
• EMS, NMS and SIEM generates huge logs.
• Cyber Security Control Room required for real time monitoring and analysis to decide and quickly take preventive and corrective actions in case of any event / incident and activating Emergency Response Team, if required
MUX
SAP/R3 Application servers
Database Servers
Websense
Ironport
Mailbox
Exchange server
ISP router (CENNET)
ISP
Local LAN for CENNET
Crystal Reports
CHECKPOINT(4800 series)
DMZ
6509 Switch
4507 Switch
Enterprise Router
SCADA Router
OMS Switch
OMS ServersSCADA Servers
SCADA Switch
IT Network OT Network
DC1 Segregation of IT & OT
ISA
IT – OT Technology Segregation at DCs
19
Risk Mitigation
• Penetration Testing followed by Grey Box testing, through CERT approved agency forall portals on public domain e.g. Website, Customer Portal, E-tendering, etc. toensure that
- Public portals are Secured to avoid hacking.
- Consumer data remains confidential.
• Training team members to develop secure web enabled S/W’s• Robust Change Management Process for H/W & S/W• Pro-active approach for Security of System before implementing any new solution in
both IT & OT side
Best Practices at TPDDL
• ISO 27001 certification for both IT & OT Systems• HR directly activates and de-activates mail-ids on joining and separation• Revalidation of User ids, VPN access specially for critical roles or discontinuation
of BA services• Regur DR Drill for all critical applications, network, electrical equipment's, etc.• n-1 for all elements i.e. IT Infra, Communication, Data Center, Application and
Manpower• Use of BitLocker Drive Encryption to protect hard disk on laptops to protect
Enterprise Data• Security Incidents handled by Information Security Council• Measurement of Information Security parameters through Departmental
Balanced Score Card
3/16/201721
“THANK YOU”