![Page 1: In a grid operator’s security trenches · ISO27002:2013 - 13.1.3 Segregation in networks Control Groups of information services, users and information systems should be segregated](https://reader033.vdocuments.us/reader033/viewer/2022041603/5e323eb6f72ccd75176a242d/html5/thumbnails/1.jpg)
In a grid operator’s security trenches
From Comic Sans to Common Sense
~/$ whoami
Ing. Erwin Kooi, MSIT CISSP SCP RCX …
Information Security Architect at Alliander, IT Asset department
Primary focus on ICS and “new developments”
Background in healthcare IT and energy IT
[email protected], PGP key 0x45914eee
Nerd creds: µControllers (AVR FTW!), 3D printing, FreeBSD,
lockpicking, Club Mate, hedgehogs and no Oxford comma.
(slide background: a modular-exponentiation derivation, not legible after extraction)
~/$ su - rik
Rik van Hees
Information Security Architect at Alliander, IT Asset department
Primary focus on ICS and “new developments”
Background in substation automation and energy IT
Cyber-Security
Deploying advanced cybersecurity measures within next generation SCADA systems whilst preserving functionality, flexibility and integration with other systems
What is security?
Alliander resilience vision*:
Alliander is a resilient organization capable of anticipating and responding to a range of threats against its mission
Alliander security mission:
Protecting the mission of Alliander and its stakeholders by securing our crown jewels against (intentionally caused) damage through human actions
* Underwriting the WEF resilience principles
ISO27002:2013 - 13.1.3
Anyone?...
ISO27002:2013 - 13.1.3
Segregation in networks
Control
Groups of information services, users and information systems should be
segregated on networks.
Implementation guidance
One method of managing the security of large networks is to divide them into
separate network domains. The domains can be chosen based on trust levels
(e.g. public access domain, desktop domain, server domain), along
organizational units (e.g. human resources, finance, marketing) or some
combination (e.g. server domain connecting to multiple organizational units).
The segregation can be done using either physically different networks or by
using different logical networks (e.g. virtual private networking).
[…]
ISO27002:2013 - 13.1.3
So we went ahead and did it…
TL;DR
Good segmentation is much, much more than just adding a firewall
Ukraine-type attacks proved us right.
IT/OT integration: Share knowledge, not servers
NIST Smart Grid Framework 2.0 (simplified model, US centric)
Resilient households
IT/OT Integration
Still 2 domains with integration on an information level, but
• No unsolicited connections into OT domain
• No direct Internet connectivity into OT domain
• No remote connectivity into OT domain, unless emergency.
• Management of the domain is located within the domain
• Also $vendor has to come on-site or it has to be life-and-death
• Enforcement is done by separate team
• No dependency on other domains for mission-critical operation
• No unnecessary intra-domain communication
• Zoning and sub-zoning
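The rules above can be written down as an ordered policy and checked against connection records. The following is an added example, not code from the slides or from Alliander: the zone names ("OT", "IT", "INTERNET"), the purpose labels and the emergency flag are assumptions made for the example; the slides only state the rules. The order of the checks matters, since the one exception (emergency remote access) must not be able to override the Internet rule or the management rule.

```python
"""Added example, not from the slides: a minimal evaluator for the IT/OT
integration rules listed above, run over constructed connection records.

Zone names ("OT", "IT", "INTERNET"), the purpose labels and the emergency
flag are assumptions made for this example; the slides only state the rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src_zone: str            # zone whose host initiates the session
    dst_zone: str            # zone that receives it
    purpose: str             # "data", "management" or "remote-access" (assumed labels)
    emergency: bool = False  # declared life-and-death situation (assumed flag)


def evaluate(conn: Connection) -> tuple[bool, str]:
    """Return (allowed, reason). Rules are checked from most to least strict,
    so the one exception (emergency remote access) cannot override the
    Internet rule or the management rule."""
    into_ot = conn.dst_zone == "OT" and conn.src_zone != "OT"

    # No direct Internet connectivity into (or out of) the OT domain, ever.
    if "INTERNET" in (conn.src_zone, conn.dst_zone) and "OT" in (conn.src_zone, conn.dst_zone):
        return False, "no direct Internet connectivity for the OT domain"

    # Management of the OT domain is done from within the OT domain.
    if into_ot and conn.purpose == "management":
        return False, "OT is managed from within OT only"

    # No remote connectivity into OT, unless it is an emergency.
    if into_ot and conn.purpose == "remote-access":
        if conn.emergency:
            return True, "remote access permitted: declared emergency"
        return False, "no remote connectivity into OT outside an emergency"

    # No unsolicited connections into OT: anything else inbound is denied.
    # Data leaves OT on OT's own initiative (store-and-forward towards IT).
    if into_ot:
        return False, "unsolicited inbound connection into OT"

    return True, "permitted"


def audit(conns: list[Connection]) -> dict[str, list[str]]:
    """Group connection records by verdict, with the reason for each one."""
    report: dict[str, list[str]] = {"allowed": [], "denied": []}
    for c in conns:
        allowed, reason = evaluate(c)
        label = f"{c.src_zone}->{c.dst_zone} ({c.purpose}): {reason}"
        report["allowed" if allowed else "denied"].append(label)
    return report


# Constructed sample connections, one per rule on the slide.
SAMPLE = [
    Connection("OT", "IT", "data"),                           # OT pushes data out: fine
    Connection("IT", "OT", "data"),                           # unsolicited inbound: denied
    Connection("INTERNET", "OT", "data"),                     # denied, no exception
    Connection("IT", "OT", "management"),                     # denied: manage from inside OT
    Connection("IT", "OT", "remote-access"),                  # denied: no emergency declared
    Connection("IT", "OT", "remote-access", emergency=True),  # the one exception
    Connection("OT", "OT", "management"),                     # intra-domain management: fine
]

if __name__ == "__main__":
    for verdict, items in audit(SAMPLE).items():
        print(verdict)
        for item in items:
            print("  ", item)
```

The evaluator is deliberately direction-based: whether a session is acceptable depends on which zone initiated it, which is also what makes "no unsolicited connections" enforceable at a stateful boundary rather than as a wish.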
“Zoning” and “Siting”
Zoning: Build stand-alone supporting infrastructure and its processes
• Physical network (switches/routers/firewalls)
• Time synchronization
• Authentication/authorization
• Information exchange with IT
• Logging
• …
Siting: Place the applications in their new zones
• Telephony
• EMS/DMS
• Element managers
• …
“Zoning” and “Siting”
Worst case scenario grid operation: “rebuild the grid from a cold start”
Which services are a must have? (we identified eight, they are in scope for OT)
• Identify dependencies on supporting infrastructure (are they still there, or else add them to the pizza bottom)
Which services are a should have?
• Discuss if they should be included in the scope
Which services are a nice to have?
• Move them to the IT domain and build for degraded operation
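The must / should / nice triage above is a dependency analysis, and the part that bites is transitive: a must-have service that quietly depends on something tagged nice-to-have drags an IT-domain component into the cold-start path. The following is an added example, not code from the slides or from Alliander, that runs that analysis over a constructed service catalogue; the service names, tiers and dependency edges are made up for the example (the eight real must-haves are not named on the slide).

```python
"""Added example, not from the slides: the "cold start" dependency analysis
described above, run over a constructed service catalogue.

Every service is tagged must / should / nice and lists what it depends on.
The service names, tiers and dependency edges are made up for this example;
the slides only give the method (the eight real must-haves are not named).
"""
from collections import deque

# name -> (tier, direct dependencies); constructed sample catalogue
SERVICES = {
    "network":        ("must",   []),
    "time_sync":      ("must",   ["network"]),
    "auth":           ("must",   ["network", "directory"]),
    "telephony":      ("must",   ["network", "auth"]),
    "scada_dms":      ("must",   ["network", "time_sync", "auth", "historian"]),
    "directory":      ("should", ["network"]),
    "logging":        ("should", ["network", "time_sync"]),
    "historian":      ("nice",   ["network", "data_warehouse"]),
    "data_warehouse": ("nice",   ["network"]),
    "analytics":      ("nice",   ["data_warehouse", "auth"]),
}

TIER_RANK = {"must": 0, "should": 1, "nice": 2}


def closure(name, services=SERVICES):
    """Transitive dependencies of one service (itself excluded); cycle-safe."""
    seen, queue = set(), deque(services[name][1])
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(services.get(dep, ("unknown", []))[1])
    return seen


def cold_start_scope(services=SERVICES):
    """The pizza bottom: every must-have plus everything it transitively needs."""
    scope = set()
    for name, (tier, _) in services.items():
        if tier == "must":
            scope.add(name)
            scope |= closure(name, services)
    return scope


def weak_links(services=SERVICES):
    """For each must-have, its dependencies tagged below 'must'. Each is
    either promoted into OT scope or the must-have is built to run in
    degraded mode without it; a dependency on a nice-to-have is the case
    that would otherwise silently pull an IT-domain component into OT."""
    out = {}
    for name, (tier, _) in services.items():
        if tier != "must":
            continue
        weaker = sorted(
            d for d in closure(name, services)
            if TIER_RANK.get(services.get(d, ("unknown", []))[0], 3) > TIER_RANK["must"]
        )
        if weaker:
            out[name] = weaker
    return out


if __name__ == "__main__":
    print("OT scope:", sorted(cold_start_scope()))
    for svc, deps in weak_links().items():
        print(f"{svc} depends on non-must services: {', '.join(deps)}")
```

In the constructed catalogue the SCADA service reaches a nice-to-have historian and, through it, a data warehouse; both end up in the cold-start scope unless the SCADA service is explicitly built to run without them, which is exactly the decision the slide asks for.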
Anticipate degradation
Anticipate degradation
Really grok what is important for your company:
• video streaming
• program guide
• account management (add/modify/delete)
• personalized program guide
• other stuff
Cut resources from less important components to support critical components.
And test every time, all the time.
Anticipate degradation
Anticipate degradation
Really grok what is important for grid operations: *
• Communication (telephony)
• SCADA (EMS)
• SCADA (DMS)
• (Security) monitoring
• Documentation
• …
• …
• Analytics
• Grid planning
• Other stuff
* this will change over time, so re-evaluate regularly…
Anticipate degradation
Business requirements for (real-time) OT data are growing
• SCADA on an iPad, why not?...
Store-and-forward principle with sufficient buffer storage between OT and IT
Management of OT domain must be done from within OT domain
• No remote control from IT domain
• Can have huge impact on current operations!
• IT operations
• Field service engineers
• Security
The red button…
“Defense in depth”
Defense in depth is much more than two firewalls by different vendors.
Defense in depth only works if you can detect someone breaching your layers.
“And only the middle window is in scope for the penetration test.”
SIEM installation 1.0
(diagram; only the labels are recoverable) One console; a processor per site (IT DC 1 & 3, OT DC 1, OT DC 2), each collecting logs and flows from its own site.
SIEM installation 2.0
(diagram; only the labels are recoverable) One console and processor; IDS sensors added at the OT sites, feeding flows and logs; logs and flows still collected from IT DC 1 & 3, OT DC 1 and OT DC 2.
Use cases
(diagram; labels recovered from the slide) Event sources feeding the SIEM:
• Virus detected
• 104 traffic anomaly
• Unknown device detected
• Login failure
• …
• Successful logon
• Unusual login
• User created
• Process shutdown
Use case “Likelihood of unauthorised access”, a score built from:
• Login attempts
• No work ticket
• ID stays within authorisations
• User created
• Process shutdown
• Virus detected
• Traffic anomaly
• Total
Warning: Unauthorised Access > 50%
Alert: Unauthorised Access > 70%
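The “likelihood of unauthorised access” use case is a weighted aggregation of weak signals, each of which is harmless on its own. The following is an added example, not code from the slides or from Alliander's SIEM: the indicator names and the 50% / 70% thresholds come from the slide, while the weights per indicator, the cap on login failures, the event line format and the sample events are assumptions made for the example. “ID stays within authorisations” is modelled as the absence of the outside_authorisation indicator.

```python
"""Added example, not from the slides: the "likelihood of unauthorised
access" use case above as scoring logic run over constructed log events.

The indicator names come from the slide; the weights per indicator, the
cap on login failures, the event line format and the sample events are
assumptions made for this example. "ID stays within authorisations" is
modelled as the absence of the outside_authorisation indicator. The slide
gives only the thresholds: warning above 50%, alert above 70%.
"""
import re
from collections import defaultdict

# Assumed weights, in percentage points of "likelihood of unauthorised access".
WEIGHTS = {
    "login_failure": 10,          # per failed login, capped by LOGIN_FAILURE_CAP
    "no_workticket": 25,          # successful logon with no matching work ticket
    "outside_authorisation": 20,  # ID acting outside its authorisations
    "user_created": 15,
    "process_shutdown": 20,
    "virus_detected": 20,
    "traffic_anomaly": 15,
}
LOGIN_FAILURE_CAP = 30
WARNING, ALERT = 50, 70  # thresholds from the slide (strictly greater than)

# Constructed sample events: "<time> <user> <indicator> [key=value ...]"
SAMPLE_LOG = """\
08:01:02 j.doe login_failure
08:01:09 j.doe login_failure
08:01:15 j.doe login_failure
08:01:20 j.doe login_success ticket=none
08:02:40 j.doe user_created target=svc_backup
08:03:10 j.doe process_shutdown proc=historian
09:12:00 r.hees login_success ticket=CHG-1234
09:13:00 r.hees process_shutdown proc=test_rtu
10:05:00 m.smith login_failure
10:05:06 m.smith login_failure
10:05:11 m.smith login_failure
10:06:00 m.smith login_success ticket=CHG-1300
10:07:30 m.smith traffic_anomaly proto=104
10:09:00 m.smith user_created target=tmp_admin
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<kind>\S+)(?P<rest>.*)$")


def parse_events(text):
    """Parse the constructed line format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        events.append({"ts": m["ts"], "user": m["user"], "kind": m["kind"], "attrs": attrs})
    return events


def score_users(events):
    """Sum indicator weights per user; login failures are capped so a noisy
    lockout alone cannot push a user over the alert threshold."""
    failures = defaultdict(int)
    scores = defaultdict(int)
    for ev in events:
        user, kind = ev["user"], ev["kind"]
        if kind == "login_failure":
            failures[user] += 1
        elif kind == "login_success" and ev["attrs"].get("ticket", "none") == "none":
            scores[user] += WEIGHTS["no_workticket"]
        else:
            scores[user] += WEIGHTS.get(kind, 0)  # unknown indicators add nothing
    for user, n in failures.items():
        scores[user] += min(n * WEIGHTS["login_failure"], LOGIN_FAILURE_CAP)
    return {user: min(score, 100) for user, score in scores.items()}


def classify(score):
    if score > ALERT:
        return "alert"
    if score > WARNING:
        return "warning"
    return "none"


def assess(text):
    """user -> (score, level) for every user seen in the log text."""
    return {user: (score, classify(score))
            for user, score in score_users(parse_events(text)).items()}


if __name__ == "__main__":
    for user, (score, level) in sorted(assess(SAMPLE_LOG).items()):
        print(f"{user:10s} {score:3d}%  {level}")
```

With the constructed events, the user who logs in after three failures without a work ticket and then creates an account and stops a process lands in the alert band, while the engineer doing the same shutdown under a ticket stays well below the warning line; the work ticket is what separates the two, which is why it carries the largest single weight here.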
Added value for operations too
Liander Control Room
response
In previous presentations Erwin complained
Default passwords
Service backdoors
“open” wireless connections
Internet connections (basic hygiene)
No secure design
Underestimating the motivation of the attacker
More than enough people writing policy (chiefs)
Not enough people to implement and run it (indians)
More than enough people telling me what’s wrong
Recap
If you don’t know where you’ll be going, how do you know when you get there?
• Set clear goals
• Allow flexibility in the journey (agile-ish approach)
Support at board level (CxO)
• Prioritize fundamentals (build pizza crust first with topping in mind)
• Cancel vital resources claims from other projects (like analytics)
Support at operation level
• Build a team (not an org chart)
• Listen and respect every member’s expertise and input (even if you do not agree)
Communicate why this is still a good idea (and then communicate some more)
• Ukraine incidents helped…