WIRAB Webinar Series on Cybersecurity of Electric Utility Industrial Control Systems

Webinar #2 – Power Grid Resilience and Mitigating the Impacts of a Cyber Event

December 8, 2017


Three Webinar Series

• Introduction to Industrial Control Systems, Threats and Risks and Future Trends for Cybersecurity – Friday, December 1, 2017 at 11:00 AM MT

• Power Grid Resilience and Mitigating the Impacts of a Cyber Event – Friday, December 8, 2017 at 11:00 AM MT

• Challenges with State/Provincial Policies to Address Cyber Risk – Friday, December 15, 2017 at 11:00 AM MT

• More information and recordings available at: westernenergyboard.org/category/webinars/


Power Grid Resilience and Mitigating the Impacts of a Cyber Event

Copyright © 2017

About Today's Presenters

Earl W. Shockley

President, Founder, inPOWERd LLC

Roger Hill

Chief Technology Officer, Veracity Industrial Networks

A quick summary from our last webinar…

Future trends to securing ICS and the US DoE CEDS program approach to attack surface reduction for the Power Grid

Overview of Industrial Control Systems (ICS), types of systems and the components that encompass these systems

The industry segments that utilize ICS (Energy, Automotive, Transportation, Chemical, etc.)

Different goals and priorities between operations technology (OT) and information technology (IT)

IT: 1. Confidentiality 2. Integrity 3. Availability

OT: 1. Safety 2. Availability 3. Integrity 4. Confidentiality

Breakdown of the adversaries and bad actors and motivations. Discussion of common threat vectors to ICS. Explored the anatomy of a cyber attack on ICS.

Agenda for today's webinar

• Overview of 2003 Blackout – “Sparks Power Grid Resilience Movement”.

• Power Grid Resilience Defined.

• Issues Facing Power Grid Resilience.

• Why Power Grid Resilience is Important to Mitigate Cyber Events.

• Connecting the dots between the DoE Chess Master and Resilience Enhancement using Software Defined Networking.


Overview of 2003 blackout – Sparks grid resilience

• On August 14, 2003, large portions of the Midwest and Northeast United States and Ontario, Canada, experienced an electric power blackout.

• The outage affected an area with an estimated 50 million people and 61,800 megawatts (MW) of electric load in the states of Ohio, Michigan, Pennsylvania, New York, Vermont, Massachusetts, Connecticut, New Jersey and the Canadian province of Ontario.

• The blackout began a few minutes after 4:00 pm Eastern Daylight Time (16:00 EDT), and power was not restored for 4 days in some parts of the United States. Parts of Ontario suffered rolling blackouts for more than a week before full power was restored.

• Estimates of total costs in the United States range between $4 billion and $10 billion (U.S. dollars). In Canada, there was a net loss of 18.9 million work hours, and manufacturing shipments in Ontario were down $2.3 billion (Canadian dollars).

Power grid resilience defined:

What is the Difference Between Reliability and Resilience?

“…reliability can be defined as the ability of the power system to deliver electricity in the quantity and with the quality demanded by users. Reliability is generally measured by interruption indices defined by the Institute of Electrical and Electronics Engineers Standard 1366.”

“…resilience can be defined as the ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.” The National Infrastructure Advisory Council (2009, 8)

Three properties for grid resilience (R1)

1. Absorptive, which is the ability of the grid to minimize the disruption from the initial attack.

2. Adaptive, which is the ability of the grid to keep operating under the damaged state.

3. Restorative, which is the ability of the grid to restore to full functionality after the attack.

Three key risk factors for power grid resilience


Other risk factors for power grid resilience (R3)


Five key issues facing power grid resilience

1. North America's power grid is vulnerable to “Severe Events” such as natural disasters, operational issues, physical threats, and cyber attacks.

2. Increasing reliance on cyber infrastructure, including computers, communication networks, other control system electronics, smart meters, and other distribution-side cyber assets, in order to achieve its purpose of delivering electricity to the consumer.

3. Aging workforce issues (loss of tribal knowledge) and a lack of workforce cyber security expertise.

4. Vulnerabilities from aging critical infrastructure and critical infrastructure interdependencies.

5. Supply chain vulnerabilities.

Severe Event Phases

Understanding severe events (R2)


Aging workforce and challenges to resilience (R6)

1. The energy industry is experiencing a huge turnover in workforce.

• 234,000 estimated new jobs in the West Coast energy industry will need to be filled over the next 15 years. 1.5 million needed across the energy sector by 2030.

2. Energy worker retirements are occurring at a rate more than double the percentage of new energy apprentices being trained. 500,000 workers are expected to retire in the next 5 to 10 years.

3. The average energy worker is seven years older than the average worker across all industries in the United States.

4. 77 percent of energy companies find it difficult to hire qualified employees, especially cyber security subject matter experts (SMEs). 30 percent of firms claimed insufficient qualifications, certifications, and education.

5. The energy industry is changing rapidly and the needed skill mix has shifted and will shift more rapidly in the future. Entire job classes have been phased out and new ones created. Worker demographics are shifting and training models have shifted.

6. Emerging technology has a place in helping to retain tribal knowledge as well as reducing the complexity of legacy systems.

Critical Infrastructure interdependencies (R2)

Increase Visibility, Understanding and Control

Graphic Reference – NIST SP 800-161

Cyber smart grids – Enhancement of resilience

• In a smart grid environment, it is expected that the cyber-physical system would be attack resilient using security at the device or component levels.

• “Self-healing networks” not only address automated network restoration strategies considering distributed energy resources, but also deal with high-level decentralized control methodologies to prevent blackouts.

• A smart grid can be treated as the combination of physical power system components and cyber system infrastructure including software defined networks, hardware and communication requirements.

• Emerging technology does not equal complexity. Reducing complexity helps address the aging workforce and a lack of cyber security SMEs.

DoE Chess Master Innovation to realize cyber grid resilience

Utilizing Software Defined Networking (SDN) to drive grid and cyber resilience

Continual and Autonomous Reduction of Cyber Attack Surface for Energy Delivery Control Systems


Hardware Defined Networking (HDN) vs Software Defined Networking (SDN)

Logical separation of the control plane to a centralized control plane.

[Diagram: Hardware Defined Networking shows four devices, each with its own Control Plane and Data Plane. Software Defined Networking shows four devices, each with a Controller Agent and Data Plane, under an SDN Controller (Logical Control Plane) that connects through APIs to three Business Applications.]

Software Defined Networking (SDN) – Packet Flow Part 1

Known and Allowed Traffic

[Diagram: A, Switch, B and Controller; A pings B through the switch, steps 1–3.]

"I know what to do with ping."

"Working" traffic never leaves the switching fabric.

Unknown / New Traffic

[Diagram: A, Switch, B and Controller; A sends DNP3 to B, steps 1–5.]

"What do I do with DNP3 from A to B?"

"Pass it and remember for next time."

"Centralized" decision of what to do with the flow.

Software Defined Networking (SDN) – Packet Flow Part 2

Known and Denied Traffic

[Diagram: A, Switch, B and Controller; A sends FTP to B, numbered steps.]

"Not allowed."

"Explicit" deny rule for flow.

Known, Allowed, and Audited Traffic

[Diagram: A, Switch, B and Controller; A sends FTP to B, numbered steps.]

"A is FTP'ing to B. I will alert people. I might copy the packets to a logger, too."

"Audited" traffic for authorized flow.

Software Defined Networking (SDN) – Packet Flow Part 3

Quarantined Devices (or Device Types.. Or Zones.. Or..)

[Diagram: A, Switch, B and Controller; traffic labelled "Various", steps 1–3.]

"A is trying to do things. I will alert people. I might copy the packets to a logger, too."

Abstraction of complexities key to operation efficiency

Transitioning from a serial based infrastructure to an Ethernet based infrastructure represents a transfer of knowledge.

Subject matter experts for the physical process that is being automated and controlled are critical to a sound cyber resilience plan.

User experience will be key, as well as complexity abstraction, to enable users to make effective business decisions quickly while leveraging their knowledge of the automated process.

Complexity is the Enemy of Security!

Improve the efficiency and productivity of SMEs, critical to addressing knowledge transfer in transitioning from tribal knowledge.

Model the cyber physical system network into a simulated network. Test to predict behavior and reduce human error.

Creation of change management into policy enforcement model with integrated digital peer review provides non-repudiation.

Allow decisions to be made based upon device behavior and the functional role of the device; abstract the complexities of HOW.

Examination of how the resilience properties can be applied specifically to cyber resilience

Applying resilience properties to securing the network fabric


Defining a threat state model first to the Normal resilience property

Disaster recovery planning exercises are utilized as the process to define threat state categories. Each elevated state of threat presents a new response plan that has a corresponding policy.

Threat State elevates from DEFCON 5 to DEFCON 1

NORMAL resilience property corresponds to the DEFCON 5 threat state

How the Absorptive resilience property can be realized for cyber resilience

ABSORPTIVE property minimizes the disruption from initial attack

Absorptive property is applied specifically to the Reconnaissance stage of the cyber kill chain.

Inherently, the deny-by-default approach applied to the network renders network scanning tools and techniques useless.

Active defense strategies can be applied in the form of deception to provide false information to the adversary.

How the Adaptive resilience property can be realized for cyber resilience

ADAPTIVE property ensures operational continuity during attack

Defense Readiness Condition (DEFCON) represents a pre-defined response plan to ensure operational continuity, availability and critical mission of the system.

[Diagram: threat-state scale listing DEFCON 1, DEFCON 2, DEFCON 3, DEFCON 4 and DEFCON 5, with the labels "Most permissive, least restrictive policy" and "Autonomous zones, mission critical devices & mission critical communication only".]

System Threat State Automatically Triggers Pre-Designed Response Policy to Changing Threat
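The flow handling from the packet-flow slides and the threat-state policy switch from the Adaptive slide, modelled together as an added example (not code from the presenters or from any SDN product). The hosts, the policy tables, the `apply_change` helper and the choice to drop quarantined traffic are assumptions made for illustration; DEFCON 5 is taken as the most permissive state and DEFCON 1 as mission-critical communication only.

```python
from dataclasses import dataclass, field

FORWARD, DROP, AUDIT, ISOLATE = "forward", "drop", "forward+alert", "drop+alert"

# Constructed policy tables, one per threat state: (src, dst, protocol) -> action.
# A flow that is not listed is denied (deny-by-default).
POLICIES = {
    5: {("A", "B", "ping"): FORWARD,   # DEFCON 5: most permissive policy
        ("A", "B", "dnp3"): FORWARD,
        ("A", "B", "ftp"): AUDIT},
    1: {("A", "B", "dnp3"): FORWARD},  # DEFCON 1: mission-critical traffic only
}

@dataclass
class Controller:
    threat_state: int = 5
    quarantined: set = field(default_factory=set)

    def decide(self, flow):
        """Centralized decision for a flow the switch has not seen before."""
        if flow[0] in self.quarantined:
            return ISOLATE  # assumption: quarantined sources are dropped and alerted
        return POLICIES[self.threat_state].get(flow, DROP)

@dataclass
class Switch:
    controller: Controller
    flow_table: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)
    controller_queries: int = 0

    def handle(self, src, dst, proto):
        flow = (src, dst, proto)
        if flow not in self.flow_table:  # unknown / new traffic: ask once, remember
            self.controller_queries += 1
            self.flow_table[flow] = self.controller.decide(flow)
        action = self.flow_table[flow]   # known traffic is handled in the fabric
        if action in (AUDIT, ISOLATE):
            self.alerts.append(flow)
        return action

    def apply_change(self, threat_state=None, quarantine=None):
        """Change policy, then flush cached decisions so none outlives it."""
        if threat_state is not None:
            self.controller.threat_state = threat_state
        if quarantine is not None:
            self.controller.quarantined.add(quarantine)
        self.flow_table.clear()
```

Flushing the flow table on every policy change is what keeps a flow approved under DEFCON 5 from continuing to pass after the state moves to DEFCON 1 or the source is quarantined.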

Responsible use of encryption to enable threat state transitions

Redefine firewalls by securing every flow of data by every device

Application of encryption on switch fabric transparent to connected device

Transition from static segmentation and trust zones to dynamic micro-segmentation

Preview to our next series: Webinar 3 State/Provincial Policies

• Challenges with the speed of technology vs response by policy makers

• Compliance of regulation does not equal security

• How language can be critical in defining policy

• Enabling innovation with specific focus of commercialization at the State and/or Provincial level

Questions & Answers Panel

Earl W. Shockley

President, Founder, inPOWERd LLC

Roger Hill

Chief Technology Officer, Veracity Industrial Networks

References

OT environments have as many as 10X the assets, and the CISO and Security often have little knowledge of their technology and no idea where they even are

1. Analysis of Determinants of the Impact and the Grid Capability to Evaluate and Improve Grid Resilience from Extreme Weather Event, Fauzan Hanif Jufri, Jun-Sung Kim, and Jaesung Jung (Nov 2017).

2. Severe Impact Resilience: Considerations and Recommendations, NERC Severe Impact Resilience Task Force, (May 2012)

3. Addressing Dynamic Threats to the Electric Power Grid Through Resilience, The Chertoff Group (Nov 2014)

4. Electric Grid Security and Resilience: Establishing a baseline for Adversarial Threats, ICF International (June 2016)