CIP Standards

CYBERSECURITY AND RURAL ELECTRIC POWER SYSTEMS
Paul R. Kaster, Jr., LtCol, USAF, MS, MA, EIT, PhD Candidate
Department of Electrical Engineering and Computer Science
Advisor: Dr. P.K. Sen, PE, IEEE Fellow
2015 IEEE Rural Electric Power Conference, Asheville, North Carolina
Overview
‣ Cyber Security Basics
‣ Critical Infrastructure Protection (CIP) Standards
‣ National Institute of Standards and Technology (NIST) Interagency Report (NISTIR) 7628
‣ Future Research
Fundamentals: The Cyber Threat
‣ Russian invasion of Georgia (2008)
‣ Stuxnet
‣ Markey and Waxman report (May 2013)
Fundamentals: Confidentiality, Integrity, Availability
Term – Definition
‣ Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
‣ Integrity – Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
‣ Availability – Ensuring timely and reliable access to and use of information
Source: 44 U.S.C., SEC. 3542
Fundamentals: Potential Impact Levels
Attribute – Failure
‣ Confidentiality – Unauthorized disclosure
‣ Integrity – Unauthorized modification or destruction
‣ Availability – Disruption of access
Impact Level (for each attribute): Low: Limited impact; Moderate: Serious impact; High: Severe or catastrophic impact
Source: NISTIR 7628
Fundamentals: Cyber Security Core Functions
Term – Definition
‣ Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
‣ Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
‣ Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
‣ Respond – Develop and implement the appropriate activities to take action regarding a detected cyber security event.
‣ Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.
Source: NIST Framework for Improving Critical Infrastructure Cybersecurity
Fundamentals:
Risk Assessment (Subjective)
‣ Most Dangerous Course of Action (MDCOA)
– Potential cyber event that has the greatest impact on operations
‣ Most Likely Course of Action (MLCOA)
– Potential cyber event that is most likely to occur
‣ Minimum: Identify threat, target, and consequences
Fundamentals: Risk Assessment (Quantified)
R = T * V * C
‣ R: Risk (money or time)
‣ T: Threat (probability)
‣ V: Vulnerability (probability)
‣ C: Consequence (money or time)
Term – Definition
‣ Risk – potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences
‣ Threat – natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property
‣ Vulnerability – physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard
‣ Consequence – effect of an event, incident, or occurrence
Source: Department of Homeland Security (DHS) Risk Assessment Methodology: Evolution, Issues, and Options for Congress
Source: DHS Risk Lexicon
Fundamentals: Adversaries
Adversaries: Nation States, Organized Crime, Other Criminal Elements, Disgruntled Employees, Terrorists, Hackers, Industrial Competitors, Careless Employees
Motivations: Political, Chaos, Financial, Internal
Source: NISTIR 7628
Fundamentals: Controls
Control types: Administrative, Technical, Physical
‣ Inventory of authorized and unauthorized devices
‣ Inventory of authorized and unauthorized software
‣ Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
‣ Continuous vulnerability assessment and remediation
‣ Malware defenses
‣ Application software security
‣ Wireless access control
‣ Data recovery capability
‣ Security skills assessment and appropriate training to fill gaps
‣ Secure configurations for network devices such as firewalls, routers, and switches
‣ Limitation and control of network ports, protocols, and services
‣ Controlled use of administrator privileges
‣ Boundary defense
‣ Maintenance, monitoring, and analysis of audit logs
‣ Controlled access based on need to know
‣ Account monitoring and control
‣ Data protection
‣ Incident response and management
‣ Secure network engineering
‣ Penetration tests and red team exercises
Source: SANS Institute
Fundamentals: Example
Metering system for rural electric provider
‣ “CIA” Analysis
– Low Confidentiality
– High Integrity
– Low Availability
‣ Core Functions: Identify
– Subjective Risk Analysis
‧ MLCOA: power thief attacking single meter for up to a year
‧ MDCOA: disgruntled employee corrupting data preventing accurate billing
Fundamentals: Example (Continued)
‣ Core Functions: Identify
– Quantitative Risk Analysis
– Known historical data
– Two known threats
‧ Power Thief (T=2%)
‧ Disgruntled Employee (T=0.25%)
– Two known vulnerabilities
‧ Individual meters (V=1% for thief, 20% for employee)
‧ Database (V=0.001% for thief, 25% for employee)
– Two estimated consequences
‧ Meters: $500
‧ Database: $100,000
R = T * V * C
Threat      Meter Risk   Database Risk
Thief       $0.10        $0.02
Employee    $0.25        $62.50
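As an added worked example (not from the slides), the following Python computes the metering risk table from the T, V and C values listed above and then ranks the events; the rules used to quantify MDCOA and MLCOA, and all function names, are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float               # T: probability the threat acts (per year)
    vulnerability: Dict[str, float]  # V per asset: probability the attempt succeeds


# Constructed inputs, taken from the deck's metering example
CONSEQUENCE: Dict[str, float] = {"meter": 500.0, "database": 100_000.0}  # C, dollars
THREATS: List[Threat] = [
    Threat("thief", 0.02, {"meter": 0.01, "database": 0.00001}),
    Threat("employee", 0.0025, {"meter": 0.20, "database": 0.25}),
]


def risk(threat: Threat, asset: str, consequence=CONSEQUENCE) -> float:
    """R = T * V * C: expected loss in dollars for one threat against one asset."""
    return threat.probability * threat.vulnerability[asset] * consequence[asset]


def risk_table(threats=THREATS, consequence=CONSEQUENCE) -> Dict[str, Dict[str, float]]:
    """{threat: {asset: R}} rounded to cents; reproduces the deck's table."""
    return {t.name: {a: round(risk(t, a, consequence), 2) for a in consequence}
            for t in threats}


def asset_totals(threats=THREATS, consequence=CONSEQUENCE) -> Dict[str, float]:
    """Summed R per asset: shows where a control buys the most risk reduction."""
    return {a: round(sum(risk(t, a, consequence) for t in threats), 2)
            for a in consequence}


def mdcoa(threats=THREATS, consequence=CONSEQUENCE) -> Tuple[str, str]:
    """Most Dangerous COA, quantified here (assumption) as the event with the largest R."""
    _, name, asset = max((risk(t, a, consequence), t.name, a)
                         for t in threats for a in consequence)
    return name, asset


def mlcoa(threats=THREATS) -> Tuple[str, str]:
    """Most Likely COA, quantified here (assumption) as the threat most likely to act
    (largest T) against the asset it is most likely to succeed against (largest V)."""
    t = max(threats, key=lambda th: th.probability)
    return t.name, max(t.vulnerability, key=t.vulnerability.get)


if __name__ == "__main__":
    print(risk_table(), asset_totals(), mdcoa(), mlcoa())
```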
Fundamentals: Example (Continued)
‣ Core Functions: Protect
– Physical Controls:
‧ Sealed metal boxes at meters, junctions
‧ Limited access to equipment, operations rooms
– Administrative Controls:
‧ Two person authentication for network access
‧ Limited administrator privileges
– Technical Controls:
‧ Internal network equipment capability
‧ Lock down unused ports
‧ Off site data backup
Fundamentals: Example (Continued)
‣ Core Functions: Detect
– Physical Controls:
‧ Tamper tags
‧ Random visual inspections for metal boxes
– Administrative Controls:
‧ Inspection policies
– Technical Controls:
‧ Network logging, monitoring
‣ Core Functions: Respond and Recover
– Administrative Controls:
‧ Policies, procedures, drills
– Technical Controls:
‧ Off-site data backup
CIP Standards: Overview
‣ North American Electric Reliability Corporation (NERC) standards for cybersecurity
‣ Ten standards, Version 5 becomes effective on/about July 2015
– CIP-002-5.1 Bulk Electric System (BES) Cyber System Categorization
– CIP-003-5 Cyber Security – Security Management Controls
– CIP-004-5.1 Cyber Security – Personnel and Training
– CIP-005-5 Cyber Security – Electronic Security Perimeter(s)
– CIP-006-5 Cyber Security – Physical Security of BES Cyber Systems
– CIP-007-5 Cyber Security – System Security Management
– CIP-008-5 Cyber Security – Incident Reporting and Response Planning
– CIP-009-5 Cyber Security – Recovery Plans for BES Cyber Systems
– CIP-010-1 Cyber Security – Configuration Change Management and Vulnerability Assessment
– CIP-011-1 Cyber Security – Information Protection
CIP Standards: Applicability
‣ Functional/Responsible Entities
– Balancing Authority
– Distribution providers that own:
‧ Under frequency load shedding (UFLS) or under voltage load shedding (UVLS) systems that perform automatic load shedding of at least 300 MW or are part of a larger load shedding program subject to NERC or Regional Reliability Standards.
‧ Any of the following that are subject to NERC or Regional Reliability Standards:
  ‧ Special Protection Scheme
  ‧ Remedial Action Scheme
  ‧ Transmission Protection System (other than UFLS or UVLS)
  ‧ Cranking Path or Group of Elements required for Blackstart Resources
– Generator Operator
– Generator Owner
– Interchange Coordinator/Interchange Authority
– Reliability Coordinator
– Transmission Operator
– Transmission Owner
CIP Standards: Applicability (continued)
‣ CIP standards applicable to all facilities owned by a functional entity except for:
– Distribution providers only responsible for those areas described above
– Facilities owned by Canadian Nuclear Safety Commission
– Communication links between Electronic Security Perimeters (i.e. only responsible for assets within your own ESP)
– Anything regulated by the Nuclear Regulatory Commission
‣ Evidence of compliance must be maintained for 3 calendar years. Records from the last audit must be maintained until the next audit.
CIP-002-5.1 BES Cyber System Categorization
‣ Background:
– The Responsible Entity has flexibility to “determine the level of granularity” when defining systems.
– Limited to “BES Cyber Systems that would impact the reliable operation of the BES.”
– BES Cyber Assets:
‧ “Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.”
‣ Requirements:
– Identify high, medium, and low impact BES Cyber Systems
‧ Provides specific guidance to identify level
– Review those identifications every 15 months and document even if no identified items
NISTIR 7628: Overview
‣ 597 pages of best practices
– Vol. 1: Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements
– Vol. 2: Privacy and the Smart Grid
– Vol. 3: Supportive Analyses and References
NISTIR 7628: Domains
NISTIR 7628: Interface Categories
Number – Description
‣ 1-4 – Communications between control systems and equipment
‣ 5 – Interface between control systems within an organization
‣ 6 – Interface between control systems within different organizations
‣ 7-8 – Interface between back office systems
‣ 9 – Business to Business (B2B) connections involving financial/market transactions
‣ 10 – Interface between control systems and other systems
‣ 11 – Interfaces between environmental sensors
‣ 12 – Interface between sensor networks and control systems
‣ 13 – Advanced Metering Infrastructure (AMI)
‣ 14 – High Availability AMI
‣ 15 – Systems using customer site networks
‣ 16 – Interface between external systems and the customer site
‣ 17 – Mobile field crew equipment
‣ 18 – Metering equipment
‣ 19 – Operations decision support systems
‣ 20 – Engineering/maintenance for control equipment
‣ 21 – Vendor maintenance and support for control systems
‣ 22 – Security/network/system management consoles
Each category is rated Low (L), Moderate (M), or High (H) for Confidentiality, Integrity, and Availability.
NISTIR 7628: Actors
NISTIR 7628: Security Requirements
‣ 19 Categories
‣ 180 High-level requirements
– Governance, Risk, Compliance (GRC)
– Common technical requirements
– Unique technical requirements
‧ Applied to each interface category
Categories (number of requirements):
‣ Access Control (21)
‣ Awareness/Training (7)
‣ Audit/Accountability (16)
‣ Security Assessment/Authorization (6)
‣ Configuration Management (11)
‣ Continuity of Operations (11)
‣ Identification/Authentication (6)
‣ Information/Document Management (4)
‣ Incident Response (11)
‣ Information System (IS) Development/Maintenance (7)
‣ Media Protection (6)
‣ Physical/Environmental Security (12)
‣ Planning (5)
‣ Program Management (8)
‣ Personnel Security (9)
‣ Risk Management/Assessment (6)
‣ IS and Services Acquisition (11)
‣ IS and Communication Protection (30)
‣ IS and Information Integrity (9)
NISTIR 7628: Security Requirements (continued)
NISTIR 7628: Use Case Scenarios
‣ Advanced Metering Infrastructure (AMI) (8)
‣ Demand Response (6)
‣ Customer Interfaces (6)
‣ Electricity Market (3)
‣ Distribution Automation (7)
‣ Plug-in Hybrid Electric Vehicles (4)
‣ Distributed Resources (2)
‣ Transmission Resources (4)
‣ RTO/ISO Operations (1)
‣ Asset Management (4)
Future (Ongoing) Research
‣ Cyber Security Quantification!!!
– Objective: metric that is usable by industry to evaluate and compare
the security of different networks
‧ Must quantify a measurable value (e.g. time, cost)
‧ Must correlate with real world data
‧ Must be tailored to the power industry
– Several (flawed) models proposed in literature
– Two proposed metrics
‧ Mean Time Between Security Incidents (MTBSI)
‧ Estimated Annual Security Incident Impact (EASII)
– Modeling and Simulation
– Analysis of real world data
Conclusion
‣ Cyber Security Basics
‣ Critical Infrastructure Protection (CIP) Standards
‣ National Institute of Standards and Technology (NIST) Interagency Report (NISTIR) 7628
‣ Future Research
CONTACT INFORMATION
Paul R. Kaster, Jr., LtCol, USAF, MS, MA, EIT
pkaster@mines.edu