Business Convergence
WS#2
Smart Grid Technologies
and Project Use Cases
Embedding Security Software
Sébastien Breton, Airbus Defence & Space CyberSecurity
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Forewords
Be reminded that there are two cultures:
 For IT People, security means cybersecurity
 For ICS people, security means safety and
reliability
In electric systems, safety and reliability
are of paramount importance, and any
cyber security measures should not
jeopardize power system operations!
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
IT: Information Technology
ICS: Industrial Control System
Embedding Security Software
Outline
 Introduction
 Cybersecurity context: today’s grid
 Cybersecurity concepts
 Defence-in-depth
 Incident handling
 Critical elements
 Cyber-physical attacks
 Preventing the hack
 Can your smart grid system survive from a cyber attack?
 Conclusion
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Introduction
Cybersecurity must be considered as a whole
system approach
Security requirements to be implemented in a
given system must be drawn from a security
risk analysis, which, in the specific field of
smart grid systems, must take into account not
only cyber risks and physical risks, but
combined cyber-physical risks, so as to deter
cyber-physical threats
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Cyber Security Context: today’s grid
Blackouts, reported in several cities since 2000
(Northeast, Florida, etc.), could have been
caused by cyber-attacks against the electric grid
U.S. Department of Homeland Security
investigated over 200 serious cyber-attacks
against critical infrastructure during the first
half of 2013
 Electric grid targeted in over half of these attacks
Blackhat: Pentesting Smart Grid and SCADA
with SamuraiSTFU
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Defence-in-depth
 Setting up a cybersecurity strategy, based on a
layered approach, to mitigate the risk:
Recovery
• Reconstitution of smart grid operations
• E.g.: Remediation activities
Response
• Emergency operation plans and incident
mitigation activities (short term actions)
• E.g.: Containing a cyber attack, modifying
firewall filtering rules
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Prevention
• Continuous actions and measures put in
place to reduce the risk of threats
• E.g.: Patch management process, software
updates, security by design
Detection
• Approaches to identify anomalous behaviours
and discover intrusion
• E.g.: Intrusion detection system, traffic
inspection
Embedding Security Software
Critical elements
The cybersecurity strategy should consider the
following critical elements as being all
necessary for each prevention, detection,
response, recovery building blocks:
PEOPLE
PROCESS
TECHNOLOGY
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
• TRUSTED
SUPPLY
CHAIN
• PATCH
VALIDATION
TECHNOLOGY
• CYBER
SECURITY
AWARENESS
• TRAINING
(SECURE
CODING)
PROCESS
PEOPLE
Critical elements applied to prevention
(Example)
• UP-TO-DATE
ALGORITHM
• STANDARD
Embedding Security Software
Cyber-physical attacks
Cyber-physical attacks (also called blended
attacks) cause a greater impact and/or different
consequences than a cyber or physical attack
could cause individually
To address the enhanced impacts, risks and
vulnerabilities for both cyber and physical
attacks must be considered
Can your smart grid system survive from a cyber
attack?
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Common control system
vulnerabilities and weaknesses
Software / Product
Security Weaknesses
Configuration
weaknesses
• Improper input
validation
• Poor code quality
• Permissions,
privileges and access
controls
• Improper
authentication
• Insufficient verification
of data authenticity
• Cryptographic issues
• Credentials
management
• Configuration and
maintenance
• Permissions,
privileges and access
controls
• Improper
authentication
• Credentials
management
• Security configuration
and maintenance
• Planning, policy,
procedures
• Audit and
accountability
configuration
Network security
weaknesses
• Common network
design weaknesses
• Weak firewall rules
• Network component
configuration
(Implementation)
vulnerabilities
• Audit and
accountability
Source: Cyber–Physical System Security for the Electric Power Grid , Proceedings of the IEEE | Vol. 100, No. 1, January 2012
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Embedding security software
 Large scale key management and cryptographic algorithm

Integrity of the software is not simply checking a CRC « signature »
 It must rely on cryptographic signature, which implies managing secret
elements (cryptographic keys). It is the only way to truly authenticate the
software editor
 Don’t implement your own cryptographic algorithm. You’ll fail!
 Secure communications

Must be based on standard protocols with a given cryptograhic key size
 Managing technological obsolescence… !
 Authentication of remote critical controls
 Protection against eavesdropping (encrypt!)
 Get your software product independently assessed or pentested
 And of course, it is all about human people:
 Provide relevant training (secure coding…)
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Conclusion
 To address new security challenges, cyber security
needs to be integrated with system theory to guarantee
resilience of the grid
 MAS²STERING shall provide:
 Cross domain (power/electrical to cyber/digital) security event
detection (SIEM), analysis and response
 Secure communications in regards of the privacy concerns
 Role-based access control (RBAC) to authenticate, authorize
and grant access to the smart grid system
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Backup slides
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)
Embedding Security Software
Bibliography
 NIST 7628 - Guidelines for Smart Grid Cybersecurity
 Volume 1 – Smart Grid Cybersecurity Strategy, Architecture,
and High-Level Requirementsines for Smart Grid Cybersecurity
 Volume 2 – Privacy and the Smart Grid
 Volume 3 – Supportive Analyses and References
 SANS Institute
 The Incident Handlers Handbook
 The CERT Division
 Secure coding
 OWASP
project co-funded by the European
Commission within the 7th Framework
Program (Grant Agreement No. 619682)