Security Grid Modernization-Bochman

Grid Modernization
Cybersecurity discussion for
Massachusetts DPU
12 March 2013
© 2013 IBM Corporation
Agenda
Intro & Obligatory Threat update
Key Issues & Challenges
-- AMI and Smart Meter Security
-- The Cybersecurity Side of Privacy
-- Notes from Other States
NARUC's Cybersecurity Guide for State Regulators 2.0
Security Governance initiative, metrics and the EO
Q&A / Discussion
About me
Current
IBM Energy Security Lead
Founder, Smart Grid Security & DOD
Energy Blogs
Advisor to DOE, NIST
Member, MIT Energy Club
Former
Cybersecurity start-up vet
Tech analyst
USAF Comms & Computers
Threat update
• RasGas hit by computer virus: RasGas, the world's second-biggest LNG exporter, found its corporate networks and computers over-run by a hostile virus. (Source: Reuters, Aug 2012)
• Saudi Aramco struck by Shamoon attack: malware attack infected approximately 30,000 workstations at the world's largest oil producer. (Source: Information Week, Aug 2012)
• Iberdrola USA exposes customer records: admits it allowed 3rd-party access to 1.8 million customer records including PII and Social Security numbers. (Source: InfoSecurity, Jan 2012)
• Telvent IT breach led to OT IP theft: attacker penetrated firewalls and security systems, implanted malicious software, and stole project files for systems that remotely control portions of the electric grid. (Source: ZDNet, Sep 2012)
DHS ICS-CERT 4Q12 report says (reported) attacks on the sector are way up: 2012 (81) vs. 2011 (32)
Awareness update
Mainstream
• DHS secret threat briefing to utility CEOs
• CEOs asking for help with intel on emerging threats
The industry trade association Edison Electric Institute (EEI) shared an observation in June 2012 that for the last year utility CEOs have become much more interested in and concerned with cybersecurity matters, but are unsure how to proceed.
Issues and Challenges
• AMI and Smart Meter Security
-- Black Hat exposures
-- Software security
-- Encryption and head-end security protections
• Privacy
-- Information governance, privacy and data security concerns
-- Opt-out campaigns
-- YouTube FUD video "A search without a warrant every day"
-- Helpful: Smart Grid Consumer Collaborative (SGCC); point of contact: Patty Durand
Issues and Challenges (cont.)
• Key Question: Is AMI riskier than AMR and/or Advanced AMR?
-- Vs. AMR: Yes
-- Vs. Enhanced AMR: if using RF mesh, yes. Usually AMR is read-only, so the meter data would need to be encrypted with some sort of authentication binding the meter to the HAN. AMI will include Demand Response actions (
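The "authentication binding the meter" point above, carried into code as an added example that is not part of the original deck. Each meter shares a unique key with the head-end, and every interval reading or demand-response command carries the meter ID, a monotonically increasing counter, a message type and an HMAC-SHA256 tag over all of them. The wire layout, meter IDs, keys and payload strings are constructed for illustration; confidentiality of the reading is deliberately left out (the standard library has no AEAD), so a deployment would use an authenticated cipher such as AES-GCM to get both properties from one primitive.

```python
"""Authenticated AMI messages between a smart meter and the head-end (added example).

Every message is bound to one meter (its key), one direction of use (message type)
and one position in the sequence (counter), so the receiver can reject messages
that are forged, altered, replayed, or produced with another meter's key.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16                 # truncated HMAC-SHA256 tag, in bytes
METER_READ, DR_COMMAND = 1, 2  # message types (assumed for this example)


def _mac(key: bytes, meter_id: str, counter: int, msg_type: int, payload: bytes) -> bytes:
    # Fold every header field into the tag so none of them can be swapped independently.
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(meter_id.encode("ascii"))
    h.update(struct.pack(">IB", counter, msg_type))
    h.update(payload)
    return h.digest()[:TAG_LEN]


def seal(key: bytes, meter_id: str, counter: int, msg_type: int, payload: bytes) -> bytes:
    """Wire format (assumed): id_len(1) | meter_id | counter(4) | type(1) | payload | tag(16)."""
    mid = meter_id.encode("ascii")
    header = struct.pack(">B", len(mid)) + mid + struct.pack(">IB", counter, msg_type)
    return header + payload + _mac(key, meter_id, counter, msg_type, payload)


class Endpoint:
    """One side of the link (meter or head-end): per-meter keys plus anti-replay state."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {mid: -1 for mid in keys}

    def open(self, wire: bytes):
        """Verify a message; return (meter_id, msg_type, payload) or raise ValueError."""
        if len(wire) < 1:
            raise ValueError("truncated")
        n = wire[0]
        if len(wire) < 6 + n + TAG_LEN:
            raise ValueError("truncated")
        mid = wire[1:1 + n].decode("ascii", errors="replace")
        counter, msg_type = struct.unpack(">IB", wire[1 + n:6 + n])
        payload, tag = wire[6 + n:-TAG_LEN], wire[-TAG_LEN:]
        key = self.keys.get(mid)
        if key is None:
            raise ValueError("unknown meter")
        # Constant-time compare; verify the tag before touching any replay state.
        if not hmac.compare_digest(tag, _mac(key, mid, counter, msg_type, payload)):
            raise ValueError("bad tag")
        if counter <= self.last_counter[mid]:
            raise ValueError("replay")
        self.last_counter[mid] = counter
        return mid, msg_type, payload


def _rejects(endpoint: Endpoint, wire: bytes) -> str:
    """Return the rejection reason, or 'ACCEPTED' if the endpoint took the message."""
    try:
        endpoint.open(wire)
        return "ACCEPTED"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    # Constructed per-meter keys; real ones are provisioned at manufacture or installation.
    keys = {"MTR-0001": bytes(range(32)), "MTR-0002": bytes(range(32, 64))}
    head_end = Endpoint(keys)
    meter1 = Endpoint({"MTR-0001": keys["MTR-0001"]})
    results = {}

    # 1. Genuine interval reading from meter 1 is accepted by the head-end.
    reading = seal(keys["MTR-0001"], "MTR-0001", 1, METER_READ, b"kWh=1532.7")
    results["accepted"] = head_end.open(reading)[2]
    # 2. The same bytes again: counter has not advanced, so it is a replay.
    results["replay"] = _rejects(head_end, reading)
    # 3. Reading altered in transit (last payload byte flipped).
    tampered = bytearray(reading)
    tampered[-TAG_LEN - 1] ^= 0x01
    results["tampered"] = _rejects(head_end, bytes(tampered))
    # 4. Meter 2's key used to forge a reading that claims to come from meter 1.
    forged = seal(keys["MTR-0002"], "MTR-0001", 2, METER_READ, b"kWh=0.0")
    results["wrong_key"] = _rejects(head_end, forged)
    # 5. Demand-response command: meter 1 accepts it only from a holder of its key.
    cmd = seal(keys["MTR-0001"], "MTR-0001", 1, DR_COMMAND, b"LOAD_LIMIT=2kW")
    results["dr_cmd"] = meter1.open(cmd)[1]
    rogue = seal(b"\x00" * 32, "MTR-0001", 2, DR_COMMAND, b"DISCONNECT")
    results["rogue_cmd"] = _rejects(meter1, rogue)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome!r}")
```

Because the tag covers meter ID, counter and message type together, the head-end rejects a reading forged with a neighbouring meter's key, the meter rejects a disconnect command from anyone who does not hold its key, and a captured genuine message cannot be replayed once its counter has been seen. Two practical caveats: use separate keys (or at least separate counters) per direction rather than sharing one counter space, and persist the counter across meter reboots, otherwise an attacker who can reset a meter can replay older commands.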
• More on Meter risks
-- Reverse engineering meter hardware
-- Searching for vulnerabilities and exploits at the board level (e.g., web services running on a chip of which the vendor is unaware)
-- Also lock picking to defeat tamper resistance: how to open the lid without triggering an alarm
• Utility Actions/Options
-- Collect tamper data and investigate
-- This is a point problem with tolerable revenue loss
-- However, cyber/malware issues that could propagate would be bigger
-- Utility might have to rebuild config files on each meter via optical or serial ports
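The "collect tamper data and investigate" option, with the point-problem versus propagating-problem distinction drawn in the bullets above, as an added example that is not part of the original deck. The log format, the event names (TAMPER_COVER, TAMPER_MAGNET, CONFIG_CHANGED, FIRMWARE_CHANGED), the sample lines and the thresholds are all constructed for illustration. A single meter with repeated physical tamper events is treated as a point problem for field investigation; unexpected configuration or firmware changes on many distinct meters within minutes is the pattern that would point to a propagating cyber issue rather than revenue theft.

```python
"""Triage of smart-meter event logs: point tamper or fleet-wide anomaly? (added example)"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real utility data). Assumed line format:
#   <ISO-8601 UTC> <meter id> fw=<firmware version> evt=<EVENT>
SAMPLE_LOG = """\
2013-03-10T23:41:10Z MTR-0007 fw=3.2.1 evt=TAMPER_COVER
2013-03-11T00:02:44Z MTR-0007 fw=3.2.1 evt=TAMPER_COVER
2013-03-11T01:15:09Z MTR-0007 fw=3.2.1 evt=TAMPER_MAGNET
2013-03-11T02:00:01Z MTR-0101 fw=3.2.1 evt=CONFIG_CHANGED
2013-03-11T02:00:03Z MTR-0102 fw=3.2.1 evt=CONFIG_CHANGED
2013-03-11T02:00:04Z MTR-0103 fw=3.2.1 evt=CONFIG_CHANGED
2013-03-11T02:00:07Z MTR-0104 fw=3.2.1 evt=FIRMWARE_CHANGED
2013-03-11T02:00:09Z MTR-0105 fw=3.2.1 evt=CONFIG_CHANGED
2013-03-11T06:30:00Z MTR-0042 fw=3.1.9 evt=TAMPER_COVER
"""

PHYSICAL = {"TAMPER_COVER", "TAMPER_MAGNET"}        # assumed physical tamper events
LOGICAL = {"CONFIG_CHANGED", "FIRMWARE_CHANGED"}    # assumed configuration/firmware events


def parse(log: str) -> list:
    """Parse log lines into (timestamp, meter_id, firmware, event) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, mid, fw, evt = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       mid, fw.split("=", 1)[1], evt.split("=", 1)[1]))
    return events


def triage(events: list, repeat_threshold: int = 2, burst_meters: int = 4,
           burst_window: timedelta = timedelta(minutes=10)) -> list:
    """Return findings: POINT_TAMPER per meter, FLEET_ANOMALY per burst of logical changes."""
    findings = []

    # Point problem: one meter with repeated physical tamper events -> field investigation.
    per_meter = defaultdict(list)
    for _, mid, _, evt in events:
        if evt in PHYSICAL:
            per_meter[mid].append(evt)
    for mid, evts in sorted(per_meter.items()):
        if len(evts) >= repeat_threshold:
            findings.append(("POINT_TAMPER", mid, len(evts)))

    # Fleet-wide: logical changes on many distinct meters inside a short window.
    # Sliding window over time-sorted events; each burst is reported once.
    logical = sorted((ts, mid, fw) for ts, mid, fw, evt in events if evt in LOGICAL)
    i = 0
    while i < len(logical):
        j = i
        while j + 1 < len(logical) and logical[j + 1][0] - logical[i][0] <= burst_window:
            j += 1
        window = logical[i:j + 1]
        meters = {mid for _, mid, _ in window}
        if len(meters) >= burst_meters:
            firmware = sorted({fw for _, _, fw in window})
            findings.append(("FLEET_ANOMALY", logical[i][0].isoformat(), len(meters), firmware))
            i = j + 1
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample, MTR-0007 is flagged as a point tamper (three physical events) while the five meters reporting configuration or firmware changes within eight seconds surface as one fleet anomaly, with the affected firmware version attached so the analyst can check whether a single image is implicated. Against real head-end exports the thresholds would be tuned to fleet size and reading cadence, and a fleet anomaly is the trigger for the config-rebuild scenario noted above rather than a truck roll.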
• Recommendations
-- Study what is working elsewhere and work very closely with Smart Meter vendor(s)
-- Given the potential for issues with billing accuracy, customer privacy and widespread outages, utilities should consider reputational/regulatory risks primary
Notes from Other States
• California
-- Points of Contact: Liza Malashenko and Chris Villarreal
-- 2011 Privacy and Data Security decision
-- Also: metrics (including cybersecurity); cybersecurity policy paper and hosted discussions
• Texas
-- Point of Contact: Allan Rivaldo
-- Security and the statewide portal
-- Teaming and collaboration with AMI and meter vendor on security matters
• Ohio
-- Interrogatories on security (from NARUC)
CPUC's Customer Usage Data Privacy Rules
7/29/2011: Decision Adopting Rules to Protect the Privacy and Security of the Electricity Usage Data of the Customers of PG&E, SCE and SDG&E
Touches on:
-- HAN networks
-- Real-time pricing signals for consumers
-- 3rd-party access to usage data with customer consent
-- New security and privacy rules for the big three CA IOUs, with CPUC oversight
NARUC's Guide
State utility regulators can and should:
• Create expertise within their own organizations
• Ask the right questions of utilities
• Assess their own cybersecurity and information protection capabilities
• Engage with other efforts led by the private sector, State agencies or federal officials, as well as engaging with processes that link these sectors
Points of Contact: Miles Keogh, Christina Cody
NARUC Questions: Planning
Having a plan indicates that the response isn't piecemeal, reactive or fragmented. Asking planning questions aims to encourage proactive and strategic action on the part of the utilities, rather than a patchwork response:
1. Does your company have a cybersecurity policy, strategy or governing document?
2. Is the cybersecurity policy reviewed or audited? Internally or by an outside party? What qualifications does the company consider relevant to this type of review?
3. Does your cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?
NARUC Questions: Standards
Standards are an important driver of enforceable action with which regulators can attempt to ensure utilities' compliance.
13. Describe the company's compliance status with NERC CIP-002 through CIP-009.
14. What collaborative organizations or efforts has your company interacted with or become involved with to improve its cybersecurity posture (such as NESCO, NESCOR, Fusion centers, InfraGard, US-CERT, ICS-CERT, ES-ISAC, SANS, the Cross-Sector Cyber Security Working Group of the National Sector Partnership, etc.)?
15. Can your company identify any other mandatory cybersecurity standards that apply to its systems? What is your company's plan for certifying its compliance or identifying that it has a timetable for compliance?
NARUC Questions: Procurement Practices
While the information of procurement seen upstream to vendors may only be proprietary to the utility, the decisions the vendor makes around procurement may contain key elements for cybersecurity. The questions below cover these aspects of procurement.
19. Has your organization conducted an evaluation of the cybersecurity risks for major systems at each stage of the system deployment lifecycle? What has been done with the results?
20. Are cybersecurity criteria used for vendor and device selection?
21. Have vendors documented and independently verified their cybersecurity controls? Who is the verifier and how are they qualified?
NARUC Questions: Personnel and Policies
Personnel, the people who run the systems we aim to protect, are key to ensuring cybersecurity. The way employees are hired, trained and separated from operations can make or break cybersecurity.
27. Is cybersecurity budgeted for? What is the current budget for cybersecurity activities relative to the overall security spending?
28. Are individuals specifically assigned cybersecurity responsibility? Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?
29. Does your company employ IT personnel directly, use outsourcing or employ both approaches to address IT issues? For companies that lack a full IT department, explain if one individual in your company is held responsible for IT security. (You may want to ask the same questions in regard to Operations Technology (OT) [i.e. energy operations] security; larger companies may have separate staffs.)
NARUC Questions: Systems and Operations
Be aware that as the questioning agency, you want to consider carefully whether answers to the below questions are needed and, if so, whether the answers to them could create vulnerabilities to the system. Modify them to your needs accordingly.
37. Is cybersecurity integrated between business systems and control systems? For the existing grid and for the smart grid?
38. Have logical and physical connections to key systems been evaluated and addressed?
39. Does the company maintain standards and expectations for downtime during the upgrade and replacement cycle?
Security Governance guidance for utilities
For CEOs and BoDs:
1. Security as risk management
2. A fully integrated security enterprise
3. Security by design
4. Business-oriented security metrics and measurement
5. Change that begins at the top
6. IBM's 10 essential security actions
A measurement movement is forming
– DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
• Metrics for utilities to use to baseline and gauge effectiveness
– DOE’s Electricity Subsector Risk Management Process (May 2012)
• Help translating cybersecurity into risk management framework
– NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update)
• Questions utilities will be asked by their state public utility commissions
– NIST’s NISTIR 7628 Assessment Guide (Aug 2012)
– NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011)
Andy Bochman
WW Energy Security Lead, IBM
bochman@us.ibm.com
Smart Grid Security Blog
ibm.com/energy
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.