Cyber Threats/Security and System Security of Power Sector Workshop on Crisis - PowerPoint PPT Presentation

Cyber Threats/Security and System Security of Power Sector Workshop on Crisis & Disaster Management of Power Sector P.K.Agarwal, AGM Power System Operation Corporation – PowerPoint PPT presentation

1
Cyber Threats/Security and System Security of
Power Sector
Workshop on Crisis & Disaster
Management of Power Sector
  • P.K.Agarwal, AGM
  • Power System Operation Corporation
  • pk.agarwal_at_posoco.in

2
Security
3
Security Acronyms
  • Threat
  • Cyber Space
  • Cyber Threat
  • Security
  • Vulnerability
  • Risk
  • Risk Management
  • Vulnerabilities
  • Security vs Cyber Security
  • Information Security vs System Security
  • Defense-in-depth

4
What is Security
CIA Triad
  • Confidentiality: unauthorised access to information
  • Integrity: unauthorised modification or theft of information
  • Availability: denial of service or prevention of authorised
    access
E-Commerce
  • Authentication: the individual is who he claims to be.
  • Non-Repudiation (accountability): denial of an action that took
    place, or claim of an action that did not take place
5
Security concerns for power sector
6
Concerns
  • The current power grid depends on a complex network of
    computers, software and communication
    technologies.
  • If compromised, these have the potential to cause
    great damage.
  • A cyber attack is unique in nature in that it
    can be:
      • launched through a public network
      • launched from a remote location
      • launched from anywhere in the world
      • coordinated to attack many locations

7
More Concerns
  • The legacy communication methods used for grid
    operations also provide potential cyber attack
    paths.
  • Many cyber vulnerabilities in Supervisory Control
    and Data Acquisition (SCADA) systems have
    surfaced.
  • The level of automation in substations is
    increasing, which can lead to more cyber security
    issues.
  • Recent studies have shown that the deployed
    components have significant cyber
    vulnerabilities.

8
Still More Concerns
  • With the increasing use of standard and open systems,
    Security by Obscurity is no longer valid.
  • Efforts of the energy sector to uncover system
    vulnerabilities and develop effective
    countermeasures have prevented serious damage
    to the electric supply chain.
  • Some of these vulnerabilities are in the process
    of being mitigated.
  • However, attacks on energy control systems have
    been successful in many cases.

9
What is Security? Some Key Concepts
  1. For power systems, keeping the lights on is the
    primary focus. Therefore the key security
    requirements are Availability and Integrity, not
    Confidentiality (AIC, not CIA)
  2. Encryption, by itself, does not provide security.
  3. Security threats can be deliberate attacks OR
    inadvertent mistakes, failures, and natural
    disasters.
  4. The most dangerous attacker is a disgruntled
    employee who knows exactly where the weaknesses
    are the easiest to breach and could cause the
    worst damage.
  5. Security solutions must be end-to-end to avoid
    man-in-the-middle attacks or failed equipment
    from causing denial of service
  6. Security solutions must be layered, so that if
    one layer is breached, the next will be there.
    Security is only as strong as its weakest link.
  7. Security will ALWAYS be breached at some time;
    there is no perfect security solution. Security
    must always be planned around that eventuality.
  8. Security measures must balance the cost of
    security against the potential impact of a
    security breach

10
Cyber Security in Power System
11
To maintain power system reliability, need to
manage both the Power System Infrastructure and
its supporting Information Infrastructure
[Figure labels: 1. Power System Infrastructure; Photovoltaic systems]
12
Traditional Security Measures Cannot Meet All
Power System Security Requirements
  • Two key security issues for utilities are power
    system reliability and legacy equipment
  • Power systems must continue to operate as
    reliably as possible even during a security
    attack.
  • It is financially and logistically impractical to
    replace older power system equipment just to add
    security measures.
  • Layered security is critical not only to prevent
    security attacks, but also to detect actual
    security breaches, to survive during a security
    attack, and to log all events associated with the
    attack.
  • Most traditional IT security measures, although
    able to prevent and/or detect security attacks,
    cannot directly help power systems to continue
    operating.
  • For legacy systems and for non-critical,
    compute-constrained equipment, compensating
    methods may need to be used in place of these
    traditional IT security measures.

13
Use of Power System SCADA and Energy Management
Systems for Certain Security Solutions
  • One method for addressing these problems is to
    use existing power system management technologies
    as a valid and very powerful method of security
    management, particularly for detecting, coping
    with, and logging security events.
  • Add sensors, intelligent controllers, and
    intrusion-detection devices on critical
    equipment
  • Utilize and expand existing SCADA systems to
    monitor these additional security-related devices
  • Expand the SCADA system to monitor judiciously
    selected power system information from AMI
    systems.
  • Expand Power Flow analysis functions to assess
    anomalous power system behaviors such as
    unexpected shifts of load and generation
    patterns, and abnormal power flow contingency
    analysis results to identify unexpected
    situations.
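
A minimal sketch of the last bullet, added here as an illustration and not taken from the presentation: it scans SCADA totals for unexpected load or generation shifts and for a generation/load mismatch, and returns events that can be logged. It uses a robust z-score over a trailing window as a simplified stand-in for a real power flow analysis; the function names, thresholds, loss band and telemetry values are all assumptions constructed for this example.

```python
from statistics import median

# Constructed telemetry: (timestamp, total generation MW, total load MW).
SAMPLES = [
    ("00:00", 1000, 960), ("00:05", 1004, 964), ("00:10", 998, 958),
    ("00:15", 1006, 965), ("00:20", 1002, 962), ("00:25", 996, 957),
    ("00:30", 1001, 961),
    ("00:35", 1003, 820),   # load reading drops, generation does not follow
    ("00:40", 1000, 961),
    ("00:45", 1120, 1075),  # generation and load step up together
]

def robust_z(value, history):
    """Distance of value from the median of history, in scaled MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1e-9  # guard against MAD == 0
    return 0.6745 * (value - med) / mad

def scan(samples, window=6, z_limit=6.0, loss_band=(0.01, 0.08)):
    """Return (timestamp, event, value) tuples for anomalous samples.

    window, z_limit and loss_band are assumed tuning values, not utility data.
    """
    events = []
    for i, (ts, gen, load) in enumerate(samples):
        # Check 1: generation minus load should equal plausible network losses.
        loss = (gen - load) / gen if gen else 0.0
        if not loss_band[0] <= loss <= loss_band[1]:
            events.append((ts, "BALANCE_MISMATCH", round(loss, 3)))
        # Check 2: sudden shift against the trailing window. Median and MAD
        # keep one earlier outlier from masking the next one.
        if i >= window:
            for name, col in (("GEN", 1), ("LOAD", 2)):
                history = [s[col] for s in samples[i - window:i]]
                z = robust_z(samples[i][col], history)
                if abs(z) > z_limit:
                    events.append((ts, name + "_SHIFT", round(z, 1)))
    return events

if __name__ == "__main__":
    for event in scan(SAMPLES):
        print(event)
```

The 00:45 sample passes the balance check because both totals move together, so only the shift check catches it; the two checks cover different failure modes.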

14
Challenges and Strategies.
15
Challenges
16
Barriers
  • Cyber threats are unpredictable and evolve faster
    than the sector's ability to develop and deploy
    countermeasures
  • Security upgrades to legacy systems are limited
    by inherent limitations of the equipment and
    architectures
  • Threat, vulnerability, incident, and mitigation
    information sharing is insufficient among
    government and industry
  • Weak business case for cyber security investment
    by industry
  • Regulatory uncertainty in energy sector cyber
    security

17
Strategies
  • Build a culture of security.
  • Assess and Monitor Risks.
  • Develop and Implement New Protective Measures to
    reduce Risks.
  • Manage Incidents.
  • Sustain Security Improvements.
  • Use of emerging new security technologies like
    data-diode.

18
Adoption of Security Standards and Framework
  • ISO/IEC 27001 - Information Security
    Management System.
  • NERC-CIP Standards - Critical Infrastructure
    Protection Standard.
  • NIST IR 7628 - Guidelines for Smart Grid
    Cyber Security.
  • IEC 62351 Series - Security Standards.

19
Road Map for Cyber Security of Grid
  • An Information Security Management System has been
    adopted by every regional load dispatch center (RLDC).
  • Each RLDC has been certified by an International
    Certifying Body (BSI) for ISO 27001:2005.
  • SCADA system upgradation is being done with:
      • Adoption of Secure ICCP.
      • Secure connection between SCADA network and
        Enterprise network for cyber security.
      • Use of air-gap technology like data-diode at
        interfacing point between secure and non-secure
        network.

20
Points to Ponder
  • There is nothing like absolute security
  • Every requirement is unique and every solution is
    unique.
  • Security comes at a cost and needs optimization.
  • Secure real-time information is a key factor to
    reliable delivery of power to the end-users.
  • Commoditization of electricity means increased
    players, increased exchange of power, and increased
    requirement of security solutions.
  • Emerging technology like data-diode is an
    exciting technology for ensuring cyber security
    of critical infrastructure.

21
Thank you