
The outbreak of Smart Grid Cyber-Security: The Modern Campfire Story

NOT FOR PUBLIC DISTRIBUTION


Salam Bani-Ahmed, PhD
Eaton Corporation
Outline

Overview and Definitions.
The Path from philosophy to science to corporeality.
Cyber-physical perspective (Requirements and developments).
Where to go (resources, targets), and how to go (backgrounds, starting point).
Conclusions.

Objectives of this tutorial
Answer the three questions (security story):
1. What is the right time to begin anything?
2. Who are the right people to listen to?
3. What is the most important thing to be doing at any given
time?
Provide an introductory perspective for personnel interested in joining the battle.
Learn who should be working on finding a solution, and how.

Smart Grid Related Definitions
Architecture: The organizational structure of a system or component, relationships, and the principles and guidelines governing the design and evolution over time.
Reference model: A collection of concepts and their relationships that cover a subject, facilitate the partitioning of the relationships into topics relevant to the overall subject, and can be expressed by a common means of description.
Energy Management System (EMS): A system of tools used to monitor, control, and optimize the generation, delivery, and/or consumption of energy.
Data flow: Application-level communications from a producer of data to a consumer of data.
Interoperability: The capability of two or more networks, systems, devices, applications, or components to externally exchange and readily use information securely and effectively (vendor-independent).
Smart Grid Cyber-Security: A combination of processes to be accomplished to achieve a secure system. The goal is to make it harder for the attacker to succeed in attacking the system.

Extra Definitions
Smart Grid Cyber-Security Engineer: A team of
• Power Systems Engineers
• Control Systems Engineers
• Computer Scientists
• Cyber-Security Engineers
• Industrial Controls Specialists
• Penetration Testers

OR

Interdisciplinary approach with knowledge of the previous disciplines.

Smart Grid philosophy: The continuous process of providing verbal description of the physical and economic impact of security attacks on power systems applications, and admiring how hackers are really tricky and intelligent. The philosophy includes reviewing incidents of cyber attacks and trying to extract lessons from these incidents, and stresses the necessity for more manpower to get involved in finding solutions to this campfire story.

When to start? 2016 Incidents Reported

One study estimating that simultaneous malware attacks on 50 generators in the Northeast of the United States suggests this could cut power to as many as 93 million people, resulting in at least US$243bn – US$1trn in economic damage and US$21bn to US$71bn in insurance claims.

[Pie chart: 2016 incidents reported by sector (Energy, Critical Manufacturing, Communications, Water, Government, Healthcare, Transportation, IT, Financial Services, Defense Industrial Base, Emerging Technologies, Chemical, Commercial Facilities, Nuclear Reactors, Materials, and Waste, Food and Agriculture, Unknown)]

Source: Lloyds, 2015: Business Blackout: The insurance implications of a cyber attack on the US power grid

Moving from philosophy

Things to keep in mind on Critical Infrastructure:
– Operation Technology (OT) systems must be able to survive a cyber incident while sustaining critical functions. Real-time operations are imperative; latency is unacceptable.
– Power systems must operate 24/7 with high reliability and availability; no down time for patching/upgrades.
– Some OT components do not have enough computing resources to support additional cybersecurity capabilities needed for the energy OT environment.
– Energy OT components are widely dispersed and located in publicly accessible areas where they are subject to physical tampering.
Things to keep in mind on SG Cyber-Security:
– Hackers’ only skill that we don’t have is PATIENCE.
– Lessons learned are not applicable if the system is different in operation.

IEEE 2030-2011

First Resort: NERC CIP
NERC-CIP | Description
CIP-002 Critical Cyber Asset Identification | Network administrator or a responsible entity needs to run a network scanner such as AVDS to identify critical cyber assets.
CIP-003 Security Management Controls | Power system operators must create security policies to protect all critical cyber assets. AVDS Policy management tools help operators to develop their standards.
CIP-007 Systems Security Management | Define the methods, processes, and procedures for securing Cyber Assets within the Electronic Security Perimeters (ESP); including how and when vulnerability assessment is to be done with tools like AVDS.

Juggling variables

Questions to ask:
1. What am I protecting?
2. How complex is my network?
3. Communication paths, protocols?
4. Critical assets/Equipment?
5. How to test my solution?
6. Answer to All: Big ‘O’ Rule ???

[Diagram: Communications, Assets, Operation, Testing, Equipment, Network]

Impacted sub-systems
• Legacy:
  – Modbus (no security).
  – DNP3 (security considered).
• Next Generation:
  – IEC 61850 (defined security).
• Other: CAN, BACnet, Zigbee, etc.

Source: IEEE Smart Grid Website
https://smartgrid.ieee.org/

The Big ‘O’
Get to know your system. Big ‘O’ stands for Operation.

Source: Foundational Support Systems of the Smart Grid: State of the art and Future Trends
http://www.ijsmartgrid.org/index.php/ijSmartGrid/article/view/30

Securing Control Systems

Source: ICS-CERT Website: https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

Securing Control Systems

Air-Gapping?

[Diagram: Information Technology vs. Operation Technology]

Source: ICS-CERT CSET 8.1

Air-gapped systems: Primary Defense Solution?
Theoretically secure “air-gapped” utility networks.
Some vendors still may not be aware that their systems have been compromised.
Future plan? What if the system is planned to connect to remote systems?
Attackers’ starting point: Wherever you think you’re safe.
No connectivity? What’s the point!

Who should I talk to first?
Utility folks?
Vendors? Software or Hardware?
Academic Institutions?
Mr. White Hat

Security Process
• Risk assessment: An assessment is used to determine the value of the information assets of an organization, the threats they are exposed to and vulnerabilities they offer, and the importance of the overall risk to the organization. The assessment is accomplished by following the risk management approach.
• Policy: Policy defines how security should be implemented. Policy defines the proper mechanisms to use to protect information and systems as well as physical security. It includes several aspects such as technical capabilities, best practices, preventative measures, employees, incident response, administration, and management.
• Deployment: Security policies, standards, and measures, to be effective, should be implemented by an organization practicing due care and due diligence.
• Training: Awareness training is the mechanism to provide necessary information to employees and system operators.
• Audit: This function improves the probability that controls are configured and monitored correctly with regard to policy. Functions include policy adherence audits, periodic and new assessments, and penetration testing.

Security Design Algorithm

[Diagram: Physical System → Cyber System Layer → Security Design; dimensions Operation, Connectivity, Security, Performance; Big ‘O’ Testing, Testing, then More Testing]


Backdoors and holes in network perimeter.
Vulnerabilities in common protocols.
Attacks on field devices.
Database attacks.
Communications hijacking and ‘man-in-the-middle’ attacks.
Spoofing attacks.
Attacks on privileged and/or shared accounts.

Cyber Security Design Approach
[Diagram of design elements:]
• Define data flow, intrusion detection mechanisms.
• Systems connected to corporate networks are more vulnerable.
• Employee Awareness.
• Network Hardening.
• Historian security is separate from operation.
• Offline security analysis (continuous).

Remark: No Solution Fits All. Distributed control devices may be an inverter, communication module, controller, etc.
Intrusion detection systems may refer to the IT and ICT perspective. OT is a given. Available pen-testing tools are not satisfactory. Should involve the big “O”.
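As an added illustration of two points from this deck (Modbus carries no security of its own, and intrusion detection should involve the big “O”), the following Python is not part of the tutorial: it parses Modbus/TCP frames and flags write requests that do not match an operational allow-list. The master address 10.0.1.5, unit id 1, the register range and the sample frames are all constructed for the example.

```python
import struct
from typing import NamedTuple, Optional

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    address: int  # first coil/register address, -1 if the PDU carries none

def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header plus the PDU that follows.
    The header holds only transaction id, protocol id, length and unit id;
    there is no authentication or integrity field, so any host that can reach
    the slave can issue a write. Returns None for malformed frames."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    data = frame[8:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else -1
    return ModbusRequest(tid, unit, frame[7], address)

# Operational allow-list (constructed for this example): which master may write
# which addresses on which unit. This is the "big O" knowledge the IDS needs.
ALLOWED_WRITES = {
    ("10.0.1.5", 1): range(0, 16),  # SCADA master -> setpoints 0..15 on unit 1
}

def classify(src_ip: str, frame: bytes) -> str:
    """Return 'read', 'write-allowed', 'ALERT unexpected write' or 'malformed'."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return "malformed"
    if req.function not in WRITE_FUNCTIONS:
        return "read"
    allowed = ALLOWED_WRITES.get((src_ip, req.unit_id))
    if allowed is not None and req.address in allowed:
        return "write-allowed"
    return "ALERT unexpected write"

if __name__ == "__main__":
    # Constructed frames: a read, an allowed write, the same write from an unknown host.
    for src, hexframe in [("10.0.1.5", "000100000006010300000002"),
                          ("10.0.1.5", "000200000006010600050064"),
                          ("10.0.9.9", "000200000006010600050064")]:
        print(src, classify(src, bytes.fromhex(hexframe)))
```

The allow-list must be derived from how the plant actually operates (which masters write which setpoints), which is exactly the operational knowledge a generic IT-side IDS lacks.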

Resources (Learning)
IEEE Smart Grid resource center
http://resourcecenter.smartgrid.ieee.org/
• Cybersecurity for the Smart Grid: Challenges and R&D Directions
• IEEE Standards Enable a Reliable, Secure, Interoperable Smart Grid
• The Role of Control Systems Research in Smart Grids
• Cyber-Physical Security Analysis for Transactive Energy Systems
• Ethical Hacking in the Electric Grid

Resources (Learning)
Industrial Control Systems Cyber Emergency Response
https://ics-cert.us-cert.gov/
Virtual Learning Portal:
• Operational Security (OPSEC) for Control Systems (100W) - 1 hour
• Differences in Deployments of ICS (210W-1) – 1.5 hours
• Influence of Common IT Components on ICS (210W-2) – 1.5 hours
• Common ICS Components (210W-3) – 1.5 hours
• Cybersecurity within IT & ICS Domains (210W-4) – 1.5 hours
• Cybersecurity Risk (210W-5) – 1.5 hours
• Current Trends (Threat) (210W-6) – 1.5 hours
• Current Trends (Vulnerabilities) (210W-7) – 1.5 hours
• Determining the Impacts of a Cybersecurity Incident (210W-8) – 1.5 hours
• Attack Methodologies in IT & ICS (210W-9) – 1.5 hours
• Mapping IT Defense-in-Depth Security Solutions to ICS (210W-10) – 1.5 hours

National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems (Risk assessment).

Resources
IEEE Smart Grid Whitepapers:
IEEE Smart Grid Survey Structure of Emerging Technologies
Building Code For Power System Software Security
The Role of Control Systems Research in Smart Grids

The Power System Communications and Cybersecurity (PSCC) Technical Committee Website
http://sites.ieee.org/pes-pscc/

IEC TS 62351-6: Power systems management and associated information exchange - Data and communications security - Part 6: Security for IEC 61850

Cyber Resilient SG
Problem: What if my system got attacked, successfully!
Dilemma: Do not assume a secure system; no safety is guaranteed.
Solution: Resilient system.

Incident management → Requires operational knowledge.
Apply SOA protection techniques.
Not a one-man job.
A topic for a future tutorial.

Conclusions
Cyber-security concerns are not a new campfire story to scare everyone, and not old enough to feel safe.
There is no “one size fits all” in smart grid cyber-security solutions.
Interoperability is a bottleneck, and a temporary security relief.
The big “O” is essential in security system design.
Note: If you have an interest in a specific sub-topic, please let us know.

Thanks!

IEEE Smart Grid Resources
IEEE Smart Grid Portal – provides access to the latest eNewsletter, interviews, announcements for webinars and tutorials
– https://smartgrid.ieee.org/
Resource Center – On-Demand Content, including education credits
– resourcecenter.smartgrid.ieee.org
Join the IEEE Smart Grid community:
– https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSG735

QUESTIONS?
Today’s tutorial will be available on the IEEE Smart Grid Resource Center along with the CEU: resourcecenter.smartgrid.ieee.org



Please join us for our future Tutorials!

Please visit smartgrid.ieee.org to register!

To view previously recorded tutorials & CEUs, please visit the IEEE Smart Grid Resource Center at resourcecenter.smartgrid.ieee.org



IEEE Smart Grid Social Media

LIKE: facebook.com/IEEESmartGrid

JOIN: https://www.linkedin.com/groups/3188262

FOLLOW: twitter.com/ieeesmartgrid

COLLABORATE:
ieee-collabratec.ieee.org/app/community/88/activities

EXPLORE: flip.it/Tk5PH

CHANNEL: t.me/IEEESmartGrid
