Critical Infrastructure Protection Securing Electric Grid Control Systems and Assets NRECA TechAdvantage

Critical Infrastructure Protection
Securing Electric Grid Control Systems and Assets
NRECA TechAdvantage
March 6, 2014
VIASAT PROPRIETARY
The bright, shiny, clean future awaits
» Smart Grid: Renewable, Intelligent, Reliable, Efficient, Integrated, Resilient, Secure, Customer-centric, Distributed
©2013 ViaSat Inc.
Smart Grid Value Realization
The value of the Smart Grid is realized by merging data from these islands of automation to achieve a total end-to-end systems view by integrating information technology and operational technology (IT Enabled Integration):
» SCADA and Phasor Measurements
» Substation Automation
» Distribution Automation
» Smart Metering, Demand Response, Energy Conservation and Distributed Resources
Smart Grid Systems of Systems Characteristics
» An increasingly smarter electric grid is characterized by increasingly complex systems that are network-centric, real-time, cyber-physical-social systems
› Thousands of platforms, operators, users supporting millions of sensors, decision nodes, actuators and customers
› Connected through heterogeneous wired and wireless networks
› Operating in a dynamic and evolving threat environment
Adapted from: SEI Ultra-Large Systems Study
Webearth from www.ibiblio.org/.../de2007/webearth.jpg
Used with Permission from Southern California Edison
Smart Grid Layered Architecture: Common Cybersecurity is Mission Critical
» Operational capabilities are supported by applications and common services
» Services are available to devices at the edge of the network and are event driven
» Communications design allows for connectivity across multiple network domains
» Security is end-to-end and enables systems integration
» Architecture is supported by common semantic models and standards
Smart Grid Control Ecosystem: Increased Attack Surface and Vulnerability
Increasingly Complex and Interconnected across Multiple Domains (ISO to End User)
ViaSat Communications and Networking
» Founded in 1986; $1.2B Revenue; 2800 Employees
» Business areas: Consumer Internet Service Provider; High Capacity Satellite; Government and Enterprise Mobile SATCOM and Services; Communications Technologies; Information Assurance and Cyber Security
Information Assurance Heritage
» High Grade Secure Modules
» DoD/NIST Certification
» SOC Services and Technology
» Secure Networking Products
» Secure Architecture
Mission Assurance Capability
Using military grade cybersecurity to enhance resiliency: Networked Battlefield → Networked Utility Operations
CIP owners/operators facing transition that DoD started 10+ years ago
Smart Grid System of Systems (SoS) Communications
Evolution of Smart Grid SoS Architectures:
» Silos (current-state)
» ESB (typical SI approach)
» Adapter-based (DoD-style approach)
» Common standards-based (Internet-style)
Case Study
Southern California Edison
The Irvine Smart Grid Demonstration Project
Southern California Edison (SCE) is committed to safely providing reliable and affordable electricity to its customers
On an average day SCE provides power to:
» Nearly 14 million people
» 180 cities in 50,000 square miles of service area, encompassing 11 counties in central, coastal and Southern California
» Commercial, industrial and nonprofit customers, including:
› 5,000 large businesses
› 280,000 small businesses
California Climate & Energy Policies
Multi-faceted External Forces Impacting Smart Grid Architecture and Deployment
SCE Smart Grid design goals
» More – increased capabilities
› More capabilities at the edge and enterprise, pervasive automation
» Better – faster, more reliable & secure
› The electric grid is more resilient
› Dynamic control of all security elements allows the system to adapt to evolving threats
» Easier – usability (convergence, unified control, visualization, information on demand)
› Tens of millions of nodes are manageable
› Situational awareness
› Common Services allow for easier integration of new capabilities and technologies
SCE Architecture challenges
» How to ensure investments in SG technologies and systems today are able to participate in the SG architecture of tomorrow?
» How do legacy systems participate in the SG architecture?
» How do they manage the complexity of the system over time?
» How to represent an architecture trajectory that decision makers (policy makers, regulators etc.) can understand?
» How do they represent an architecture that is actionable?
» How do they relate the architecture to the emerging SG market and standards development efforts?
Irvine Smart Grid Overview
SCE will demonstrate an integrated, scalable end-to-end smart grid system (Irvine Smart Grid Demonstration)
Define Infrastructure Required for Smart Grid Functions and Strategy for Organizing Deployment
SCE’s Smart Grid consists of both functions and infrastructure required to deliver functions. Cybersecurity is the overarching capability that enables all domains to function and interact. The Strategy section describes required infrastructure for each function and guidelines for deployment.
» SG Functions: DER Integration; Wide Area Awareness & Control; Load Control; Dynamic Pricing; Cust. Information Provision; PEV Readiness; Advanced Volt/VAR Control; Automated Customer Service; Adv. Transmission Protection; Dynamic Asset Management; Bulk Renewable Integration; Advanced Outage Management; Dynamic Asset Optimization
» Management & Control Systems (with Cyber Security): C-RAS Central Controller; Wide-Area Control System; Wide-Area Situational Awareness System; Energy Management System; Geographical Information Systems; Outage Management System; Distribution Management System; Advanced Load Control System; Energy Service Provider Interface; Customer Information Systems; AMI Back Office Systems; SCE.com
» Communications Networks (with Cyber Security): Inter-Utility Network; High-Speed Backbone; Substation LAN; Premise-Area Networks; Field Area Network; High Speed Protection Communications; AMI Network
» Field Devices (with Cyber Security): FACTS Devices; Advanced Robotics; Energy Storage; Phasor Measurement Units; Smart Inverters; Online Transformer Monitors; Advanced Relays; Workforce Computing Devices; Advanced Switching Devices; Smart Distribution Transformers; Advanced Volt/VAR Devices; Customer Premise Devices; PEV Metrology; Smart Meters
Example: Wide Area Situational Awareness & Control
Definition: Real-time monitoring and automated control of transmission system conditions, including voltage, current, frequency, and phase angle through use of visualization and intelligent alarming tools.
Energy Policies: AB 32; 33% RPS; Once-Thru Cooling; DG Incentives; PEV Adoption; 500 MW Solar Prog.; DR Goals; ZNE Buildings; SG OIR Information
SB 17 Characteristics: Self-Healing; Resist Attack; DG & Storage; Efficiency; Empower Customers; Power Quality & Reduced Outages; Enable Markets; Enable Intermittency
Policy Drivers: AB 32, 20% RPS by 2010, 33% RPS by 2020; Once Through Cooling
Implementation Challenges:
» Interconnection of renewables across western grid and retirement of coastal plants creates need for enhanced real-time information about transmission system conditions
» Intermittent renewable generation creates sub-second fluctuations in transmission system power, voltage, and frequency
SB 17 Characteristics Achieved: Power quality/reduced outages; Enable intermittency
Example: Wide Area Situational Awareness & Control (infrastructure mapping)
Deployment-Ready Infrastructure: PMUs; High Speed Backbone Communications; Back office systems to process >30 data points/second; Automated Control Systems
Possible Future Deployments: Market Integration
What is CCS?
» CCS is a real-time cyber-security monitoring, detection and response platform that provides complete network visualisation. By using sensors and traffic flow analysis it can identify and respond to suspicious and anomalous behaviour on operational control systems.
Cybersecurity System Capabilities
Capability areas: Authentication; Authorization; Accounting; Integrity; Peer to Peer Quality-of-Trust; Dynamic Scalable; GUI
» Role and Group Based Access Control (RBAC)
» Security Information and Event Management (SIEM)
» Authenticated communication
» Defense in Depth
» Trusted Boot, Trusted Network Connect
» Device Bill-of-Health
» Continuous device to device trust monitoring
» Cyber & Physical alerts, device health, operator actions
» Integrated Operational Public Key Infrastructure (PKI), Identity Management
» Central operations security visualization GUI accessed via web browser
» Multi-Tier Security Operations Capability
» Large scale System Planning and Test Capabilities
Dissemination restricted as described on cover page.
TRUST IS EVERYTHING
Without TRUST you cannot achieve your operational and business objectives
QUALITY OF TRUST gives you a metric to determine the health of your operational networks and systems and be CONFIDENT about their interaction
Determining QoT
Quality of Trust is built from three inputs:
» Identity – Establishes that a device is what it’s meant to be: the device has been authenticated and has joined the “fabric” of CCS enabled devices
» Status – Devices are monitoring each other’s behaviour and reporting on those that they are physically and/or logically connected to
» Bill of Health – A device reporting about itself based on a defined list of characteristics/attributes
Conceptual Operation
» Proxy – CCS-Enabled Gateway
» Bump-In-The-Wire
» Bump-In-The-Stack Security
Common Cybersecurity Service Concepts
Security Policy Enforcement & Status based on device and function
» Each device (A, B, C) carries its own Policies
» Per-device trust elements: ID / CERTIFICATE; HEARTBEAT; INTEGRITY; BoH; QUALITY of TRUST (QoT)
» Status: Trusted; Questionable; Untrusted; Unknown
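To make the QoT determination and policy-enforcement slides concrete, here is an added example (not ViaSat's CCS code): a small model that folds identity, status and bill of health into the four status values and gates device functions on that status. The heartbeat threshold, required Bill of Health attributes, peer-majority rule and policy table are assumptions constructed for the example.

```python
from dataclasses import dataclass

TRUSTED, QUESTIONABLE, UNTRUSTED, UNKNOWN = "Trusted", "Questionable", "Untrusted", "Unknown"
# Attributes a healthy device is expected to report in its Bill of Health (constructed list).
REQUIRED_BOH = {"firmware": "2.1", "config_signed": True, "clock_synced": True}
HEARTBEAT_MAX_S = 30.0  # assumed: a heartbeat older than this is stale

@dataclass
class Device:
    name: str
    cert_valid: bool         # ID / CERTIFICATE: authenticated into the CCS fabric
    heartbeat_age_s: float   # seconds since the last HEARTBEAT was seen
    integrity_ok: bool       # INTEGRITY: trusted-boot measurement matched the known-good value
    boh: dict                # Bill of Health: what the device reports about itself
    peer_reports: list       # Status: (reporter, behaviour_ok) from connected peers

def quality_of_trust(d: Device) -> str:
    """Fold identity, status and bill of health into one of the four QoT states."""
    if not d.cert_valid:
        return UNTRUSTED                # never joined the fabric
    stale = d.heartbeat_age_s > HEARTBEAT_MAX_S
    if stale and not d.peer_reports:
        return UNKNOWN                  # silent and no peer can vouch for it
    if not d.integrity_ok:
        return UNTRUSTED                # boot/firmware measurement failed
    boh_gaps = [k for k, v in REQUIRED_BOH.items() if d.boh.get(k) != v]
    bad_peers = [r for r, ok in d.peer_reports if not ok]
    if d.peer_reports and len(bad_peers) * 2 > len(d.peer_reports):
        return UNTRUSTED                # majority of peers flag anomalous behaviour
    if boh_gaps or bad_peers or stale:
        return QUESTIONABLE             # degraded: restrict, alert and investigate
    return TRUSTED

# Policy enforcement: functions a device may exercise at each status (constructed policy).
POLICY = {TRUSTED: {"control", "telemetry"}, QUESTIONABLE: {"telemetry"}, UNTRUSTED: set(), UNKNOWN: set()}

def enforce(d: Device) -> tuple:
    """Return (status, allowed functions) for one device under POLICY."""
    status = quality_of_trust(d)
    return status, POLICY[status]

# Constructed fabric of three devices, mirroring the A/B/C concept slide.
FABRIC = [
    Device("A", True, 5.0, True, dict(REQUIRED_BOH), [("B", True), ("C", True)]),
    Device("B", True, 8.0, True, {**REQUIRED_BOH, "firmware": "1.9"}, [("A", True)]),
    Device("C", True, 120.0, True, dict(REQUIRED_BOH), []),
]

def fabric_status() -> dict:
    """Status and allowed functions for every device in the fabric."""
    return {d.name: enforce(d) for d in FABRIC}
```

Device B is held at Questionable (telemetry only) because its Bill of Health reports out-of-policy firmware, while C, silent with nobody reporting on it, is Unknown and gets nothing.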
Common Cybersecurity Service Highlights
» The most advanced security system in the energy sector
› Next generation utility technologies
› DoD technology transfer
› Best practices from many sectors
› Modern SOA style architecture
» The most compliant security system
› NERC CIP Version X
› All Federal Processing Standards (DHS, FIPS)
› NIST Compliant (NISTIR, SP)
» The most scalable and dynamic security system
› Supports all Grid Applications
› Supports current and next generation networking (MPLS)
› Supports all major protocols used on the Grid
› Modular Construction
CCS Highlights
» Easily integrated into existing environment
› Supports existing control and IT investments (Directory Services, Enterprise PKI)
› 8 inflight advanced programs are relying on new services (e.g. ISGD, Phasor Measurement, SA3, C-RAS, etc.)
› Supports gradual evolution to full compliance over time
» Ease of use
› AMI Security uses command line and requires vendor support
› CCS has next generation web based graphical user interface
› Enables a powerful and unified security operations center
» IEC has committed to align with CCS principles
› Hosted IEC TC 57 Security Meetings
› New Part to FERC reviewed/recommended 62351
CCS Concepts:
Advanced Visualization & Wide Area Situational Awareness (WASA)
Questions?
Brett Luedde
[email protected]
+1-760-893-3749