Critical Infrastructure Protection Securing Electric Grid Control Systems and Assets NRECA TechAdvantage
Critical Infrastructure Protection Securing Electric Grid Control Systems and Assets NRECA TechAdvantage March 6, 2014 VIASAT PROPRIETARY The bright, shiny, clean future awaits Renewable Intelligent Reliable Efficient Integrated Smart Grid Resilient Secure Customer-centric Distributed VIASAT PROPRIETARY 2 ©2013 ViaSat Inc. Smart Grid Value Realization The value of the Smart Grid is realized by merging data from these islands of automation to achieve a total end-to-end systems view by integrating information technology and operational technology IT Enabled Integration SCADA and Phasor Measurements Substation Automation Distribution Automation Smart Metering, Demand Response, Energy Conservation and Distributed Resources VIASAT PROPRIETARY 3 ©2013 ViaSat Inc. Smart Grid Systems of Systems Characteristics » An increasingly smarter electric grid is characterized by increasingly complex systems that are networkcentric, real-time, cyberphysical-social systems › Thousands of platforms, operators, users supporting millions of sensors, decision nodes, actuators and customers › Connected through heterogeneous wired and wireless networks › Operating in a dynamic and evolving threat environment Adapted from: SEI Ultra-Large Systems Study VIASAT PROPRIETARY 4 Webearth from www.ibiblio.org/.../de2007/webearth.jpg ©2013 ViaSat Inc. Used with Permission from Southern California Edison Smart Grid Layered Architecture: Common Cybersecurity is Mission Critical » Operational capabilities are supported by applications and common services » Services are available to devices at the edge of the network and are event driven » Communications design allows for connectivity across multiple network domains » Security is end-to-end and enables systems integration » Architecture is supported by common semantic models and standards VIASAT PROPRIETARY 5 ©2013 ViaSat, Inc. Smart Grid Control Ecosystem: Increased Attack Surface and Vulnerability Increasingly Complex and Interconnected across Multiple Domains (ISO to End User) VIASAT PROPRIETARY 6 ViaSat Communications and Networking Consumer Internet Service Provider High Capacity Satellite Founded in 1986 $1.2B Revenue Government and Enterprise Mobile SATCOM and Services 2800 Employees Communications Technologies VIASAT PROPRIETARY 7 Information Assurance and Cyber Security ©2013 ViaSat, Inc. Information Assurance Heritage High Grade Secure Modules DoD/NIST Certification SOC Services and Technology VIASAT PROPRIETARY 8 Secure Networking Products Secure Architecture Mission Assurance Capability Using military grade cybersecurity to enhance resiliency Networked Battlefield Networked Utility Operations CIP owners/operators facing transition that DoD started 10+ years ago VIASAT PROPRIETARY 9 ©2013 ViaSat, Inc. Smart Grid System of Systems (SoS) Communications Evolution of Smart Grid SoS Architectures Silos ESB Current-state VIASAT PROPRIETARY Typical SI Approach 10 Adapter-based DoD-style approach ©2013 ViaSat Inc. Used with Permission from Southern California Edison Common Standards –based Internet-style Case Study Southern California Edison The Irvine Smart Grid Demonstration Project VIASAT PROPRIETARY Southern California Edison (SCE) is committed to safely providing reliable and affordable electricity to its customers On an average day SCE provides power to: » Nearly 14 million people » 180 cities in 50,000 square miles of service area, encompassing 11 counties in central, coastal and Southern California » Commercial industrial and nonprofit customers, including: VIASAT PROPRIETARY 12 › 5,000 large businesses › 280,000 small businesses ©2013 ViaSat Inc. Used with Permission from Southern California Edison California Climate & Energy Policies Multi-faceted External Forces Impacting Smart Grid Architecture and Deployment VIASAT PROPRIETARY 13 ©2013 ViaSat Inc. Used with Permission from Southern California Edison SCE Smart grid design goals » More – increased capabilities › More capabilities at the edge and enterprise, pervasive automation » Better – faster, more reliable & secure › The electric grid is more resilient › Dynamic control of all security elements allows the system to adapt to evolving threats » Easier – usability (convergence, unified control, visualization, information on demand) › Tens of Millions of nodes are manageable › Situational awareness › Common Services allow for easier integration of new capabilities and technologies VIASAT PROPRIETARY 14 SCE Architecture challenges » How to ensure investments in SG technologies and systems today are able to participate in the SG architecture of tomorrow? » How do legacy systems participate in the SG architecture? » How do they manage the complexity of the system over time? » How to represent an architecture trajectory that decision makers (policy makers, regulators etc.) can understand? » How do they represent an architecture that is actionable? » How do they relate the architecture to the emerging SG market and standards development efforts? VIASAT PROPRIETARY 15 Irvine Smart Grid Overview SCE will demonstrate an integrated, scalable end-to-end smart grid system (Irvine Smart Grid Demonstration) VIASAT PROPRIETARY 16 ©2013 ViaSat Inc. Used with Permission from Southern California Edison Define Infrastructure Required for Smart Grid Functions and Strategy for Organizing Deployment SCE’s Smart Grid SG Functions Management & Control Systems Cyber Security DER Integration Wide Area Awareness&Control C-RAS Central Controller Wide-Area Control System Wide-Area Situational Awareness System Energy Management System Geographical Information Systems Outage Management System Distribution Management System Advanced Load Control System Energy Service Provider Interface Customer Information Systems AMI Back Office Systems SCE.com Load Control Cybersecurity is the overarching capability that enables all domains to function and interact Dynamic Pricing Cust. Information Provision Communications Networks PEV Readiness Cyber Security Advanced Vot/VAR Control Inter-Utility Network Automated Customer Service High-Speed Backbone Substation LAN Premise-Area Networks Field Area Network Adv. Transmission Protection High Speed Protection Communications AMI Network Field Devices Cyber Security Dynamic Asset Management FACTS Devices Bulk Renewable Integration Advanced Outage Management Dynamic Asset Optimization VIASAT PROPRIETARY SCE’s Smart Grid consists of both functions and infrastructure required to deliver functions 17 Advanced Robotics Energy Storage Phasor Measurement Units Smart Inverters Online Transformer Monitors Advanced Relays Workforce Computing Devices Advanced Switching Devices Smart Distribution Transformers Advanced Volt/VAR Devices Customer Premise Devices PEV Metrology Smart Meters Strategy section describes required infrastructure for each function and guidelines for deployment ©2013 ViaSat Inc. Used with Permission from Southern California Edison Example: Wide Area Situational Awareness & Control Energy Policies AB 32 33% RPS SG Functions Definition: DER Integration Real-time monitoring and automated control of transmission system conditions, including voltage, current, frequency, and phase angle through use of visualization and intelligent alarming tools. Once-Thru Cooling Wide Area Awareness&Control DG Incentives Load Control PEV Adoption Dynamic Pricing 500 MW Solar Prog. Cust. Information Provision DR Goals ZNE Buildings PEV Readiness SG OIR Information Advanced Vot/VAR Control SB 17 Automated Customer Service Self-Healing Adv. Transmission Protection Resist Attack DG & Storage Efficiency Dynamic Asset Management Empower Customers Bulk Renewable Integration Power Quality & Reduced Outages Advanced Outage Management Enable Markets Dynamic Asset Optimization Enable Intermittency VIASAT PROPRIETARY 18 Policy Drivers: AB 32, 20% RPS by 2010, 33% RPS by 2020 Once Through Cooling Implementation Challenges: Interconnection of renewables across western grid and retirement of coastal plants creates need for enhanced real-time information about transmission system conditions Intermittent renewable generation creates sub-second fluctuations in transmission system power, voltage, and frequency SB 17 Characteristics Achieved: Power quality/reduced outages Enable intermittency ©2013 ViaSat Inc. Used with Permission from Southern California Edison Example: Wide Area Situational Awareness & Control SG Functions Management & Control Systems DER Integration Cyber Security Wide Area Awareness&Control Load Control Dynamic Pricing Cust. Information Provision C-RAS Central Controller Wide-Area Control System Wide-Area Situational Awareness System Energy Management System Geographical Information Systems Outage Management System • Distribution Management System Advanced Load Control System Energy Service Provider Interface • Customer Information Systems AMI Back Office Systems SCE.com • PEV Readiness Communications Networks Advanced Vot/VAR Control Substation LAN PMUs High Speed Backbone Communications Back office systems to process >30 data points/second Cyber Security Inter-Utility Network Premise-Area Networks Field Area Network Automated Customer Service High-Speed Backbone Adv. Transmission Protection High Speed Protection Communications AMI Network Field Devices Dynamic Asset Management Possible Future Deployments: Cyber Security Bulk Renewable Integration Advanced Outage Management Dynamic Asset Optimization Market Integration VIASAT PROPRIETARY Deployment-Ready Infrastructure: 19 FACTS Devices Advanced Robotics Energy Storage Phasor Measurement Units Smart Inverters Online Transformer Monitors Advanced Relays Workforce Computing Devices Advanced Switching Devices Smart Distribution Transformers Advanced Volt/VAR Devices Customer Premise Devices PEV Metrology Smart Meters • Automated Control Systems ©2013 ViaSat Inc. Used with Permission from Southern California Edison What is CCS? » CCS is a real-time cyber-security monitoring, detection and response platform that provides complete network visualisation. By using sensors and traffic flow analysis it can identify and respond to suspicious and anomalous behaviour on operational control systems. VIASAT PROPRIETARY 20 Cybersecurity System Capabilities Authentication Authorization •Role and Group Based Access Control (RBAC) Accounting •Security Information and Event Management (SIEM) •Authenticated communication •Defense in Depth Peer to Peer Quality-of-Trust Dynamic Scalable GUI 21 •Continuous device to device trust monitoring •Cyber & Physical alerts, device health, operator actions •Trusted Boot, Trusted Network Connect •Device Bill-of-Health Integrity VIASAT PROPRIETARY •Integrated Operational Public Key Infrastructure (PKI), Identity Management •Central operations security visualization GUI accessed via web browser •Multi-Tier Security Operations Capability •Large scale System Planning and Test Capabilities Dissemination restricted as described on cover page. 21 TRUST IS EVERYTHING Without TRUST you cannot achieve your operational and business objectives QUALITY OF TRUST gives you a metric to determine the health of your operational networks and systems and be CONFIDENT about their interaction VIASAT PROPRIETARY 22 ©2013 ViaSat Inc. Determining QoT A device has been authenticated and has joined the “fabric” of CCS enabled devices QoT – Devices are monitoring each other’s behaviour and reporting on those that they are physically and/or logically connected to. Status Quality of Trust Establishes that a device is what it’s meant to be Identity VIASAT PROPRIETARY 23 Bill of Health Dissemination restricted as described on cover page. A device reporting about itself based on a defined list of characteristics/attributes 23 Conceptual Operation Proxy – CCS-Enabled Gateway Bump-In-The-Wire VIASAT PROPRIETARY 24 Bump-In-The-Stack Security VIASAT PROPRIETARY 25 Common Cybersecurity Service Concepts Security Policy Enforcement & Status based on device and function Device A Policies Device B Policies BoH HEARTBEAT INTEGRITY QoT ID QUALITY of TRUST CERTIFICATE Status: Trusted Questionable Untrusted Unknown Device C Policies VIASAT PROPRIETARY Status 26 ©2013 ViaSat, Inc. Common Cybersecurity Service Highlights » The most advanced security system in the energy sector › › › › Next generation utility technologies DoD technology transfer Best practices from many sectors Modern SOA style architecture » The most compliant security system › NERC CIP Version X › All Federal Processing Standards (DHS, FIPS) › NIST Compliant (NISTIR, SP) » The most scalable and dynamic security system › › › › Supports all Grid Applications Supports current and next generation networking (MPLS) Supports all major protocols used on the Grid Modular Construction VIASAT PROPRIETARY 27 ©2013 ViaSat Inc. CCS Highlights » Easily Integrated into existing environment › Supports existing control and IT investments (Directory Services, Enterprise PKI) › 8 inflight advanced programs are relying on new services (e.g. ISGD, Phasor Measurement, SA3, C-RAS, etc.) › Supports gradual evolution to full compliance over time » Ease of Use › AMI Security uses command line and requires vendor support › CCS has next generation web based graphical user interface › Enables a powerful and unified security operations center » IEC has committed to align with CCS principles › Hosted IEC TC 57 Security Meetings › New Part to FERC reviewed/recommended 62351 VIASAT PROPRIETARY 28 ©2013 ViaSat Inc. CCS Concepts: Advanced Visualization & Wide Area Situational Awareness (WASA) VIASAT PROPRIETARY 29 ©2013 ViaSat Inc. Questions? Brett Luedde [email protected] +1-760-893-3749 VIASAT PROPRIETARY 30 ©2013 ViaSat, Inc.
© Copyright 2024