CES 21 Cal 21 st Cent Californ rnia E Ene nergy System f for or - PowerPoint PPT Presentation

CES 21 Cal 21 st Cent Californ rnia E Ene nergy System f for or the he 2 ntury Overview and Ac and Accomplishments C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y Commissioner Committee Meeting Emerging Trends Subcommittee December 4, 2019 Glenn Haddox, Southern California Edison, Dir Cybersecurity & IT Compliance David Lo, Pacific Gas & Electric, Cybersecurity Senior Manager Nate Gleason, Lawrence Livermore National Laboratory, Cyber & Infrastructure Resilience Program Leader TLP GREEN 1

CES 21 Note o e on Public Di Disclosur ure C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y The CES-21 Cybersecurity R&D effort is focused on the protection of critical infrastructure, therefore a secure process for reporting and a secure process for deliverables will need to be maintained. Detailed tactics, techniques, and procedures developed for use fall under DHS guidelines and will be marked and handled as: “Protected Critical Infrastructure Information (PCII)” and are not open to the public CES-21 TLP Information Sensitivity Classifications White Green Amber Red Public: approved Internal: not approved for Sensitive: Restricted: high risk to for public release public release but low risk if moderate risk reputation, operations, disclosed personnel, safety, or security if disclosed TLP GREEN 2

CES 21 California Energy Systems for the 21 st Century C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y • CES-21 was a 5 year, $35M CPUC-authorized research and development program primarily focused on enhancing the security of California’s electric grid against cyber attack • Collaborative effort between California-based investor-owned utilities (IOUs) and Lawrence Livermore National Laboratory. • CES-21 developed a visionary concept called “ Machine to Machine Automated Threat Response ” that provided a substantive starting point for future work • CES-21 research concluded in October 2019 and has focused on developing technologies for automated detection and response to identified threats to the electric … transmission grid in California Collaboration TLP GREEN 3

CES 21 Military-Inspired Concepts Cyber Response C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y • What can be learned from military systems that have used automated threat responses for decades? • Organic radars augmented with automated identification system provide integrated surface picture • Science Applications International Corporation (SAIC) Blast Hailer & spotlight used for non-lethal engagement • Vision Technology video camera provides long range identification Pre-set “rules” or doctrine Employing Layered SA to Stretch the SPS Timeline TLP GREEN 4

CES 21 Key Concept • Machine to Machine Automated Threat Response (MMATR) C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y Analysis Center New STIX Anomalies Packets Remediation Threat Data of Known Threats Detection Aggregation System Alert Data Industrial Control New Indicators of Compromise Systems Data MMATR enables response to cyber attacks at machine speed TLP GREEN 5

CES 21 C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y CES-21 Video TLP GREEN 6

CES 21 CES-21 Accomplishments: Machine to Machine Automated Threat Response (MMATR) C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y TLP GREEN 7

CES 21 CES ES-21 A Accompl plishm hmen ents: To Tools C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y Secure SCADA Protocol for the Hardware Testbeds 21 st Century Cyber-Physical Simulation Capability TLP GREEN 8

CES 21 CES ES-21 A Accompl plishm hmen ents: Standar dards ds C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y SSP-21 protocol specification Evolution of the STIX standard to support ICS threat description TLP GREEN 9

CES 21 CES ES-21 A Accompl plishm hmen ents: Impact act Anal nalysi sis C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y System Models Threat Scoring and Prioritization TLP GREEN 10

CES 21 Remaining Gaps: Machine to Machine Automated Threat Response (MMATR) C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y Additional work is needed to enable MMATR operational capability Hardening needed Analysis Center Integration needed R&D needed New STIX Anomalies Packets Data Threat Remediation Aggregation Detection of Known Threats System Alert Data Industrial Control New Indicators of Compromise Systems Data TLP GREEN 11

CES 21 Since ce the prog ogram am b began an f five y years s ago, the c cyber threat has e as evol olved…. C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y • Cyber attacks on the grid have been Bowman Ave Dam conducted – these are no longer just hypothetical events • In California, the growing use of automation Ukraine 2015 (e.g., smart meters, inverters) is increasing the cyber attack surface substantially • Highly sophisticated nation-state actors who are constantly innovating are driving urgency Triton Intrusion for solutions for today and research to address emerging needs in cyber defense TLP GREEN 12

CES 21 Layered Defense Strategy for the Electric Grid C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y TLP GREEN 13

CES 21 Framework for resilient energy infrastructure Low-tier Mid-tier Sophisticated-tier C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y Adversaries Adversaries Adversaries Identify Risk Assessment, Asset Inventory and Identification, Critical failure analysis Basic Security Encryption and Network Protect Supply chain verification Protections (firewalls) Isolation Known Threats Only Advanced cross-domain Detect Anomaly Detection (antivirus) data analytics Real time automated Manual Response After Automated response to Respond response to unknown Event known threats threats Pre-Planning Only, Post-Event Analysis and Optimized strategies for Recover Manual Recovery Event Reconstruction blackstart leveraging DERs Basic Automation for Endure Manual Event Isolation Decentralization Real Time Isolation Commercially available products CES-21 Focus Gaps to be addressed TLP GREEN 14

CES 21 Collabo boration & n & Impact acts • Briefed to Governor of California Jerry Brown in 2017 and 2018 C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y • Briefed to Deputy Secretary of Department of Energy (DOE) Dan Brouillete • Briefed to multiple Assistant Secretaries in Department of Energy and Department of Homeland Security • Referenced in April 4, 2017 U.S. Senate Hearing to receive testimony on examining efforts to protect U.S. energy delivery systems from cybersecurity threats : "... California Energy Systems for the 21st Century (CES-21) program’s Machine-to-Machine Automated Threat Response (MMATR) project has strong potential to accelerate alerts for specific categories of threat information to near real time .” – Andy Bochman, Idaho National Laboratory • Presented at major conferences: DistribuTECH, S4, SANS ICS Security Summit CES-21 made significant impact across multiple aspects of cybersecurity for the power grid and established strong relationship between California Utilities and DOE National Laboratories enhancing the collaboration between state of California and federal government. TLP GREEN 15

CES 21 C A L I F O R N I A E N E R G Y S Y S T E M S F O R T H E 2 1 S T C E N T U R Y THANK YOU & QUESTIONS TLP GREEN 16