Continuous Security Monitoring Techniques for Energy Delivery - - PowerPoint PPT Presentation



SLIDE 1

Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org

Continuous Security Monitoring Techniques for Energy Delivery Systems

Adam Hahn, Armin Rahimi, Mathew Merrick, Kudrat Kaur Washington State University CREDC Industry Workshop March 27-29, 2017

SLIDE 2

Challenge

Challenge:
  • End nodes are boring
  • Difficult to assess security within EDS

Benefits:
  • Verify configurations
  • System is free from malicious actors

Problems:
  • Legacy systems/devices don’t support
  • Fragility/performance
  • Unclear what data is beneficial

SLIDE 3

Continuous Monitoring

“Continuous security state monitoring of all energy delivery system architecture levels and across cyber-physical domains is widely adopted by energy sector asset owners and operators”
  – DOE Roadmap to Achieve Energy Delivery Systems Cybersecurity, Year 2020 Goal

Information Security Continuous Monitoring (ISCM): “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions”

Sources: Roadmap to Achieve Energy Delivery Systems Cybersecurity. DOE, 2011. NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

SLIDE 4

EDS Efforts and Tools

Utilities:
  • SCE: Common Cybersecurity Services (CCS) - edge security client so devices can be monitored; utilizes Trusted Network Connect (TNC) and PKI

Federal:
  • NIST: Special Publication 1800-7A “Situational Awareness For Electric Utilities”, Feb 2017

Vendors (NetAPT, CyberLens, N-Dimension, Security Matters, Tenable, Tripwire), with the capabilities listed on the slide:
  • Network monitoring and analytics
  • Monitoring of grid devices
  • Network monitoring and end-point vulnerability assessment
  • Network monitoring and analytics
  • Security center / network monitoring / event logs / vulnerability scanning
  • Analysis and verification of firewall logs

SLIDE 5

Smart City Testbed

SLIDE 6

Test System

Diagram of the test system; components shown: Control Center (Distribution Mgmt System, SCADA Server, HMI), Corporate IT network, firewalls (FW), WAN, and Substation (Gateway, Switch, Relays).

SLIDE 7

CM Platform

Platform based on ELK Stack (Elasticsearch, Logstash, Kibana)

Data Collection (from the test system: control center, corporate IT network and substation):
  • Netflows
  • Snort
  • Syslogs
  • Win Event Logs
  • Credential Scans
  • Relay Configs

Analysis:
  • Distributed searching and analysis across all data
  • Real-time monitoring, alerts, and metrics plugins

Visualization:
  • Dashboards

SLIDE 8

Attack Demo

SLIDE 9

Observable Events

Attack steps, shown on the test system diagram: 1) VPN Connection, 2) Connection to DMS, 3) Malware Installation, 4) DNP3 Message

Log entries observed during the attack, as excerpted on the slide:
  • VPN Connection Log: Feb 23 openvpn 18389 TCP connection established with [AF_INET] 192.168.168.23
  • Netflow Logs: Src Addr: 192.168.0.12 Dst Addr: 192.168.2.10
  • Netflow Logs: Src Addr: 192.168.0.12 Dst Addr: 192.168.2.10
  • Win Event Logs: Account was successfully logged on: Logon ID: 0x3E7
  • Snort Logs: Src Addr: 192.168.0.12 Dst Addr: 192.168.2.10
  • Netflow Logs: Src Addr: 192.168.2.101 Dst Addr: 192.168.2.10
  • Win Event Logs: Network connection service entered running state
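The four-stage chain on this slide can be detected by correlating the separate log sources in time. The following is an added example, not code from the CREDC/WSU platform: constructed log lines modelled on the slide's excerpts are parsed and matched against the stage order shown; the DMS address 192.168.2.10, TCP/20000 as the DNP3 port, and which log line indicates each stage are assumptions.

```python
"""Correlate the slide's four attack stages across log sources (added example).
Sample lines are constructed after the slide's excerpts; DMS_ADDR, DNP3_PORT and
the stage-to-log mapping are assumptions, not taken from the WSU platform."""
import re
from datetime import datetime, timedelta

DMS_ADDR = "192.168.2.10"   # assumed: the Dst Addr in the slide's netflow excerpts
DNP3_PORT = 20000           # IANA-registered DNP3 TCP port (not on the slide)

# Ordered stages: (name, log source, predicate over the parsed fields)
STAGES = [
    ("VPN Connection",       "openvpn",  lambda f: "connection established" in f["msg"]),
    ("Connection to DMS",    "netflow",  lambda f: f.get("dst") == DMS_ADDR),
    ("Malware Installation", "winevent", lambda f: "entered running state" in f["msg"]),
    ("DNP3 Message",         "netflow",  lambda f: f.get("dport") == DNP3_PORT),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Parse '<ISO timestamp> <source> <message with key=value pairs>' into a dict."""
    m = LINE_RE.match(line)
    fields = {"ts": datetime.fromisoformat(m["ts"]), "source": m["src"], "msg": m["msg"]}
    for key, value in KV_RE.findall(m["msg"]):
        fields[key] = int(value) if value.isdigit() else value
    return fields

def correlate(lines, window=timedelta(hours=1)):
    """Return [(stage, timestamp), ...] when all stages occur in order within
    `window` of the first one; otherwise None. A stale partial chain is dropped."""
    events = sorted((parse(line) for line in lines), key=lambda f: f["ts"])
    matched = []
    for f in events:
        if matched and f["ts"] - matched[0][1] > window:
            matched = []                       # chain went stale: start over
        name, source, pred = STAGES[len(matched)]
        if f["source"] == source and pred(f):
            matched.append((name, f["ts"]))
            if len(matched) == len(STAGES):
                return matched
    return None

# Constructed sample, one line per source, modelled on the slide's excerpts
SAMPLE = [
    "2017-02-23T10:00:05 openvpn TCP connection established with [AF_INET] 192.168.168.23",
    "2017-02-23T10:01:10 netflow src=192.168.0.12 dst=192.168.2.10",
    "2017-02-23T10:04:40 winevent Network connection service entered running state",
    "2017-02-23T10:06:02 netflow src=192.168.2.10 dst=192.168.2.101 dport=20000",
]
```

Calling `correlate(SAMPLE)` returns the four stages with their timestamps; the same lines without the VPN entry, or with the DNP3 flow a day later, return None.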

SLIDE 10

Information Sharing Scenario

SLIDE 11

Information Sharing Scenario

  • Netflow – VPN session
  • Netflow – DNP3 session
  • Windows event log

SLIDE 12

Monitoring of EDS devices

Relay Conf Tool (screenshot: original configuration beside a modified one that disables overcurrent protection, fed into the platform's real-time monitoring, alerts and metrics plugins and its distributed searching and analysis across all data)

  • EDS devices do not provide OS level interfaces
  • Can utilize configuration interfaces to obtain security data
  • Utilize standard protocols (FTP/HTTP)
  • Developed Python/Logstash tools to:
    1. Connect to relays
    2. Remotely pull configuration
    3. Parse configs and dump to logstash
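Steps 2 and 3 of the tool, parsing a pulled relay configuration and shipping it to Logstash, with a baseline comparison that flags the slide's "disable overcurrent protection" change. This is an added example and not the WSU relay config tool: the NAME = VALUE settings format, the setting names and both configuration texts are constructed, and the FTP/HTTP pull is replaced by the embedded text.

```python
"""Parse relay settings, diff them against an approved baseline and emit
Logstash-ready JSON events (added example, not the WSU relay config tool).
The NAME = VALUE settings format and the setting names are constructed."""
import json
from datetime import datetime, timezone

# Constructed: approved baseline, and a freshly pulled copy with both
# overcurrent elements switched off (the slide's "disable overcurrent" case).
BASELINE_TEXT = """\
RELAY_ID = SUB1_FEEDER3
OC_PHASE_EN = Y          # phase overcurrent element enabled
OC_PHASE_PICKUP_A = 6.00 # pickup in secondary amps
OC_GROUND_EN = Y
"""
CURRENT_TEXT = """\
RELAY_ID = SUB1_FEEDER3
OC_PHASE_EN = N
OC_PHASE_PICKUP_A = 6.00
OC_GROUND_EN = N
"""
PROTECTION_KEYS = {"OC_PHASE_EN", "OC_GROUND_EN"}   # changes here are 'critical'

def parse_settings(text):
    """Return {name: value} from NAME = VALUE lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        settings[name] = value
    return settings

def diff_settings(baseline, current, relay_id):
    """One event per setting that was changed, added or removed since baseline."""
    events = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        critical = name in PROTECTION_KEYS and new != "Y"   # disabled or removed
        events.append({
            "@timestamp": datetime.now(timezone.utc).isoformat(),
            "relay": relay_id, "setting": name, "old": old, "new": new,
            "severity": "critical" if critical else "warning",
            "tags": ["relay_config_drift"],
        })
    return events

def to_logstash_lines(events):
    """Newline-delimited JSON, as consumed by a Logstash json_lines codec."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```

Writing `to_logstash_lines(diff_settings(...))` to a TCP or file input with the json_lines codec gives Logstash one document per drifted setting, which Kibana can alert on by severity.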

SLIDE 13

Number of Observations

Number of events per week (test system):
  Netflows:        802
  Logs (Sub GW):   296
  Logs (DMS):      164
  Snort alerts:    105
  Total:          1367

Extrapolated to 100 substations over one year: 3,494,504 events

# of Anomalies >> # of Attacks. Need to identify key events to monitor!

Assume: 1 attack/year, and an attack generates 5 events, so Prob attack = 1.4 x 10^-6. IDS: True Positive = .999, False Positive = .001. Probability of attack given an event: P(I|A) = ~0.1%

Reference: Stefan Axelsson. The Base-Rate Fallacy and the Difficulty of Intrusion Detection. ACM Transactions on Information and System Security, Vol. 3, No. 3, August 2000, Pages 186–205.
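Carrying the slide's numbers through Bayes' rule makes the base-rate effect explicit (added derivation, not on the original slide). With $I$ = an attack occurred, $A$ = the IDS raised an alert, $P(A \mid I) = 0.999$ (true positive rate), $P(A \mid \neg I) = 0.001$ (false positive rate) and $P(I) = 5 / 3{,}494{,}504 \approx 1.4 \times 10^{-6}$:

$$P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}$$

$$P(I \mid A) = \frac{0.999 \times 1.4 \times 10^{-6}}{0.999 \times 1.4 \times 10^{-6} + 0.001 \times (1 - 1.4 \times 10^{-6})} \approx \frac{1.4 \times 10^{-6}}{1.0 \times 10^{-3}} \approx 1.4 \times 10^{-3}$$

That is roughly 0.1%: over a year the 0.001 false-positive rate applied to about 3.5 million benign events yields on the order of 3,500 false alerts against about 5 true ones, which is why raw anomaly counts must be reduced to a small set of key events before alerting.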

SLIDE 14

Performance Impacts of Scanning

Chart (only the labels survive extraction): scanning tools OpenVAS and Ovaldi run against the systems DMS, HMI and Sub GW; the chart's scale runs to 100%.

SLIDE 15

Continued Efforts

1. Continued analysis of observable events on EDS platforms and devices
2. Evaluation of security assessment tools on EDS platforms
3. Attack simulation and analysis of corresponding data

SLIDE 16

Thanks

ahahn@eecs.wsu.edu https://github.com/wsu-smartcity

SLIDE 17

http://cred-c.org @credcresearch facebook.com/credcresearch/
