in a G&T Coop Andrew Wright, CTO November 7, 2014 -dimension - - PowerPoint PPT Presentation

▶

Sep 14, 2022 104 likes •420 views

Experience with Implementing Cybersecurity in a G&T Coop Andrew Wright, CTO November 7, 2014 -dimension solutions G&T Coop 1 Primary Control Center 2000 MW combined peak load 1 Backup Control Center residential

SLIDE 1

dimension

solutions

Andrew Wright, CTO November 7, 2014

Experience with Implementing Cybersecurity in a G&T Coop

SLIDE 2

dimension

solutions

G&T Coop

1 Primary Control Center
1 Backup Control Center
dozens of Member COOPs

– some with SCADA hosts – some with dual SCADA hosts – some with only RTUs – most with AMI

several gas power plants
several wind farms
1 Transmission provider
1 Power Provider
1 Power Market Purchaser
1 Hosted AMI Service
2000 MW combined peak load

– residential – commercial – agricultural

no critical assets per NERC CIP
primary function of G&T is

energy trading to provide members best possible rate

SLIDE 3

dimension

solutions

G&T Operations Technology (OT)

SCADA

– load data collected from members

– aggregate member usage information – provide hosted AMI functions to members

OsiSoft PI

– data historian for power plant data – historical analysis, forecasting

SLIDE 4

dimension

solutions

G&T Interconnect

x dozens x many

64kbps to 1Mbps

SLIDE 5

dimension

solutions

Security Goals

protect OT

– G&T from attack through members, plants, 3rd parties – plants, members from attack through members, plants, 3rd parties – all from private WAN compromise

monitor for intrusions

– G&T OT – plant OT – member OT

SLIDE 6

dimension

solutions

Reliability Goals

improve resilience against cyber threats
improve reliability of communications
ensure

– availability, integrity, and confidentiality – of load and plant data – to enable market trading $$$

SLIDE 7

dimension

solutions

N-Dimension Network Security

n-Platform Unified Threat Management

– UTMs provide a variety of security functions

perimeter and interior security for operations systems
passive and active security functions
Control DMZs segregating control from enterprise
encryption over private WAN, Internet, Radio

– several dozen UTMs deployed in this soln

n-Central Log & Event Management

– one system providing central log & event mgmt

SLIDE 8

dimension

solutions

Security Deployment

Secure Interconnect

– secure communications – restrict protocols

Operations / Corporate Segregation

– via Control DMZs

Monitor

– detect potential intrusions – log events for forensic analysis

SLIDE 9

dimension

solutions

Secure Interconnect

SLIDE 10

dimension

solutions

Secure Interconnect

SSL Site-to-Site VPNs between

– over MPLS, Internet, Radio

IPSEC Site-to-Site VPNs

– for 3rd parties

Stateful Firewall

– to restrict protocols between sites

OSPF Dynamic Routing

– to improve availability

Active / Standby Failover of UTMs

– to improve availability

SLIDE 11

dimension

solutions

Segregation via Control DMZs

SLIDE 12

dimension

solutions

Control DMZ Security

Firewall limits inbound and outbound traffic

– most traffic makes a stop at a “jump box”

Remote access VPN authenticates connections

– two-factor authentication

IDS, scheduled port scanning, scheduled vuln

scanning monitors DMZ servers

Host anti-virus / whitelisting on DMZ servers
Operations AD server providing centralized AAA

for operations systems access

SLIDE 13

dimension

solutions

Monitoring OT Systems

SLIDE 14

dimension

solutions

Monitoring OT Systems

Intrusion Detection System

– signature based with SCADA signatures

Port Scanning

– scheduled

Vulnerability Scanning

– manually initiated

System & Service Monitoring

– cpu load, disk utilization, network utilization – service availability

SLIDE 15

dimension

solutions

Central Log & Event Monitoring

SLIDE 16

dimension

solutions

Central Log & Event Monitoring

events and logs collected by n-Central

– all n-Platforms – certain Windows servers

critical events forwarded to email addresses

and thereby mobile phones

summary security status displayed on SCADA

SLIDE 17

dimension

solutions

Experiences

SLIDE 18

dimension

solutions

Status

“fully deployed” for more than a year
“full deployment” took several years
several questionable cyber events detected, but

none directly identified as attacks

– corporate network not monitored – firewalls may have blocked attacks – G&T may not have told N-Dimension of attacks

significant improvement in communications

availability due to dynamic routing

SLIDE 19

dimension

solutions

IP is Interoperability

real world environments are heterogeneous

– OT: ICCP, DNP3, Modbus – proprietary SCADA, AMI, etc. – IT: RDP, HTTP, HTTPS, FTP, etc. – many custom built devices, applications

IP is the interoperability framework

– only 2 serial links in this G&T

IP network layer security protects IT & OT

– VPN, firewall, IDS, VLAN, OSPF

SLIDE 20

dimension

solutions

Politics

we desired to implement

– network segregation within members – monitoring of member OT networks – secure remote access to member networks

but ownership issues intruded!

– members won’t provide details of their networks – members do not want G&T to see their traffic – G&T does not want to own/control equipment in member’s systems

SLIDE 21

dimension

solutions

PCI Compliance

in several cases members refused Internet

connections as backup links

– these would need to be addressed in their PCI compliance requirements – poor segregation of billing functions from control functions?

SLIDE 22

dimension

solutions

Geography

many sites are fairly remote, making any
nsite work require at least a full day

SLIDE 23

dimension

solutions

Weather

adverse weather can disrupt your plans

SLIDE 24

dimension

solutions

Scheduling

outage windows may

need to be coordinated weeks in advance

last minute events may

throw all those plans

ut the window

SLIDE 25

dimension

solutions

Coordination with Third Parties

change windows may need to be

coordinated with 2 or 3 third parties

SLIDE 26

dimension

solutions

Can’t Touch This

significant periods, even whole seasons, of no

changes allowed (it is critical infrastructure)

SLIDE 27

dimension

solutions

Complexity

There are no detailed

complete up-to-date network diagrams

You can’t understand

everything before you start

SLIDE 28

dimension

solutions

Don’t Screw Up!

have backup plans for your backup plans

SLIDE 29

dimension

solutions

Safety Briefings

pay attention, things DO blow up

If everyone else is running you better catch up!

SLIDE 30

dimension

solutions

Andrew Wright, CTO November 7, 2014

Experience with Implementing Cybersecurity in a G&T Coop

G&T Coop

– some with SCADA hosts – some with dual SCADA hosts – some with only RTUs – most with AMI

– residential – commercial – agricultural

energy trading to provide members best possible rate

G&T Operations Technology (OT)

– load data collected from members

– aggregate member usage information – provide hosted AMI functions to members

– data historian for power plant data – historical analysis, forecasting

G&T Interconnect

x dozens x many

Security Goals

– G&T from attack through members, plants, 3rd parties – plants, members from attack through members, plants, 3rd parties – all from private WAN compromise

– G&T OT – plant OT – member OT

Reliability Goals

– availability, integrity, and confidentiality – of load and plant data – to enable market trading $$$

N-Dimension Network Security

– UTMs provide a variety of security functions

– several dozen UTMs deployed in this soln

– one system providing central log & event mgmt

Security Deployment

– secure communications – restrict protocols

– via Control DMZs

– detect potential intrusions – log events for forensic analysis

Secure Interconnect

Secure Interconnect

– over MPLS, Internet, Radio

– for 3rd parties

– to restrict protocols between sites

– to improve availability

– to improve availability

Segregation via Control DMZs

Control DMZ Security

– most traffic makes a stop at a “jump box”

– two-factor authentication

scanning monitors DMZ servers

for operations systems access

Monitoring OT Systems

Monitoring OT Systems

– signature based with SCADA signatures

– scheduled

– manually initiated

– cpu load, disk utilization, network utilization – service availability

Central Log & Event Monitoring

Central Log & Event Monitoring

– all n-Platforms – certain Windows servers

and thereby mobile phones

Experiences

Status

none directly identified as attacks

– corporate network not monitored – firewalls may have blocked attacks – G&T may not have told N-Dimension of attacks

availability due to dynamic routing

IP is Interoperability

– OT: ICCP, DNP3, Modbus – proprietary SCADA, AMI, etc. – IT: RDP, HTTP, HTTPS, FTP, etc. – many custom built devices, applications

– only 2 serial links in this G&T

– VPN, firewall, IDS, VLAN, OSPF

Politics

– network segregation within members – monitoring of member OT networks – secure remote access to member networks

– members won’t provide details of their networks – members do not want G&T to see their traffic – G&T does not want to own/control equipment in member’s systems

PCI Compliance

connections as backup links

– these would need to be addressed in their PCI compliance requirements – poor segregation of billing functions from control functions?

Geography

Weather

Scheduling

need to be coordinated weeks in advance

throw all those plans

Coordination with Third Parties

coordinated with 2 or 3 third parties

Can’t Touch This

changes allowed (it is critical infrastructure)

Complexity

complete up-to-date network diagrams

everything before you start

Don’t Screw Up!

have backup plans for your backup plans

Safety Briefings

If everyone else is running you better catch up!

Questions?