Network Security and Survivability

Nov 20, 2013

Assessing Power Substation Network Security and Survivability

Carol Taylor, Axel Krings, Paul Oman
Computer Science Department, University of Idaho, Moscow, Idaho

The 2003 International Conference on Security and Management, June 23-26, 2003

Presented by Wendy Y.F. Wen, Graduate of Dept. of IM

Incentives

1. The electric power grid can be regarded as a complex network.
   (Risk Management & Survivability)

2. The failure of a power substation network will result in cascading failure.
   (Node Dependency)

Outline

0. Risk Management Concepts
1. Introduction
2. Current State of Power Networks
3. Mitigation Strategies
4. Survivability and Vulnerability Assessment
5. Conclusion


Risk Management Concepts

The process of identifying, assessing and reducing risks to an acceptable level.

Reference: Symposium of Risk Management, 2005/11/11, Po-Hao Tsang

Risk Management Concepts (con't)

1. Risk Assessment
   Risk Analysis
   Risk Evaluation

2. Risk Treatment

Reference: Symposium of Risk Management, 2005/1/1, Po-Hao Tsang

Goals of Risk Analysis

Asset valuation and threat identification

To quantify or qualify the impact

To provide cost-benefit comparison for safeguards or countermeasures

Reference: Symposium of Risk Management, 2005/1/1, Po-Hao Tsang

Risk Management

[Figure: risk model diagram; labels translated from the Chinese slide]

Information assets (software, hardware, personnel, data/documents) carry value and security requirements.
Threats exploit vulnerabilities; controls reduce vulnerabilities.

Risk = asset value × vulnerability × threat


Incentives

The on-going problem of securing our critical infrastructures from cyber threats is becoming more acute.

Terrorism and its consequences

Dependency on the computer networks that support our daily lives

As the critical infrastructure industries have become more computerized, the risk of digital disruption has increased.

The threat groups range from casual hackers to terrorists.

PCCIP

In 1997 the President's Commission on Critical Infrastructure Protection (PCCIP) investigated threats and mitigation strategies for cyber-controlled critical networks.

This group identified eight critical infrastructure systems.

PCCIP -- Electric Power Grid

Power grid vulnerabilities and mitigations were documented in the PCCIP's NSTAC Electric Power Risk Assessment report.

PCCIP: President's Commission on Critical Infrastructure Protection

NSTAC: National Security Telecommunications Advisory Committee

Their suggestions included a broad program of education and awareness.

Between government and industry, sharing of information and cooperatively developing risk assessment methods.

Assessment techniques

To adapt existing vulnerability assessment methods and/or develop new approaches.

1. Checklists
2. Survivable Systems Analysis (SSA) / Probability Risk Assessment (PRA)
3. Expert system

Goals of Paper

1. To report the results of applying these techniques to the assessment of power substation control networks for cyber-based attacks.

2. To report on the cyber security challenges still facing the electric power industry after the vulnerabilities were documented.

3. To examine some of the underlying design issues typical of power substation networks that impact security efforts.

Outline

0. Risk Management Concepts
1. Introduction
2. Current State of Power Networks
   2.1 Current Vulnerabilities
   2.2 Current Challenges
3. Mitigation Strategies
4. Survivability and Vulnerability Assessment
5. Conclusion

On-site Visit

To conduct site assessments.

To interact with people knowledgeable about the systems.



2.1 Current Vulnerabilities

The greatest vulnerability of the power substation control networks is the lack of cyber security awareness within the power industry.

Lack of security awareness can be found at all levels of the industry:

developers of systems and software

operators of the power control systems

power engineers

Power Grid Vulnerabilities

Why Do Old Vulnerabilities Still Exist?

1. There still appears to be a lack of urgency in the attitude of power industry executives.

2. Power industry deregulation has created competition, forcing power companies to trim development and work closer to their margins without extra resources.

3. Executives that make company decisions are business oriented and lack the technical background.

2.2 Current Challenges

1. Geographic distribution of these networks

   the sheer number of devices connected to a single network

   the sheer size of the network

2. Diversity of equipment and protocols

   Diversity and lack of interoperability in these protocols

   Diversity of electronic control equipment

A. Proprietary SCADA protocol or Ethernet
B. Proprietary, EIA232, EIA485, Ethernet, UCA, or ControlNet
C. Vendor Proprietary Protocol
D. Ethernet
E. Local Ethernet or Internet
F. EIA-232
G. V.32, V.34, WAP, or WEP
H. DNP, Modbus, Profibus, Fieldbus

Outline

0. Risk Management Concepts
1. Introduction
2. Current State of Power Networks
3. Mitigation Strategies
   a) Cyber Security Education
   b) Enforcement of Cyber Security Policy
   c) Authentication Enforcement
   d) Enact Encryption
   e) Firewalls, Virus Scanners, Intrusion Detection Systems
   f) Keep SCADA control and Corporate networks separate
4. Survivability and Vulnerability Assessment
5. Conclusion

Mitigation Strategies

1. Cyber Security Education

   Education creates employee cyber awareness; employees assist with cyber security.

2. Enforcement of Cyber Security Policy

   A security policy is critical for cyber security.

Mitigation Strategies (con't)

The greatest reduction in the threat of cyber intrusion can be achieved by enacting a program of cyber security education and training combined with an enforced security policy.

The insider threat is considered to be more serious due to the insider's knowledge of electric power system operations.

Education and enforcement will assist with counteracting both external and insider threats.

Mitigation Strategies (con't)

3. Authentication Enforcement

   Strong password policy; multifactor authentication.

4. Enact Encryption

   Communication data should be encrypted -- encrypting modem or VPN device.

Mitigation Strategies (con't)

5. Firewalls, Virus Scanners, Intrusion Detection Systems

   Network security devices for both corporate and power control networks will help reduce cyber threats.

6. Keep SCADA control and Corporate networks separate

   Connecting critical SCADA control networks to the corporate network increases the risk of intruder access.

Outline

0. Risk Management Concepts
1. Introduction
2. Current State of Power Networks
3. Mitigation Strategies
4. Survivability and Vulnerability Assessment
   4.1 Standards Checklists
   4.2 SSA / PRA
   4.3 Expert System Analysis
5. Conclusion

4.1 Standards Checklists

Prior to undertaking several on-site industry visits, we compiled checklists derived from industry standards and guidelines:

IEC 61850 TC 57

IEEE Standard 1402-2000

IEEE Draft Standard 1525

Standards Checklists (con't)

Limitation of checklists:

The checklists require a certain level of knowledge and computer security expertise in the person performing the assessment.

In summary, a checklist is a good starting point, but not adequate on its own.

4.2 SSA / PRA

SSA (Survivable Systems Analysis)

SSA is particularly suitable for assessing unbounded networks with ill-defined boundaries and non-centralized control.

SSA emphasizes survivability:

The continued operation of the essential services of a system in spite of deliberate compromise or natural failure of some components.

SSA (con't)

A problem with SSA is its lack of quantification.

In an effort to add quantification capability to SSA, we have combined PRA with SSA.

4.2 SSA / PRA

PRA (Probability Risk Assessment)

PRA utilizes probabilities to determine the likelihood that adverse events will occur, drawn from:

1. statistical sampling
2. historical records
3. solicitation of expert opinion

A PRA for cyber security threats provides:

Quantification of the risk from these threats

Specification of mitigating actions including costs

Problems with PRA

1. Lack of historical cyber security data for estimating risk

2. Difficulty of analyzing risk for large networks

Combined Approach -- RAPSA

Risk Analysis and Probabilistic Survivability Assessment (RAPSA) seeks to leverage the strengths of both approaches.

There are four stages in the RAPSA method.



RAPSA (con't)

Stage 1: System Self-assessment

An analysis team performs a self-assessment to understand system mission objectives.

Partition the system into services that are essential to the mission and those services that are identified.

RAPSA (con't)

Stage 2: Threat Identification

Threats from cyber attacks are enumerated for the essential services identified in the previous step.

Intrusion scenarios / attack stages are outlined.

Vulnerabilities associated with each intrusion scenario are identified.

RAPSA (con't)

Stage 3: Risk Quantification

Quantify the risks for each intrusion scenario.

Event/fault trees will be used where needed to assist with understanding how attacks can be neutralized.

Mitigation mechanisms will be proposed.

RAPSA (con't)

Stage 4: Risk Mitigation Trade-off

Several types of tradeoff analyses are possible:

1. Partitioned Multi-objective Risk Method (PMRM)
2. Decision Tree Analysis

Produce a survivability map including risks and costs for mitigation strategies.

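The four RAPSA stages above are easier to picture with the numbers filled in. The following Python is an added example, not code or data from the paper: it takes one hypothetical intrusion scenario against an essential service (Stage 2), quantifies it with a small event/fault tree (Stage 3), and compares the paper's own mitigation categories by expected-loss reduction against cost (Stage 4). Every event name, probability, impact figure and mitigation cost is constructed for illustration; the fault-tree algebra (AND = product of independent event probabilities, OR = complement of the product of the complements) is the standard PRA treatment.

```python
"""Added example: fault-tree risk quantification and mitigation trade-off in
the spirit of RAPSA stages 2-4.  All event names, probabilities, impact and
cost figures are constructed for illustration, not data from the paper."""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class Gate:
    """A fault-tree gate: 'or' fires if any child fires, 'and' only if all do."""
    kind: str                 # "or" or "and"
    children: List["Node"]


Node = Union[str, Gate]       # a plain string names a basic event


def probability(node: Node, basic: Dict[str, float]) -> float:
    """Probability that `node` occurs, treating basic events as independent."""
    if isinstance(node, str):
        return basic[node]
    ps = [probability(child, basic) for child in node.children]
    if node.kind == "and":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "or":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Stage 2 (hypothetical scenario): an intruder can trip a breaker only if
# they both REACH the substation controller and can ACT on it.
REACH = Gate("or", ["dialup_modem_unauthenticated", "corporate_to_scada_bridge"])
ACT = Gate("or", ["default_password_on_ied", "unencrypted_control_link"])
TOP = Gate("and", [REACH, ACT])

# Stage 3: constructed annual likelihoods for the basic events.
BASELINE = {
    "dialup_modem_unauthenticated": 0.30,
    "corporate_to_scada_bridge": 0.40,
    "default_password_on_ied": 0.50,
    "unencrypted_control_link": 0.60,
}
IMPACT = 2_000_000   # constructed loss estimate (dollars) for a compromised breaker circuit

# Stage 4: mitigation categories from the paper's list, each mapped to the basic
# events it reduces; residual probabilities and costs are constructed.
MITIGATIONS = {
    "authentication enforcement": ({"default_password_on_ied": 0.05,
                                    "dialup_modem_unauthenticated": 0.05}, 60_000),
    "encrypt control links (VPN)": ({"unencrypted_control_link": 0.05}, 120_000),
    "separate SCADA and corporate nets": ({"corporate_to_scada_bridge": 0.05}, 200_000),
}


def expected_loss(basic: Dict[str, float]) -> float:
    """Annual expected loss = P(top event) x impact."""
    return probability(TOP, basic) * IMPACT


def tradeoff():
    """Return (baseline loss, rows) where each row is
    (mitigation, loss reduction, cost, net benefit), best net benefit first."""
    base = expected_loss(BASELINE)
    rows = []
    for name, (changes, cost) in MITIGATIONS.items():
        residual = expected_loss({**BASELINE, **changes})
        rows.append((name, round(base - residual), cost, round(base - residual - cost)))
    return base, sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    base, rows = tradeoff()
    print(f"P(top event) = {probability(TOP, BASELINE):.3f}, "
          f"baseline expected annual loss = ${base:,.0f}")
    for name, reduction, cost, net in rows:
        print(f"{name:36s} reduction ${reduction:>9,}  cost ${cost:>9,}  net ${net:>9,}")
```

With the constructed figures the baseline top-event probability is 0.464, and the ranking shows why the paper stresses authentication and policy: the cheapest mitigation removes inputs from both branches of the AND gate and therefore buys the largest net reduction. The AND gate is also the defender's lever: driving either branch toward zero neutralizes the scenario regardless of the other.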
4.3 Expert System Analysis

To analyze the individual components using a prototype ES (expert system), written in Prolog (an AI language):

1. Model the visibility conditions
2. Implement the shortest path algorithm

[Figure: visibility path and visibility condition between components]

Output of ES Vulnerability Assessment

Visibility paths from Internet to CircuitBreaker:

1. ["Internet", "SubstationController", "IED2", "CircuitBreaker"] with vulnerability level = 10

2. ["Internet", "IED2", "CircuitBreaker"] with vulnerability level = 7

3. ["Internet", "CorporateNetwork", "SCADAMaster", "SubstationController", "IED2", "CircuitBreaker"] with vulnerability level = 23

Most vulnerable visibility path from Internet to CircuitBreaker:

["Internet", "CorporateNetwork", "SCADAMaster", "SubstationController", "IED2", "CircuitBreaker"] with vulnerability level = 23

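The expert-system output above is the result of a path search over visibility conditions. The Python below is an added example, not the paper's Prolog prototype: it models each visibility condition as a directed link with a vulnerability level, enumerates every simple path from an entry point to a target, ranks the paths, and shows what happens to the ranking when a link is removed (the paper's mitigation f, separating the SCADA and corporate networks). The component names are those in the slide's output; the links and per-link levels are constructed so that the totals reproduce the slide's figures of 10, 7 and 23, and are not data from the paper.

```python
"""Added example: visibility-path enumeration and ranking over a constructed
model of substation components.  Node names follow the slide's output; the
links and vulnerability levels are constructed, not data from the paper."""
from typing import Dict, List, Optional, Tuple

Link = Tuple[str, str]
Path = Tuple[List[str], int]

# Constructed visibility conditions: (source, destination) -> vulnerability
# level of crossing that link.  "Visibility" means source can reach destination.
VISIBILITY: Dict[Link, int] = {
    ("Internet", "SubstationController"): 3,
    ("Internet", "IED2"): 4,
    ("Internet", "CorporateNetwork"): 5,
    ("CorporateNetwork", "SCADAMaster"): 5,
    ("SCADAMaster", "SubstationController"): 6,
    ("SubstationController", "IED2"): 4,
    ("IED2", "CircuitBreaker"): 3,
}


def adjacency(visibility: Dict[Link, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Group links by source so the search can expand a node in one lookup."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for (src, dst), level in visibility.items():
        adj.setdefault(src, []).append((dst, level))
    return adj


def visibility_paths(start: str, goal: str, visibility: Dict[Link, int]) -> List[Path]:
    """All simple paths from start to goal with their summed vulnerability level,
    found by depth-first search; a component is never revisited within a path."""
    adj = adjacency(visibility)
    found: List[Path] = []

    def walk(node: str, path: List[str], level: int) -> None:
        if node == goal:
            found.append((path[:], level))
            return
        for nxt, lvl in adj.get(node, []):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path, level + lvl)
                path.pop()

    walk(start, [start], 0)
    return found


def most_vulnerable_path(start: str, goal: str, visibility: Dict[Link, int]) -> Optional[Path]:
    """The path with the highest accumulated level, i.e. the one to cut first."""
    paths = visibility_paths(start, goal, visibility)
    return max(paths, key=lambda p: p[1]) if paths else None


def least_vulnerable_path(start: str, goal: str, visibility: Dict[Link, int]) -> Optional[Path]:
    """The slide's 'shortest path' in the weighted sense: lowest accumulated level."""
    paths = visibility_paths(start, goal, visibility)
    return min(paths, key=lambda p: p[1]) if paths else None


def without_link(visibility: Dict[Link, int], link: Link) -> Dict[Link, int]:
    """Visibility conditions after one link is removed, e.g. a network segregated."""
    return {k: v for k, v in visibility.items() if k != link}


if __name__ == "__main__":
    src, dst = "Internet", "CircuitBreaker"
    print(f"Visibility paths from {src} to {dst}:")
    for i, (path, level) in enumerate(visibility_paths(src, dst, VISIBILITY), 1):
        print(f"{i}. {path} with vulnerability level = {level}")
    print("Most vulnerable:", most_vulnerable_path(src, dst, VISIBILITY))
    cut = without_link(VISIBILITY, ("CorporateNetwork", "SCADAMaster"))
    print("After separating corporate and SCADA networks:",
          most_vulnerable_path(src, dst, cut))
```

Run stand-alone, the script lists the same three paths as the slide, in the same order, and then shows that removing the CorporateNetwork to SCADAMaster link drops the worst path from level 23 to level 10. Re-running the search after each candidate mitigation is the defender's use of the model: it shows which single visibility condition, once removed, shortens or eliminates the most exposed route to a critical component.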


Conclusion

In looking at the current state of power industry cyber security, it appears to lag behind the state-of-the-practice in both network security and ultra-reliable systems design.

In spite of the national emphasis on terrorism awareness, the power industry as a whole appears to be lacking in cyber security awareness.

Thank you for listening.

Wendy Y.F. Wen