NSF Workshop Security Efforts and Issues in the National Energy Grid 18 November 2002

1
NSF WorkshopSecurity Efforts and Issuesin the
National Energy Grid18 November 2002
2
Agenda

• Rainbow/Mykotronx
• Who are we and why are we here? (short, no
  commercial)
• Current efforts underway to define security
• Government and Industry
• Findings
• What we need to do
• Recommendations

3
Rainbow/Mykotronx Products
4
Rainbow/Mykotronx Customers
5
Rainbow/Mykotronx Activities

• Critical Infrastructure Protection
• American Gas Association
• SCADA Cryptographic Protection (active)
• Institute of Electrical and Electronic Engineers
• C2 Sub-committee for Substation Automation
  (monitoring)
• National Security Agency
• Information Assurance, Liaison to OHS/DoE/CIAO
  (active)
• National Institute of Science and Technology
• Process Control Security Requirements Forum
  (active)
• National Imaging and Mapping Agency
• National GIS Map/database of utility
  infrastructure (active)
• Disruptive Technology Innovations
  Partnership/DoD-DIA
• Identifying and Quantifying threat assessments
  (active)

6
Current Efforts

• American Gas Association
• Possibly the oldest and most active organization
• Charter
• Define cryptographic protection specifications
  for utility (gas, water, electricity, pipeline)
  control systems (SCADA, DCS, EMS, DMS, PR)
• Retrofit and enhance new product designs
• Supported by
• NIST PCSRF
• DoD TSWG
• DoT Pipeline Safety
• Utility Industry GTI, IEEE C2 TF4/H4, IEC TC 57
  WG 10/12/14/15, Cigre 23.05/34.07, AWWA, AMWA,
  PE, WGE, DTE, others
• Manufacturers SCADA (8 hw, 2 sw), 3 crypto
• Monitoring DoE PNNL/SNL, ISA, BCIT, UNC

7
Current Efforts

• American Gas Association
• AGA Report 12-1 imperatives
• Low-cost retrofit
• Transparent existing systems must continue to
  operate
• Follow published national standards
• Products must conform to FIPS Publication 140-2
• Algorithms must be evaluated by industry experts
• Products must be validated by a CMVA lab
• Threat based on outsiders
• between the fences
• Serial-based field communications
• Vendor interoperability
• Building block to new product designs

8
Current Efforts

• American Gas Association
• AGA Report 12-1 product specifications
• Authentication shared secret or blind-faith PKI
• Signing RSA or ECDSA
• Confidentiality 3DES or AES-128, CBC for
  non-replay
• Native protocol filtering
• Configurable plaintext pass-through
• Integrity SHA-1
• Key Exchange X9.44 or X9.63
• Validation FIPS Publication 140-2 Level 2
• Dual RS232 asynchronous ports
• Operate at line speeds, 115Kbps
• Pass-through communications device (modem)
  commands
• Optional management port
• AGA specified link layer protocol

9
Current Efforts

• EPRI
• Just starting, second meeting in Dallas (9/02)
• Charter
• Electrical utilities only
• Retrofit, serial-based field communications
• Supported by
• Vendor Honeywell
• Imperatives
• Specifications for field communications based on
  power-relay in-plant timings (IEEE P1525)

10
Current Efforts

• National Institute of Science and Technology
• Process Control Security Requirements Forum
  (PCSRF)
• Started May 2002
• Charter
• Develop Common Criteria Security Policy for
  industrial automation networks
• Operating networks and enhance new product
  designs
• Supported by
• American Gas Association
• Automobile and heavy equipment manufacturers
• Chemical manufacturers
• Instrumentation Standards Association

11
Current Efforts

• National Institute of Science and Technology
• Process Control Security Requirements Forum
  (PCSRF)
• Current Activities
• Developing Security Policy Specifications
  document
• Funding evaluation of effect of adding
  cryptographic overhead to existing products and
  systems
• Performed by Gas Technology Institute

12
Current Efforts

• Department of Energy
• Pacific Northwest National Lab
• Bench-test of SCADA products and system
• Idaho National Electrical Lab
• Field-test of SCADA products and system
• Sandia National Lab
• Developing a Common Criteria Protection Profile
  for SCADA products and systems
• Vulnerability Assessment methodology for water
  utilities
• Disruptive Technology Innovations
  Partnership/DoD-DIA (hosting today)
• Office of Energy Assurance

13
Current Efforts

• Environmental Protection Agency
• Mandating Vulnerability Assessments of all water
  utilities
• Federal Energy Regulatory Commission
• Mandating Vulnerability Assessments of all
  electrical generators, operators, and brokers
• British Columbia Institute of Technology
• Compiling a list of current utility hacks, 40
  reports
• Instrumentation Standards Association
• Security standards for embedded processors and
  RTOS

14
Current Efforts

• Developing policy (DoE/EPA/CIAO)
• Developing Threat Assessments Scenarios (DIA)
• Compiling attacks (BCIT)
• Mandating Vulnerability Assessments (FERC EPA)
• Developing Security Policies (NIST PCSRF)
• Developing Protection Profiles (DoE SNL)
• Developing product specifications (ISA, AGA
  EPRI)
• Developing products (multiple vendors)
• Quantifying effect of adding protection
  (NIST/GTI)
• Evaluating the effectiveness (GTI, NIST DoE
  PNNL/INEL/SNL)

15
What should we be doing

• National policies practices
• Real policies from federal agencies, not
  feel-good documents like FERC NOPR
• Mandate operators and vendors to implement
  security measures
• NTSSPS-like mandate - if the Fed uses it, it
  must be secure
• Develop meaningful Security Policies based on
  national standard
• Recognize and address implied threats due to
  deregulation public networks
• Recognize acceptable use practices
• Continue expand Vulnerability Assessments
  mandates
• Implement security corrective measures

16
What should we be doing

• National policies practices
• Funding for research, development
  implementation
• Current market conditions
• No federal or association mandate to implement
  security
• No operator support due to fear of Y2K-like
  realities
• SCADA vendors not seeing customer demand or
  consistent specifications
• Vendor investment vs. sales potential too high,
  limited ROI, low expectation of profitability
• Result of not funding
• Natural evolution (technology refresh) 7-15 years
  likely
• Vendors imbedding pseudo security into products
• Inconsistent/incompatible vendor implementations

17
What should we be doing

• Product specifications and development
• More effort developing national Security Policies
  (SP) and device Protection Profiles (PP)
• Consolidate competing product specifications
• Rework specifications to meet SP and PP
• Remove complexity of running a PKI, yet meet SP
  and PP requirements
• Need a national Certificate Authority for
  vendors, to insure operability
• Develop forensics capabilities for SCADA, DCS,
  EMS, DMS, PR
• Native Industrial Automation Protocol Intrusion
  Detection Systems

18
Summary

• Thank you,
• Questions?
• Paul Blomgren
• Manager, Sales Engineering
• Mykotronx, Inc
• 357 Van Ness Way, Suite 200
• Torrance, CA 90501
• 310.533.8100 ext 6254
• pblomgren_at_mykotronx.com
• www.rainbow.com
• www.mykotronx.com