PNNL Cyber-Physical Security · 2018. 11. 13. · Protect • Digital Ants • SSCP • Cyber...
PNNL Control System Security Innovation
David Manz, PhD, Cyber Security Scientist
Nov. 14th 2018, APPA cyber security summit, Austin TX
Topics
• Testbeds: powerNET, cyberNET
• Applied research: PACIFIC, SSASS-E
• Transition to operations: Training, Commercialization
Science of Cyber Security
Problem: Treating cyber security as an applied science without a fundamental science foundation
Approach:
• Theories for the field to begin building a body of knowledge (ANSWERS)
• Methods for performing rigorous scientific experimentation and testing (TEST)
• Build upon successful research to identify key technology (DEVELOP)
Impact:
• Move toward symmetry for the defender
• Enable metrics – ability to measure
• Support decision making
Vision for a Testbed
• Experiment-based: fidelity and repeatability
• Simulated environments: low-level access to equipment
• Scalable: emulation and simulation
• Dynamic and flexible: user-friendly, common library of scenario templates, reset to a known state between configurations
• Multi-user capability: experiment and data separation, access controls
• Modular and expandable: federation capable
• Self-supported user community
• Cloud technology based orchestration with web based user portal
PNNL powerNET Facilities
Network Emulation
• Emulate LAN/WAN communication characteristics. Examples: dedicated line, dial-up, wireless
SCADA environments
• Real equipment to model ~2 substations (ABB, GE, Siemens, SEL, …)
• Software simulation of dozens of SCADA equipment
• Support for legacy communications
powerNET Facilities (cont.)
• Physical Process Emulation: hardware-in-the-loop modeling, Opal-RT large scale simulation
• Synchrophasors: 9 PMUs from a variety of vendors, 1 PMU development platform, 1 hardware PDC (many software PDCs possible)
• Up to ~1000 general purpose virtual nodes possible (XenServer hypervisor)
• Energy Management System: Alstom system
PNNL cyberNET Facilities
• Facility investment by PNNL: scientific experimentation, real world scenarios, cyber security metrics
• Leverages commodity hardware and commercial and open source software (Citrix XenServer, OpenStack); agent platform for user emulation
• PNNL modifications for science: repeatability, sensoring, control…
cyberNET Facilities (cont.)
• Combination of simulation, virtualization, and real equipment
• Repository for storage/retrieval of experiment data (120TB); supports development of “gold standard” test datasets
• Multi-user/multi-project support: share resources, quick setup/configuration
• Simulate up to ~4000 virtual nodes; currently 28 nodes (32 core, 256GB)
Proactive Adaptive Cybersecurity for Control (PACiFiC)
Problem:
• Operational technology (OT), [control systems & their environment], is in use in our high consequence infrastructures.
• Current OT is insecure, out of date, static, and targeted by our adversaries
Approach:
• Define secure design and development principles that apply to all OT systems
• Develop and test adaptive cyber defenses holistically
• Include human, cyber, communications, and process physics
PACiFiC in a Nutshell
PACiFiC Microgrid (PµG) Model
PµG topology specifications: 37-node feeder
Controllable Generation:
• 2 solar farms
• 3 roof-top solar
• 2 battery storage units
Controllable Load:
• n simulated buildings
• 1 real-world building
PACiFiC Progress
• Microgrid and Building Sandbox
• Sensor Fusion: 1. Operating Context, 2. Threat-Based Response
• Risk-Informed Action: 1. Deception, 2. Operational Segmentation
PACiFiC Progress
PACiFiC Impact
Outcomes:
• Demonstrations of measurably more secure, reliable, robust, and resilient control systems retaining performance
• Facilities for next generation OT testing, evaluation and experimentation
• Prototype technologies for analysis and defense of the OT environment
• Drive new & secure products to market
• Enable vendors to compete on security
• Promote testing and independent certification
• Enhanced national capability in measuring, testing, and demonstrating OT cyber security
Deliverables FY 19
PNNL Grid Cyber Security at a Glance
Collaboration with Academia, National Labs, Utilities, and Vendors.
Identify
• ARRA SGIG
• Procurement Language
• ES-C2M2 / Pilot Analytics
• NIST Framework & ES-C2M2 Mapping
• NERC CSSWG Support
Protect
• Digital Ants
• SSCP
• Cyber Security Component Manager
• GPS Security
• Secure Power System Professionals
• IEC 61850 Cybersecurity Acceleration
• Facilitate Secure ICCP
• Secure Coding
• Load Drop Study
• SIEgate
• Substation Watchdog
• SPIDERS
Detect
• Cybersecurity for EMS Decision Support
• SCI-FI
• CRISP
• CLIQUE
• Traffic Circle
• Scalable Reasoning System
Respond
• NERC E-ISAC GridEx
• FedSec
• LiveWall
• CORE
• Incident Response
Recover
• EDS Forensics
Build a Culture of Security
Assess & Monitor Risk
Develop & Implement New Protective Measures to Reduce Risk
Sustain Security Improvements
Manage Incidents
The PNNL Mission supports DOE with Incident Response, Exercises, Assessments, and Grid Cyber Research
SSASS-E: Safe, Secure Autonomous Scanning Solution for Energy Delivery Systems
An Innovative Solution for Real-Time Vulnerability Discovery and Monitoring
► Goal: This solution will develop, validate and verify innovative safe scanning methodology, models, architectures and produce a prototype to transform the most widely deployed vulnerability scanner in the IT space to secure operational technology (OT) installed in critical energy infrastructure.
► Technical Approach: Leverage, validate, verify and improve methodologies and technology supporting Tenable’s IT/OT platform, which is the world’s most widely deployed vulnerability, configuration, and compliance assessment product, in order to:
  ► Improve the state of the art in asset discovery and vulnerability identification of EDS for active, passive, intermittent and continuous scanning approaches
  ► Validate and verify methodologies for automatic safe scanning of legacy EDS, IT, OT and web applications to accurately identify vulnerabilities
► Outcomes/Impacts: Autonomous detection of vulnerabilities targeting EDS.
Partners: Tenable Security, Chelan County PUD, National Rural Electric Cooperative Association (NRECA), University of Illinois at Urbana-Champaign (UIUC), and Siemens.
Hands on Training
• Tailored content and format for the audience
• Worked with the utility industry on human factors
• Provided 1, 3 and 4 day training for USG analysts
• On site and remote training options as well
• Multi-directorate team
National Collegiate Cyber Defense Competition
• Fabricated 10 physical SCADA models: 3 Raspberry Pi + Codesys PLCs, 1 Arduino ground truth, lights, displays, etc.
• Developed 10 virtual substation environments: Wonderware HMI, Triangle MicroWorks SCADA Data Gateway, audit, log and IDS servers
• Real world protocols, architectures and applications
Commercializing Science and Technology
Problem: R&D has little value if it is not transitioned into operational environments
Technology Transfer: 150+ companies trace their origins to PNNL
• Secure SCADA Communication Protocol
• Serial Tap
SSCP Overview
• Designed and developed with industry guidance
• Meets control system security objectives: confidentiality, integrity, availability
• SSCP is going to ballot as IEEE standard 1711.2
Serial Tap
• Bump-in-the-wire tap sits in front of legacy devices
• Extends visibility into field locations
• Passive failure for no impact on operations
• Transmits in a form easily digestible by enterprise tools
• Light processing at the edge; centralization of data for high resource analytics
• Licensed to Cynash, https://cynash.com/
• Available now
New Opportunities
• Custom testing/experimentation environments for assurance and evaluation
• Assurance before technology is deployed
• Scientifically based, collaborative processes for validation and verification
• Evaluate consequences and risk for critical assets
• Tailored training and education for desirable cyber-physical intersections
David Manz, PhD, Senior Cyber Security Scientist, National Security Directorate
pacific.pnnl.gov