SMART GRID SECURITY IN EPBIH - bhkcigre.ba · EPBiH has developed ISMS based on ISO 27001 standard...


Page 1:

SMART GRID SECURITY IN EPBIH

Andrea Hrustemović, Expert associate for IT Security

Adnan Ahmethodžić, Expert associate for technical information systems

JP Elektroprivreda BiH d.d. Sarajevo

Page 2:

ABOUT THE COMPANY

JP Elektroprivreda BiH d.d. Sarajevo (Public Enterprise Electric Utility of Bosnia and Herzegovina) is the largest electric utility company whose activities include:

► Generation and distribution of electricity

► Supply of electricity

► Trading of electricity

► Export and import of electricity, including the management of the electricity system

Page 3:

ELEMENTS OF SMART GRID IN EPBIH

► SCADA/EMS – real-time data collected from remote terminal units (RTUs) for monitoring and control on the distribution and production level

► AMM/AMR system – smart meter data collection and management on the distribution and production level

► MDM – meter data management for collection and processing of smart metering data

► Hydrology stations monitoring system

► Electric vehicle charging points monitoring system

Page 4:

AMR – EPBIH IMPLEMENTATION - PRODUCTION LEVEL

[Diagram: AMR production-level architecture. Advance systems at Direkcija, NOSBiH, TE Tuzla, TE Kakanj and HE na Neretvi, each on a local LAN, connected over the WAN to the SEP2W system at ED Sarajevo.]

► System is dated to 2009, basic security policy

► 1st upgrade in 2012, no major improvements

► Pen. test in 2013

► 2nd upgrade in 2015, after the pen test:

► VLAN implementation in the central system

► VMs as part of the data center, access lists, domain and AD integration

► Patching and update policies

► Last, local AMRs transferred to local VM systems

Page 5:

SCADA – EPBIH IMPLEMENTATION - PRODUCTION LEVEL

► System is dated to 2001, basic security policy

► 1st upgrade in 2007, no major improvements

► First pen. test in 2012

► 2nd upgrade in 2012, during the pen test

► 3rd upgrade in 2015: VLAN implementation

► Access lists, domain and Active Directory integration, patching and update policies

► SCADA as part of the data center (VMs)

Page 6:

HYDROLOGY MONITORING

► System is dated to 2000, basic, with modem connections

► 1st upgrade in 2013, became a distributed system with a GPRS connection module

► No pen. test has been done

► System is on a VM; access lists, domain and Active Directory integration

► Patching and update policies

Page 7:

EV CHARGING POINTS MONITORING SYSTEM

► System is to be installed in 2019, basic functionality

► System will be cloud based

[Diagram: EV charging points monitoring system architecture (labels translated from Bosnian). Charging station management system; standards IEC 61851-1 and ISO 15118 towards the charging points; OCPP, with IEC 63110 (future); roaming provider or e-mobility provider, reached over OCHP, OCPI, eMIP and OICP; DMS, reached over OpenADR and OSCP; mobile app / web portal access over https; various external systems via an API interface: electronic payment, billing and invoicing system, contact centre.]

Page 8:

SCADA – EPBIH IMPLEMENTATION - DISTRIBUTION LEVEL

► System is dated to 2009, basic security policy

► Last upgrade in 2014, became a distributed system (Zenica and Travnik on the same platform)

► No pen. test has been done

► System is on separate hardware; access lists through passwords with different rights (different user and admin privileges)

► Manual patching and update policies

Page 9:

AMM – EPBIH IMPLEMENTATION - DISTRIBUTION LEVEL

[Diagram: AMM distribution-level architecture (labels translated from Bosnian). Elements: meters (B) in households; narrowband PLC; concentrators (K) at TS 10/04 substations; DRM; FO; EPBiH telecom (TK) system; telecom operators (GPRS); customer disconnection over PSTN/GSM; AMM centre behind a firewall with communication servers, database server and application server; readings and events.

Legend: B – meter; K – concentrator; PLC – narrowband PLC communication; DRM – digital radio network; FO – optical transmission network; PSTN – public telephone network; GPRS – wireless data transfer over the GSM network.]

► System implementation started in 2008 in ED Sarajevo as a pilot project

► Expansion of the system to all five distribution areas

► Currently around 100 thousand smart meters included

► Decentralized architecture, virtualized servers, three meter vendors

► Pen. test in 2013, including only communication from the data concentrator to the meters

► Communication of the AMM center with smart meters through telecom operators (GPRS network) and EPBiH telecom infrastructure

► Dedicated AMM VLAN, secure communication through the GPRS network

Page 10:

MDM – EPBIH IMPLEMENTATION

[Diagram: MDM data flows (labels translated from Bosnian). Systems: web portal, SOEE, DISP, CRM, SDO, DEEO, five SEP2W instances, Advance, BI, MDM, AM, MRM, other suppliers. Data flows: metering point (MM) master data, creation of metering devices, readings and events, billing determinants, meter master data, customer consumption data, transformer area data, topology, metering device (MU) master data, energy data, load profiles, planned outages and faults.

Legend: implemented data flows; future data flows; existing systems; planned systems / systems under implementation.]

► MDM (Meter Data Management) aggregates meter reading data and events from all AMM and AMR systems

► MDM exchanges data with other parts of the information system for the purpose of different business processes, currently:

► Billing system (customer consumption)

► CRM (service point master data)

► Web portal (customer consumption)

► Business intelligence (data analytics)

Page 11:

CYBER SECURITY – WHAT HAS BEEN DONE ...

► EPBiH has developed an ISMS based on the ISO 27001 standard

► Policies: Information Security Policy, Information Security Policy for third parties, Data Classification Policy, ISMS Metrics Policy for measuring performance, Policy of Physical and Environmental Protection of ICT Assets, Policy for Acceptable Use of IT Assets

► Methodologies: Information Security Risk Assessment methodology

► Plans: Data Protection Plan for protection of personal data collections

► Procedures: IS risk assessment, backup, remote access, software development, auditing procedure integrated with the ISO 9001 audit procedure...

► Prepared educational materials on information security for all employees; training for C-level and middle management

► Penetration tests for the SCADA system, AMR system on the production level and AMM on the distribution level

► BIA – Business Impact Analysis of ICT services in 2014; SCADA at the production level identified as a critical ICT service

Page 12:

SOME IDENTIFIED RISKS AND TREATMENTS FOR SCADA SYSTEMS

► Identified risk: Security patches not installed; operating systems not updated or upgraded regularly.
Risk treatment: There is no formal procedure for regular update and upgrade of the operating system and security patches for SCADA.

► Identified risk: The SCADA network was not segregated from the rest of the network.
Risk treatment: Logically isolated SCADA network within the EPBiH network.

► Identified risk: Privileged access control rules and password policies for access were not established.
Risk treatment: Access control for administration of SCADA is established for the SCADA administrator on the production level. SCADA on the distribution level has local admin policies for administrators and access control is established on a basic level. A password policy is not established.

► Identified risk: The ISMS was not built at that specific moment.
Risk treatment: ISMS documentation (i.e. Information Security Policy, Information Classification Policy, Access Control Policy); the process started in 2012 and continued in 2014 during the project of implementing the ISMS in accordance with ISO 27001.

Page 13:

SOME OF IDENTIFIED RISKS AND TREATMENTS FOR AMR/AMM SYSTEM

► Identified risk: The application used for the AMM system did not pass any secure coding tests and has security vulnerabilities. Even after a discovered vulnerability of the application used in the AMM/AMR system was pointed out to the vendor, the vendor did not make any corrections in the code.
Risk treatment: Only communication in the private network or private VPNs is allowed, and only certain users have roles and rights to access the management application.

► Identified risk: Operating system vulnerabilities.
Risk treatment: Operating systems have been changed or patched, or hardened, for all elements of the AMR/AMM system.

► Identified risk: A password policy for smart meters and the management application is not set up; no password manager functions.
Risk treatment: A technical recommendation was made that prescribes a password change for all elements of the AMM system.

Page 14:

CYBER SECURITY – CURRENT SITUATION

► The established ISMS framework is not applied in EPBiH and the system has not been revised since 2015

► There is no Chief Information Security Officer (or similar) role that is independent from the ICT department

► IS risk assessment is not automated; it is occasionally done by some employees and only for purchases that are considered security sensitive (it has been done only for ICT purchases, i.e. personal data protection, highly confidential classified information)

► Penetration tests have not been performed since 2014

► No vulnerability assessment tools for automatic vulnerability/risk detection

Page 15:

CYBER SECURITY – PLANS FOR THE FUTURE

NEW SCADA/OMS/DMS project and defined cyber security requirements:

► Logically separated network and domain

► Single Sign-On within the SDO domain

► Access control and account management, password policy, access logging, failed logon attempts control

► SDO patch management

► Secure coding tests – implementation

► Defined list of used ports and protocols

► Host-based firewalls

► Encryption mechanisms for data exchange in the SDO system

► Disabled removable media devices

► Backup and restore procedures

► Remote access procedure
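The "access logging, failed logon attempts control" requirement above is usually enforced as a sliding-window lockout that writes every decision to an audit trail. The block below is an added example of that control and is not code from the EPBiH presentation or from any SCADA/OMS/DMS product. Everything in it is assumed for illustration: the one-line log format, the user names and IP addresses in the constructed sample log, and the policy values (five failures within ten minutes lock the account for thirty minutes). It also covers the two edge cases such a control must get right: a correct password presented while the lock is active is still refused, and failures spaced further apart than the window do not accumulate.

```python
"""Failed-logon-attempt control with access logging (added example).

Not EPBiH's code. Log format, names, addresses and thresholds are assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values (illustrative, not EPBiH's): lock an account after
# MAX_FAILURES failed logons within WINDOW, for LOCKOUT.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)


@dataclass
class LogonEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_line(line):
    """Parse one constructed log line: '<ISO time> <user> <source ip> LOGIN_OK|LOGIN_FAIL'."""
    ts, user, src, result = line.split()
    if result not in ("LOGIN_OK", "LOGIN_FAIL"):
        raise ValueError(f"unknown logon result: {result!r}")
    return LogonEvent(datetime.fromisoformat(ts), user, src, result == "LOGIN_OK")


class FailedLogonControl:
    """Applies the lockout policy and records every decision in an access log."""

    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of failures inside WINDOW
        self.locked_until = {}              # user -> time at which the lock expires
        self.audit = []                     # access log lines, one per decision

    def _log(self, ev, action, **fields):
        extra = " ".join(f"{k}={v}" for k, v in fields.items())
        self.audit.append(f"{ev.ts.isoformat()} {action} user={ev.user} src={ev.src} {extra}".rstrip())

    def process(self, ev):
        """Return one of: allowed, failed, locked, denied_locked."""
        recent = self.failures[ev.user]
        # Drop failures that have fallen out of the sliding window.
        while recent and ev.ts - recent[0] > WINDOW:
            recent.popleft()

        until = self.locked_until.get(ev.user)
        if until is not None and ev.ts < until:
            # Even a correct credential is refused while the lock is active.
            self._log(ev, "DENY", reason="locked", until=until.isoformat())
            return "denied_locked"

        if ev.ok:
            recent.clear()
            self.locked_until.pop(ev.user, None)
            self._log(ev, "ALLOW")
            return "allowed"

        recent.append(ev.ts)
        self._log(ev, "FAIL", count=len(recent))
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ev.user] = ev.ts + LOCKOUT
            recent.clear()
            self._log(ev, "LOCK", until=self.locked_until[ev.user].isoformat())
            return "locked"
        return "failed"


# Constructed sample log: five rapid failures for scada_op1 trigger a lock, a
# correct logon during the lock is still denied, the lock has expired by 08:40,
# and scada_op2's two failures are too far apart to count together.
SAMPLE_LOG = """\
2019-03-01T08:00:00 scada_op1 10.1.20.5 LOGIN_FAIL
2019-03-01T08:00:20 scada_op1 10.1.20.5 LOGIN_FAIL
2019-03-01T08:00:40 scada_op1 10.1.20.5 LOGIN_FAIL
2019-03-01T08:01:00 scada_op1 10.1.20.5 LOGIN_FAIL
2019-03-01T08:01:30 scada_op1 10.1.20.5 LOGIN_FAIL
2019-03-01T08:02:00 scada_op1 10.1.20.5 LOGIN_OK
2019-03-01T08:05:00 scada_adm 10.1.20.9 LOGIN_OK
2019-03-01T08:40:00 scada_op1 10.1.20.5 LOGIN_OK
2019-03-01T09:00:00 scada_op2 10.1.20.7 LOGIN_FAIL
2019-03-01T09:15:00 scada_op2 10.1.20.7 LOGIN_FAIL
"""


def evaluate_log(lines):
    """Run the control over log lines; return the per-event outcomes and the controller."""
    ctl = FailedLogonControl()
    outcomes = [ctl.process(parse_line(line)) for line in lines if line.strip()]
    return outcomes, ctl


if __name__ == "__main__":
    outcomes, ctl = evaluate_log(SAMPLE_LOG.splitlines())
    for entry in ctl.audit:
        print(entry)
```

The `audit` list stands in for wherever the access-logging requirement ships its records; in practice it would be written to a central log store rather than kept in memory. A pure per-account lockout can also be turned against operators by anyone who can reach the logon interface, so deployed controls normally combine it with per-source throttling and an alert on every LOCK entry rather than relying on the hard lockout alone.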

Page 16:

CONCLUSION

► Secure coding for smart grid applications – the manufacturer should take care of coding

► Building and maintaining the ISMS according to the PDCA cycle, with special focus on the smart grid

► CISO function independent from the ICT department

► IT security awareness raising – a continual process – top management

► Automated tools for risk assessment

► Documented systems

► Penetration test of the smart grid system before production

Page 17:

QUESTIONS?