Formation of WG-5 Physical Security, Standard & spectrum

CYBER THREATS AND SECURITY FOR POWER SECTOR
By Vivek Goel, Director (DPD), CEA
Cyber threats in power sector
With the introduction of Information & Communication Technology (ICT) in the power sector, power systems are exposed to cyber space and have thus become vulnerable to cyber attacks.
• The introduction of the smart grid has opened up the power sector space to outsiders, as the smart grid is more and more dependent on IT systems.
• With automated operation of grid elements, the cyber space in the power sector has increased, and so have the cyber security vulnerabilities.
• With automation, an increased number of entry points and paths are now available to potential adversaries, and an attack on smart meters and smart appliances may lead to commercial loss apart from a breach of privacy of individual consumers at distribution level.
Power sector areas where cyber threats are to be dealt with
1. Information Technology for system operation
– Grid SCADA systems
– System Data Acquisition System (DAS)
– Outage Management System / Distribution Management System of DISCOM
– Advanced Metering Infrastructure (AMI)
2. Information Technology for other business functions
– Metering, Billing and Collections
– Consumer Web Portal
– Office IT
3. Communication Systems for coordination amongst operators and the above data exchange / processing nodes
Impact of cyber attack in power sector
Impact of cyber attack in Generation sector
• Any cyber attack on a generation plant can bring the whole plant down and lead to an outage of that generation capacity.
• A vulnerability in the control systems used across a set of plants can lead to a possible safety incident if exploited simultaneously.
• However, a cyber attack at one node may not disrupt multiple plants, and grid operation planning takes care of the single-plant disruption contingency.
Impact of cyber attack in power sector
Impact of cyber attack in Transmission sector
• Power transmission is geographically spread across the country, and deployment of SCADA systems is necessary for efficiently monitoring and effectively controlling the transmission system. Any attack on the SCADA/EMS systems will jeopardize controlling/monitoring of the grid, which will impact reliability of the power system.
• A coordinated cyber incident at critical grid nodes (substations) can also cause disruptions in the integrated operation of the grid.
• Cyber attacks on substation automation systems can cause damage to equipment in the substations and endanger the safety of operating personnel; the impact will be localized but could be severe depending on the criticality of the node.
Impact of cyber attack in power sector
Impact of cyber attack in Distribution sector
• IT penetration in the Indian distribution sector for control and operation is relatively low; it is presently concentrated in MIS, metering and billing. A cyber incident in distribution may not affect the operation of the grid. However, distribution system operations are increasingly being centralized, and any cyber incident at the central location can cause power supply failure. A disruption to critical infrastructure/customers like hospitals, metro and railways is of strategic concern.
• Interruption of, or wrong reporting in, data collected through Advanced Metering Infrastructure (AMI) may result in wrong or no operational decisions.
Computer Emergency Response Team-India (CERT-In)
The Information Technology Act 2000 & Amendment Act 2008 designate CERT-In as the national nodal agency to perform the following functions in the area of cyber security:
• Collection, analysis and dissemination of information on cyber incidents
• Forecasts and alerts of cyber security incidents
• Emergency measures for handling cyber security incidents
• Coordination of cyber incident response activities
• Issue of guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
• Such other functions relating to cyber security as may be prescribed
CERT-In enabling assistance
• Development and implementation of a sectoral crisis management plan (CMP) in line with the National Crisis Management Plan (CMP) of CERT-In.
• Remote profiling of IT systems and networks to determine the cyber security posture.
• Cyber security drills to enable organizations to assess their preparedness to resist cyber attacks and to enable timely detection, response, mitigation and recovery actions in the event of cyber attacks.
CERT-In enabling assistance
Information security management best practices as per international standards have been mandated for compliance within Govt. and critical sectors. The following enabling actions have been taken to assist compliance efforts, covering process, product, system and people:
• Certification scheme as per the ISO 27001 standard
• Tool for assisting ISMS implementation and self-assessments
• Cyber Security Assurance Framework
• Security test/evaluation facility for test and evaluation of IT products as per the ISO 15408 Common Criteria standard
• Empanelment of IT security auditing organisations for IT infrastructure audits for Govt. and critical sectors
• IT security skill-specific training courses for people
• Guidelines for infrastructure security, user-end equipment security and information security
Various cyber threats listed in the CMP of CERT-In
Cyber threats
Large-scale defacement and semantic attacks on websites
• A website defacement is when a defacer breaks into a web server and alters the contents of the hosted website. In a semantic attack, attackers change the content of a web page subtly, so that the alteration is not immediately apparent. As a result, false information is disseminated.
Malicious code attacks (virus/worm/Trojans/botnets)
• Malicious code or malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Malicious code is hostile, intrusive, or annoying software or program code. Commonly known malware are viruses, worms, Trojans, spyware, adware and bots.
Large-scale SPAM attacks
• Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. SPAM mails may also contain viruses, worms and other types of malicious software and are used to infect Information Technology systems. As a result, spamming could disrupt e-mail services, messaging systems and mobile phone communications.
Various cyber threats listed in the CMP of CERT-In (contd.)
Cyber threats
Large-scale spoofing – Spoofing is an attack aimed at 'identity theft'. Spoofing is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining access to modify the original process/response or undermining legitimate operation, with or without illegitimate advantage to the perpetrator.
Phishing attacks – Phishing is an attack aimed at stealing 'confidential data', i.e. sensitive information such as usernames, passwords and credit card details, that can lead to online fraud.
Vishing attacks – Vishing is a combination of 'voice' and 'phishing'. It is the practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. It exploits the trust in landline telephone services and uses VoIP to trick the user.
Various cyber threats listed in the CMP of CERT-In (contd.)
Cyber threats
Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks
• DoS is an attempt to make a computer resource unavailable to its intended users. A distributed denial of service attack (DDoS) occurs when multiple compromised computer systems flood the communication link (bandwidth) or resources of a targeted system.
• DDoS attacks are launched through a botnet, which is a network of compromised computer systems called 'bots'.
Domain Name Server (DNS) attacks
• Attacks on DNS servers aim at denying the resolution of a domain name into an IP address or of reverse DNS queries, or at redirecting users and traffic to fake/malicious domains in some other country to disrupt internet and mail traffic in the country / domain of the target.
Application-level attacks
• Exploitation of inherent vulnerabilities in the code of application software such as web/mail/database servers and controllers.
Various cyber threats listed in the CMP of CERT-In (contd.)
Cyber threats
Infrastructure attacks
• Attacks such as DoS, DDoS, and corruption of software and control systems such as Supervisory Control and Data Acquisition (SCADA) and Centralized/Distributed Control Systems (DCS), gateways of ISPs and data networks.
Compound attacks
• By combining different attack methods, hackers could launch an even more destructive attack. Compound attacks magnify the destructiveness of a physical attack by launching a coordinated cyber attack alongside it.
Router-level attacks
• Routers are the traffic controllers of the Internet that ensure the flow of information (data packets) from source to destination. Routing disruption could lead to massive routing errors, resulting in disruption of Internet communication.
Various cyber threats listed in the CMP of CERT-In (contd.)
Cyber threats
High Energy Radio Frequency attacks
• Use of physical devices like antennas to direct a focused beam, which can be modulated from a distance to cause RF jamming of communication systems including wireless networks, leading to attacks such as Denial of Service.
Cyber espionage
• A targeted attack resulting in compromise of a computer system through social engineering techniques and specially crafted malware. The data from the compromised system is siphoned off to remote locations. Common channels of attack include spoofed/compromised email accounts of key officials.
Unauthorized access
• Targeted scanning, probing and reconnaissance of networks and IT infrastructure in sensitive Government and critical information infrastructure.
CYBER SECURITY STANDARDS / REGULATORY FRAMEWORK FOR POWER SYSTEMS:
Standards and guidelines can be used to help identify problems and reduce the vulnerabilities in an ICT system deployed for the power sector, thereby reducing cyber security concerns.
Relevant international standards:
• Product and application level – IEC 62351 parts 1 to 7
• IEC TC 57 WG15 security standards
• Organization and regulatory level – NERC CIP 002 through 009
• NIST Guide to Industrial Control Systems Security, SP 800-82
• NIST Guide to Smart Grid Cyber Security, NISTIR 7628
• Guidelines from the Centre for the Protection of National Infrastructure (CPNI), UK
National Initiatives
• The Department of Information Technology, Ministry of Communication and Information Technology, Government of India has prepared a Crisis Management Plan for countering cyber attacks and cyber terrorism, for preventing large-scale disruption in the functioning of critical information systems of Government, public and private sector resources and services.
• In December 2010, the Ministry of Power constituted CERT-Thermal (nodal agency: NTPC), CERT-Hydro (nodal agency: NHPC) and CERT-Transmission (nodal agency: PGCIL) to take necessary action to prevent cyber attacks on the utilities under their jurisdiction. The State utilities were requested to prepare their own Crisis Management Plan (CMP) and be in touch with the nodal agencies, i.e. NTPC, NHPC & PGCIL, and CERT-In for the necessary actions. The nodal agencies for Hydro & Thermal, i.e. NHPC & NTPC, have prepared Crisis Management Plans (CMP) for Hydro/Thermal power stations, and the nodal agency of CERT-Transmission, i.e. POWERGRID, is preparing a Crisis Management Plan (CMP) for the transmission sector. They are also participating in mock drills carried out by CERT-In and have also carried out audits of cyber security in their organisations.
National Initiatives
• The guidelines for the cyber security framework, issues and standards are being prepared by BIS in association with CPRI under Sectional Committee LITD-10, and the work on preparation of standards is in progress.
• Under LITD 10, it was decided to adopt the IEC/TS 62351-1 to 62351-7 specifications as Indian Standards, as these were considered to be important technical specifications from the security point of view. These 07 documents of the IEC 62351 series are still at the printing stage.
• Further, Panel 2 on Security, LITD 10/P2, has submitted the draft standard "Security Standard for Power Control Systems", which has been prepared indigenously. During the last meeting of LITD 10, held on 09 Jan 2013, it was decided that this draft standard would be sent into wider circulation for a period of one month to seek comments from stakeholders.
Immediate measures for prevention of cyber attacks
Physical Security:
• All vulnerable areas like the control centre area should be notified as a restricted area, and only authorized persons should be allowed to enter the area.
• Security should be manned round the clock by armed personnel of the Central Industrial Security Force (CISF) / other security agencies approved by GOI, equipped with metal detector systems etc.
• For important locations, e.g. the entry gate, building door, control room door etc., a video surveillance system should also be installed, and all movements may be monitored from the control room.
• The video images should also be continuously recorded for review, record and investigation purposes.
• Further, control room and computer room doors should be equipped with an access security system which can be opened with an identity card only, so that all the equipment deployed in the nerve centre is protected against intrusion and surveillance is performed to keep an integrity check.
Immediate measures for prevention of cyber attacks
Identification of critical cyber assets/areas:
• There is a need for formal identification/notification of critical cyber assets for:
– Major power station control rooms
– All LDCs, i.e. NLDC, all RLDCs and SLDCs
– All EHV-AC substations (>400 kV)
– HVDC stations (>500 MW)
– Generating plants
– Distribution grid feeders to critical infrastructure
• Risk assessment and vulnerability study in each area of responsibility:
– Generation plants
– All Load Dispatch Centres
– All transmission substations
– Distribution substations
• Creation & enactment of a Cyber Security Policy covering all the stakeholders of cyber space in the Indian power system.
Immediate measures for prevention of cyber attacks
Secure Product Deployment
• Deploy a secured network architecture for control centres.
• Deploy various network security products like firewalls, IDS/IPS, VPN, IPSec and a central logging server in line with CERT-In guidelines.
• Deploy physical access control devices at power utility premises, like CCTV cameras, biometric scanning etc.
• All application or proprietary software to be deployed in power system applications shall be tested for cyber vulnerabilities.
• Follow all the guidelines suggested by ISGTF / CERT-In.
Immediate measures for prevention of cyber attacks
Process management:
• Continuous evaluation of vulnerabilities.
• Device configuration management.
• Cyber security audit process management.
• Process of obscurity.
• Process of segregation.
• Necessary screening before choosing a process for outsourcing.
Personnel & Training Management:
• Authorized users of secured control rooms (Zone Blue) in the power sector should be adequately trained and certified.
• Certification of users shall entitle a person to a particular set of user access permissions to critical cyber assets.
• Other users with indirect access to the critical cyber assets should be trained in cyber security awareness.
• Each user action is to be logged and monitored to check employee behaviour at various levels for possible internal vulnerabilities, which are harder to tackle than intruders and do more harm.
Immediate measures for prevention of cyber attacks
Mock Drill
i) In view of the IT framework and the security of information, utilities have to develop a crisis management plan and undertake the periodic mock drill exercises initiated by CERT-In.
ii) Utilities need to continuously interact with CERT-In to imbibe all the new tools for mitigating risks from various cyber attacks.
iii) Utilities need to appoint a cyber security officer in their IT cell for cyber security.
iv) CERT-In has empanelled cyber auditors, and utilities may take the help of these cyber auditors.
The CMP of CERT-In also lists out the steps to be taken by organizations / utilities in case any cyber attack / crisis happens.
ROAD MAP FOR CYBER SECURITY IN INDIAN POWER SECTOR
• Harmonization of various standards and guidelines on cyber security for power systems in the Indian context.
• Formulation and enactment of a Cyber Security Policy for the Indian power sector in synchronization with CERT-Transmission / Thermal / Hydro.
• Strengthening of the communication network through laying of optical fibre cables by State transmission & distribution utilities.
• Preparation of a Disaster Recovery / Crisis Management Plan for countering cyber attacks in the system as per the "Crisis Management Plan for countering cyber attacks and cyber terrorism" issued by the Ministry of Communication & Information Technology, CERT-In.
ROAD MAP (contd.)
• Mitigation strategies for countering physical attacks have to be drawn up by all the power utilities.
• Capacity building through identification of agencies for training of personnel in cyber security aspects.
• Creation of a regulatory framework for cyber security in power systems.
• Vendor development for cyber security systems as per international/national standards.
• Identification of cyber security vulnerabilities through comprehensive annual security audits with respect to the best security practices employed in the power sector globally.
ROAD MAP (contd.)
• Establishment of security teams to identify, evaluate, work against and perform drills for possible attack scenarios.
• The Ministry of Power has constituted the following CERTs (Computer Emergency Response Teams), with the nodal agency identified for each:
– CERT-Hydro – NHPC
– CERT-Transmission – POWERGRID
– CERT-Thermal – NTPC
Power utilities may get in touch with these nodal agencies for necessary help regarding cyber security in their systems.
Cyber security aspect in Grid failure
The Central Electricity Authority constituted five Sub-Groups to enquire into the grid disturbance in the Northern, Eastern & North Eastern Regions on 30th and 31st July 2012. One of the sub-committees was to look into the cyber security aspects of the grid disturbance.
The sub-committee focused its examination on the following aspects:
– Status of IT intervention in the operation of the power sector
– Measures taken by various stakeholders to counter any possible cyber attack on their systems
– Communication facilities available between various stakeholders
Cyber security aspect in Grid failure
The committee, in the course of meetings with stakeholders, reviewed the existence of appropriate security policies and procedures as envisaged in the Crisis Management Plan prepared and circulated by CERT-In. Based on the feedback provided by the stakeholders during the discussion, it emerged that:
• No abnormal cyber event was observed by the stakeholders prior to or during the grid disturbances on either occasion.
• They have their own dedicated PLCC / fibre-optic based communication networks, which have no connection with the public domain.
• Adequate steps have already been taken by the various organisations including PGCIL, NTPC, NHPC & POSOCO to prevent cyber attacks on their systems, and they also have dedicated organisational policies in force.
• Regular cyber vulnerability tests / mock drills / cyber audits and other measures as per the Crisis Management Plan of CERT-In are reportedly being conducted by them.
Findings of the sub-committee for Grid failure
After going through the records, discussions & field visits, it is observed that the operations of generating stations and substations are primarily manual, and operations are done locally except in the case of a few 400 kV S/Ss which are controlled from remote locations through dedicated networks. At present there is no wide area network at generation / grid control level, and there is no communication with power utilities over the public domain. The sub-committee is of the opinion that this grid disturbance could NOT have been caused by a cyber attack.
Recommendations of the sub-committee for Grid failure
• Although it emerged that power sector stakeholders have taken adequate steps to prevent cyber attacks on their systems and also have dedicated organisational policies in this regard, considering the latest developments in SCADA and system automation, CERT-Thermal, CERT-Hydro and CERT-Transmission need to expedite the preparation of sector-based Crisis Management Plans (CMP) in line with the CMP prepared by CERT-In, considering the specific threats to their systems including SCADA and PLCs, and should also extend support to other concerned Central & State power utilities as per the mandate of the Ministry of Power.
• The existing communication network should be maintained properly. RTUs and communication equipment should have uninterrupted power supply with proper battery backup so that in case of total power failure, supervisory command & control channels do not fail.
Recommendations of the sub-committee for Grid failure (contd.)
• Regular cyber vulnerability tests / mock drills / cyber audits and other measures as per the Crisis Management Plan of CERT-In should be carried out regularly by all the stakeholders.
• The organizations need to create a mechanism to collect and analyze all events/logs across the networks to detect abnormal events and report the same to the sectoral CERT / CERT-In.
• A cyber audit specifically to detect malware targeting Industrial Control Systems (ICS) should be conducted at critical plants and substations after any abnormal event.
• A dedicated team of IT personnel for cyber security should be developed in all power stations and substations, and proper training for the team members should also be conducted regularly by the respective organizations to upgrade their skills.
• Mitigation strategies for countering physical attacks have to be drawn up by all the power utilities.
Recommendations of the sub-committee for Grid failure (contd.)
• A regulatory framework should be created for cyber security in the power sector.
• An office / body of cyber security auditors should be created within the power sector.
• Vendors for cyber security systems should be developed as per international / national standards.
• For smooth operation of grid systems, it is absolutely important that all the power generating and distributing stations are connected on a very reliable telecom network.
• A proper network may be built up, preferably using MPLS (Multi Protocol Label Switching), which is simple, cost effective and reliable. In remote places where connectivity is a problem, the stations can use dedicated fibre cable from the nearest node.
• Since the power grid has its own fibre-optic cables, practically covering all major nodes and power stations, a proper communication / IT network may be built using dedicated fibres to avoid any cyber attack on the power system.