Professional Documents
Culture Documents
8 - Cybersecurity
8 - Cybersecurity
04/2011
Business Chalenge
2
Addressing the business challenge
● How?
● Increasing the automation network availability
●Provide backup path in case of failure
●Reduce the network reconfiguration time (while using
redundancy)
●Embedding the redundancy at the IEDs level
● Securing the automation assets (and critical cyber assests)
●Provide secure access via access level and device hardening
features
●Provide the appropriate knowledge to people interacting with IEDs
– Reduces the probability of mis-configuration during configuration
and maintenance phases
– Reduces the likelihood of potential exploitation loss time
●Organizations must put in place complementary and stringent
procedures to maintain cyber security
Comprehensive Offer
4
Product Oriented solutions
Cyber security for IEDs
8
Process Oriented solutions
Patch Management
9
Process Oriented solutions
Training
● Designed for engineers, technicians and management people (power
utilities)
● The customer will have to write the procedures to adapt the practices to
the standard.
10
Customer cases & references
11
Case study: Manitoba Hydro
● Schneider Electric has been awarded a 5M Canadian dollar tender
to provide a substation automation solution enhanced with cyber
security.
● Project delivery is spread over three years, with the first delivery
scheduled for the end of 2010.
12
Cyber security example in PACiS DCS
● DOLPHIN project (O&G Qatar)- 2009
● Anti-virus solution implemented in the local HMI and the Engineering Work-Station
● Password (2 levels) for all local HMI and the Engineering Work-Station
13
Cyber security example in PACiS DCS
● Channel Train Railway Line – 4 SS (Transportation UK)-
2006
● Physical identification of the operator at local HMI level using
magnetic card with specific rights
● Physical security of all PACiS elements (PC, IED, GTW) by key-lock
cabinets
RTU
CMT Light IP Network or Scada
(Local) IP over SDH/Sonet
RTU or IP over TDM
Security
Server
SubStation defined as
Security perimeter
(NERC)
16
Password recovery process
17
IED User Contact Centre
User looses the
password
Device resets
passwords to default
19
Standards:
The philosophy / the Golden rules
set-up an organization/processes to allow an assigned
people to do what he has been trained for
20
Appendix
21
NERC CIP overview
● CIP-002-1 Critical Cyber Assets
● Define and document the Critical Assets and the Critical Cyber Assets
● CIP-003-1 Security Management Controls
● Define and document the Security Management Controls required to protect the Critical Cyber
Assets
● CIP-004-1 Personnel and Training
● Define and Document Personnel handling and training required protecting Critical Cyber
Assets.
● CIP-005-1 Electronic Security
● Define and document logical security perimeter where Critical Cyber Assets reside and
measures to control access points and monitor electronic access.
● CIP-006-1 Physical Security
● Define and document Physical Security Perimeters within which Critical Cyber Assets reside.
● CIP-007-1 Systems Security Management
● Define and document system test procedures, account and password management, security
patch management, system vulnerability, system logging, change control and configuration
required for all Critical Cyber Assets.
● CIP-008-1 Incident Reporting and Response Planning
● Define and document procedures necessary when Cyber Security Incidents relating to Critical
Cyber Assets are identified.
● CIP-009-1 Recovery Plans
● Define and document Recovery plans for Critical Cyber Assets.
22
CIP-002 Critical Cyber Assets
● Description:
● CIP 002 are requirements about identifying critical assets and Critical Cyber
Assets
● The critical assets are the ones essential for the right operation of the electric
network
●Overhead lines, transformer…
● The critical cyber assets are the ones that uses a routable protocol to
communicate outside or inside the Electronic Security Perimeter; or are dial-up
accessible
●IED’s
● Manufacturer side:
● We can help the power utilities to create this list in an automatic way
● We can offer an audit to list the Cyber assets
23
CIP-003 Security Management Controls
● Description:
● Standard CIP-003 requires to have documents and implement a cyber
security policy that represents management’s commitment and ability to
secure its Critical Cyber Assets.
● Change control: document all entity or vendor-related changes to
hardware and software components
● Manufacturer side:
● We can help the power utilities to have an access control to its critical
assets by providing:
●Centralized Access control
●We can help the customer for the change control:
A section in all the documentation where
it describes changes affecting the hardware
and software.
24
CIP-004 Personnel and Training
● Manufacturer side:
● We offer a cyber security training
25
CIP-005 Electronic Security
● CIP-005 requires to have an Electronic Security Perimeter that
should be established,this ESP should provide the following:
● Disable ports and services that are not required
● Monitor and Log Access 24x7x365
● Perform Annual Vulnerability Assessments (at a minimum)
● Documentation of Network Changes
● Manufacturer side:
● All ports not used in the IED’s will be disabled
● Monitor the access at all access points of the ESP
26
CIP-006 Physical Security
● Manufacturer side:
● Nothing
27
CIP-007 Systems Security Management
● CIP-007 Systems Security Management covers the following points
● Test procedures
● Ports and services
● Security patch management
● Antivirus
● Account management
● Monitoring
● An annual vulnerability assessment should be performed
● Manufacturer side:
● All above
28
CIP-008 Incident Reporting and Response
Planning
● A cyber security incidents response plan should be
developed, including: defining incident response team and
responsibilities, and procedures.
● Manufacturer side:
● Nothing
29
CIP-009 Recovery Plans
● Manufacturer side:
● Not so much but
●Recovery plans guidelines
●Backup and restore documentation and guidelines
30