
Cyber Security

04/2011
Business Challenge

● Ensure a high level of reliability and continuous availability of the bulk power system
Addressing the business challenge

● How?
● Increasing the automation network availability
  ● Provide a backup path in case of failure
  ● Reduce the network reconfiguration time (while using redundancy)
  ● Embed the redundancy at the IED level
● Securing the automation assets (and critical cyber assets)
  ● Provide secure access via access levels and device hardening features
  ● Provide the appropriate knowledge to people interacting with IEDs
    – Reduces the probability of mis-configuration during the configuration and maintenance phases
    – Reduces the likelihood of exploitation and the time lost recovering from it
  ● Organizations must put in place complementary and stringent procedures to maintain cyber security

Cyber Security is a system solution
Schneider Electric solution

● Enhancing the automation network with:
  ● Redundancy solution
    ● Schneider has the best solution (fastest recovery time in the market), implemented across the product range (stand-alone switches and embedded in IEDs)
      – Self Healing Protocol: redundant ring topologies, with a network reconfiguration time < 1 ms (entire network)
      – Dual Homing Protocol: redundant star topologies, 0 ms reconfiguration time
  ● Cyber security offer
    ● Schneider cyber security approach
      – Product Oriented Solutions
      – Process Oriented Solutions

Comprehensive Offer
Product Oriented solutions
Cyber security for IEDs

● Feature implementation at IED, tools and switches level:
  ● Access control
  ● Hardening
  ● Log and event management
  ● User banner and disclaimer
  ● Traffic segregation (VLANs; MiCOM Hxxx)
  ● Redundant Ethernet topology (bump-less)

● A large number of our IEDs and their configurators offer cyber security features, such as MiCOM Px4x, MiCOM C264 and the MiCOM H series.

Rolled out in a large variety of products
Product Oriented solutions
Antivirus

● Specially tailored to devices running automation applications such as protocol gateways

● Antivirus signature base updates can be done:
  ● Using a direct link with the update server (if a direct internet connection is available)
  ● Using removable media (mobile memory); the media then crosses the security perimeter and must itself be controlled

● Best Practice document available on antivirus use

● Antivirus licenses from 1 to 3 years

● Possibility to choose the appropriate support level required by your organization

Specific to the automation applications
Process Oriented solutions
Patch Management

● The patch management process enables us to detect, mitigate and disclose information on potential vulnerabilities that may affect our products and systems.

● The process is as described below:
  ● Detection:
    ● The development team assures a high level of quality and security for new product developments by natively embedding security features.
    ● Feedback is regularly collected from our customers.
    ● Our products are tested in extreme environments and are submitted to break-it tests before release.
    ● The support team is continuously in contact with customers to address any potential issue. This enables the support team to raise specific cyber security related issues to the appropriate team for mitigation, correction and communication.
  ● Mitigation:
    ● If a potential security threat is detected, the appropriate R&D team performs the assessment and the correction of the security threat. If the security threat cannot be addressed by a technical solution, a technical or procedural countermeasure is provided.
  ● Disclosure:
    ● Website access is provided to customers interested in security updates and patches.
    ● Appropriate users can be notified of critical vulnerabilities and patches by security bulletins.
Process Oriented solutions
Patch Management

● Tools are available to assess the security of a solution / product
Process Oriented solutions
Patch Management

● A web site is available to communicate on vulnerabilities
Process Oriented solutions
Training

● Designed for engineers, technicians and management people (power utilities)

● Makes participants understand the cyber security basics, the applicable standards, the Schneider Electric offering and the operational strategies to strengthen their security policy, by providing guidelines and best practices.

● The customer will still have to write the procedures that adapt these practices to the standard.

● The training consists of 5 modules:
  ● Module 1: Introduction to cyber security
  ● Module 2: Cyber security basics
  ● Module 3: Cyber security standards
  ● Module 4: Cyber security offer
  ● Module 5: Architectural and Operational Strategies (Practical)
Customer cases & references

Case study: Manitoba Hydro

● Schneider Electric has been awarded a 5M Canadian dollar tender to provide a substation automation solution enhanced with cyber security.
● Project delivery is spread over three years, with the first delivery scheduled for the end of 2010.
Cyber security example in PACiS DCS

● DOLPHIN project (O&G Qatar) – 2009
  ● Anti-virus solution implemented in the local HMI and the Engineering Work-Station
  ● Password (2 levels) for all local HMIs and the Engineering Work-Station

● NGT – 400/220kV 7 x SS (Transmission – UK) – 2002/2009
  ● Physical identification of the operator at local HMI level using a magnetic card with specific rights
  ● Dedicated archiving of the user local HMI log-on/log-off

● RATP project – (Transportation – France) – 2007
  ● Physical security of all PACiS elements (PC, IED, GTW) by lock cabinet with specific rights
  ● Dedicated archiving of the user local HMI log-on/log-off
Cyber security example in PACiS DCS

● Channel Train Railway Line – 4 SS (Transportation – UK) – 2006
  ● Physical identification of the operator at local HMI level using a magnetic card with specific rights
  ● Physical security of all PACiS elements (PC, IED, GTW) by key-lock cabinets

● Qatar Phase 8 – 28 SS (Transmission – Qatar) – 2008/2011
  ● Anti-virus solution implemented at substation level
  ● Physical security of all PACiS elements (PC, IED, GTW) by key-lock cabinets
  ● Unused communication ports disabled

● Crystal Computing – Google project – (Infrastructure – Belgium) – 2010
  ● Physical security of all PACiS elements (PC, IED, GTW) by key-lock cabinets
  ● Dedicated archiving of the user local HMI log-on/log-off
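Several of the references above archive the operator log-on/log-off at the local HMI, where the operator is identified by a magnetic card with specific rights. An archive is only useful if someone replays it. The script below is an added example, not PACiS code: it reads a constructed log-on/log-off trail and flags the cases a reviewer wants to see (a card not in the register, a card granted rights other than those registered, the same card active on two HMIs at once, a log-off with no log-on, a session that runs far past a shift, and a session never closed). The line format, the card register and the sample lines are assumptions made for this example.

```python
"""Review of an archived local-HMI log-on/log-off trail.

Constructed example (not PACiS code): it replays the kind of log-on/log-off
archive the references above describe and flags what a reviewer should see.
The line format, card register, site names and log lines are assumptions
made for this example.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<hmi>\S+) (?P<event>LOGON|LOGOFF) card=(?P<card>[0-9A-F]+)"
    r"(?: rights=(?P<rights>\S+))?$"
)

# Constructed card register: magnetic card id -> rights issued to its holder.
CARD_REGISTER = {
    "4F2A91": "operator",
    "7C10E3": "engineer",
}

# Constructed archive: a normal shift, one card active on two HMIs at once
# (cloned or shared card), a card absent from the register, and a session
# that is never closed.
ARCHIVE = """\
2010-03-12T06:58:10 SS01-HMI1 LOGON card=4F2A91 rights=operator
2010-03-12T15:02:44 SS01-HMI1 LOGOFF card=4F2A91
2010-03-12T15:10:03 SS01-HMI1 LOGON card=7C10E3 rights=engineer
2010-03-12T15:12:51 SS01-HMI2 LOGON card=7C10E3 rights=engineer
2010-03-12T16:40:00 SS01-HMI2 LOGOFF card=7C10E3
2010-03-12T16:41:20 SS01-HMI1 LOGOFF card=7C10E3
2010-03-12T22:15:37 SS01-HMI2 LOGON card=99ABCD rights=operator
2010-03-12T22:16:02 SS01-HMI2 LOGOFF card=99ABCD
2010-03-13T07:01:15 SS01-HMI1 LOGON card=4F2A91 rights=operator
"""


def parse(archive):
    """Yield (timestamp, hmi, event, card, rights); malformed lines are skipped."""
    for raw in archive.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["hmi"], m["event"],
                   m["card"], m["rights"])


def review(archive, register, max_session=timedelta(hours=12)):
    """Replay the trail; return a list of (kind, card, detail) findings."""
    findings = []
    open_sessions = {}  # (card, hmi) -> log-on time
    for ts, hmi, event, card, rights in parse(archive):
        if event == "LOGON":
            if card not in register:
                findings.append(("unknown_card", card, f"{hmi} at {ts.isoformat()}"))
            elif rights != register[card]:
                findings.append(("rights_mismatch", card,
                                 f"register says {register[card]}, HMI granted {rights}"))
            # The same card already active on another HMI: cloned or shared card.
            elsewhere = [h for (c, h) in open_sessions if c == card and h != hmi]
            if elsewhere:
                findings.append(("concurrent_session", card,
                                 f"still active on {elsewhere[0]} when logging on to {hmi}"))
            open_sessions[(card, hmi)] = ts
        else:
            start = open_sessions.pop((card, hmi), None)
            if start is None:
                findings.append(("logoff_without_logon", card, hmi))
            elif ts - start > max_session:
                findings.append(("overlong_session", card, f"{ts - start} on {hmi}"))
    # Whatever is still open at the end of the archive was never logged off.
    for (card, hmi), start in open_sessions.items():
        findings.append(("session_not_closed", card, f"{hmi} since {start.isoformat()}"))
    return findings


def kinds(findings):
    """Sorted finding kinds, for summaries."""
    return sorted(k for k, _, _ in findings)


if __name__ == "__main__":
    for kind, card, detail in review(ARCHIVE, CARD_REGISTER):
        print(f"{kind:22s} card={card}  {detail}")
```

On the constructed archive the review reports one concurrent session for card 7C10E3, one unknown card (99ABCD) and one session still open at the end of the trail. The register lookup is what ties the archive back to the "magnetic card with specific rights" control: without it, the archive can only tell you that a card was used, not whether it should have been.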
Lessons learnt from the security audit
Recommended architecture

[Figure: recommended architecture. Inside the substation, defined as the security perimeter (NERC): the RTU(s) and the local CMT Light. The substation connects through a router and a firewall to the IP network or SCADA WAN (IP over SDH/SONET, or IP over TDM), and through a second firewall and router to the remote CMT Light, the remote RTU and the Security Server. The RTU-to-CMT links at both ends are protected with SSL / SSH.]

Following the audit we have released Cyber Security recommendation guides for the RTU.
Physical Protection and Isolation
Remains the Utility domain

● No link from outside the substation to the internal substation zone

● Document the organizational processes and the technical and procedural mechanisms for every remote access point

● Use secure communication technology when the internet is used (VPN, IPSEC, SSH or SSL), and set up a firewall or a physical disconnection when the link is not in use

● Use the Defence-in-Depth principle
  ● Use multiple security controls
  ● Physical security
  ● Segmentation

● Update policy to be managed regularly (anti-virus …)
Password recovery process

Flow between the IED, the user and the AREVA T&D contact centre:

● User: loses the password.
● User: interrogates the IED via the front panel only.
● IED: generates a recovery code and provides the user with the IED serial number and the IED security code.
● User: sends the serial number and the security code to the AREVA T&D contact centre.
● Contact centre: checks the authenticity of the requestor against a file and generates the recovery password using a program.
● Contact centre: sends the recovery code to the appropriate user.
● User: applies the recovery code to the IED using comms or the HMI.
● IED: resets the passwords to default and sends a confirmation to the user.
● User: logs on using the default password (and should change it straight away, since the default is the same on every unit).

The IED recovery password is only valid for 72 hours; after that the user has to generate a new recovery password.
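The flow above has the properties a recovery scheme needs: the IED mints a per-request security code, the contact centre authenticates the requester before issuing anything, the recovery code is bound to one device and expires after 72 hours, and applying it only resets passwords to default rather than revealing the old ones. The block below is an added example of how those properties can be realised; it is not the vendor's actual algorithm. It assumes (for the example only) that the contact centre and the IED share a per-device secret key, that the recovery code is a truncated HMAC-SHA256 over the serial number, the security code and the hour of issue, and that the registers, serials and keys shown are made up.

```python
"""Time-limited IED password recovery code.

Constructed example (not the vendor's actual algorithm): it models the flow
above with the two parties that matter, the IED and the contact centre.
Assumed for the example: the contact centre and the IED share a per-device
secret key, the recovery code is an HMAC over the serial number, the
security code and the hour of issue, and it stays valid for 72 hours.
The registers, serials and keys below are all made up.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RECOVERY_VALIDITY = timedelta(hours=72)

# Constructed register: which named requester may recover which device.
AUTHORISED_REQUESTERS = {"ied-0001": {"j.smith@utility.example"}}
# Constructed per-device keys, known to the contact centre and to the IED.
DEVICE_KEYS = {"ied-0001": b"\x01" * 32}


def derive_code(key, serial, security_code, issued_hour):
    """Recovery code = truncated HMAC-SHA256 over (serial, security code, hour)."""
    msg = f"{serial}|{security_code}|{issued_hour}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16].upper()


class IED:
    def __init__(self, serial, key, now):
        self.serial, self.key, self.now = serial, key, now   # now(): injected clock
        self.security_code = None
        self.passwords_reset = False

    def request_recovery(self):
        """Front-panel request: mint a fresh one-time security code."""
        self.security_code = secrets.token_hex(4).upper()
        return self.serial, self.security_code

    def apply_recovery(self, code):
        """Accept the code if it was issued within the last 72 hours (to the hour)."""
        if self.security_code is None:
            return False
        now = self.now()
        for hours_back in range(int(RECOVERY_VALIDITY / timedelta(hours=1)) + 1):
            issued_hour = (now - timedelta(hours=hours_back)).strftime("%Y%m%d%H")
            expected = derive_code(self.key, self.serial, self.security_code, issued_hour)
            if hmac.compare_digest(expected, code):
                self.passwords_reset = True    # device resets passwords to default
                self.security_code = None      # code is single use: no replay
                return True
        return False


class ContactCentre:
    def __init__(self, requesters, keys, now):
        self.requesters, self.keys, self.now = requesters, keys, now

    def issue_recovery_code(self, requester, serial, security_code):
        """Check the requester against the register, then derive the code."""
        if requester not in self.requesters.get(serial, set()):
            raise PermissionError(f"{requester} is not authorised for {serial}")
        return derive_code(self.keys[serial], serial, security_code,
                           self.now().strftime("%Y%m%d%H"))


def run_flow(requester="j.smith@utility.example", delay_hours=1):
    """Drive the exchange with a movable clock.

    Returns (first application accepted, replay accepted, passwords reset)."""
    clock = {"t": datetime(2011, 4, 1, 9, 30, tzinfo=timezone.utc)}
    now = lambda: clock["t"]
    ied = IED("ied-0001", DEVICE_KEYS["ied-0001"], now)
    centre = ContactCentre(AUTHORISED_REQUESTERS, DEVICE_KEYS, now)
    serial, sec = ied.request_recovery()      # user reads both off the front panel
    try:
        code = centre.issue_recovery_code(requester, serial, sec)
    except PermissionError:
        return False, False, ied.passwords_reset
    clock["t"] += timedelta(hours=delay_hours)   # time until the user applies the code
    first = ied.apply_recovery(code)
    replay = ied.apply_recovery(code)         # the same code presented a second time
    return first, replay, ied.passwords_reset


if __name__ == "__main__":
    print(run_flow())                      # (True, False, True)
    print(run_flow(delay_hours=80))        # (False, False, False)
```

Two points are worth noting against the flow on the slide. The security code is generated by the IED and consumed once, so a recovery code captured in transit cannot be replayed and a code obtained for one unit is useless on another. The 72-hour window is enforced by the IED itself by re-deriving the code for each hour in the window, so the device needs a clock but no network connection to the contact centre.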
Conclusion

Standards:
The philosophy / the golden rules

● Set up an organization and processes that allow an assigned person to do what he has been trained for

● Set up an organization and processes that stop everyone else from accessing the devices / system

● Set up a permanent organization able to update each component of your system when it is required
Appendix

NERC CIP overview

● CIP-002-1 Critical Cyber Assets
  ● Define and document the Critical Assets and the Critical Cyber Assets
● CIP-003-1 Security Management Controls
  ● Define and document the security management controls required to protect the Critical Cyber Assets
● CIP-004-1 Personnel and Training
  ● Define and document the personnel handling and training required to protect Critical Cyber Assets
● CIP-005-1 Electronic Security
  ● Define and document the logical security perimeter where Critical Cyber Assets reside and the measures to control access points and monitor electronic access
● CIP-006-1 Physical Security
  ● Define and document the Physical Security Perimeters within which Critical Cyber Assets reside
● CIP-007-1 Systems Security Management
  ● Define and document the system test procedures, account and password management, security patch management, system vulnerability handling, system logging, change control and configuration required for all Critical Cyber Assets
● CIP-008-1 Incident Reporting and Response Planning
  ● Define and document the procedures necessary when Cyber Security Incidents relating to Critical Cyber Assets are identified
● CIP-009-1 Recovery Plans
  ● Define and document recovery plans for Critical Cyber Assets
CIP-002 Critical Cyber Assets

● Description:
  ● CIP-002 sets the requirements for identifying Critical Assets and Critical Cyber Assets
  ● The Critical Assets are the ones essential to the correct operation of the electric network
    ● Overhead lines, transformers …
  ● The Critical Cyber Assets are the cyber assets essential to the operation of a Critical Asset that use a routable protocol to communicate outside the Electronic Security Perimeter, use a routable protocol within a control centre, or are dial-up accessible
    ● IEDs

● Power utility side:
  ● Create the list of the assets

● Manufacturer side:
  ● We can help the power utilities to create this list in an automatic way
  ● We can offer an audit to list the cyber assets
CIP-003 Security Management Controls

● Description:
  ● Standard CIP-003 requires the entity to document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets.
  ● Change control: document all entity- or vendor-related changes to hardware and software components

● Power utility side:
  ● Shall create this policy internally (cyber security policy)

● Manufacturer side:
  ● We can help the power utilities control access to their critical assets by providing:
    ● Centralized access control
  ● We can help the customer with change control: a section in all the documentation that describes the changes affecting the hardware and software.
CIP-004 Personnel and Training

● Standard CIP-004 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training and security awareness

● Power utility side:
  ● Should train its personnel

● Manufacturer side:
  ● We offer a cyber security training
CIP-005 Electronic Security

● CIP-005 requires an Electronic Security Perimeter (ESP) to be established; the ESP should provide the following:
  ● Disable ports and services that are not required
  ● Monitor and log access 24x7x365
  ● Perform annual vulnerability assessments (at a minimum)
  ● Documentation of network changes

● Power utility side:
  ● Shall monitor access to the ESP
  ● Perform annual vulnerability assessments
  ● Document network changes

● Manufacturer side:
  ● All ports not used in the IEDs will be disabled
  ● Monitor the access at all access points of the ESP
CIP-006 Physical Security

● CIP-006: physical security controls should be documented and implemented that provide perimeter monitoring and logging along with robust access controls. All cyber assets used for physical security are considered Critical and should be treated as such.

● Power utility side:
  ● Provide physical security controls and a physical security perimeter
  ● Ensure that people who have access to Critical Cyber Assets do not have criminal records

● Manufacturer side:
  ● Nothing
CIP-007 Systems Security Management

● CIP-007 Systems Security Management covers the following points:
  ● Test procedures
  ● Ports and services
  ● Security patch management
  ● Antivirus
  ● Account management
  ● Monitoring
  ● An annual vulnerability assessment should be performed

● Power utility side:
  ● Have an incident response team and processes

● Manufacturer side:
  ● All of the above
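CIP-005 ("disable ports and services that are not required", "documentation of network changes") and CIP-007 ("ports and services", "monitoring") both come down to one recurring check: what a Critical Cyber Asset actually listens on, compared with what its role is approved to listen on. The script below is an added example of that check, not a Schneider Electric tool. The per-role baselines, the device roles and the port-scan text it reads are constructed for the example; in practice the baseline comes from the utility's own engineering documentation, and a real scan of a protection IED is done on a test bench or in a maintenance window, never unannounced on an in-service device.

```python
"""Ports-and-services baseline check for an Electronic Security Perimeter.

Constructed example (not a Schneider Electric tool): compares what a device
is actually listening on against the baseline approved for its role, and
produces both the list of ports to disable and the change record that
CIP-005 asks to be kept for network changes.  The baselines, roles and the
scan output below are assumptions made for this example.
"""
from collections import namedtuple

Service = namedtuple("Service", "proto port name")

# Constructed baselines: the only listening services approved per role.
BASELINE = {
    "protection_ied": {
        Service("tcp", 102, "IEC 61850 MMS"),
        Service("tcp", 20000, "DNP3"),
    },
    "gateway": {
        Service("tcp", 102, "IEC 61850 MMS"),
        Service("tcp", 2404, "IEC 60870-5-104"),
        Service("tcp", 22, "SSH (maintenance)"),
    },
}

# Services that should never be reachable on a CCA: clear-text or unneeded
# management services.  Used only to annotate the change record.
HIGH_RISK = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 161): "snmp",
}

# Constructed scan result, one "proto port state service" line per socket,
# in the style of a port-scanner text report.
SCAN_OUTPUT = """\
tcp 21 open ftp
tcp 23 open telnet
tcp 80 open http
tcp 102 open iso-tsap
tcp 20000 open dnp
udp 161 open snmp
"""


def parse_scan(text):
    """Return the set of (proto, port) pairs the report lists as open."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "open":
            found.add((parts[0], int(parts[1])))
    return found


def check_device(role, scan_text, baseline=BASELINE):
    """Compare a device against its role baseline.

    "disable": open but not approved for the role.
    "missing": approved but not seen (the scan was filtered, or the baseline
    no longer matches the configuration); both need a follow-up."""
    approved = {(s.proto, s.port): s.name for s in baseline[role]}
    observed = parse_scan(scan_text)
    return {
        "disable": sorted(observed - approved.keys()),
        "missing": sorted(approved.keys() - observed),
    }


def change_record(device, role, result, ticket):
    """Text block to file as the network-change documentation for the ESP."""
    lines = [f"Change {ticket}: {device} ({role})"]
    for proto, port in result["disable"]:
        risk = HIGH_RISK.get((proto, port))
        note = f" [clear-text/management service: {risk}]" if risk else ""
        lines.append(f"  disable {proto}/{port}{note}")
    for proto, port in result["missing"]:
        lines.append(f"  verify {proto}/{port} is still required by the baseline")
    return "\n".join(lines)


if __name__ == "__main__":
    result = check_device("protection_ied", SCAN_OUTPUT)
    print(change_record("SS01-P443-01", "protection_ied", result, "CR-0042"))
```

Run against the constructed scan, the protection-IED baseline leaves the two protocol ports alone and lists ftp, telnet, http and snmp for disabling; the same scan checked against the gateway baseline would additionally flag DNP3 as unapproved and SSH and IEC 104 as missing, which is the point of keeping one baseline per role rather than one for the whole substation.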
CIP-008 Incident Reporting and Response Planning

● A cyber security incident response plan should be developed, including the definition of the incident response team, its responsibilities and the procedures.

● Power utility side:
  ● Have an incident response team and processes

● Manufacturer side:
  ● Nothing
CIP-009 Recovery Plans

● A disaster recovery plan should be created and tested with annual drills

● Power utility side:
  ● Have a recovery plan

● Manufacturer side:
  ● Not so much, but:
    ● Recovery plan guidelines
    ● Backup and restore documentation and guidelines