Power Delivery and Utilization - Distribution and Utilization
Program 183 - Cyber Security and Privacy
Last Updated: 13-Jan-2017
Cyber and physical security have become critical priorities for electric utilities. The evolving electricity sector is increasingly dependent on information technology and telecommunication infrastructure to ensure the reliability and security of the electric
grid. Specifically, measures to ensure cyber security must be designed and implemented to protect the electric grid from attacks by terrorists and hackers, and to strengthen grid resilience against natural disasters and inadvertent threats such as equipment
failures and user errors.
The Cyber Security and Privacy Program of the Electric Power Research Institute (EPRI) focuses on addressing the emerging threats to an interconnected electric sector through multidisciplinary, collaborative research on cyber security technologies, standards,
and business processes.
The rapid pace of change in the electric sector creates a challenging environment for asset owners and operators to monitor the cyber security activities of industry groups, develop an understanding of how new technologies affect security, and maintain the
right internal resources for assessing those technologies. EPRI employs a team of experts with comprehensive backgrounds in cyber security who address these challenges by providing insight and analysis of various security tools, architectures, guidelines,
and results of testing to program participants.
Participation in EPRI’s Cyber Security and Privacy Program can provide the following benefits:
- A better awareness of industry and government collaborative efforts, where members can "plug in" to current activities;
- Guidance on developing cyber security strategies and requirements for selecting effective technologies;
- Guidance on security metrics;
- Techniques for assessing and monitoring risk;
- Practical approaches to mitigating the risk of operating legacy systems;
- Early identification of security gaps through laboratory assessments of security technologies; and
- Technologies which support the management of cyber incidents and increase the cyber security and resiliency of the grid.
The Cyber Security and Privacy Program focuses on developing security requirements, creating new security technologies, and performing laboratory assessments of existing, relevant technologies. Members may use the products to enhance their current cyber
security posture and increase the security of systems that are deployed in the future.
Key deliverables in this program include:
- Newsletters and whitepapers to address high-impact issues;
- Guidance on security metrics;
- Guidance on assessing and monitoring risk;
- Tools to manage networks and devices for power delivery systems;
- Tools to support improved incident and threat management; and
- Tools and techniques for assessing grid security, resiliency, and cyber security posture.
The portfolio of projects in the Cyber Security and Privacy Program has delivered several key accomplishments that have helped its members specifically and the industry as a whole.
National Electric Sector Cybersecurity Organization Resource (NESCOR): The U.S. Department of Energy (DOE) awarded EPRI a contract to provide research and development
resources for DOE’s public-private partnership, NESCOR. EPRI led the working groups that focus on identifying vulnerabilities and threats, assessing cyber security standards, and testing and validating technologies. The results of this work have been used
to develop improved threat models, cyber security requirements, and security technologies. NESCOR delivered the following documents:
- Electric Sector Failure Scenarios and Impact Analyses: This document includes cyber security failure scenarios and impact analyses for the electric sector. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of
sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power.
- Analysis of Selected Electric Sector High Risk Failure Scenarios: This document provides detailed analyses for a subset of the failure scenarios identified in the document listed above. The subset was prioritized for inclusion based upon the level of risk of each
failure scenario and the priorities of NESCOR utility members.
- Attack Trees for Selected Electric Sector High Risk Failure Scenarios: This briefing includes the modified attack tree diagrams from the detailed analysis documents.
- Guide to Penetration Testing for Electric Utilities: This security test plan provides guidance to electric utilities on how to perform penetration tests in the smart grid domains of advanced metering infrastructure (AMI), demand response (DR), distributed energy resources (DER), distribution
grid management (DGM), electric transportation (ET), and wide-area monitoring, protection, and control (WAMPAC). Penetration testing is one of the many different types of assessments that utilities can perform to evaluate their overall security posture.
- Guidelines for Leveraging NESCOR Failure Scenarios in Cyber Security Tabletop Exercises: This document provides exercise facilitators with guidance concerning procedures and responsibilities for exercise development, facilitation,
simulation, and support. It also includes a NESCOR failure scenario and explains how to expand this scenario for use in a cyber security tabletop exercise.
Incident and Threat Management: Within the Security Technologies Project Set, EPRI is addressing the challenge of managing cyber and physical threats to substation and field devices. In 2016, EPRI:
- Developed and tested use cases for real-world situations that correlate aggregated data from substation sources in the Cyber Security Research Lab (CSRL);
- Identified incident detection architectures for the Integrated Security Operations Center (ISOC) field devices and developed a corresponding test bed in the CSRL; and
- Specified the requirements and tasks necessary to integrate the incident detection systems with SIEM tools.
Assessing and Monitoring Risk: Within the Information Assurance Project Set, EPRI focuses on security challenges that affect multiple operations domains, such as designing security into products, creating security metrics for the electric
sector, and developing technical solutions for meeting security compliance requirements. In 2016, EPRI:
- Built on the 2015 Cyber Security Architecture Methodology report (3002005942) to include applicable device classes, security tools, and NESCOR failure scenarios for testing.
- Revised the 2015 Creating Security Metrics for the Electric Sector report (3002005947) to include more in-depth parameters for creating a metrics program as well as risk-based security metrics.
- Updated the Security, Cyber, Risk Assessment Methodology (SCRAM) database (3002005943).
In 2017, this program expects to accomplish the following objectives:
- Industry Collaboration: Track industry and government activities and provide technical contributions to key working groups;
- Situational Awareness: Develop tools and technology for improved situational awareness for transmission and distribution systems;
- Event and Incident Response: Improve the electric sector’s ability to detect, respond to, and recover from cyber incidents. The program will also continue technical development of the Integrated Security Operations Center (ISOC);
- Threat and Vulnerability Management: Develop guidelines for advanced threat management for power delivery systems;
- Cyber Security Program Management: Extend the security architecture methodology to include DER systems and address the technical challenges of cyber security compliance;
- Asset, Change, and Configuration Management: Develop guidelines for effective configuration management;
- Risk Management: Provide a methodology and metrics to establish a framework to evaluate the effectiveness of implemented security controls within power-delivery systems and operational environments; and
- Supply Chain and External Dependencies: Examine various measures to reduce supply chain risk.
Estimated 2017 Program Funding
Contact Program Manager - Galen Rasche, 650-855-8779, email@example.com
PS183A: Industry Collaboration and Technology Transfer
P183.001: Industry Collaboration
The landscape of cyber security activities in the electricity sector involves numerous industry, government, and regulatory groups. Although tracking these groups can be a daunting effort, it is critical for utilities to be up-to-date on key industry activities.
This project set provides members with an up-to-date view of industry activities and supports technical contribution to these groups. It also supports white papers and working groups on key cyber security topics.
PS183B: Security Technologies
The Security Technologies project set addresses several security challenges facing power-delivery and control systems, including threat and vulnerability management, incident response, identity and access management, and situational awareness. The technology
addressed within these focus areas can increase the security of next-generation power-delivery systems through a combination of new security tools and procedures to provide end-to-end security and support defense-in-depth strategies. Additionally, this project
set will explore technology that helps organizations remain resilient to cyber security threats and continue to perform critical operations while under duress and during the recovery process.
P183.004: Security and System Monitoring
Situational awareness involves developing near real-time knowledge of a dynamic operating environment. In part, this is accomplished through the logging and monitoring of IT, OT, physical security systems, and communication infrastructure assets essential
for the delivery of the function. It is equally important to maintain knowledge of relevant, current cybersecurity events external to the enterprise.
P183.005: Incident Response
Incident response includes detecting cyber security events, establishing criteria for event prioritization, and correlating multiple cyber security events. Utilities need to establish and maintain plans, procedures, and technologies to detect, analyze, and
respond to cybersecurity events and to sustain operations throughout a cybersecurity event. These criteria should align with the organization’s cyber security risk management strategy and ensure consistent assessment of events.
This project covers four primary areas of incident response:
- Detect cyber security events;
- Escalate cyber security events and declare incidents;
- Respond to incidents and escalated cyber security events; and
- Plan for recovery and continuity.
P183.006: Threat Management
The objective of threat management is to establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cyber security threats, commensurate with the risk to the organization’s infrastructure (e.g., critical,
IT, operational) and organizational objectives.
A cyber security threat is defined as any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), resources, and other organizations through IT, OT, or communications infrastructure
via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
P183.007: Identity and Access Management
Controlling access includes determining access requirements, granting access to systems and networks based on those requirements, and revoking access when it is no longer required. Secure communication tools should include capabilities to manage user and
device credentials, avoid unauthorized access, and ensure the integrity of communications.
Identity and access management tools should:
- Provide access to assets based on the cyber security risk to the system;
- Monitor anomalous access attempts as indicators of cyber security events; and
- Provide user and device-to-device authorization of activities and of the source of data/commands.
PS183D: Information Assurance
This project set focuses on security challenges that affect multiple operations domains, such as designing security into products, creating security metrics for the electric sector, and developing technical solutions for meeting security compliance requirements.
P183.012: Cyber Security Architecture
Grid modernization requires increased interconnection of electric sector devices, which results in a larger attack surface that may be exploited by potential adversaries such as nation-states, terrorist organizations, malicious contractors,
and disgruntled employees. A security architecture methodology for attack vector analysis needs to be developed to support cyber security risk management in this new environment.
The objective is to provide a common methodology that may be used by utilities of all sizes – from large investor owned utilities (IOUs) to smaller cooperatives and municipalities. EPRI is collaborating with other research efforts that are defining enterprise
architecture methodologies to ensure that the security architecture methodology does not conflict with these other efforts.
This research project is mapped to the following C2M2 domains: Risk Management (RM), Cybersecurity Program Management (CPM), and Threat and Vulnerability Management (TVM).
P183.013: Cyber Security Compliance
Cyber security standards, guidance, and regulations have been developed as a result of continual threats to business and process control networks. In recent years, electric utilities that are part of the North American bulk electric system (BES) have established
cyber security programs to ensure compliance with the critical infrastructure protection (CIP) standards of the North American Electric Reliability Corporation (NERC). New cyber security requirements for critical infrastructure are being introduced in other
regions as well, such as the Network and Information Security (NIS) Directive of the European Commission. In addition, some states are developing cyber security requirements for the distribution sector of the grid.
Compliance with cyber security regulations and cyber security requirements is non-trivial and requires IT staff and control system engineers to work together to implement and maintain a cyber security program for control systems.
This research project is mapped to the following C2M2 domains: Risk Management (RM), Asset, Change and Configuration Management (ACM), Identity and Access Management (IAM), Threat and Vulnerability Management (TVM), and Cyber Security Program Management
(CPM). Note: compliance is referenced in all of the C2M2 domains, but this project focuses on the ones listed above.
P183.014: Cyber Security Metrics
Over the past decade, the electric sector has produced both mandatory and voluntary standards and guidelines to address cyber security. Each of these attempts to enhance the security posture of a utility, despite the fact that each utility has unique environments,
ownership structures, and functions for the overall reliability of the nation’s power grid. These standards and guidelines were developed in similar ways to the sector’s creation of documents in other fields—balancing of load and generation, management of
reliability events, and other functions required for reliable operations. The science and engineering behind power systems dates back to the late 1800s, with thousands of studies and measurement behind each model used for planning and operations. Unfortunately,
cyber security is not as mature—as a field, the science involved in protecting digital systems has only existed for a fraction of the history shared with power systems engineering. Over the past two decades, research has continued to evolve in the field of
cyber security measurement. These advancements make it possible to implement a cyber security metrics program within any utility, regardless of size, organization, or ownership structure.
There are several challenges with cyber security metrics. While there are many business and regulatory pressures driving utilities to improve process efficiency, there is also a lack of data sharing required to have a dialogue regarding “what metrics matter”
in cyber security. As a result, security metrics routinely focus on standards development or other frameworks that may not be entirely appropriate for measurement.
This research project is mapped to the following C2M2 domain: Risk Management (RM). (Note: metrics is not specifically referenced in the C2M2, but is used as part of risk management.)
P183.015: Security Supply Chain
Commercially available information and communications technology (ICT) solutions present significant benefits including low cost, interoperability, and choice among competing vendors. These commercial off-the-shelf (COTS) solutions can be proprietary or
open source and can meet the needs of a global base of customers. However, the same globalization and other factors that allow for such benefits also increase the risk of a threat event which can impact the ICT supply chain. These ICT supply chain risks may
include insertion of malicious software and hardware.
The project is mapped to the following C2M2 domains: Risk Management (RM), Threat and Vulnerability Management (TVM), and Supply Chain and External Dependencies Management (EDM).