Cybersecurity for the IoT in Facility Energy Distribution
Andrew E. Taylor, PE Applied Power Technologies
12/02/2020 AEE Technical Session - Cybersecurity for IoT 1
The Problem
• The specific IoT devices involved in the delivery of energy and utilities (inside facilities and outside in the grid) are especially problematic.
• These devices can control the flow of those utilities, which makes the impact of a breach much more dangerous.
• Your plant’s diesel generator requires a higher level of security than a thermostat.
New regulatory requirements (led by California) require security features for all devices.
Background
• IoT security problems are so pervasive that the Department of Homeland Security has set up a special division just to deal with cybersecurity problems for Industrial Systems: ICS-CERT.
Cybersecurity of the IoT for industrial systems is not just a California problem.
Background Detail
CA Senate Bill 327 - Security of Connected Devices became law on January 1, 2020.
In order to sell a connected device in the state of CA, manufacturers must:
Equip the device with a reasonable security feature or features that are:
• Appropriate to the nature and function of the device.
• Appropriate to the information it may collect, contain, or transmit.
• Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
If a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature if either of the following requirements are met:
• The preprogrammed password is unique to each device manufactured.
• The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
Reasonable Security
If you are thinking you can define ‘reasonable security’ on your own, let me share guidance from California Energy Department for solar inverters:
• California Rule 21 (not to mention IEEE 2030.5) requires the following for smart inverters sold in California:
• Use a hash algorithm for all communications to keep them private.
• Authenticate the Master to eliminate Man in the Middle (MiM) spoofing.
• Use time stamps to eliminate the possibility of replay schemes.
Network connected power devices covered by the same precedent:
• Circuit Breakers
• Trip Units
• UPS
• Generators
• Automatic Transfer Switches
• Relays
• Inverters
• CA Rule 21 sets the legal precedent for the security of any network connected power device in California.
Protocol Security - Modbus
The Modbus protocol has become the de facto industrial communications standard… The Modbus protocol lacks the ability to authenticate a user and hence middleman (MiM) attacks can easily take place in Modbus. 1
• A new Modbus secure architecture is required to satisfy these new key security requirements:
• Use a hash algorithm for all communications to keep them private.
• Authenticate the Master to eliminate Man in the Middle (MiM) spoofing.
• Use time stamps to eliminate the possibility of replay schemes.
• FN1 – Guidelines for Smart Grid Cybersecurity – NIST
https://www.nist.gov/publications/guidelines-smart-grid-cybersecurity
https://modbus.org/
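The three requirements the slides keep returning to (keep communications private, authenticate the Master, time-stamp to defeat replay) are easiest to see against a raw Modbus/TCP frame. The following Python is an added example, not code from the presentation or from modbus.org: it decodes a Write Single Coil frame to show that nothing in the MBAP header or PDU identifies the Master or dates the command, then adds an illustrative HMAC-SHA256 envelope with a timestamp and nonce so a device can reject forged, replayed and stale commands; the envelope format, the shared key and the demo clock are assumptions for this example.

```python
import hashlib, hmac, os, struct, time

# Modbus/TCP frame layout (MBAP header + PDU), per the public spec at modbus.org:
#   transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1) | function (1) | data
# No field identifies or authenticates the Master, and nothing dates the command.

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode an MBAP header and PDU into the fields a device would act on."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    tid, pid, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length field")
    return {"transaction_id": tid, "unit_id": unit, "function": func, "data": frame[8:]}

def build_write_single_coil(tid: int, unit: int, address: int, on: bool) -> bytes:
    """Function code 0x05: write one coil, e.g. a breaker open/close output."""
    pdu = struct.pack(">BHH", 0x05, address, 0xFF00 if on else 0x0000)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Illustrative authentication envelope (an assumption for this example, not part of Modbus):
#   timestamp ms (8) | nonce (16) | modbus frame | HMAC-SHA256 tag (32)
# The key is shared between the Master and the device out of band (a constructed value below).
NONCE_LEN, TAG_LEN = 16, 32

def wrap(key: bytes, frame: bytes, now=None) -> bytes:
    """Master side: time-stamp, nonce and authenticate a frame."""
    ts = struct.pack(">Q", int((time.time() if now is None else now) * 1000))
    body = ts + os.urandom(NONCE_LEN) + frame
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Verifier:
    """Device side: genuine Master (tag), fresh (timestamp), not replayed (nonce)."""
    def __init__(self, key: bytes, window_s: float = 30.0):
        self.key, self.window_ms, self.seen = key, int(window_s * 1000), {}

    def unwrap(self, envelope: bytes, now=None) -> dict:
        now_ms = int((time.time() if now is None else now) * 1000)
        if len(envelope) < 8 + NONCE_LEN + 8 + TAG_LEN:
            raise ValueError("envelope too short")
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            raise PermissionError("bad tag: tampered or not from the authenticated Master")
        ts_ms = struct.unpack(">Q", body[:8])[0]
        nonce = body[8:8 + NONCE_LEN]
        if abs(now_ms - ts_ms) > self.window_ms:
            raise PermissionError("stale timestamp: replayed command or clock skew")
        # Forget nonces that have aged out of the window, then refuse any repeat inside it.
        self.seen = {n: t for n, t in self.seen.items() if now_ms - t <= self.window_ms}
        if nonce in self.seen:
            raise PermissionError("nonce already used: replayed command")
        self.seen[nonce] = ts_ms
        return parse_modbus_tcp(body[8 + NONCE_LEN:])

def _outcome(check) -> str:
    try:
        check()
        return "accepted"
    except PermissionError as err:
        return str(err)

def demo() -> dict:
    """The cases the slide describes, run with a constructed key and a fixed clock."""
    key = b"constructed-demo-key-shared-out-of-band"
    t0 = 1606910400.0  # 2020-12-02 12:00:00 UTC: a fixed "now" so the run is repeatable
    frame = build_write_single_coil(tid=1, unit=3, address=0x0010, on=True)
    device = Verifier(key)
    genuine = wrap(key, frame, now=t0)
    tampered = bytearray(wrap(key, frame, now=t0))
    tampered[8 + NONCE_LEN + 10] ^= 0xFF  # flip the coil value byte: ON becomes OFF
    return {
        "bare_frame": parse_modbus_tcp(frame),  # nothing here proves who sent it or when
        "authentic": _outcome(lambda: device.unwrap(genuine, now=t0 + 1)),
        "replayed": _outcome(lambda: device.unwrap(genuine, now=t0 + 2)),
        "tampered": _outcome(lambda: device.unwrap(bytes(tampered), now=t0 + 1)),
        "stale": _outcome(lambda: device.unwrap(wrap(key, frame, now=t0), now=t0 + 120)),
    }
```

An HMAC gives integrity and origin authentication but not confidentiality, so the "keep them private" requirement still needs an encrypted transport such as TLS, which this block does not implement.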
Protocol Security - BACnet
• “Network security in BACnet is optional. The existing BACnet Network Security architecture defined in Clause 24 is based on the 56-bit DES cryptographic standard and needs to be updated to meet the needs of today’s security requirements.” 2
• Current BACnet protocol also lacks secure authentication.
• The BACnet Secure Working Group is in the process of developing a standard that will include all 3 key security features that California has made their standard, but it may not be available for 2 years or more.
• FN2 – ASHRAE BACnet Secure Working Group Paper
http://www.bacnet.org/
Example of a typical industrial communication network for power devices in a unit substation.
Real World Electrical Substation Communications Diagram
Physical Port Security – Lock it up!
• Physical port security devices are simple.
• Serial Ports – DB9, DB15
• Modem and Ethernet Ports – RJ11, RJ45
• USB and Display Ports, SD Cards, etc.
Want to find an expert in physical port security?
Talk to any teacher!
There are literally hundreds of products out there to provide cheap, reliable,
secure controlled access to every type of port on every device.
The Solution
Start now to address this problem, in two suggested ways:
• Existing Devices
• Create device inventories for each system.
• Change default usernames and passwords.
• Install physical security for the ports on those devices.
• New Devices
• SPECIFY and confirm security for each device, gateway, and server you purchase.
• Start with a systematic approach to security:
• Require encryption for all communications.
• Require authentication of the Master’s identity.
• Require authentication of Master commands with date and time stamps.
Existing Systems and Devices
Secure the connected devices on your most critical systems’ industrial networks:
• Make a prioritized list of systems based on what the devices control (i.e. Electrical, Process, Mechanical, Chemical, Fire Life Safety, etc.).
• Inventory those devices, including the gateways and switches, for each system (this almost always requires corporate IT/IS support).
• Make a plan to “harden” these systems and devices:
• Maintain the “approved” device list for each system.
• Change default usernames and passwords on those devices.
• Implement physical security on the approved devices and ALL their ports.
• Ensure gateways and switches communicating with those devices include security features (encryption, port locking, routing rules, etc.).
New Equipment
Don’t make the problem worse – start requiring Cybersecurity for new equipment.
• Update purchase specifications for approved systems and devices.
• Update installation details for approved systems and devices for their communications connections to verify that physical ports are secured.
• Update IT/IS procedures for gateways and switches to ensure Cyber Security features are configured. Then test each one.
Conclusion
• Prioritize existing systems and devices.
• Inventory and harden those systems and devices.
• Don’t hide it – just ‘disconnecting’ is NOT a solution.
• Don’t make it worse – change specs and details for new systems and devices
• Use resources available to you to rise to this challenge (and stay out of the news!)
Cybersecurity challenges are real and require you to engage NOW!
Questions & Answers
More information available at these links:
• Department of Homeland Security Cybersecurity for Industrial Systems: ICS-CERT
• Cyber Resilience Review and other Resources: https://us-cert.cisa.gov/resources
• NIST Guidelines: https://www.nist.gov/publications/guidelines-smart-grid-cybersecurity
• Modbus Protocol: https://modbus.org/
• BACnet Protocol: http://www.bacnet.org/
Thank you
Andrew E. Taylor, P.E.,
Applied Power Technologies, Inc.
1550 The Alameda, Suite 305 San Jose, CA 95126
direct: 408 340-7116 mobile: 408 218-3548
www.apt4power.com
ataylor@apt4power.com


Editor's Notes

  • #2 Andrew Taylor, PE, CEO, Applied Power Technologies, Inc. Wednesday December 2nd 2020 11:00 am - 11:40 am Cybersecurity for the Internet of Things (IoT) in Facility Energy Distribution
  • #3 My handful of takeaways from this technical session are simple: Cyber Security for connected devices is a real and pervasive problem in our industry. Government regulations are placing the burden for compliance on both the manufacturers and the customers. That means you. Waiting will not make the problem go away; or get smaller – the longer you wait the worse this will get. This is not just about hackers – Cyber Security vulnerabilities are exploited by disgruntled employees, your competitors, organized groups, and even other governments. There are lots of resources out there for your use to start addressing Cyber Security problems, so please use them!
  • #4 Don’t believe this is a problem? Check this out – there are literally hundreds of vulnerabilities and case studies of exploitation (only some of which make the news). The Department of Homeland Security (DHS) offers the Cyber Resilience Review (CRR) on a voluntary, no-cost basis for critical infrastructure organizations. There are two options for the CRR: (1) a downloadable self-assessment or (2) a facilitated six-hour session with trained DHS representatives at your location. This Cyber Resilience Review helps your organization develop an understanding of its operational resilience and ability to manage cyber risk during normal operations and times of operational stress and crisis. No manufacturer, no product, no communication protocol, no software is excluded.
  • #5 APT saw the CA state law SB-327 requiring CyberSecurity for all Internet connected devices coming for 2020 and started to prepare for it after it passed in late 2018. Though the bill does not require protection of existing infrastructure, we believe customers will want to address the CyberSecurity concerns with the purchase of ANY new electrical meter, gateway, trip unit, relay, or connected electrical device. This is an early example of legislation attempting to resolve this problem – you can expect more regulation to come from other states and the US. I’ll let you read and think about the security requirements – I don’t know of manufacturers who generate unique passwords for each device yet. Nor do I know of manufacturers who require the user to generate a unique password when they configure a new device. Every device my company has configured for the past 25 years has a default user name and password – and almost every one of them stayed that way. This is a huge problem to start addressing now.
  • #6 California’s Rule 21 governs CPUC-jurisdictional interconnections, which include the interconnection of all net energy metering (NEM) facilities, "Non-Export" facilities, and qualifying facilities intending to sell power at avoided cost to the host utility. IEEE 2030.5-2018 - IEEE Standard for Smart Energy Profile Application Protocol. The application layer with TCP/IP providing functions in the transport and Internet layers to enable utility management of the end user energy environment, including demand response, load control, time of day pricing, management of distributed generation, electric vehicles, etc. is defined in this standard. This standard defines the mechanisms for exchanging application messages, the exact messages exchanged including error messages, and the security features used to protect the application messages. And this is just for a solar inverter – why? Because it is connected to electrical (so a life safety and fire hazard danger) and there are a lot of them out there in the marketplace. I’m no lawyer, just a professional electrical engineer – but this sounds a lot like what lawyers like to call a “legal precedent”.
  • #7 Modbus is one of the most widespread industrial protocols, used both for serial communications (RS-232 and RS-485) over a twisted pair of wires as well as Modbus TCP for use over Ethernet and Fiber networks. Unfortunately, Modbus is not a secure protocol, and does not contain even basic security features: (1) no encryption for communications; (2) no authentication of the Master’s identity; (3) no authentication of the Master/Slave’s commands with time stamps.
  • #8 Next most prevalent is BACnet – another widespread industrial protocol, used both for serial communications (RS-232 and RS-485) over a twisted pair of wires as well as BACnet over TCP/IP for use over Ethernet and Fiber networks. Unfortunately, BACnet is also not a secure protocol, and does not contain even basic security features: (1) no encryption for communications; (2) no authentication of the Master’s identity; (3) no authentication of the Master/Slave’s commands with time stamps.
  • #9 We just discussed two of the most common industrial communication protocols and decided they were not secure – and won’t be soon. Now I want to show you a real world example of an electrical substation. High risk if any of these devices is breached, or even used accidentally – the trip units on the circuit breakers are capable of controlling the breakers (open and closing) The transformer temperature controller runs the fans and can trip the main if it detects a high temperature on the transformer. But what about something even simpler – physical port security Your IT organization physically secures every port on the Ethernet switches they control (hopefully they know about this one in a substation) What about the serial to Ethernet gateway? The UPS supplying control power to all these control devices? The additional serial ports on the meter and the protective relay? Is there any way to prevent physical access to these unsecured ports out in the field? The answer might surprise you – unless you have children attending school from home due to COVID.
  • #10 The public school system has just endured one of the toughest stress tests ever due to COVID on their network bandwidth; and the physical security of the devices they provide their students to attend school remotely. How do they prevent those students from accessing unauthorized content and changing their Chromebook configuration? They lock up EVERY port with port locks! Every port on every device connected to your industrial network needs to start with physical security – this is the fastest and easiest thing you can do to secure your existing devices.
  • #11 First, we’ll address the problem you already have with your installed base of devices connected to your industrial networks. Then we’ll go look at strategies for not making the problem worse when you buy new equipment and new products for your facility.
  • #12 Here’s how APT is assisting our customers on the west coast secure their existing devices: We start with making a prioritized list of the systems – as you can imagine, the electrical system is usually one of the top priorities, but in general the FACILITY systems are a known headache for your corporate IT or IS department and nobody wants to go after it. For those of you old enough – think of how organizations dealt with the Year 2000 bug back in 1999. With attention comes funding, the actions we’re recommending are simple, effective, and low cost. You can build a career on this specialty because it is so pervasive across all industries, all systems, all equipment. Start with an inventory, then address the simplest items first. Remember that Department of Homeland Security (DHS) Cyber Resilience Review (CRR) you rolled your eyes at back at the beginning of this session. This is what the self assessment is going to focus on first.
  • #13 Here’s how APT is assisting our customers on the west coast purchase new devices: We help customers (this usually starts with owners and operators but also includes Architectural Engineering firms and contractors) update their specifications. You would be amazed at how hard it is to change a specification at many organizations, ESPECIALLY when the specs are not being provided by the equipment manufacturer themselves. Then we focus on the install configuration and commissioning testing process to ensure the new equipment meets these new specifications – this can include simple port security, changing default passwords, and updating the approved system device list to include the new equipment. Finally, we go to the team that owns Cyber Security now – your corporate IT and IS organizations. In the past, these organizations treated the facility networks as a necessary evil. They knew there was a network out there connected to the corporate network, but they ignored it or delegated responsibility for that network to the operations or corporate real estate organization. When an operations support organization like APT comes to corporate IT with a prioritized list of devices and a plan to help reduce the CyberSecurity vulnerability of these facilities’ industrial networks, most IT organizations welcome the help with open arms and funding support.
  • #14 I’ll remind you again of those five takeaways from this technical session that we started with - Cyber Security for connected devices is a real and pervasive problem in our industry. Government regulations are placing the burden for compliance on both the manufacturers and the customers. That means you. Waiting will not make the problem go away; or get smaller – the longer you wait the worse this will get. This is not just about hackers – Cyber Security vulnerabilities are exploited by disgruntled employees, your competitors, organized groups, and even other governments. There are lots of resources out there for your use to start addressing Cyber Security problems, so please use them!