Marcelo Branquinho
CEO & Founder
TI Safe, Brazil
Safety First: Protecting the Power Distribution with Zero Trust for ICS
About Marcelo Branquinho
• CEO & Founder of TI Safe
• Background in electrical engineering and ICS Cybersecurity
• Senior Member of ISA
• Soccer fanatic, as all Brazilians ☺
Palo Alto Networks Proprietary and Confidential
Agenda
• Digital transformation and its risks for Power Systems
• Network Segmentation and the Zero Trust Model
• What TI Safe and PAN did to help
• Q&A
Digital transformation and its risks for Power Systems
Electric Power Systems
[Figure labels: Generation, Transmission, Distribution, Consumption]
https://electrical-engineering-portal.com/electric-power-systems
Digital Transformation of Electric Power Systems
• Asset Lifecycle Management
• Grid Optimization
• Integrated Customer Services
• General services, beyond electricity
Sources: Accenture research for the Digital Transformation of Industries project &
Global Digital Transformation Benefits Report 2019, Schneider Electric
Building blocks of digitization
• Service platforms
• Smart devices
• The ‘cloud’
• Advanced analytics
IoE – IIoT in Energy Networks (Internet of Energy)
• Internet of Energy (IoE) refers to the modernization
and automation of electricity infrastructures for
energy producers.
• This allows energy production to progress more
efficiently and cleanly with the least amount of waste.
• An example of IoE technology includes the use of
intelligent sensors, common among other IoT
technology applications, which enable IoE facilitated
mechanics such as power monitoring, distributed
storage and renewable energy integration.
Smart digital substations
• The digitization of substations uses an architecture based on the IEC 61850 standard.
• Digitization converts data from the substation's primary equipment (such as current transformers, voltage transformers, circuit breakers, switches and power transformers) into sampled values and GOOSE messages for digital protection.
• All signals are transmitted over fiber optics, completely eliminating the use of metal cables and reducing the risk of fatal accidents caused by electric shocks and open circuits in current transformers, which can reduce infrastructure costs and maintenance at the substation.
Attacks on IEDs via GOOSE protocol
Protocol
• The IEC 61850 protocol provides a model and rules for organizing data in a consistent manner across all types of IEDs.
• GOOSE (Generic Object Oriented Substation Events) is part of the IEC 61850 protocol. It encapsulates logic and analogue data, such as the status of disconnectors, shutter control, interlocks, general alarms and the temperature of power transformers, which are transmitted in Ethernet packets.
Threat
• Malware can be created to capture, alter and re-inject GOOSE messages into the network and, by exploiting security holes in the GOOSE message protocol, attack the power grid and cause service interruption.
• The attack exploits GOOSE via spoofing: an attacker publishes false Layer 2 packets, and the devices that receive these packets mistakenly believe that they are valid packets sent by a secure and trusted entity.
Vulnerability
• This attack is possible due to the lack of encryption and authentication in GOOSE messages, which stems from latency problems in IED devices (the IEC 61850 protocol specifies a maximum delay of 4 ms for GOOSE messages).
[Figure: timeline with the labels Transmission Time, Event and Attack]
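A monitoring-side check for the capture, alteration and re-injection described on this slide, as an added example that is not part of the original presentation: it tracks the stNum and sqNum counters carried in each GOOSE PDU and reports frames that break the publisher's sequence. The field names come from the GOOSE PDU rather than from this page; the MAC addresses, control block reference and capture are constructed, and frames are assumed to be already decoded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GooseFrame:
    src_mac: str    # Ethernet source address of the sender
    gocb_ref: str   # control block reference naming the GOOSE stream
    st_num: int     # stNum: incremented on every change of the dataset
    sq_num: int     # sqNum: incremented on every retransmission, 0 after a change


class GooseMonitor:
    """Tracks each GOOSE stream and reports frames that break its sequence."""

    def __init__(self):
        self._publisher = {}   # gocb_ref -> MAC learned from the first frame
        self._last = {}        # gocb_ref -> (st_num, sq_num) of the previous frame

    def check(self, frame):
        alerts = []
        known_mac = self._publisher.setdefault(frame.gocb_ref, frame.src_mac)
        if frame.src_mac != known_mac:
            alerts.append("unexpected-publisher-mac")
        prev = self._last.get(frame.gocb_ref)
        if prev is not None:
            prev_st, prev_sq = prev
            if frame.st_num < prev_st:
                # A genuine IED restart also looks like this: correlate first.
                alerts.append("stnum-regression")
            elif frame.st_num == prev_st:
                if frame.sq_num <= prev_sq:
                    alerts.append("sqnum-replay")
                elif frame.sq_num > prev_sq + 1:
                    alerts.append("sqnum-gap")      # loss, or frames hidden from us
            else:
                if frame.st_num > prev_st + 1:
                    alerts.append("stnum-jump")
                if frame.sq_num != 0:
                    alerts.append("sqnum-not-reset")
        self._last[frame.gocb_ref] = (frame.st_num, frame.sq_num)
        return alerts


def scan(frames):
    """Return (index, alerts) for every frame that raised at least one alert."""
    monitor = GooseMonitor()
    findings = []
    for index, frame in enumerate(frames):
        alerts = monitor.check(frame)
        if alerts:
            findings.append((index, alerts))
    return findings


# Constructed capture: one stream, one legitimate publisher, two anomalies.
GCB = "IED1LD0/LLN0$GO$gcb01"                              # constructed reference
PUB, OTHER = "00:11:22:33:44:55", "66:77:88:99:aa:bb"      # constructed MACs
SAMPLE = [
    GooseFrame(PUB, GCB, 5, 10),    # 0 steady-state retransmission
    GooseFrame(PUB, GCB, 5, 11),    # 1
    GooseFrame(PUB, GCB, 6, 0),     # 2 genuine state change
    GooseFrame(PUB, GCB, 6, 1),     # 3
    GooseFrame(OTHER, GCB, 7, 0),   # 4 a second sender claims a newer state
    GooseFrame(PUB, GCB, 6, 2),     # 5 real publisher still retransmits state 6
    GooseFrame(PUB, GCB, 6, 3),     # 6
    GooseFrame(PUB, GCB, 6, 3),     # 7 same frame seen twice
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE):
        print(index, SAMPLE[index].src_mac, alerts)
```

Because the check only reads counters, it can run on a passive tap or span port and adds nothing to the 4 ms delivery path.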
Cyber attacks may paralyze digital power structures
Electricity is the core of the critical infrastructure
Interconnected systems – Chain Disconnections
• Integrated power generation & distribution
• Critical paths on a few substations
• Vulnerabilities exploitation can easily lead to blackouts
The lack of security in the electricity sector can turn into a disaster!
• How will digital energy networks respond to the next global attack?
• Are there ICS cybersecurity experts in the national energy companies?
• Are the digital networks in the energy sector protected?
Network Segmentation and the
Zero Trust Model
Why do security solutions fail?
One popular solution used in ICS Cybersecurity is to install a firewall between business and control networks.
This is known as the “Bastion Model”, since it is based on a single point of security.
Example: Chinese Wall
Pathways inside the control network
• Protecting only the perimeter of the OT
network is not enough.
• There are lots of pathways inside the OT
network that bypass perimeter security.
• It’s necessary to protect the factory floor
with modern and in-depth defense
technologies where problems in one area
are not allowed to migrate to another
area.
• The solution is the use of security zones, as defined in the ISA/IEC 62443 standard.
ISA/IEC 62443 – The Zones and Conduits Model
[Figure labels: HMI Zone, Parent Zone, Conduit, Security Zone, Security Zone]
Security technologies and policies must be added to enforce communications security between different zones.
Network Segmentation with NGFW and Services
• Maximize visibility over OT traffic
• Reduce the attack surface
– Granular inter-zone policy (L7)
– Secure mobile/internet access as allowed
• Stop known exploits, malware, C2 traffic
• Quickly discover and stop 0-day threats
[Figure: NGFW as a Security “Conduit” (ISA 62443); labels: Zone 1, Zone 2, Zone 3]
Business Case Scenario
Cyberprotect a countrywide automation network of an electric power distribution company:
• Establish zones and conduits
• Create a security layer over 3rd party links
• Ensure remote access security
The customer is digitizing its infrastructure
[Figure: evolution of substation automation. Timeline labels: ancient past, parallel wiring; 1st generation, standard cabling; 2nd generation, peer-to-peer connections; since 1985; 3rd generation, digital substations. Element labels: mimic board, fault recorder, recorder, protection, RTU, bays, serial connection, substation controller, HMI, local HMI, control center, engineering PC, firewalls, IEC 61850 GOOSE, IEC 61850 MMS, Virtual Private Network (VPN), trusted zone, untrusted zone, parallel cabling]
And Segmenting ICS and SCADA is a challenge
• Production system runtime
• Legacy systems
• Cost to implement
• Flat networks
[Figure: network levels. Level 0: Process (actuator). Level 1: Intelligent Device (PLC, RTU, IED). Level 2: Controls Systems (HMI, Eng. Sta). Level 3: Manufacturing Operations (Historian, Process sys). Level 3.5: DMZ (Patch Srv, Jmp Srv)]
Implementing firewalls in power grids is a critical task
• Power grids cannot stop. SCADA servers cannot be restarted.
• Communication between control centers and substations will necessarily pass through perimeter firewalls. Any interruption in this communication will cause the control center to operate blindly, even for a short time. This unattended operation time can cause several problems, including power failures (blackouts).
• Industrial power protocols (DNP-3, IEC 104, and others) should be addressed in the firewall. Errors in handling them can block critical operations and cause major problems.
© 2018 Palo Alto Networks, Inc. All Rights Reserved.
Zero Trust – Firewall is the new core of the OT Network
• Zero Trust, based in the principle of “never trust, always verify,”
• As a company focused on ICS Cybersecurity, TI Safe developed a methodology to implement zero
trust on critical infrastructures.
• The main challenge is to implement the firewall as network core, replacing switches’ routing
functionalities on an operational network.
[Figure labels: Users control, Application control, Malware containment, Third party network isolation, Network visibility, TI Safe ICS-SOC]
Zero Trust Design Concepts
• Define business outcomes
• Design from the inside out
• Determine who/what needs access
• Inspect and log all traffic
© 2019, Palo Alto Networks. All Rights Reserved.
5 Steps to implement a Zero Trust Network
1. Define protection surface
2. Map the transaction flows
3. Architect a Zero Trust network
4. Create Zero Trust Policy
5. Monitor and maintain the network
1. Define protection surface
Understand external requirements
– Contractual obligations
– Laws & regulations (e.g. NERC-CIP)
Translate external requirements into cybersecurity requirements
2. Map the transaction flows (zones and conduits)
Prior to the project implementation, zones were physically mapped to the firewalls and then
logically interconnected on a security rules plan.
[Figure: sample relationships between zones; labels: SCADA, OPC]
3. Architect a Zero Trust Network
Unknown TCP and UDP protocols, non-standard communication ports and multiple links (e.g. fiber, telecom operator, satellite) connecting one or more sites are a few of the elements that increase the project complexity.
Example of physical planning of a firewall
[Table: one column per firewall interface, each giving IP info and a zone description; labels: SCADA, OPC]
3. Architect a Zero Trust Network
Sample Architecture - Operational Control Center
[Figure: levels 0, 1, 2, 3, 3.5 and 4. Labels: Processes, PLCs Zone, SCADA Servers Zone, OCC Control Operator Zone, Engineering Zone, Engineering Stations, HMI, Historic, Historic Replica, DMZ between IT and OT zones, Antivirus, Patch, Web, Corporate Zone (IT), Remote Access, Development Stations, Cybersecurity Management Network, TI Safe's ICS-SOC, Cortex, Wildfire]
3. Architect a Zero Trust Network
Sample Architecture – Small Hydroelectric Plant
[Figure: Level 1 (local control room), Level 2 (SHP control), Level 3 (dispatch control). Other labels: SCADA, SDSC, UAC, IED, Engineering, Cybersecurity Management Network, TI Safe's ICS-SOC, Cortex, Wildfire]
3. Architect a Zero Trust Network
Sample Architecture - Power Generating Units
[Figure labels: Generation Units (Turbines), PLC, Engineering, Supervisory, Historian, OT Firewall, Zero trust, Control Network, TI Safe's ICS-SOC]
4. Create Zero Trust Policy ➔ App-ID
• Allow all
• Assess IT and OT protocols (investigate Unknown TCP!)
• Validate collected protocols
• Create apps and services (if needed)
• Lockdown policies
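The App-ID sequence above, together with the zone mapping of step 2, worked through on a small flow summary as an added example that is not part of the original presentation: traffic seen during the "allow all" phase is split into per-conduit lockdown rules and a review queue, and anything without a rule is denied. Zone names follow the sample architecture slides; the application labels, ports and session counts are constructed and are not PAN-OS identifiers, and the rule that IT/OT traffic must terminate in the DMZ is read from the "DMZ between IT and OT zones" label.

```python
from collections import defaultdict

# Constructed summaries from the "allow all" observation phase:
# (source zone, destination zone, identified application, dest port, sessions)
OBSERVED = [
    ("SCADA Servers Zone", "PLCs Zone", "DNP-3", 20000, 18400),
    ("SCADA Servers Zone", "PLCs Zone", "IEC 104", 2404, 9100),
    ("Engineering Zone", "PLCs Zone", "IEC 104", 2404, 40),
    ("SCADA Servers Zone", "Historic", "OPC", 135, 2200),
    ("Historic", "DMZ", "historian-replica", 1433, 310),
    ("Corporate Zone (IT)", "DMZ", "web-browsing", 443, 5200),
    ("Corporate Zone (IT)", "SCADA Servers Zone", "ms-rdp", 3389, 12),
    ("Engineering Zone", "PLCs Zone", "unknown-tcp", 4001, 75),
]

# Applications the plant engineers confirmed as required (constructed list).
VALIDATED = {"DNP-3", "IEC 104", "OPC", "historian-replica", "web-browsing"}

IT_ZONES = {"Corporate Zone (IT)"}
BROKER_ZONE = "DMZ"
UNKNOWN = {"unknown-tcp", "unknown-udp"}


def triage(flows, validated):
    """Split observed flows into lockdown rules and items to investigate."""
    rules = defaultdict(set)   # (src zone, dst zone) conduit -> {(app, port)}
    review = []                # (src, dst, app, port, reason)
    for src, dst, app, port, _sessions in flows:
        crosses_it_ot = (src in IT_ZONES) != (dst in IT_ZONES)
        if app in UNKNOWN:
            review.append((src, dst, app, port, "unidentified protocol"))
        elif crosses_it_ot and BROKER_ZONE not in (src, dst):
            review.append((src, dst, app, port, "IT/OT flow bypasses DMZ"))
        elif app not in validated:
            review.append((src, dst, app, port, "application not validated"))
        else:
            # Binding the port as well keeps a validated application from
            # being accepted on a non-standard port.
            rules[(src, dst)].add((app, port))
    return dict(rules), review


def decide(rules, src, dst, app, port):
    """Lockdown evaluation: allow only what a conduit rule names."""
    return "allow" if (app, port) in rules.get((src, dst), ()) else "deny"


if __name__ == "__main__":
    rules, review = triage(OBSERVED, VALIDATED)
    for conduit, apps in sorted(rules.items()):
        print("ALLOW ", conduit, sorted(apps))
    for item in review:
        print("REVIEW", item)
```

Entries in the review queue stay denied after lockdown until someone identifies the protocol or reroutes the flow, which matches the "investigate Unknown TCP" step.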
4. Create Zero Trust Policy ➔ User-ID
• Understand user identification requirements
• Configure user database (ex. MS Active Directory)
• Create user groups based on field roles: operation, engineering, maintenance
• Configure internal and external VPNs (remote users must use jump servers)
• Lockdown policies
4. Create Zero Trust Policy ➔ Content-ID
• Do not allow direct access to the internet
• Block all medium to critical threats by default due to legacy systems
• Implement antimalware to create secure fileshares
• Restrict access to operational files
• Lockdown policies
5. Monitor and maintain the zero trust network
Only implementing NGFW in the Zero Trust architecture on a power grid does not solve all the problems.
It's necessary to monitor and manage equipment 24x7x365 to respond to cyber attacks without causing a production outage.
We did it through our ICS-SOC.
TI Safe's ICS-SOC integrates cybersecurity functions with industrial processes monitoring to prevent and respond to cyber attacks against critical infrastructures.
5. Monitor and maintain the zero trust network
Log sources for ICS-SOC
• Active Directory
• Firewall
• Industrial Firewalls
• Network Services such as DNS, DHCP, etc.
• SCADA
• Industrial IDS
• Network events from Switches and Firewalls (physical and virtual)
• Netflow and JFlow
• Layer 7 Packet Analysis
• Proxy Servers
• Operating Systems Events (Linux / UNIX / Windows)
• Physical Security Systems
5. Monitor and maintain the zero trust network
Energy SIEM – Event Management for the Electrical Sector
• Security intelligence platform with unified architecture
to collect, store, analyze and structure data of events
(logs), network flows, threats, vulnerabilities and risks
of electrical energy environments: generation,
transmission and distribution.
• Event correlation activities are performed on a single
screen, with the possibility of clear incident
identification, flow telemetry, risk modeling, and
impact analysis.
• Modular and scalable structure that allows you to
manage the security of environments of all types and
sizes.
• Platform established in partnership with leading
technology of big data and analytics.
• Integrated cyber security dashboards and operating
information, including information on Modbus, ICCP,
DNP-3, IEC 60870-5-104, Siemens S7 protocols,
among others specific to power.
What TI Safe and Palo Alto Networks did to help?
A new joint product
[Figure labels: Energy clients, PAN NGFW, TI Safe ICS-SOC, TI Safe ICS Cybersecurity for Energy]
TI Safe Cybersecurity for Energy
• Generating Units
• Power Substations
• Operational Control Centers
TI Safe´s ICS-SOC
TI Safe Cybersecurity for Energy
• Cybersecurity policies
• Edge Security with Next Generation Firewall
• Secure Remote Access
• Secure cloud communication for industry 4.0
• Zones and Conduits Segmentation with zero trust
• Vulnerability Monitoring
• Malware protection and control
• Continuous monitoring by TI Safe's ICS-SOC
• 4-eyed Auditing and Management
TI Safe Cybersecurity for Energy
[Figure: firewall models by network level. Level descriptions: strategic planning and logistics; industrial execution systems; batch control; continuous control; discrete control. Levels: Level 4; Level 3; Level 2, 1; Level 0. Models: PA-3220, PA-820, PA-220, PA-220R. Also shown: Cortex, Wildfire, TI Safe's ICS-SOC]
TI Safe’s ICS-SOC current coverage
Energy distribution companies that supply 40 million Brazilians are already protected by TI Safe's ICS-SOC.
Questions?
Marcelo Branquinho
marcelo@tisafe.com
+5521994002290
www.tisafe.com

Ignite 2019
