© SEL 2019
Securing Electric Utility Infrastructure
Case Study on Asset Baselining, Threat
Detection, and Response
Tim Watkins, Schweitzer Engineering Laboratories, Inc.
Matt Cowell, Dragos, Inc.
• Overview of energy control systems
• Holistic look at risk
• Importance of baselining and
defense-in-depth security
• Dragos overview and case study
• SEL solution components
Today’s Webinar
Power – The Most Critical
of Critical Control Systems
• Detect and isolate energy system fault
• Respond and reconfigure alternate path or source
• Recover and restore energy flow
Energy Flowing at the Speed of Light
Growing Target
2018 Dragos Engagements
Electric industry
contributed to 56% of
all threat operations
37% of incident responses
involved initial vector dating
over 365 days of adversary
dwell time
Lack of Historical Data Makes It Difficult to
Monetize and Prioritize Human Cyber Risk
(Holistic risk chart: natural, technical, human, environmental, and operational risks plotted by probability (low to high) against impact ($).)
Baseline – What Is Normal?
30,000 SEL Devices Over Large Geographic Area
Defendable
by Design
Defense in Depth
(Diagram: levels L0 – Sensors and Actuators, L1 – Protection, L2 – Automation, L3 – Access, L4 – SCADA, L5 – DMZ, L6 – Remote. IEDs and the breaker (device 52) at the bottom, then automation devices, LAN / WAN devices, a Dragos midpoint sensor feeding a Sitestore, DMZ IT services and DMZ app servers, corporate IT services, and SEL software app servers. H2M and M2M traffic paths are drawn across the LAN and WAN.)
How would you know if
your systems were being
explored and exploited?
Plenty of Places to Detect
Dragos
WorldView
Threat Operations
Center
Dragos Platform
• Mid-sized U.S. electric utility
• Generation, transmission, and distribution networks
• Control system manufacturer diversity
• Limited team for OT cybersecurity functions
• Network infrastructure that supports monitoring
• IT and OT SOC convergence
Case Study Background
Case Study Objectives
Improve visibility of networked OT assets
Improve NERC CIP compliance functions
Better enable limited OT security team
Improve visibility of OT threats
• Passive network
monitoring
• Sensor- and
server-based system
• 16 distributed sensors
• Centralized monitoring
Dragos Platform Architecture
(Diagram: sensors at hydro, gas, wind, solar, and coal sites report to the central Dragos Platform and Sitestore.)
• 30,000+ assets
• Vast volumes of
data available
• Distribution across
hundreds of miles
• Some physical
network separation
Challenge 1 – Asset Visibility
Summary
• Asset
characterization
• Connections
and protocols
• Zoning
• Timeline analysis
Solution 1 – Asset Visibility
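The four items above (asset characterization, connections and protocols, zoning, timeline analysis) are what a passive sensor derives from flow records. The following is an added example, not code from SEL or Dragos, showing how a baseline is learned from one set of flow summaries and how later flows are compared against it. The zone map, IP addresses, protocol labels and all flow records are constructed for illustration.

```python
"""Added example: learn a traffic baseline from passive flow records and flag
deviations (new assets, new conversations, cross-zone traffic).
All IPs, zones and flow records are constructed for illustration."""
import ipaddress

# Hypothetical zone map (assumption): network prefix -> zone name.
ZONES = {
    "10.10.1.0/24": "substation-protection",  # relays / IEDs
    "10.10.2.0/24": "substation-automation",  # RTACs, data concentrators
    "10.20.0.0/16": "control-center-scada",
    "172.16.0.0/12": "corporate-it",
}


def zone_of(ip):
    """Map an IP to its zone; anything outside the map is 'unzoned'."""
    addr = ipaddress.ip_address(ip)
    for prefix, name in ZONES.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return "unzoned"


class Baseline:
    """Learned picture of 'normal': which assets exist, when they were first and
    last seen, which protocols they speak, and which (src, dst, protocol)
    conversations occur. Timestamps are fixed-width ISO-8601 strings, so
    string comparison orders them correctly."""

    def __init__(self):
        self.assets = {}            # ip -> {"first_seen", "last_seen", "protocols"}
        self.conversations = set()  # (src_ip, dst_ip, protocol)

    def learn(self, flows):
        for ts, src, dst, proto in flows:
            for ip in (src, dst):
                asset = self.assets.setdefault(
                    ip, {"first_seen": ts, "last_seen": ts, "protocols": set()})
                asset["last_seen"] = max(asset["last_seen"], ts)
                asset["protocols"].add(proto)
            self.conversations.add((src, dst, proto))

    def evaluate(self, flows):
        """Compare new flow records against the baseline; return findings."""
        findings = []
        for ts, src, dst, proto in flows:
            for ip in (src, dst):
                if ip not in self.assets:
                    findings.append((ts, "new-asset",
                                     f"{ip} in zone {zone_of(ip)} never seen during learning"))
            if (src, dst, proto) not in self.conversations:
                kind = "new-conversation"
                if zone_of(src) != zone_of(dst):
                    kind = "new-cross-zone-conversation"
                findings.append((ts, kind, f"{src} -> {dst} {proto}"))
        return findings


# Constructed learning-phase flows: (ISO timestamp, src_ip, dst_ip, protocol label).
LEARNING_FLOWS = [
    ("2019-03-01T08:00:00", "10.10.2.10", "10.10.1.21", "dnp3"),    # RTAC polls relay 1
    ("2019-03-01T08:00:05", "10.10.2.10", "10.10.1.22", "dnp3"),    # RTAC polls relay 2
    ("2019-03-01T08:00:10", "10.20.0.5", "10.10.2.10", "dnp3"),     # SCADA master polls RTAC
    ("2019-03-01T08:05:00", "10.10.2.11", "10.10.1.21", "dnp3"),    # second RTAC polls relay 1
    ("2019-03-01T09:15:00", "10.10.2.10", "10.20.0.9", "syslog"),   # RTAC forwards syslog
    ("2019-03-02T08:00:00", "10.10.2.10", "10.10.1.21", "dnp3"),
]

# Constructed flows observed after the baseline was frozen.
NEW_FLOWS = [
    ("2019-03-05T08:00:00", "10.10.2.10", "10.10.1.21", "dnp3"),    # normal
    ("2019-03-05T10:30:00", "10.10.2.99", "10.10.1.21", "telnet"),  # unknown host talks to a relay
    ("2019-03-05T10:31:00", "172.16.4.7", "10.10.1.22", "ftp"),     # corporate host reaches a relay
    ("2019-03-05T11:00:00", "10.20.0.5", "10.10.2.10", "modbus"),   # known pair, new protocol
    ("2019-03-05T11:05:00", "10.10.2.10", "10.10.2.11", "ssh"),     # known pair, same zone
]


def run_example():
    baseline = Baseline()
    baseline.learn(LEARNING_FLOWS)
    return baseline, baseline.evaluate(NEW_FLOWS)


if __name__ == "__main__":
    baseline, findings = run_example()
    for ip, a in sorted(baseline.assets.items()):
        print(f"{ip:12} {zone_of(ip):24} first={a['first_seen']} "
              f"last={a['last_seen']} protocols={sorted(a['protocols'])}")
    for ts, kind, detail in findings:
        print(ts, kind, detail)
```

The learning window must be long enough to cover periodic behaviour (a weekly settings poll, a monthly backup) or those flows will surface as findings later; the first_seen/last_seen fields are what let an analyst judge that from the timeline.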
• NERC CIP
• High level of manual effort
• Lack of trusted partners
Challenge 2 – Compliance
Summary
Address specific
NERC CIP requirements
through technology
Solution 2 – Compliance
Discuss
compliance
pains
Establish credibility
through industry-
trusted partners
Challenge 3 –
Limited Personnel
Summary
• Small, dedicated team
• Varied experience levels
• Many different functions
• IT and OT SOC
convergence
Solution 3 – Limited Personnel
Dragos team experience (leverage through technology)
Onsite assistance and ongoing support
Training (to empower existing team)
IR support escalation through retainer
Challenge 4 – OT Threat Awareness
Summary
Need better
information sharing
of industry-wide
threats
Improve detection
based on known
TTPs and behaviors
Reduce amount
of work analysts
perform to
validate alerts
Know how to
respond to
threats
• Threat behavior analytics
• Query-focused datasets
• Investigation playbooks
• Threat intelligence reports
(provide additional context
and details)
Solution 4 – OT Threat Awareness
• Many customers are facing similar challenges
• IT and OT teams are blending
• Solution requires combination of technology
and personnel to be effective
• Threats are increasing, but defense is doable
Case Study Summary
Pursue Proactive Threat Hunting vs. Reactive IR
Integrating SEL Innovation
Into the Dragos Platform
RTAC (SEL-3555)
OT SDN (SEL-2740S
and SEL-5056)
Security Gateway (SEL-3620)
• Minimizes CIP-007-3 R3 or CIP-007-5 R3.1
• Addresses CIP-007 R4
RTAC Security Features
Verifying RTAC Application Integrity With exe-GUARD®
Refer to SEL Whitepaper, “Leveraging Security – Using the SEL
RTAC’s Built-In Security Features,” for more information
Syslog
Dragos MPS SEL-3555 RTAC
RTAC Security Features
Securing Engineering Access
Syslog
Packet Capture and Syslog
Dragos MPS SEL-3555 RTAC
Telnet
or FTP
Engineering
Access
SEL OT SDN
User authenticates and
creates SSH or TLS
connection to RTAC
RTAC determines access
level of user to relay
RTAC acts as proxy
for user to relay
Syslog adds context
to packet capture
RTAC Security Features
Security Auditing – Event Monitoring and Reporting
Event
Report
Syslog
Dragos MPS SEL-3555 RTAC
SEL OT SDN
RTAC collects events
RTAC stores and
forwards events to
data concentrator
Certain events trigger
Syslog message
Packet Capture
RTAC Security Features
Relay Settings Monitoring
DNP3
Syslog
Dragos MPS SEL-3555 RTAC
SEL OT SDN
RTAC periodically pulls
information from relays
Important events occur
(e.g., new logons, settings
or firmware changes, or
other new events)
Certain events trigger
Syslog message
Ethernet Tap and Syslog
RTAC Security Features
Ethernet and Serial Taps
Syslog
Ethernet Tap and Syslog
Dragos MPS SEL-3555 RTAC
Serial Tap
SEL OT SDN
RTAC can send serial
packet captures for
visibility
SEL-2740S and SEL-5056
(Diagram: SEL-3355 engineering access plus DNP3, GOOSE 1, and GOOSE 2 flows pass through four SEL-2740S switches to an SEL-3555 RTAC and two SEL-411L relays, with SEL-5056 as the flow controller.)
(Diagram: the same SEL-2740S fabric with SEL-3355-2 and SEL-3355 hosts, SEL-5056, SEL-3555, and two SEL-411L relays, now with a Dragos midpoint sensor attached.)
SEL OT SDN and Dragos Combined Solution
Add context to
passive monitoring
Selective packet
capture flows out
multiple ports
(Diagram: the SEL-2740S fabric with SEL-3355-2, SEL-3355, SEL-5056, SEL-3555, two SEL-411L relays, the Dragos midpoint sensor, and an unauthorized device plugged into the engineering access port.)
Instant Visibility Against Baseline
Engineering
Access
Suspicious
behavior occurs
Unknown packets are sent
to Dragos midpoint sensor
with a VLAN tag
Insider Threat or
Compromised
System
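In the scenario above the SDN fabric has no flow entry for the unauthorized device, so its packets are not forwarded to the relays; instead they are copied to the midpoint sensor carrying a VLAN tag. The following is an added example, not SEL or Dragos code, of what the sensor side then does: decode the Ethernet II / 802.1Q header, pull out the mirror VLAN, the source MAC and (for IPv4/TCP) the addresses and destination service, and check the source against a learned allow-list. The allow-list, the choice of VLAN 4000 as the mirror tag, and every MAC, IP and frame are constructed assumptions.

```python
"""Added example: decode frames an OT SDN switch mirrors to a passive sensor
with a VLAN tag and check each source against a learned allow-list.
MACs, VLAN IDs, IPs and frames are constructed for illustration."""
import struct

ETH_P_8021Q = 0x8100
ETHERTYPES = {0x88B8: "GOOSE", 0x0800: "IPv4", 0x0806: "ARP", 0x88CC: "LLDP"}
TCP_SERVICES = {20000: "dnp3", 23: "telnet", 22: "ssh", 21: "ftp", 502: "modbus"}

# Assumptions for this example: the SDN controller tags mirrored "no matching
# flow" packets with VLAN 4000, and these MACs form the learned baseline.
MIRROR_VLAN = 4000
KNOWN_MACS = {
    "00:30:a7:01:02:03": "SEL-411L relay 1",
    "00:30:a7:01:02:04": "SEL-411L relay 2",
    "00:30:a7:02:00:01": "SEL-3555 RTAC",
}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame, optionally with an 802.1Q tag (PCP/DEI left at 0)."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_ipv4_tcp(src_ip, dst_ip, sport, dport):
    """Minimal IPv4 + TCP SYN headers (no options, checksums zeroed) as payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + tcp


def parse_frame(raw):
    """Decode L2 (with optional 802.1Q tag) and, for IPv4/TCP, the L3/L4 fields."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    off, vlan = 14, None
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    frame = {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
             "ethertype": ETHERTYPES.get(etype, f"0x{etype:04x}"), "service": None}
    if etype == 0x0800 and len(raw) >= off + 20:
        ihl = (raw[off] & 0x0F) * 4
        proto = raw[off + 9]
        frame["ip_src"] = ".".join(str(b) for b in raw[off + 12:off + 16])
        frame["ip_dst"] = ".".join(str(b) for b in raw[off + 16:off + 20])
        if proto == 6 and len(raw) >= off + ihl + 4:
            dport = struct.unpack("!H", raw[off + ihl + 2:off + ihl + 4])[0]
            frame["service"] = TCP_SERVICES.get(dport, f"tcp/{dport}")
    return frame


def classify(raw):
    """Add a verdict: is the source a baseline device, and was the frame mirrored?"""
    frame = parse_frame(raw)
    frame["device"] = KNOWN_MACS.get(frame["src"], "unknown device")
    frame["mirrored"] = frame["vlan"] == MIRROR_VLAN
    frame["verdict"] = "baseline" if frame["src"] in KNOWN_MACS else "unknown-source"
    return frame


# Constructed sample frames (GOOSE payload bytes are a placeholder, not a real APDU).
GOOSE_MCAST = "01:0c:cd:01:00:01"
SAMPLE_FRAMES = {
    # relay 1 publishes GOOSE untagged: a flow the SDN already forwards
    "goose": build_frame(GOOSE_MCAST, "00:30:a7:01:02:03", 0x88B8, b"\x61\x81\x00"),
    # unknown laptop opens DNP3/TCP to relay 2; the SDN mirrors it on VLAN 4000
    "rogue_dnp3": build_frame("00:30:a7:01:02:04", "02:11:22:33:44:55", 0x0800,
                              build_ipv4_tcp("10.10.1.200", "10.10.1.22", 51515, 20000),
                              vlan=MIRROR_VLAN),
    # RTAC opens telnet to relay 1: known source, but a service worth noting
    "rtac_telnet": build_frame("00:30:a7:01:02:03", "00:30:a7:02:00:01", 0x0800,
                               build_ipv4_tcp("10.10.2.10", "10.10.1.21", 40000, 23)),
}


def run_example():
    return {name: classify(raw) for name, raw in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, f in run_example().items():
        print(name, f["verdict"], f["device"], f["ethertype"], f["vlan"], f["service"])
```

Because the mirrored copy never reaches the relay, the sensor sees the attempt while the target is untouched; the VLAN ID is what distinguishes "mirrored because unknown" from ordinary tapped traffic, so the tag value the controller uses has to be agreed with the sensor configuration.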
SEL-3620 – Substation Firewall
and ESP Boundary
(Diagram: IPsec VPN tunnel across the WAN between an SEL-3620 at the operations center and an SEL-3620 at the substation; SEL OT SDN, the SEL-3555 RTAC, a tap, and the Dragos MPS sit behind the substation gateway. An authorized user and an unauthorized user both attempt access from the operations center side.)
User requires remote access to
substation to review event reports
IPsec VPN tunnel connects
operations center to substation
Unauthorized user is stopped by
IPsec VPN and firewall rules
SEL-3620 Password Management
Centralized Authentication to SEL-3355
With Active Directory or RADIUS
(Diagram: Dragos MPS on an Ethernet tap, SEL-3620, SEL OT SDN.)
User authenticates with
centralized credentials
SEL-3620 authenticates
with relays
Each relay has its own
complex password
Syslog
User connects to relay by
security gateway proxy
SEL-3620 Password Checkout
Ethernet Tap and Syslog
SEL OT SDN
User authenticates to SEL-3620
and performs a relay checkout
Syslog
SEL-3620 sets password on
relay to an approved password
User connects to front serial
interface and authenticates
Dragos MPS
SEL-3620
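The RTAC security features above (security auditing, relay settings monitoring) and the SEL-3620 password checkout both end in the same place: a syslog message arriving at the monitoring platform. The following is an added example, not SEL or Dragos code, of the receiving side: parse RFC 3164-style syslog lines, classify them as logon, settings-change, firmware-change or checkout events, and escalate a settings change on a relay that had no password checkout in the preceding hour. The message wording, the 60-minute window and all log lines are constructed assumptions; they are not SEL's actual syslog format.

```python
"""Added example: parse security events forwarded over syslog and correlate
relay settings changes with password checkouts.
Message formats and log lines are constructed, not SEL's real format."""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")

# Hypothetical event patterns (assumption): message text -> event type.
EVENT_PATTERNS = [
    ("checkout", re.compile(r"password checkout user=(?P<user>\S+) relay=(?P<relay>\S+)")),
    ("settings-change", re.compile(r"settings change relay=(?P<relay>\S+)")),
    ("firmware-change", re.compile(r"firmware change relay=(?P<relay>\S+)")),
    ("logon", re.compile(r"logon (?P<result>succeeded|failed) user=(?P<user>\S+) from=(?P<src>\S+)")),
]
CHECKOUT_WINDOW = timedelta(minutes=60)  # assumption: a checkout authorizes changes for 1 h


def parse_syslog(line, year=2019):
    """Split PRI into facility/severity, parse the timestamp, and tag the event type."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    ts_text = " ".join(m["ts"].split())  # collapse the day-padding double space
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    event = {"time": ts, "host": m["host"], "facility": facility,
             "severity": severity, "type": "other", "msg": m["msg"]}
    for etype, pat in EVENT_PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            event["type"] = etype
            event.update(hit.groupdict())
            break
    return event


def correlate(events):
    """Turn parsed events into (time, level, summary) alerts. A settings change on
    a relay with no checkout inside CHECKOUT_WINDOW is escalated to HIGH."""
    alerts = []
    checkouts = {}  # relay -> time of the most recent checkout seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        t = ev["type"]
        if t == "checkout":
            checkouts[ev["relay"]] = ev["time"]
            alerts.append((ev["time"], "INFO", f"checkout of {ev['relay']} by {ev['user']}"))
        elif t == "settings-change":
            last = checkouts.get(ev["relay"])
            if last is not None and ev["time"] - last <= CHECKOUT_WINDOW:
                alerts.append((ev["time"], "INFO",
                               f"settings change on {ev['relay']} within checkout window"))
            else:
                alerts.append((ev["time"], "HIGH",
                               f"settings change on {ev['relay']} with no recent checkout"))
        elif t == "firmware-change":
            alerts.append((ev["time"], "HIGH",
                           f"firmware change on {ev['relay']} reported by {ev['host']}"))
        elif t == "logon" and ev["result"] == "failed":
            alerts.append((ev["time"], "WARN",
                           f"failed logon as {ev['user']} from {ev['src']} on {ev['host']}"))
    return alerts


# Constructed sample log: a gateway checkout, two relay settings changes, a failed
# logon, a firmware change, and one line that is not syslog at all.
SAMPLE_LOG = [
    "<86>Mar  5 09:58:10 sel3620-sub7 gateway: password checkout user=eng1 relay=10.10.1.21 result=success",
    "<86>Mar  5 10:02:40 rtac01 rtac: settings change relay=10.10.1.21 group=1 detected by poll",
    "<85>Mar  5 14:39:00 rtac01 rtac: logon failed user=admin from=172.16.4.7",
    "<86>Mar  5 14:40:05 rtac01 rtac: settings change relay=10.10.1.22 group=1 detected by poll",
    "<86>Mar  5 14:45:00 rtac01 rtac: firmware change relay=10.10.1.22 old=R301 new=R305",
    "not a syslog line",
]


def run_example():
    return correlate([e for e in map(parse_syslog, SAMPLE_LOG) if e])


if __name__ == "__main__":
    for ts, level, summary in run_example():
        print(ts.isoformat(), level, summary)
```

The correlation is only as good as the clock agreement between the gateway and the RTAC; if they are not synchronized, an authorized change can land outside the window and be escalated, so time sync belongs on the same checklist as the syslog forwarding itself.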
• OT SDN telemetry data
• Dragos using SEL device API or REST interface
• Development of Dragos playbooks for SEL systems
• Active defense on noncritical devices
Future Innovation Ideas
SEL and Dragos
SEL-Dragos Solution Combines
Expertise of Two Trusted Companies
Contact SEL Secure Solutions at
secure@selinc.com for more information
Questions?