automation world article

8/4/2019 Automation World Article

http://slidepdf.com/reader/full/automation-world-article 1/6

iT Hps wth Pant Scuengns ensu Pant Uptm

engns Budng MdBtt Standads, lss Ambgu

Dpatmnt engy n Cyb Scuexcusv intv

Spca Puut SctPackagng Autmatn rv

J 20

FIFTH ANNIVERSARY ISSUE



Among the many initiatives aimed at providing cyber security or thenation’s critical inrastructure, the eort that led to a January

2006 document known as the “Roadmap to Secure Control Systems in the Energy Sector” stands out as one involving signiicant public/private sector collaboration.

The Roadmap, which lays out a 10-year vision, has been recommended by the Na-tional Inrastructure Advisory Council as a model or other industries to ollow indeveloping their own sector-specifc roadmaps. In March this year, the Water SectorCoordinating Council Cyber Security Working Group published a “Roadmap toSecure Control Systems in the Water Sector,” which lays out a similar 10-year vision.

Hank Kenchington, a senior manager with the U.S. Department o Energy’s O-fce o Electricity Delivery and Energy Reliability (OE), was a member o the Con-trol Systems Roadmap Steering Group or the Energy Roadmap, and is called out inthe oreword or his “outstanding leadership” on the project. Kenchington serves asprogram manager or the OE’s National SCADA Test Bed (NSTB), which is play-ing an important role in achieving the Roadmap vision.

To get an update on the Roadmap initiative as well as the latest NSTB activities, Automation World Managing Editor Wes Iversen recently submitted a series o e-mail questions to Kenchington.

A 10-year roadmap

for achieving control

system cyber security in the energy industry

has been hailed as

a model for other

ndustries. Here’s a look

at progress to date.

on the roadto cyber security



Automation World: The Roadmap to Secure Control Systems

in the Energy Sector was published in January 2006. Can you

briefy describe the genesis o that document?

Hank Kenchington: The importance o adequately securingcontrol systems has been known or some time. In 1998, thePresident’s Commission on Critical Inrastructure Protectionhighlighted the criticality o control systems and the increas-ing risk o energy disruptions due to cyber attack. In 2003, the

Bush Administration elevated the issue, stating in its “NationalStrategy to Secure Cyberspace” that “securing SCADA/DCS isa national priority” (in reerence to supervisory control and dataacquisition/distributed control systems).

The Department o Energy’s (DOE’s) Ofce o Electricity Delivery and Energy Reliability (OE) has been working withthe private sector to enhance critical inrastructure protectionsince the 1990s. In 2003, the Bush Administration, throughthe DOE, initiated the development o the Roadmap, workingin partnership with the oil, gas, and electricity industries. Atthat time, a number o activities designed to help secure con-trol systems were underway. However there was no clear vision

or strategic ramework or coordinating these diverse activities.Moreover, while a number o reports recognized the threat andpotential consequences o a cyber attack on control systems,the control system security needs o private sector asset own-ers and operators were not being addressed. The private sector– which collectively owns and operates approximately 80% o U.S. energy sector assets – lacked a compelling business case tosupport investment in cyber security. Coupled with the scopeand complexity o the problem, these issues underscored a sig-nifcant need or increased public-private partnership to maxi-mize limited resources and eectively enhance control systemsecurity. Private- and public-sector energy stakeholders alike

recognized that securing energy sector control systems was ashared responsibility.

To develop the Roadmap, DOE collaborated with the U.S.Department o Homeland Security (DHS), and Natural Re-sources Canada to acilitate a two-day workshop in 2005. We

worked closely with industry leaders through a 17-memberRoadmap Steering Group to design and conduct the workshopand synthesize the results, careul to ensure that the resultingRoadmap was an industry-driven plan. Accordingly, the major-ity o the workshop’s 55 participants were electricity, oil, andnatural gas asset owners and operators, while the remainderconsisted primarily o control systems vendors, national labo-ratories, and academia. The fnal Roadmap was published in

January o 2006.In 2003, Homeland Security Presidential Directive-7

(HSPD-7) designated DOE as the Sector-Specifc Agency responsible or coordinating activities with the energy sector

to enhance protection o Critical Inrastructure and Key Re-sources (CI/KR). These activities are carried out within theramework o the DHS National Inrastructure ProtectionPlan (NIPP). As noted in the Energy Sector-Specifc Plano the NIPP, the Roadmap established the key cyber securitygoals addressing the “ull spectrum o cyber security prioritiein the energy sector.”

AW: The overriding vision stated in the Roadmap is that in 10years, control systems or critical applications will be designed

installed, operated and maintained to survive an intentional cy

ber assault with no loss o critical unction. At just beyond two

years into that 10-year period, how would you assess the early

progress toward that goal?

Kenchington: I think we are making progress along severaronts. From a technology perspective, 85 projects rom nearly20 public and private organizations have been launched support-ing the goals identifed in the Roadmap. To help track progressDOE created the ieRoadmap (Interactive Energy Roadmap)a Web-based tool that allows principal investigators to register

and sel-populate a database that links to the challenges identi-fed in the Roadmap. The ieRoadmap, hosted on the ProcessControl Systems Forum Web site (www.pcsorum.org), providea mechanism to encourage collaboration, identiy active areas o

work, expose gaps and enable partners to leverage resources, as well as inorm owners and operators o emerging technologies.

DOE supports the Roadmap primarily through our NationaSCADA Test Bed (NSTB) program, which conducts cybersecurity assessments o control systems and related technolo-gies, develops advanced control system technologies, conductmodeling and simulation to better evaluate risk, and engagein industry partnership and outreach. To date, the NSTB ha

conducted test bed and on-site feld vulnerability assessmento 15 control systems rom vendors including ABB, Areva, GEOSI, Siemens, Telvent and others, as well as assessments o ourcontrol system component technologies at the test bed. As aresult o this work, six next-generation “hardened” systems havebeen developed by the participating vendors—21 o one ven-dor’s hardened systems have been deployed in the marketplaceParticipating vendors have issued fve sotware patches address-ing six critical security issues in response to vulnerabilities dis-covered by NSTB. One particular sotware patch issued by one

vendor to secure its legacy systems has been downloaded by 82utilities currently operating those systems.

System assessments have revealed common vulnerabilities andeasy-to-implement, immediate security fxes that apply acrossthe board. Outreach has helped disseminate this knowledgeFor example, more than 1,200 energy sector stakeholders haveparticipated in training workshops conducted by NSTB thaeducate system operators on best practices or control systemssecurity. Approximately another 500 individuals were expectedto participate in scheduled NSTB training events through Apriand May o 2008. In addition, NSTB partners with the NorthAmerican Electric Reliability Corp.’s (NERC) Control Sys-tems Security Working Group to publish mitigations or the

vulnerabilities in the annual “Top 10 Vulnerabilities o Contro

From a technology perspective, 85projects from nearly 20 public andprivate organizations have beenlaunched supporting the goalsidentified in the Roadmap.



Systems and Their Associated Mitiga-tions” report.

The recently ormed Energy SectorControl Systems Working Group willdrive urther implementation o theRoadmap and has already launchedkey initiatives to accelerate prog-ress. For example, the working group

was scheduled to hold an ieRoadmap Workshop in Chicago on May 28-29. The workshop was designed to provide presenters with an opportunity todiscuss their control systems security research and projects with the workinggroup and other stakeholders, and toreceive eedback on how each projectaligns with the Roadmap goals andpotential ways to improve the rele-

vance o project results. The workshop was intended to provide participating

energy sector owners and operators with a better understanding o the rel-evance o each project to the Roadmapand how it can help them better securetheir control systems.

AW: What are among the key elements in the strategy or achiev-

ing the 10-year goal?

Kenchington: To achieve the Roadmap vision, a ramework based on sound risk management principles emphasizes ourstrategic areas:lMeasure and Assess Security Posture. Within 10 years, the sector

will help ensure that energy asset owners have the ability and com-mitment to perorm ully-automated security state monitoring o their control system networks with real-time remediation.lDevelop and Integrate Protective Measures. Within 10 years, next-generation control system components and architectures that oerbuilt-in, end-to-end security will replace many older legacy systems.l Detect Intrusion and Implement Response Strategies. Within10 years, the energy sector will operate control system networksthat automatically provide contingency and remedial actions in re-sponse to attempted intrusions into the control systems.l Sustain Security Improvements. Over the next 10 years, energy asset owners and operators are committed to working collabora-tively with government and sector stakeholders to acceleratesecurity advances.

The existence o the Roadmap will not by itsel create action.Strong leadership and commitment is needed at each step to en-sure that important requirements do not all through the cracks.Collaboration rom both industry and government is essential toachieving success.

To help guide implementation o the Roadmap, industry lead-ers ormed the Energy Sector Control Systems Working Group.

The working group, which ratifed its charter in December 2007,is made up o representatives rom the Government CoordinatingCouncil or Energy, the Electric Sector Coordinating Council, and

the Oil & Natural Gas Sector CoordinatingCouncil. It operates under the ramework othe Critical Inrastructure Partnership Ad-

visory Council, a group ormed under thNational Inrastructure Protection Plan tosupport the private sector and governmentin collaborating on critical inrastructureprotection activities.

Working group members have outlinedfour objectives or their eorts:

1. Help identiy and implement practicalnear-term activities that are high priorityor the industry

2. Promote the value to the industry oachieving the goals o the Roadmap

3. Recommend critical areas or publicand private investment

4. Measure progress toward Roadmapgoals and milestones.

AW: What would you say are among thebiggest challenges in achieving that 10

year vision?

Kenchington: Some o the biggest chal-lenges to achieving the vision include:l Keeping pace with the rapidly changing

and growing threat environment. New cyber vulnerabilities arediscovered on a weekly basis. Sophisticated sotware tools, widelyavailable on the Internet and sometimes traded or proft by cy-ber extortionists, allow hostile actors to develop and launch newcyber attacks aster than ever (even with limited control systemknowledge). The result is a vicious cycle in which there is a con-

stant need or new countermeasures that require increasingly asterimplementation.lAccelerating the commercialization o inherently secure and re-silient control systems. As these systems become more integratedinto enterprise and corporate-wide systems, it is essential to trans-orm the state-o-the-art or control systems technology rom aninherently insecure technology that requires layers o deense andcostly management processes to provide adequate security to atechnology that provides built-in security and robustness.l Increasing understanding o cyber risks. While our understand-ing o the risk o cyber attacks on the energy inrastructure has beenimproved through Roadmap-related research, energy asset ownersand operators still do not have the capabilities to ully understandthe risk associated with the cyber threats o today and tomorrow

Without a better understanding o the risks, costs, and potentiaconsequence, it will continue to be difcult to make a strong busi-ness case or cyber security investments.

AW: How has the response to the Roadmap been rom asset own

ers, and rom vendors?

Kenchington: So ar, we’ve received very positive eedback on theRoadmap rom the energy sector. For example, the NERC CriticaInrastructure Protection (CIP) Committee voted unanimously toapprove and support the implementation o the Roadmap. In addi-

Energy Sector ControlSystems Working Group

In December 2007, leaders from the

electric, and oil and natural gas industries,

and government formed the Energy Sector

Control Systems Working Group to help

guide implementation of Roadmap priorities.

The Working Group members are:

Dave Batz, Alliant Energy

Stuart BrinDley, IESO Ontario

Page Clark, El Paso Corp.

Steve elwart, Ergon Refining Inc.

eriC FletCher, NiSource

tom FlowerS, CenterPoint Energy Inc.

eD goFF, Progress Energy

morgan henrie, Alyeska Pipeline

hank kenChington, DOE

Doug maughan, DHS S&T

Seán mCgurk, DHS NCSD

Dave norton, Entergy Corp.

Dave SCheulen, BP

June 2008 l Automation World



Hank Kenchington is a senior manager with

the Department of Energy’s Office of Electricity

Delivery and Energy Reliability (OE). Kenchington

currently manages OE’s National SCADA Test

Bed program designed to help reduce the risk of

energy disruptions (oil, gas, and electricity) due to

cyber attacks on control systems. Prior to joining

DOE, Kenchington directed a strategic business

unit for a major manufacturer of industrial equip-

ment and automated control systems with respon-sibility for systems engineering, sales and marketing, and new

product development. He holds a Bachelor of Science degree

in mechanical and nuclear engineering from Virginia Polytechnic

Institute and State University and a master’s degree in engineer-

ing management from the George Washington University.

Profile

tion, in 2007, the Government Accountability Ofce (GAO) in-terviewed industry experts in developing their report “CriticalInrastructure Protection: Multiple Eorts to Secure Control Sys-tems Are Under Way, but Challenges Remain.” The experts statedthat the “roadmap was a positive step or the industry” and that

the roadmap process “succeeded in identiying industry needs and was a catalyst or bringing agencies and government coordinatingcouncils together and that it was a good idea or other industries todevelop plans similar to the roadmap.”

Asset owners and vendors have embraced the Roadmap and areactively pursuing solutions to achieve its goals. In December 2007,leaders rom the electric, oil and natural gas industries, and govern-ment ormed the Energy Sector Control Systems Working Groupto help guide implementation o Roadmap priorities. The workinggroup planned to conduct the frst ieRoadmap Workshop in May and based on pre-workshop response, strong participation by assetowners, vendors, and researchers was expected.

Roadmap recognition has also come rom outside the energy sector. In a January 16, 2007 report, President Bush’s NationalInrastructure Advisory Council (NIAC) recognized the Roadmap’ssuccess in developing and implementing cyber security solutions orcontrol systems. The report recommended that all critical inrastruc-tures use the energy sector Roadmap as a model to develop theirown sector-specifc roadmaps.

Also in 2007, the Council on Competitiveness, in its report“Transorm. Enterprise Resilience: The Resilient Economy: In-tegrating Competitiveness and Security,” stated that each controlsystem that has been assessed by NSTB “represents a class o moresecure SCADA technology, creating a powerul multiplier eecton energy resilience nationwide.”

AW: Can you provide some examples o projects or initiatives un-

derway in support o the Roadmap?

Kenchington: DOE has aligned the NSTB program to supportthe goals identifed in the Roadmap. Recently, DOE also awardedfve industry projects that are developing and integrating techno-logically advanced controls and cyber-security devices into ourelectric grid and energy inrastructure. These projects include:

1. Hallmark Project. This project will commercialize the SecureSCADA Communications Protocol (SSCP). - Schweitzer Engi-

neering Laboratories, Pacifc Northwest National LaboratoriesCenterPoint Energy

2. Detection and Analysis o Threats to the Energy Sector(DATES). The team will develop an intrusion detection system(IDS) (network, host, and device level), event correlation rame-

work, and a sector-wide, distributed, privacy-preserving repository o security events or participants to automatically contribute

without attribution. - SRI International, ArcSight, Sandia Nation-

al Laboratories, ERCOT3. Cyber Audit and Attack Detection Toolkit. The team will ex-

tend the capability o existing vulnerability scanning tools to eval-uate SCADA security confgurations (supports compliance withNERC CIP-005 and CIP-007); develop templates or a securityevent monitoring system by mining data in PI Systems. - DigitalBond, Tenable Network Security, OSIsot, Constellation EnergyPacifCorp, TVA

4. Lemnos Interoperable Security Program. The project wilconduct testing, validation, and outreach to increase the availabil-ity o cost-eective, interoperable security solutions or IP-basedcommunications. - EnerNex Corp., Schweitzer Engineering Lab-

oratories, TVA, Sandia National Laboratories5. Protecting Intelligent Distributed Power Grids Against Cyber

Attacks. The team is developing a risk-based critical asset identi-fcation system and an integrated and distributed security system

with optimization to establish the best topology or networking thesecurity components - Siemens Corporate Research, Idaho NationaLaboratory, Rutgers Center or Advanced Energy Systems

For a more complete listing and description o additional pub-lic- and private-sector projects addressing Roadmap challengesand goals, visit http://www.pcsorum.org/roadmap.

AW: How are these initiatives being unded?

Kenchington: Many organizations are unding projects to sup-port the Roadmap. For example, DOE is unding NSTB andcost-sharing fve industry projects mentioned above. DOE, DHSand the National Science Foundation (NSF) are unding the

Trustworthy Cyber Inrastructure or the Power Grid initiativeled by the University o Illinois – Urbana-Champaign. DHS hadeveloped the Control System Cyber Security Sel-Assessmen

Tool (CS2SAT), which helps utilities determine their compliance with standards through a questionnaire. DHS is also und-ing the Institute or Inormation Inrastructure Protection (I3Pprojects. The Electric Power Research Institute (EPRI) is und-ing a project titled “Security Metrics or Energy ManagementSystems.” Other organizations unding research include CiscoSystems, Digital Bond, TNS, Inc., Mu Security, Raytheon, theDOD Technical Support Working Group (TSWG), WurldtechSecurity Technologies, and more.

AW: What role do the NERC CIP standards play as part o the

plan laid out in the Roadmap?

Kenchington: The Roadmap provides a strategic ramework toguide the development o projects and align activities with a com-mon vision. Industry standards (including the NERC CIP stan-dards) are critical to achieving the Roadmap vision. Standards can

Automation World l June 2008



(#17239) Copyright 2008 Summit Media, LLC. Reprinted with permission from the June 2008 issue of Automation World.For more information about reprints from Automation World, contact PARS International Corp. at 212-221-9595.

ensure that ongoing control systems security practices are con-ducted consistently across an organization, as well as the entiresector. Standards also help owners and operators determine thedegree to which security integration is occurring and measureprogress. For example, the Roadmap identifed standards or se-cure data exchange and communications as a priority need to helpsustain security improvements.

AW: What role does the National SCADA Test Bed play in achiev-ing the Roadmap goals?

Kenchington: The need or a national test bed has been identi-fed in several documents, including the “National Strategy to Se-cure Cyberspace,” and most recently in President Bush’s Councilo Advisors on Science and Technology report “Leadership Un-der Challenge: Inormation Technology R&D in a Competitive

World” (August 2007). The Roadmap also identifes this need. The NSTB provides a singular, state-o-the-art national re-

source to support industry and government eorts to secure con-trol systems in the energy sector. NSTB researchers have developedconsiderable expertise in conducting cyber security assessments o

controls systems in the test bed and in actual feld installations.NSTB has developed specialized modeling and simulation capa-bilities to more comprehensively understand the risk associated

with cyber attacks on our energy inrastructure. NSTB has aidedthe development o advanced security technologies primed orcommercialization, such as the Secure SCADA CommunicationsProtocol (SSCP), which marks SCADA messages with a uniqueidentifer that must be authenticated beore the unction is car-ried out, ensuring message integrity. The NSTB also conductsoperator training in control systems security, as well as outreachactivities to help raise awareness o cyber vulnerabilities and risksamong energy executives and operators.

AW: How does the NSTB process work, and how many vendors

have had their products tested at NSTB?

Kenchington: The NSTB program involves several activities,including cyber security assessments o control systems in a con-trolled environment—the test bed. Vendors are providing controlsystems and security technologies or assessment in the test beds,and owners are providing access to their control systems or on-siteassessments and validation o test bed results. Interested vendors

work with DOE through a Cooperative Research and Develop-ment Agreement (CRADA). Vendors provide approximately 50percent in cost-sharing to perorm the tests. The vendor and DOEdevelop a test plan with specifc targets o evaluation and goals orthe assessment. Researchers then install the system in the test bedand assess it using the most up-to-date security exploits and pro-

vide a report to the vendor identiying the identifed vulnerabilitiesalong with recommendations to mitigate the vulnerability. Fiteensystem assessments have been completed so ar, and another ourare underway. NSTB has conducted system vulnerability assess-

ments in partnership with vendors including ABB, Areva, GE,OSI, Siemens, Telvent, PacifCorp, and Teltone.

Vendor and asset owner interest in NSTB assessments con-tinues to grow. Twelve utilities rom the U.S. and Australia haveormed a consortium with ABB, a SCADA system vendor, toprivately und advanced research and testing through the NSTB.

The newly ormed consortium will und testing o the latest as-sessment targets or ABB’s SCADA/EMS product, NMR3, and

ensure that all previously discovered vulnerabilities have beenmitigated. The assessment will be completed this year. Utilitiesmaking up the consortium include: Austin Energy, Detroit Edi-son, Indianapolis Power & Light Company, ITC Transmission,Kansas City Power & Light (KCP&L), LCRA, the New York Independent System Operator (NYISO), Snowy Hydro Ltd., and

Tri-State G&T Association. The NSTB program has also been recognized by other orga-

nizations. In December o 2007, the SANS Institute released areport highlighting the NSTB as one o six ederal projects thathave had the most success in increasing the nation’s capacity tosecure cyberspace. The report noted that the test bed has “already

substantially and measurably improved the security o systemsthat control much o the nation’s most critical inrastructures.”

AW: To what degree, to your knowledge, have controls system and

SCADA vendors taken steps to “harden” their products, based on

NSTB test results?

Kenchington: Fiteen control system vulnerability assessmentshave been completed to date, and another our are currently inprocess. Vendors have shared details o the assessments with theirusers, and some have shared the assessment reports directly. Ven-dors have also rapidly acted to create system fxes and alert op-erators o security threats, and six vendors have developed next-

generation hardened systems. One vendor who is working withNSTB to improve system security has now sold its improved sys-tems to 21 customers who collectively control more than 235,000MW o electrical power—about 5.8 percent o net U.S. generationin 2005. Another vendor reported that 82 o its utility customershave downloaded its vendor-specifc security patch developed us-ing mitigations recommended by NSTB. The remaining vendorshave implemented or are in the process o implementing the rec-ommended mitigations on their systems.

Where can interested parties fnd out more about the Roadmapand other topics discussed in this interview?

Hank KenchingtonProgram Manager, National SCADA Test BedU.S. Department o Energy Ofce o Electricity Delivery and Energy Reliability 1000 Independence Ave., SW

Washington, DC [email protected]

http://www.oe.energy.gov/controlsecurity.htm

automation world article

Documents