VIASAT PROPRIETARY Critical Infrastructure Protection Securing Electric Grid Control Systems and Assets NRECA TechAdvantage March 6, 2014


Page 2

The bright, shiny, clean future awaits

[Diagram labels: Integrated Smart Grid; Renewable, Reliable, Resilient, Efficient, Distributed, Intelligent, Customer-centric, Secure]

©2013 ViaSat Inc.

Page 3

Smart Grid Value Realization

» SCADA and Phasor Measurements

» Substation Automation

» Distribution Automation

» Smart Metering, Demand Response, Energy Conservation and Distributed Resources

The value of the Smart Grid is realized by merging data from these islands of automation to achieve a total end-to-end systems view by integrating information technology and operational technology.

IT Enabled Integration

Page 4

Smart Grid Systems of Systems Characteristics

» An increasingly smarter electric grid is characterized by increasingly complex systems that are network-centric, real-time, cyber-physical-social systems

› Thousands of platforms, operators, users supporting millions of sensors, decision nodes, actuators and customers

› Connected through heterogeneous wired and wireless networks

› Operating in a dynamic and evolving threat environment

Webearth from www.ibiblio.org/.../de2007/webearth.jpg

Adapted from: SEI Ultra-Large Systems Study

©2013 ViaSat Inc. Used with Permission from Southern California Edison

Page 5

Smart Grid Layered Architecture: Common Cybersecurity is Mission Critical

» Operational capabilities are supported by applications and common services

» Services are available to devices at the edge of the network and are event driven

» Communications design allows for connectivity across multiple network domains

» Security is end-to-end and enables systems integration

» Architecture is supported by common semantic models and standards

Page 6

Smart Grid Control Ecosystem: Increased Attack Surface and Vulnerability

Increasingly Complex and Interconnected across Multiple Domains (ISO to End User)

Page 7

ViaSat Communications and Networking

Founded in 1986

$1.2B Revenue

2800 Employees

[Diagram labels: Consumer Internet Service Provider; Government and Enterprise; Mobile SATCOM and Services; Information Assurance and Cyber Security; Communications Technologies; High Capacity Satellite]

Page 8

Information Assurance Heritage

[Diagram labels: High Grade Secure Modules; Secure Networking Products; Secure Architecture; SOC Services and Technology; DoD/NIST Certification]

Page 9

Mission Assurance Capability

Using military grade cybersecurity to enhance resiliency

CIP owners/operators facing transition that DoD started 10+ years ago

[Diagram labels: Networked Battlefield; Networked Utility Operations]

Page 10

Smart Grid System of Systems (SoS) Communications

[Diagram: Evolution of Smart Grid SoS Architectures. Labels: Silos; ESB Adapter-based; Common; Current-state; Typical SI Approach; DoD-style approach; Standards-based; Internet-style]

Page 11

Case Study

Southern California Edison

The Irvine Smart Grid Demonstration Project

Page 12

Southern California Edison (SCE) is committed to safely providing reliable and affordable electricity to its customers

On an average day SCE provides power to:

» Nearly 14 million people

» 180 cities in 50,000 square miles of service area, encompassing 11 counties in central, coastal and Southern California

» Commercial, industrial and nonprofit customers, including:

› 5,000 large businesses

› 280,000 small businesses

Page 13

California Climate & Energy Policies

Multi-faceted External Forces Impacting Smart Grid Architecture and Deployment

Page 14

SCE Smart grid design goals

» More – increased capabilities

› More capabilities at the edge and enterprise, pervasive automation

» Better – faster, more reliable & secure

› The electric grid is more resilient

› Dynamic control of all security elements allows the system to adapt to evolving threats

» Easier – usability (convergence, unified control, visualization, information on demand)

› Tens of Millions of nodes are manageable

› Situational awareness

› Common Services allow for easier integration of new capabilities and technologies

Page 15

SCE Architecture challenges

» How to ensure investments in SG technologies and systems today are able to participate in the SG architecture of tomorrow?

» How do legacy systems participate in the SG architecture?

» How do they manage the complexity of the system over time?

» How to represent an architecture trajectory that decision makers (policy makers, regulators etc.) can understand?

» How do they represent an architecture that is actionable?

» How do they relate the architecture to the emerging SG market and standards development efforts?

Page 16

SCE will demonstrate an integrated, scalable end-to-end smart grid system (Irvine Smart Grid Demonstration)

Irvine Smart Grid Overview

Page 17

Define Infrastructure Required for Smart Grid Functions and Strategy for Organizing Deployment

[Diagram: SCE’s Smart Grid. Labels, grouped under the diagram's headings:]

SG Functions: Bulk Renewable Integration; Dynamic Pricing; Cust. Information Provision; DER Integration; Load Control; Adv. Transmission Protection; Dynamic Asset Management; Wide Area Awareness & Control; Dynamic Asset Optimization; Advanced Outage Management; Advanced Volt/VAR Control; Automated Customer Service; PEV Readiness

Management & Control Systems: AMI Back Office Systems; SCE.com; Customer Information Systems; Energy Service Provider Interface; Distribution Management System; Advanced Load Control System; Outage Management System; Energy Management System; Wide-Area Situational Awareness System; C-RAS Central Controller; Wide-Area Control System; Geographical Information Systems

Communications Networks: Substation LAN; Premise-Area Networks; Field Area Network; High-Speed Backbone; High Speed Protection Communications; Inter-Utility Network; AMI Network

Field Devices: FACTS Devices; Advanced Robotics; Energy Storage; Phasor Measurement Units; Smart Inverters; Online Transformer Monitors; Advanced Relays; Workforce Computing Devices; Advanced Switching Devices; Smart Distribution Transformers; Advanced Volt/VAR Devices; Customer Premise Devices; PEV Metrology; Smart Meters

Cyber Security

Cybersecurity is the over-arching capability that enables all domains to function and interact

SCE’s Smart Grid consists of both functions and infrastructure required to deliver functions

Strategy section describes required infrastructure for each function and guidelines for deployment

Page 18

Example: Wide Area Situational Awareness & Control

SB 17: Self-Healing; Empower Customers; Resist Attack; Power Quality & Reduced Outages; DG & Storage; Enable Markets; Efficiency; Enable Intermittency

Energy Policies: AB 32; 33% RPS; Once-Thru Cooling; DG Incentives; PEV Adoption; 500 MW Solar Prog.; ZNE Buildings; DR Goals; SG OIR Information

SG Functions: Bulk Renewable Integration; Dynamic Pricing; Cust. Information Provision; DER Integration; Load Control; Adv. Transmission Protection; Dynamic Asset Management; Wide Area Awareness & Control; Dynamic Asset Optimization; Advanced Outage Management; Advanced Volt/VAR Control; Automated Customer Service; PEV Readiness

Definition: Real-time monitoring and automated control of transmission system conditions, including voltage, current, frequency, and phase angle through use of visualization and intelligent alarming tools.

Policy Drivers: AB 32, 20% RPS by 2010, 33% RPS by 2020, Once Through Cooling

Implementation Challenges:

• Interconnection of renewables across western grid and retirement of coastal plants creates need for enhanced real-time information about transmission system conditions

• Intermittent renewable generation creates sub-second fluctuations in transmission system power, voltage, and frequency

SB 17 Characteristics Achieved: Power quality/reduced outages; Enable intermittency

Page 19

Example: Wide Area Situational Awareness & Control

[Diagram: the SCE Smart Grid functions and infrastructure map from page 17 (SG Functions, Management & Control Systems, Communications Networks, Field Devices, Cyber Security), with the additional label Market Integration.]

Deployment-Ready Infrastructure:

• PMUs

• High Speed Backbone Communications

• Back office systems to process >30 data points/second

Possible Future Deployments:

• Automated Control Systems

Page 20

What is CCS?

» CCS is a real-time cyber-security monitoring, detection and response platform that provides complete network visualisation. By using sensors and traffic flow analysis it can identify and respond to suspicious and anomalous behaviour on operational control systems.

Page 21

Cybersecurity System Capabilities

Authentication:

• Integrated Operational Public Key Infrastructure (PKI), Identity Management

Authorization:

• Role and Group Based Access Control (RBAC)

Accounting:

• Security Information and Event Management (SIEM)

Peer to Peer:

• Authenticated communication

• Defense in Depth

Quality-of-Trust:

• Continuous device to device trust monitoring

• Cyber & Physical alerts, device health, operator actions

Integrity:

• Trusted Boot, Trusted Network Connect

• Device Bill-of-Health

Dynamic Scalable GUI:

• Central operations security visualization GUI accessed via web browser

• Multi-Tier Security Operations Capability

• Large scale System Planning and Test Capabilities

Dissemination restricted as described on cover page.

Page 22

TRUST IS EVERYTHING

Without TRUST you cannot achieve your operational and business objectives

QUALITY OF TRUST gives you a metric to determine the health of your operational networks and systems and be CONFIDENT about their interaction

Page 23

Determining QoT

[Diagram labels: Status; Identity; Bill of Health; Quality of Trust]

• A device reporting about itself based on a defined list of characteristics/attributes

• Establishes that a device is what it’s meant to be

• A device has been authenticated and has joined the “fabric” of CCS enabled devices

• QoT – Devices are monitoring each other’s behaviour and reporting on those that they are physically and/or logically connected to.

Page 24

Conceptual Operation

Bump-In-The-Wire

Bump-In-The-Stack Proxy – CCS-Enabled Gateway

Page 25

Security

Page 26

Common Cybersecurity Service Concepts

Security Policy Enforcement & Status based on device and function

Status: HEARTBEAT

BoH: INTEGRITY

QoT: QUALITY of TRUST

ID: CERTIFICATE

Status: Trusted, Questionable, Untrusted, Unknown

[Diagram labels: Device A, Policies; Device B, Policies; Device C, Policies]

Page 27

Common Cybersecurity Service Highlights

» The most advanced security system in the energy sector

› Next generation utility technologies

› DoD technology transfer

› Best practices from many sectors

› Modern SOA style architecture

» The most compliant security system

› NERC CIP Version X

› All Federal Processing Standards (DHS, FIPS)

› NIST Compliant (NISTIR, SP)

» The most scalable and dynamic security system

› Supports all Grid Applications

› Supports current and next generation networking (MPLS)

› Supports all major protocols used on the Grid

› Modular Construction

Page 28

CCS Highlights

» Easily Integrated into existing environment

› Supports existing control and IT investments (Directory Services, Enterprise PKI)

› 8 inflight advanced programs are relying on new services (e.g. ISGD, Phasor Measurement, SA3, C-RAS, etc.)

› Supports gradual evolution to full compliance over time

» Ease of Use

› AMI Security uses command line and requires vendor support

› CCS has next generation web based graphical user interface

› Enables a powerful and unified security operations center

» IEC has committed to align with CCS principles

› Hosted IEC TC 57 Security Meetings

› New Part to FERC reviewed/recommended 62351

Page 29

CCS Concepts: Advanced Visualization & Wide Area Situational Awareness (WASA)

Page 30

Questions?


Brett Luedde [email protected] +1-760-893-3749