-
7/27/2019 Secure Microgrid Operations Cyber Security for Critical Infrastructure
1/36
BDS| PhantomWorks
Copyright 2011 Boeing. All rights reserved.
BDS | Boeing Energy
Cyber Security
- Automation of energy systems provides attack surfaces that previously did not exist
- Cyber attacks have matured from teenage hackers to organized crime to nation states
- Centralized control is vulnerable; decentralized control mitigates some of the risk
- NSA multi-layered defense-in-depth architecture is the standard
- Advanced analytics and cyber/physical event correlation provide protection against increasing threats
- Securing communications to end devices (generators, switchgear, etc.), which may not have intrinsic security, is critical
- Role-level protection at the end device, versus traditional user-interface roles, is a critical capability
- Cyber threats are real and rapidly evolving, as are the standards to build and deploy solutions to mitigate them
-
Boeing Defense, Space & Security
PhantomWorks
Cyber Security
Concepts Demonstration
Joe McCormick - Boeing
-
Electric Grid Cybersecurity Risks (NIST)
- Greater communications complexity increases exposure to potential attackers and unintentional errors
- Networks linked to other networks may introduce common vulnerabilities spanning multiple domains
- More interconnections present increased opportunities for legacy and new cybersecurity attacks
- More network nodes means more entry points and vectors that potential adversaries might exploit
- Extensive data gathering and two-way information flows may broaden the potential for compromises of data confidentiality and breaches of customer privacy
-
Distributing Operational Control
- Distributed grid control is necessary to achieve the goals of increasing efficiency and resiliency of the electric grid
- The electric grid will become a grid of grids over the next 20 to 30 years, with wide distribution of (renewable) energy resources and the resulting microgrid technology
- TCP/IP over multiple media will be the communications platform, replacing proprietary, un-routable protocols over phone lines and low-bandwidth wireless
- Intelligence will be decentralized within the control, communication, and cybersecurity architectures
- Analogues in other areas include avionics, military command and control, and telecommunications
-
Defense in Depth Cybersecurity Model
- Model created by the US National Security Agency (NSA)
- Balanced Best Practices strategy
- NISTIR 7628 guidelines support this model
- Should be integral to Smart Grid deployment platforms
-
Evolution of Cybersecurity Requirements
Current:
- NERC CIP 002-009 applied to Generation and Transmission
- Various input sources, including power industry players
- Very basic controls and processes, on the order of 20

Over the next 2 years:
- NERC CIP will be applied to Distribution critical assets
- Input sources to NERC CIP will include NIST with NISTIR 7628, which is sourced on various DHS cybersecurity standards, with many more controls, on the order of several hundred

Beyond:
- Legislation calling for enhanced cybersecurity standards for critical infrastructure, which will require enforcement of cybersecurity over an even larger, more distributed set of controls

[Timeline figure labels: NERC CIP (Generation and Transmission Only) -> NERC CIP (NISTIR 7628) -> DoD / DHS]
-
Protection at Every Level
[Figure labels: Enterprise Network Security (ENS); Secure Distributed Operational Service Bus (SDOSB)]
-
Boeing Defense, Space & Security
Mountain View, CA
BOEING is a trademark of Boeing Management Company. Copyright 2012 Boeing. All rights reserved.
Smart Grid Live
Boeing Enterprise Network Security (ENS)
Robert Esposito, Cyber Security Solutions Architect
Integrated Situational Awareness and Advanced Threat Detection for Securing the Grid
-
Agenda
- The Threat Lifecycle
- Zero Day Advanced Threats
- What is Boeing ENS?
- Behavioral Detection vs. Signature Detection
- Boeing ENS Capability Details
- Workflow Discussion
- Live Demo: Intrusion Attempt Incident Response
-
The Threat Lifecycle
Phase                              Priority    Colour
Reconnaissance                     3           Blue
Intrusion / Penetration            5           Yellow
Communication Beacons              7 & 8       Orange
Suspicious Flows / Exfiltration    9 & 10      Red
-
Boeing Enterprise Network Security (ENS)
- Self-contained and passive advanced malware detection
- Integrated non-signature-based detection approach
- Advanced anomaly-based detection
- Advanced malware detection
- Real-time network forensics
- Correlation and workflow enabling accurate detection
- Integrates best-of-industry capabilities into one unit
- Safe and secure detection rack, 14U portable Pelican case
- Sanitization of data prior to removal
- Detect APTs at the earliest phases
-
Security Information and Event Management
Features:
- Prioritize alerts and present them to the Network Analyst
- Correlate alerts from sensor components through the implementation of customized rule sets
- Case Management system for the aggregation of events and external data into individual cases that may then be presented to any audience

Benefits:
- Single system for access by the Network Analyst, with custom dashboards to identify the severity of potential advanced threats
- Integrated drill-down into individual components, serving as the single point of entry for the Network Analyst
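Added example, not from the deck and not Boeing ENS code: a small Python correlation rule in the spirit of the SIEM rule sets described above, using the phase priorities and colours from the Threat Lifecycle slide. The alert record format, the host addresses and the rule itself (a host seen in two or more lifecycle phases is escalated to the upper priority of its colour band and gets a case opened) are constructed assumptions for illustration.

```python
from collections import defaultdict

# Phase -> (base priority, colour band), as on the Threat Lifecycle slide.
# Assumption for this example: the second number of each band (4, 6, 8, 10) is
# used for the same phase when correlated with earlier-phase activity on the host.
PHASES = {
    "reconnaissance": (3, "blue"),
    "intrusion": (5, "yellow"),
    "beacon": (7, "orange"),
    "exfiltration": (9, "red"),
}

# Constructed sample alerts in a hypothetical sensor-output format.
SAMPLE_ALERTS = [
    {"sensor": "anomaly",   "host": "10.0.5.17", "phase": "reconnaissance", "detail": "horizontal port sweep"},
    {"sensor": "malware",   "host": "10.0.5.17", "phase": "intrusion",      "detail": "exploit kit landing page"},
    {"sensor": "anomaly",   "host": "10.0.5.17", "phase": "beacon",         "detail": "periodic outbound connections"},
    {"sensor": "anomaly",   "host": "10.0.9.4",  "phase": "reconnaissance", "detail": "DNS zone enumeration"},
    {"sensor": "forensics", "host": "10.0.7.2",  "phase": "exfiltration",   "detail": "large archive upload"},
]


def prioritize(alert):
    """Base priority of one alert, taken from its lifecycle phase."""
    return PHASES[alert["phase"]][0]


def correlate(alerts, min_phases=2):
    """Group alerts by host and build one prioritized record per host.

    A host seen in min_phases or more distinct lifecycle phases is escalated:
    its priority is bumped to the upper value of its highest phase's band and
    a case is flagged for creation.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    cases = {}
    for host, host_alerts in by_host.items():
        phases = sorted({a["phase"] for a in host_alerts}, key=lambda p: PHASES[p][0])
        priority, colour = PHASES[phases[-1]]
        escalate = len(phases) >= min_phases
        if escalate:
            priority += 1
        cases[host] = {
            "priority": priority,
            "colour": colour,
            "phases": phases,
            "open_case": escalate,
            "evidence": [a["detail"] for a in host_alerts],
        }
    return cases


def triage_order(cases):
    """Hosts in the order an analyst should look at them: highest priority first."""
    return sorted(cases, key=lambda h: cases[h]["priority"], reverse=True)


if __name__ == "__main__":
    cases = correlate(SAMPLE_ALERTS)
    for host in triage_order(cases):
        c = cases[host]
        print(f"{host:12} P{c['priority']:<2} {c['colour']:6} phases={c['phases']} case={c['open_case']}")
```

With the constructed input, the host that progressed from reconnaissance through intrusion to beaconing is escalated to orange priority 8 and gets a case, while the single exfiltration alert still sorts first at red priority 9; the rule weights progression across phases, not the volume of alerts.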
-
Anomaly Analytics
Features:
- Up to 10 Gigabit/sec throughput
- Behavioral-based anomaly detection
- Traffic inspection supporting full layer 7 extensible analysis
- Entropy-based statistical algorithms to identify advanced threat behaviors

Benefits:
- Ability to identify advanced threats in early reconnaissance - Phase 1
- Ability to identify advanced threats in communications establishment - Phase 3
- Ability to identify advanced threats in data exfiltration - Phase 4
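Added example, not from the deck and not the Boeing ENS algorithm: two statistical checks of the kind an entropy-based analytic can run over flow records to surface Phase 3 behaviour, written in Python. The first scores the Shannon entropy of queried DNS labels (algorithmically generated names are close to uniformly random), the second tests whether outbound connections to one destination recur at near-constant intervals (beaconing). The flow records, names, thresholds and the scoring function are constructed for illustration.

```python
import math
from statistics import mean, pstdev


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_entropy(name):
    """Highest entropy of any label below the TLD, the part an algorithm would generate."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    body = labels[:-1] if len(labels) > 1 else labels
    return max(shannon_entropy(l) for l in body)


def is_beaconing(timestamps, max_cv=0.2, min_events=4):
    """True when inter-arrival gaps are nearly constant (low coefficient of variation)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return False
    return pstdev(gaps) / mu <= max_cv


# Constructed sample: destination name -> timestamps (seconds) of outbound connections from one host.
SAMPLE_FLOWS = {
    "mail.example.com": [0, 7, 250, 261, 900],
    "x7q9zk2lpw0fv3.example.net": [0, 60, 120, 180, 240, 300],
    "updates.vendor.example": [0, 300, 600, 900, 1200],
}


def score_flows(flows, entropy_threshold=3.5):
    """Attach the reasons each destination looks anomalous; an empty list means unremarkable."""
    findings = {}
    for name, ts in flows.items():
        entropy = domain_entropy(name)
        beaconing = is_beaconing(ts)
        reasons = []
        if entropy > entropy_threshold:
            reasons.append("high-entropy name")
        if beaconing:
            reasons.append("periodic connections")
        findings[name] = {"entropy": round(entropy, 2), "beaconing": beaconing, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, f in score_flows(SAMPLE_FLOWS).items():
        print(f"{name:30} entropy={f['entropy']:.2f} beaconing={f['beaconing']} {f['reasons']}")
```

The third constructed destination shows why the two signals are combined rather than used alone: a legitimate update server also polls on a fixed schedule, so periodicity by itself is only a weak indicator, while a random-looking name together with periodicity is what an analyst would want raised to orange priority.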
-
Malware Detection System
Features:
- 1 Gigabit/sec throughput of analyzed web traffic
- Early detection of malicious activity through fingerprinting of malicious communications before the effects are actually seen in the network
- Proprietary virtual machine mechanism to avoid detection by advanced malware
- Evaluated to EAL-2

Benefits:
- Locate malware as it enters the network, before a system is infected.
- See potential intrusions that are blocked by existing systems or patches.
- Identify advanced threats across Phases 2 - 4
-
Network Forensics
Features:
- 2 Gigabit/sec throughput, scalable to larger installations
- Full packet classification and storage, including non-standard packet formats, for meta-data querying
- Seamless session retrieval, reconstruction and rendering to support case management and archiving
- Intuitive visualization environment to identify additional stored documents leaving the network

Benefits:
- Provides the Network Security Analyst with the tools to research the effects of an Advanced Persistent Threat.
- Arms the Network Security Analyst with context in tailoring existing countermeasures to respond to attacks.
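Added example, not from the deck and not the product's code: the core of session retrieval and reconstruction over a stored packet index, in Python. Packets are grouped into sessions under a direction-independent key, one direction is rebuilt by sequence number (tolerating out-of-order delivery, retransmissions and capture gaps), and a meta-data style query finds sessions whose rebuilt stream carries a given byte signature. The packet schema, addresses and payloads are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet records in a hypothetical capture-index schema (one TCP segment each).
PACKETS = [
    {"ts": 1.00, "src": "10.0.5.17",    "sport": 51000, "dst": "203.0.113.8",  "dport": 80,
     "seq": 1,   "data": b"GET /update.bin HTTP/1.1\r\n"},
    {"ts": 1.20, "src": "203.0.113.8",  "sport": 80,    "dst": "10.0.5.17",    "dport": 51000,
     "seq": 100, "data": b"HTTP/1.1 200 OK\r\n"},
    {"ts": 1.10, "src": "10.0.5.17",    "sport": 51000, "dst": "203.0.113.8",  "dport": 80,
     "seq": 27,  "data": b"Host: 203.0.113.8\r\n\r\n"},          # stored out of order
    {"ts": 1.30, "src": "203.0.113.8",  "sport": 80,    "dst": "10.0.5.17",    "dport": 51000,
     "seq": 117, "data": b"Content-Length: 4\r\n\r\n"},
    {"ts": 1.35, "src": "203.0.113.8",  "sport": 80,    "dst": "10.0.5.17",    "dport": 51000,
     "seq": 117, "data": b"Content-Length: 4\r\n\r\n"},          # retransmission
    {"ts": 1.40, "src": "203.0.113.8",  "sport": 80,    "dst": "10.0.5.17",    "dport": 51000,
     "seq": 138, "data": b"MZ\x90\x00"},                          # start of a PE file
    {"ts": 2.00, "src": "10.0.9.4",     "sport": 40000, "dst": "198.51.100.2", "dport": 443,
     "seq": 1,   "data": b"\x16\x03\x01"},
]


def session_key(pkt):
    """Direction-independent key so both halves of a conversation index together."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def index_packets(packets):
    """Group stored packets by session; this is what a meta-data query runs over."""
    index = defaultdict(list)
    for pkt in packets:
        index[session_key(pkt)].append(pkt)
    return index


def reassemble(packets, src, sport):
    """Rebuild one direction of a session in sequence order, dropping duplicates."""
    segs = sorted((p for p in packets if p["src"] == src and p["sport"] == sport),
                  key=lambda p: p["seq"])
    if not segs:
        return b""
    out = bytearray()
    expected = segs[0]["seq"]
    for seg in segs:
        start, data = seg["seq"], seg["data"]
        if start + len(data) <= expected:
            continue                                  # pure retransmission, already stored
        if start < expected:
            data = data[expected - start:]            # partial overlap: keep only the new tail
            start = expected
        if start > expected:
            out.extend(b"?" * (start - expected))     # capture gap: mark the missing bytes
        out.extend(data)
        expected = start + len(data)
    return bytes(out)


def render_session(index, key):
    """Both directions of one session, keyed by (address, port) of the sender."""
    a, b = key
    return {a: reassemble(index[key], *a), b: reassemble(index[key], *b)}


def sessions_with_payload(index, magic, port=None):
    """Query: sessions whose reconstructed stream contains the byte signature."""
    hits = []
    for key, _ in index.items():
        if port is not None and port not in (key[0][1], key[1][1]):
            continue
        if any(magic in stream for stream in render_session(index, key).values()):
            hits.append(key)
    return hits


if __name__ == "__main__":
    idx = index_packets(PACKETS)
    for key in sessions_with_payload(idx, b"MZ"):
        print("executable content in session", key)
        for side, stream in render_session(idx, key).items():
            print(" ", side, stream)
```

The gap marker is a deliberate design choice: when the capture dropped a segment, an analyst attaching the rendered session to a case needs to see that bytes are missing rather than receive a silently shortened stream.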
-
Boeing ENS: Non-Intrusive & Passive Monitoring
-
Discovered Phase 1 Activity: Reconnaissance (Blue, Priority 3 & 4)
-
Example Phase 1 Event Pattern
-
Discovered Phase 2 Activity: Intrusion Attempt (Yellow, Priority 5 & 6)
-
Phase 2 Intrusion Attempt Behaviors Observed
-
Discovered Phase 3 Activity: Outbound Suspicious Communications (Orange, Priority 7 & 8)
-
Discovered Phase 4 Activity: Suspicious Data in Motion (Red, Priority 9 & 10)
-
Most of the traffic is from the United States
Very little traffic to foreign countries is suspicious
-
Legacy WWW Server Discovered
-
Workflow Provides Efficient Operations
Workflow stages: Discovery -> Analysis -> Case Creation -> Case Management (Initial, Follow-up, Final) -> Course of Action -> Protection & Case Resolution (Closed)

Questions answered along the way:
- What's the priority? Higher priority alerts have the greatest business impact
- What are the details? Ticket Type & ID, Stage, Frequency, Operational Impact, Security Classification, Consequence Severity
- What is it? Detailed forensics
- Case management: research notes, attachments, PCAPs; ownership tracking
- Course of action: block/shutdown, monitor, other
- Detailed metrics available: time to resolution, analysts involved, etc.
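Added example, not from the deck and not Boeing's case management system: a Python model of the case lifecycle above. The case only moves forward one stage at a time, closing requires a recorded course of action, every hand-off and note is kept in the history, and the metrics the slide lists (time to resolution, analysts involved) are derived from that history rather than entered by hand. The ticket fields follow the slide; the sample case, its timestamps and analyst names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Stages named on the workflow slide, in the only order a case may traverse them.
STAGES = ("Initial", "Follow-up", "Final", "Closed")
# Course-of-action choices named on the slide.
ACTIONS = ("block", "shutdown", "monitor", "other")


@dataclass
class Case:
    ticket_id: str
    ticket_type: str
    priority: int                     # 1-10, higher = greater business impact
    security_classification: str
    consequence_severity: str
    opened_at: float                  # epoch seconds; constructed values in the demo
    stage: str = "Initial"
    owner: str = ""
    course_of_action: str = ""
    closed_at: Optional[float] = None
    history: list = field(default_factory=list)   # (timestamp, analyst, note)

    def assign(self, ts, analyst):
        """Ownership tracking: every hand-off is recorded, not just the current owner."""
        self.owner = analyst
        self.history.append((ts, analyst, "assigned"))

    def note(self, ts, analyst, text):
        """Research notes and references to attachments or PCAPs."""
        self.history.append((ts, analyst, text))

    def choose_action(self, ts, analyst, action):
        if action not in ACTIONS:
            raise ValueError(f"unknown course of action: {action}")
        self.course_of_action = action
        self.history.append((ts, analyst, f"course of action: {action}"))

    def advance(self, ts, analyst, text=""):
        """Move to the next stage only; closing needs a course of action on record."""
        i = STAGES.index(self.stage)
        if i == len(STAGES) - 1:
            raise ValueError("case is already closed")
        nxt = STAGES[i + 1]
        if nxt == "Closed" and not self.course_of_action:
            raise ValueError("cannot close a case without a course of action")
        self.stage = nxt
        self.history.append((ts, analyst, f"stage -> {nxt} {text}".rstrip()))
        if nxt == "Closed":
            self.closed_at = ts

    def metrics(self):
        """The detailed metrics the slide lists, computed from the recorded history."""
        ttr = None if self.closed_at is None else self.closed_at - self.opened_at
        return {
            "stage": self.stage,
            "time_to_resolution_s": ttr,
            "analysts_involved": sorted({h[1] for h in self.history}),
            "course_of_action": self.course_of_action,
        }


def run_sample_case():
    """Walk one constructed Phase 2 intrusion-attempt case through the whole workflow."""
    c = Case("INC-0001", "Intrusion Attempt", 6, "internal", "moderate", opened_at=0.0)
    c.assign(0.0, "soc-analyst")
    c.note(120.0, "soc-analyst", "pcap: constructed-capture-01.pcap attached")
    c.advance(600.0, "soc-analyst", "handed to CERT")
    c.assign(600.0, "cert-lead")
    c.choose_action(1200.0, "cert-lead", "block")
    c.advance(1500.0, "cert-lead", "blocked at perimeter, monitoring")
    c.advance(3600.0, "cert-lead", "no further activity")
    return c


if __name__ == "__main__":
    case = run_sample_case()
    for entry in case.history:
        print(entry)
    print(case.metrics())
```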
-
Boeing ENS Live Demo: Phase 2 Intrusion Attempt Incident Response
- Security Operations Center Analyst investigates Phase 2 intrusion attempt
- Further incident details gathered
- Case created with integrated Case Management System
- Case assigned to Incident Response Team (CERT)
-
Boeing Operations Service Bus Architecture
[Figure: Secure Distributed Operations Service Bus architecture diagram]
-
Secure Distributed Operations Service Bus
- Distributed service bus provides secure two-way communications
- Designed for tactical / field environments
- Architecture provides plug-n-play modularity at the application, sub-system, and device level
- Information assurance designed in: protected transport; role-based access control at application and transaction levels; distributed security agents
- Network Performance Management: bandwidth and Quality of Service management
- No central hub, which eliminates scalability and vulnerability issues
-
Protected Transport: Unencrypted / Encrypted
-
Role Based Access Control (RBAC)
- Occurs at the application layer in a communications protocol stack
- Provides a higher level of access control than the application itself provides, allowing legacy applications to be supported
- Three cases:
  - Unauthorized user trying to authenticate onto the system to execute a command
  - Authorized user trying to execute an unauthorized command
  - Authorized user trying to execute an authorized command

[Figure labels: Authorized User; Unauthorized User or Authorized User without proper Role]
-
RBAC: Unauthorized User Attempting Access
-
RBAC: Authorized User Attempting to Execute an Unauthorized Command
- Activate correct role
- Access interface that does not belong to user/role
- Activate role that does not belong to user
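Added example, not from the deck and not Boeing's implementation: a Python model of the three RBAC cases from the RBAC slide together with the three attempts on this slide (activating the correct role, accessing an interface the active role does not own, activating a role the user does not hold). Authentication is separated from role activation, exactly one role is active per session, and the interface table is checked per command at the transaction level. The users, passwords, roles, interface names and the audit-log format are constructed; the password hashing parameters are illustrative.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"


def derive_key(password, salt=SALT):
    """Salted PBKDF2-SHA256 for the demo user store; iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: which roles each account is allowed to activate.
USERS = {
    "operator1": {"key": derive_key("demo-op-pass"),  "roles": {"operator"}},
    "engineer1": {"key": derive_key("demo-eng-pass"), "roles": {"operator", "engineer"}},
}

# Constructed interface table: the role an end device requires for each command.
INTERFACES = {
    "read_status":  "operator",
    "open_breaker": "engineer",
    "set_setpoint": "engineer",
}

AUDIT = []   # every decision is recorded so denied attempts can be correlated upstream


class Session:
    def __init__(self, user):
        self.user = user
        self.active_role = None   # exactly one role active at a time


def authenticate(user, password):
    """Case 1: an unknown user or a wrong password yields no session at all."""
    rec = USERS.get(user)
    expected = rec["key"] if rec else derive_key("")   # dummy compare keeps timing uniform
    if rec is None or not hmac.compare_digest(expected, derive_key(password)):
        AUDIT.append(("auth-failed", user))
        return None
    AUDIT.append(("auth-ok", user))
    return Session(user)


def activate_role(session, role):
    """A role may be activated only if it belongs to the authenticated user."""
    if role not in USERS[session.user]["roles"]:
        AUDIT.append(("role-denied", session.user, role))
        return False
    session.active_role = role
    AUDIT.append(("role-activated", session.user, role))
    return True


def execute(session, interface):
    """Transaction-level check: the active role must match the interface's required role."""
    if session is None:
        return "unauthenticated"                          # case 1
    required = INTERFACES.get(interface)
    if required is None or session.active_role != required:
        AUDIT.append(("command-denied", session.user, interface, session.active_role))
        return "unauthorized-command"                     # case 2
    AUDIT.append(("command-executed", session.user, interface, session.active_role))
    return "executed"                                     # case 3


if __name__ == "__main__":
    print(execute(authenticate("operator1", "wrong"), "read_status"))   # unauthenticated
    s = authenticate("operator1", "demo-op-pass")
    activate_role(s, "operator")
    print(execute(s, "open_breaker"))                                     # unauthorized-command
    print(activate_role(s, "engineer"))                                   # False: role not held
    e = authenticate("engineer1", "demo-eng-pass")
    activate_role(e, "engineer")
    print(execute(e, "open_breaker"))                                     # executed
    for entry in AUDIT:
        print(entry)
```

Keeping role activation separate from authentication is what makes the second and third attempts on this slide distinguishable in the audit log: "operator1" holding the wrong role and "operator1" trying to take a role it was never granted are different events, and the second is the one worth an alert.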
-
RBAC: Authorized User Successfully Authenticating and Executing a Command
-
Questions?