
Information and IT Security for Power System Operation

Göran Ericsson and Kun Zhu

2011-05-25


Agenda

• Introduction of Svenska Kraftnät

- Swedish National Grid Company

• R&D activities in Sweden

- Collaboration between SvK, KTH and FOI (Swedish Defence Research Agency)

- Viking project

• Conclusion

Presentation for EPCC 2011, 2011-05-25


Missions (in brief)

• Provide transmission of power on the national grid level in compliance with security, efficiency and environmental requirements

• To perform the system operator function for electricity and natural gas cost-efficiently

• To promote an open Swedish, Nordic and European market for electricity and natural gas

• To ensure a robust nationwide supply of electricity


Research Collaboration within Sweden

• Vulnerability scanning

- Detection and false alarms

- Remediation

• Reflections from a Cyber Defense Exercise

- How reliable is the Common Vulnerability Scoring System?

- Expert assessment of the probability of successful remote code execution attacks

- How good are experts and different prediction models?


Vulnerability Scanning

• Purpose: to identify and evaluate possible vulnerabilities of the IT systems using vulnerability scanning tools


Vulnerability Scanning Project

• How does it work?

• Network scanning

• Vulnerability scanning

• Vulnerability analysis

Scanner: Hello, what services and operating systems are you guys running?

Host: I am 172.18.1.3, Windows XP SP2, unpatched, with file sharing and remote desktop enabled

Scanner: Hmm.. XP SP2 without patches… There are 17 vulnerabilities that are applicable.

Scanner: Do you have default passwords or any other silly configuration flaws?

Host: My password is ”password”, it is handy as no one forgets it!

[Figure: % Detection plotted against % False Alarm, one panel for unauthenticated scans and one for authenticated scans. Scanners compared: Nessus, Qualys, NeXpose, SAINT, McAfee, AVDS, Patchlink scan.]

[Figure: % Remediation plotted against % Detection, one panel for unauthenticated scans and one for authenticated scans. Scanners compared: Nessus, Qualys, NeXpose, SAINT, McAfee, AVDS, Patchlink scan.]

• Automated security scanning needs to be complemented through other efforts…

5884 pages report …

Cyber Defense Exercise

• Does the vulnerability level of a system affect the time needed to compromise the system?

• Vulnerabilities can be measured through the Common Vulnerability Scoring System (CVSS)

- Scale from 0 – 10

• 15 system-level vulnerability metrics are tested to see if any metric displayed a relation to the time needed to compromise the systems

- Drawn from literature (9 metrics) and models used by the industry (6 metrics).


• TTC: Time from start of attack (measured through the first alarm from the intrusion detection system Snort) until successful compromise of that host.

Snort t1 = 1400.3 sec

t2 = 3000.2 sec

TTC = t2 – t1
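The TTC definition above, combined with the metric test described on the previous slide, as an added example that is not part of the original presentation. The host addresses, all timestamps other than the slide's t1 and t2, the choice of highest CVSS score as the system-level metric, and the use of Spearman rank correlation are assumptions; the slides do not say which statistic was used.

```python
# Constructed sample data: "<seconds since exercise start> <target host>" per Snort alarm.
SNORT_ALARMS = """\
1400.3 10.0.0.11
1502.0 10.0.0.11
900.0 10.0.0.12
2100.5 10.0.0.13
300.0 10.0.0.14
5000.0 10.0.0.15
"""
COMPROMISED_AT = {"10.0.0.11": 3000.2, "10.0.0.12": 1500.0,  # t2 per host (constructed);
                  "10.0.0.13": 6100.5, "10.0.0.14": 1100.0}  # 10.0.0.15 was never compromised
# Assumed system-level metric: highest CVSS score (0-10) found on each host.
MAX_CVSS = {"10.0.0.11": 7.5, "10.0.0.12": 9.3, "10.0.0.13": 5.0,
            "10.0.0.14": 10.0, "10.0.0.15": 4.3}

def first_alarms(log):
    """t1 per host: the earliest Snort alarm that names the host."""
    first = {}
    for line in log.splitlines():
        t, host = line.split()
        first[host] = min(float(t), first.get(host, float("inf")))
    return first

def time_to_compromise(log, compromised_at):
    """TTC = t2 - t1; hosts lacking either timestamp are left out."""
    t1 = first_alarms(log)
    return {h: round(t2 - t1[h], 1) for h, t2 in compromised_at.items() if h in t1}

def ranks(values):
    """1-based ranks; tied values share the average of their positions."""
    s = sorted(values)
    return [s.index(v) + (s.count(v) + 1) / 2 for v in values]

def spearman(xs, ys):
    """Spearman rank correlation, computed as Pearson correlation of the ranks."""
    rx, ry = ranks(xs), ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var = sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry)
    return cov / var ** 0.5

def metric_vs_ttc(log=SNORT_ALARMS, compromised=COMPROMISED_AT, metric=MAX_CVSS):
    """Correlate the metric with TTC over the hosts that were compromised."""
    ttc = time_to_compromise(log, compromised)
    hosts = sorted(ttc)
    return spearman([metric[h] for h in hosts], [ttc[h] for h in hosts])
```

The coefficient produced here comes from four constructed hosts and says nothing about the exercise's actual findings; the same function applies unchanged to each of the 15 metrics once real per-host values are available.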


Research in cyber security so far… Cyber Defense Exercise

• Statistics for the best model…


• A more detailed security estimation model is needed!


H. Holm, M. Ekstedt and D. Andersson “Empirical analysis of system-level vulnerability metrics through actual attacks” submitted to IEEE Trans on Dependable and Secure Computing.


Viking Project

• VIKING stands for Vital Infrastructure, Networks, Information and Control Systems Management

• An EU-financed Framework 7 Collaborative STREP project, part of themes 4 (ICT) and 10 (Security)

• Between 2008-11-01 and 2011-10-31

• To investigate the vulnerability of SCADA systems and the cost of cyber attacks on society

• A consortium of industrial and academic partners

- KTH, Stockholm

- ETH, Zurich

- University of Maryland

- E.ON

- ABB

- Astron Informatics

- MML

www.vikingproject.eu


VIKING: From security requirements to societal costs

[Diagram: Attack, SCADA system, Power network, Societal cost]

- Attack Inventory

- System Architecture Vulnerability Models

- SCADA functionality manipulation: State Estimator, AGC

- Virtual city/citizen simulator

- Virtual T&D network simulator


Cyber-security from SvK perspective

• It is of paramount importance to take security into consideration in the procurement phase of new systems for power grid operation and control

- Architecture: is the system composed of different zones with security concerns?

- Security mechanism

- Authorization: third party access

• The same security concern should be shared with other critical infrastructures in society, such as water, gas and transportation.


Questions?
