Information Trust Institute: University of Illinois at Urbana-Champaign

Cyber Security for Process Control Systems
Summer School

DETAILED PROGRAM (PRELIMINARY)

June 16-20, 2008

At the Abbey Resort on Lake Geneva
Fontana, Wisconsin

 


Please check back for agenda updates.

 

Monday, June 16

2:00-2:30 Registration, Refreshments
2:25-2:30 Welcome
2:30-3:30

"Scoping the Threat"
Tom Malec,
U.S. Department of Energy

Abstract:

Topics include:

  • Discussion of the nature and scope of the vulnerabilities and threats posed by Internet connectivity to Supervisory Control And Data
    Acquisition systems, Energy Management Systems, and Distribution Management Systems, both current and future; they are much worse than generally advertised.  
  • DOE's business model for threat management, to include the roles and relationships of cyber security and the Intelligence Community.
  • The system in play - recent incidents.  
  • Mitigation techniques.

About the speaker:

Thomas A. Malec served as the commander of Air Force units for more than 12 consecutive years in capacities as both a Special Agent and a senior security officer. Prior to his retirement from active duty, he administered a 1,600-person law enforcement program located throughout the United States.

He holds a Master of Science degree, and has taught a variety of college courses. He also developed and delivered courses in advanced computer security, network intrusion detection and analysis, and the use of intrusive tools. He developed engineering and training materials for network security and management applications, and conducted a series of basic, advanced, and specialized hands-on technical training courses. He has supervised both site survey and installation engineering teams.

He previously served as the Director, Cyber Division, Counterintelligence Directorate, Office of Intelligence and Counterintelligence, Headquarters Department of Energy.

He currently serves as the DOE CI Senior Cyber Scientist, and represents The Secretary at numerous National-level fora. He also provides programmatic and technological advice and guidance to investigations, analysis, training, and specialized staff at Headquarters DOE, and to DOE CI field operations.

 

3:30-3:45 Break
3:45-6:15

"Cyber Security Basics"
Radha Poovendran,
University of Washington

Abstract:

to appear

About the speaker:

Professor Radha Poovendran has been with the Department of Electrical Engineering at the University of Washington (UW), Seattle since 2000. At the UW EE, Professor Poovendran is the Founding Director of the Network Security Lab (NSL). He is also a founding member and the Associate Director for Research at the UW Center for Information Assurance and Cybersecurity. This academic center is a collaborative effort at the UW and includes multiple disciplines and departments, including EE, across the UW campuses. The center is also certified as a "National Center of Excellence in Information Assurance Education" by National Security Agency (NSA). 

His doctoral dissertation work was on cryptographic key management for secure multicast communications. His contributions to wireless security include energy-efficient group keying, introduction of the cross-layer approach in security, secure location estimation in sensor networks, modeling and characterization of wormholes, and privacy in medical as well as vehicular ad hoc networks. He is a recipient of the NSF Career Award (2001), the ARO YIP Award (2002), the ONR YIP Award (2004), and the PECASE Award (2005) for his research contributions in the areas of wired and wireless security. He has served as a guest editor of the IEEE Journal of Selected Areas in Communications (Special issue on Wireless Security, 2006), as technical program co-chair of the ACM Wireless Security Workshop (WiSe) for two consecutive years (2005-2006), and as local chair for the IEEE International Symposium on Information Theory (ISIT, 2006). He is technical program co-chair of the first ACM Conference on Wireless Network Security (WiSec), to be held in 2008. 

 

7:00 pm Welcoming Reception

 

Tuesday, June 17

8:30-10:00

"Communication and Control in Power Systems"
David Whitehead,
Schweitzer Engineering Laboratories

Abstract:

Today's electric power systems are increasingly more integrated and automated, and are no longer operated with discrete, isolated components like electromechanical relays. Modern electric power systems include multifunction relays, distributed programmable controllers, phasor measurement units (PMUs), and similar intelligent electronic devices (IEDs) that are capable of producing and consuming various sorts of data for monitoring, metering, automation, and control. Communications within the power system infrastructure are required to achieve the highest levels of integration and must be efficient, reliable, and secure.

The use of communications within the electric power system provides:

  • Information exchange between IEDs to coordinate protection, automation, and control.
  • Real-time power system status information for visualization, state estimation, remedial action schemes, etc.
  • Remote apparatus reconfiguration such as breaker position or voltage regulator tap.
  • Power system oscillography and sequence-of-events data retrieval after system disturbances.
  • Remote IED operational parameter changes.

This lecture provides computer engineers and computer scientists with an overview of electric power systems and the communication architectures used within them. The following topics will be discussed:

  • Power system overview
  • Substation IEDs and their functions
  • Common electric utility communication media types
  • Electric utility protocols such as DNP3 and IEC 61850
  • EMS (energy management system) and SCADA (supervisory control and data acquisition) overview
  • Legacy system integration methods
  • Unique communication challenges
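The protocols named above carry no authentication at the link layer: a DNP3 data-link frame is protected only by CRC-16/DNP, which catches line noise but not a deliberate rewrite, because anyone who can inject on the channel can recompute the CRC. The following is an added example, written for this page and not code from SEL or the speaker, that builds and parses the DNP3 link-layer frame (start octets 0x05 0x64, LENGTH, CONTROL, destination and source addresses, a header CRC, then user data in 16-octet blocks each followed by its own CRC). The frame contents are constructed; build_frame, parse_frame and verify are this example's own helper names.

```python
"""DNP3 data-link frame builder/parser with CRC-16/DNP (constructed example)."""
from dataclasses import dataclass

START = b"\x05\x64"
POLY_REFLECTED = 0xA6BC   # 0x3D65 bit-reversed; CRC-16/DNP is computed LSB-first
HEADER_LEN = 10           # start(2) length(1) control(1) dest(2) src(2) crc(2)
BLOCK = 16                # user data is CRC-protected in 16-octet blocks


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, init 0, reflected in/out, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


@dataclass
class LinkFrame:
    control: int
    destination: int
    source: int
    user_data: bytes

    @property
    def from_master(self) -> bool:   # DIR bit: 1 = master to outstation
        return bool(self.control & 0x80)

    @property
    def function_code(self) -> int:  # low nibble of CONTROL
        return self.control & 0x0F


def build_frame(control: int, destination: int, source: int, user_data: bytes) -> bytes:
    """Assemble a frame; LENGTH counts CONTROL, DEST, SRC and user data, not CRCs."""
    if len(user_data) > 250:
        raise ValueError("LENGTH is one octet; at most 250 octets of user data")
    header = (START + bytes([5 + len(user_data), control & 0xFF])
              + destination.to_bytes(2, "little") + source.to_bytes(2, "little"))
    out = bytearray(header + crc16_dnp(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return bytes(out)


def parse_frame(raw: bytes) -> LinkFrame:
    """Check every CRC and return the decoded header and reassembled user data."""
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated header")
    if raw[:2] != START:
        raise ValueError("bad start octets")
    header = raw[:8]
    if crc16_dnp(header) != int.from_bytes(raw[8:10], "little"):
        raise ValueError("header CRC mismatch")
    length, control = raw[2], raw[3]
    if length < 5:
        raise ValueError("LENGTH smaller than the fixed header fields")
    dest = int.from_bytes(raw[4:6], "little")
    src = int.from_bytes(raw[6:8], "little")
    remaining, pos, data = length - 5, HEADER_LEN, bytearray()
    while remaining:
        n = min(BLOCK, remaining)
        if len(raw) < pos + n + 2:
            raise ValueError("truncated user data block")
        block = raw[pos:pos + n]
        if crc16_dnp(block) != int.from_bytes(raw[pos + n:pos + n + 2], "little"):
            raise ValueError("user data CRC mismatch")
        data += block
        pos += n + 2
        remaining -= n
    if pos != len(raw):
        raise ValueError("trailing octets after frame")
    return LinkFrame(control, dest, src, bytes(data))


def verify(raw: bytes) -> bool:
    """True if all CRCs are intact. This is integrity against noise, not authenticity."""
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed frame: master (address 1) to outstation 1024, unconfirmed user data.
    frame = build_frame(0xC4, 1024, 1, bytes(range(20)))
    print(parse_frame(frame))
    print("tampered verifies:", verify(frame[:12] + bytes([frame[12] ^ 1]) + frame[13:]))
    print("rebuilt forgery verifies:", verify(build_frame(0xC4, 1024, 1, b"\xff" * 20)))
```

Flipping one bit makes parsing fail, but a frame rebuilt with different user data and a fresh CRC parses cleanly, which is why authentication had to be layered on afterwards (DNP3 Secure Authentication, and the AGA-12 serial SCADA encryption mentioned later in this program).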

About the speaker:

David Whitehead, P.E. is the vice president of Research and Development at Schweitzer Engineering Laboratories, Inc. Prior to joining SEL, he worked for General Dynamics, Electric Boat Division as a combat systems engineer. He received his BSEE from Washington State University in 1989 and his MSEE from Rensselaer Polytechnic Institute in 1994, and is pursuing his PhD at the University of Idaho. He is a registered professional engineer in Washington and Maryland and a Senior Member of the IEEE. Mr. Whitehead holds seven patents, with several others pending. He has worked at SEL since 1994 as a hardware engineer, research engineer, and chief engineer/assistant director and has been responsible for the design of advanced hardware, embedded firmware, and PC software.

 

10:00-10:30 Break
10:30-noon

"Wide-area Stability and Control"
Jeff Dagle,
Pacific Northwest National Laboratory

Abstract:

The vast, interconnected North American grid is arguably the world's largest and most complex machine, collectively operated by literally thousands of organizations. It has achieved and sustained an enviable record of reliability through application of numerous technological and operational efficiencies, and strong regulatory oversight. The grid's complexity and interconnected nature, however, also pose a significant drawback; under the right circumstances, problems occurring in one area have the potential to cascade out of control and affect large geographical regions. This was the case on August 14, 2003, when the largest blackout in the history of the North American grid affected 50 million people and caused an estimated $10 billion in economic damages. Multiple causes of this blackout were traced to failures in computers critical to the real-time operational management of the grid.

Power grid controls have evolved into a hierarchical structure, with localized controls providing fast feedback control and protection functions, and wide area supervisory controls providing slower control and monitoring functions. Through the advent of inexpensive microcontrollers and low-cost communication, there is a growing trend for increased intelligence and capabilities in field equipment, including that installed in substations, within the distribution network, and even at the customer's premises. This increased control capability, while vastly increasing the flexibility and real-time management functionality to achieve better economics, also introduces new cyber vulnerabilities that haven't previously existed.

This lecture will focus on wide area stability issues associated with operating large interconnected power systems. It will include an illustrative case study of a cascading failure, and will provide a framework for better understanding of the context for subsequent lectures associated with control system cyber security issues.

About the speaker:

Mr. Jeff Dagle, PE, joined the Pacific Northwest National Laboratory in Richland, Washington (operated by Battelle for the U.S. Department of Energy) in 1989. He received BS and MS degrees in electrical engineering from Washington State University in 1989 and 1994, respectively. Mr. Dagle currently manages several projects in the areas of transmission reliability and control system security for the DOE Office of Electricity Delivery and Energy Reliability, the Department of Homeland Security, and other clients. Mr. Dagle is a Senior Member of the Institute of Electrical and Electronics Engineers, is a licensed Professional Engineer in the State of Washington, and was named 2001 Tri-City Engineer of the Year by the Washington Society of Professional Engineers.

 

noon-1:30 Lunch
1:30-3:00

"Network Security Architecture for Control Systems"
Andrew Wright,
N-Dimension

Abstract:

Industrial control systems are widely used throughout most manufacturing industries and utilities infrastructures to monitor and control many kinds of equipment and processes. Control systems vendors are rapidly migrating from proprietary networking technologies to IP-based networks, but both the performance and security requirements for control systems networks differ from those of enterprise networks. This session focuses on architectural guidelines for deploying secure IP-based control systems, including automation, process control, distributed control, and Supervisory Control And Data Acquisition (SCADA) systems. This session will review basic networking concepts and security issues, outline security threats specific to control systems, and discuss specific network architectures that provide appropriate performance and security for control systems.

About the speaker:

Andrew Wright is Chief Technology Officer at N-Dimension Solutions. He holds a Ph.D. in Computer Science from Rice University. He has published over 20 technical papers and has 16 years of experience in industrial research and development. At N-Dimension, he guides R&D strategy for the company's cyber security products for electric power utilities. Prior to joining N-Dimension, he was a Technical Leader in Cisco's Critical Infrastructure Assurance Group (CIAG), where he developed cyber security solutions for critical infrastructure, particularly Industrial Control Systems and SCADA. He established the Cisco Secure Control Systems lab in Austin Texas, was the key architect of the AGA-12 serial SCADA encryption protocol, and was a founding developer of CVSS, the Common Vulnerability Scoring System. At N-Dimension, he is currently working 1) with IEEE working group 1711 to standardize AGA-12 as an IEEE standard, 2) with Idaho National Lab to develop best practices for securing industrial control networks, 3) with ISA's SP99 Working Group 4 on secure control system requirements, and 4) with UCA's AMI-SEC security working group on security for automated metering infrastructure.

 

3:00-3:30 Break
3:30-5:00

"Towards the Smart Grid of the Future"
Paul Myrda,
Electric Power Research Institute (EPRI)

Abstract:

The term "Smart Grid" refers to a future transformed electricity transmission and distribution network or "grid" that uses advanced technologies such as two-way broadband communications, sensors, and computers to improve the efficiency, reliability, and safety of power delivery and use. Before such a Smart Grid is realized several important challenges need to be addressed. In this talk we cover the challenges in a substation that must be overcome in order to enable the Smart Grid. For example, how does one handle the administrative management issues associated with thousands or tens of thousands of smart devices within the substations at a major utility? What changes do we need to start making today to be able to have a manageable network of smart devices? There are many questions yet few answers... maybe? To address these challenges, we need to start the dialogue between the utilities, vendors, standards bodies, and regulators so we have ample time to be sure that all the critical issues can get addressed. 

About the speaker:

Paul Myrda is a Technical Executive with the Electric Power Research Institute working in Power Delivery and Markets. He is responsible for:

  • Coordination of the asset management effort within EPRI across transmission, distribution, and substations so that it provides relevant tools and services to the industry.
  • Serving as Data and Network Task Team Leader for the Department of Energy North American Synchrophasor Project, and participating on its Leadership Team. This task team is focused on designing the network and data infrastructure for the project.
  • Leading the development of the next generation monitoring as it relates to synchrophasors and the infrastructure to support it.
  • Advancing the implementation of IEC 61850 and the Utility Common Information Model.
  • Representing EPRI on the Industrial Advisory Board for the Power Systems Engineering and Research Consortium.

Previously, Myrda was Director of Operations and Chief Technologist overseeing planning and asset management functions for Trans-Elect's operating companies. He was instrumental in developing an overarching strategy in asset management and championed an innovative protection and control system upgrade project for the Michigan Electric Transmission Company, an affiliate of Trans-Elect. This project fully leveraged the capability of IEC 61850-based microprocessor relays, physical security, telecommunications, and data warehousing technologies using EPRI's Common Information Model. This approach has been widely presented, including to the Federal Energy Regulatory Commission and at CIGRE, Distributech, and other premier conferences.

Myrda also led the start-up of NASA's Illinois Commercialization Center. As Executive Director, he was responsible for technology transfer from NASA, DoD, SBA, and EPA, including an innovative grant program co-funding technology developments with small businesses in Illinois.

He has over 20 years of experience, including extensive experience in leading-edge technology implementations. His diverse background includes planning, engineering, information systems, and project management. He has an MBA from Kellogg and an MSEE and BSEE from the Illinois Institute of Technology. He is President of the Technology Management Association of Chicago, a licensed professional engineer, and a member of the IEEE and CIGRE.

 

5:30-7:00

Work-in-progress session

In this informal session, participants will give short presentations on recent results, work in progress, and other topics of interest to the cyber security for process control community. Presentations that are not purely technical in nature are welcome. We will post more details in the near future about the process for submitting abstracts for the session. The session will provide both food for thought and food for the stomach!

 

Wednesday, June 18

8:30-10:00

"Case Study: Protecting the California ISO"
James W. Sample,
California ISO

Abstract:

to appear

About the speaker:

James W. Sample is the Manager of Information Security Services for the California Independent System Operator (CAISO), a not-for-profit public-benefit corporation. CAISO is charged by the state with management of the flow of electricity along the long-distance, high-voltage power lines that make up the bulk of California's transmission system.

He is a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM), and also a lecturer at conferences, security and audit seminars, and user groups on issues and methodologies related to information security, high-tech crimes, and electronic commerce. He is the Cyber Security representative for the Western Electricity Coordinating Council (WECC) on the North American Electric Reliability Council (NERC) Critical Infrastructure Protection Committee (CIPC).

Prior to joining CAISO, James was a Principal Systems Engineer for SAIC's Secure Business Solutions Group. He was responsible for technical leadership for design activities relating to security projects, practices, and methodologies. He has also performed information security functions for several information management companies and performed consulting services for the Joint Chiefs of Staff, and was active duty in the Naval Security Group Activity.

 

10:00-10:30 Break
10:30-noon

"Process Control System Event Correlation and Response"
Walt Heimerdinger,
Honeywell

Abstract:

Remote devices to control power transmission or distribution are monitored and controlled via communications between a control center and a collection of Supervisory Control and Data Acquisition (SCADA) devices, such as Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). These devices provide data to allow operators to manage the network and permit operators to remotely operate and change the settings of circuit breakers, tap changers, and other transmission or distribution grid operating devices. Although almost every critical device is protected by local safety mechanisms, such as fuses or circuit breakers, we believe a determined attacker could cause a significant outage by targeting assets that are heavily loaded. To cause a major disruption, an adversary would have to gain access to the communications between a control center and the remote devices.

The SCADA communications used to control power transmission and distribution are markedly different from the communications used by office or other business applications. While the transport mechanisms, such as dial-up, radio, or the Internet, may be the same, the higher-level protocols, such as Utility Communications Architecture (UCA) and Distributed Network Protocol (DNP), are markedly different. Furthermore, power management traffic is limited to the commands and data streams supported by SCADA devices such as RTUs and IEDs. Because of the regularity of this traffic, specialized sensors that monitor power distribution SCADA traffic can detect artifacts of attempts to penetrate the communications between a control center and remote distribution devices and trigger countermeasures.

Sensors in a large system can produce hundreds of events in a day. While some events are clear indications of unauthorized activity, many events may result from external factors such as a sudden demand for energy by an external network or a storm. False alarms are a significant concern, as operators are primarily concerned with power management and may not be trained to detect cyber intrusions. It is particularly important to suppress false alarms if the network monitoring system is able to automatically respond to unauthorized activity. To make sense of these events, it is important to correlate multiple events and to relate them to known system events, including known equipment outages and external events such as storms. Interpreting these events requires real-time forensic reasoning that can distinguish malicious activity from other activity that may be "normal."

About the speaker:

Dr. Heimerdinger is a Senior Research Fellow in the Integrated Security group at the Honeywell Advanced Control Systems Advanced Technology Laboratory in Minneapolis, Minnesota. He has been active in research on reliable, fault-tolerant, and secure systems for over 30 years.

He has studied the impact of security breaches in the U.S. electric power grid and contributed to a demonstration of an anomaly-based intrusion detector to detect security attacks on common electric grid control protocols. He led a project that developed the Scyllarus intrusion alert correlation and assessment system. Scyllarus aggregates reports from multiple computer and network intrusion detectors to reduce the rate of false reports of intrusions as well as to decrease the time from the first report to the first credible intrusion assessment. He also participated in the CIRCADIA project, which developed a system to automatically respond to network intrusions, and was project leader of the Systems Fault Tolerance Project at the Software Engineering Institute at Carnegie Mellon University.

Dr. Heimerdinger received a Ph.D. degree in Electrical Engineering from the University of Illinois at Urbana-Champaign in 1972.

 

noon-1:30 Lunch
1:30-3:00

"Field Asset Security in a Smart Grid World"
Darren Highfill,
EnerNex

Abstract:

Transformation: Utilities around the world are in the midst of radical and unprecedented transformation. Historical and emerging forces are combining into a perfect storm of visibility and control that will fundamentally change the way the electric power industry operates its field elements. At the center of this transformation, utilities are deploying a complex and dynamic fabric of volatile communication technologies to tap the explosion of rich data from remote assets in every corner of the grid. Utilities are struggling to effectively process the fresh flood of data, yet in our effort to stem the relentless advancement of demand, we continue to cast the biggest communication nets we can find. How are we going to maintain control? As we provide ourselves with ever more access to our remote assets, we are also spreading our communication channels into areas of less and less control and physical proximity. The rapid emergence of Advanced Metering Infrastructure (AMI) represents the single largest step we have ever made in this direction, and it is only the beginning. As we build our two-way metering communications infrastructure, we are creating an intelligent network that reaches the furthest points of our system. In truth, metering is merely the catalyst application, as it alone carries enough functionality that we can cost-justify the deployment of the communications channel. But we soon realize that this channel is useful for much more than just metering.

Visibility: Today we operate the grid largely by estimation, approximation, and deductive reasoning. We run numerous applications whose sole purpose is to help us draw conclusions about an opaque area of the grid from a complex and incomplete set of information. We construct virtual data points to represent real-world tangible assets, as we have limited means of remotely obtaining a direct measurement, especially on the distribution system. AMI invalidates this assumption. Deployment of measurement devices for any remote asset becomes much simpler and cost-effective in the context of a communication system reaching our furthest endpoints. The holy grail of wide-area visibility and control is suddenly within our reach. Advanced distribution automation, outage management, distribution operations, mobile workforce deployment, and countless other applications – both current and as-yet-conceived – will all be fundamentally changed by the presence of deterministic data for every point on the grid. In essence, advanced metering becomes the point of leverage for us to begin deployment of the smart grid. We are building the intelligent communications system layered over the power grid that visionary and guiding bodies have talked about for the past dozen or more years. But before we become too self-congratulatory, we must remember our fundamental objective: safe, reliable, and inexpensive electric power. All will be for naught if we neglect our responsibilities and fail to build in the appropriate controls. We must think about security.

Industry Response: The creation of a ubiquitous communication system reaching the remote ends of the grid places us in completely new and unexplored territory. We will have millions of end points, direct control of load, and limited physical access control options on assets within easy reach of the bored, curious, and malicious. We are in the domain of the adversary, and would-be attackers would like nothing more than for us to stay in the dark. This presentation will illustrate current industry efforts to shed light on the problem space and define the security landscape that lies before us now. Collaborative initiatives involving utilities, vendors, and independent domain experts are being utilized to provide guidance and instruction for navigating our way into tomorrow. These efforts are about securing our newest Smart Grid asset: our developing field communication systems.

About the speaker:

Darren Reece Highfill, CISSP, is the Utility Security Practice Lead for EnerNex Corporation. He is the co-chair of the AMI-SEC Task Force as well as the Principal Investigator and Program Director for the Lemnos Interoperable Security Project. Darren developed the information security framework that is used to manage risk, write policy, and produce specifications for Southern California Edison's AMI project and has adapted this framework for broader reference by the UtilityAMI Working Group. He has been managing EnerNex's support of the Tennessee Valley Authority for several years and is one of the system architects for the PowerWAN, the new wide-area IP communications network. Darren has also been heavily involved in the integration of the Bradley County 500kV Substation, one of the first projects with relays from multiple vendors to implement the full suite of IEC 61850.

 

3:00-3:30 Break
3:30-5:00

"Security Monitoring and Event Management in Process Control: Challenges and Opportunities"
Alfonso Valdes,
SRI

Abstract:

Process control systems were formerly on isolated networks running application-specific protocols, but current market pressures increasingly motivate migration to commodity platforms and networking protocols. Modern PCS often encapsulate legacy protocols that were not designed with security in mind, and are directly or indirectly connected to business systems. PCS can benefit from advances in the wider scope of information technology. However, this rapid migration to commodity platforms and standards may expose PCS to the risk of cyber attacks whose consequences are not merely economic but can include environmental and safety impacts. The situation is exacerbated because, due to the stringent availability demands of PCS, enterprise security practices such as system patching have not been widely adopted.

Faced with this situation, asset owners are adopting perimeter defenses such as firewalls and switched network topologies in PCS and Demilitarized Zones (DMZ) between business and control networks. This is essential, but monitoring is also essential to ensure that perimeter defenses are not breached or bypassed.

Monitoring PCS presents special challenges not seen in enterprise monitoring. Control networks may have limited bandwidth that would be strained by traffic from monitoring systems. In addition, there are still relatively few monitoring solutions tailored to PCS.

On the other hand, monitoring in PCS is simpler than in enterprise systems. PCS have a more narrow mission scope than enterprise systems, the protocols are simpler, and the communication patterns are more regular, in comparison to enterprise environments.

We will present approaches to address the challenges of PCS monitoring, providing timely and accurate reporting of security-relevant events. This is accomplished through monitoring at the device, network, and control host level, and correlating outputs in the ArcSight SIEM framework. The monitoring solution leverages the advantages of PCS protocol simplicity and communication pattern regularity. Our SIEM approach will consist of PCS-specific dashboards to provide actionable situational awareness for PCS security.
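Both this abstract and the Heimerdinger abstract earlier on Wednesday rest on the same observation: control traffic is a small, stable set of master-to-outstation exchanges, so deviations are detectable, and the hard part is deciding which deviations a storm or a known outage explains. The following added example (written for this page; it is not SRI's or Honeywell's monitoring code, and not ArcSight or Scyllarus) learns a baseline of (source, destination, function) triples from a training window of constructed sensor records, flags live records that fall outside it, grades each event against a constructed outage window from the outage management system, and folds bursts into incidents. The addresses, function-code names, record format and outage window are this example's own assumptions.

```python
"""Baseline-and-correlate monitor for control-network traffic (constructed example)."""
import re
from datetime import datetime, timedelta

# One line per application-layer request seen by a passive sensor (constructed format).
LINE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+fc=(?P<fc>\S+)$")

# Function codes that change outstation state; never explained away by weather.
WRITE_CLASS = {"WRITE", "SELECT", "OPERATE", "DIRECT_OPERATE", "COLD_RESTART", "WARM_RESTART"}

# Constructed training window: the master at 10.1.0.10 polling two RTUs.
TRAINING = """\
2008-06-17T09:00:00 src=10.1.0.10 dst=10.2.0.21 fc=READ
2008-06-17T09:00:01 src=10.1.0.10 dst=10.2.0.22 fc=READ
2008-06-17T09:00:02 src=10.1.0.10 dst=10.2.0.21 fc=CONFIRM
2008-06-17T09:00:02 src=10.1.0.10 dst=10.2.0.22 fc=CONFIRM
2008-06-17T09:15:00 src=10.1.0.10 dst=10.2.0.21 fc=DIRECT_OPERATE
""".splitlines()

# Constructed live window: a new host appears, and the master does two unusual things.
LIVE = """\
2008-06-18T14:04:00 src=10.1.0.10 dst=10.2.0.21 fc=READ
2008-06-18T14:05:00 src=10.1.0.10 dst=10.2.0.22 fc=DELAY_MEASURE
2008-06-18T14:10:00 src=10.1.0.77 dst=10.2.0.21 fc=READ
2008-06-18T14:10:30 src=10.1.0.77 dst=10.2.0.21 fc=DIRECT_OPERATE
2008-06-18T14:20:00 src=10.1.0.10 dst=10.2.0.22 fc=COLD_RESTART
sensor heartbeat: not a flow record
""".splitlines()

# Constructed known external event: a storm-related feeder fault took RTU 10.2.0.22
# offline for half an hour, as recorded by the outage management system.
OUTAGES = [(datetime(2008, 6, 18, 14, 0), datetime(2008, 6, 18, 14, 30), "10.2.0.22")]


def parse(lines):
    """Keep only well-formed flow records; the sensor's other output is skipped."""
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            records.append({"ts": datetime.fromisoformat(m["ts"]),
                            "src": m["src"], "dst": m["dst"], "fc": m["fc"]})
    return records


def learn_baseline(records):
    """Regular SCADA traffic is a small set of (master, outstation, function) triples."""
    return {(r["src"], r["dst"], r["fc"]) for r in records}


def detect(records, baseline):
    """Emit one event per record outside the baseline, typed by what is new about it."""
    peers = {(s, d) for s, d, _ in baseline}
    events = []
    for r in records:
        if (r["src"], r["dst"], r["fc"]) in baseline:
            continue
        kind = "unknown_peer" if (r["src"], r["dst"]) not in peers else "unknown_function"
        events.append(dict(r, kind=kind))
    return events


def correlate(events, outages, window=timedelta(minutes=5)):
    """Grade events against known system events, then fold bursts into incidents."""
    incidents = []
    for e in sorted(events, key=lambda e: e["ts"]):
        under_outage = any(dev == e["dst"] and start <= e["ts"] <= end
                           for start, end, dev in outages)
        # A new read-only function toward a device known to be in an outage is
        # plausibly operators re-synchronising; a new peer, or any state-changing
        # function from anyone, is not explained by a storm.
        explained = (e["kind"] == "unknown_function"
                     and e["fc"] not in WRITE_CLASS and under_outage)
        severity = "low" if explained else "critical"
        for inc in incidents:
            if ((inc["src"], inc["kind"], inc["severity"]) == (e["src"], e["kind"], severity)
                    and e["ts"] - inc["last"] <= window):
                inc["count"] += 1
                inc["last"] = e["ts"]
                inc["fcs"].add(e["fc"])
                break
        else:
            incidents.append({"src": e["src"], "dst": e["dst"], "kind": e["kind"],
                              "severity": severity, "first": e["ts"], "last": e["ts"],
                              "count": 1, "fcs": {e["fc"]}})
    return incidents


def run():
    baseline = learn_baseline(parse(TRAINING))
    return correlate(detect(parse(LIVE), baseline), OUTAGES)


if __name__ == "__main__":
    for inc in run():
        print(f'{inc["severity"]:8} {inc["kind"]:16} {inc["src"]} -> {inc["dst"]} '
              f'x{inc["count"]} {sorted(inc["fcs"])}')
```

The five live records become three incidents: the DELAY_MEASURE during the known outage is reported at low severity, the two requests from the unknown host 10.1.0.77 are one critical incident, and the COLD_RESTART stays critical even though its target is in the outage window, because a state-changing command is never suppressed by an external-event correlation. Whether the low-severity event is displayed or only logged is the dashboard decision the abstract refers to.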

About the speaker:

Alfonso Valdes is a Sr. Computer Scientist in the Computer Science Laboratory at SRI International. He has led or participated in several research projects in information security for such clients as the Defense Advanced Research Projects Agency (DARPA), the Advanced Research and Development Activity (ARDA), and the Department of Homeland Security. He is an expert on statistical algorithms for detection and modeling and the application of such techniques in the information security arena.  He has led statistical algorithm development in SRI's Next-Generation Intrusion Detection Expert System (NIDES) and later EMERALD. Mr. Valdes has implemented a high-speed Bayes component to detect network intrusions, as well as an innovative probabilistic approach to correlation of reports from heterogeneous intrusion detection sensors.

He holds two patents in the field of computer intrusion detection. Over the last three years, he has taken an interest in the security of critical infrastructure systems such as the distributed control and SCADA systems that operate refineries and pipelines in the Oil and Gas sector.

Mr. Valdes is also an expert on a wide variety of statistical and classification techniques, including likelihood theory, decision analysis, neural networks, simulation, and Bayesian formalisms. He has applied these methods with great success in a number of problem domains, including signal processing and environmental and medical sciences, in addition to information security.

 

6:00 pm Dinner cruise on Lake Geneva

 

Thursday, June 19

8:30-10:00

"Future Control System Cyber Architectures"
Paulo Esteves Veríssimo,
University of Lisbon, Portugal

Abstract:

Power grids are an excellent case study on the challenges of future control systems. This lecture will focus on innovative concepts related to achieving trustworthiness of control system cyber architectures, using power grids as an example. Over the past few decades, electrical utility infrastructures have become largely computerized, remotely/automatically controlled, and interconnected. Such a web of critical information infrastructures became susceptible to digital accidental faults and computer-borne malicious cyber attacks, and understanding the problems related with resilience is a complex task, due to their hybrid composition (SCADA, corporate intranets, and Internet). However, power grids, if architected and managed with a view to having the same (or even better) security and dependability goals as classical IT systems do, may present very high levels of resilience. This lecture will discuss some recent advances in this area, based on innovative concepts that help realize the vision of automatic security. We present a reference architecture for advanced critical infrastructures featuring configurations that induce aprioristic prevention of known attack and vulnerability combinations. The classical prevention approach is complemented with middleware devices that achieve automatic security, through tolerance of remaining faults and intrusions. Their action is leveraged with the use of trusted-trustworthy components and architectural hybridization. Resilience to the expected severity of threats to power systems requires additional mechanisms that seek perpetual unattended operation. Proactive and reactive recovery mechanisms for self-healing are discussed, as well as trustworthiness monitoring mechanisms allowing dependable adaptation to situations not predicted or beyond assumptions.
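One way to see how the fault- and intrusion-tolerance ideas above fit together, as an added simulation written for this page and not the LASIGE reference architecture itself: 2f+1 controller replicas sit behind a trusted voter (the trusted-trustworthy component assumption), a compromised replica stays dormant and answers correctly until the attacker holds f+1 of them, and the defence against that slow accumulation is proactive rejuvenation that runs whether or not anything looks wrong. Reactive recovery rejuvenates any replica that disagrees with the majority. The plant model, the attacker's schedule, the replica count and the tick granularity are all constructed.

```python
"""Replicated controller with voting, proactive and reactive recovery (constructed simulation)."""
from collections import Counter

SETPOINT = 60.0
ATTACK_COMMAND = 100  # attacker's goal: drive the actuator fully open


def controller_output(level: float) -> int:
    """Proportional valve command from a tank level (constructed plant model)."""
    return max(0, min(100, int(50 + 2 * (SETPOINT - level))))


class Replica:
    def __init__(self, rid: int) -> None:
        self.rid = rid
        self.compromised = False

    def rejuvenate(self) -> None:
        """Reload from a trusted image: any foothold the attacker had is gone."""
        self.compromised = False

    def compute(self, level: float, attack_active: bool) -> int:
        # A compromised replica stays dormant (answers correctly) until the
        # attacker controls enough replicas to win the vote, then lies.
        if self.compromised and attack_active:
            return ATTACK_COMMAND
        return controller_output(level)


class VotedController:
    """2f+1 replicas behind a trusted voter; up to f compromised replicas are masked."""

    def __init__(self, f: int, rejuvenation_period: int) -> None:
        self.f = f
        self.replicas = [Replica(i) for i in range(2 * f + 1)]
        self.period = rejuvenation_period
        self.tick = 0
        self.next_rejuv = 0

    def compromised_ids(self):
        return [r.rid for r in self.replicas if r.compromised]

    def step(self, level: float):
        self.tick += 1
        attack_active = len(self.compromised_ids()) >= self.f + 1
        votes = {r.rid: r.compute(level, attack_active) for r in self.replicas}
        value, count = Counter(votes.values()).most_common(1)[0]
        # Reactive recovery: a replica that disagrees with the majority is treated
        # as faulty or intruded and rejuvenated at once. This only helps while the
        # compromised replicas are a minority and have started misbehaving.
        for rid, v in votes.items():
            if v != value:
                self.replicas[rid].rejuvenate()
        # Proactive recovery: rejuvenate one replica every `period` ticks, round-robin,
        # regardless of what the vote looked like. This is what clears dormant intrusions.
        if self.tick % self.period == 0:
            self.replicas[self.next_rejuv].rejuvenate()
            self.next_rejuv = (self.next_rejuv + 1) % len(self.replicas)
        if count < self.f + 1:
            return None  # no f+1 agreement: fail safe rather than guess
        return value


def simulate(f: int, rejuvenation_period: int, compromise_every: int,
             ticks: int, level: float = 55.0) -> dict:
    """Attacker silently takes over one clean replica every `compromise_every` ticks."""
    ctrl = VotedController(f, rejuvenation_period)
    expected = controller_output(level)
    outputs, wrong_ticks = [], []
    for t in range(1, ticks + 1):
        if t % compromise_every == 0:
            clean = [r for r in ctrl.replicas if not r.compromised]
            if clean:
                clean[0].compromised = True
        out = ctrl.step(level)
        outputs.append(out)
        if out != expected:
            wrong_ticks.append(t)
    return {"expected": expected, "outputs": outputs, "wrong_ticks": wrong_ticks}


if __name__ == "__main__":
    fast = simulate(f=1, rejuvenation_period=1, compromise_every=3, ticks=12)
    slow = simulate(f=1, rejuvenation_period=2, compromise_every=3, ticks=12)
    print("rejuvenate one replica per tick, wrong outputs at ticks:", fast["wrong_ticks"])
    print("rejuvenate one replica per 2 ticks, wrong outputs at ticks:", slow["wrong_ticks"])
```

With three replicas and one compromise every three ticks, rejuvenating one replica per tick keeps the attacker below f+1 and every output is correct; rejuvenating every two ticks lets two compromised replicas coincide at tick 6, they stop being dormant, and the voter faithfully outputs the attacker's command because nothing in the vote distinguishes a malicious majority from an honest one. The assumption that carries the whole design is the ratio of rejuvenation rate to compromise rate; the failing run is what the abstract's "situations not predicted or beyond assumptions" looks like, and is why it calls for trustworthiness monitoring on top of recovery.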

About the speaker:

Paulo Veríssimo is currently a professor of the Department of Informatics (DI) of the University of Lisboa Faculty of Sciences and Director of LASIGE, a research laboratory of the DI. He is a Fellow of the IEEE. He is associate editor of the Elsevier International Journal on Critical Infrastructure Protection and past associate editor of the IEEE Transactions on Dependable and Secure Computing. He belonged to the European Security & Dependability Advisory Board. He is past Chair of the IEEE Technical Committee on Fault Tolerant Computing and of the Steering Committee of the DSN conference, and belonged to the Executive Board of the CaberNet European Network of Excellence. He was coordinator of the CORTEX IST/FET project.

Veríssimo leads the Navigators research group of LASIGE, and is currently interested in architecture, middleware, and protocols for distributed, pervasive, and embedded systems, and in the facets of real-time adaptability and fault/intrusion tolerance. He is the author of more than 130 refereed publications in international scientific conferences and journals in the area, and co-author of five books. He holds M.Sc., Ph.D., and "Agregado" degrees in Computer and Electronics Engineering from the IST (Instituto Superior Técnico) of the Technical University of Lisboa.

 

10:00-10:30 Break
10:30-noon

"Energy Currency and Other Trends: How Changes in Society's Energy Management Strategies Could Influence CyberSecurity Research"
Deborah Frincke,
Pacific Northwest National Laboratory

Abstract:

Much like early information networks, power grid protections are essentially hierarchical. The models emerged to match traditional ways of managing the grid, including the ways in which energy is generated and sold. However, just as changing e-business and social networking models influence the security needs of information networks, we should expect that emerging energy management and use trends will necessitate changes in the way we manage the power grid. The impetus behind these trends is diverse: economic, technical, and political forces are combining to shift both energy supply and demand, and older hierarchical models that depended on relatively sophisticated central controllers with relatively unsophisticated "end points" may not always be the norm. Already, field equipment, substations, and customer sites rely upon "smarter" controllers. Customers are becoming producers as well as consumers of energy; even individuals can generate power from their homes. The popular movements towards energy independence and a renewable power grid are also likely to drive changes in the way that we manage energy. It is not only the way we generate and sell energy that is affected. As with any change, there will always be opponents and opportunists seeking to disrupt or take advantage of new circumstances. Those opposed to energy independence will have a stronger motivation to disrupt energy flow. The existence of "energy currency" may make fraud and theft attractive. Just as long-tail economic models have resulted in new business models for e-commerce, similar pressures in energy management are likely to change the existing security model for the power grid as well. This lecture will build upon the content provided in previous lectures to highlight emerging research areas that appear likely to affect our ability to operate the power grid safely and securely as our interactions with it change.

About the speaker:

Deborah Frincke joined the Pacific Northwest National Laboratory in 2004 as Chief Scientist for CyberSecurity. Prior to joining PNNL, Dr. Frincke was a Full Professor at the University of Idaho, and co-founded TriGeo Network Systems. More recently, she has been an enthusiastic charter member of the Department of Energy's cyber security grass roots community, which is working to devise long-term research plans to address DOE cybersecurity needs. Dr. Frincke is a member of numerous journal editorial boards and conference program committees, including the Journal of Computer Security.

 

noon-1:30 Lunch
1:30-2:30 TBD
2:30-4:00  

"Improving the Robustness of Process Control System Software"
Rob Cunningham,
MIT Lincoln Laboratory

Abstract:

Process Control Systems (PCS) are responsible for managing processes that manufacture goods, refine oil, light our streets, and heat our homes. If PCS are not properly configured and protected, they are vulnerable to disruption, potentially leading to business, economic, and environmental losses and possibly to the loss of life. Whereas once these systems were purpose-built and isolated, increasingly they are built using commodity hardware and software, and are becoming connected to the Internet. Organizations are beginning to understand that these systems need to be hardened, but accomplishing this task remains difficult. For every aspect of security -- from making a business case to management, and from building security into PCS design & implementation to configuring, running, monitoring, and if necessary restoring systems -- well-designed tools can make a tremendous difference. In this presentation I will discuss some of the threats to these systems, describe how to identify components for "security upgrades," and explain how each device can be made more secure through automated testing of software and hardware configurations.

About the speaker:

Robert K. Cunningham is Associate Leader of the Information Systems Technology Group at MIT Lincoln Laboratory. In this position, he pursues research in attack detection algorithms that do not require advance knowledge of the method of the attack, systems that fuse information assurance alerts, and software development tools to prevent vulnerabilities. Prior to joining the group, he was a member of the technical staff of the Machine Intelligence Group, where his research addressed digital image processing and image understanding. While in that group, he also performed research on automated seismic analysis and event discrimination, and developed parallel programming algorithms and support software. Dr. Cunningham has participated in several national panels evaluating and defining research approaches to information operations problems and has received a commendation from the director of the National Security Agency for his efforts. Dr. Cunningham also participates on international program committees in information operations research, including service for the IEEE Symposium on Security and Privacy and as the general chair for the Symposium on Recent Advances in Intrusion Detection. He is a senior member of the IEEE, has led the Laboratory's Advanced Concepts Committee, and is a member of the Laboratory's New Technology Initiatives Board. He holds a Sc.B. degree in computer engineering from Brown University, an M.S. degree in electrical engineering from Boston University, and a Ph.D. degree in cognitive and neural systems from Boston University.

 

 

Friday, June 20

8:30-10:00

"Changing Today's Vulnerabilities into Tomorrow's Resilient Control Systems"
Rita Wells,
Idaho National Laboratory

Abstract:

This session will present vulnerability categories based on consequence and threat issues as the problem basis, identify the different mitigation vehicles being produced or still needed for those vulnerabilities, and finally present a larger scope on resilient control systems elements needed for future systems.

The high-level risk equation for cyber security attacks on control systems consists of Risk = Vulnerabilities * Threat * Consequences. The vulnerabilities are becoming understood and characterized based on the work done by the Department of Energy Office of Electricity Delivery and Energy Reliability (DOE-OE) National SCADA Test Bed (NSTB) and the Department of Homeland Security National Cyber Security Division (DHS-NCSD) Control Systems Security Program (CSSP). These programs are performing analysis of consequences and threats to a lesser extent than they are addressing vulnerabilities and mitigation tools and guidance.

Not all vulnerabilities are equal. Vulnerability characterization is needed to understand the impact, ease of exploit, exposure, and deployment that the vulnerabilities represent. An analysis of vulnerability characterization will reveal common threads for mitigation techniques. Categorization of vulnerabilities, including implementation issues, code flaws, and design and architecture issues, is useful when designing mitigations. For targeted attacks, multiple vulnerabilities (often from multiple categories) are connected to provide information disclosure, access, escalation of privileges, and control of process. In rare cases, a few vulnerabilities may create the desired targeted attack. Defense in depth is one strategy for protection, but the base system is still vulnerable.

Overall, more resilient control systems are needed. Resilient control systems will have the ability to operate under multiple conditions. Resiliency will require the aspects of safety, quality, and security. The objective of safety is to ensure operation within safety parameters and switch over to redundant systems or safe shutdown. The objective for quality is to produce systems in a structured, repeatable process with control over the configuration and changes throughout the life cycle. The objective of security is to create more secure code and configurations, manage resources, and design systems with the ability to detect, isolate, identify, and remove threats in real time. The enabling aspects for resilient control systems include:

  • Situational awareness: monitors, alarms, knowledge limits, and fault tolerance
  • Recovery: isolation of faults, real-time investigation, and identification of problems
  • Restoring: verification that the system is ready for service
  • Redundancy: ability to switch to another configuration without interruption
  • Reliability: includes the traditional measures and the ability to apply them to software

About the speaker:

Rita Wells is the energy sector lead for the Critical Infrastructure Protection/Resilience division at the Idaho National Laboratory. She is responsible for making the technical decisions, strategy, and direction of testing and assessment activities at the Supervisory Control and Data Acquisition (SCADA) and control systems test beds. Rita has worked with the Federal Energy Regulatory Commission, Department of Homeland Security, Department of Energy, industry (vendors and asset owners), and other entities as a subject matter expert for cyber security of control systems for 4 years. She has worked at the lab for 18 years and has served as a technical lead for integrating control systems into a data management system for transuranic waste, which resulted in two national awards for the product developed. Her process control experience includes the training simulator for the advanced test reactor, HVAC for nuclear waste storage facilities, and command and control for military projects. She has served as a subject matter expert for networks and security for a large military integration program. Prior to joining the lab, she worked for a university computer center, for which she was responsible for network infrastructure while working towards her degree in Computer Information Systems.

 

10:00-10:30 Break
10:30-noon

"Smart Grid Case Study: Deploying an Advanced Metering Infrastructure (50,000 Today, 10,000,000 Tomorrow)"
Mel Gehrs,
Gehrs Consulting

Abstract:

Everyone is talking about the "Smart Grid," but the challenges are daunting. How do you deploy technology to millions of homes and businesses that allows secure, two-way communications to read meters, enable microbilling transactions (plug-in hybrids), perform Distribution Automation functions (capacitor banks, reclosers, fault detectors), and enable home automation applications? The purpose of this talk is to discuss the challenges and examine an actual implementation of "Smart Grid" technologies at Florida Power & Light. Topics covered will include IPv6, RF mesh, mesh security, routing simulation, last-gasp outage detection, hang-and-run/self-discovery, and viral firmware deployment techniques, with actual examples provided.

About the speaker:

Mel Gehrs has 30 years of utility experience with ComEd/Exelon in developing and supervising Nuclear Plant Process computers, Nuclear Security Computers, and nuclear simulator systems. Following his retirement from Exelon, he worked for NASA for 3 years, facilitating the transfer of technology from NASA laboratories to Illinois technology companies. He is currently president of Gehrs Consulting, Inc., and is specializing and consulting in "Smart Grid" technologies. He holds degrees from Kansas State University in Nuclear and Electrical Engineering.