Critical Infrastructure Security:
The Emerging Smart Grid

Cyber Security Lecture 1:
Introduction
Carl Hauser & Adam Hahn

Administrative
Textbook (available online)
Ross Anderson. Security Engineering 2nd Ed. Wiley.
http://www.cl.cam.ac.uk/~rja14/book.html
Read Chapter 1

Outline
Smart Grid Overview
Security Intro and Terminology
Threat Events & Sources
Vulnerabilities
Privacy
Security Properties
Security Engineering

Future Class Topics

Complexity

Complexity is the enemy of security
-Daniel Geer

Source: Dan Geer. Complexity is the enemy. IEEE Security & Privacy. Nov/Dec 2008

Threats in the Smart Grid

Terminology
Threat - circumstance or event with the potential to adversely impact organizational operations
  Threat Events - event or situation that has the potential for causing undesirable consequences
  Threat Source (agent) - intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability

Vulnerability & Predisposing Conditions
  Vulnerability - a weakness in an information system, system security procedures, internal controls, or an implementation that could be exploited by a threat source
  Predisposing Condition - condition which contributes to the likelihood of a threat event

Risk - a measure of the extent to which an entity is threatened by a potential circumstance or event
  Function of (1) adverse impact of attack and (2) likelihood of occurrence

Source: NIST SP 800-30, rev1. http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Security Mindset
Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal.
Security professionals
  can't walk into a store without noticing how they might shoplift.
  can't use a computer without wondering about the security vulnerabilities.
  can't vote without trying to figure out how to vote twice.
-Bruce Schneier

Source: https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html

Why Computer Security is Hard?

Challenges
Cultural - Technology evolves faster than human behaviors
Psychology - Threats are invisible, intangible
Economic - Financial investment in people and technology
Performance - Security technologies often consume computation resources
Threats - Asymmetric, well funded adversaries vs rate-based utilities
Privacy - Boundless data collection and analysis
Usability - Less trusting environments require more configuration
Technical - System vulnerabilities often difficult to discover

Key Security Principles


Kerckhoffs' (!= Kirchhoff's) Principle
  No security by obscurity
  Assume attacker knows how security system works

Fortification Principle
  Defender must defend entire system
  Attacker will target lowest point

Attack Lifecycle

Source: NERC, DOE. High-Frequency Low Impact Event Risk to the North American Bulk Power Systems. 2009

Cybercrime

Source: New York Magazine, http://nymag.com/daily/intelligencer/2013/04/ap-twitter-hack-sends-stock-market-spinning.html

Source: CNN Money, http://nymag.com/daily/intelligencer/2013/04/ap-twitter-hack-sends-stock-market-spinning.html

Hacktivism

Source: Forbes, http://www.forbes.com/sites/quora/2014/07/24/how-wsjs-facebook-page-got-hacked-and-what-others-should-do-to-prevent-this/
Source: Mother Jones, http://www.motherjones.com/politics/2014/07/anonymous-cyberattack-israel-gaza

Nation-State Threats

Source: The Washington Post, http://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html
Source: CNET, http://www.cnet.com/news/saudi-oil-firm-says-30000-computers-hit-by-virus/
Source: The New York Times, http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?pagewanted=all&_r=0

Advanced Persistent Threats (APT)

What is an APT
Advanced
  Well funded, professionals
  Will utilize zero-day vulnerabilities
    Vulnerabilities discovered by an attacker, but unknown to defender
  Will have sophisticated rootkits to hide attacks
  Will utilize covert methods to attack and exfiltrate data
  Will perform heavy reconnaissance of organization (both technical and personal)
Persistent
  Will continually attack until successful
  Understand Law of large numbers

Threats to the Grid

Source: NERC Cyber Attack Task Force. Draft Report. 2012.

Coordinated Cyber Attack

Electric power grid should remain reliable under any single physical fault (NERC n-1)
Impactful attack will likely require multiple coordinated actions

Source: NERC Cyber Attack Task Force. Draft Report. 2012.

Vulnerability Statistics

Source: https://web.nvd.nist.gov/view/vuln/statistics-results?adv_search=true&cves=on

Vulnerability Lifecycle

Source: European Union Agency for Network and Information Security (ENISA). Window of exposure... a real problem for SCADA systems? Dec. 2013.

Market for Vulnerabilities

Vulnerabilities traditionally publicly disclosed when found
  Vendors would then provide patches
Now, vulnerabilities being sold to highest bidder
  Vendor, public remain unaware of them

Source: http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

Pervasive Vulnerability
Modern systems have pervasive vulnerability
From a security perspective, they are purchased in a broken state
Only get worse as time progresses

Privacy
Definition: the quality or state of being apart from company or observation
"Information privacy" refers to the user's ability to control when, how, and to what extent information about themselves will be collected, used, and shared with others.
Source: http://www.merriam-webster.com/dictionary/privacy
Source: https://msdn.microsoft.com/en-us/library/ms976532.aspx

Source: E. L. Quinn, Privacy and the New Energy Infrastructure, Social Science Research Network (SSRN), Feb. 2009

Cyber Security Properties

Key Principles: CIA Triad [NIST FIPS-199]
Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
Availability - Ensuring timely and reliable access to and use of information.

CIA acronym, but also traditionally the priority of the properties
In control systems we usually care more about AIC (or IAC)

Cyber Security Properties

Accountability
  Actions of an entity can be uniquely traced back to that entity
  Nonrepudiation - entity can't deny responsibility for an action
Authenticity
  verification of the validity/source of a message or transmission
  Authentication - process of verifying authenticity
Trust
  Even if you know to whom you're talking, can you count on them to behave as expected?

Security Engineering Framework

Source: Security Engineering. Ross Anderson. 2nd ed. Wiley

Security Engineering Framework


What we try to achieve:
-who has access
-what can they do

Incentives for:
-defenders to implement policy, mechanisms
-attackers to bypass policy, mechanisms

How we enforce policy:
-Prevent (firewall, crypto)
-Detect (IDS, AV)
-Respond (reconfigure)
-Recover (disaster recovery)

The amount of reliance you can place on the mechanism to enforce the policy

Source: Security Engineering. Ross Anderson. 2nd ed. Wiley

Secure Development Lifecycle

Security is a process, not just a technology or features
Secure development lifecycle
  Similar to systems or software engineering lifecycles
  Ensure security decisions considered throughout system's lifespan

Source: Microsoft. Simplified Implementation of the Microsoft SDL. 2010. http://www.microsoft.com/sdl

Topics
Lecture #2: Cryptography and authentication
Lecture #3: Software vulnerabilities and attacks
Lecture #4: Network vulnerabilities and attacks
Lecture #5: Assurance, Evaluation, and Compliance
Lecture #6: Case study: Stuxnet

End