Energy Information Security Case Study
Jim is the Manager of Information Security & Systems at a Northeastern utility that services nearly one million households.
He was recruited to the role from the US State Department to create a more structured approach to security.
Jim likes to joke that his job title acronym (MISS) explains why he got the job – as it explains what had been done previously on his company’s Smart Grid security efforts.
Information Security Concern
With the Public Utility Commission pushing hard, Jim had too many initiatives and too little time to do due diligence. He was looking for assistance in:
✔ Assessing the security of a 900 MHz spread-spectrum frequency-hopping distribution network. Part of the challenge was establishing a standard from the overwhelming amount of guidance available.
✔ Ensuring that the In Home Devices that support the Demand Response initiative did not pose a direct risk to the utility's infrastructure. Of concern was the newness of the device and the fact that it has at least four distinct interfaces that need to be secured (ZigBee Pro, ZigBee SE, WLAN, and serial/debug).
✔ Certifying and accrediting the Smart Meters into operation in support of a Smart Grid initiative. This was complicated by the fact that the Demand Response program was on a different “track,” yet the smart meters were needed to protect the backend network from an In Home Device (IHD) breach.
✔ Assessing the third-party credit web applications that support the Demand Response and Pre-Pay initiatives. This effort needed to address the risks associated with breaches of customer data and/or malicious use of the trusted utility interfaces (e.g., DMS access, malicious connects/disconnects).
Information Security Approach
Pivot Point Security worked with Jim and his team to analyze various options, and helped them come up with the right combination of activities to meet their specific requirements.
Jim and his team decided to:
✔ Conduct a Gap Assessment of the 900 MHz Distribution Network Design and the radios under consideration. Integral to this effort was establishing a set of standards derived from various guidance (e.g., NIST, NISTIR, ISO 27002, FIPS 140/186/199, IEC 62351, NERC-CIP, IEC 62443) to baseline the design and radios against. The report provided guidance on the design and the security “fit” for each of the radios under consideration.
✔ Perform a comprehensive design review and conduct substantive tests against the IHD’s network and physical interfaces to ensure that the deployment of thousands of IHDs in customers’ homes did not pose a risk to the utility. The report outlined a number of vulnerabilities and their potential remediation, including compensating control mechanisms where remediation was impractical or outside the direct control of the utility. Generally speaking, all devices outside the direct control of an organization’s Information Security Management System should be considered “suspect.”
✔ Conduct certification tests in accordance with the utility’s newly developed (NIST 800-37 like) SC&A activities on the Smart Meter. The test plan was extended to address the results of the IHD testing and to ensure that the Smart Meter, or another upstream device, could provide detection and filtering of malicious content/commands emanating from the customers’ IHD/network. This more holistic approach made it simpler to identify gaps and specify control improvements to close them.
✔ Perform an Application Architecture Assessment against the Demand Response and Payment application architectures. The testing included network and application vulnerability assessments and penetration tests against the application, network, and database infrastructures of the third-party hosts. Secure Data Flow Diagramming (SDFD) was leveraged to ensure that the “trusted” interfaces between the third party and the utility were secured in a manner consistent with the utility’s objectives, and that data breach, malicious connect/disconnect and grid integrity risks were mitigated to an acceptable level.
✔ Develop a prioritized remediation plan across all of the findings to ensure security and compliance are addressed in a holistic way.
We continue to work with Jim, providing “on-call” SME support as required while he and his team execute on the remediation plan. We are working with Jim to better formalize an approach to Information Security, including:
✔ Establishing a Security Operations Center (SOC) to consolidate, normalize, and correlate logs from security devices throughout the network to reduce the likelihood of a serious breach impacting the utility and its customers.
✔ Formalizing an approach to information security; most notably documenting critical Policies, Standards and Procedures.
✔ Establishing a Risk Management Framework to ensure that monitoring and assessment activities are focused on the utility’s most critical risks.
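The SOC item above (consolidate, normalize, and correlate logs from devices throughout the network) in miniature, as an added example that is not Pivot Point Security's or the utility's code: two constructed log sources in different native formats (a perimeter firewall and a hypothetical meter head-end) are parsed into one common event schema, and a correlation rule flags a burst of authentication failures followed by a success from the same source, then a meter disconnect command issued by that source shortly after. The log formats, hostnames, addresses, user names and thresholds are all assumptions.

```python
"""Toy SOC pipeline: consolidate, normalize and correlate logs.

Added example, not Pivot Point Security's or the utility's code. Every log
format, hostname, address, user name and threshold below is constructed for
illustration (hypothetical).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a perimeter firewall syslog stream and an
# application log from a hypothetical meter head-end, in their native formats.
FIREWALL_LOG = """\
2024-03-01T02:14:05Z fw01 deny src=203.0.113.7 dst=10.0.5.20 dport=443 proto=tcp
2024-03-01T02:14:06Z fw01 allow src=203.0.113.7 dst=10.0.5.20 dport=22 proto=tcp
"""
HEADEND_LOG = """\
2024-03-01 02:14:10 headend01 auth FAIL user=ops src=203.0.113.7
2024-03-01 02:14:12 headend01 auth FAIL user=ops src=203.0.113.7
2024-03-01 02:14:14 headend01 auth FAIL user=ops src=203.0.113.7
2024-03-01 02:14:20 headend01 auth OK user=ops src=203.0.113.7
2024-03-01 02:14:25 headend01 cmd DISCONNECT meter=MTR-000123 user=ops src=203.0.113.7
2024-03-01 02:30:00 headend01 auth OK user=alice src=10.0.9.4
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>allow|deny) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
HE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) "
                   r"(?P<kind>auth|cmd) (?P<detail>\S+)(?P<rest>.*)$")


def _kv(text):
    """Parse 'k=v k=v' fragments into a dict."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def normalize_firewall(line):
    """Firewall line -> common event schema (None if the line does not parse)."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": m["host"], "src_ip": m["src"], "user": None,
            "event": "network." + m["action"],
            "detail": {"dst": m["dst"], "dport": int(m["dport"])}}


def normalize_headend(line):
    """Head-end line -> common event schema (None if the line does not parse)."""
    m = HE_RE.match(line)
    if not m:
        return None
    fields = _kv(m["rest"])
    if m["kind"] == "auth":
        event = "auth.success" if m["detail"] == "OK" else "auth.failure"
    else:
        event = "command." + m["detail"].lower()
    return {"ts": datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S"),
            "source": m["host"], "src_ip": fields.get("src"),
            "user": fields.get("user"), "event": event, "detail": fields}


def collect(streams):
    """Consolidate: run each source through its parser, merge, order by time."""
    events = []
    for parser, text in streams:
        for line in text.splitlines():
            ev = parser(line)
            if ev is not None:
                events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


FAIL_THRESHOLD = 3                    # failures within FAIL_WINDOW that count as a burst
FAIL_WINDOW = timedelta(seconds=60)
FOLLOWUP_WINDOW = timedelta(seconds=600)


def correlate(events):
    """Correlate across sources: a burst of auth failures followed by a success
    from the same source, then any meter command that source issues shortly
    afterwards. 'external' records whether the perimeter firewall also saw the
    address, which is what consolidating the two sources buys."""
    perimeter = {e["src_ip"] for e in events if e["event"].startswith("network.")}
    failures = defaultdict(list)      # src_ip -> timestamps of recent failures
    suspicious = {}                   # src_ip -> time of the success after a burst
    alerts = []
    for ev in events:
        ip = ev["src_ip"]
        if ev["event"] == "auth.failure":
            recent = [t for t in failures[ip] if ev["ts"] - t <= FAIL_WINDOW]
            failures[ip] = recent + [ev["ts"]]
        elif ev["event"] == "auth.success":
            recent = [t for t in failures[ip] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                suspicious[ip] = ev["ts"]
                alerts.append({"rule": "auth-burst-then-success", "src_ip": ip,
                               "user": ev["user"], "ts": ev["ts"],
                               "failures": len(recent), "external": ip in perimeter})
            failures[ip] = []
        elif ev["event"].startswith("command.") and ip in suspicious:
            if ev["ts"] - suspicious[ip] <= FOLLOWUP_WINDOW:
                alerts.append({"rule": "command-after-suspicious-login", "src_ip": ip,
                               "user": ev["user"], "ts": ev["ts"], "command": ev["event"],
                               "meter": ev["detail"].get("meter"), "external": ip in perimeter})
    return alerts


def run():
    """Consolidate both constructed sources and return the correlated alerts."""
    events = collect([(normalize_firewall, FIREWALL_LOG), (normalize_headend, HEADEND_LOG)])
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the pipeline raises two alerts: the three failures and the success from 203.0.113.7 within the window, and the DISCONNECT of meter MTR-000123 five seconds later, both tagged as coming from an address the firewall had already seen at the perimeter. A real SOC deployment would replace the two regexes with the normalizers for each device family and tune the thresholds, but the shape (one schema, time-ordered merge, stateful rules keyed on a shared field) is the same.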
You might say that their information security prognosis is excellent!