Cybersecurity for Smart Grids:
Technical Approaches to Improve
Cybersecurity
Presentation by Cyril W. Draffin, Jr.
Project Advisor, MIT Energy Initiative
Stefano Bracco
Knowledge Manager, Agency for the Cooperation of
Energy Regulators
David Batz
Security and Business Continuity, Edison Electric Institute
International Energy Agency’s International Smart Grid Action
Network (ISGAN) Academy – 2nd Cybersecurity Webinar
11 September 2017
ISGAN in a nutshell
International Smart Grid Action Network TCP (ISGAN)
‘Strategic platform to support high-level government attention and action for
the accelerated development and deployment of smarter, cleaner electricity
grids around the world’
• An initiative of the Clean Energy Ministerial (CEM)
• Organized as the Implementing Agreement for a Co-Operative Programme on Smart Grids (ISGAN)
The CEM is the only multilateral forum dedicated
exclusively to the advancement of clean energy
technologies and related policies. ISGAN is the only
global government-to-government forum on smart grids
Geography of ISGAN
Contracting Parties: 25
Invited: Malaysia
Expression of Interest: UAE
• Swedish Energy Agency
• Commonwealth Scientific and Industrial Research Organization
• Government of Canada
• Norwegian Ministry of Petroleum and Energy
• New Energy and Industrial Technology Development Organization (NEDO)
• Sustainable Energy Authority of Ireland
• Government of Belgium
• Forschungszentrum Jülich GmbH
• Government of the Netherlands, Ministry of Economic Affairs, Agriculture and Innovation
• Union Fenosa Distribucion
• Government of Austria
• Government of France
• Swiss Federal Office of Energy
• Government of Korea
• European Commission
• South African National Energy Development Institute
• Energy Market Authority, Singapore
• Government of India (MOP, NSGM, POWER GRID, CPRI)
• Government of Mexico
• U.S. Department of Energy
• Ricerca sul Sistema Energetico (RSE S.p.A.)
• Ministry of Science and Technology, Department of High and New Technology Development and Industrialization
• Russian Energy Agency
• Tekes (Finnish Funding Agency for Technology and Innovation)
• Danish Energy Agency
Activities of ISGAN
For more information, please visit:
o ISGAN: www.iea-isgan.org
Topics for
Cybersecurity for Smart Grids Webinar #2:
Technical Approaches to Improve
Cybersecurity
1. Cybersecurity Challenges
2. Cybersecurity Approach and Best Practices
3. Case Studies
4. Cyber Professionals
5. Regulatory and Legal Constraints of architecting smart
grids in a secure way
6. Measures of Success
7. Conclusions
Market and Technology
• Smart Grid and digital evolution
• Highly inter-connected platforms with a number of actuators and
sensors (with wide geographical area)
• Decision-making delegated to machines (Distributed Control Systems)
• New intelligent control devices which have to cooperate with old
control devices (which are not easy to replace)
• Changing business models with more actors involved
• Distributed Energy Resources, with renewable resources that have
intermittent behaviour, with multiple ownerships and cybersecurity
practices
• Demand changes, dynamic pricing and need for inclusion of new actors
(for example “prosumers” and aggregators) with impact on electricity
systems
Electricity Market Challenges affecting Cybersecurity
Cybersecurity Challenges
Management
• Evolving cyber threats
• Hacking groups trying to find vulnerabilities embedded in the existing
security measures, and seeking undiscovered vulnerabilities of control
systems
• Potential role of nation states
• Potential national or cross-border impact of attacks and incidents,
related to the “weakest link problem”
• Existing governance versus best practices
• Agility is important: it is impossible to predict what will happen
• Forensics methods and technologies (applicable to standard IT systems
and their security measures) may not work as well on Operational
systems
• How much cybersecurity expenditure is sufficient? (cost of cybersecurity)
Management Challenges affecting Cybersecurity
Cybersecurity Approaches
• Threat and risk management system
– Pursue a harmonized, structured and comprehensive way to identify operators of essential services for the energy sector at regional level
– Structured risk analysis and risk treatment plan specific for the highly interdependent European and US energy sectors
– Cyber security maturity framework
– Regional cooperation on cyber security topics
– Control and secure disclosure of vulnerabilities and incidents affecting the energy sector in its crucial role
• Effective cyber response framework
– Define and implement a cyber response and coordination framework
– Implement and strengthen regional cooperation for efficient handling of cyber emergencies when energy is involved and affected
– Improve cyber resilience in the energy sector
• Build-up adequate capacity and competences
– Build competences
– Provide knowledge, including frameworks and best practices
– Promote research
A maturity model is a set of characteristics, attributes, indicators, or patterns that
represent capability and progression in a particular discipline.
Model content typically exemplifies best practices and may incorporate standards
or other codes of practice of the discipline. It provides a benchmark against which
an organization can evaluate the current level of capability of its practices,
processes, and methods and set goals and priorities for improvement.
When a model is widely used in a particular industry (and assessment results are
shared), organizations can benchmark their performance against other
organizations. An industry can determine how well it is performing overall by
examining the capability of its member organizations.
Maturity Model
10 Domains In Maturity Model:
Logical grouping of cybersecurity practices
• Risk Management
• Asset, Change, and Configuration Management
• Identity and Access Management
• Threat and Vulnerability Management
• Situational Awareness
• Information Sharing and Communications
• Event and Incident Response, Continuity of Operations
• Supply Chain and External Dependencies Management
• Workforce Management
• Cybersecurity Program Management
Information Technology and Operations Technology Systems
Information Technology
1. Confidentiality (most important)
2. Integrity
3. Availability
versus
Operations Technology
1. Availability (most important)
2. Integrity
3. Confidentiality
How the European Commission Clean Energy
Package acknowledges Cybersecurity
• The legislative proposals put emphasis on smarter and more
efficient management of the grid, by using digital technologies and
the flexibility of consumers and their electrical appliances
• Innovation is at the core of the package, from renewable energy
legislation, to energy efficiency and the new market design
proposals
• The package acknowledges the importance of cyber security for
the energy sector, and the need to duly assess cyber-risks and their
possible impact on the security of supply.
• It proposes the adoption of measures to prevent and mitigate the
risks identified as well as the adaption of technical rules for
electricity (i.e. a Network Code) on cyber-security.
Energy Expert Cyber Security Platform (EECSP) - Expert Group
10 cyber security challenges in the energy sector (reference: EECSP Report)
Electricity Oil Gas Nuclear
1 Grid stability in a cross-border interconnected energy network. x x x
2 Protection concepts reflecting current threats and risks. x x x x
3 Handling of cyber-attacks within the EU. x x x x
4 Effects by cyber-attacks not fully considered in the design rules of an existing power grid or nuclear facility x x
5 Introduction of new highly interconnected technologies and services. x x
6 Outsourcing of infrastructures and services. x x x
7 Integrity of components used in energy systems. x x x
8 Increased interdependency among market players. x
9 Availability of resources and their competences. x x x x
10 Constraints imposed by cyber security measures in contrast to real-time/availability requirements. x x x
Present Coverage In European Union Regulation
Strategy and Legislation
Strategy papers
• EU Cyber Security Strategy
• Digital Single Market Strategy
• 50 national cyber security strategies
Legislation with focus on cyber security for critical infrastructure providers
• Network and Information Security (NIS) Directive
• European Programme for Critical Infrastructure Protection (EPCIP) Directive
• Contractual Public-Private Partnership
Legislation with focus on security of supply
• Security of Supply (SoS) Directive
• Security of Gas Supply Regulation
Legislation with focus on data protection and privacy
• General Data Protection Regulation (GDPR)
• Data Protection Impact Assessment (DPIA) Template
Strategic Priorities (European perspective)
Strategic Priority I: Set-up an effective threat and risk management system
Strategic Areas
• European threat and risk landscape and treatment
• Identification of provider of essential services
• Best practice and information exchange
• Foster international collaboration
Areas of Actions
1. Identification of provider of essential services for the energy sector at EU level.
2. Risk analysis and treatment.
3. Framework of rules for a regional cooperation.
4. EU framework for vulnerabilities disclosure for the energy sector.
Strategic Priority II: Set-up an effective cyber defence framework
Strategic Areas
• Cyber response framework
• Crisis management
Areas of Actions
5. Define and implement cyber response framework and coordination.
6. Implement and strengthen the regional cooperation for emergency handling
Strategic Priority III: Continuously improve cyber resilience
Strategic Areas
• European cyber security maturity framework
• Supply chain integrity framework for components
• Best practice and information exchange
• Awareness campaign from top level EU institutions
Areas of Actions
7. Establish a European cyber security maturity framework for energy.
8. Establish a cPPP for supply chain integrity
9. Foster European and international collaboration
Strategic Priority IV: Build-up the required capacity and competences
Strategic Areas
• Capacity & competence build-up
Areas of Actions
10. Capacity and competence build-up.
Core European documents under review in
2017-2018
• EU Cyber Security Strategy is under review
• German EU Strategy and others were
reviewed in 2016
• Other strategies expected as a result of the NIS (Network and Information Security) Directive
Best Practices
• No comprehensive best practices, but:
– Big TSOs and DSOs are already applying existing standards
that may be helpful (e.g. ISO 27000 Series and NERC CIP)
– BSI is a reference in Germany (https://www.bsi.bund.de)
– ANSSI (The French CIIP Framework - https://www.ssi.gouv.fr/en/cybersecurity-in-france/ciip-in-france/) in France with two different approaches
– ENISA is working hard at EU Level with a number of
publications every year: most of them provide
recommendations and analysis at EU Level, and are
complemented by the work done by DG ENERGY and DG
JRC of the European Commission.
Case Study 1 – Advanced Metering Infrastructure
Background
The Advanced Metering Infrastructure (AMI) is now being rapidly deployed throughout
the power grid, and is an enabling technology for smart grid. Identifying the attack
surface is a necessary step in achieving cyber security in smart grids and AMI.
Source: https://arxiv.org/ftp/arxiv/papers/1607/1607.04811.pdf
Case Studies
Analysis
An attacker may target an AMI in several ways, which may result in several different
risks for the operator involved.
Main potential objectives for such an attack:
• Intelligence gathering;
• Infecting the target AMI systems;
• AMI exploitation (use for profit);
• AMI exfiltration (transfer of data);
• Maintaining control of this capability in the short, medium and long run.
Needed definition: the cyber attack surface can be defined as the methods by which an
environment or a system can be attacked by an adversary to introduce or retrieve data from
that environment or system.
Case Study 1 – Advanced Metering Infrastructure
(continued)
Analysis
Surface is composed of:
• Smart Meters
• IR Port
• Internal Link
• Firmware
• Micro Controller
• Radio
• AMI Information and Communication Network
• Smart Meter Data Collector – SMDCs
• Similar to Smart Meters
• AMI-Head End
• Interface with the Utility Infrastructure
• Outage Management Systems (Restoration capability)
• Energy Management System (Dispatch and monitoring)
• Master Data Management Systems
• Corporate WAN
• Protocols and Software
• Weak Encryption keys
• Smart Energy Profile 2.0
• KillerBee to hack AMI
• Many attacks possible on 3G/4G/LTE
Case Study 1 – Advanced Metering Infrastructure (continued)
Possible Counter-measures
• Create closed and proprietary security solutions;
• Use Open Standards and architect things in a way that “red points” will be green (or removed from the list);
• Interim measure is to analyse existing devices, to identify the surface, and to mitigate the risks.
Global Smart Grid Federation’s Smart Meter Security Survey, August 2016
http://www.globalsmartgridfederation.org/wp-content/uploads/2016/08/smart_meter_security_survey.pdf
http://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf
Cyber Attack Surface Analysis of Advanced Metering Infrastructure
AMI Surface https://arxiv.org/ftp/arxiv/papers/1607/1607.04811.pdf
https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-industrial-control-systems-36277
Proof-of-concept ransomware locks up the PLCs that control power plants
http://www.cap.gatech.edu/plcransomware.pdf
Case Study 2 – Process and Tool Adoption- toward
a secure and resilient power distribution grid
Background
The tight interaction of the control applications with communication networks and
physical components, such as sensors and actuators in a complex cyber-physical system,
is of paramount importance in order to assure that the system can be introduced in a
working environment and can provide a certain level of security with respect to new risks
deriving from new components, tools and processes.
In this respect more work has to be done to establish, well before adoption, how
“secure” a system is with respect to the already existing and established operations, and
whether a change in operations can impact the security of the system.
Source: http://ieeexplore.ieee.org/document/7778800/
Case Study 2 – Process and Tool Adoption- toward
a secure and resilient power distribution grid (continued)
Analysis
In the DERs, local controls are able to keep grid voltage within a certain range. Additional central
controllers may implement high-level objectives such as loss minimization or minimum generator
shedding.
While most of the systems are robust enough to overcome issues such as a weak communication
channel, there is no assurance that they are not vulnerable to cyber-attacks.
In this context we have to consider that technical protection measures can be of two kinds:
• ICT Security Measures (e.g. Firewall, IDP, Authentication)
• System/control-theoretic measures (e.g. model-based attack/fault detection and isolation, robust
control strategies that maintain closed-loop stability and performance guarantees)
Several recommendations are already in place.
Attacks span Data Integrity, DoS (Denial of Service) and Delay Attacks.
Findings
• A workbench to assure and test that all possible technical measures are taken into
consideration is still needed, but a comprehensive tool is not available.
• This must be part of the tasks of a control engineer when developing similar
systems, who needs to apply a more holistic approach to the engineering phase of
similar tools.
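The system/control-theoretic kind of measure named above (model-based detection), sketched as an added example that is not part of the original slides: a predictor for a bus-voltage deviation under local control, a CUSUM test on the residual, and a gap counter for lost telemetry. The first-order model, its parameters, the thresholds, the setpoint profile and all measurements are assumptions constructed for illustration.

```python
import math

# Assumed first-order model of a bus-voltage deviation (p.u.) under local control:
#   x[k+1] = A*x[k] + B*u[k], where u is the setpoint change known to the controller.
A, B = 0.8, 0.2
DRIFT = 0.002      # residual magnitude tolerated as sensor noise (p.u.)
THRESHOLD = 0.01   # CUSUM alarm level (p.u.)
MAX_GAP = 3        # consecutive missing samples treated as loss of telemetry


def setpoint(k):
    """Constructed setpoint profile: two step changes so the voltage moves."""
    if k < 20:
        return 0.0
    return 0.03 if k < 40 else -0.02


def simulate(n=60):
    """Return (true states, untampered measurements) for n samples."""
    x, states, meas = 0.0, [], []
    for k in range(n):
        states.append(x)
        # Bounded deterministic stand-in for sensor noise (|noise| <= 0.001).
        meas.append(x + 0.001 * math.sin(1.7 * k))
        x = A * x + B * setpoint(k)
    return states, meas


def tamper(meas, kind, start, bias=0.01, delay=5, length=5):
    """Build constructed test data for the three attack classes on the slide."""
    out = list(meas)
    for k in range(start, len(out)):
        if kind == "integrity":        # constant offset added to each reading
            out[k] = meas[k] + bias
        elif kind == "delay":          # stale reading delivered `delay` steps late
            out[k] = meas[k - delay]
        elif kind == "dos" and k < start + length:
            out[k] = None              # sample never arrives
    return out


def detect(meas):
    """Return (alarm_type, sample_index) for the first alarm, or None."""
    x_hat, cusum, gap = 0.0, 0.0, 0
    for k, y in enumerate(meas):
        if y is None:
            gap += 1
            if gap >= MAX_GAP:
                return ("telemetry_gap", k)
        else:
            gap = 0
            # Residual between the measurement and the model prediction;
            # CUSUM accumulates only the part that exceeds the noise allowance.
            cusum = max(0.0, cusum + abs(y - x_hat) - DRIFT)
            if cusum > THRESHOLD:
                return ("model_mismatch", k)
        # Open-loop prediction from the known input (valid for a stable plant).
        x_hat = A * x_hat + B * setpoint(k)
    return None


if __name__ == "__main__":
    _, clean = simulate()
    print("clean    ", detect(clean))
    print("integrity", detect(tamper(clean, "integrity", 30)))
    print("delay    ", detect(tamper(clean, "delay", 15)))
    print("dos      ", detect(tamper(clean, "dos", 45)))
```

The delay case raises an alarm only once the setpoint step at sample 20 makes the voltage move: a stale reading of a steady signal looks like a fresh one, which is why such a detector complements, rather than replaces, the ICT measures.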
Case Study 2 – Process and Tool Adoption- toward
a secure and resilient power distribution grid (continued)
Counter-measures
• Security by design is the first advice.
• ICT Measures and control theoretic protection measures have to work together to
properly address risks which may be hidden to a preliminary analysis.
• Should be a “mantra” for the procurement of new equipment.
• Same analysis must be performed when an interconnected ICT or control
theoretic protection measure is affected by any change.
Case Study 3 – Ransomware / Wipers for
Industrial Control Systems
Background
Georgia Institute of Technology released an academic paper on use of a cross-vendor
Ransomware worm working on Programmable Logic Controllers (PLCs).
Due to weak authentication, an attacker is able to lock out an administrator and install
a logic bomb.
Conficker and Stuxnet used MS08-067. It is not impossible that a virus for ICS will use
MS17-010 as WannaCry/WannaCrypt did. In this case we may face safety/critical
shutdown, or worse.
“US-CERT released the following documents that contain in-depth technical analysis on
the Petya malware, as well as indicators of compromise and additional
recommendations for mitigation….. The following product vendors have proactively
issued notifications with recommendations for users regarding the Petya ransomware
(ICS-CERT will update the list of vendors that have released customer notifications as
additional information becomes available):”
Source: http://www.cap.gatech.edu/plcransomware.pdf
http://iiot-world.com/cybersecurity/the-impact-of-wannacry-on-industrial-control-systems-ics/
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C
Case Study 3 – Ransomware / Wipers for
Industrial Control Systems (continued)
Analysis
Ransomware (including WannaCry, used in 2017) is a typical extortion crime against a
company, rather than against a (more common) population of potential targets.
• To implement a similar attack in practice, an attacker would still need to use a “Trojan horse”
to inject the Ransomware.
• The Georgia Institute of Technology paper describes the side effects: profit, which in
normal circumstances would be Population*Value-Cost, in this case will be difficult
to estimate. In Smart Grids, where data are imperative to continue business, the
damage may be huge, and the restoration may be difficult if not properly addressed
in existing procedure at any level of the company.
• Collateral damages may include downtime, Equipment Health, Human Safety.
• The negotiation phase may be particularly lengthy as the financial values may be
extremely high and the legal consequences may be extremely severe for the
company, in case it would be found guilty.
NotPetya (used in 2017) combined several capabilities in a single worm that can
shut down operating systems and “wipe” away information in databases.
Case Study 3 – Ransomware / Wipers for
Industrial Control Systems (continued)
Counter-measures
• End-point security
• Network security (including backups of all configurations)
• Adoption of proper policies, including software updates
• Proper selection and management of contractors, and proper hand-over if your ITs
and OTs are managed by a Third Party
• Safeguards to protect information assets related to IT and OT equipment
• Strict control on change management and supply chain
• Isolate or protect vulnerable embedded systems that cannot be patched from
potential network exploitation
• Locate control system networks and devices behind firewalls, and isolate them from
the business network
• Engagement with regional / national defence agencies
Cybersecurity Professionals
Basic Skills
• Sound knowledge of IT and OT;
• In depth knowledge of the Security Domains (including physical security);
• Being able to analyse emerging threats in complex and interconnected infrastructures with limited
or partial inputs, and without being able to stop operations;
• Both high level and low level knowledge (processes and protocols).
Possible certifications
• Several in the field of cyber security (e.g. CISSP, CEH, others at different levels);
• Smart Grid Maturity Model Navigator is an example of a good start for field-specific
certifications (http://www.sei.cmu.edu/training/P109.cfm)
Advantages of certification
• Baseline on knowledge for network operators recognised and accepted by all;
• Trust among operators and their own staff;
• As in aviation, rules in case of crises are known and common to all the community;
• Staff can be recognised as part of a community system.
For the future
If we certify equipment which can operate on smart grids, why not certify people?
A schema has to be developed. To make fast progress, there is a need for:
o Training
o Awareness campaigns in the sector
o Extensive cooperation to identify core skills and methods
Professionals
Regulatory and Legal Constraints in European Union
• Smart Grids may be based on Best Available Techniques and BREF (BAT Reference Document); this depends very much on the regulation; right now it is just a recommendation
• Nation States, such as Germany and France, have very stringent requirements (Catalogue of IT security requirements under section 11(1a) of the Energy Act)
Regulatory Constraints
Electricity and gas network operators are required to implement a minimum level
of IT security. The core requirement is the establishment of an information
security management system (ISMS) with certification to DIN ISO/IEC 27001 by
31 January 2018.
https://www.bundesnetzagentur.de/EN/Areas/Energy/Companies/SecurityOfSupply/ITSecurity/ITSecurity_node.html
Regulatory and Legal Constraints in European Union (continued)
• GDPR will be applicable as from 25 May 2018 – It is already having an impact on Smart Grid decisions (e.g. Time of retrieval of the information from Smart Meters)
• There is a general need to coordinate National Efforts and European Efforts
• When dealing with Standards, International efforts are needed to make sure that standards and/or local legislations will not collide, jeopardising the efforts of the communities producing standards and of the international communities regulating the cyberspace (having a standard which issues technical rules but doesn’t take into consideration GDPR or NIS Directive may be counterproductive)
Regulatory and Legal Constraints in United States
• Regulatory and legal constraints of architecting smart grids in a secure way
• Bulk Electric System at a Federal level (1) vs. distribution controlled by U.S. States/Territories (56)
Measures of Success for Cybersecurity for Smart Grids
• Smart Grids that are secure, reliable and protect customer data and information require:
– Engagement with National and International Authorities that can play an important role in regulating, enforcing, monitoring and protecting the grids from emerging risks.
– Effective response plans to recover from cyber incidents or attacks are completed and understood
Conclusions
• Smart Grids will grow in size and achieve higher levels of efficiency through
the adoption of new intelligent devices (including Internet of Things, and use of
the Cloud)
• Cyber threats will continue
• Technical risk management work has to be done
– Efficient methods and processes needed to speed up the mitigation of all
cybersecurity challenges, using appropriate standards and best practices, using an
iterative approach to improvement
– Understand the issues and the full risk landscape (use Computer Security Incident
Response Teams and the implementation of European NIS Directive)
– Operators should think about Maturity Models to evaluate the status of their
cybersecurity preparedness.
• Cooperation needed between institutional, regulatory, research, and market
actors—both nationally and internationally
– Report when things do not work as expected
• Cybersecurity for energy is an essential investment for the future of our civil
society
– Cybersecurity for energy has to be addressed in the short, medium, and long term
– We have a chance to mitigate risks through the adoption of proper actions
Security is your responsibility
Questions & Comments
Contacts:
Cyril Draffin
Email: draffin@alum.mit.edu
Stefano Bracco
Email: Stefano.BRACCO@acer.europa.eu
David Batz
Email: dbatz@eei.org
Cyril W. Draffin, Jr.
MIT Energy Initiative, E19-307
77 Massachusetts Avenue
Cambridge, Massachusetts, 02139-4307, USA
Stefano Bracco
Agency for the Cooperation of Energy Regulators
Trg Republike, 3 - TR3 12/20
SI-1000 – Ljubljana, Slovenia
David Batz
Edison Electric Institute
701 Pennsylvania Avenue, NW
Washington, DC , 20004-2696, USA
ISGAN Academy coordination:
Institute for Research in Technology
Comillas Pontifical University
Santa Cruz de Marcenado 26
28015 Madrid, Spain
This recorded cybersecurity webinar and previous webinars are available at ISGAN Academy platform:
http://www.leonardo-energy.org/resources/1070/isgan-academy-58ec8d2e7b9b0
ISGAN Academy Webinars
• Jeju Island Smart Grid Project (in Korea)
• Reference Network Models (tools for large scale distribution
network planning)
• TSO Reliability Management: a probabilistic approach for better
balance between reliability & costs (GARPUR project, Europe)
• Integration of RES in power systems: transmission networks
issues (Renewable Energy Sources)
• Cybersecurity for Smart Grids: Vulnerabilities and Strategies
to Provide Cybersecurity
(1st Cybersecurity Webinar; 28 June 2017)
Critical Information Infrastructure Systems WorldwideAngela Hays
 
TSSG Security research unit May11_zdooly
TSSG Security research unit May11_zdoolyTSSG Security research unit May11_zdooly
TSSG Security research unit May11_zdoolyzdooly
 
SMART GRID BY BITAN DAS
SMART GRID BY BITAN DASSMART GRID BY BITAN DAS
SMART GRID BY BITAN DASBitan Das
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Miguel A. Amutio
 
Tralli
TralliTralli
TralliNASAPMC
 
Helping Utilities with Cybersecurity Preparedness: The C2M2
Helping Utilities with Cybersecurity Preparedness: The C2M2Helping Utilities with Cybersecurity Preparedness: The C2M2
Helping Utilities with Cybersecurity Preparedness: The C2M2Smart Grid Interoperability Panel
 
Cloud computing_LKYSPP GSP 2019
Cloud computing_LKYSPP GSP 2019Cloud computing_LKYSPP GSP 2019
Cloud computing_LKYSPP GSP 2019Jenny Jenish kyzy
 

Semelhante a Cybersecurity for Smart Grids: Technical Approaches to Provide Cybersecurity (20)

OEB Cyber Security Framework
OEB Cyber Security FrameworkOEB Cyber Security Framework
OEB Cyber Security Framework
 
T063500000200201 ppte
T063500000200201 ppteT063500000200201 ppte
T063500000200201 ppte
 
SmartGrid System Report
SmartGrid System ReportSmartGrid System Report
SmartGrid System Report
 
Microgrid Testbed at a Glance
Microgrid Testbed at a GlanceMicrogrid Testbed at a Glance
Microgrid Testbed at a Glance
 
Show and Tell - Data and Digitalisation, Digital Twins.pdf
Show and Tell - Data and Digitalisation, Digital Twins.pdfShow and Tell - Data and Digitalisation, Digital Twins.pdf
Show and Tell - Data and Digitalisation, Digital Twins.pdf
 
Allen hefner presentation
Allen hefner presentationAllen hefner presentation
Allen hefner presentation
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
V-ELEC 12 Redes Inteligentes en la Region LAC, vision 2030
V-ELEC 12 Redes Inteligentes en la Region LAC, vision 2030V-ELEC 12 Redes Inteligentes en la Region LAC, vision 2030
V-ELEC 12 Redes Inteligentes en la Region LAC, vision 2030
 
Dr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational Awareness
 
NIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesNIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric Utilities
 
BUILDING SMART, RESILIENT CYBER-SECURE MICROGRIDS
BUILDING SMART, RESILIENT CYBER-SECURE MICROGRIDSBUILDING SMART, RESILIENT CYBER-SECURE MICROGRIDS
BUILDING SMART, RESILIENT CYBER-SECURE MICROGRIDS
 
2018 10-distribution automation-trends-andchallenges
2018 10-distribution automation-trends-andchallenges2018 10-distribution automation-trends-andchallenges
2018 10-distribution automation-trends-andchallenges
 
Creating a Step Change in Cyber Security | ISCF DSbD Business-led Demonstrato...
Creating a Step Change in Cyber Security | ISCF DSbD Business-led Demonstrato...Creating a Step Change in Cyber Security | ISCF DSbD Business-led Demonstrato...
Creating a Step Change in Cyber Security | ISCF DSbD Business-led Demonstrato...
 
Critical Information Infrastructure Systems Worldwide
Critical Information Infrastructure Systems WorldwideCritical Information Infrastructure Systems Worldwide
Critical Information Infrastructure Systems Worldwide
 
TSSG Security research unit May11_zdooly
TSSG Security research unit May11_zdoolyTSSG Security research unit May11_zdooly
TSSG Security research unit May11_zdooly
 
SMART GRID BY BITAN DAS
SMART GRID BY BITAN DASSMART GRID BY BITAN DAS
SMART GRID BY BITAN DAS
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
Tralli
TralliTralli
Tralli
 
Helping Utilities with Cybersecurity Preparedness: The C2M2
Helping Utilities with Cybersecurity Preparedness: The C2M2Helping Utilities with Cybersecurity Preparedness: The C2M2
Helping Utilities with Cybersecurity Preparedness: The C2M2
 
Cloud computing_LKYSPP GSP 2019
Cloud computing_LKYSPP GSP 2019Cloud computing_LKYSPP GSP 2019
Cloud computing_LKYSPP GSP 2019
 

Mais de Leonardo ENERGY

A new generation of instruments and tools to monitor buildings performance
A new generation of instruments and tools to monitor buildings performanceA new generation of instruments and tools to monitor buildings performance
A new generation of instruments and tools to monitor buildings performanceLeonardo ENERGY
 
Addressing the Energy Efficiency First Principle in a National Energy and Cli...
Addressing the Energy Efficiency First Principle in a National Energy and Cli...Addressing the Energy Efficiency First Principle in a National Energy and Cli...
Addressing the Energy Efficiency First Principle in a National Energy and Cli...Leonardo ENERGY
 
Auctions for energy efficiency and the experience of renewables
 Auctions for energy efficiency and the experience of renewables Auctions for energy efficiency and the experience of renewables
Auctions for energy efficiency and the experience of renewablesLeonardo ENERGY
 
Energy efficiency first – retrofitting the building stock final
Energy efficiency first – retrofitting the building stock finalEnergy efficiency first – retrofitting the building stock final
Energy efficiency first – retrofitting the building stock finalLeonardo ENERGY
 
How auction design affects the financing of renewable energy projects
How auction design affects the financing of renewable energy projects How auction design affects the financing of renewable energy projects
How auction design affects the financing of renewable energy projects Leonardo ENERGY
 
Energy Efficiency Funds in Europe (updated)
Energy Efficiency Funds in Europe (updated)Energy Efficiency Funds in Europe (updated)
Energy Efficiency Funds in Europe (updated)Leonardo ENERGY
 
Energy Efficiency Funds in Europe
Energy Efficiency Funds in EuropeEnergy Efficiency Funds in Europe
Energy Efficiency Funds in EuropeLeonardo ENERGY
 
Five actions fit for 55: streamlining energy savings calculations
Five actions fit for 55: streamlining energy savings calculationsFive actions fit for 55: streamlining energy savings calculations
Five actions fit for 55: streamlining energy savings calculationsLeonardo ENERGY
 
Recent energy efficiency trends in the EU
Recent energy efficiency trends in the EURecent energy efficiency trends in the EU
Recent energy efficiency trends in the EULeonardo ENERGY
 
Energy and mobility poverty: Will the Social Climate Fund be enough to delive...
Energy and mobility poverty: Will the Social Climate Fund be enough to delive...Energy and mobility poverty: Will the Social Climate Fund be enough to delive...
Energy and mobility poverty: Will the Social Climate Fund be enough to delive...Leonardo ENERGY
 
Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?
Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?
Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?Leonardo ENERGY
 
Energy efficiency, structural change and energy savings in the manufacturing ...
Energy efficiency, structural change and energy savings in the manufacturing ...Energy efficiency, structural change and energy savings in the manufacturing ...
Energy efficiency, structural change and energy savings in the manufacturing ...Leonardo ENERGY
 
Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)
Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)
Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)Leonardo ENERGY
 
The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...
The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...
The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...Leonardo ENERGY
 
Modelling and optimisation of electric motors with hairpin windings
Modelling and optimisation of electric motors with hairpin windingsModelling and optimisation of electric motors with hairpin windings
Modelling and optimisation of electric motors with hairpin windingsLeonardo ENERGY
 
Casting zero porosity rotors
Casting zero porosity rotorsCasting zero porosity rotors
Casting zero porosity rotorsLeonardo ENERGY
 
Direct coil cooling through hollow wire
Direct coil cooling through hollow wireDirect coil cooling through hollow wire
Direct coil cooling through hollow wireLeonardo ENERGY
 
Motor renovation - Potential savings and views from various EU Member States
Motor renovation - Potential savings and views from various EU Member StatesMotor renovation - Potential savings and views from various EU Member States
Motor renovation - Potential savings and views from various EU Member StatesLeonardo ENERGY
 
The need for an updated European Motor Study - key findings from the 2021 US...
The need for  an updated European Motor Study - key findings from the 2021 US...The need for  an updated European Motor Study - key findings from the 2021 US...
The need for an updated European Motor Study - key findings from the 2021 US...Leonardo ENERGY
 
Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...
Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...
Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...Leonardo ENERGY
 

Mais de Leonardo ENERGY (20)

A new generation of instruments and tools to monitor buildings performance
A new generation of instruments and tools to monitor buildings performanceA new generation of instruments and tools to monitor buildings performance
A new generation of instruments and tools to monitor buildings performance
 
Addressing the Energy Efficiency First Principle in a National Energy and Cli...
Addressing the Energy Efficiency First Principle in a National Energy and Cli...Addressing the Energy Efficiency First Principle in a National Energy and Cli...
Addressing the Energy Efficiency First Principle in a National Energy and Cli...
 
Auctions for energy efficiency and the experience of renewables
 Auctions for energy efficiency and the experience of renewables Auctions for energy efficiency and the experience of renewables
Auctions for energy efficiency and the experience of renewables
 
Energy efficiency first – retrofitting the building stock final
Energy efficiency first – retrofitting the building stock finalEnergy efficiency first – retrofitting the building stock final
Energy efficiency first – retrofitting the building stock final
 
How auction design affects the financing of renewable energy projects
How auction design affects the financing of renewable energy projects How auction design affects the financing of renewable energy projects
How auction design affects the financing of renewable energy projects
 
Energy Efficiency Funds in Europe (updated)
Energy Efficiency Funds in Europe (updated)Energy Efficiency Funds in Europe (updated)
Energy Efficiency Funds in Europe (updated)
 
Energy Efficiency Funds in Europe
Energy Efficiency Funds in EuropeEnergy Efficiency Funds in Europe
Energy Efficiency Funds in Europe
 
Five actions fit for 55: streamlining energy savings calculations
Five actions fit for 55: streamlining energy savings calculationsFive actions fit for 55: streamlining energy savings calculations
Five actions fit for 55: streamlining energy savings calculations
 
Recent energy efficiency trends in the EU
Recent energy efficiency trends in the EURecent energy efficiency trends in the EU
Recent energy efficiency trends in the EU
 
Energy and mobility poverty: Will the Social Climate Fund be enough to delive...
Energy and mobility poverty: Will the Social Climate Fund be enough to delive...Energy and mobility poverty: Will the Social Climate Fund be enough to delive...
Energy and mobility poverty: Will the Social Climate Fund be enough to delive...
 
Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?
Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?
Does the EU Emission Trading Scheme ETS Promote Energy Efficiency?
 
Energy efficiency, structural change and energy savings in the manufacturing ...
Energy efficiency, structural change and energy savings in the manufacturing ...Energy efficiency, structural change and energy savings in the manufacturing ...
Energy efficiency, structural change and energy savings in the manufacturing ...
 
Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)
Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)
Energy Sufficiency Indicators and Policies (Lea Gynther, Motiva)
 
The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...
The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...
The Super-efficient Equipment and Appliance Deployment (SEAD) Initiative Prod...
 
Modelling and optimisation of electric motors with hairpin windings
Modelling and optimisation of electric motors with hairpin windingsModelling and optimisation of electric motors with hairpin windings
Modelling and optimisation of electric motors with hairpin windings
 
Casting zero porosity rotors
Casting zero porosity rotorsCasting zero porosity rotors
Casting zero porosity rotors
 
Direct coil cooling through hollow wire
Direct coil cooling through hollow wireDirect coil cooling through hollow wire
Direct coil cooling through hollow wire
 
Motor renovation - Potential savings and views from various EU Member States
Motor renovation - Potential savings and views from various EU Member StatesMotor renovation - Potential savings and views from various EU Member States
Motor renovation - Potential savings and views from various EU Member States
 
The need for an updated European Motor Study - key findings from the 2021 US...
The need for  an updated European Motor Study - key findings from the 2021 US...The need for  an updated European Motor Study - key findings from the 2021 US...
The need for an updated European Motor Study - key findings from the 2021 US...
 
Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...
Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...
Efficient motor systems for a Net Zero world, by Conrad U. Brunner - Impact E...
 

Último

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Último (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Cybersecurity for Smart Grids: Technical Approaches to Provide Cybersecurity

  • 1. Cybersecurity for Smart Grids: Technical Approaches to Improve Cybersecurity. Presentation by Cyril W. Draffin, Jr. (Project Advisor, MIT Energy Initiative), Stefano Bracco (Knowledge Manager, Agency for the Cooperation of Energy Regulators) and David Batz (Security and Business Continuity, Edison Electric Institute). International Energy Agency’s International Smart Grid Action Network (ISGAN) Academy – 2nd Cybersecurity Webinar, 11 September 2017.
  • 2. ISGAN in a nutshell. International Smart Grid Action Network TCP (ISGAN): ‘Strategic platform to support high-level government attention and action for the accelerated development and deployment of smarter, cleaner electricity grids around the world’
      • An initiative of the Clean Energy Ministerial (CEM)
      • Organized as the Implementing Agreement for a Co-Operative Programme on Smart Grids (ISGAN)
    The CEM is the only multilateral forum dedicated exclusively to the advancement of clean energy technologies and related policies. ISGAN is the only global government-to-government forum on smart grids.
  • 3. Geography of ISGAN (map labels): Swedish Energy Agency; Commonwealth Scientific and Industrial Research Organization; Government of Canada; Norwegian Ministry of Petroleum and Energy; New Energy and Industrial Technology Development Organization (NEDO); Sustainable Energy Authority of Ireland; Government of Belgium; Forschungszentrum Jülich GmbH; Government of the Netherlands, Ministry of Economic Affairs, Agriculture and Innovation; Union Fenosa Distribucion; Government of Austria; Government of France; Swiss Federal Office of Energy; Government of Korea; European Commission; South African National Energy Development Institute; Energy Market Authority, Singapore; Government of India MOP, NSGM, POWER GRID, CPRI; Government of Mexico; U.S. Department of Energy; Ricerca sul Sistema Energetico (RSE S.p.A.); Ministry of Science and Technology, Department of High and New Technology Development and Industrialization; Russian Energy Agency; Tekes (Finnish Funding Agency for Technology and Innovation); Danish Energy Agency. Contracting Parties: 25. Invited: Malaysia. Expression of Interest: UAE.
  • 4. Activities of ISGAN. For more information, please visit ISGAN: www.iea-isgan.org
  • 5. Topics for Cybersecurity for Smart Grids Webinar #2: Technical Approaches to Improve Cybersecurity
      1. Cybersecurity Challenges
      2. Cybersecurity Approach and Best Practices
      3. Case Studies
      4. Cyber Professionals
      5. Regulatory and Legal Constraints of architecting smart grids in a secure way
      6. Measures of Success
      7. Conclusions
  • 6. Electricity Market Challenges affecting Cybersecurity (Cybersecurity Challenges): Market and Technology
      • Smart Grid and digital evolution
      • Highly inter-connected platforms with a number of actuators and sensors (with wide geographical area)
      • Decision-making delegated to machines (Distributed Control Systems)
      • New intelligent control devices which have to cooperate with old control devices (which are not easy to replace)
      • Changing business models with more actors involved
      • Distributed Energy Resources, with renewable resources that have intermittent behaviour, with multiple ownerships and cybersecurity practices
      • Demand changes, dynamic pricing and need for inclusion of new actors (for example “prosumers” and aggregators) with impact on electricity systems
  • 7. Management Challenges affecting Cybersecurity (Cybersecurity Challenges): Management
      • Evolving cyber threats
      • Hacking groups trying to find vulnerabilities embedded in the existing security measures, and seeking undiscovered vulnerabilities of control systems
      • Potential role of nation states
      • Potential national or cross-border impact of attacks and incidents, related to the “weakest link problem”
      • Existing governance versus best practices
      • Agility is important: it is impossible to predict what will happen
      • Forensics methods and technologies (applicable to standard IT systems and their security measures) may not work as well on Operational systems
      • How much cybersecurity expenditure is sufficient? (cost of cybersecurity)
  • 8. Cybersecurity Approaches
      • Threat and risk management system
          - Pursue a harmonized, structured and comprehensive way to identify operators of essential services for the energy sector at regional level
          - Structured risk analysis and risk treatment plan specific for the highly interdependent European and US energy sectors
          - Cyber security maturity framework
          - Regional cooperation on cyber security topics
          - Control and secure disclosure of vulnerabilities and incidents affecting the energy sector in its crucial role
      • Effective cyber response framework
          - Define and implement a cyber response and coordination framework
          - Implement and strengthen regional cooperation for efficient handling of cyber emergencies when energy is involved and affected
          - Improve cyber resilience in the energy sector
      • Build-up adequate capacity and competences
          - Build competences
          - Provide knowledge, including frameworks and best practices
          - Promote research
  • 9. A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline. It provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement. When a model is widely used in a particular industry (and assessment results are shared), organizations can benchmark their performance against other organizations. An industry can determine how well it is performing overall by examining the capability of its member organizations. Maturity Model Cybersecurity Approaches 9
  • 10. 10 Domains In Maturity Model: Logical grouping of cybersecurity practices • Risk Management • Asset, Change, and Configuration Management • Identity and Access Management • Threat and Vulnerability Management • Situational Awareness • Information Sharing and Communications • Event and Incident Response, Continuity of Operations • Supply Chain and External Dependencies Management • Workforce Management • Cybersecurity Program Management Cybersecurity Approaches 10
  • 11. Information Technology and Operations Technology Systems Cybersecurity Approaches 11 Information Technology: 1. Confidentiality (most important) 2. Integrity 3. Availability versus Operations Technology: 1. Availability (most important) 2. Integrity 3. Confidentiality
  • 12. How the European Commission Clean Energy Package acknowledges Cybersecurity • The legislative proposals put emphasis on smarter and more efficient management of the grid, by using digital technologies and the flexibility of consumers and their electrical appliances • Innovation is at the core of the package, from renewable energy legislation, to energy efficiency and the new market design proposals • The package acknowledges the importance of cyber security for the energy sector, and the need to duly assess cyber-risks and their possible impact on the security of supply. • It proposes the adoption of measures to prevent and mitigate the risks identified as well as the adaption of technical rules for electricity (i.e. a Network Code) on cyber-security. 12 Cybersecurity Approaches
  • 13. Energy Expert Cyber Security Platform (EECSP)- Expert Group 13 10 cyber security challenges in the energy sector (reference: EECSP Report) Electricity Oil Gas Nuclear 1 Grid stability in a cross-border interconnected energy network. x x x 2 Protection concepts reflecting current threats and risks. x x x x 3 Handling of cyber-attacks within the EU. x x x x 4 Effects by cyber-attacks not fully considered in the design rules of an existing power grid or nuclear facility x x 5 Introduction of new highly interconnected technologies and services. x x 6 Outsourcing of infrastructures and services. x x x 7 Integrity of components used in energy systems. x x x 8 Increased interdependency among market players. x 9 Availability of resources and their competences. x x x x 10 Constraints imposed by cyber security measures in contrast to real-time/availability requirements. x x x Cybersecurity Approaches
  • 14. Present Coverage In European Union Regulation 14 Strategy and Legislation Strategy papers • EU Cyber Security Strategy • Digital Single Market Strategy • 50 national cyber security strategies Legislation with focus on cyber security for critical infrastructure providers • Network and Information Security (NIS) Directive • European Programme for Critical Infrastructure Protection (EPCIP) Directive • Contractual Public-Private Partnership Legislation with focus on security of supply • Security of Supply (SoS) Directive • Security of Gas Supply Regulation Legislation with focus on data protection and privacy • General Data Protection Regulation (GDPR) • Data Protection Impact Assessment (DPIA) Template Cybersecurity Approaches
  • 15. Strategic Priorities (European perspective) 15 Strategic Priorities Strategic Areas Areas of Actions I Set-up an effective threat and risk management system European threat and risk landscape and treatment 1. Identification of provider of essential services for the energy sector at EU level. 2. Risk analysis and treatment. 3. Framework of rules for a regional cooperation. 4. EU framework for vulnerabilities disclosure for the energy sector. Identification of provider of essential services Best practice and information exchange Foster international collaboration II Set-up an effective cyber defence framework Cyber response framework 5. Define and implement cyber response framework and coordination. 6. Implement and strengthen the regional cooperation for emergency handling Crisis management III Continuously improve cyber resilience European cyber security maturity framework 7. Establish a European cyber security maturity framework for energy. 8. Establish a cPPP for supply chain integrity 9. Foster European and international collaboration Supply chain integrity framework for components Best practice and information exchange Awareness campaign from top level EU institutions IV Build-up the required capacity and competences Capacity & competence build-up 10. Capacity and competence build-up. Cybersecurity Approaches
  • 16. Core European documents under review in 2017-2018 • EU Cyber Security Strategy is under review • German EU Strategy and others were reviewed in 2016 • Other strategies expected as a result of the NIS (Network and Information Security) Directive 16 Cybersecurity Approaches
  • 17. Best Practices • No comprehensive best practices, but: – Big TSOs and DSOs are already applying existing standards that may be helpful (e.g. ISO 27000 Series and NERC CIP) – BSI is a reference in Germany (https://www.bsi.bund.de) – ANSSI (The French CIIP Framework - https://www.ssi.gouv.fr/en/cybersecurity-in-france/ciip-in-france/) in France with two different approaches – ENISA is working hard at EU Level with a number of publications every year: most of them provide recommendations and analysis at EU Level, and are complemented by the work done by DG ENERGY and DG JRC of the European Commission. 17 Cybersecurity Approaches
  • 18. Case Study 1 – Advanced Metering Infrastructure Background The Advanced Metering Infrastructure (AMI) is now being rapidly deployed throughout the power grid, and is an enabling technology for smart grid. Identifying the attack surface is a necessary step in achieving cyber security in smart grids and AMI. Source: https://arxiv.org/ftp/arxiv/papers/1607/1607.04811.pdf Analysis An attacker may target an AMI in several ways, which may result in several different risks for the operator involved. Main potential objectives for such an attack: • Intelligence gathering; • Infecting the target AMI systems; • AMI exploitation (use for profit); • AMI exfiltration (transfer of data); • Maintaining control of this capability in the short, medium and long run. Needed definition: the cyber attack surface can be defined as the methods by which an adversary can attack an environment or a system to introduce or retrieve data from that environment or system. Case Studies 18
  • 19. Case Study 1 – Advanced Metering Infrastructure (continued) Analysis  Surface is composed of:  Smart Meters  IR Port  Internal Link  Firmware  Micro Controller  Radio  AMI Information and Communication Network  Smart Meter Data Collector – SMDCs  Similar to Smart Meters  AMI-Head End  Interface with the Utility Infrastructure  Outage Management Systems (Restoration capability)  Energy Management System (Dispatch and monitoring)  Master Data Management Systems  Corporate WAN  Protocols and Software  Weak Encryption keys  Smart Energy Profile 2.0  KillerBee to hack AMI  Many attacks possible on 3G/4G/LTE Case Studies 19
  • 20. Case Study 1 – Advanced Metering Infrastructure (continued) Possible Counter-measures • Create closed and proprietary security solutions; • Use Open Standards and architect things in a way that “red points” will be green (or removed from the list); • Interim measure is to analyse existing devices, to identify the surface, and to mitigate the risks. Global Smart Grid Federation’s Smart Meter Security Survey, August 2016 http://www.globalsmartgridfederation.org/wp-content/uploads/2016/08/smart_meter_security_survey.pdf http://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf Cyber Attack Surface Analysis of Advanced Metering Infrastructure AMI Surface https://arxiv.org/ftp/arxiv/papers/1607/1607.04811.pdf https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-industrial-control-systems-36277 Proof-of-concept ransomware locks up the PLCs that control power plants http://www.cap.gatech.edu/plcransomware.pdf Case Studies 20
  • 21. Case Study 2 – Process and Tool Adoption- toward a secure and resilient power distribution grid Background The tight interaction of the control applications with communication networks and physical components, such as sensors and actuators in a complex cyber-physical system, is of paramount importance in order to assure that the system can be introduced in a working environment and can provide a certain level of security with respect to new risks deriving from new components, tools and processes. In this respect more work has to be done to establish, well before adoption, how “secure” a system is with respect to the already existing and established operations, and whether a change in operations can impact the security of the system. Source: http://ieeexplore.ieee.org/document/7778800/ Case Studies 21
  • 22. Case Study 2 – Process and Tool Adoption- toward a secure and resilient power distribution grid (continued) Analysis In the DERs, local controls are capable of keeping grid voltage within a certain range. Additional central controllers may implement high-level objectives such as loss minimization or minimum generator shedding. While most of the systems are robust enough to overcome issues such as a weak communication channel, there is no assurance that they are not vulnerable to cyber-attacks. In this context we have to consider that technical protection measures can be of two kinds: • ICT Security Measures (e.g. Firewall, IDP, Authentication) • System/control-theoretic measures (e.g. model-based attack/fault detection and isolation, robust control strategies that maintain closed-loop stability and performance guarantees) Several recommendations are already in place. Attacks span Data Integrity, DoS (Denial of Service) and Delay Attacks. Findings • A workbench to assure and test that all possible technical measures are taken into consideration is still needed, but a comprehensive tool is not available. • This must be part of the tasks of a control engineer when developing similar systems, who needs to apply a more holistic approach to the engineering phase of similar tools. Case Studies 22
  • 23. Case Study 2 – Process and Tool Adoption- toward a secure and resilient power distribution grid (continued) Counter-measures • Security by design is the first advice. • ICT Measures and control theoretic protection measures have to work together to properly address risks which may be hidden to a preliminary analysis. • Should be a “mantra” for the procurement of new equipment. • Same analysis must be performed when an interconnected ICT or control theoretic protection measure is affected by any change. Case Studies 23
  • 24. Case Study 3 – Ransomware / Wipers for Industrial Control Systems Background Georgia Institute of Technology released an academic paper on the use of a cross-vendor Ransomware worm working on Programmable Logic Controllers (PLCs). Due to weak authentication, an attacker is able to lock out an administrator and install a logic bomb. Conficker and Stuxnet used MS08-067. It is not impossible that a virus for ICS will use MS17-010 as WannaCry/WannaCrypt did. In this case we may face safety/critical shutdown, or worse. “US-CERT released the following documents that contain in-depth technical analysis on the Petya malware, as well as indicators of compromise and additional recommendations for mitigation….. The following product vendors have proactively issued notifications with recommendations for users regarding the Petya ransomware (ICS-CERT will update the list of vendors that have released customer notifications as additional information becomes available):” Source: http://www.cap.gatech.edu/plcransomware.pdf http://iiot-world.com/cybersecurity/the-impact-of-wannacry-on-industrial-control-systems-ics/ https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C Case Studies 24
  • 25. Case Study 3 – Ransomware / Wipers for Industrial Control Systems (continued) Analysis Ransomware (including WannaCry used in 2017) is here a typical extortion crime against a company, instead of against a (more common) population of potential targets. • To implement a similar attack in practice, you will still need to use a “Trojan horse” to inject the Ransomware. • The Georgia Institute of Technology paper describes the side effects: profit, which in normal circumstances would be Population*Value-Cost, will in this case be difficult to estimate. In Smart Grids, where data are imperative to continue business, the damage may be huge, and the restoration may be difficult if not properly addressed in existing procedures at every level of the company. • Collateral damages may include downtime, Equipment Health, Human Safety. • The negotiation phase may be particularly lengthy as the financial values may be extremely high and the legal consequences may be extremely severe for the company, in case it would be found guilty. NotPetya (used in 2017) combined several capabilities in a single worm that can shut down operating systems and “wipe” away information in databases. Case Studies 25
  • 26. Case Study 3 – Ransomware / Wipers for Industrial Control Systems (continued) Counter-measures • End-point security • Network security (including backups of all configurations) • Adoption of proper policies, including software updates • Proper selection and management of contractors, and proper hand-over if your ITs and OTs are managed by a Third Party • Safeguards to protect information assets related to IT and OT equipment • Strict control on change management and supply chain • Isolate or protect vulnerable embedded systems that cannot be patched from potential network exploitation • Locate control system networks and devices behind firewalls, and isolate them from the business network • Engagement with regional / national defence agencies Case Studies 26
  • 27. Cybersecurity Professionals Basic Skills • Sound knowledge of IT and OT; • In depth knowledge of the Security Domains (including physical security); • Being able to analyse emerging threats in complex and interconnected infrastructures with limited or partial inputs, and without being able to stop operations; • Both high level and low level knowledge (processes and protocols). Possible certifications • Several in the field of cyber security (e.g. CISSP, CEH, others at different levels); • Smart Grid Maturity Model Navigator is an example of a good start for specific field related certifications (http://www.sei.cmu.edu/training/P109.cfm) Advantages of certification • Baseline of knowledge for network operators recognised and accepted by all; • Trust among operators and their own staff; • As in aviation, rules in case of crises are known and common to all the community; • Staff can be recognised as part of a community system. For the future If we certify equipment which can operate on smart grids, why not certify people? A schema has to be developed. To make fast progress, there is a need for: o Training o Awareness campaigns in the sector o Extensive cooperation to identify core skills and methods Professionals 27
  • 28. Regulatory and Legal Constraints in European Union  Smart Grids may be based on Best Available Techniques and BREF (BAT Reference Document); this depends very much on the regulation; right now it is just a recommendation  Nation States, such as Germany and France, have very stringent requirements (Catalogue of IT security requirements under section 11(1a) of the Energy Act) Regulatory Constraints Electricity and gas network operators are required to implement a minimum level of IT security. The core requirement is the establishment of an information security management system (ISMS) with certification to DIN ISO/IEC 27001 by 31 January 2018. https://www.bundesnetzagentur.de/EN/Areas/Energy/Companies/SecurityOfSupply/ITSecurity/ITSecurity_node.html 28
  • 29. Regulatory and Legal Constraints in European Union (continued)  GDPR will be applicable as from 25 May 2018 – It is already having an impact on Smart Grid decisions (e.g. Time of retrieval of the information from Smart Meters)  There is a general need to coordinate National Efforts and European Efforts  When dealing with Standards, International efforts are needed to make sure that standards and/or local legislations will not collide, jeopardising the efforts of the communities producing standards and of the international communities regulating the cyberspace (having a standard which issues technical rules but doesn’t take into consideration GDPR or NIS Directive may be counterproductive) 29 Regulatory Constraints
  • 30. Regulatory and Legal Constraints in United States  Regulatory and legal constraints of architecting smart grids in a secure way  Bulk Electric System at a Federal level (1) vs. distribution controlled by U.S. States/Territories (56) 30 Regulatory Constraints
  • 31. Measures of Success for Cybersecurity for Smart Grids  Smart Grids that are secure, reliable and protect customer data and information require:  Engagement with National and International Authorities that can play an important role in regulating, enforcing, monitoring and protecting the grids from emerging risks.  Effective response plans to recover from cyber incidents or attacks are completed and understood Measures of Success 31
  • 32. Conclusions • Smart Grids will grow in size and achieve higher levels of efficiency through the adoption of new intelligent devices (including Internet of Things, and use of the Cloud) • Cyber threats will continue • Technical risk management work has to be done – Efficient methods and processes needed to speed up the mitigation of all cybersecurity challenges, using appropriate standards and best practices, using an iterative approach to improvement – Understand the issues and the full risk landscape (use Computer Security Incident Response Teams and the implementation of European NIS Directive) – Operators should think about Maturity Models to evaluate the status of their cybersecurity preparedness. • Cooperation needed between institutional, regulatory, research, and market actors—both nationally and internationally – Report when things do not work as expected • Cybersecurity for energy is an essential investment for the future of our civil society – Cybersecurity for energy has to be addressed in the short, medium, and long term – We have a chance to mitigate risks through the adoption of proper actions Security is your responsibility 32
  • 33. Questions & Comments Contacts: Cyril Draffin Email: draffin@alum.mit.edu Stefano Bracco Email: Stefano.BRACCO@acer.europa.eu David Batz Email: dbatz@eei.org Cyril W. Draffin, Jr. MIT Energy Initiative, E19-307 77 Massachusetts Avenue Cambridge, Massachusetts, 02139-4307, USA Stefano Bracco Agency for the Cooperation of Energy Regulators Trg Republike, 3 - TR3 12/20 SI-1000 – Ljubljana, Slovenia David Batz Edison Electric Institute 701 Pennsylvania Avenue, NW Washington, DC , 20004-2696, USA ISGAN Academy coordination: Institute for Research in Technology Comillas Pontifical University Santa Cruz de Marcenado 26 28015 Madrid, Spain International Energy Agency’s (IEA) International Smart Grid Action Network (ISGAN) Academy – 2nd Cybersecurity Webinar Cybersecurity for Smart Grids: Technical Approaches to Improve Cybersecurity 33
  • 34. 34 This recorded cybersecurity webinar and previous webinars are available at ISGAN Academy platform: http://www.leonardo-energy.org/resources/1070/isgan-academy-58ec8d2e7b9b0 ISGAN Academy Webinars • Jeju Island Smart Grid Project (in Korea) • Reference Network Models (tools for large scale distribution network planning) • TSO Reliability Management: a probabilistic approach for better balance between reliability & costs (GARPUR project, Europe) • Integration of RES in power systems: transmission networks issues (Renewable Energy Sources) • Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybersecurity (1st Cybersecurity Webinar; 28 June 2017)
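Case Study 2 (slides 21 to 23) pairs ICT measures with system/control-theoretic measures such as model-based attack/fault detection, and names data integrity, DoS and delay attacks. The Python block below is an added example, not part of the presentation: it checks one DER voltage channel against a model and raises one alarm per attack class. The first-order voltage model, its parameters, the thresholds, all names and the sample stream are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    seq: int       # sequence number set by the sensor
    t_sent: float  # sensor timestamp (s)
    t_recv: float  # arrival time at the controller (s)
    v_pu: float    # reported bus voltage, per unit

class VoltageMonitor:
    """Checks one DER voltage channel against a first-order model (assumed):
    x[k+1] = a*x[k] + b*u[k], with x = v - v_ref and u the reactive-power command."""

    def __init__(self, a=0.8, b=0.05, gain=0.5, v_ref=1.0,
                 resid_limit=0.02, max_delay=0.5):
        self.a, self.b, self.gain, self.v_ref = a, b, gain, v_ref
        self.resid_limit, self.max_delay = resid_limit, max_delay
        self.x_hat = 0.0       # estimated voltage deviation
        self.last_seq = None   # last sequence number processed

    def check(self, s, commands):
        """Return the alarms raised by sample s; commands[k] is the command
        applied during the step that ends at sample k."""
        if self.last_seq is None:          # first sample initialises the estimate
            self.x_hat, self.last_seq = s.v_pu - self.v_ref, s.seq
            return []
        if s.seq <= self.last_seq:         # stale or replayed sequence number
            return ["integrity"]
        alarms = []
        if s.seq - self.last_seq > 1:      # samples never arrived: loss or DoS
            alarms.append("dos")
        if s.t_recv - s.t_sent > self.max_delay:
            alarms.append("delay")
        # Run the model forward over every step since the last sample,
        # including the missing ones, using the commands the controller issued.
        for k in range(self.last_seq + 1, s.seq + 1):
            self.x_hat = self.a * self.x_hat + self.b * commands[k]
        self.last_seq = s.seq
        residual = (s.v_pu - self.v_ref) - self.x_hat
        if abs(residual) > self.resid_limit:
            alarms.append("integrity")     # reading disagrees with the model
        else:
            self.x_hat += self.gain * residual  # correct only with trusted data
        return alarms

def constructed_stream(n=10, a=0.8, b=0.05, u=-0.1):
    """Constructed test data: honest plant plus three injected faults."""
    commands, samples, x = [u] * n, [], 0.03
    for k in range(n):
        if k > 0:
            x = a * x + b * u
        noise = 0.002 if k % 2 == 0 else -0.002   # small sensor error
        samples.append(Sample(k, float(k), k + 0.1, 1.0 + x + noise))
    samples[3].t_recv = 3 + 1.2                  # delayed delivery
    samples[8].v_pu += 0.05                      # falsified reading
    del samples[5:7]                             # samples 5 and 6 dropped
    return samples, commands

def run_demo():
    samples, commands = constructed_stream()
    monitor = VoltageMonitor()
    return {s.seq: monitor.check(s, commands) for s in samples}

if __name__ == "__main__":
    for seq, alarms in run_demo().items():
        print(seq, alarms or "ok")
```

The residual limit sets the detector's blind spot: a falsified offset smaller than `resid_limit` passes the model check, which is why the slides ask for ICT measures such as authentication to work together with the control-theoretic ones.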