Publications / SAND Report

Cyber Security Gap Analysis for Critical Energy Systems (CSGACES)

Stamp, Jason E.; Quiroz, Jimmy E.; Ellis, Abraham E.

This study describes a cyber security research & development (R&D) gap analysis and research plan to address cyber security for industrial control systems (ICS) supporting critical energy systems (CES). The Sandia National Laboratories (SNL) team addressed a long-term perspective for the R&D planning and gap analysis. Investment will posture CES for sustained and resilient energy operations well into the future.

Acknowledgements

The authors would like to acknowledge the funding and technical support from the Department of Energy Office of Electricity Delivery & Energy Reliability for the development of this report. The authors are very appreciative of the key contributions by other SNL personnel in supporting the analysis, particularly from Jennifer Depoy, Abraham Ellis, Derek Hart, Jordan Henry, John Mulder, and Jennifer Trasti. The authors would also like to thank the following government and non-government organizations for their invaluable input to this study:

Government
Massachusetts Institute of Technology Lincoln Laboratory
Construction Engineering Research Laboratory (CERL)
Idaho National Laboratory
Marine Corps Air Ground Combat Center, Twentynine Palms, California
National Renewable Energy Laboratory
National Institute of Standards and Technology
Pacific Northwest National Laboratory
U.S. Army Corps of Engineers
U.S. Army Cyber Command
U.S. Navy Installations Command

Non-Government
Customized Energy Solutions
Electric Power Research Institute
Enchanted Rock
ICETEC Integrated Energy Solutions
NEC Energy Solutions
OpenADR Alliance
PJM
POWER Engineers
Schweitzer Engineering Laboratory
Southwest Research Institute
Typhoon HIL, Inc.

Executive Summary

This study describes a long-term cyber security R&D plan to address ICS cyber security for CES. Long-term goals for ICS were assumed to be those that would require significant action and R&D to achieve, as opposed to being addressable by applying existing technology and best practices. Long-term R&D would roughly fall into the window of 5-10 years out. Investing in the identified R&D will posture CES for sustained resilient energy operations well into the future.

The gaps were identified using a conventional gap analysis process. The current state of cyber security R&D was surveyed and summarized. Then, the desired future state of ICS cyber security was characterized, in terms of required capabilities for a secure and resilient ICS. Afterward, gaps were identified by comparing the current state of cyber security to the desired end-state. Finally, the gaps were prioritized and paired (where important) with the appropriate communities (industry, vendors, academia, etc.) suitable to address them.

The baseline survey of the existing R&D focused on efforts in government, academia, federally funded research and development centers (FFRDCs), and industry (including vendors). One primary source was existing DOE, Department of Homeland Security (DHS), and Department of Defense (DoD) programs, including Cybersecurity for Energy Delivery Systems (CEDS) and Defense Advanced Research Projects Agency (DARPA). Crucial documents from the National Institute of Standards and Technology (NIST) were also surveyed. On the academic side, the group included work from the Institute for Information Security & Privacy (IISP) and Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) research consortiums. Numerous other smaller efforts were cataloged as well. Overall, the results show significant attention on the cyber security issues faced by ICS, but with a definite tendency toward near-term solutions, and less defined long-term goals, particularly in terms of needed R&D.

The surveyed concepts and goals were used to develop the desired state for long-term ICS cyber security. These were complemented by concepts and frameworks previously used for ICS cyber security. The overall result was the development of a matrix of needed technical capabilities for secure and resilient ICS in the long term. Eighteen cyber security concepts (referred to as "topics" for gap analysis) were identified and sorted according to their positions in the security lifecycle (secure design, reinforced implementation, operation and deployment, or cross-cutting capabilities) and security category (protect, detect, react, or recover). For each topic, a description was provided, as well as other discussion, including a comparison to existing work. The comparisons formed the basis for the gap analysis.

Some security topics, although an essential part of a desired secure ICS state in the future, have significant R&D resources already working to realize the goal. Others, however, are only partially addressed. Besides the severity of the R&D gap, an important consideration is that perfect security is unattainable; therefore, strong security engineering must be complemented with additional security monitoring. The final rankings for long-term R&D, including specific opportunities and challenges, along with suggestions about which group or groups should be targeted for funding opportunities, are in Chapter of the report. Some of the key results include:

1. Trusted monitors, which act as out-of-band security sentinels, and security analytics, which fuse weak indicators to detect security anomalies, have very high priority for R&D. As mentioned previously, no system can be completely trusted (or, given the potential ramifications, even reasonably trusted); therefore, monitoring is essential.

2. Virtualization is a key capability for many aspects of ICS cyber security; potential applications include training environments, pre-deployment change testing, red/blue engagement, evaluating tactics-techniques-procedures (TTPs), and others. Virtualization capability would be greatly enhanced with better support for ICS field devices (like relays, programmable logic controllers, etc.) and automated model generation from design or operational system information.

3. Field devices have unique cyber security issues, and are critical to cyber risk given their application: straddling the cyber/physical domains. Addressing these issues in an organized fashion (including their virtualization) is a priority R&D gap. This is also an example where industry (particularly vendors) must complement other R&D organizations.