Cybersecurity Procurement Language for Energy Delivery Systems
April 2014

Energy Sector Control Systems Working Group (ESCSWG)

For Questions or Comments

Energy sector asset owners, operators, and suppliers are encouraged to provide feedback on this document to enhance the cybersecurity procurement language for future versions. Please send questions or comments to [email protected].

Acknowledgements

This document was prepared by the Energy Sector Control Systems Working Group (ESCSWG), Pacific Northwest National Laboratory (PNNL), and Energetics Incorporated, with funding from the U.S. Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability (OE) Cybersecurity for Energy Delivery Systems (CEDS) program, and in collaboration with the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Duke Energy, Edison Electric Institute (EEI), the Electric Power Research Institute (EPRI), the Federal Energy Regulatory Commission (FERC), the Independent Electric System Operator (IESO) in Ontario, and the Utilities Telecom Council (UTC). Contributions were also provided by the American Public Power Association (APPA), American Gas Association (AGA), and Idaho National Laboratory (INL).

A special thanks to Ed Goff of Duke Energy for his dedication and leadership in guiding this effort. Also, a special thanks to the many unlisted stakeholders and experts who provided comments and feedback during the two comment review periods for this document.

Disclaimer

This material was prepared as an account of work sponsored in part by an agency of the United States Government.
Neither the ESCSWG, nor the United States Government nor any agency thereof, nor any of their employees, nor the technical contributors to this document or their employers, MAKES ANY WARRANTY, EXPRESSED OR IMPLIED, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information or processes disclosed, or represents that its use would not infringe privately owned rights.

Contents

For Questions or Comments
Acknowledgements
Disclaimer
1. INTRODUCTION
1.1 Cybersecurity of Energy Delivery Systems
1.2 Background on Cybersecurity Procurement Language
1.3 Procurement Aligns with Energy Sector Cybersecurity Initiatives
1.4 About this Document
1.5 How to Use this Document
1.6 Examples of How to Use this Document
2. GENERAL CYBERSECURITY PROCUREMENT LANGUAGE
2.1 Software and Services
2.2 Access Control
2.3 Account Management
2.4 Session Management
2.5 Authentication/Password Policy and Management
2.6 Logging and Auditing
2.7 Communication Restrictions
2.8 Malware Detection and Protection
2.9 Heartbeat Signals
2.10 Reliability and Adherence to Standards
3. THE SUPPLIER’S LIFE CYCLE SECURITY PROGRAM
3.1 Secure Development Practices
3.2 Documentation and Tracking of Vulnerabilities
3.3 Problem Reporting
3.4 Patch Management and Updates
3.5 Supplier Personnel Management
3.6 Secure Hardware and Software Delivery
4. INTRUSION DETECTION
4.1 Host Intrusion Detection
4.2 Network Intrusion Detection
5. PHYSICAL SECURITY
5.1 Physical Access to Energy Delivery System Components
5.2 Perimeter Access
5.3 Communications inside the Physical Security Perimeter
6. WIRELESS TECHNOLOGIES
6.1. General Wireless Technology Provisions
7. CRYPTOGRAPHIC SYSTEM MANAGEMENT
7.1. Cryptographic System Documentation
7.2. Cryptographic Key and Method Establishment, Usage, and Update
8. REFERENCES
9. ABBREVIATIONS AND ACRONYMS
10. GLOSSARY
11. ADDITIONAL ACKNOWLEDGEMENTS

1. INTRODUCTION

1.1 Cybersecurity of Energy Delivery Systems

Energy delivery systems are critical to the effective and reliable operation of North America’s energy infrastructure. Our twenty-first-century way of life is made possible by the vast network of processes enabled by these systems, as well as the interconnected electronic components, communication devices, and people who monitor and control those processes.

Energy delivery systems are used to monitor and control the production, transfer, and distribution of energy. These systems include Supervisory Control and Data Acquisition (SCADA) systems, Energy Management Systems (EMSs), Distribution Management Systems (DMSs), and Distributed Control Systems (DCSs). Energy delivery systems comprise the following:

• The sensors and actuators used for monitoring and controlling energy delivery processes.
• The computer-based systems that analyze and store data.
• The communication pathways and networks that interconnect the various computer systems.

Cybersecurity threats, whether malicious or unintentional, pose a serious and ongoing challenge for the energy sector. Today’s highly reliable and flexible energy infrastructure depends on the ability of energy delivery systems to provide timely, accurate information to system operators and automated control over a large, dispersed network of assets and components.
A cyberattack on an energy delivery system can have significant impacts on the availability of a system to perform critical functions as well as the integrity of the system and the confidentiality