EDP Distribuição's Strategy for Cyber Security and Privacy
Nuno Medeiros, ICS and Smart Grids Security Officer, EDP Distribuição
Workshop Internacional Segurança Cibernética, 20 October 2016, Brasília, Brasil
From a local electricity incumbent to a global energy player with a strong presence in Europe and Brazil and considerable investments in the USA…
• #1 world leader in the electric sector in the Dow Jones Sustainability Indexes
• #1 hydro project in Europe (+3.5 GW under development)
• #3 wind energy company in the world
• #1 industrial group in Portugal
[World map: EDP presence in Portugal, Spain, France/Belgium, United Kingdom, Italy, Poland/Romania, USA/Canada, Brazil, Angola and China]
• United Kingdom: 21 employees
• USA/Canada: 260 employees; 3,422 MW installed capacity; 9,330 GWh net generation; 100% generation from renewable sources
• Portugal: 7,252 employees; 6,053,509 electricity customers; 271,576 gas customers; 10,992 MW installed capacity; 34,364 GWh net generation; 51% generation from renewable sources; 46,508 GWh electricity distribution; 7,138 GWh gas distribution
• Poland/Romania: 51 employees; 475 MW installed capacity; 621 GWh net generation; 100% generation from renewable sources
• Brazil: 2,635 employees; 2,831,651 electricity customers; 1,874 MW installed capacity; 8,043 GWh net generation; 100% generation from renewable sources; 24,544 GWh electricity distribution
• France/Belgium: 34 employees; 363 MW installed capacity; 705 GWh net generation; 100% generation from renewable sources
• Italy: 14 employees
• Spain: 2,038 employees; 1,015,543 electricity customers; 787,869 gas customers; 6,087 MW installed capacity; 15,331 GWh net generation; 37% generation from renewable sources; 9,517 GWh electricity distribution; 48,447 GWh gas distribution
EDP Distribuição in Portugal, EDP Brasil and Hidrocantábrico Distribution in Spain, with about 10 million customers…
• In Portugal, EDP Distribuição has more than 6 million customers and a network of more than 220,000 km.
• In Spain, through Hidrocantábrico Distribution, EDP has more than 1 million customers.
• EDP Distribuição expanded the InovCity concept to Brazil (Bandeirante): 15,000 consumers in the city of Aparecida.
[Map: HC Energia in Spain; EDP Escelsa and EDP Bandeirante in Brazil]
The National Electricity System includes EDP Distribuição as the regulated electricity distribution company, acting under a public service concession
Generation → Transmission (VHV/HV station) → HV network → HV/MV substation → MV network → MV/LV secondary substation → LV network → Retailer/Consumer
The public service concession for distribution is assigned to EDP Distribuição. Main figures for EDP Distribuição (with the level of monitoring and automation today):
• HV network: 9,375 km
• 416 HV/MV substations, 17,401 MVA installed
• MV network: 72,319 km
• 66,719 MV/LV stations, 19,969 MVA installed
• LV network: 141,829 km
• 6.1 million customers
The Distribution System is considered a critical infrastructure, potentially the most critical one, since it is essential for the functioning of society and the economy
Quality of Service was significantly improved during the last decade, with average interruption time decreasing by more than 87%
[Chart: Evolution of the Time Interruption Equivalent MV (TIE MV) since 2001, showing the -87% reduction]
Historical challenges:
• Quality of Service: supply customers with a high quality of service
• Operational Efficiency: minimize OPEX and CAPEX
• Focused investments and increased automation are key levers to improve the quality of supply
• 99.99% reliability of the electric distribution network starting in 2012
… and the future carries many new challenges to EDP Distribuição
Historical challenges:
• Quality of Service: supply customers with a high quality of service
• Operational Efficiency: minimize OPEX and CAPEX
New challenges:
• Renewables and Distributed Generation
• Advanced Metering Infrastructure
• Smart Grid
• Electric vehicle
• MV/LV automation and sensoring
A smarter distribution grid for the new challenges:
• New ways of planning and managing the grid (e.g. DG, bidirectional energy flows...)
• More information to the customer: energy efficiency
• New technologies (e.g. energy storage) and new business models (e.g. DSM, dynamic energy prices...): energy efficiency and new business models
• EV integration (e.g. V2G, smart charging...)
The InovGrid project is EDP Distribuição's Smart Grid project, where we actively seek a gradual and integrated approach towards a smarter distribution grid
Distribution network: HV network, VHV/HV substation, HV/MV substation, MV network, MV/LV substation, LV network.
SG enabling infrastructure: wide area network (WAN), local area network (LAN) with the DTC at the MV/LV substation, home area network (HAN) with the EDP Box at the consumer, and head-end systems.
Smart grids applications and services:
• System integration and cyber security
• Information management and data mining
• DG, storage and VPP integration and management
• MV automation and telecontrol
• Remote public lighting management
• Microgeneration metering
• GIS and Work Force Management
• New tools for smarter network operation and management
• Improved network quality of service
• EV charge network
• New tariffs and pricing mechanisms
• Energy services (efficiency, DR, …)
…this was the Power Grid
Power Grid Digitalisation: the digitalisation of the power grid started to facilitate a faster and more efficient operation
[Chart: Complexity / Threats versus DSO Digital Transformation, 1980]
1980:
• Exposure: limited to DSO facilities
• Communications: proprietary protocols and networks
• Systems: proprietary HW & SW; physical access
• Human Resources: employees
• Security Approach: perimeter defense and Security through Obscurity
Considering the "near air gap" we had between the operational network and the external networks, keeping a tight perimeter defense seemed the right approach
• Security Approach: perimeter defense and Security through Obscurity
Power Grid Digitalisation: the OT/IT interconnection added new functionalities and further grid observability to control systems
[Chart: Complexity / Threats versus DSO Digital Transformation, 1980 to 2000]
2000:
• Exposure: connection to external networks
• Communications: proprietary and standard protocols
• Systems: COTS HW & SW; remote access
• Human Resources: employees and outsourcers
• Security Approach: Defense in Depth
In 2009 the Board approved an external cyber security audit to assess our cyber security maturity level and readiness
Cyber security audit:
• We thought we had our process network and servers reasonably protected. However, in 2009 we were classified at level 2, "High Risk of Terrorist Attacks", on the quantitative assessment scale of the DHS.
• The minimum for a critical infrastructure is level 4, "Guarded".
• We achieved level 4 in mid 2013, with the closure of all projects.
• Several high-level risks were identified
• 33 recommendations
• 10 projects in 9 different security areas
• 3 years
Defense in depth is a security model in which multiple layers of security controls are placed to provide redundancy in the event of a security failure
Security Approach: Defense in Depth
• It intends to hinder access to important resources
• Uses many mechanisms structured in several layers
• Distinctive mechanisms: prevention, detection, reaction
• They focus primarily on: people, machines, procedures
Layers, from the outside in:
• Policies and Procedures
• Physical Security
• Perimeter Defenses (firewalls, ACLs, VPNs)
• Network Defenses (network segmentation, network IPS)
• Server Defenses (security updates and AV, port and services control, strong authentication)
• Application Defenses (strong passwords, ACLs)
• Data Defenses (backup and data restore, business continuity)
Power Grid Digitalisation: it currently deals with new and complex issues such as DER, EV, self-healing and demand response, changing the landscape entirely
[Chart: Complexity / Threats versus DSO Digital Transformation, 1980 to 2010]
2010:
• Exposure: everywhere; multiple connections; millions of nodes
• Communications: multiple standard protocols & networks
• Systems: complex and highly interconnected
• Human Resources: hundreds in & out; remote access
• Security Approach: something different
However, the challenges are not only technological but also regulatory, as the EU is currently defining an overall strategic framework for Cybersecurity and Data Protection
Network and Information Security (NIS) Directive (entry into force in May 2018), applicable to Operators of Essential Services:
• Risk analysis methodologies;
• Security controls;
• Technical and organizational measures;
• Incident response capabilities;
• Incident reporting obligation.
General Data Protection Regulation (GDPR) (entry into force in May 2018), applicable to personal data 'controllers' and 'processors':
• Data Protection Impact Assessment (DPIA);
• Data Protection Controls;
• Penalty in case of data breach: 20 M€ vs 2%-4% of annual turnover;
• Report on data breaches in less than 72 h.
EDP Distribuição's cyber security strategy addresses the new landscape, and it shall be aligned with the NIS Directive and GDPR requirements
Scope: ICS, Smart Grid, Telecom. and IT
EDP Distribuição Cyber Security Strategy timeline:
• 2009: Cyber Security (Perimeter). Cyber security audit: in 2009 we were classified at level 2 "High Risk of Terrorist Attacks"
• 2011: Cyber Security in Depth. We achieved level 4 "Guarded", the minimum for a critical infrastructure, in mid 2013
• 2015: Smart Grid Cyber Security (ISO 2700x, NIS)
• 2017: Data Protection & Privacy (DPIA, GDPR)
• Transversal: Continuous Audit and Monitoring; Training and Awareness Program
The cyber security activities can be divided into 5 different domains: Identify, Protect, Detect, Respond and Recover. A mature combination of these functions can provide a more comfortable level of security
• Continuous Audit: identification of vulnerabilities and fast remediation
• Implementation of ISO 27001 certification: establishes the requirements to define, implement, maintain and continuously improve security
• Yearly cyber security projects
• Cyber risk assessment (business-focused investments)
• Smart Grid security as a priority
However, since it is not possible to completely prevent all potential cyber attacks, Security Operations should facilitate fast and effective incident detection and response
Security Operations (Identify, Protect, Detect, Respond, Recover), integrated in the Digital Platform of the Supervision Center:
• Monitoring & Detection
• Incident Response & Recovery
• Continuous Security Operations: technology, people and processes
• Insight from sharing communities: National Cyber Security Center (CNCS), EE-ISAC
One of the most important aspects of cyber security, transversal to all its domains, is awareness and training at all levels of the organization
"Employees should be the most effective security control, but instead they create the greatest vulnerabilities" - UK Gov and Capita 2015 Report
EDPD Training and Awareness Program on Cyber Security of Critical Information Infrastructure (CII), targeting: top management, cyber security officers, SCADA operation & maintenance, all employees
Smart Grids introduce risks that must not be allowed to compromise consumers' privacy. Therefore, privacy and personal data should be adequately protected
Private (consumption) data is sent from the Smart Meter to the DTC. Espionage meters?
European initiatives:
• Expert Group 2 / Stakeholder Forum: advise the EC on policy and regulatory frameworks at European level; Data Protection Impact Assessment (DPIA) template for Smart Grid environments
• DPIA Test Phase: DPIA application to the EDP Distribuição Smart Grid environment (future GDPR requirement); risk prioritization and implementation of privacy controls; EDP Distribuição is a first mover in the DPIA Test Phase process (with Alliander)
"Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security." John Allen Paulos
EDP Distribuição Cyber Security Roadmap:
• Introduce security requirements in most future tenders (ICS and SG)
• Maintain an active involvement in National and European Initiatives and Groups
• Ensure the alignment of the Cybersecurity Strategy with the NIS and GDPR
• Improve the SOC as a key factor for Cyber Security
• Keep investing in Cyber Security to prevent its uncertainty…
Many thanks for your attention!