Presentation by Jon Longstaff at Grid Analytics Europe 2016: Cyber-Secure Analytics – identifying and overcoming the security vulnerabilities of next generation grid analytics infrastructures that integrate multiple systems and data sources.
...dedicated to helping utilities bridge the gap between operations and information technology
...existing as a separate entity to which both Siemens and Accenture could bring their IP and integrate IT and OT more effectively
...with expert practitioners from both companies, working as one team
Talk about each – reference analytics
Challenge
Integrating diverse renewable energy sources, like in Hawaii or in California
Declining prices on some energy markets require flexibility in offering the portfolio via different trading channels
Be prepared for high volume of flexible loads to participate in reserve markets
Solution
A virtual power plant management system will be implemented in order to monitor and control – in case of RWE - up to 50.000 distributed assets
VPP
- Lots of data - consumption, control, forecasts, market, commercial
- not "traditional" grid operations - which is value of case study as it challenges many of the usual concepts - forget the air gap
- Real - we are working on these projects today across Europe
Analytics – two main challenges
chain of trust from the source of the data to the analytics system
Protection of the data in the analytics system
Wouldn’t it be great if there was a shiny piece of IT we could simply slot into the data centre that would solve all of our problems, mitigate all of those risks and patch those vulnerabilities?
Unfortunately no – it is hard work, incremental improvement. Much like everything else we do.
NIST framework is great to structure the discussion
Not a complete methodology – we rely more on ISA-62443 to underpin our approach
Analytics focus
Chain of trust
Combination of different data streams – better insight but may be greater risks (customer number / name / demographics)
Who is allowed to access data
valuable to you – valuable to a competitor – valuable to a criminal
Training
JV
Phishing
At rest
Very large datasets with high access rates -> encryption may not be the best approach, so what are other strategies?
Don’t forget backups
Who do you tell?
NIS will “require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.”
Does someone in your organisation have authority to disconnect your data warehouse? Is it you? What would happen if there is an incident going on at your organisation now but you aren’t picking up the phone because you are at an excellent talk on securing your data warehouse???
Three key points
Longest and possibly most expensive stage (ref Ukraine, Heartbleed)
Use as a feedback loop back to the development/implementation team. Don’t let them design a solution that can’t be recovered – or is too expensive
Build and prepare a plan – and try to test something, even a desktop exercise