Publications

This document describes a microgrid cyber security reference architecture leveraging defense-in-depth techniques that are executed by first describing actor communication using data exchange attributes, then segmenting the microgrid control system network into enclaves, and finally grouping enclaves into functional domains. To illustrate the design approach, two notional microgrid control implementations are presented. Both include a discussion on types of communication occurring on that network, data exchange attributes for the actors, and examples of segmentation via enclaves and functional domains. The second example includes results from Red Team analysis and quantitative scoring according to a novel system that derives naturally from the implementation of the cyber security architecture.

This document summarizes the on-going cyber security work and resulting cyber security reference architecture for a secure microgrid control system network. The architecture pre sented here provides guidelines and security recommendations for the implementation of a secure microgrid control system at Department of Defense (DOD) installations. The mi crogrid is designed using the Energy Surety MicrogridTM (ESM) methodology developed by Sandia National Laboratories (SNL). Microgrids developed using the ESM methodology demonstrate— • increased reliability for critical mission loads resulting from the interconnection of electrical generation assets using the existing distribution network • reduced reliance on diesel-generated backup power through the use of renewable energy sources during outages • increased efficiency of diesel backup generators through careful, coordinated operation across the microgrid system • reduced operational risk through a strong focus on cyber security The design of a microgrid control system needs to be more robust than that of a traditional industrial control system (ICS) for the following reasons: • The microgrid is used in emergency situations and may be critical to continuity of operations of an installation. • The microgrid must function during active attack by a capable adversary. As such, the traditional design and implementation for an ICS may not be sufficient for implementing a robust and secure microgrid.

Threats are generally much easier to list than to describe, and much easier to describe than to measure. As a result, many organizations list threats. Fewer describe them in useful terms, and still fewer measure them in meaningful ways. This is particularly true in the dynamic and nebulous domain of cyber threats - a domain that tends to resist easy measurement and, in some cases, appears to defy any measurement. We believe the problem is tractable. In this report we describe threat metrics and models for characterizing threats consistently and unambiguously. The purpose of this report is to support the Operational Threat Assessment (OTA) phase of risk and vulnerability assessment. To this end, we focus on the task of characterizing cyber threats using consistent threat metrics and models. In particular, we address threat metrics and models for describing malicious cyber threats to US FCEB agencies and systems.

The key piece of knowledge necessary for building defenses capable of withstanding or surviving cyber and kinetic attacks is an understanding of the capabilities posed by threats to a government, function, or system. With the number of threats continuing to increase, it is no longer feasible to enumerate the capabilities of all known threats and then build defenses based on those threats that are considered, at the time, to be the most relevant. Exacerbating the problem for critical infrastructure entities is the fact that the majority of detailed threat information for higher-level threats is held in classified status and is not available for general use, such as the design of defenses and the development of mitigation strategies. To reduce the complexity of analyzing threat, the threat space must first be reduced. This is achieved by taking the continuous nature of the threat space and creating an abstraction that allows the entire space to be grouped, based on measurable attributes, into a small number of distinctly different levels. The work documented in this report is an effort to create such an abstraction.