Josh Long: Minimum Cyber Security Requirements for a 20 MW Photo Voltaic Field
1 like528 views
The document outlines the minimum cybersecurity requirements for a 20 MW photovoltaic field developed by Bechtel. It details the project overview, risk assessment, and management plan while identifying major risks and necessary controls. The document emphasizes the importance of a structured cybersecurity program, including policies, procedures, and physical security measures.
Josh Long: Minimum Cyber Security Requirements for a 20 MW Photo Voltaic Field
- 1. Josh Long and Charlie Givens ENERGYTECH 2015 Minimum Cyber Security Requirements for a 20 MW Photo Voltaic Field Bechtel Group, NS&E December 1, 2015
- 2. Author Biography Josiah (Josh) Long Bechtel Global Corp: Nuclear Security & Environmental Senior Technical Engineering Specialist 30+ Years experience Functional Engineering Control System & Electrical Staff 25 years Power, 15 years Nuclear, 10 years Government BSEE Virginia Tech (1981) PE (Control System Engineering), GICSP, ISA CFS & SFS Voting Member ISA 67.04&06 Nuclear SR Setpoints Whitewater, R&R Guitar and Bass, Robotics
- 3. Overview Introduction Description of the 20 MW Standard PV Plant General Approach to Risk Risk with the 20 MW Standard Cyber Security Management System (CSMS) Summary
- 4. Elements of the Standard 20MW Solar Facility © Bechtel | 4
- 5. PART 1 – Project Overview Description of the 20 MW Standard PV Plant Plot Plan – Covers 85 Acres of relatively flat terran Plant includes 10 Identical 2 MW Standard Blocks Electrical Designs – Arrays are based on minimizing wire and maximizing density – Inverters are centrally located to the blocks – Transformers are daisy chained to Substation/Switchyard SCADA Design – Standard SCADA system is a Cal ISO base configuration – 2 SCADA Remote Terminal Units (RTUs) are required – 1 Weather Station is included.
- 6. PART 1 – Project Overview Plot Plan – Covers 85 Acres of relatively flat terrain
- 7. PART 1 – Project Overview Plant includes 10 Identical 2 MW Standard Blocks
- 8. PART 1 – Project Overview Arrays are based on minimizing wire and maximizing density
- 9. PART 1 – Project Overview Transformers are daisy chained to Substation/Switchyard
- 10. PART 1 – Project Overview Description of the 20 MW Standard PV Plant SCADA Design – Standard SCADA system is a Cal ISO base configuration – 2 SCADA Remote Terminal Units (RTUs) are required – 1 Weather Station is included. SCADA UNIT 1 Weather Station SCADA UNIT 2
- 11. Elements of the Risk Assessment © Bechtel | 11
- 12. Part 2 – Risk Assessment Plan RISK MANAGEMENT PLAN Asset List Goals Risks Controls Program
- 13. Part 2 – Risk ASSET LIST CREATE AN ASSET LIST Solar Panels $20M Panel Rack $3.8M Inverters/Transformer $3.5M SCADA $50K Metering $50K Substation/Switchgear $50k Security Features ??? Cabling and Wires $1M
- 14. Part 2 – Risk Assessment OBJECTIVES OF THE FACILITY What are the Goals of the site – Power Generation – Resale – Dispatch – Automatic Generation – Backup Power Each Can Change The Risk Profile
- 15. Part 2 – Risk Assessment OBJECTIVES OF THE FACILITY Power Generation – In the base configuration only generation matters Resale – If resale is required then Metering is important Dispatch – If Dispatch is require then a mean of changing output is required » Internet, Dedicated Phone, Manned Facility Automatic Generation – Automatic Generation may require automatic control perhaps through SCADA Backup Power – Backup Power may require a higher integrity of supplied components
- 16. Part 2 – Major Risks Key Risk Natural Disaster – Earthquake, Hurricane, Flood, Lightening Infrastructure Failure – Power Grid, Intranet, Communications Internal Issues – Thief, Damage, Infect, Sabotage Accidents – Fall or Crushing Incident, Shock, Electrocution External Targeted Attacks – Thief, Mass Damage, Cyber External Mass Attacks – Planned Systematic Physical Attack
- 17. Part 2 – Risk Controls What Controls (NIST 800 – 53/82) The Principle Elements of a Cyber Security Program – People – Procedures – Configs and Physical Security ISA 99 and NIST 800 Series Approaches to Documentation
- 18. Part 2 – Risk Program Program – Recommended Elements Policies and Practices (Standards?) Resource Inventory Security Liaisons Normalized Risk Formula Risk/Change Management Committee Map of Risk to Objectives Contributing Security Programs Exception Tracking
- 19. © Bechtel | 19 20MW PV FIELD Final Cyber Requirements
- 20. Part 3 – Minimum Requirements SWGR USER MW MW
- 21. Part 3 – The Reality of Operation TOP OPERATIONS ISSUES 1. Perimeter Fence Damage 2. Vandalism or Theft 3. Transformer Leakage 4. Various Inverter Damage 5. Broken Conduit or Combiner Box Damage 6. Vegetation Overgrowth 7. Cell Browning/Discoloring or Shorted Cell 8. Shorted Cell 9. Unclean Panels 10.Animal Nuisance
- 22. Part 3 – A More Realistic Approach © 2012 Bechtel | 22 Firewall Switch SCADA Unit 1 Security System CCTV System SCADA Unit 2 HISTORIAN WS MW
- 23. Part 3 - Execution EXECUTION to be performed on an annual or quarterly basis The Principle Elements of Cyber Security – People – Procedures – Configs and Physical Security Monitoring Improvement Plan Design Delta Summary