701: Zero-Trust Applications for the Grid (ZTAG)
Date & Time
Friday, October 7, 2022, 9:00 AM - 9:45 AM
Russell Boyer, David Lawrence

Today’s best-in-class cybersecurity practices for Industrial Control Systems promote defense-in-depth techniques with firewalls and network segmentation. Enhancements are being made to detect intrusions through network monitoring. However, today’s systems still fail to implement zero-trust models. Zero trust means that no entity or device is trusted by default, whether inside or outside the network, and verification is required to gain access to resources on the network. By implementing zero trust, systems can be made nearly impervious to attacks.

Asset owners are weary of elaborate cybersecurity requirements with no best-practice designs or implementations, and dismayed by proprietary architectures. Asset owners are rapidly adopting cloud services and pushing their operations to the grid’s edge. This increases both the risk and the urgency of identifying and adopting enhanced security practices. OpenFMB coupled with security best practices provides the foundation for securing grid devices using cryptographic identity, zero trust, distributed PKI, and situational awareness.

In this session, presenters will disclose findings from Duke Energy’s Emerging Technology Office’s multi-year effort to develop a best-in-class security architecture for the Distribution Grid at the Mount Holly Microgrid using OpenFMB. An OpenFMB node is a field device with compute resources, such as an industrial PC or gateway. The ZTAG system provisions and deploys nodes, updates node applications, and automates key renewal. This novel architecture leverages Docker for application containerization, Kubernetes for container management and deployment, and SPIFFE/SPIRE with Trusted Platform Module (TPM 2.0) identity management for workload and device attestation, ultimately building a system that is scalable and secure from the data center to field devices. By completing this latest step, the microgrid presents a scalable architecture demonstrating interoperability, security, integrity, authentication, and situational awareness.

Session Chair:
Richard Wernsing
Wernsing Consulting LLC

Location Name
Carolina D
Full Address
Sheraton Charlotte Hotel
South Tower, 555 S McDowell St
Charlotte NC 28204
Submission Type
Breakout Session
Session Category
Case Study