By Mati Epstein
From the beginning, power utility communication networks were designed solely to provide operators with a picture of what was happening in the power network, with little concern about cybersecurity.
As utilities have introduced packet-based network technologies, for their greater efficiency, this has increased the risk of cyber threats. Although traditional Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) technology are not impervious to cyber attacks, it is much less susceptible than packet technology. This is because of the static nature of SONET/SDH and the absence of a signaling plane.
But packet technology, because it is capable of dynamically reaching any point in the network through the use of addressing-and because it has a signaling plane-can open the door to threats.
Considering how little thought was put into securing the power utility network in its original design phases, its vulnerabilities are no surprise. The proprietary characteristics of remote terminal units (RTUs) and supervisory control and data acquisition (SCADA) equipment, for instance, present particular challenges. Because of the sensitive nature of this equipment's software code, utility operators are often prohibited from making modifications, such as upgrading an older-generation operating system or keeping it current with updated security patches. As a result, there are many documented security holes that are not patched or otherwise addressed.
Two major vulnerabilities are the network control plane and the data plane. Some of today's packet networks have a control plane to streamline circuit provisioning. This may be efficient from a network management standpoint, but it also provides a path for corrupting and disabling the network. By disseminating malicious information, an attacker can cause a network to send its traffic into nowhere, create routing rings, or take other actions that could bring down the entire network.
Denial of service attacks is a classic example of threats that originate on the data plane. These attacks typically bombard a victim with multiple bogus requests for connection, causing the recipient to waste resources and struggle to handle legitimate requests. If all resources are exhausted, the target can completely fail. For a power utility, the resulting loss of visibility to its RTUs or teleprotection equipment can quickly translate into loss of control of the power network and a significant power outage.
Following are five things that you can do to protect your network.
Protect the Perimeter
This approach insulates the power operational network from outside contact through firewalls and encrypted virtual private networks (VPNs).
Network firewalls allow contact only between approved entities, approve or reject connection requests, and check remote users for credentials. Their weakness is that once they permit a connection, they have no notion of the data passing through-which could include malware or invalid data.
One-way network firewalls, another approach, provide a "physical" separation of the operational network from user monitoring requests. They allow information to move only from the operational network outward and minimize the exposure of mission-critical components.
Encrypted VPNs, typically used in conjunction with network firewalls, allow secure communications between different elements of the Electronic Security Perimeter (ESP). This prevents certain types of attacks and compromises of control information.
Most security measures are derived from the concept of perimeter protection. But they depend to some extent on physical security. And, for most utilities, their communications equipment is typically in unstaffed, lightly protected locations. That is why additional security measures are recommended.
Take the Control Plane out of Your Network
Attacks on the control plane, where the attacker corrupts or crashes it, are particularly dangerous, resulting in network collapse. Even more concerning is that breaching a single location could crash the entire network. The means the entire network is only as secure as its weakest link, or, in the case of power utility networks, the least protected substation.
Network designs with a control plane or signaling protocol-such as Multiprotocol Label Switching (MPLS) and Internet Protocol (IP) networks-are highly susceptible to these types of attacks. While some mitigation is possible, the threat remains as long as control planes exist.
If possible, move to a control plane-free network architecture, such as Carrier Ethernet or the more traditional SONET or SDH. Neither of these network types offers a means to attack their signaling plane, and both require a management station to provision them. Secure the management station and attacks are impossible.
Minimize Data Plane Attacks
Such attacks tend to be more focused-such as a denial of service attack on a particular host-and the potential loss of connectivity between the Human Machine Interface (HMI) station and remote units can interrupt control of the electrical grid. Data plane attacks can be mitigated through the design of the operational network. Where rigid connectivity is forced, such as with Carrier Ethernet or SONET and SDH networks, it is more difficult for an attacker to gain visibility into network elements outside of their direct connection. This is because only the minimum necessary parts of each host are exposed to the network, with more vulnerable parts shielded. See Figure 1.
Authenticate the Source
Another way to increase security and avoid masquerading or spoofing is through the use of source authentication protocols. The most prominent of these is the Ethernet-based 802.1X, which validates each newly inserted device through a centrally managed database. It uses encryption to verify the identity and ensure the new device is not masquerading as a valid network device. This ensures all devices connected to the network are valid and not hacker-inserted.
Counter the Malware Threat
Among the most difficult attacks to detect are those that originate from elements inside the network. It is challenging, for example, to determine if a particular command is valid or malicious. Some commands, such as decommissioning an old RTU, may have a valid use when issued by authorized personnel-but can be harmful when initiated by others.
The distributed nature of these types of attacks renders a centralized or transitional solution inadequate. In addition, solutions must understand the Industrial Control Systems (ICS) protocol and make an intelligent determination of whether a particular command is valid or out of bounds. The ideal solution here is a distributed, ICS-aware firewall, integrated into the fabric of the network as part of the switching equipment. An ICS-aware firewall that can determine the validity of different SCADA commands can block and detect insider threats or threats stemming from the introduction of malware to the network.
The key elements of this solution are omnipresence and application awareness, to address the distributed nature of power utility networks as well as the difficulty associated with detecting malware attacks. Malware typically piggybacks on real control stations and verifiable hosts, and only changes the content of control messages. To detect this type of tampering requires the intelligence to read and verify each command, hence the need for application-aware equipment. See Figure 2.
To summarize, operational power utility networks face many potential cyber threats. Each defense strategy presents its own vulnerabilities, so a network can only be truly protected through multiple defenses at multiple layers. This defense-in-depth strategy focuses on multiple defenses using a mix of tactics to impede the advancement of an attacker and to detect and block that attacker.
Ultimately, network security for the power utility network must be seriously considered at every stage of the design. Diligent planning can greatly improve the resilience of the network.
About the author: Mati Epstein is head of the Utilities Line of Business for RAD, provider of evolutional migration solutions for power and transportation utilities, facilitating a smooth, secure and cost-effective transition to packet-based networks. Contact him at firstname.lastname@example.org.