Advances in the Cyber Security Quest
As power utility networks grow ever smarter, more automated and more connected, they also make much more attractive targets for hackers and other network intruders.
By Amir Barnea
As power utility networks grow ever smarter, more automated and more connected, they also make much more attractive targets for hackers and other network intruders. Utilities are recognizing this new reality, but only a few are thinking beyond the obvious - and not always fully effective - security responses.
Regulations such as NERC CIP define a valid minimum level of security, but they do not call for the more sophisticated defenses that go beyond today’s required minimum.
Because automation is continuously being pushed out to lower-impact assets (the field area network), and because operations technology and information technology (OT/IT) continue to converge, the number of possible attack vectors only grows, along with the potential for harm to the systems involved.
Messages may arrive from invalid sources or carry manipulated commands that could harm the system. Outside hackers get the most attention, but contrary to popular perception, a large share of the most destructive attacks originate within the organization, whether from disgruntled employees or from human error such as an infected laptop or other system. Such intrusions have, by definition, already bypassed physical and perimeter cyber security.
What is critical for utilities is to ensure that every communicated message is genuine, that it comes from an authorized source and that it carries no malware. Messages must be communicated securely and their integrity verified on receipt. In addition, there must be a complete repository of all transactions for later root-cause analysis or large-scale anomaly detection. A number of new and innovative security ideas are already in use, or at least under careful testing, by utilities around the world. Let’s look at some of them.
Network Functions Virtualization (NFV) is usually discussed in the context of telecommunications carrier networks, but utilities can use the same technology to implement critical network functions in software and so limit the time, effort and money that dedicated network hardware demands.
Distributed NFV puts the intelligence at remote sites, which is why it is an effective way to secure substations. The substation has become the pivotal point in cyber-securing a utility network. Installing distributed NFV equipment there allows a utility to manage its security technology from a central point, transporting the necessary information over encrypted tunnels between the substations and the central management center.
Going Beyond the SCADA Syntax
Most security technology examines the syntax of the information and commands being transmitted to and from SCADA systems. While that is useful, it no longer goes far enough when cyber security is a top priority.
Admittedly, evaluating the syntax tells a great deal and can detect a number of anomalies. For instance, a command may appear that has never been used before, that has not been used in months, or that simply should not occur at a particular time of day. That should draw attention, since it raises the possibility of a harmful act.
Syntax reveals who is sending commands to whom and what the command says, but it speaks only of numerical values, ports and buffers, not of the physical equipment the command affects. A value of 55 in a command could be a temperature, an instruction to turn a valve 55 degrees, or an instruction to set a particular engine to 5500 RPM.
That next level of meaning can only be recovered from the metadata at the SCADA/HMI application layer, for example the point or tag database that maps each register to the physical quantity it controls. Analyzing that data takes you beyond command syntax to an understanding of what a given command actually does. It also exposes anomalies at the level of the controlled physical process, as opposed to anomalies in the syntax of the ICS traffic that attempts to control it.
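The two layers described above, as an added example that is not part of the original article and not RAD’s product logic. It runs a syntax layer (source, function code, baseline of known commands, time of day) and a semantic layer (register mapped to a physical point with units and limits) over a few constructed Modbus-style write commands. The point map, IP addresses, register numbers, limits and baseline are all hypothetical; the value 55 is written to three different registers to show that the same syntax means three different physical things.

```python
"""Two-layer anomaly detection for SCADA write commands (added example).

Layer 1 ("syntax") looks only at the message: who sent it, which function
code, which register, and whether that combination is known and expected
at this time of day.
Layer 2 ("semantics") maps the register to the physical point it controls
and checks the engineering value against the equipment's physical limits.
All names, addresses, register numbers and limits are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical point map: the kind of metadata an HMI/SCADA tag database holds.
POINT_MAP = {
    40001: {"tag": "TURBINE_A_SPEED_SP", "unit": "RPM", "scale": 100.0, "lo": 0.0, "hi": 3600.0},
    40002: {"tag": "VALVE_7_POSITION_SP", "unit": "deg", "scale": 1.0, "lo": 0.0, "hi": 90.0},
    40003: {"tag": "XFMR_2_TEMP_ALARM_SP", "unit": "degC", "scale": 1.0, "lo": 40.0, "hi": 120.0},
}
AUTHORIZED_MASTERS = {"10.1.1.10"}   # the only HMI allowed to issue writes (hypothetical)
WRITE_FUNCTIONS = {6, 16}            # Modbus: write single / multiple holding registers
ALLOWED_WRITE_HOURS = range(6, 22)   # writes outside this window are unusual


@dataclass
class Command:
    ts: datetime
    src: str
    dst: str
    function: int
    register: int
    raw_value: int


def syntax_checks(cmd, baseline):
    """Checks that need no knowledge of the physical process."""
    alerts = []
    if cmd.src not in AUTHORIZED_MASTERS:
        alerts.append("unauthorized source")
    if cmd.function not in WRITE_FUNCTIONS:
        alerts.append(f"unexpected function code {cmd.function}")
    if (cmd.src, cmd.function, cmd.register) not in baseline:
        alerts.append("command never seen in baseline")
    if cmd.ts.hour not in ALLOWED_WRITE_HOURS:
        alerts.append(f"write at unusual hour {cmd.ts.hour:02d}")
    return alerts


def semantic_checks(cmd):
    """Checks that interpret the raw value as the physical quantity it controls."""
    point = POINT_MAP.get(cmd.register)
    if point is None:
        return ["write to unmapped register"]
    eng = cmd.raw_value * point["scale"]   # raw register value -> engineering units
    if not point["lo"] <= eng <= point["hi"]:
        return [f"{point['tag']} = {eng:g} {point['unit']} outside [{point['lo']:g}, {point['hi']:g}]"]
    return []


def analyze(commands, baseline):
    """Return (message index, layer, reason) for every finding."""
    findings = []
    for i, cmd in enumerate(commands):
        for reason in syntax_checks(cmd, baseline):
            findings.append((i, "syntax", reason))
        for reason in semantic_checks(cmd):
            findings.append((i, "semantic", reason))
    return findings


# Constructed baseline: (src, function, register) triples seen during a learning period.
BASELINE = {("10.1.1.10", 6, 40001), ("10.1.1.10", 6, 40002), ("10.1.1.10", 6, 40003)}

# Constructed traffic: raw value 55 written to three different registers,
# plus one write from an unauthorized host in the middle of the night.
SAMPLE = [
    Command(datetime(2024, 3, 5, 9, 12), "10.1.1.10", "10.1.2.21", 6, 40002, 55),  # valve to 55 deg: plausible
    Command(datetime(2024, 3, 5, 9, 13), "10.1.1.10", "10.1.2.21", 6, 40003, 55),  # alarm at 55 degC: plausible
    Command(datetime(2024, 3, 5, 9, 14), "10.1.1.10", "10.1.2.21", 6, 40001, 55),  # turbine to 5500 RPM: not
    Command(datetime(2024, 3, 6, 2, 40), "10.1.1.77", "10.1.2.21", 6, 40002, 55),  # rogue host at 02:40
]

if __name__ == "__main__":
    for idx, layer, reason in analyze(SAMPLE, BASELINE):
        print(f"msg {idx}: [{layer}] {reason}")
```

The third command is syntactically unremarkable (authorized master, known function and register, normal hours) and is caught only by the semantic layer; the fourth is physically harmless but fails three syntax checks. A real deployment would also track rate of change and inter-point consistency, which this example leaves out.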
Ratcheting Up Your Encryption
Most utilities use pre-shared encryption keys to secure communication between remote substation equipment and central management centers. This is better than no encryption at all, and it is simple to manage, but it is not truly effective in today’s security environment: when the same key is shared across many devices and rarely rotated, compromising a single device exposes the traffic of all of them.
Moving to a public key infrastructure (PKI) is a more secure strategy, although a more complicated one. By giving each device its own key pair and certificate, and managing the resulting range of keys and certificates centrally, PKI establishes a trusted networking environment across the organization. It is not new technology, but it is only recently gaining traction as utilities become more committed to addressing cyber security risk.
Its complexity still scares off some utilities, because PKI needs additional elements in the network: a certificate authority, and a way to distribute, renew and revoke certificates. It also requires accurate network time, since a certificate is only valid between its not-before and not-after dates, and a device with a wrong clock will reject good certificates or accept expired ones; not every utility can obtain reliable time over the cellular networks it uses. There are also ongoing management tasks, such as making sure certificates are renewed before they expire. But a utility that wants a more secure environment needs to consider PKI.
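To make the extra moving parts concrete, here is an added example (not from the article and not RAD’s code) using the third-party `cryptography` package. It stands up a hypothetical substation CA, issues a one-year device certificate, and verifies it the way a relying party must: issuer name, issuer signature, and the validity window against the verifier’s own clock. The CA name, device name and dates are constructed; the example deliberately shows a good certificate being rejected because the clock is wrong, and a certificate from a second CA with the same name being rejected on signature alone.

```python
"""Minimal certificate issuance and verification (added example).

Demonstrates why PKI needs a CA, a trustworthy clock and a renewal process:
verification checks the issuer's signature AND the not-before/not-after window
against `now`. Uses the third-party `cryptography` package; all names and
dates are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA_NAME = "Utility Substation CA"                 # hypothetical
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)     # constructed issuance time


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name=CA_NAME, not_before=T0, days=3650):
    """Self-signed CA with a 10-year validity (hypothetical policy)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_device_cert(ca_key, ca_cert, device_cn, not_before=T0, days=365):
    """Per-device key pair and a CA-signed certificate with a 1-year validity."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(device_cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def _window(cert):
    """Validity window as tz-aware UTC datetimes, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:  # cryptography < 42 exposes naive UTC datetimes
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def verify_device_cert(cert, ca_cert, now):
    """Return (ok, reason). `now` is the verifier's clock: a skewed clock
    rejects a perfectly good certificate, which is why PKI needs accurate time."""
    if cert.issuer != ca_cert.subject:
        return False, "issuer mismatch"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature not from trusted CA"
    nb, na = _window(cert)
    if now < nb:
        return False, "not yet valid (check clock)"
    if now > na:
        return False, "expired (renew or check clock)"
    return True, "valid"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, dev_cert = issue_device_cert(ca_key, ca_cert, "substation-17-rtu")
    for label, clock in [("good clock", T0.replace(month=2)), ("clock two years ahead", T0.replace(year=2026))]:
        print(label, verify_device_cert(dev_cert, ca_cert, clock))
```

This is the minimal check, not a replacement for a full path builder: a production relying party also validates the chain to a trust anchor, checks key usage and name constraints, and consults a CRL or OCSP responder for revocation, which is the other management task PKI adds.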
Much of what utilities are struggling with is not just what will work best for them, but what is expected of them under the NERC CIP v5 requirements and how to avoid fines. Forward-looking utilities must recognize that NERC CIP v5 is only part of the equation: if they are going to invest in cyber security equipment anyway, they should be prepared to go above and beyond what NERC CIP v5 requires and implement a comprehensive solution.
About the author: Amir Barnea is head of the Critical Infrastructure line of business for RAD (www.rad.com), provider of security and migration solutions for power utilities.