By Joseph Boike, Advanced Control Systems
Cybersecurity threats are a serious and ongoing challenge for the energy sector. As attacks become more numerous and sophisticated, it is critical to take the right steps to keep the high standards of reliability and resiliency our nation’s electrical grid needs. A cyberattack can have a significant impact on the ability of an energy automation system to perform critical functions, affecting public safety and well-being, national security and the economy. The 2015 Lloyds Emerging Risk Report says that the impact on the economy of a blackout across 15 U.S. states affecting 93 million people could reach $1 trillion. All this makes cybersecurity one of the most significant investments in the power business, requiring the allocation of substantial resources to mitigate all possible risks. The North American Electric Reliability Corp. (NERC) maintains a set of Critical Infrastructure Protection (CIP) guidelines that many utilities are obliged to adhere to. NERC CIP requirements address a vast range of critical cyber asset and cybersecurity issues, including the substation and the substation automation system. Compliance with this standard ensures that best practices are in place and that the likelihood of future system cyberattacks is substantially reduced. Implementing defensive measures can also help avoid a NERC CIP v5 compliance violation and the associated $1 million per-day penalty.
This can be easy to address when designing a new installation with the latest technology. Problems might arise, however, when addressing older substations with aging automation systems in place. Modern technology, which possesses features that will help utilities comply with NERC CIP requirements, must be developed and integrated so that a smooth, timely transition within budget is possible. Utilities should therefore view the NERC CIP standard as a guidance tool for security; it does not specify the technology or methodology but rather the goals, which can be reached through a combination of features supplied by hardware, software and procedures. So, if it is possible to upgrade the existing substation remote terminal unit (RTU) with the most critical security features and then couple it with other technologies and procedures, a full RTU replacement can be avoided in favor of the upgrade, saving time and resources. To be a valid solution, the upgraded RTU must have a minimal level of authentication and authorization, protection against the use of unnecessary physical and logical ports, and auditability.
Authentication and Authorization
Without the appropriate authentication and authorization methods in place, unauthorized users might gain access to the system or system functions. Access must be restricted to certain systems or functions following the principle of least privilege, which allows only the minimum access required to perform a given operation. In addition, utilities should enforce roles within their organization and implement role-based access control, grouping users based on their role, with different levels of access for each group rather than evaluating each individual.
To facilitate compliance with these NERC CIP requirements, the upgraded RTU in the substation must provide features such as an embedded remote authentication dial-in user service (RADIUS) client, so that centralized authentication, authorization and accounting management is possible. With this feature, several NERC CIP requirements are directly addressed, including: CIP-005 R1 (1.3), met by setting access levels for credentialed users and denying all others; CIP-005 R2 (2.3), because the embedded RADIUS client provides the capability to apply multi-factor authentication to all Interactive Remote Access sessions; and CIP-007 R5 (5.1), as the RTU configuration tool requires authentication before allowing interactive access to the RTU. In addition, CIP-007 R3 (3.1) compliance is aided by restricting the group of users with permission to update the unit’s firmware. RTU security is further enhanced by requiring that any firmware being installed be properly signed and encrypted with a privately held key.
Every unused port that remains enabled can be a potential entry point. Whether logical or physical, the upgraded RTU must be capable of disabling what is not being used. As with the principle of least privilege for users, here the principle of least functionality gives access to only what is required to perform a specific function. Although the disabling of ports should be accomplished by software with configuration tools for easy re-enabling by an authorized user, a port lock should always be available for physical ports.
Because these requirements are specific to the equipment, the RTU upgrade process must deliver a solution that clearly addresses the NERC CIP requirements. CIP-007 R1 (1.1) refers to enabling only the logical network-accessible ports that have been determined to be needed. A solution, via the configuration tool, that gives the user the ability to individually enable and disable those ports is clearly recommended. Looking at the physical ports, according to CIP-007 R1 (1.2), there is the same need to disable any unused ports, and it is also strongly recommended that the configuration tool have the enable/disable function for them. A communication port can simply remain disabled unless it is specifically assigned as a protocol port, so that all communication ports are disabled by default.
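The following script is an added example, not code from the article or from any vendor's RTU configuration tool. It applies the least-functionality rule just described to a constructed port configuration: a logical service may be enabled only if the site has determined it is needed, a physical port may be enabled only if it has been assigned a protocol, and an unused physical port that is merely disabled in software is still reported until a port lock is fitted. The configuration layout, the port and service names, the needed-services list and the sample "legacy" configuration are all assumptions.

```python
"""
Least-functionality check for an RTU port configuration (CIP-007 R1 1.1 / 1.2 intent).
Added example; configuration layout, names and sample values are assumptions.
"""
from dataclasses import dataclass, field, replace


@dataclass
class PortConfig:
    services: dict                 # logical service name -> enabled?
    physical_assignment: dict      # physical port -> assigned protocol, or None if unused
    physical_enabled: dict         # physical port -> enabled in software?
    physical_locked: set = field(default_factory=set)   # ports fitted with a hardware lock


def findings(cfg, needed_services):
    """Return every deviation from least functionality as a human-readable line.
    needed_services is the set of logical services the site has determined it needs."""
    out = []
    for svc, enabled in sorted(cfg.services.items()):
        if enabled and svc not in needed_services:
            out.append(f"logical service {svc} is enabled but not in the needed list")
    for port, enabled in sorted(cfg.physical_enabled.items()):
        assigned = cfg.physical_assignment.get(port)
        if enabled and assigned is None:
            out.append(f"physical port {port} is enabled but assigned no protocol")
        if assigned is None and port not in cfg.physical_locked:
            out.append(f"unused physical port {port} has no port lock")
    return out


def harden(cfg, needed_services):
    """Return a copy with the software side corrected: disable every unneeded
    service and every unassigned physical port. Nothing is ever enabled here;
    a needed service that was off stays off until an authorized user turns it on.
    Port locks are hardware, so a missing lock remains a finding."""
    services = {svc: enabled and svc in needed_services
                for svc, enabled in cfg.services.items()}
    physical = {port: enabled and cfg.physical_assignment.get(port) is not None
                for port, enabled in cfg.physical_enabled.items()}
    return replace(cfg, services=services, physical_enabled=physical)


def sample_weak_config():
    """Constructed picture of a legacy RTU as it might arrive for upgrade:
    telnet and http left on, one serial port enabled but unused."""
    return PortConfig(
        services={"dnp3": True, "modbus": False, "telnet": True, "http": True, "ntp": True},
        physical_assignment={"ETH1": "dnp3", "COM1": "dnp3", "COM2": None, "COM3": None},
        physical_enabled={"ETH1": True, "COM1": True, "COM2": True, "COM3": False},
        physical_locked={"COM3"},
    )


NEEDED = {"dnp3", "ntp"}   # assumed result of the site's needs determination


def demo():
    """Run the check before and after hardening; returns (before, after, hardened)."""
    weak = sample_weak_config()
    before = findings(weak, NEEDED)
    hardened = harden(weak, NEEDED)
    return before, findings(hardened, NEEDED), hardened


if __name__ == "__main__":
    before, after, _ = demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", *after, sep="\n  ")
```

The point of keeping `harden` strictly one-directional is that a compliance tool should never widen access as a side effect; the only remaining finding after hardening is the missing port lock, which software cannot fix.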
Recording system activity is as important as disabling unused ports and controlling user access. Recording the system activity generates an audit trail, which is vital for monitoring all activity. It also identifies potential cyberattacks in time to take action and provides information for post-event investigations if an attack occurs. An RTU upgrade must include time synchronization capability so that every logged event, that is, every action performed by any user, carries an accurate time stamp.
To comply with the NERC CIP standards, the upgraded RTU must, as a minimum, provide features that enable the creation of log files, thus complying with CIP-007 R4 (4.1) and CIP-008 R1 (1.1). A way to accomplish this requirement is to have Syslog support (a Syslog client in the upgraded RTU) so that the log file can be retrieved via the configuration tool or configured to periodically send all Syslog entries to a Syslog server. All firmware update attempts, whether successful or not, must be logged. At the same time, the configuration tool should also maintain a separate configuration log within each configuration file, detailing all changes made to a configuration and the responsible user.
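As an added example, not code from the article or from any vendor's RTU, the script below ties together the role-based, deny-by-default authorization from the Authentication and Authorization section and the audit trail described here. Every attempted action, permitted or not, becomes a Syslog-style (RFC 5424 format) entry with a UTC time stamp, and a small review pass pulls out what an investigator would want first: every firmware update attempt, including failed and denied ones, and a count of denied actions per user. The role names and their permissions, the host name, the layout of the message body and the sample sequence of events are constructed assumptions; a real RTU would hand these lines to its Syslog client rather than keep them in a list.

```python
"""
RTU audit trail with role-based authorization. Added example; roles, field
layout, host names and the sample events are constructed assumptions.
"""
import re
from datetime import datetime, timezone

# Assumed least-privilege role model: each role holds only the actions it needs.
ROLE_PERMISSIONS = {
    "viewer":   {"read_points"},
    "operator": {"read_points", "control_point"},
    "engineer": {"read_points", "control_point", "write_config"},
    "fw_admin": {"read_points", "write_config", "update_firmware"},
}
SYSLOG_FACILITY_AUTH = 4          # RFC 5424 facility 4: security/authorization messages
SEVERITY_NOTICE, SEVERITY_WARNING = 5, 4


def authorize(role, action):
    """Deny by default: an unknown role or an unlisted action is refused."""
    return action in ROLE_PERMISSIONS.get(role, set())


def syslog_line(ts, host, user, role, action, outcome, detail=""):
    """Format one RFC 5424-style line. ts is timezone-aware; the RTU's clock must be
    synchronized or these stamps cannot be correlated with other devices."""
    severity = SEVERITY_NOTICE if outcome == "success" else SEVERITY_WARNING
    pri = SYSLOG_FACILITY_AUTH * 8 + severity
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = f'user="{user}" role="{role}" action="{action}" outcome="{outcome}"'
    if detail:
        body += f' detail="{detail}"'
    return f"<{pri}>1 {stamp} {host} rtu-audit - {action.upper()} - {body}"


class RtuAuditLog:
    """Records every attempted action as a syslog entry."""

    def __init__(self, host):
        self.host = host
        self.entries = []

    def perform(self, ts, user, role, action, succeeded=True, detail=""):
        """Authorize, record the attempt, and return whether the action went through.
        Denied attempts are logged too; they are the ones worth looking at."""
        if not authorize(role, action):
            self.entries.append(syslog_line(ts, self.host, user, role, action, "denied"))
            return False
        outcome = "success" if succeeded else "failed"
        self.entries.append(syslog_line(ts, self.host, user, role, action, outcome, detail))
        return succeeded


LINE_RE = re.compile(r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) rtu-audit - \S+ - (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_entry(line):
    """Turn one of our lines back into a dict; None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    fields.update(pri=int(m.group("pri")), ts=m.group("ts"), host=m.group("host"))
    return fields


def review(lines):
    """Summarize every firmware update attempt and every denied action per user."""
    firmware_attempts, denied = [], {}
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e["action"] == "update_firmware":
            firmware_attempts.append((e["ts"], e["user"], e["outcome"]))
        if e["outcome"] == "denied":
            denied[e["user"]] = denied.get(e["user"], 0) + 1
    return {"firmware_attempts": firmware_attempts, "denied_by_user": denied}


def demo():
    """Constructed sequence of events on a hypothetical RTU; returns (entries, summary)."""
    log = RtuAuditLog("rtu-sub12")
    t0 = datetime(2016, 3, 1, 14, 0, 0, tzinfo=timezone.utc)
    log.perform(t0, "alice", "operator", "read_points")
    log.perform(t0, "alice", "operator", "update_firmware")            # not her role: denied
    log.perform(t0, "bob", "fw_admin", "update_firmware", succeeded=False,
                detail="image signature check failed")
    log.perform(t0, "bob", "fw_admin", "update_firmware", detail="image accepted")
    log.perform(t0, "mallory", "guest", "control_point")               # unknown role: denied
    return log.entries, review(log.entries)


if __name__ == "__main__":
    entries, summary = demo()
    print("\n".join(entries))
    print(summary)
```

Because the same `review` function works on lines pulled back through the configuration tool or on lines collected at a central Syslog server, the audit trail stays useful whether the upgraded RTU is reporting continuously or being examined after an event.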
From Legacy to Secure
Substation automation is a vital part of the power system; it is the intelligence that brings visibility to, and allows control from, the operator in the SCADA room or the advanced energy or distribution management systems. Because substation automation equipment is crucial to reliable electricity delivery, it has become a desirable target for cyberattacks. NERC CIP provides the guidelines needed to reach a minimum security level and mitigate risk. It is important for owners and operators to understand that the standard’s goal is not to define which technology to use. Cybersecurity involves different equipment, processes and departments.
This goal-driven characteristic of the NERC CIP standards gives the utility the option to upgrade the aging substation RTU rather than purchase a full replacement. It is not necessary for a single piece of equipment to comply with all requirements. For authentication and authorization, CIP-007 R5 (5.5-5.7) can be addressed by using an external authentication server in the control room, acting as the RADIUS server for the RADIUS client in the upgraded RTU. An equivalent Syslog server can exist for the Syslog client in the substation, and utilities can also have the firewall functionality provided by an external firewall router to address CIP-005 R2 (2.1-2.2). If an upgrade path for the old RTU exists, a substation can go from legacy to secure in a reasonable time and at a reasonable cost, today.
Joseph Boike has a bachelor’s degree in electrical engineering from Georgia Institute of Technology and a master of science degree in electrical engineering from the University of Missouri. Prior to joining Advanced Control Systems, Boike held positions in the research & development departments of McDonnell Douglas Corp. and Zellweger Analytics. After joining ACS, he became the primary hardware designer for the RTU product lines, driving the transition to surface-mount technology. Boike is currently the R&D hardware manager, and is responsible for driving compliance to industry-standard security requirements.