By Vlad Vylkov
Product Manager, Siemens Energy Instrumentation, Controls and Electrical
Power plants are vulnerable to attack from two fronts. Physical attacks are still a significant concern for plant operators. However, a new danger, cyber attacks, threatens to strike at the heart of most plant operations: the I&C system. Since most plants have moved to open architecture and networks, power plant I&C systems are more vulnerable than ever to system security cyber attacks.
To put this into perspective: the Department of Homeland Security tracks the total number of reported cyber security breaches across the U.S. In 2007, DHS reported around 3,500 attacks. In 2008, that number jumped to almost 7,000, roughly a two-fold increase.
Cyber attacks can be external or internal. More people are aware of external attacks: sources hacking into the network or server and compromising the I&C system. While some of these sources are not intentionally destructive (for example, a teenager hacking into the system just to prove he can do it), there is always the threat of adversarial sources, such as hostile governments, terrorist groups, industrial spies, disgruntled employees, and malicious intruders.
Internal incidents can result from system complexities, human errors and accidents, equipment failures, and natural disasters. Any time a new piece of software is introduced or a Web browser is opened, vulnerability is introduced from the inside of the plant. For example, at the Hatch nuclear station in March 2008, a software update installed on the plant’s business network caused the computer network to reboot, inadvertently clearing the plant’s safety systems and leading to an unscheduled shutdown.
The compromising of an I&C system can be devastating to public health and safety, national security, and the economy. Compromised systems can, and have, led to extensive cascading power outages, dangerous toxic chemical releases, and explosions.
About a year ago, the CIA reported that an overseas utility had been compromised by cyber attackers in an extortion scheme. Hacking that was once benign has devolved to criminal or terrorist acts, or even state-sponsored espionage. Such escalation demands an appropriate and dynamic defensive response.
Some plant operators are taking this issue very seriously, while some are not. Most of the large power generators have at least met the minimum compliance standards, while a few are going above and beyond to protect their systems. Regrettably, some plants don’t understand the risk and the repercussions for not maintaining NERC-CIP Compliance. They do not recognize that not only are they exposing their control system to attacks, but they are also risking substantial fines for noncompliance.
“NERC” stands for North American Electric Reliability Corporation. NERC is an organization whose mission is to improve the reliability and security of the bulk power system by enforcing compliance with mandatory reliability standards. Its mission also includes helping industry participants operate and plan so they can meet these standards.
“CIP” stands for Critical Infrastructure Protection. These “CIPs,” or cyber security standards for NERC—specifically CIPs 002 through 009—involve addressing critical cyber asset identification and working through to recovery plans for critical cyber assets.
NERC-CIP compliance all begins with identifying critical assets. “Critical assets” are identified by conducting a risk assessment that focuses on specifically which assets, if compromised in any way, would prevent the reliable operation of the bulk electric system.
Some municipal and industrial generators think they are exempt from the NERC-CIP standards because they do not contain critical assets. In other words, they think they are not compromising the bulk electric system. This is not the case. Any utility adding electricity to the grid could compromise the security and reliability of the system, no matter how few megawatts they generate.
Another issue is even more stringent compliance standards are being created. Many utilities plan to comply with NERC-CIP standards eventually, but are waiting until the final rules are implemented before making changes.
According to NERC-CIP implementation rules, companies must have been substantially compliant by December 31, 2008, compliant by December 31, 2009, and auditably compliant by December 31, 2010.
Siemens provides on-site cyber security and NERC-CIP 002 through 009 assessments and audits, specifically addressing compliance with controls-relevant CIPs 005, 007, and 009. This assessment includes taking inventory of all the devices on the networks, what they’re connected to, and what software is running on them. Siemens will examine the plant system’s electronic security perimeters and Demilitarized Zones, or DMZs, systems security management, recovery plans, as well as backup and restore procedures. Siemens creates a detailed report of the findings and customized recommendations to improve and enhance the plant’s cyber security.