by Andreas Dreher, Belden, and Eric Byres, Byres Security Inc.
Electric utilities are migrating to standards-based Ethernet infrastructures for smart grid automation and communications, but they must be aware of the increased threat of network cyberattack from internal and external sources.
While much of the power grid is controlled by legacy automation systems that might not use open networking technologies, these systems are linked to supervisory control and data acquisition (SCADA) systems that rely on open systems. Open systems make the entire system more vulnerable. Care is needed to ensure the network is highly robust and reliable against accidental and deliberate network disruptions. Advanced industrial networking technologies can address these risks. Good cybersecurity and the intelligent deployment of network hardware designed for SCADA applications can make any modern system secure and reliable.
The Case for Standards-based Systems
Today’s intelligent grid relies on real-time communications to control and monitor power flows. Basing the communications infrastructure on open standards such as Ethernet and TCP/IP has become a fact of life. These technologies reduce purchase costs because standards-based communications hardware and software are significantly less expensive than proprietary alternatives. Installation is also easier and less costly because contractors are familiar with these technologies and components. And using Ethernet and TCP/IP helps streamline and simplify implementation and system integration, as well as maintenance and future upgrades.
As the name implies, however, open communications systems in power generation, transmission and distribution operations can be more vulnerable to cyber impact than closed proprietary systems with fewer links to other systems. Proper design is essential from the start so all security and reliability risks are mitigated. Substation security and reliability design are at the heart of power transmission and distribution control and communications.
No utility wants to be the weak link in the bulk electric system. Each utility wants to be certain that other utilities’ poor security practices will not impact theirs. And the government wants to ensure all utilities can supply power reliably.
As a result, all North American utilities must meet regulatory requirements defined by the North American Electric Reliability Corp. (NERC) regarding critical infrastructure protection (CIP) standards. Many people struggle to understand what must be done and how to do it effectively. NERC regulations can be summarized into four goals:
- To develop and enforce reliability standards,
- To assess reliability annually via 10-year and seasonal forecasts,
- To monitor the bulk power system, and
- To educate, train and certify industry personnel.
NERC-CIP standards cover sabotage reporting, critical cyberasset identification, security management controls, personnel and training. Also addressed are electronic security perimeters, the physical security of critical cyberassets, systems security management, incident reporting and response planning, and recovery plans for critical cyberassets.
Cybersecurity fits into the grid primarily at the substation level, where many automation components and intelligent electronic devices (IEDs), generally connected to each other via Ethernet, exist. There is also the IEEE 1686-2007 standard for IED security. It establishes IED security requirements and defines the functions and features to be provided in substation IEDs to accommodate CIP programs. IEEE 1686-2007 provides a table of compliance that vendors must use to indicate their requirement compliance levels.
Increasing Cybersecurity, Reliability
Designs must address the possibility of deliberate attacks such as internal breaches, industrial espionage and terrorist strikes, as well as inadvertent compromises of the infrastructure arising from user errors, equipment failures and natural disasters.
A good first step in achieving these goals is learning and understanding what the utility must do to comply with the applicable industry standards mentioned. Much information gathered in this process leads into the second and third steps:
- Understanding possible risks facing the utility and their potential impacts on systems, and
- Auditing the communications architecture, systems and components to identify vulnerabilities and areas of noncompliance.
The fourth step is creating and enforcing companywide security procedures designed for the SCADA and substation systems. A significant percentage of security breaches are caused by simple mistakes such as poor password selection, weak controls on contractor activities or use of unauthorized storage media. Eliminating elementary errors improves cybersecurity. Security procedures, however, won’t address all risks. Thus, a fifth critical step is on the infrastructure side: installing hardware and software designed to protect against cyberattacks, accidental system misuse and general network faults.
For existing systems, retrofits and the replacement of components on a selective basis is the common path. For new substations and other facilities, systems can be designed from the ground up with optimal cybersecurity and reliability.
Advanced Ethernet Technologies
When preparing for an incremental security upgrade of substations, a complete system modernization or a new facility construction, power companies should be aware of the current Ethernet hardware components and technologies designed to boost system reliability and cybersecurity. The following is an overview of components and approaches that have proven effective in the electric power generation, transmission and distribution industry.
Managed switches. The days of using hubs and bridges for network design are over. The appropriate technology for the core of the substation network is the managed switch.
All Ethernet switches perform two basic functions: store-and-forward switching, and auto-negotiation with autocrossing.
The first function is what separates a switch from a hub: the switch controls network messages so they are sent only to the computer or device that should receive them.
The second function makes data rate mismatches and the need for crossover cables less likely.
Managed switches, however, provide additional functions critical to the robust deployment of Ethernet in applications such as substation automation. Managed switches provide network administration functions such as filtering data flow, traffic prioritization, network diagnostics and access security. Data flow and traffic prioritization are particularly important for reliable substation operations. This ensures mission-critical control traffic is given priority over less important traffic such as data collection or Voice over Internet Protocol (VoIP) phone traffic.
Managed switches also are used to provide network redundancy–critical for high-availability Ethernet applications such as substation automation. Network redundancy provides alternative communications paths should a segment of the physical media be interrupted by failure or for maintenance. Existing IEEE standard redundancy schemes such as the Spanning Tree Protocol and the Rapid Spanning Tree Protocol have limitations, so newer managed switches comply with IEC standard 62439-2, labeled Media Redundancy Protocol (MRP).
Firewalls. Firewalls are designed to examine the traffic flowing through key areas in the network and filter inappropriate or unauthorized traffic. For example, a firewall can prevent unauthorized computers on the corporate network from accessing critical IEDs in the substation while allowing approved devices to connect. A firewall also can block traffic that might be generated by misconfigured equipment, such as Windows computers’ sending excessive messages in what is known as a broadcast storm.
Firewalls must do more than simply filter each message as it passes through the network. The firewall must make decisions based on a combination of access rules and the messages it has observed earlier. For example, if a Web server is sending replies to a client who never sent a request in the first place, something is wrong, and the firewall must detect and block these replies. Yet when the client sends a request, the server’s replies should be allowed. This feature is known as stateful filtering and is critical to reliable security. If it is not used, it can be trivial for attackers to flood victim networks with spurious traffic.
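The request-before-reply rule described above, as an added example that is not part of the original article: a minimal stateful filter that records each approved client request and forwards a server reply only when it matches a recorded session, shown beside a stateless rule that would let any "reply" through. Addresses, ports and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

SERVER = "10.0.1.20"   # constructed address of a substation Web server
CLIENT = "10.0.2.5"    # constructed address of an engineering workstation

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Access rules: which client may open connections to which server port.
ACCESS_RULES = {(CLIENT, SERVER, 80)}

def stateless_decide(pkt):
    """Stateless rule: allow approved requests, and allow anything that looks
    like a server reply (source port 80). Cannot tell a real reply from a
    spurious one, so a flood of fake replies passes straight through."""
    if (pkt.src, pkt.dst, pkt.dport) in ACCESS_RULES or pkt.sport == 80:
        return "ALLOW"
    return "DROP"

class StatefulFilter:
    def __init__(self):
        # Sessions opened by approved requests: (client, cport, server, sport)
        self.sessions = set()

    def decide(self, pkt):
        # Client -> server: allowed only by an access rule; remember the session.
        if (pkt.src, pkt.dst, pkt.dport) in ACCESS_RULES:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Server -> client: allowed only if a matching request was seen earlier.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "ALLOW"
        return "DROP"

def run_stateful(packets):
    f = StatefulFilter()
    return [f.decide(p) for p in packets]

def run_stateless(packets):
    return [stateless_decide(p) for p in packets]

# Constructed traffic: one legitimate request/reply pair, then two unsolicited
# "replies" that no client request ever asked for.
SAMPLE = [
    Packet(CLIENT, 40001, SERVER, 80),      # request: allowed, session recorded
    Packet(SERVER, 80, CLIENT, 40001),      # matching reply: allowed
    Packet(SERVER, 80, CLIENT, 40002),      # no request from port 40002
    Packet("10.0.9.9", 80, CLIENT, 40001),  # reply from a host never contacted
]
```

Running both filters over SAMPLE shows the stateless rule passing all four packets while the stateful one drops the last two.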
Firewall location is also important. While one obvious location is between the substation and the external network, internal subdividing of the substation network into security zones is highly recommended. For example, critical protection equipment typically is firewalled from workstation and maintenance computers–equipment that is less mission-critical and susceptible to common worms and viruses.
All modern firewalls also provide important alerting functions for the overall network, similar to the way a burglar alarm guards a home. For example, the firewall can send warnings of network flooding issues or possible cyberattacks.
Virtual private networks. Another important security technology is the virtual private network (VPN). VPNs create secure encrypted connections known as tunnels between a client device and a server device over an insecure network such as the Internet. For example, a VPN client might be a remote maintenance laptop, and the VPN server might be a security appliance installed on a critical control network. Typically, the client initiates the connection, and the server accepts and authenticates incoming connection requests from one or more clients.
Once a VPN connection is established between a client and a server, the networks upstream of the client and the server are connected together such that network traffic may pass between them. Continuing with the example of the laptop client, the laptop would appear as if it were actually plugged into the network upstream of the VPN server. As such, it would receive a new virtual IP address suitable for the local network and could access other devices as if it were directly connected to that network. When using VPNs, remember that the VPN only secures the tunnel, not the client or the server. To ensure network security, the VPN must be seamlessly integrated into a suitable firewall.
The final step to good system security and reliability is the continuous monitoring of the entire security plan and security systems. Technology and threats constantly are evolving, and the network must keep pace. This involves regularly monitoring the information and alerts generated by the firewalls and switches, a requirement of NERC-CIP.
It also means understanding the changing threat landscape as it applies to the power industry. For example, the recent public disclosure of 34 security vulnerabilities–along with free attack software–for major SCADA packages has led to the hacking community’s active scanning for and attacking of these products.
Diligent system operators must know their systems are vulnerable so they can apply manufacturers’ patches and watch for signs that their systems are under attack. Being proactive and keeping the bad guys out is a lot easier than getting them out once they have penetrated your system and installed their hidden backdoors and root kits.
The monitoring, switching and protection systems in the power transmission and distribution industry are targets for juvenile attackers and professional criminals. Other threats are sure to arise, such as state-sponsored hacking. The key is to be aware of risks to your system–malicious and accidental–and address them. The result will be better security and a safer, more reliable system.
Andreas Dreher is manager of advanced development at Hirschmann, a Belden Brand in Neckartenzlingen, Germany. He is a member of IEC TC57 WG10. Reach him at email@example.com.
Eric Byres is chief technology officer of Byres Security Inc. He is one of the world’s leading experts in critical infrastructure security and is an International Society of Automation (ISA) Fellow. He is chairman of the ISA 99 Cyber Threat Gap Analysis Task Group. Reach him at firstname.lastname@example.org.