Cyber security is five to 10 years behind typical IT systems, although the gap is narrowing. But being behind IT is not a good place to be because “they’re behind the attackers.”
That was one of the messages at the super session on cyber security at the recent IEEE PES conference. Speakers from Sandia National Laboratories, the DOE’s National SCADA Test Bed and NERC addressed the scale of the problem. The solution? Mandatory cyber security standards, which became regulatory requirements on June 1.
Utilities will have a lot of support in the compliance process, however, thanks to the partnership with vendors that the government has encouraged. The companies that developed the enhanced SCADA (Supervisory Control and Data Acquisition) systems on the market today are working now on the necessary cyber security solutions, giving full consideration to the special characteristics of deploying cyber security measures in a mission critical, process control environment.
Companies including ABB, AREVA, GE and Siemens are actively supporting industry and government efforts to enhance control systems and develop cyber security across the energy infrastructure. New “hardened” SCADA systems are being deployed; pilot demonstrations are going on in the real world.
The utilities are chartered with developing a program, and it’s the vendor’s job to support them. The vendors are ready, according to Bill Brownlee, vice president of marketing at Power & Water Solutions division of Emerson Process Management.
“Emerson had someone sitting on the NERC development team creating these regulations, starting back when it was NERC 1300,” said Brownlee. “We were out in front because these standards apply to the majority of our customers.”
NERC CIPs now apply to generation
The U.S. Department of Energy (DOE) designated the North American Electric Reliability Council (NERC) as the electricity sector coordinator for critical infrastructure protection. NERC serves as the Information Sharing and Analysis Center for the electricity sector and also works closely with the Department of Homeland Security (DHS) and Public Safety and Emergency Preparedness Canada (PSEPC) to ensure that the critical infrastructure protection functions are fully integrated and coordinated with the governments of the United States and Canada. NERC, having been involved on the transmission and distribution side of the business, had regulations in place, so it was only logical to task them with developing the critical infrastructure protection regulations (CIPs) that are now being applied to generation.
On June 1, CIPs 02 through 09 became effective as NERC standards. These standards cover cyber assets, security policy, personnel and training, electronic perimeter, physical protection, system security management, incident reporting and disaster recovery. By Dec. 31 of this year, utilities are required to have a plan in place that they are implementing. Compliance is voluntary at this stage, but by the next deadline, Dec. 31, 2008, they must be “substantially compliant.” On Dec. 31, 2009, they must be compliant with a record-gathering process in place.
By Dec. 31, 2010, utilities must be able to prove compliance.
These standards apply not only to the regulated or “deregulated” utilities but to any owner of a power plant that provides power generation to the grid. This would include independent power producers (IPPs) but not co-generators, in some cases. Co-generators would be excluded, in theory, if they operated a captive power plant that did not export power.
“I think in the past, one of the buzz words was security by obscurity,” said Brownlee. “A number of these control systems were built on proprietary technology, which only the vendor understood. It wasn’t practical to hack into these systems because you couldn’t find any information about how to do it. They were less and less connected to the outside world.
“As time went on, many of these systems started using Windows-based operating systems, so more people understood how the operating systems worked and their vulnerabilities. They have the opportunity now to do something.”
Vulnerabilities also crept into the systems as reliance on automation increased. Installing out-of-the-box configurations was also a “big” mistake.
The business system at the utility can be used by attackers like a beachhead to get to the automation network. Connections are not secure; coordination between multiple entities increases vulnerability, as do remote access procedures. Wireless technology is an insecure connection because it “shoots the whole perimeter.” Firewall configuration should be improved and firewall logs reviewed more often.
Information is widely available for attackers to access, too. Locations and diagrams for public projects and vendor product data can be reviewed, and not just by “friendly” interested parties.
Unfortunately, reduction in staff at utilities adds to the problem and remote access procedures are often not secure. Vendors have access and there’s other unsecured activity to be concerned about. And, as obvious as it sounds, companies need to maintain security patches, be sure only the appropriate users have administrative privileges, and advise employees that storing passwords in plain sight is a dangerous practice.
In his July 19, 2005, testimony to the U.S. Senate Committee on Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, and International Security, Paul Skare, product manager at Siemens Power Transmission and Distribution Inc., said that to be successful, a utility needs corporate security policies in place.
“Even the best security built into a SCADA product is insufficient to prevent hacking of a SCADA system if not complemented with a strong security policy and security enforcement program by the users of the SCADA system themselves. This requires a security manager, a security awareness program, and periodic changes of username/password with special content requirements (no more yellow sticky notes!) and audits.”
The cost ‘will be people’
None of this should come as a surprise to the utilities. “Time wise, it’s reasonable,” Emerson’s Brownlee said. “It’s not something that’s been sprung on them. They’ve been involved with the formulation of the regulations, fully onboard, as have the vendors, creating the software components that they need in their system and a framework that will fit the system. The tools are there.”
Emerson, for instance, has teamed up with Symantec to add virus protection, scanning and other capabilities. But how much will this cost?
Utilities can do it all themselves or “turn-key” it. It depends largely on how well the companies are structured internally. For the smaller companies, it might be a bigger problem to develop a security policy. They have to audit it and drive it from the IT levels, clear down to the control levels. There will be some expense, and there will be some push back from the controls department, but it’s a matter of defining the policy and assigning someone at a high level to be responsible within the utility for compliance with these regulations.
There’s plenty of help for the utilities to call upon. There’s no shortage of qualified consulting expertise from companies like KEMA, and vendors like Emerson are putting packages together that combine service and other products.
For Emerson, for instance, whose products were designed with security systems already in place, it wasn’t a huge jump to refine their products based on the NERC CIPs. “The software update is, cost wise, quite trivial. The internal infrastructure is where the cost will be,” said Brownlee. “The cost will be people.”
According to Brownlee, most utilities are not price buyers. They understand what they’re getting into. But some of the merchant plants now owned by financials, rather than strategics, might not have the infrastructure in place to make the right decision.
“But they’re not the big players, they’re a small percentage of the generation assets,” said Brownlee. “Most of the plants owned by the financials are part of the gas-fired fleet so they can’t afford to buy fuel for them anyway. It’s unlikely someone is going to come in and shut them down.”
One of the best things about the NERC standards is that they aren’t entirely prescriptive. They allow power generators to figure out what they need to do. “The bottom line is that they are all good things to do no matter what process you’re involved with. Yes, they apply to NERC but they also fit with other industries as well,” said Brownlee.
Electric utilities cannot simply invest in every cyber security improvement, due to the cost, noted Siemens’ Skare in his testimony. “It is not only a few computer systems that need to be addressed, but their entire control system infrastructure, from the control center on out to every monitored substation and on out to each field device. Utilities need to be able to bring these costs into their rate structures, and this cannot happen without the support of each state’s public utilities commission.”
Different levels of vulnerability
Brownlee didn’t play down the importance of cyber security for generation, but did explain to what level the damage would pervade. “In the worst case scenario, if someone could hack in, what they really could do is shut the unit down. It’s unlikely that they can do anything like destroy the generation plant through the control system.”
If all the boundaries failed it would cause a plant trip, not sustained damage. The plant could then recover and start back up.
The threat of a physical attack will always be there, but according to Brownlee, while terrorists can physically take the unit off-line for a while, typically the generator protection and the steam turbine protection and all the protection systems built into the control strategies would prevent any long term damage from occurring from that attack.
CIP 09 addresses the need for a disaster recovery plan. If the control system’s memory is erased, for instance, the plant operator has a backup, and they can get the unit back on line very quickly.
“The intent of some of these cyber attacks is to attract widespread media coverage,” added Dan Simon, manager of product marketing, Power & Water Solutions division of Emerson Process Management. While terrorists could attack multiple plants at the same time, that kind of large scale denial of service attack is generally not going to shut the control system down. It might impede the flow of information from the control system back to corporate headquarters, but it wouldn’t affect generation.
The real vulnerability is still on the physical side. If several miles of a key transmission corridor are blown up, that’s a much longer term recovery process.
“The guys on the distribution and transmission side have more worries because they have larger footprints of unprotected assets. The generating plant is nice because it’s all inside the fence, it’s tight and self-contained. It’s a little easier to police,” said Brownlee.
A specialized IT attack: SQL injection techniques
SecureWorks, a managed IT security service provider, is alerting organizations around the country to be on the lookout for IT attacks using SQL (Structured Query Language) injection techniques. SecureWorks is seeing an increase in the volume of sophisticated SQL injection attacks for its 1,300 utility, banking and healthcare clients.
In an SQL injection attack, the attacker adds SQL code to a web form input box to gain access to resources or make changes to data. Customers input information in online web forms when adding or disconnecting their electrical service, activating or deactivating their meter, or contacting a utility company for more information.
Although a Network Intrusion Prevention System (NIPS) provides protection from SQL injection attacks, SecureWorks’ security analysts recommend that utility companies also secure their web applications themselves, because attackers can use a variety of evasion techniques, including SSL encryption, to get past external defenses, and a NIPS does not inspect encrypted traffic.
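The point SecureWorks makes, as an added example that is not from the article, SecureWorks or any utility vendor: a constructed meter-lookup form handler in Python, in its vulnerable string-concatenation form beside a hardened form that allow-lists the field format and binds the value as a query parameter. The `accounts` table, its columns and the `M` plus six digits meter ID format are assumptions made for the example.

```python
import re
import sqlite3

# Assumption for this example: meter IDs are always "M" followed by six digits.
METER_ID_RE = re.compile(r"^M\d{6}$")


def build_db() -> sqlite3.Connection:
    """Create an in-memory customer table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (meter_id TEXT, customer TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("M000123", "A. Customer", 1), ("M000456", "B. Customer", 0)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, meter_id: str) -> list:
    """Vulnerable: the web form field is pasted straight into the SQL text,
    so any quote character or keyword in it becomes part of the query."""
    sql = f"SELECT meter_id, customer FROM accounts WHERE meter_id = '{meter_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, meter_id: str) -> list:
    """Hardened: reject anything outside the expected format, then bind the
    value as a parameter so the database engine treats it purely as data."""
    if not METER_ID_RE.fullmatch(meter_id):
        raise ValueError("meter_id does not match the expected format")
    sql = "SELECT meter_id, customer FROM accounts WHERE meter_id = ?"
    return conn.execute(sql, (meter_id,)).fetchall()


def compare(field_value: str) -> dict:
    """Run the same form input through both handlers for side-by-side review."""
    conn = build_db()
    result = {"unsafe": lookup_unsafe(conn, field_value)}
    try:
        result["safe"] = lookup_safe(conn, field_value)
    except ValueError as exc:
        result["safe"] = str(exc)
    return result


if __name__ == "__main__":
    print(compare("M000123"))
    # A field value carrying a quote and SQL text: the unsafe handler's WHERE
    # clause becomes always-true and returns every account; the safe handler
    # rejects the value before any SQL is built.
    print(compare("' OR '1'='1"))
```

Because the check lives inside the application, it applies equally to requests that arrived over SSL, which is exactly the traffic a NIPS cannot inspect.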
Need more information? These websites provide in-depth information on cyber security:
- www.sandia.gov/scada – Sandia National Laboratories, the Center for SCADA Security
- www.inl.gov/scada – Idaho National Laboratories, National SCADA test bed program
- www.controlsystemsroadmap.net – The Roadmap to Secure Control Systems in the Energy Sector
- http://www.nerc.com/~filez/cip.html – North American Electric Reliability Council, Critical Infrastructure Protection Committee (CIPC)