by Brad Bauch, PwC
Although the safety and controls systems that operate most of the nation’s power plants are isolated from the Internet and protected against outside invasion, in many cases these systems and other critical infrastructure are decades old. These outdated systems also might be connected to computer networks used to manage administrative systems, providing a potential gateway for hackers to insert viruses, malicious code and worms.
Most power plants use a distributed control system (DCS) to manage operations. Examples of DCS systems include the systems that control generation plants or refineries, computers that manage the flow of oil and gas through pipelines, and the energy management system, which controls the power grid.
These systems have been around for years and are essential to the operation of plants and the electric grid; however, they largely have been ignored from a security perspective. This partially was because the systems were physically separate from any other network and often used proprietary communication protocols. The physical network boundaries, however, have all but disappeared, and standard communications infrastructure is used commonly now. Because of an ever-increasing threat to power grid security, utility companies are rethinking their networks. Many are reverting to age-old techniques such as manual data transfers to maintain an air gap, which separates critical networks from the public Internet and insecure local area networks.
Why Are Operational Systems Vulnerable to Cyberattack?
Operational systems are used to monitor and control the infrastructure. These systems include the supervisory control and data acquisition (SCADA) systems or DCS. Although technically the SCADA system primarily collects data and the DCS controls parts of the environment, often the terms mistakenly are used interchangeably.
Operational systems typically are maintained by plant engineers or operators running the grid. Because of the small number and variety of users, the computerized controls, which are standard for financial systems (such as formal segregation of duties, robust user management, etc.), historically have not been required for these systems. Many legacy systems because of age or design also might not support such technical controls. The Federal Energy Regulatory Commission via the North American Electric Reliability Corp. (NERC) and the Department of Homeland Security (DHS) only recently began to regulate the security of these systems, unlike financial systems, which are regulated under the Sarbanes-Oxley Act. The energy and utility industry also is undergoing a multitude of challenges:
- Energy companies face cost control and regulatory constraints as they increasingly are pressured to demonstrate environmental leadership through use of smart grids, intelligent utility networks, emissions monitoring and advanced water management, all of which require a secure, scalable infrastructure and never-before-seen interconnectivity.
- DCS systems increasingly are subject to cyberattacks. Since 2000, the number of successful cyberattacks has increased tenfold against SCADA systems at power generation, petroleum production and nuclear plants and water treatment facilities. The recent discovery of the Stuxnet worm further highlights the risk to real-time systems. Stuxnet is believed to be the first computer virus or worm specifically written to exploit control system vulnerabilities and sabotage the systems.
- Many electric utilities must comply with NERC Critical Infrastructure Protection (CIP) Standards, which require implementation of security management controls and new systems to meet the requirements.
- The Nuclear Regulatory Commission (NRC) also requires and enforces strict cybersecurity at nuclear power plants.
- Although primarily directed toward chemical companies, the Chemical Facility Anti-Terrorism Standards (CFATS) also might subject to compliance utility, energy and manufacturing companies.
What Can be Done?
Taking a compliance approach to security (i.e., doing the minimum to comply with NERC CIP, CFATS or NRC requirements) is not the most effective use of resources given the potential operational and reputational risks involved with these threats.
Security breaches of several prominent payment card industry-compliant companies reiterate that compliance does not equal security. Companies should design their security capabilities using a flexible framework such as ISO 27000 or Control Objectives for Information and related Technology (COBIT) to provide a solid, controls-based foundation to work from and should help minimize rework as regulatory requirements change.
Companies also might want to leverage information available from the Defense Information Systems Agency’s Security Technical Implementation Guides as well as the Department of Commerce’s National Institute of Standards and Technology (NIST) publications.
These resources provide technical guidance to secure specific systems and resources. In addition, professional organizations such as the Institute of Electrical and Electronics Engineers, American Gas Association, American Petroleum Institute and International Electrotechnical Commission have informative, industry-specific international standards.
Companies should start by assessing their current overall security posture around the SCADA and DCS environments. This should include reviews of network and controls’ design and threat-based penetration testing to simulate attacks.
Generally, control room systems should be air-gapped from other networks and systems. If an actual, physical air gap cannot be maintained, the spirit of this requirement should be enforced. This means strict adherence to controls related to systems that can and cannot be connected to or introduced into the control system network. This may include disabling the ability to connect external media, e.g., USB drives to systems on production networks.
Control room systems should be patched to the highest level supported by their software and hardware vendors. If updates are not supported, work diligently with vendors to ensure vulnerabilities are appropriately mitigated.
In addition to virus detection and intrusion detection and prevention, application white listing should be implemented on critical computer systems. White listing provides a mechanism such that only software known to be safe is allowed to run on a system, all others are blocked. This is one approach to combat the introduction of new viruses and malware.
Regardless of an organization’s perception of its control environments’ strength, it should consider performing tailored, forensic analysis procedures on the network and key servers to determine whether a breach already has occurred.
This is more difficult to accomplish because of the nature of today’s advanced threats. The signatures companies would be looking for are not in the public domain, and the attacks often are company-specific, so commercial software such as virus protection or intrusion-detection systems might not identify these programs or the existence of a breach.
Companies will need to team with a service provider that has in-depth experience responding to such threats. The network traffic analysis is relatively nonintrusive; however, assessing a system might require a full forensic image of the server. Because of the real-time and always available nature of these systems, acquiring these images requires careful coordination and a skilled project team.
Although utilities are considering installing innovative control room technologies to help streamline power plant operations, they must be aware of the security issues lurking in the background. By addressing these issues now, utilities potentially can reap huge savings and alleviate long-term headaches.
What’s a Stuxnet?
A worm? A virus? Or malware that could change the world as we know it? The answer might be all of the above.
A recent Google search on “Stuxnet” generated more than 12 million hits. It’s been the feature story on several major news networks and is a popular topic among bloggers worldwide.
Most say Stuxnet is a sophisticated worm that can be used as a cyberweapon to disrupt software that controls computer control systems. Although specifics regarding the source, target and purpose of Stuxnet are mostly speculation, computer security experts generally accept that its existence puts many of our critical infrastructure systems at greater risk than previously believed.
Brad Bauch is a principal within the power and utilities advisory practice of PwC, Houston, specializing in information technology and information technology security. Reach him at email@example.com.
Past EL&P Issues