Part II: Safeguarding IEDs, Substations and SCADA Systems
By Paul Oman, Edmund Schweitzer and Jeff Roberts
Modern configurations of electric power control systems and protection devices are essentially systems of distributed intelligent devices that closely resemble networked computing systems. Figure 1 shows a typical substation utilizing a multitude of communications protocols. These protocols are used to connect protection equipment such as breakers, reclosers, relays and intelligent electronic devices (IEDs), to control equipment like programmable logic controllers (PLCs), remote terminal units (RTUs), data processing units (DPUs), communications controllers, local PCs and SCADA devices.
The network topology and remote access points create vulnerabilities that electronic intruders, or hackers, can exploit. Integration and automation engineers need to recognize these vulnerabilities and apply information security (InfoSec) technology to either reduce the risk of electronic intrusion or close it off altogether.
Typical safeguards against computer intrusions involve authentication of communicating partners, securing the connection between sites, encrypting data communication between sites, and identification and remediation of intrusions if and when they penetrate the network. Fortunately, several techniques and processes can be used to safeguard virtually every type of programmable digital device used in electric power systems control and protection.
The cornerstone to all network security is access restriction and user authentication. Beyond that, the concern is with safeguarding communication packets from prying eyes, via encryption, and verifying packet transmission and reception (i.e., non-repudiation). Table 1 contains a synopsis of technologies to safeguard network equipment, ordered by increasing cost and complexity. A closer examination of these tools and technologies follows.
Tools for Mitigating Vulnerability
Access restriction can be both physical and electronic. Physical access restriction is commonplace and will not be discussed here. Electronic access restriction is easily implemented via password or personal identification number (PIN) keyed to systems, individual computers, digital devices, databases or database records. A one-to-many mapping between password or PIN and users, such that a whole group of users has the same password or PIN, is an example of a simple access restriction technique.
User authentication occurs when there is a one-to-one mapping between the user and his or her authentication mechanism. For example, entering a unique password or PIN to gain access to the protected system, device, database or data record allows the protection system to authenticate that person as a legitimate user. There are three vectors of user authentication mechanisms-knowledge, physical and biological. A password or PIN falls in the knowledge vector, a SmartCard or similar device falls in the physical vector, and fingerprints or other biologic characteristics fall in the biological vector.
ID devices are electronic mechanisms that furnish authentication information from one of the three authentication vectors. For example, credit and debit cards, SmartCards, magnetic strips, barcodes, and embedded ID chips are all electromagnetic ID devices.
Biometrics are authentication measures or mechanisms that fall into the biological vector. Fingerprints are the most commonly used. Fingerprinting devices are now available for less than $200, complete with software to create and maintain a database of users’ fingerprints. Retinal eye scans, voice prints, face recognition systems and other biological measurements also are used for multifactor authentication. Application limitations are usually based on cost and/or complexity.
User authentication strength is a function of the number of factors used in the authentication process. For years, single-factor authentication was considered “adequate” for computing systems, but with increased e-commerce and the corresponding increase in electronic theft, many systems now use two-factor and even three-factor authentication. Two-factor authentication requires authentication mechanisms from two vectors, and three-factor authentication requires authentication in all three vectors. Two-factor authentication (e.g., your credit card and PIN) is common in e-commerce, and three-factor authentication (e.g., a password, SmartCard and fingerprint) is often used for access to critical military and proprietary systems.
Audit logs are used to record instances of valid and invalid user authentication and session termination (among other things) so that an activity record exists for every system access, or attempt at system access. Audit logs are indispensable when diagnosing and prosecuting electronic intrusion cases.
Secure modems come in a variety of types and complexities. Simplest are modem key/lock combinations that work in pairs to ensure all communication is conducted between similarly configured pairs (or groups) of modem devices. An authenticated connection is established by the keyed handshaking that occurs when the connection is established; data transmission is not encrypted beyond the normal compression needed for high-speed modem communication. Next are programmable modems with on-board security features that enable creation of user accounts, complete with assigned passwords and dial-out phone numbers. Again, security is limited to authentication upon initial connections, and data packets are not encrypted. Finally, secure encrypting modems have been introduced recently with embedded, secret keys that only work between pairs (or groups) of similarly configured modems. Encrypting modems use both secure authentication and secure data transmission, to safeguard against eavesdropping on public phone lines.
Encryption safeguards the communicated data packet while in transit from source to destination. Unencrypted data communications over phone or network lines are susceptible to phone taps and network sniffers, respectively. For example, a TCP/IP packet or UCA packet transmitted raw (unencrypted) is visible to anyone on the network running a network analyzer in promiscuous mode or someone who spoofs (pretends to be) the destination address. Fortunately, both TCP/IP and UCA permit encrypted data packets. Unfortunately, few electric power service providers are using this capability.
Encryption techniques can be grouped into three broad categories: a) secret key algorithms known only to the transmitter and receiver, b) private keys used in symmetric public encryption algorithms, and c) public/private key pairs used in asymmetric public encryption algorithms. Secret key encryption is typically based on reversible hashing or ciphering algorithms. Symmetric encryption uses a private key to encrypt the message using a public encryption method so anyone knowing your private key can decipher the message. The Data Encryption Standard (DES) is a commonly used symmetric encryption technique. Asymmetric public encryption, like the popular RSA algorithm, uses two keys, one public and one private, so anything encrypted with your private key can be deciphered with your public key. Similarly, anything encrypted with someone else’s public key can be deciphered only with that person’s private key. Private keys cannot be derived from the public key, so two-way secure communication is possible.
Public key infrastructure (PKI) provides a means of issuing and revoking public keys and public key certificates via a Certificate Authority (CA) responsible for verifying public key ownership. PKI enables authentication, encryption and non-repudiation services via asymmetric public key cryptography. Through appropriate use of cryptography and cryptographic algorithms, it is possible to achieve private communications with improved assurance of communicating partner identity, and non-repudiation technology to verify the message was transmitted and received correctly. However, designers of integrated substation solutions and SCADA systems may find that PKI solutions are too slow for supervisory control and power system protection. Single key algorithms may be needed in time-critical applications, leaving PKI for advisory and informational applications over the public network.
Network topology is a crucial factor in determining the security of network accessible IEDs and SCADA and IT systems. Star network topologies with point-to-point home-run lines and no modem connections or public network gateways are the most secure and reliable. Ring topologies suffer from the “one-down, all-down” single point of failure vulnerability, and bus topologies are insecure because all devices have access to all data packets on the bus. Ethernet, the most widely used LAN technology, was originally a bus topology that permitted any device connected to the hub to “see” the data packets meant for all other devices. Fortunately, revised Ethernet standards exist for point-to-point star topologies, and when devices are connected to a switch, rather than a hub, the packet switch ensures that each device only receives the data that was specifically addressed to it.
Firewalls are used to defend a site against external network intrusions. A firewall is a protected gateway that stands between the resources requiring protection and the “outside.” Firewalls create segmented networks with restricted access into and between segments. By setting up layers of segmented, restricted subnets, a hacker who penetrates one layer would have access only to the data and systems within that segment. A firewall can be implemented via a router that filters out undesired traffic, or through more complicated combinations of hardware and software. To be effective, a firewall must guard all access to the internal network, including modem connections and remote network access. Internet Protocol Security (IPSec) and Virtual Private Networks (VPNs) are closely allied technologies that provide the means to protect communications between physically distant sites. IPSec uses encryption to safeguard data and embed authentication information in TCP/IP packets.
A virtual private network (VPN) combines IPSec technology and firewalls to form a point-to-point secure, encrypted connection over public networks. From a privacy standpoint, a VPN appears to be a single internal network. This is often referred to as “tunneling.” By encapsulating data packets within other protocols that permit encryption and allow point-to-point addressing, you can send secure packets from one firewall to another, across a public network. VPNs can be implemented via either software or hardware. VPN boxes are hardware devices that transmit and receive secured, encrypted network packets from similarly configured routers.
An intrusion detection system (IDS) is useful in identifying both internal misuse and external attackers attempting to gain internal access. The intent is to determine if insiders or external users are misusing the system. There are two types of IDS: signature detection systems and anomaly detection systems. Intrusions often have attack signatures (similar to virus signatures), which are patterns associated with system misuse. Signature detection systems match known, observable intrusion characteristics against a database of intrusion profiles and, based on sensitivity settings, determine if a match is likely. The goal is to recognize the attack signature as it unfolds and shut off the attack or notify the system administrator that an attack is occurring. Anomaly detection compares ongoing system behavior against a profile of normal system behavior and warns when anomalous behavior is occurring. For example, an IDS might notice unusually high activity during the middle of the night. When abnormal activity occurs, the IDS may shut it down and/or inform the system operator.
Both IDS types have different advantages and disadvantages, but they both have the same common problem-sensitivity setting. Too sensitive a setting generates false alarms when there is no intrusion. In essence the IDS cries wolf, which distracts and overburdens a systems staff that must respond to each warning. Too insensitive a setting generates false negatives, or misdiagnosed actual intrusions. These are actual intrusions that have gone unnoticed.
Applying the Tools
Once familiar with electronic intrusion techniques and countermeasures, utilities can assess the vulnerability of their facilities and take steps to mitigate risk. Table 2 is a Vulnerability-Mitigation matrix for devices and systems used in electric power generation, transmission and distribution. For each type of device, the associated vulnerability and risk is shown, and the mitigation strategy used to reduce those risks is described. The first row of the matrix shows the nominal risk of physical access to stand-alone protective equipment. In the mitigation column for that equipment, the base set of mechanisms used for access control is defined. In subsequent rows, these are referred to as “Basic Mitigations.”
A variety of tools and techniques can mitigate risk associated with electronic intrusions. The following are recommendations related to securing electric power control and protection systems:
* Use passwords, PINs, data access restrictions, and other means of user authentication to guard against unauthorized access to equipment and systems. Match the strength of user authentication to the criticality of data being protected. Two-factor, and even three-factor, authentication may be appropriate for access to critical SCADA systems.
* For single-factor authentication, passwords are better than PINs. Strong passwords consist of six or more characters with mixed case and special characters. Do not use common words, acronyms, or personal information like birthdays and names that can be cracked.
* Change passwords periodically, and change them immediately after instances of contractor installation and maintenance, after suspected intrusions, and when personnel turnover or strife increases insider risk.
* Use different passwords in differing locales, equipment and systems; do not be tempted by single sign-on ease of use.
* Issue alarm contacts for access, password and settings events. Monitor alarms for intrusion detection and to verify device functionality. Automate alarm responses with preprogrammed disconnects, auto-dial warnings, and increasing audio and visual alarms.
* Log alarms and suspicious activity (e.g., failed password attempts) in nonvolatile storage. Scan audit logs and files regularly.
* Use private communications lines when possible to limit public eavesdropping and potential intrusions. When using public lines, encrypt access and control information such as passwords.
* Implement access hierarchies with different levels of permission for viewing and setting devices. Use segmented network topologies and/or star topologies to increase survivability and avoid “one down, all down” vulnerabilities.
* Secure SCADA and IT systems with virus scanners, firewalls and intrusion detection systems.
* When communicating over the Internet, use VPN or PKI technology to authenticate partners and secure data packets.
* Keep communications systems design and network access information private.
* Use “warning banners” to discourage electronic intrusions and enable electronic monitoring and trespass prosecution.
* Use secure dial-back, encrypting, or authenticating modems or modem-keys.
* Terminate interactive sessions after long periods of inactivity, and ensure that open ports are properly closed so the next user does not inherit unauthorized access privileges.
* Limit the number of failed attempts to enter a password, then disconnect and time-out the communications line after a set limit.
The risk of computer-based electronic intrusions and attacks on the electric power industry is increasing. These attacks already have occurred in the computer and telecommunications industries, and they are increasing in frequency and magnitude. The probability of a serious electronic intrusion into an IED, substation controller or SCADA system is rising. Stronger security measures are needed. Each organization involved in electric power production and distribution must conduct its own risk assessment and decide where to focus efforts. Fortunately, there are many InfoSec tools and techniques, with a wide range of pricing and complexity, that can help safeguard IEDs, substations and SCADA systems. By implementing lessons learned in the computer and telecommunications industries, the electric utility industry can stop electronic intrusions before the power grid’s safety and reliability are compromised.
Paul W. Oman is a Senior Research Engineer at Schweitzer Engineering Laboratories Inc. in Pullman, Wash. Dr. Oman has published more than 100 papers and technical reports on computer security, computer science education and software engineering. He has a Ph.D. in Computer Science from Oregon State University, serves as a Senior Member in the IEEE, and is active in the IEEE Computer Society and the Association for Computing Machinery.
Edmund O. Schweitzer, III founded Schweitzer Engineering Laboratories in 1982 to develop and manufacture digital protective relays and related products and services. He is recognized as a pioneer in digital protection, and holds the grade of Fellow of the Institute of Electrical and Electronic Engineers (IEEE). Dr. Schweitzer received his Bachelor and Master degrees in electrical engineering from Purdue University, and received his Ph.D. from Washington State University. His Ph.D. dissertation was on digital protective relaying.
Jeff Roberts is the Manager of Research Engineering at Schweitzer Engineering Laboratories Inc. in Pullman, Wash. Prior to joining SEL he worked for Pacific Gas and Electric as a Relay Protection Engineer for more than three years. Mr. Roberts holds a BSEE from Washington State University and is a Senior Member of the IEEE.