By Justin Lowe, Jamie Lasky and Derek Gilbert, PA Consulting
Ensuring the resilience of safety and mission-critical industrial control systems from security threats is vital to ensuring a utility’s future. Mission- and safety-critical systems are at risk from cyber threats, such as hackers, viruses and worms, because of the increased use of standard IT technologies like Microsoft Windows, TCP/IP (transmission control protocol/Internet protocol), Web technologies and wireless.
A study by PA Consulting Group and the British Columbia Institute of Technology showed that almost half of all of the control system incidents resulted from an attack through the corporate network. Although some companies have installed a firewall between the control system and the corporate network, there are numerous reported incidents where hackers and worms have penetrated or circumvented this protection to access the vulnerable control system inside, and the economic consequences can be severe. The PA/British Columbia Institute of technology study also estimated the average cost of a control system incident at $1.8 million (â‚¬1.4 million). Where incidents resulted from a specific targeted attack, the consequences were significantly more severe, and could cost more than $10 million.
Control Systems are Increasingly Vulnerable
Historically, control systems were designed and constructed using proprietary technologies and installed in isolation from corporate IT systems. However, recent trends include basing newer systems on more cost effective platforms, such as Intel or Microsoft Windows. Furthermore, the desire for remote control and management information has led to the adoption of common network protocols and the connection of many of these systems to the corporate IT network.
Although these changes have yielded many business benefits, they have also meant that control systems are increasingly exposed to the same security vulnerabilities as the corporate networks—notably viruses, worms and malicious hacking. Unfortunately, while these changes have been taking place, many organizations have failed to incorporate the appropriate security measures.
The rise in cyber incidents is easily explained. The rapid expansion of the Internet in the late 1990s encouraged hundreds of utilities to use it for remote monitoring and more instant communications.
The corporate IT department, where the security professionals reside, does not usually manage and protect control systems. They are usually maintained by engineering and operations teams who, generally, do not possess the IT and security skills needed to protect these systems from current threats. Consequently, many such systems are vulnerable and remain unprotected.
Addressing These Exposures
Utilities must understand their exposure to risks and implement appropriate security improvements to segregate their systems from other networks and harden the underlying control systems. Utilities that have successfully addressed the risks generally adopt a combined approach, with IT and control operations undertaking risk assessments and security improvements together. The key task is to recognize the vulnerabilities and to initiate an appropriate risk management program. The health, safety, environmental and reputational consequences of control system hacking are just too great to ignore.
Hackers and virus writers are unlikely to stop their activities, and the situation will only get worse.
Most cyber attacks rely on security vulnerabilities. These can include:
- Poor network segregation—in other words, inadequate use of firewalls to separate critical systems from other networks;
- Poor anti-virus protection—this leaves an organization exposed to viruses, worms and Trojan horses;
- Insecure remote connections—potentially allows hackers easy access to process control systems;
- Poor physical security—allows attackers to gain physical access to systems to launch an attack or install unauthorized remote connections to enable a future attack;
- Insecure remote workstations—permits unauthorized access to process control systems;
- Poor monitoring—allows unauthorized activity such as attacks or reconnaissance to go unnoticed;
- Poor response capability—inability to respond effectively in the event of a security incident;
- Lack of backup and restore—results in loss of important data or systems resulting in long system outages following incidents;
- Vulnerable Internet protocol (IP) enabled control devices—vulnerable low-level control devices that can be attacked easily;
- Poor account and password management—policy needs to be formally defined and executed to prevent unauthorized use; and,
- Unpatched software security vulnerabilities in packaged software have not been addressed by the application of manufacturers fixed (security patches)—unpatched systems are easy to attack.
Managing the Risk
PA Consulting Group has worked with major energy companies for many years to address these risks and as a result has developed an approach that can be applied to any utility (see Figure 1). This seven-step approach has been adopted by the UK Government’s Centre for Protection of National Infrastructure (formerly known as NISCC) as recommended good practice for control system security.
1. Understand the business risk.
Click here to enlarge image
Undertake a formal risk assessment of the process control systems (see Figure 2).
- Understand systems. Construct a formal inventory of the control systems, identifying the systems and their role, their business and safety criticalities and location, the system owner (who manages and supports the system) and how the systems interact.
- Understand threats. Identify and evaluate the threats facing the control systems. Possible threats may include: denial of service, targeted attacks, accidental incidents, unauthorized control, or viruses, worms or Trojan horse infections.
- Understand impacts. Identify potential impacts and consequences to the control systems should a threat materialize. These could include: health and safety incidents, damage to equipment, loss of production, breach of regulatory requirements or loss of reputation.
- Understand vulnerabilities. Undertake a vulnerability assessment of the control systems. Such a review should include: evaluation of the infrastructure, operating systems, applications, network connections, remote access connectivity and associated processes and procedures.
Click here to enlarge image
2. Implement secure improvements.
Once the business risk is understood, a coherent set of risk reduction (security improvement) measures must be implemented to form an overall secure architecture for the system.
3. Establish incident response capability.
An effective response capability involves identifying, evaluating and reacting appropriately to new vulnerabilities, changes in security threats and electronic security incidents. Establishing formal response plans and procedures ensures that any changes to the risk profile are identified as early as possible and any required response actions are embarked on quickly to avoid incidents or at least minimize the impact of incidents where they cannot be entirely avoided.
4. Improve awareness and skills.
The objective of this stage is to increase control system security awareness throughout the organization and to ensure that all personnel have the appropriate knowledge and skills required to fulfill their roles.
5. Manage third-party risks.
The objective of this stage is to ensure that all security risks from vendors, support organizations and other third parties are managed.
6. Engage projects.
The purpose of project engagement is to ensure that all projects and initiatives that may impact the control systems are identified early in their cycle and include appropriate security measures in their design and specification.
- Identify all projects that have control systems implications at an early stage in their cycle.
- Establish a single point of accountability for security risk management for the full lifecycle of the project.
- Ensure that standard security clauses and specifications are incorporated in all procurement contracts.
- Include security requirements in the design and specification of projects and ensure that all appropriate security polices and standards are adhered to.
- Undertake security reviews throughout the project development life cycle.
- Plan for security testing at key points of the project development life cycle.
7. Establish ongoing governance.
The objective of this stage is to provide clear direction for the management of control system security risks and ensure ongoing compliance and review of the policy and standards. An effective governance framework provides clear roles and responsibilities, up-to date policy and standards guide for managing control security risks, and assurance that this policy and standards guide is being followed.
PA Consulting Group is an independent, employee-owned, global firm of 3,000 operating from offices across the world, in Europe, North America, Latin America, Asia, and Oceania. They have expertise across key industries and government, including energy, and skills from strategy to IT to HR to applied technology. More information at: www.paconsulting.com.
Vendor to Vendor: We Must Provide Solutions to Support Compliance
By Lee House, GarrettCom
Beyond the obvious needs of bandwidth, standards compliance, flexibility and reliability, two new challenges in the design of networks for the power industry exist: integrating support for international security requirements and enabling “smart grid” initiatives.
Utilities that employ Internet-related services such as carrier-provided MPLS-based virtual private network (VPN) and wireless Ethernet networking benefit from the efficiency, cost-effectiveness and future-proofing of standards-based IP solutions. However, IP-based solutions do increase the risk of cyber attack.
The force of law behind both cyber security and smart grid makes cyber-security software and the supporting network infrastructure to facilitate compliance “must haves.” Smart grid initiatives will rely on IP-based infrastructure and heightened security standards, such as the NERC Critical Infrastructure Protection (CIP) requirements for North American utilities, which will allow utilities to take advantage of Internet technology without incurring unacceptable levels of risk.
The deadline for compliance with current NERC CIP rules is Jan. 1, 2009, for most utilities. A requirement to collect a full fiscal year’s worth of documentation in order to be deemed compliant in June 2010 also exists. Network and software infrastructure components of NERC CIP include an electronic security perimeter (ESP) (CIP-005), a physical security perimeter (CIP-006), and system access control (CIP-007).
ESP requires a firewall with the capability to provide logs and reports of network activity and security events for auditing and network forensics. Virtual private network (VPN) technology—often integrated with today’s router/firewalls—offers additional network protection.
Physical security can be addressed using IP-based video cameras, as well as physical access controls, such as fingerprint, iris scanners or simple badge access. For bandwidth and latency management purposes, high-bandwidth traffic such as video monitoring should be segregated from access and control traffic by using a separate virtual local area network (VLAN), IP-network or VPN within a plant or substation network.
System access control is concerned with online access to systems in the control center as well as to critical cyber assets (CCAs) at substations. For effective compliance, an integrated access control solution must provide comprehensive user authentication and authorization to ensure that only authorized personnel can access systems and devices. Individual user profiles take security to another level by ensuring that personnel can only perform the specific operational functions for which they are individually authorized. Highest security would include two-factor authentication (both a password and an RSA SecurID token), strong-form passwords and archived logging of all sessions—ideally to the keystroke level.
Effective compliance requires central management of security policies, archiving of log data and production of company-wide compliance reports. This central authority (the server function) must push policy and enforcement of security over CCAs at each substation. One architecture to perform this function involves a central proxy-server as the security gateway to remote firewalls. Another architecture distributes access security servers to within each substation. A centralized architecture typically reduces cost and complexity for initial deployment, while a more distributed architecture may provide greater flexibility and advanced security services over time.
When choosing access control solutions, it pays to look for additional benefits, such as the ability of the solution to enhance utility operations via easy-to-use remote access to critical substation devices. Solutions specifically designed for substation environments that provide integrated tools to control, configure and monitor different IED types can offer an effective dashboard, or user interface, to consolidate IED management and organize IEDs and RTUs into graphical directories. Access across complex networks can be simplified to a basic click-through operation. Further, an integrated security software solution, specifically designed for power utility use, that contains preconfigured device-specific profiles can enable applications to be preset and automatically launched, facilitating “˜front panel mode’ IED interaction.
GarrettCom and other vendors must step up to the plate with solutions that combine high availability IP and Ethernet transport technologies with innovative cyber-security solutions. As the compliance deadline draws near, utilities are looking for solutions that simplify compliance with NERC CIP and help enable deployment of smart grid infrastructure.
Lee House is vice president of engineering and CTO of GarrettCom. Lee has 19 years experience in R&D and product development, with a focus on LANs, WANs and IP at companies including 3Com, IBM and Jetstream Communications. Contact him at email@example.com.