By Michael Singer, AT&T Business Solutions
USA Today recently completed an investigation suggesting physical or online attacks to the national power grid in the United States occur “almost once every four days.” While one might quibble with the numerical accuracy of this study, or with the definition of what constitutes an actual attack, few would argue with the clear trend toward increased cyber security issues in the energy industry/content/dam/elp/print-articles/PGI/09/p>
Three powerful forces appear to be driving this cyber security problem in the sector: First, malicious actors of all sorts, including nation state groups, terrorist cells, organized criminals and individual hackers, have raised their games substantially. This advancement of capability is not, however, unique to the energy industry, even though grid components and systems are certainly high value targets. Instead, all industrial sectors, especially ones considered critical infrastructure, are now forced to deal with a more capable cyber adversary.
Second, the components one finds in an industrial control system (ICS), such as sensors, actuators, and controllers, are now massively interconnected across private networks, mobile networks, and even the public Internet. Such energy sector interconnectivity, necessary for low-cost operational control, maintenance and monitoring, clearly increases the attack surface for these grid devices, which are collectively referred to as part of the burgeoning Internet of Things (IoT). The well-known 2010 Stuxnet case in which a computer worm was aimed at logic controllers, illustrates the manner in which malware locates and attacks ICS components over the Internet.
Third, and perhaps most profoundly, the cyber security industry has traditionally built its defensive controls and protective tools for generic information technology (IT) customers, rather than for specific ICS applications. Next-generation firewalls come pre-loaded with the ability to handle Web or corporate application traffic, but few firewalls understand the protocols for communicating with the proprietary safety system attached to an electromechanical heat pump. Even when specific ICS security components are available from vendors -almost always as customized hardware racked appliances-the ICS test and deployment process is lengthy and requires special engineering expertise.
© Can Stock Photo Inc. / olechowski
This process challenge can be illustrated with a typical actuator connected to an electromechanical component. This device was likely manufactured with a proprietary interface that understands electronic pulse controls for basic functions like powering on and off. To provide security for such interfaces, the engineer must understand not only the specifics of authentication, access control and monitoring-three basic tenets of computer security-but also how best to embed these controls into the connection between that actuator and control center.
Improper design can lead to serious problems such as latency-initiated outages or misfiring. The process is further complicated by the plethora of proprietary and legacy sensors, controllers, switches, and other IoT devices one finds in an ICS environment.
The ICS engineer must also contend with the fact that telecommunications and computer security have evolved toward greater reliance on hardware for proper functioning. Hardware increases speed and efficiency, but greatly reduces flexibility and modification, crucial in a typical ICS environment.
In the actuator example cited above, the security solution would likely be provided as specialized hardware that would have to be tested, delivered, installed, monitored, and protected in the optimal physical configuration and locations that could include multiple data centers. This is an expensive endeavor for ICS companies, especially since a typical environment in the energy sector will have hundreds, thousands or even millions of specific endpoints to be connected and protected.
One architectural trend that does provide some relief is the migration of certain ICS control functions onto mobile networks. Often initiated as replacements or backups for existing legacy approaches, wireless protocols such as Wi-Fi or ZigBee reduce the on-premise complexity of local area network switching and routing by offering simpler airborne connections. As radio access network technology and deployments increase in range and power, direct connections to mobile service provider infrastructure further reduce complexity and cost.
In spite of the transition to mobility, ICS security remains complicated by the challenges of dealing with proprietary hardware. To help address this problem, scientists at AT&T Labs and the AT&T Chief Security Office have begun taking advantage of the industry shift to software defined networking (SDN). An SDN removes a great deal of distributed control from network elements, and centralizes this control in a software-based cloud with application programming interfaces (APIs) for third-party extensions. It is precisely these third-party extensions that provide a means for ICS security functions to be more easily embedded via APIs into the control stream.
Furthermore, SDN will provide energy companies with the ability to dynamically embed their own customized virtual protections into their networks using software provisioning. While this process requires that security technology companies virtualize their products, the industry shift from hardware to software is already well underway and includes companies that offer ICS security functions. The shift is driven by the efficiency, cost and extensibility advantages of software virtualization.
Once sufficient progress has been achieved in the virtualization of security products, energy companies should have the ability to provision security on-demand and in real-time into their SDN-powered ICS infrastructure, without the need for expensive and lengthy hardware integration. If under live cyber attack, for example, energy sector security teams will have the ability using SDN to click a link on a provisioning screen to immediately increase the mitigation protection for any ICS component being targeted. Eventually this will lead to the development of learning algorithms that can guide such defensive action through automated provisioning without any human intervention.
While this progression to SDN and virtualization continues to unfold, telecommunications companies can provide the energy sector with interim assistance through expert security consulting, network architecture assessment and cryptographic analysis. Such cross-sector information sharing will strengthen awareness on the part of service providers and their customers. Finally, the near-term prospect of an SDN-powered telecommunications infrastructure is an exciting one and should bring needed cyber security relief to an energy industry under serious attack.
Michael Singer is assistant vice president of mobile, cloud and identity security for AT&T. He joined AT&T’s growth platform team in 2013.