
Defense in Depth Cyber Security for Substation Communications

This week, the largest electric utility trade show and conference in the U.S., DistribuTECH, is being held.

One of the tracks in the conference portion of the event is “Defending the Grid.” The prominence of the topic at this show, along with recent high-profile hacking attacks (Sony, Target) that have caught the attention of top management in all industries, add up to one thing – it’s time to look at or review the state of cyber defenses at your substations.

It’s not a surprise that critical infrastructure, such as the electrical grid, has been an increasing target for sophisticated cyberattacks. What may be news to you, however, is the fact that the legacy devices and protocols used in substations are particularly vulnerable to both intentional and accidental cyber incidents.

What then is the right approach to take to secure substations? It starts with the best practice of Defense in Depth.

Defense in Depth – Multiple Layers of Protection

If you are an engineer in North America, you are familiar with NERC (the North American Electric Reliability Corporation), which sets standards for the operation of power systems across the U.S., Canada and parts of Mexico. It has a standard called NERC CIP (CIP standing for Critical Infrastructure Protection) that requires compliance with minimum security requirements.

Unfortunately, NERC CIP has at its core an electronic security perimeter (ESP) philosophy based on hiding all critical assets behind a monolithic boundary. For example, a single firewall could be installed on the boundary between all critical control assets and the business network, with the hope that it will prevent all unauthorized access to the critical assets.

Industry experience has shown that monolithic designs present a single point of failure in a complex system. Few systems are so simple as to have single points of entry.

For example, this is what the U.S. Department of Homeland Security has found:

“In … hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections … .”

With the help of Murphy’s Law, eventually all single-point solutions are either bypassed or experience some sort of malfunction, leaving the system open to attack.

A more realistic strategy is based on Defense in Depth – multiple layers of defense distributed throughout the control network.

Defense in Depth maintains an ESP firewall between the business and control networks, but adds security solutions inside the control system that protect the substations if the main firewall is bypassed. The solutions work in parallel, with one technology often overlapping with others, to form a significant safeguard against either attack or human error.

The techniques used should be based on a risk assessment of critical assets and processes. From that assessment, a multi-layer defense model is developed that combines protection technology with other controls, such as physical security, policies and procedures.

A network protected using a Defense in Depth strategy responds to threats, such as a traffic storm (caused by device failures) or a USB-based virus, by limiting the impact to the zone where the problem started. Alarm messages from the firewalls would pinpoint the zone and even the source of the problem.

Routing Firewalls Guarding the Substation Perimeter

To create a security perimeter for the substation, a security control point needs to be established to restrict and monitor traffic flowing into and out of the substation.

Typically, this will be a dedicated firewall, but in some cases a router or terminal server can be used. These need to be able to filter large amounts of traffic and interface transparently with IT systems using authentication protocols such as RADIUS and TACACS+. It is critical that this device is both security hardened and monitored for indications of attack.

There are two primary options for implementing network security technologies for a substation:

Industrial firewalls that control and monitor traffic, comparing the traffic passing through to a predefined security policy and discarding messages that do not meet the policy’s requirements. Firewalls can be installed both at the ESP boundary and between internal zones.

VPNs (Virtual Private Networks) are networks that are layered onto a more general network using specific protocols or methods to ensure “private” transmission of data. VPN sessions tunnel across the transport network in an encrypted format, making them “invisible” for all practical purposes.

Transparent Firewalls to Protect Core Processes

Transparent firewalls, such as the Tofino Xenon, are security devices with special features for industrial use. At first glance, they appear on the network like a traditional Ethernet switch, but they actually inspect network messages in great detail.

The “transparent” feature allows them to be dropped into existing systems without readdressing the station devices. This means that organizations can retrofit security zones into live environments without a shutdown. They also allow security controls to be installed within a single subnetwork, for example within a large process bus.

The “firewall” feature provides detailed “stateful” inspection of all network protocols so inappropriate traffic can be blocked. For example, rate limits can be set to prevent “traffic storms” while deep packet inspection rules can be set to prevent inappropriate commands from being sent to IEDs or controllers.
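As an added illustration of the layers described above (zone-to-zone rules at a security control point, a rate limit that contains a traffic storm to the zone where it started, deep packet inspection of commands sent to IEDs, and alarms that pinpoint the zone and source), here is a small Python model written for this page. It is not code from the original article or from the Tofino product. The zones, addresses, rules and Modbus/TCP traffic are constructed for the example; the split between Modbus read function codes (1–4) and write codes (5, 6, 15, 16, 22, 23) follows the Modbus specification, while the rule and alarm structure is hypothetical.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MODBUS_TCP_PORT = 502
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}  # function codes that change device state


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ts: float            # seconds, used by the rate limiter
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    allow_modbus_writes: bool = False  # DPI switch: may this flow carry write function codes?


def modbus_frame(function_code, body=b""):
    """Minimal Modbus/TCP frame: 7-byte MBAP header, then the PDU (constructed sample input)."""
    pdu = bytes([function_code]) + body
    return b"\x00\x01\x00\x00" + (len(pdu) + 1).to_bytes(2, "big") + b"\x01" + pdu


def modbus_function_code(payload):
    """The function code is the first byte after the MBAP header; None if the frame is truncated."""
    return payload[7] if len(payload) >= 8 else None


class ZonedFirewall:
    """Hypothetical zoned firewall: rate limit, then zone policy, then deep packet inspection."""

    def __init__(self, zones, rules, storm_limit, storm_window):
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.rules, self.storm_limit, self.storm_window = rules, storm_limit, storm_window
        self._recent = defaultdict(deque)  # src -> timestamps seen inside the window
        self.alarms = []

    def zone_of(self, ip):
        addr = ip_address(ip)
        return next((n for n, net in self.zones.items() if addr in net), "unknown")

    def _alarm(self, kind, pkt, detail):
        # Every alarm names the zone and host so operators can localise the fault.
        self.alarms.append({"kind": kind, "zone": self.zone_of(pkt.src), "src": pkt.src, "detail": detail})

    def _is_storm(self, pkt):
        q = self._recent[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.storm_window:
            q.popleft()
        return len(q) > self.storm_limit

    def filter(self, pkt):
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if self._is_storm(pkt):  # layer 1: a flooding device is contained to its own zone
            self._alarm("rate_limit", pkt, f"more than {self.storm_limit} packets in {self.storm_window}s")
            return "DROP"
        key = (src_zone, dst_zone, pkt.proto, pkt.dport)  # layer 2: explicit zone-to-zone policy
        rule = next((r for r in self.rules if (r.src_zone, r.dst_zone, r.proto, r.dport) == key), None)
        if rule is None:
            self._alarm("policy", pkt, f"no rule for {src_zone}->{dst_zone} {pkt.proto}/{pkt.dport}")
            return "DROP"
        if pkt.dport == MODBUS_TCP_PORT and not rule.allow_modbus_writes:  # layer 3: DPI
            fc = modbus_function_code(pkt.payload)
            if fc in MODBUS_WRITE_CODES:
                self._alarm("dpi", pkt, f"Modbus write function code {fc}")
                return "DROP"
        return "ACCEPT"


def run_demo():
    """Push constructed traffic through the firewall; returns verdicts and alarms."""
    fw = ZonedFirewall(
        zones={"scada": "192.168.10.0/24", "engineering": "192.168.30.0/24",
               "bay": "192.168.20.0/24", "business": "10.0.0.0/16"},
        rules=[Rule("scada", "bay", "tcp", 502, allow_modbus_writes=True),  # master may write
               Rule("engineering", "bay", "tcp", 502),                      # read-only monitoring
               Rule("bay", "scada", "tcp", 502)],
        storm_limit=20, storm_window=1.0)
    ied, master, eng, office = "192.168.20.11", "192.168.10.5", "192.168.30.8", "10.0.5.7"
    traffic = [
        Packet(master, ied, "tcp", 502, 1.0, modbus_frame(3, b"\x00\x00\x00\x0a")),   # read registers
        Packet(master, ied, "tcp", 502, 1.1, modbus_frame(6, b"\x00\x01\x00\xff")),   # write register
        Packet(eng, ied, "tcp", 502, 1.2, modbus_frame(4, b"\x00\x00\x00\x01")),      # read, allowed
        Packet(eng, ied, "tcp", 502, 1.3, modbus_frame(16, b"\x00\x01\x00\x01\x02\x00\x00")),  # write: DPI drop
        Packet(office, ied, "tcp", 502, 1.4, modbus_frame(3, b"\x00\x00\x00\x01")),   # no rule: policy drop
    ]
    # A failed bay device emits 30 packets in 0.3 s: a traffic storm; the 21st onward is dropped.
    traffic += [Packet("192.168.20.9", master, "tcp", 502, 5.0 + i * 0.01, modbus_frame(3, b"\x00\x00\x00\x01"))
                for i in range(30)]
    verdicts = [fw.filter(p) for p in traffic]
    return {"verdicts": verdicts, "accepted": verdicts.count("ACCEPT"),
            "dropped": verdicts.count("DROP"), "alarms": fw.alarms}


if __name__ == "__main__":
    result = run_demo()
    print(result["accepted"], "accepted,", result["dropped"], "dropped")
    for alarm in result["alarms"]:
        print(alarm)
```

Running it shows the three layers acting independently: the engineering host's write is stopped by inspection even though the zone rule allows the flow, the office host is stopped by policy before any inspection happens, and the flooding bay device trips the rate limiter with an alarm that names its zone and address, so the rest of the station keeps operating.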

Defense in Depth means using multiple, overlapping layers of protection to secure critical infrastructure.
