Protecting the power grid
By Ken Westin
Federal Energy records show that the nation’s power grid is under some kind of physical or cyber attack nearly once every four days. Over the last few years the proportion of cyber security attacks targeting power grids and transportation networks around the world has increased and this problem is particularly acute in the U.S. At a House Intelligence Committee hearing last November, NSA Director Admiral Michael Rogers revealed that several foreign governments had already hacked into U.S. energy, water and fuel distribution systems. While it’s not possible for any organization to guarantee complete cyber security, there are a number of specific actions that can significantly reduce these risks and improve the ability to detect and respond to cyber attacks in progress.
One of the key reasons critical infrastructure cyber attacks are increasing is that these organizations have become easier to compromise. Most industrial control systems use antiquated software and protocols designed primarily for stability and efficiency, not security. None of these systems were designed to be accessed through the modern interconnected networks used in energy organizations around the world today. Wherever industrial control systems touch traditional IT networks, even indirectly, cyber security risks increase dramatically.
Securing the Grid: Essentials
Industrial control networks were not designed to be connected to corporate networks and to the Internet. For example, two common industrial protocols, Modbus and DNP3, were designed to be both efficient and reliable, with a key goal of avoiding downtime and ensuring systems remained running and stable. Because of that design focus, these protocols by their very nature have none of the security controls we see in protocols widely used on the Internet, such as HTTP. They provide no encryption and not even an authentication mechanism, which makes connecting an industrial network to a traditional corporate IT network very dangerous.
Ideally, ICS/SCADA systems should be segmented and remain as isolated as possible from traditional IT networks, because many ICS systems lack even basic security mechanisms such as authentication and access controls. Network segmentation and isolation are often the only viable security options for ICS devices.
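To make the point about Modbus concrete, here is an added example (not code from the article or from Tripwire): a parser for a Modbus/TCP request that exposes the whole frame, so it is visible that no field carries a credential or signature, plus a segmentation-aware check that flags state-changing function codes arriving from any host outside an assumed engineering-station subnet. The frames, the subnet and the host addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Modbus function codes that change controller state (from the public Modbus spec).
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU.
    Every field is either an identifier, a length or payload; nothing
    authenticates the sender, so any host that reaches TCP/502 may issue it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid = int.from_bytes(frame[0:2], "big")
    pid = int.from_bytes(frame[2:4], "big")       # always 0 for Modbus
    length = int.from_bytes(frame[4:6], "big")    # bytes following this field
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusRequest(tid, pid, length, frame[6], frame[7], frame[8:])

def check_write(src_ip: str, frame: bytes,
                allowed_writers: Iterable[ipaddress.IPv4Network]) -> Optional[str]:
    """Return an alert if a write request comes from outside the allowed
    engineering subnet(s); reads and permitted writes return None."""
    req = parse_modbus_tcp(frame)
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name is None:
        return None
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in allowed_writers):
        return None
    return f"ALERT {src_ip} -> unit {req.unit_id}: {name} (0x{req.function_code:02X}) from outside allowed subnet"

# Constructed samples: Write Single Register (0x06) of 0x00FF to register 1 on unit 1,
# and Read Holding Registers (0x03) for two registers starting at 0 on unit 1.
SAMPLE_WRITE = bytes.fromhex("000100000006010600010 0ff".replace(" ", ""))
SAMPLE_READ = bytes.fromhex("000200000006010300000002")
ALLOWED = [ipaddress.ip_network("10.10.5.0/24")]  # assumed engineering VLAN

if __name__ == "__main__":
    for ip, frame in [("10.10.5.20", SAMPLE_WRITE), ("192.168.1.77", SAMPLE_WRITE), ("192.168.1.77", SAMPLE_READ)]:
        print(ip, check_write(ip, frame, ALLOWED))
```

Run against a span-port capture of the ICS VLAN, the same check turns the segmentation rule into a detection: any write that does not originate from the engineering subnet is evidence the boundary has been crossed.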
NIST SP800-82 R2 is an excellent resource for energy organizations looking to reduce their cyber security risk profile. This document prescribes a defense-in-depth strategy that uses layers of security controls so that the impact of any single control failing is minimized. The 20 Critical Security Controls (http://www.counciloncybersecurity.org/critical-controls/) can be combined with NIST SP800-82 R2 to build a prioritized list of controls for a “defense in depth” strategy. The first four of the 20 CSC focus on foundational controls that must be in place for a layered security architecture to be effective, so these controls are a great place to start. These basic controls are a complete inventory of hardware devices, a complete inventory of software, a process to maintain secure configurations, and a continuous vulnerability assessment and remediation process.
The combination of SP800-82 and the 20 CSC is particularly effective for energy organizations when the two are used together, because SP800-82 tailors the implementation of the 20 CSC to the unique requirements of industrial environments and their application to Information Technology (IT) and Operational Technology (OT) environments.
Reducing the Attack Surface
Industry research and breach analysis indicate that organized syndicates of cyber criminals are targeting energy organizations by taking advantage of specific features within ICS systems and ‘Trojan-izing’ ICS firmware updates. These groups are also stepping up phishing attacks against engineers and plant personnel in order to gain access to energy networks. The same attacks have been used against IT environments in the private sector for years, and as a result technology has emerged that can better identify these newer forms of weaponized, highly evasive malware. Energy organizations evaluating these technologies should vet vendors and solutions carefully, since not all of them are adapted to ICS devices and their uptime and reliability requirements.
The good news is that energy organizations are already grappling with NERC and FERC compliance mandates and these efforts include many security concepts fundamental to an agile, effective security program. Comprehensive cyber security programs for the energy grid that continually reduce cyber security risk and quickly detect any attacks that slip through existing defenses are possible.
The technology solutions and processes necessary to dramatically improve the security of the energy grid are available today; we just need to make the investments necessary to make it happen.
Ken Westin is a security analyst for Tripwire. He is an experienced security researcher and analyst who has worked with law enforcement and journalists to uncover organized cybercrime rings with a special focus on incident detection, forensics and threat intelligence.