October 26, 2015 | Written by: Jeffrey Katz
Energy and utility organizations are at the forefront of cyber security attacks. Because of their role as a fundamental necessity of today’s society, they are the most attacked critical infrastructure. The modernization of the electric distribution system, known colloquially as the ‘smart grid’, has to take extra precautions so that the smart grid does not become the hacker-enabled grid. Regulations provide compliance checks but do not always protect against exploits. New vulnerabilities are still being discovered. The cyber security bad actors have the same tools available as legitimate software tool developers: Agile, Cloud, Grid Computing, and web-based forums and sharing sites. These also provide tools that enable less sophisticated hackers to carry out their attacks, even those lower-level hackers who could not devise the attack tool themselves.
The convergence of Information Technology and Operational Technology brings benefits to the grid, but the incompleteness of the convergence may leave gaps in understanding how attacks can happen, and consequently lead to unprotected assets.
One approach to ameliorating the situation is to consider security as another dimension of the equipment profile. Therefore, besides voltages, currents, temperatures and pressures, security information is part of the asset state. In the classic SCADA monitoring situation, an anomaly in a piece of equipment might provoke scrutiny of the upstream or downstream component. In the paradigm of security as another dimension of the asset, the thinking expands: a detection of suspicious network activity might cause examination of the SCADA data of devices on that section of the network. Conversely, SCADA data that does not make sense based on physics may trigger an in-depth look at the related security data. By not separating the IT and OT views of the equipment, there is more to be observed. Using this model, the U.S. DHS motto of “see something, say something” is applied to the various information flows about a particular piece of equipment.
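To make the two-directional correlation concrete, here is an added example (not code from the original post or from IBM) that models each asset with both a physical dimension (SCADA readings) and a security dimension (network-monitoring events on the asset's segment). A network anomaly on a segment triggers a physics sanity check of every device on that segment, and a physically inconsistent reading triggers a look at the security events attached to that device. All device names, segment names, readings, the event field names and the plausibility rules are constructed assumptions for the example.

```python
"""Security as another dimension of asset state, correlated in both directions.
Constructed sample data throughout; nothing here comes from a real utility."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    segment: str                 # network segment the device sits on (assumed attribute)
    readings: dict               # physical dimension: SCADA telemetry
    security_events: list = field(default_factory=list)   # security dimension


def load_assets():
    """Build a constructed inventory and fold network events into the security
    dimension of every asset on the affected segment."""
    assets = {
        "BRK-101": Asset("BRK-101", "segA", {"breaker": "closed", "voltage_kv": 12.5, "current_a": 310.0}),
        "BRK-102": Asset("BRK-102", "segA", {"breaker": "open",   "voltage_kv": 12.4, "current_a": 180.0}),
        "XFMR-7":  Asset("XFMR-7",  "segB", {"breaker": "closed", "voltage_kv": 12.5, "temp_c": 61.0}),
    }
    # Constructed network-monitoring event; the "segment" and "type" keys are assumed.
    net_events = [
        {"segment": "segA", "src": "10.0.1.77", "type": "unexpected_write", "proto": "modbus"},
    ]
    for ev in net_events:
        for a in assets.values():
            if a.segment == ev["segment"]:
                a.security_events.append(ev)
    return assets


def physics_anomalies(asset):
    """Readings that do not make sense physically. The rules are illustrative:
    an open breaker cannot carry current, and the over-temperature limit is assumed."""
    r = asset.readings
    found = []
    if r.get("breaker") == "open" and r.get("current_a", 0.0) > 0.0:
        found.append("open breaker reporting current")
    if r.get("temp_c", 0.0) > 90.0:
        found.append("transformer over temperature")
    return found


def network_triggered_review(assets, segment):
    """Suspicious network activity on a segment -> examine the SCADA data of every
    device on that segment. Returns {asset name: [physics anomalies]}."""
    return {a.name: physics_anomalies(a) for a in assets.values() if a.segment == segment}


def physics_triggered_review(assets):
    """SCADA data that violates physics -> look at that device's security events.
    Returns {asset name: [security events]} for anomalous devices only."""
    return {a.name: a.security_events for a in assets.values() if physics_anomalies(a)}


def correlate(assets):
    """Both dimensions side by side; an asset is flagged when either one is anomalous."""
    report = {}
    for a in assets.values():
        phys = physics_anomalies(a)
        report[a.name] = {"physics": phys, "security": a.security_events,
                          "flag": bool(phys or a.security_events)}
    return report


if __name__ == "__main__":
    inventory = load_assets()
    for name, view in correlate(inventory).items():
        print(name, "FLAG" if view["flag"] else "ok", view["physics"], view["security"])
```

In this constructed run, BRK-102 is flagged by both dimensions at once: it reports current through an open breaker, and it sits on the segment where an unexpected Modbus write was seen. BRK-101 is physically consistent but still gets a look because of the segment event, while XFMR-7 has nothing in either dimension. The point of the model is that neither view alone would have prompted the same scrutiny.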
We must also consider that while TCP/IP is ubiquitous, some equipment might not be appropriate for a routable protocol. We sometimes overlook that a piece of equipment can be IP-connected in part. We could envision that data coming from a device might travel on an IP network, while data going to a device for control might use a completely separate channel, or even a different communication mode or protocol. This is sometimes referred to as using a back channel. Since there is much more outbound monitoring data than inbound commands, the back channel can be lower bandwidth. This might also help alleviate the extra security concerns that wireless communications often add.
In its work, IBM’s security projects sometimes see recurring patterns that need to be addressed. Weak communication protocols can leave some systems more vulnerable. Control system networks lack overall segmentation or antivirus protection. Adding standard operating systems, often as the Man-Machine Interface to a control system, may expose the control devices to common security issues. Control system networks are often not encrypted, and their devices do not keep much logging for forensic analysis of a breach. Security patches cannot be installed on some SCADA systems. In a world where many things (sometimes too many things) are network connected, relying too much on physical security for OT equipment may not be appropriate.
The ‘bad guys’ do not induce every problem. Imagine a control system that is connected to an ERP system, in order to provide gross electric power generation data to a new executive dashboard. If the ERP system has had a web services portal for exchange of electronic purchase orders for years, then someone may not notice that there is now a new potential path from the Internet to the control system.
The best way to think about security is that security is the bond between digital and reality. In other words, if you do not have security, you cannot really trust data from your system. Given this peril, one question utilities might want to answer is: “Who is going to do penetration of the grid operations system first, to find weaknesses that might be exploited? The utility, by engaging a reputable, ethical security probing team, or the enemy hacker?” Because one of them is probably going to investigate your utility this year.
Visit ibm.com/energy to explore more.