Reliability
Cyber Security Strategies
By: William Atkinson
The North American Electric Reliability Corp.'s Critical Infrastructure Protection (CIP) Standards (CIP-001 through CIP-009) provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system.
While utilities have always had a responsibility and a commitment to both physical security and cyber security, the new standards make these requirements more formal, uniform and widespread.
Certainly, management is a critical component. But technology plays an equally important role. It is impossible to meet the NERC CIP standards without a combination and balance of both.
Finjan, a Web security company focused on protecting data for companies, works with utilities on technology aspects of cyber security. The need is critical. "From January through mid-February of this year alone, we found over 10 gigabits of stolen data from companies," said Yuval Ben-Itzhak, chief technology officer for Finjan. "This means that criminals have been remotely controlling software running on desktops in these companies, and the users weren't even aware of it. They had no idea that anything was wrong. However, the criminals were watching everything that was done and even stealing data from these companies."
According to Ben-Itzhak, utilities need to make sure their computer systems are heavily protected from those who are trying to tear down the systems for fun or glory, or from those who want to cause damage as part of a terrorist attack. Finjan offers products that can help utilities meet current regulatory requirements for cyber security.
Holyoke Gas & Electric in Massachusetts hired GarrettCom for help in keeping its computer assets secure. Because the municipal utility is part of the grid, it must have security and network access control to allow it to share data safely and securely with other utilities. And since it is also an Internet service provider, it must meet homeland defense mandates, such as wiretap and tracing laws.
HG&E uses GarrettCom's industrial-hardened Ethernet switches to manage generation operations, physical security and cyber security. The utility selected GarrettCom's Magnum 6K-series switches and DX router/terminal services for deploying Ethernet into its substations and remote facilities. HG&E selected GarrettCom because the switches are hardened to operate in the high heat of summer and the freezing temperatures of winter. "We wanted a switch that could give us management right out to the sites," said Adam Jasioskowski, network administrator for HG&E. The utility has hydroelectric stations and substations.
GarrettCom's MNS-6K network management software provides security functionality for the switches. The switches support the utility's security and surveillance equipment, including VOIP, video surveillance, access card readers and entry key controls. The MNS-6K also supports ISP and NERC CIP security requirements, including secure cyber perimeters for critical infrastructure and system reliability. "The technology has the ability to do voice, data and video, and segregate them in their own virtual networks and control them," said Tim Haas, senior network engineer for HG&E. "We have been migrating our standard physical intrusion alarm systems from the conventional alarm system to an IT-based system, and we transport all of that across the Garrett switches as well."
"Overall, the technology has allowed us to manage everything and bring back our physical security and electronic security into our network, so that a couple of people on a PC can manage it all," said Jasioskowski.
Regardless of the type of technology, it must provide a "boy in the bubble" type of protection, according to executives at RedSeal, which builds software that assesses the overall security posture of an organization. The "boy in the bubble" refers to a boy who was so susceptible to germs and infections that he had to live inside a large, sterilized plastic ball.
"A company's IT infrastructure has a lot of pieces in it," said Steve Dauber, vice president of marketing. "It has a lot of routers, firewalls, hosts, etc. They work together to deliver end-to-end security." The problem is that most software tools just look at one device at a time, Dauber said. To manage security effectively and comprehensively, one must understand how all of these things work together.
"Our software collects data from all of these devices, analyzes how they are interacting, and provides information on the combination of security on all of the devices," said Dauber.
What are the implications specifically for utilities? "We have a number of utilities as customers," said Mike Lloyd, chief scientist for RedSeal. "All of them have SCADA networks, but they also have a 'split world'—the SCADA infrastructure and the 'corporate' environment." The challenge utilities face is that both of these have been changing and merging, so a lot of utilities are struggling with the differences between these two worlds—the world of the desktop in the main office, and the world of the power generation and distribution facilities. "Since it is no longer possible to maintain these as two separate networks, this is causing problems for utilities," said Lloyd.
SCADA infrastructure is designed for power distribution and control, and it is quite old, said Lloyd. The problem is how to keep this area well defended. The IT infrastructure is getting more complicated, and it is also very delicate.
The solution, according to Dauber and Lloyd, is to make sure you have a perimeter around the critical generation facilities, and this is proving to be a real problem for many utilities. "Most of the discussion around cyber threats to utilities is based around their control systems, as opposed to their corporate networks," said Dauber. The concern is that an intruder could come in, take control of one of the critical control systems and shut down the grid.
Dauber identified four different threats. The lowest level is "cyber mischief," such as a hacker who causes a problem on purpose or inadvertently. The next is extortion. "Everyone is quiet about this type of problem," said Dauber. "However, there have been some instances, especially outside the United States, where criminal rings have hacked into utility control systems, taken control of them, and demanded extortion payments. If the payments weren't made, they have actually caused multi-city outages." The third and fourth levels are cyber terrorism and cyber warfare, where state entities attempt to gain control of the network. "These are serious not only for the individual utilities, but for the nation as a whole," said Dauber. "This is where some of the new regulatory mandates from NERC and FERC are coming in, requiring utilities to protect these control systems."
According to Dauber, control systems, unlike traditional IT systems, were not designed for security. "They were designed for availability, because the number one criterion is reliability of the electrical grid," he said. There has been a lot of discussion about how to make these systems secure, and most of it has been about what can be done to the control systems themselves.
"This misses the point," said Dauber. "You may be able to improve some control systems, but most of them are old and are inherently insecure because they're not being updated anymore."
The way to provide security is to put the whole system in a "bubble" that restricts access, and then be very careful about who is allowed into the "bubble." The most effective approach, from a cost and security point of view, is to treat the whole set of control systems in the same way, Dauber said. "They can be made better individually from a security point of view," he said. "However, if you look at the total set of control systems, you can't get to the point where they are secure in and of themselves. Again, you need to treat them like the 'boy in the bubble.'"
In fact, this is part of what the new regulations require. NERC CIP-005-1 (Electronic Security Perimeter[s]) "requires the identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter."
However, achieving this requirement can be more difficult than it may initially seem, Dauber said. "It seems easy to say that you're going to put up a 'bubble' and buy a firewall, and then decide that you're done," he said. "However, be sure that it is a real 'bubble,' not one with a bunch of holes in it."
"The single greatest target of hackers has been credit card data," he said. The standard for credit card security (the Payment Card Industry [PCI] Data Security Standard) also mandates that a bubble be placed around servers that hold credit card data. However, according to Dauber, two-thirds of companies that receive PCI audits fail them, because their "bubbles" are not correctly configured.
"Interestingly, credit card data is actually easier to control than utility control systems, because it is sitting in data centers, which tend to be isolated, with the information all located in one place," said Dauber. "And still, two-thirds of companies are failing their audits."
RedSeal builds a system that allows utilities to construct and maintain the "bubble." It watches a utility's network architecture and system to make sure the utility has actually implemented the "bubble" that it intended to implement around its control systems.
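The point Dauber makes about tools that look at one device at a time, and about a "bubble" with holes in it, can be shown with a small end-to-end reachability check. The following is an added illustration, not RedSeal's software or any utility's configuration: the zones, devices, addresses and access-list rules are all constructed. Each firewall, inspected on its own, correctly permits only the intended flows; the hole is a forgotten legacy router that links the corporate zone straight to the control zone with no filtering, which only an analysis across all devices reveals.

```python
from ipaddress import ip_address, ip_network

# Constructed model: zones joined by devices, each with an ordered ACL.
# Rule: (action, src_net, dst_net, port); first match wins, implicit deny.
# A device whose ACL is None forwards everything (no filtering at all).
DEVICES = {
    "fw-corp": {"links": ("corp", "dmz"),
                "acl": [("permit", "10.1.0.0/16", "10.2.0.10/32", 443),   # corp -> jump host only
                        ("deny", "0.0.0.0/0", "0.0.0.0/0", None)]},
    "fw-scada": {"links": ("dmz", "scada"),
                 "acl": [("permit", "10.2.0.10/32", "10.3.0.0/24", 502),  # jump host -> control LAN
                         ("deny", "0.0.0.0/0", "0.0.0.0/0", None)]},
    "rtr-legacy": {"links": ("corp", "scada"), "acl": None},              # the hole in the bubble
}

# Constructed audit flows: (src_zone, dst_zone, src_ip, dst_ip, port, intended_path)
# intended_path None means the flow must not reach dst_zone at all.
FLOWS = [
    ("corp", "dmz", "10.1.5.5", "10.2.0.10", 443, ["fw-corp"]),
    ("dmz", "scada", "10.2.0.10", "10.3.0.20", 502, ["fw-scada"]),
    ("corp", "scada", "10.1.5.5", "10.3.0.20", 502, None),
]

def permits(acl, src, dst, port):
    """First-match ACL evaluation for one device; no ACL means pass everything."""
    if acl is None:
        return True
    for action, s_net, d_net, p in acl:
        if (ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net)
                and (p is None or p == port)):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def find_paths(src_zone, dst_zone, src, dst, port, devices=DEVICES):
    """Enumerate every device path that lets the flow reach dst_zone end to end."""
    found = []
    def walk(zone, path, seen):
        if zone == dst_zone:
            found.append(path)
            return
        for name, dev in devices.items():
            a, b = dev["links"]
            if zone not in (a, b) or name in path:
                continue
            nxt = b if zone == a else a
            if nxt not in seen and permits(dev["acl"], src, dst, port):
                walk(nxt, path + [name], seen | {nxt})
    walk(src_zone, [], {src_zone})
    return found

def audit_esp(flows=FLOWS, devices=DEVICES):
    """Map each flow to the paths that reach its destination other than the intended one."""
    holes = {}
    for src_zone, dst_zone, src, dst, port, intended in flows:
        for path in find_paths(src_zone, dst_zone, src, dst, port, devices):
            if path != intended:
                holes.setdefault((src, dst, port), []).append(path)
    return holes
```

Run on the constructed model, the audit reports that corporate traffic reaches the control zone through rtr-legacy, a path neither firewall's own rule base would ever show.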
"PCI auditing has been occurring for a couple of years," said Lloyd. "NERC CIP auditing is just beginning, so utilities need to get started on this so they can get ahead of the wave of audits."
Copyright © 2004-2010, American Public Power Association