Cyber Security and NERC CIP5
By Dave Thomas
As the number and severity of cyber attacks against critical infrastructure continue to rise, the risk management challenges for utilities are quickly multiplying. In parallel, utilities are facing the need to comply with the North American Electric Reliability Corporation’s (NERC’s) latest Critical Infrastructure Protection (CIP) requirements.
As if the problem of cyber attacks wasn’t sufficiently challenging on its own, utilities must now address this issue in line with the NERC CIP structure. If they fail, they create for themselves another risk: significant fines for non-compliance.
According to the Department of Homeland Security, at least 40 percent of critical infrastructure cyber attacks target the energy sector. For obvious reasons, one of the most vulnerable elements of a power utility’s network is the remote substation. Its characteristics make it one of the most challenging to properly secure.
Combining security appliances creates a network that is more resistant to intrusion.
From a physical standpoint, one can look to the news to see attacks in the form of sabotage, gunfire, arson and the like. Similarly, from the cyber perspective, there has been a steady stream of reports about hackers accessing substation control systems. These attacks commonly take the form of malware, “man-in-the-middle attacks,” remote network access, or even physical media breaches.
A cyber attack on these sites is particularly worrisome because of the difficulty for qualified cybersecurity and SCADA network experts to respond immediately. This drives the need for solutions that can be monitored, managed and reconfigured as needed from a central site.
According to NERC data, there are two areas where most violations are noted. They are:
- Systems security management, which is focused on port control and access, patch management, malicious code detection and prevention, incident log capabilities and access controls; and
- Electronic security perimeters, which aim to manage electronic access by guarding against compromise; provisions also have to be included to ensure protection against internal breaches, whether accidental or intentional.
Addressing the issues of systems security management and electronic security perimeters, as well as other concerns, calls for a solution that provides resilient cybersecurity controls for remote substations in compliance with the NERC CIP standards.
Ideally, such a solution would function as a comprehensive SCADA/IED security appliance. It would have security and efficiency advantages, such as the ability to dynamically reconfigure each SCADA/IED device within a remote substation. This would include Internet Protocol security (IPsec) for encryption, virtual private network (VPN) tunnels, separate access controls, whitelisting to limit access, and remote event collection into a centralized logging system.
What is likely to become the norm for utilities is a dynamic cyber risk management approach. This strategy, which aligns with NERC CIP 5, the latest series of standards, puts a premium on the ability to adjust the controls to new threats as they develop. It means security managers will have to invest in highly adaptable security solutions.
Elements of such a NERC CIP 5-compliant solution should include the following:
- SCADA-aware firewall;
- Dynamic configuration for detection and deep analysis of various SCADA protocols;
- Anomaly detection for traffic spikes;
- Failover communication redundancy;
- Automatic detection of “normal” baselines; and
- Comprehensive software tools to implement, manage and document all the previous functions.
Implementing these elements, ideally in a single device, allows utilities to deploy managed cyber security controls that address remote substation vulnerabilities. SCADA-aware data attack detection and prevention mechanisms, for example, ensure service validation. Each data packet entering each port on the switch can be examined to match it to defined rules and guarantee it is a legitimate packet and not the first shot in a cyber attack.
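To make the per-packet rule matching above and the traffic-spike anomaly detection in the element list concrete, here is an added example (not RAD's product code or any vendor's): a minimal SCADA-aware allow-list filter for Modbus/TCP frames plus a per-source sliding-window rate check. The source addresses, permitted function codes and rate threshold are constructed for illustration; a real appliance would learn the "normal" baseline rather than take a fixed number.

```python
import struct
from collections import defaultdict, deque

# Allow-list rules (constructed for this example): function codes each source may send.
# 3 = Read Holding Registers, 4 = Read Input Registers, 6 = Write Single Register,
# 16 = Write Multiple Registers. Only the engineering workstation may write.
RULES = {
    "10.1.1.10": {3, 4},         # HMI/poller: read-only
    "10.1.1.20": {3, 4, 6, 16},  # engineering workstation: reads and writes
}

def parse_modbus_tcp(frame: bytes):
    """Parse the 7-byte MBAP header plus function code; return None if malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:   # protocol id must be 0; length covers unit+PDU
        return None
    return {"tid": tid, "unit": unit, "func": frame[7]}

def evaluate(src_ip: str, frame: bytes) -> str:
    """Return 'allow', or a 'deny:<reason>' string suitable for central event logging."""
    pdu = parse_modbus_tcp(frame)
    if pdu is None:
        return "deny:malformed"
    allowed = RULES.get(src_ip)
    if allowed is None:
        return "deny:unknown-source"
    if pdu["func"] not in allowed:
        return f"deny:function-{pdu['func']}-not-permitted"
    return "allow"

class RateBaseline:
    """Sliding-window packet counter per source; flags a spike above the baseline."""
    def __init__(self, window_s: float, max_per_window: int):
        self.window_s = window_s
        self.max = max_per_window
        self.seen = defaultdict(deque)

    def observe(self, src_ip: str, ts: float) -> bool:
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.max                # True = anomalous traffic spike

def build_frame(tid: int, unit: int, func: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used here to construct sample traffic)."""
    body = bytes([unit, func]) + payload
    return struct.pack(">HHH", tid, 0, len(body)) + body
```

The deny reasons are the events a central logging system would collect from each substation; the rate check is meant to run beside the rule match, not replace it.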
Utilities have the ability to create an airtight, segmented connection between different nodes serving various operational needs. The result is fail-safe, distributed security, essentially rendering the network invulnerable to external threats.
Introducing new security measures to remote locations does, unfortunately, add to the strain on already overworked utility IT personnel. But in the face of an increasingly hostile cyber landscape, security managers can turn to solutions that offer ease of configuration modification and change management. By doing so, they can increase efficiencies and accomplish their cyber security defense objectives without significantly adding cost or increasing IT workloads.
About the author: Dave Thomas is Business Development Director for RAD (www.rad.com), provider of security and migration solutions for power utilities.