The Evolving Threat
On March 5th, several US-based grid providers were probed by outside factions. While the attack did not cause a widespread outage, there were disruptions. In its aftermath, NERC released a paper with recommendations on how providers and generators can address the problem going forward. What was learned from this event was confirmed by former U.S. Director of National Intelligence Dan Coats, who noted that the grid is more vulnerable than we thought and that outsiders were gaining “red button” functionality to potentially shut down the grid at a time of their choosing.
This is not science fiction or an isolated incident. Recent events include the attack on a Ukrainian electric utility that involved Industroyer and the incident at a Middle Eastern oil and gas refinery that involved the TRISIS malware. Each of these events caused massive outages as a result of an unchallenged attack, underscoring the increasing threat of electronic and computer-based attacks on critical infrastructure.
Why Here and Why Now
Power utilities are digitizing their power plants and grids to enhance efficiency, reduce costs and ensure regulatory compliance. This has resulted in the convergence of their once separate OT and IT environments. Moreover, the growing adoption of smart grid technologies and distributed energy resources has increased the need for interconnection. As OT networks become increasingly connected to IT, the attack surface and the attack vectors available for potential cyberattacks continue to grow. More providers have migrated to universal TCP/IP-based standards such as IEC 61850 and IEC 104, potentially giving attacks a more “frictionless” way to migrate from provider to provider. As power grids become smarter, more connected, and more frequently targeted, utilities need to rethink their cybersecurity strategies.
What To Do
To maintain definitive security in grid environments, it is essential to go beyond compliance recommendations, which should always be considered a minimum standard. Some crucial elements include:
Gain 360° visibility and control – Attacks should be identified long before the last mile. Traffic requires monitoring everywhere, including at the substation bus itself. Events should be clearly understood and analysed with enough situational awareness to discern whether they are malicious in the grid-specific context or part of regular operations. Doing so will eliminate many potential attacks before they begin migrating across the interconnected grid infrastructure. This can be achieved by leveraging a multi-threat detection engine encompassing policy-, anomaly- and signature-based detection.
Identification of physical tampering – Unlike traditional IT networks, grid topologies are by design geographically distributed. Substations and remote facilities are usually the least protected locations, yet they may be the prime entry point for an attack. A solution must not only listen to the network but should also query individual devices at all locations to identify whether any changes have been made. It is especially important to be able to query all IEDs in the network, as they control regular grid operations. This is in addition to servers, workstations, networking equipment, gateways, and any other devices. For locations where it is impossible or impractical to deploy physical appliances, Industrial Cyber Security as a Service (ICSaaS) can be deployed to ensure comprehensive security across the entire environment.
Manage your assets – Grid environments tend to have large and interconnected infrastructures. Many different devices are spread across a vast area and sometimes across several networks. Networks generally contain multiple generations of devices as well as a variety of makes and models. A solution needs to give you a real-time accounting of what is on the network (such as IEDs, EMS servers, GPS time servers and protection devices) down to patch levels and firmware information. Doing so will allow you to pinpoint the devices that need to be addressed when a CVE is issued and will also help identify devices in need of maintenance or replacement.
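The following is an added illustration of the multi-threat detection engine described under the first element (policy, anomaly and signature detection run over traffic seen at the substation bus); it is example code written for this article, not Indegy's product. The traffic records, host names, IOAs and the command policy are constructed; the ASDU type IDs are the standard IEC 60870-5-104 values.

```python
from collections import defaultdict

# Constructed IEC 104 traffic summaries as a substation-bus sensor might emit them:
# (timestamp_s, src, dst, asdu_type, ioa). Standard IEC 60870-5-104 type IDs:
# 45 = C_SC_NA_1 single command, 46 = C_DC_NA_1 double command,
# 100 = C_IC_NA_1 general interrogation, 1 = M_SP_NA_1 single-point information.
BASELINE = [(0, "scada-master", "ied-01", 100, 0), (1, "ied-01", "scada-master", 1, 101),
            (2, "scada-master", "ied-02", 100, 0), (3, "ied-02", "scada-master", 1, 201)]
LIVE = [(60, "scada-master", "ied-01", 100, 0), (61, "ied-01", "scada-master", 1, 101),
        (62, "eng-laptop", "ied-02", 46, 2001),   # control command from a non-master host
        (63, "eng-laptop", "ied-02", 46, 2001), (64, "eng-laptop", "ied-02", 46, 2001),
        (65, "eng-laptop", "ied-02", 46, 2001), (66, "eng-laptop", "ied-02", 46, 2001)]

COMMAND_TYPES = set(range(45, 52)) | set(range(58, 65))  # process control in control direction
# Policy (assumed engineering config): which hosts may issue control commands to which IEDs.
COMMAND_POLICY = {"scada-master": {"ied-01", "ied-02"}}

def policy_alerts(records):
    """Control command whose sender is not an authorised master for that outstation."""
    return [f"policy: {src} sent type {t} to {dst}" for _, src, dst, t, _ in records
            if t in COMMAND_TYPES and dst not in COMMAND_POLICY.get(src, set())]

def anomaly_alerts(baseline, records):
    """Flow tuples (src, dst, asdu_type) never observed during the learning window."""
    known = {(s, d, t) for _, s, d, t, _ in baseline}
    seen, alerts = set(), []
    for _, s, d, t, _ in records:
        if (s, d, t) not in known and (s, d, t) not in seen:
            seen.add((s, d, t))
            alerts.append(f"anomaly: new flow {s}->{d} type {t}")
    return alerts

def signature_alerts(records, threshold=4, window_s=10):
    """Burst of control commands to a single IOA, the rapid breaker-toggling pattern."""
    per_ioa = defaultdict(list)
    for ts, _, dst, t, ioa in records:
        if t in COMMAND_TYPES:
            per_ioa[(dst, ioa)].append(ts)
    alerts = []
    for (dst, ioa), times in per_ioa.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                alerts.append(f"signature: {threshold}+ commands to {dst} IOA {ioa} in {window_s}s")
                break
    return alerts

def run_engine(baseline, records):
    """Combine the three detectors; an empty list means only regular operations were seen."""
    return policy_alerts(records) + anomaly_alerts(baseline, records) + signature_alerts(records)
```

The policy rule is what supplies the situational awareness the text calls for: the same double command from scada-master during normal operations raises nothing, while the identical ASDU from an unexpected host trips all three detectors.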
For More Information
If you want to learn more about the specific challenges that power and utility providers are facing, as well as some of the ways that Indegy can help address them, download any one of the following:
Practical Guide for Building an Effective Cybersecurity Strategy for Your Power Grid
Public Utility District #1 Case Study
Electric Grid Use Case