Targeting Improved Cyber Security
Three Common Ways Electric Utilities Can Improve Their Cyber Security
By Power System Engineering, Inc. (PSE)
Introduction
Many electric utility managers understand the importance of strong cyber security. Certainly the cost of not addressing security can be significant. But many managers are less certain of what is most critical to secure, how severe the issues are at their utility, whether the improvements actually help, and what is practical given limited budgets and personnel.
PSE performs cyber security assessments and remediation work for electric utilities across the United States. In this article, we review three very common cyber security practices that utility managers can easily address to significantly improve the security of their systems:
1. Evaluating Cyber Security for Major Software Purchases
2. Controlling the Use of Employee-Owned Devices in the Utility
3. Monitoring the Network in the Control Environment
As the following examples show, many remediation projects do not require significant capital expenditure or internal personnel once a utility knows where to target its efforts.
Evaluating Cyber Security for Major Software Purchases
By its very nature, software for control systems differs from other business or corporate systems. Proprietary protocols and specialized hardware make the evaluation process more difficult. For many years, utility automation systems were either manual or physically separated from Internet access. No connectivity meant that security was not evaluated when the software system was purchased.
The Problem
Often when purchasing decisions are made concerning critical systems such as SCADA, there is not a consistent process or policy in place that requires that the potential system be evaluated for its security components or at least its potential effect on the security environment as a whole. When making software decisions, many utilities focus on evaluating functionality but are unsure of how to evaluate cyber security.
However, new systems can affect the cyber perimeter simply in the course of their intended function. For instance, consider a SCADA system that has a remote or smart phone application. This remote functionality requires a network connection to work properly. Many of the devices that this application is loaded on have both a Wi-Fi connection and a cellular Internet connection. The system's exact connectivity requirements, as well as the mobile devices' connectivity capabilities, need to be understood to avoid creating connections that bypass the firewall. This is more difficult than it sounds and can often be even more difficult to enforce. Securing the mobile application by disabling the Internet connection on the device can reduce coverage, while enabling it can create a bypass of the firewall. Failing to investigate and understand these connectivity issues can lead to unexpected bypasses of network security systems. As a result, care must be taken not to create a path that puts other systems at risk.
Security considerations for new systems include more than just the system itself. The vendor who made the product must also be vetted for its own cyber security practices. If a vendor were breached, the utility's information would often be lost as well. This could be further magnified if the vendor had access to the utility's system. The result is a potential "back door" into the utility network. Consider the following scenario: a utility has just procured a SCADA system from a national vendor. As part of the support agreement, the vendor has obtained VPN access directly to the SCADA Master for software updates and general application support. If the vendor were breached and the credentials obtained by a cyber-criminal, the criminal would have access to the utility's system.
[Figure: Back Door Threat. The SCADA vendor holds VPN access into the utility and also serves other utility clients (Utility X).]
The issue does not center on how much security an application has as much as on ensuring that all data traffic is appropriately protected. For example, an application may natively transport its data in an unprotected manner. This does not mean that the application should not be used, but it does mean that another mechanism, such as a VPN, should be used to protect the data in transit.
The Solution
Established procedures or formal policies should be put in place to ensure that every potential new system is evaluated for security during the procurement process. The Department of Energy has plenty of information on this topic, including a guidebook on cyber security procurement language. Implementing formal policies and/or processes that include the evaluation of application security can improve the overall security and cyber health of the utility.
The solution to this problem does not require a large capital investment. In many cases, it simply entails establishing a methodology for evaluating the security of a potential new purchase with the same level of diligence normally paid to the evaluation of functional requirements. In fact, you can think of cyber security as a functional requirement itself.
Controlling the Use of Employee-Owned Devices in the Utility
Mobile devices and other non-company-owned equipment are becoming more and more prevalent in the utility. This category includes all devices that access or contain utility information but that the utility does not own or control, such as laptop computers on which employees perform utility functions, smart phones that sync with the e-mail server, and USB drives that an employee brought into the office.
The Problem
In many cases, a utility will claim that it is not using BYOD (bring your own device) and therefore does not require a policy or mechanisms to address this issue. But if you were to poll a random group of utility employees on whether they use a personal USB drive or access their e-mail via a smart phone app, you would see a lot of hands go up. The unfortunate reality is that the first time you allow a person to sync to the e-mail server or use a non-company-owned USB drive, you are a BYOD utility, even if you had not intended to be one.
BYOD has the potential for great reward, but along with it comes considerable risk. With any mobile device, there is concern about data or credentials left on the device in the event that it is lost or stolen. This information or these credentials could be used to gain access to other sensitive data or controls in the utility. The traditional approach has been to encrypt the hard drive or device itself with an IT-managed mechanism, but when IT does not own the device, this can be difficult to enforce.
Additional BYOD risks include compromise of the machine and malware infection. Because the device is the property of the employee and not the company, you cannot completely control how it is used. BYOD can make employees unwitting accomplices in cyber breaches.
For example, take the case of employee Barb. Barb is a long-time loyal employee who just got a new smart phone from her daughter and is exploring the capabilities of the device. Barb downloads a fun bowling game app but does not realize that this new app is infected with malware and has seized root control of the device. Barb goes into work the next day and plugs her new phone into the USB port on her workstation to charge it. Little does she know that her infected phone is using the data connection of the USB cable to probe her workstation and the network, and then starts exporting data through the phone's 4G Internet connection.
Mobility devices such as tablets, smart phones, and "i"-devices (iPhone, iPad) provide additional attack vectors through their internal Internet connection. This Internet connection can be used in addition to the Wi-Fi connection to the utility network for the transport of data. Additional care needs to be taken that such a multi-connection (dual-homed) device does not create a bypass of your existing security devices such as your firewall.
The Solution
Formal policies that govern the prudent use of employee-owned devices, such as smart phones and other BYODs, in the environment need to be implemented. Due diligence needs to be taken to assess the true business value of this practice relative to the increased risk. Policies need to be well thought out with regard to exactly what functions will be enabled for these personally owned devices, what uses will be permitted, and what controls will be required. Functions to be considered can range from only allowing an ActiveSync connection to company e-mail to a fully containerized application that can perform remote functions on the SCADA system.
More sensitive applications require more protection from the underlying device operating system in a mobility or BYOD scenario. At the high end, a very sensitive SCADA application can require a fully encrypted, containerized application, working through a VPN that requires multi-factor authentication, to access a heavily monitored proxy server. The potential threat of an attack along this path (or vector) needs to be weighed against the probability of the event.
Monitoring the Network in the Control Environment
Network monitoring is a key component of understanding what is going on in your cyber environment. This monitoring is the real-time equivalent of security logging and provides high visibility of the environment, both good and bad.
The Problem
Many utilities have some sort of network monitoring in their business operations or corporate environments, but the same monitoring is often absent in the SCADA and AMI environments. In basic terms, this means that some of the utility's more critical systems are the ones watched least closely from a network perspective.
A common practice is to use third-party carriers (cellular/telco) for the transport of AMI and SCADA data. But this practice means that data leaves and re-enters the utility, creating an additional exposure and possible attack vector that increases the utility's overall attack surface (the number of ways to get into the network). Granted, this type of risk is often accepted by the utility for cost reasons relative to the probability of attack, but at a minimum these access points should be monitored.
The Solution
Many device manufacturers are building substation-hardened network devices with sophisticated network monitoring mechanisms built into the base offering. These devices offer all the environmental hardening required for a substation along with the ability to be integrated into popular Security Information and Event Management (SIEM) systems.
One of the more popular technologies in this category is NetFlow. Originally developed by Cisco Systems, this technology passively summarizes the traffic crossing the device's interfaces, recording source, destination, and size, for export to a SIEM system. This technology is being implemented by other device manufacturers. Other competing technologies perform similar passive monitoring (Juniper's J-Flow and others) and can be integrated with the same SIEM systems as NetFlow.
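As an added illustration (not from the article or PSE), the following Python sketch shows the kind of rule a SIEM could run over NetFlow or J-Flow exports from a substation switch to catch the three situations described in this paper: a vendor's VPN session to the SCADA master outside the agreed support window, traffic re-entering over the carrier backhaul to anything other than the AMI head-end, and a control-segment host that fans out across the substation network or talks to the Internet (the infected workstation in the BYOD example). The address plan, support window, and flow records are all constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime, time

# Hypothetical address plan for one utility (an assumption, not from the article).
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")    # SCADA/AMI control segment
SCADA_MASTER = ipaddress.ip_address("10.10.0.10")
AMI_HEADEND = ipaddress.ip_address("10.10.2.5")
VENDOR_VPN = ipaddress.ip_network("172.16.50.0/24")   # pool assigned to the SCADA vendor
CARRIER_NET = ipaddress.ip_network("203.0.113.0/24")  # cellular/telco AMI backhaul
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VENDOR_WINDOW = (time(2, 0), time(4, 0))              # agreed vendor support window
FANOUT_LIMIT = 3                                      # distinct control hosts per source
# Constructed flow export, as a NetFlow/J-Flow collector might hand it to a SIEM.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2024-03-01T02:15:00,172.16.50.7,10.10.0.10,443,48000
2024-03-01T14:02:00,172.16.50.7,10.10.0.10,443,52000
2024-03-01T08:00:00,203.0.113.9,10.10.2.5,8443,900
2024-03-01T08:00:05,203.0.113.9,10.10.0.10,502,120
2024-03-01T09:10:00,10.10.0.10,10.10.1.21,20000,700
2024-03-01T09:30:00,10.10.3.20,10.10.1.1,502,60
2024-03-01T09:30:01,10.10.3.20,10.10.1.2,502,60
2024-03-01T09:30:02,10.10.3.20,10.10.1.3,502,60
2024-03-01T09:31:00,10.10.3.20,198.51.100.40,443,250000
"""

def analyze_flows(csv_text):
    """Return (rule, src, dst) alerts for flows that fall outside the address plan."""
    alerts, fanout = [], defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        when = datetime.fromisoformat(row["ts"]).time()
        if src in VENDOR_VPN:
            # Vendor support path: only the SCADA master, only inside the agreed window.
            if dst != SCADA_MASTER or not (VENDOR_WINDOW[0] <= when < VENDOR_WINDOW[1]):
                alerts.append(("vendor_vpn_outside_policy", str(src), str(dst)))
        elif src in CARRIER_NET:
            # Traffic re-entering over the carrier should only reach the AMI head-end.
            if dst != AMI_HEADEND:
                alerts.append(("carrier_ingress_unexpected_host", str(src), str(dst)))
        elif src in CONTROL_NET:
            if dst in CONTROL_NET:
                fanout[src].add(dst)          # distinct internal peers per host
            elif not any(dst in net for net in RFC1918):
                # A control-segment host reaching the Internet: a likely firewall bypass.
                alerts.append(("control_host_to_internet", str(src), str(dst)))
    for src, peers in fanout.items():          # the master legitimately polls many RTUs
        if src != SCADA_MASTER and len(peers) >= FANOUT_LIMIT:
            alerts.append(("scan_like_fanout", str(src), f"{len(peers)} hosts"))
    return alerts
```

Real deployments would tune the window, allowlists and fan-out threshold from a baseline of normal traffic before alerting on deviations.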
Summary
These examples are just a sampling of security issues many utilities are either unaware of or unable to resolve due to gaps in processes, procedures, and training.
There exists the perception that cyber security will involve a large capital expenditure. But in many instances, the tools for the security infrastructure have already been purchased; the utility need only to better understand how to implement proper procedures and policies in order to maximize the protection offered by devices already in place. Utilities vary widely with regard to their level of comfort and progress in having implemented security measures to date. Some managers express the sentiment that IT and security are not part of their background, and they have no idea where to start. Others have implemented many programs and simply wonder what gaps still exist. By far, the best practice is to perform a cyber security audit to identify and prioritize issues to be addressed. This gives guidance to remediation efforts, helps calm fears of unknown exposure, and quantifies the capital costs and personnel effort needed to address issues.
PSE has experience in helping utilities cost-effectively identify critical areas of security risk and implement the programs needed to close the gaps.
About the Author
Jeff Simdon, Lead Consultant – Security and IT
Jeff earned a Bachelor's degree in Business Administration from the University of Wisconsin–Whitewater. He has extensive experience in cyber security, networking, and IT in both the government and private sectors. Jeff has implemented numerous security and IT projects ranging from cyber security assessments to enterprise software system implementation to multi-campus IP network design and deployment. He has held IT leadership positions at the Director level and has worked on numerous security and network projects within the utility industry.
Contact Jeff at 608-268-3561 or [email protected] with any questions you might have regarding PSE’s security capabilities.
Full-service consultants
Serving the utility industry since 1974
PSE is a full-service consulting firm. Our team has extensive experience in all facets of the utility industry, including communications, IT, and smart grid automation planning and design; economics, rates, and business planning; electrical engineering planning and design; and procurement, contracts, and deployment.
We are employee-owned and independent, which gives our clients confidence that we are motivated to satisfy their needs and represent their best interests.
Madison, WI: 1532 W. Broadway, Madison, WI 53713, 608-222-8400
Additional locations: Minneapolis, MN – (763) 755-5122; Marietta, OH – (740) 568-9220; Indianapolis, IN – (317) 322-5906; Sioux Falls, SD – (605) 221-1770
For more information on all of our services, please visit our website: