March 29, 2024

Security Sessions | Combatting Cyber Threats in the Electrical Grid: A Guide for Engineers

by Germán Fernández

Electrical grid security continues to be top of mind for power and utility companies. A recent sniper attack on a Utah substation highlights that grid vulnerability is a very real problem and that teams must be prepared to handle the variety of security issues that face power engineers today.

Physical threats, such as external attacks, are far too common, but threats can also come from the inside. Cyberattacks in the electric power industry are on the rise, with more than 75 percent of those surveyed by Tripwire saying they experienced a significant cyberattack in the past 12 months.

A sound, holistic cybersecurity policy requires a collection of measures adopted to prevent unauthorized use, malicious use, denial of use, or modification of information, facts, data or resources. A good cybersecurity policy doesn’t just protect against intentional attacks from outside the network, but also internal issues and unintentional modifications of information. Cybersecurity is about making a facility more reliable and reducing network downtime. It’s not about defeating hackers or terrorists – contrary to popular belief, they only account for 10 percent of known incidents.

New Complexities Require Strong Communications Networks

New technologies – such as transmission control protocol/internet protocol (TCP/IP) based technologies for both substation automation networks and wide area network (WAN) communications between substations – have opened most industrial communication networks up to more cyber threats.

Having an effective cybersecurity policy in place is a simple first step to maintaining the reliability and safety of substation and grid operations. There are a few key criteria that make a strong cybersecurity policy:

  • Confidentiality: Preventing unauthorized access to information
  • Integrity: Preventing unauthorized modification or theft of information
  • Availability: Preventing denial of service (DoS) and ensuring authorized access to information

Power grids have become increasingly complex over the years. More interconnection with systems across countries has made failures and mistakes more likely – and their potential impact greater in scope and cost. Strong communications networks require commercial off-the-shelf technology; Ethernet and TCP/IP-based communications protocols; open standards, such as IEC 60870-5-104 and IEC 61850; the integration of legacy industrial protocols and Modbus TCP; remote connections with multiple devices; and use of public networks and interconnection with company IT systems.

Five Steps for Superior Security

How do teams build up levels of security and ensure those remain constant? Cybersecurity is an iterative process and as surrounding conditions or threats change, systems and policies must adapt.

When cybersecurity issues are not fully addressed, downtime occurs, which is costly. Since it’s not realistic to assume all threats can be prevented 100 percent of the time, recovery strategies after issues occur are also critical to protect network uptime. There are five critical levels for network security that will help teams keep threats minimal and reverse any damage threats have caused the network:

  1. Preventative security: Intended to prevent an incident from occurring and to reduce the number and types of risk. An example of this kind of layer is password protection and policies.
  2. Network design security: Minimizes the vulnerabilities and isolates them to prevent an attack from affecting other parts of the network. This is achieved by limiting the number of connections through a zones and conduits method.
  3. Active security: Implemented before and during an event. These measures block off traffic or operations not allowed or expected in a network. Examples of this layer include encryption, protocol-specific deep packet inspection, Layer 3 firewalls and antivirus use.
  4. Detective security: Identifies and characterizes incidents by evaluating activity registers and logs. This can include log-file analysis and intrusion detection system monitoring.
  5. Corrective security: Aims to limit the extent of any damage caused by an incident. Procedures are built in so that, once a vulnerability is detected, the preventative security and network design security measures can be retrofitted to close it. Firewall and antivirus updates are the most common mechanisms in this layer.
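The network design level above relies on the zones-and-conduits method: assets with the same security requirements are grouped into a zone, and the only permitted paths between zones are named conduits that carry a short list of protocols. The following is an added example, not code from the article or from Belden, of a policy check that enforces such a design. The address plan, zone names and permitted services are hypothetical; a real deployment would take them from the site's own risk assessment.

```python
"""Zones-and-conduits flow check (constructed example, not from the article).

A zone is a set of assets with the same security requirements; a conduit is
the only permitted path between two zones and carries a fixed list of
services.  Any flow that does not match a conduit is denied, so the corporate
network can never reach a substation device directly: it must pass through
the DMZ, and only on the protocols the DMZ-to-substation conduit allows.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical address plan for the example.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "substation": ipaddress.ip_network("192.168.50.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    # Allowed (protocol, destination port) pairs; everything else is denied.
    services: frozenset


# Hypothetical conduits: 2404 is IEC 60870-5-104, 502 is Modbus TCP.
CONDUITS = [
    # Engineering staff may only reach the DMZ jump host / historian.
    Conduit("corporate", "dmz", frozenset({("tcp", 443), ("tcp", 22)})),
    # Only the DMZ may speak the OT protocols into the substation.
    Conduit("dmz", "substation", frozenset({("tcp", 2404), ("tcp", 502)})),
    # Substation devices may push data out to the DMZ historian only.
    Conduit("substation", "dmz", frozenset({("tcp", 443)})),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Decide whether a flow is permitted and explain why (for the firewall log)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "source or destination is outside every defined zone"
    if src == dst:
        return True, f"intra-zone traffic within {src}"
    for c in CONDUITS:
        if c.src_zone == src and c.dst_zone == dst:
            if (proto, dport) in c.services:
                return True, f"conduit {src}->{dst} permits {proto}/{dport}"
            return False, f"conduit {src}->{dst} does not carry {proto}/{dport}"
    return False, f"no conduit defined from {src} to {dst}"


if __name__ == "__main__":
    for flow in [("10.10.1.5", "10.20.0.10", "tcp", 443),
                 ("10.10.1.5", "192.168.50.20", "tcp", 502),
                 ("10.20.0.10", "192.168.50.20", "tcp", 2404)]:
        print(flow, flow_allowed(*flow))
```

Default deny is the important property: a flow with no matching conduit is refused, and a corporate host trying Modbus TCP straight into the substation is blocked even though the same protocol is legitimate from the DMZ.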

Only having one point of defense is not the most effective way to enforce cybersecurity throughout a communications network. Rather, a best practice is to deploy multiple layers of defense throughout the network so if one is bypassed, another layer provides defense. No matter how good it is, relying on one security system sets teams up for security failure.

Defense in Depth: Ensuring multiple layers for robust security

Teams need to make sure each of the security layers throughout the network is slightly different, so that if an attacker finds their way past the first layer of defense, they don’t have the capabilities to get past all subsequent layers of defense as well. Each of the defenses should be context and threat specific – designed for the specific threat at hand.

The electric power grid system can be exposed to multiple threats at once, ranging from computer malware and angry employees to DoS attacks and information threats. Each of these vulnerabilities needs to have an appropriate defense mechanism at the ready. In substation applications, sophisticated supervisory control and data acquisition (SCADA) aware firewalls observe network traffic all the way down to specific types of commands. This defends against the context of the threat to the system.

A few other steps teams should take to ensure multiple layers of defense include:

  • Prioritize threat responses and make sure mission-critical systems are secure first.
  • Create a culture of security by keeping teams informed and educated on security best practices.
  • Update existing risk assessments regularly, including both physical and virtual checks.
  • Don’t apply a one-size-fits-all solution across the entire IT and SCADA system. The threats, risks and goals of these systems are different, and so should be the solutions.
  • Install routers and firewalls between the corporate backbone and the substation network for more security support.
  • Implement stateful inspection or deep packet inspection to ensure only authorized packets travel between both networks.
  • Segment between the operational network and telecom network by creating demilitarized zones for servers and computers in the operational network with external access.
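The SCADA-aware firewall described above, and the deep packet inspection recommended in the list, both come down to parsing the industrial protocol and allowing only the commands a given client is expected to send. The following is an added example, not code from the article or from Belden, of that kind of inspection for Modbus TCP: it parses the MBAP header and function code, applies a per-source policy (which function codes, which holding-register range may be written), and denies anything malformed or outside policy. The client addresses, register range and frames are constructed for the example; the frame layout and function codes are those of the Modbus/TCP specification. It also includes a small detective-layer helper that counts denials per source for log review.

```python
"""Protocol-aware (Modbus/TCP) deep packet inspection -- constructed example.

A Modbus/TCP frame is a 7-byte MBAP header (transaction id, protocol id = 0,
length, unit id) followed by the PDU (function code + data).  The policy below
is hypothetical: the SCADA master may read and write setpoints 100-199, the
historian may only read, and every other source is denied.
"""
import struct
from collections import Counter
from typing import Optional, Tuple

READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
HOLDING_WRITES = {0x06, 0x10}            # write single / multiple registers

POLICY = {
    "10.20.0.10": {"functions": READ_FUNCTIONS | HOLDING_WRITES,
                   "write_range": range(100, 200)},
    "10.20.0.11": {"functions": READ_FUNCTIONS, "write_range": range(0)},
}


def parse_modbus_tcp(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (unit_id, function_code, data); raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7], frame[8:]


def written_registers(function: int, data: bytes) -> Optional[range]:
    """Holding-register addresses a write touches, or None if the PDU is malformed."""
    if function == 0x06 and len(data) == 4:
        addr = struct.unpack(">H", data[:2])[0]
        return range(addr, addr + 1)
    if function == 0x10 and len(data) >= 5:
        addr, qty, count = struct.unpack(">HHB", data[:5])
        if count != 2 * qty or len(data) != 5 + count:
            return None
        return range(addr, addr + qty)
    return None


def inspect(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Firewall decision for one request: ('ALLOW'|'DENY', reason)."""
    rule = POLICY.get(src_ip)
    if rule is None:
        return "DENY", "source not in policy"
    try:
        _unit, function, data = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DENY", f"malformed frame: {exc}"
    if function not in rule["functions"]:
        return "DENY", f"function 0x{function:02x} not permitted for {src_ip}"
    if function in HOLDING_WRITES:
        regs = written_registers(function, data)
        if regs is None:
            return "DENY", "malformed write request"
        outside = [r for r in regs if r not in rule["write_range"]]
        if outside:
            return "DENY", f"write to register {outside[0]} outside permitted range"
    return "ALLOW", f"function 0x{function:02x} from {src_ip} within policy"


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame (used to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def denied_by_source(decisions) -> Counter:
    """Detective layer: denials per source, the figure a log review would alert on."""
    return Counter(src for src, (verdict, _) in decisions if verdict == "DENY")


if __name__ == "__main__":
    sample = [
        ("10.20.0.10", build_request(1, 1, 0x03, struct.pack(">HH", 100, 10))),
        ("10.20.0.11", build_request(2, 1, 0x06, struct.pack(">HH", 150, 1))),
        ("10.20.0.10", build_request(3, 1, 0x08, b"\x00\x01\x00\x00")),
    ]
    results = [(src, inspect(src, f)) for src, f in sample]
    for src, (verdict, reason) in results:
        print(src, verdict, reason)
    print(denied_by_source(results))
```

Note that the check is on the application layer, not just the TCP port: a packet to port 502 from a permitted host is still refused if it carries a write outside the setpoint range, a diagnostics function, or a length field that does not match the frame.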

Complete protection against every potential cyber and physical attack is not possible, but most threats can be avoided with a strategic and holistic security strategy. At the core, being able to quickly detect, isolate and control the threats is the key to success so that the impact on the rest of the network is limited. Substation security requires vigilance against both accidental and intentional threats to the network. Following an integrated security approach that has multiple layers of defense is the best way to limit damage, control threats and manage risks more efficiently.

About the Author

Germán Fernández has more than 15 years of experience in the electric power industry, specifically pertaining to industrial Ethernet networking and telecommunications technologies. He is the global vertical marketing manager for the energy market at Belden. Germán has managed power projects worldwide as a system integrator and brings a deep understanding of cybersecurity needs for electric power utilities to his role at Belden. He is also a member of the Cigre Working Group D2.40.