Modern power utility systems deliver information to a wide range of users in near real time and automate several tasks that streamline operations and performance. These new performance advantages often come with a challenge: cybersecurity. Integration and automation professionals can enhance the security of modern power utilities with the sensible, yet reliable methods described below.
Many networking technologies are built on a premise of trust and provide multiple benefits for operational efficiency. For example, a modern networked substation often allows the remote resolution of problems, preventing a utility from wasting many hours trying to locate a fault. Encroaching on this benefit are new cybersecurity regulations that do not easily align with control system remote diagnostics. Many of the new regulations emerge as a result of work in other sectors, such as information technology (IT). Sometimes, it is appropriate to apply the security principles learned from IT, and at other times, utilities are best served by approaching principles and regulatory norms from other industries with a circumspect posture. The application of IT security measures and regulations should not negatively impact the reliability or resiliency of grid operations.
News reports on cybersecurity tend to emphasize uncertainty and doubt. These reports, while well intentioned, can lead to an overreaction of increased legislation, while the more effective response would be to create and implement internal security policies, plans, training, and procedures. The incorporation of a variety of firewalls, virtual local-area networks (VLANs), virtual private networks (VPNs), and Internet Protocol Security (IPsec), as described below, is a powerful strategy for increasing network resiliency and preventing cyberintrusion. Once in place, these security and networking technologies provide a robust ‘security in-depth’ approach to securing critical infrastructure control systems, such as those found in modern smart grid substations.
Applying Firewalls as a Security Measure
One important security tool is the firewall. The name and its function originate from the firewall that can be found in automobiles or applied in the construction of buildings. An automobile’s firewall confines fire to the engine compartment, preventing fire from progressing to the driver and passenger areas. The firewall must have holes in it for certain functions, such as steering, throttle control, and braking. Likewise, a network firewall restricts illegitimate traffic from flowing on the network segment, but allows legitimate data to proceed. The firewall makes these decisions based on a set of rules. Another firewall feature is the ability to log or document actions, including auditing actions. The rules for a firewall originate from a well-defined security policy. Typically, a firewall operates between network boundaries, where network communications meet. For example, a firewall would be found where data from the Internet (outsiders) meet the data from a corporate intranet (insiders).
Firewalls are often built into network equipment, such as computers, gateways, or routers, and provide a means to restrict network traffic, such as preventing outsiders from connecting to insiders. Just as there are holes in an automotive firewall, the rules for a substation may allow network holes, or ports, to allow certain TCP/IP network traffic to pass. For example, a firewall may have holes to pass email traffic assigned to Port 25 (Simple Mail Transfer Protocol, SMTP) or Port 110 (Post Office Protocol 3, POP3). These ports in the firewall allow legitimate network traffic to pass, but drop illegitimate traffic. Firewall rules that drop data packets often create an alarm or log file that notifies the user and/or administrator of a problem. As with any security tool, a firewall requires an understanding of the network design; unintentionally or inaccurately changing a firewall rule can impede important network traffic.
There are several firewall types: packet filtering, stateful inspection, and application proxy. Packet filtering examines the IP address and/or port and accepts or denies the packet through the firewall. The more popular type of firewall is called stateful inspection (often referred to as a session-based firewall), which bases the rules on the state of a connection or session. It adds slightly more depth to its protection. There are UNIX-based firewalls that run off IP tables or IP filters. These work well for a substation environment because they allow for some degree of fine-tuning (e.g., allowing control system packets and rejecting all other traffic). UNIX-based firewalls require more time and greater expertise to set up. As the name implies, an application proxy sets up an intermediary hardware path for the data packets. The proxy hardware receives all traffic to and from the destination and filters traffic based on its rule set. One advantage of a proxy firewall is that it hides the true IP addresses from outsider connections.
Firewalls provide logs and document attempts to connect to the network—very important features that will help modern substations meet regulatory requirements. These log files are an important source of useful information that can be used to prevent illegitimate access to a substation environment. Unfortunately, most security officers do not spend the time to review these log files.
The Proper Place for VLAN in a Resilient Network Design
Another important security tool is the virtual local-area network (VLAN). VLAN groups end devices and users into a particular network group or segment, allowing communication to occur only within that group. This provides better management of data traffic and segments network traffic with similar network security requirements, yielding better resiliency during high-traffic communications, even during a cyberattack. Unfortunately, a common misconception is that VLANs provide security for data packets.
VLANs provide a convenient means of moving users and/or devices to different broadcast domains. They require only a reconfiguration of the port that is used to connect to the network. For example, you could be working in Engineering Level 1 and need to move to Engineering Level 2. Instead of physically moving the computer or rerouting wires, simply modify the VLAN configuration of the port, changing it from Engineering Level 1 VLAN to Engineering Level 2 VLAN. This flexibility allows you to create logical, rather than physical, groups of users.
If a PC from the Engineering Level 2 VLAN is affected during a cyberattack, it is very easy to isolate the offending PC from network traffic; namely, move it to a separate, less critical segment, causing little or no impact to other network traffic. Conversely, devices or end users can easily be moved to other segments, removing them from danger of attack.
Configuring A Virtual Private Network for optimal security
A virtual private network (VPN) creates a network extension that behaves as if it were part of a larger, enterprise-wide network. As an example, VPNs allow users to reach work-related emails with a laptop computer from the convenience of a home network. Unlike a VLAN, a VPN is able to provide a secure network infrastructure. A typical VPN uses existing network infrastructures, including the Internet, to make a connection.
If configured properly, the security of the VPN allows the data to maintain confidentiality and integrity. VPNs create secure communications links between remote locations, while providing the same level of security as if the connection were part of a fully trusted network.
There are two types of VPNs: trusted and secured. A trusted VPN allows computers in different locations to be members of a common local-area network (LAN) with access to the network resources located within its constraints. A trusted VPN does not establish privacy. A secured VPN uses cryptographic tunneling protocols to provide security. Confidentiality, sender authentication, and message integrity establish security within a VPN. As mentioned previously, VPNs must be set up correctly in order to ensure information security. By implementing the correct security technologies provided by VPNs, it is possible to prevent unauthorized data transmission to critical infrastructure devices as well as avert the interception of authorized data transmissions, such as passwords, between these critical devices.
Despite their popularity, VPNs have limitations, as is true for many security technologies. Organizations should consider that the use of VPNs requires a solid understanding of network security issues as well as careful installation and configuration to ensure security over a public Internet network. Also, it is important to recognize that the performance, reliability, and resiliency of a public, Internet-based VPN is not under the utility’s control. Instead, a VPN that uses the public Internet relies on the service provider and their quality of service. In the recent past, mixing and matching network devices in a VPN resulted in technical issues that would drop communica¬tions due to vendor incompatibility.
Using IPsec to Secure Communications
A VPN solution starts with two endpoints on a network and, for the purposes of this article, one endpoint that likely terminates in a substation. It is the suggestion of this author that devices residing within a substation’s security perimeter terminate via an Internet Protocol Security (IPsec) gateway appliance. At present, many substation devices are unable to support a direct VPN termination, so termination occurs as part of an existing in-line network infrastructure device, such as a gateway, near the vicinity of the device.
IPsec is a framework protocol that secures data traversing an Internet communications link. The framework protocol includes tunnel and transport modes as well as the Authentication Header (AH) and Encapsulating Security Payload (ESP) security algorithms. Choosing between tunnel mode and transport mode depends on the power utility and its transmission and distribution network topology. For more traditional VPN use, tunnel mode topology creates a gateway-to-gateway (substation-to-substation) or host-to-gateway connection. In this case, host is defined as a computer-to-Internet device, and gateway is a network device that connects two Internet communications links.
Transport mode authenticates the two network hosts or peers and establishes a secure communications channel.
This secure channel ensures that communication between the two computers remains tamper-free and private. In transport mode, the Internet Protocol (IP) header is sent in the open.
Tunnel mode secures traffic routed between two gateways over an untrusted network. A device at one site (substation) must communicate to a device at the other site (substation). The traffic passes through the IPsec gateway. Tunnel mode is for site-to-site communications, useful for securing gateway-to-gateway, server-to-gateway, and server-to-server communications.
Configuring IPsec connections for a power utility starts with defining a set of security associations (SAs). Each SA is filtered based on source and destination addresses (IPv4 or IPv6), name (user ID or system name), Transport Layer Protocol (Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), and source and destination ports (port number). These SA selectors help determine the eligibility of inbound or outbound traffic for association with a particular SA. IPsec supports strong cryptographic authentication and encryption of data.
During a cyberattack, IPsec VPN traffic traveling through a router is filtered so that any frames an attacker forms and attempts to send to a substation computer are dropped. The packets do not pass because the frames fail authentication and/or decryption. An encryption/authentication key must be used to code all data, and the network devices accept or deny this traffic.
IPsec issues arise due to the misconfiguration of the tunnel during setup, which introduces security holes. For example, implementing a traffic filter without any authentication verification on the packets could allow a knowledgeable attacker to send malicious TCP/IP traffic that matches the expected traffic profile. Thus, the rogue traffic survives filtering. A hacker is then able to pose as a legitimate device on the substation network, and malicious traffic can be sent to the substation device by faking or spoofing the IP address.
The cybersecurity technologies described above offer a sensible yet robust arsenal to help protect and control substation network data that traverses untrusted network paths. The modern substation automation professional should be aware of and explore the use of technologies, such as firewalls and VPN IPsec tunnels. These and other technologies help protect networks from malicious traffic and provide network resiliency. There are also new technologies that look promising for application into control system security, namely the use of certificates such as X.509 and certificate services such as Online Certificate Status Protocol or OCSP.
Also, readers might consider Lightweight Directory Access Protocol or LDAP (RFC4510) as a technology that works with certificates for authentication even user-based access controls. It is important to take the time to review the application of all new security technologies to assure they do not negatively impact the safety, reliability, and resiliency of grid operations. We have many tools to consider, and we must move wisely and circumspectly forward, not compulsively or under duress; we must rely on well-disciplined engineering principles to arrive at sensible cybersecurity.
About the Author
Dwight Anderson received his B.S. in electrical engineering from Stevens Institute of Technology. He is now a security engineer for Schweitzer Engineering Laboratories, Inc. in Pullman, Washington. Prior to joining SEL in 2005, he worked 20 years for Hewlett-Packard as an aerospace and defense business development manager and systems engineer on projects ranging from electronic warfare countermeasures to SCADA system programming. He holds the Global Security Essentials Certification (GSEC) from Global Information Assurance Certification (GIAC), is a Certified Information Systems Security Professional (CISSP), and is an active member of the Palouse Chapter of the ISSA
(www.palouse-issa.org).