December 26, 2024

Security Sessions | Striking the Balance: Ensuring High Performance, Complete Security of Power Grid

by Maggie Wu

Over the years, the North American Power Transmission & Distribution (PT&D) market has benefitted from major investments in generation, transmission and distribution infrastructure in both Canada and the United States. These investments are intended to:

  • Renew aging equipment
  • Improve electrical network reliability and performance
  • Visualize and quickly reduce grid congestion

Along with this trend, utility companies are making considerable investments to protect PT&D infrastructure from both physical and cyberthreats. In response to physical disasters such as Superstorm Sandy in October 2012 - and tough lessons learned from that incident - utility companies are attempting to stormproof the distribution networks by sealing conduits, installing fiber optic cabling and flexible connectors and elevating relay panels - relatively simple solutions that were not common practice until recently. Cyberthreats from online attacks, however, are presenting tougher challenges and threatening the integrity of power substations across the globe.

Multiple factors contribute to the increased cybersecurity threats facing power substations today. The Industrial Internet of Things (IIoT) and the adoption of new technologies, such as transmission control protocol/Internet protocol (TCP/IP)-based communications for both substation automation networks and the wide area network (WAN) links between substations, have opened utility networks up to more cyberthreats. The number of opportunities for an outsider to break into the network has increased tremendously. To combat these threats, a comprehensive and effective cybersecurity policy should be implemented to maintain the reliability and safety of substation and grid operations.

Cybersecurity for PT&D Networks
Historically, substation control networks were based on local connections and proprietary applications. Systems were designed for safety, reliability and ease of use, and security was not traditionally a concern for network managers or installers. This approach is no longer valid, and given the various cybersecurity concerns facing the industry, engineers need to have additional knowledge of proper security mechanisms. Today's communications networks are characterized by the use of:

  • Commercial off-the-shelf technology
  • Ethernet and TCP/IP-based communications protocols
  • Open standards such as IEC 60870-5-104 and IEC 61850
  • Integration of legacy industrial protocols such as DNP3 and Modbus TCP
  • Remote connections (multiple devices and mobility)
  • Interconnection with company IT systems
  • Public networks
  • Inclusion of wireless technologies

The complexity of the power grid has increased over the years as it has become interconnected with systems across international borders. This interconnectivity exposes the grid to more variables, making failures and mistakes more likely, increasing the potential cost and impact of such incidents.

Origins and Types of Threats
To protect utility networks, it is important to understand the origin and scope of these potential security risks. To put it simply, cyber-attacks can be either attacks from outside the network, or internal issues and modifications of information that originate within the network.

Threats can also be considered intentional or unintentional. Intentional threats include hackers and viruses, while unintentional threats consist of equipment failures and employee carelessness. Naturally, different types of threats have different consequences.

The majority of network security incidents are accidental. According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) vulnerability analysis, authentication flaws were the most common vulnerability type identified in 2013. This is of particular concern because an attacker with minimal skill could potentially gain administrator-level access to devices that are reachable from the Internet. The analysis also identified other common vulnerabilities, such as factory hard-coded credentials and weak authentication keys.

With the source and nature of the threats in mind, the next step is to establish preventive processes for any issue that could lead to network downtime. These measures can include devices, configurations, internal security policies and employee and contractor training. And since it's not realistic to assume all threats can be prevented 100 percent of the time, it is also important to set up monitoring and remediation strategies to address issues when they occur.

A thoughtful cybersecurity policy, combined with a well-designed network infrastructure, can help minimize and contain threats. Here are a few best practices for developing better security measures for either new or upgraded substation communications systems:

1. Segment operational networks:
Networks tend to grow incrementally, resulting in large, flat networks. Too often, we find networks that have become vast, sprawling systems that are difficult to manage or secure. Dividing up large networks into smaller ones improves the manageability, reliability and security of the system.

This is a key requirement in many standards, including ISA/IEC 62443 for industrial security, which models the system as zones connected by conduits. It also makes isolating network issues much easier and improves overall system reliability.

There are a variety of technology options for dividing your networks into zones:

  1. Subnets: This technique divides devices into groupings based on function or location for ease of maintenance and security. Each subnet has a specified range of IP addresses and is connected to other subnets through a Layer 3 switch or router. Subnets stop broadcast messages from crossing between areas, reducing the chances of a traffic storm impacting substation operations. Many of these switch and router devices can also act as packet filters (Layer 3 firewalls), offering some protection against cyber-attack. Note that a subnet boundary is only a security boundary if the router between the subnets actually filters; plain routing forwards everything.
     
  2. Virtual local area networks (VLANs): VLANs create logical groups of Ethernet devices that need not be physically co-located. They work by having Ethernet switches insert a 4-byte IEEE 802.1Q tag into each Ethernet frame; other switches on the network read the tag and decide whether a frame should be forwarded to a given port. VLANs are useful traffic management tools because they confine each device to the traffic of its own group. They are a Layer 2 separation only: any traffic between VLANs passes through a router, so that is where filtering must be enforced, and access ports should discard tagged frames arriving from end devices so that a host cannot tag its way into another VLAN.
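As an added example (not code from the article or from Belden), here is what the 4-byte 802.1Q tag mentioned above looks like on the wire and how a switch uses it to bound a frame's reach. The port table, MAC addresses and frames are assumptions made up for the example, and the model goes one step beyond the text by dropping tagged frames that arrive on an access port, which is the switch-side check that stops a host from tagging its way into another VLAN:

```python
"""Added example (not from the article or any vendor): parsing the 4-byte
IEEE 802.1Q tag and making a port-based forwarding decision with it.

The switch model, port table, MAC addresses and frames below are all
constructed for illustration. Real switches also learn MAC addresses and
forward known unicast only to the learned port; this model floods within
the VLAN, which is enough to show that the VLAN, not the wire, bounds the
traffic."""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed port table for a substation access switch.
# Access ports assign one VLAN to the untagged frames of the device behind
# them; the trunk to the station router carries several VLANs, tagged.
PORTS: Dict[str, dict] = {
    "ge1": {"mode": "access", "vid": 10},           # protection IED, VLAN 10
    "ge2": {"mode": "access", "vid": 10},           # protection IED, VLAN 10
    "ge3": {"mode": "access", "vid": 20},           # engineering PC, VLAN 20
    "ge4": {"mode": "trunk", "allowed": {10, 20}},  # uplink to router/firewall
}


def build_frame(dst: str, src: str, payload: bytes,
                vid: Optional[int] = None, ethertype: int = 0x0800) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        # Tag = TPID (0x8100) + TCI; PCP and DEI are left at 0, VID is 12 bits.
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID (None if untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]  # PCP(3) | DEI(1) | VID(12)
        vid = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def vlan_member(cfg: dict, vlan: int) -> bool:
    """True if the port carries the given VLAN (access VID or trunk allowed list)."""
    return cfg["vid"] == vlan if cfg["mode"] == "access" else vlan in cfg["allowed"]


def forward(ingress: str, frame: bytes) -> Tuple[Optional[int], List[str]]:
    """Classify a frame into a VLAN and return (vlan, egress ports).

    An empty egress list means the frame is dropped at ingress."""
    port = PORTS[ingress]
    hdr = parse_frame(frame)
    if port["mode"] == "access":
        # An end device must not pick its own VLAN: a tagged frame arriving
        # on an access port is a VLAN-hopping attempt and is discarded.
        if hdr["vid"] is not None:
            return None, []
        vlan = port["vid"]
    else:
        # Trunk: only tagged frames for VLANs in the allowed set are accepted.
        if hdr["vid"] is None or hdr["vid"] not in port["allowed"]:
            return None, []
        vlan = hdr["vid"]
    egress = [name for name, cfg in PORTS.items()
              if name != ingress and vlan_member(cfg, vlan)]
    return vlan, egress


if __name__ == "__main__":
    bcast, ied, pc = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", "00:11:22:33:44:03"
    print(forward("ge1", build_frame(bcast, ied, b"ARP")))          # (10, ['ge2', 'ge4'])
    print(forward("ge1", build_frame(bcast, ied, b"ARP", vid=20)))  # (None, [])  hopping attempt
    print(forward("ge4", build_frame(bcast, pc, b"ARP", vid=10)))   # (10, ['ge1', 'ge2'])
    print(forward("ge4", build_frame(bcast, pc, b"ARP", vid=30)))   # (None, [])  VLAN not on trunk
```

Run it directly to see the four cases: an untagged frame from an IED reaches only the other VLAN 10 port and the trunk, a frame the IED tagged itself is dropped at ingress, and a trunk frame for a VLAN not on the allowed list never enters the switch.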

Cybersecurity is an iterative process. As surrounding conditions or threat sources evolve, systems and policies need to be updated to address those changes.

2. Build multiple layers of security:
A single-point security solution is a thing of the past. The electrical grid, including its substations and feeders, is an increasingly easy target for hackers and, given its critical importance, any internal error that brings down the network would be just as damaging. A carefully designed security strategy should deploy multiple, overlapping layers of protection to secure critical infrastructure. This includes looking at policies and procedures as well as physical, network, computer and device security.

Multi-layer security is built on three core concepts:

  1. Multiple layers of defense: Layer multiple security solutions so that if one is bypassed, another layer will provide the defense. Systems cannot rely completely on a single point of security, no matter how good it is.
     
  2. Differentiated layers of defense: Each security layer should be slightly different from the rest so if an attacker finds a way past the first layer, they don't automatically have the capabilities to get past subsequent defenses.
     
  3. Threat-specific layers of defense: Each defense should be designed for a specific context and threat. In essence, design for the threat. The electric power system is exposed to a variety of security threats, ranging from computer malware and disgruntled employees to denial-of-service (DoS) attacks and information theft. Each needs to be considered and defended against individually, so that the defenses match the behavior and context of the systems and protocols they protect.

3. Implement different network security technologies:

  1. Industrial firewalls control and monitor traffic, comparing the traffic passing through to a predefined security policy and discarding messages that do not meet the policy's requirements. Firewalls can be installed both at the network boundary and between internal zones.
     
  2. Virtual private networks (VPNs) are networks layered onto a more general network, using specific protocols or methods to ensure private transmission of data. VPN sessions tunnel across the transport network in encrypted form, so for all practical purposes the data is private even when it crosses a shared or public network. Note that a VPN authenticates and protects the link, not the payload: a Modbus or DNP3 write sent by a compromised but authorized endpoint arrives intact, so VPNs complement rather than replace the protocol-level filtering described in the next item.
     
  3. Industrial protocol zones and conduits: Most devices in the PT&D market still use legacy industrial protocols, often carried inside TCP/IP. As a result, a security approach focused solely on TCP/IP-level vulnerabilities may not be enough. One way to provide additional protection is to divide the network into multiple legacy industrial protocol zones, connected through deep packet inspection (DPI) devices that form the conduits for legacy protocol communication between those zones. A DPI conduit understands the industrial protocol itself, so it can permit, for example, Modbus reads from a historian while rejecting writes, rather than merely allowing or blocking TCP port 502. Such a design means that even if an attacker gains access to one zone through a TCP/IP-level vulnerability, he or she still cannot send arbitrary commands to the industrial devices in other zones.

4. Embed security in different elements of the network:

  1. Security in the router: To create a security perimeter for the substation, establish a security control point to restrict and monitor traffic flowing into and out of the substation. This could be a dedicated firewall, but in most cases a router or terminal server can be used. These need to be able to filter large amounts of traffic and interface transparently with IT systems using security and authentication protocols such as RADIUS and TACACS+. It is critical that this device is both security-hardened and monitored for indications of attack.
     
  2. Security in the switch: To protect core processes, industrial network switches offer advanced security features. At first glance they appear on the network like a traditional Ethernet switch, but they can inspect network messages in great detail. The transparent feature allows them to be dropped into existing systems without readdressing the station devices, so organizations can retrofit security zones into live environments without a shutdown and install security controls within a single sub-network, for example within a large process bus. The firewall feature provides stateful inspection of network protocols so that inappropriate traffic can be blocked: rate limits can be set to contain "traffic storms", and deep packet inspection rules can be set to prevent inappropriate commands from being sent to IEDs or controllers. The switches also provide additional protection through features like port-based device access control with IEEE 802.1X, access control lists that block unknown devices and protocols, security alerts on suspicious network activity and IP source guard to detect network address spoofing.

5. Add redundancy into the network infrastructure:
When designing substation networks, it's important to consider how all of the pieces will communicate with each other and how the data will move from the substation to other locations on the network.

Substations can communicate with the master control station and the backup control station using a variety of networking technologies, including Ethernet WAN, 3G/4G cellular or MPLS/PPP WAN. Whichever technology is chosen, consider making it redundant by adding a cellular backup link. Robust communication keeps small issues contained and ensures high system availability.

While numerous redundancy schemes have been developed over the years, there are three particularly useful concepts for mastering substation redundancy: Rapid Spanning Tree Protocol (RSTP), cellular redundancy and Parallel Redundancy Protocol (PRP). RSTP blocks redundant links and reconverges when an active link fails, so there is a brief outage; PRP (IEC 62439-3) instead transmits every frame over two independent LANs and the receiver discards the duplicate, so a single failure causes no loss at all. When it is not possible or practical to add a separate physical hardwired Ethernet line, cellular redundancy can provide a means of backing up communication. The cellular link remains in standby until communication via the primary hardwired Ethernet line is lost, at which point traffic is transferred to the cellular link. Because the backup path is typically slower and metered, the failover logic should include a hold-down period so that a flapping primary link does not cause repeated switchover.
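To make the difference between RSTP and PRP concrete, the following added example (not code from the article or from Belden) implements the receiver side of PRP: the duplicate discard that lets a doubly attached node lose either copy of a frame without the application noticing. The trailer layout follows IEC 62439-3 as summarised in the docstring; the MAC addresses, payloads and arrival order are constructed for the example:

```python
"""Added example (not from the article or any vendor): the receive-side
duplicate discard that makes PRP a zero-recovery-time scheme.

A doubly attached node sends every frame twice, once per LAN, with a
6-byte Redundancy Control Trailer (RCT) appended to the payload:
16-bit sequence number, 4-bit LAN ID (0xA or 0xB), 12-bit LSDU size and
the 0x88FB suffix (IEC 62439-3). The receiver delivers the first copy
and discards the second. Source addresses and payloads are constructed."""
import struct
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

PRP_SUFFIX = 0x88FB
LAN_A, LAN_B = 0xA, 0xB
RCT_LEN = 6


def add_rct(payload: bytes, seq: int, lan: int) -> bytes:
    """Append the RCT; the LSDU size counts the payload plus the trailer."""
    lsdu_size = len(payload) + RCT_LEN
    return payload + struct.pack("!HHH", seq & 0xFFFF,
                                 (lan << 12) | (lsdu_size & 0x0FFF), PRP_SUFFIX)


def strip_rct(frame: bytes) -> Tuple[bytes, int, int]:
    """Return (payload, seq, lan), or raise ValueError if there is no valid RCT."""
    if len(frame) < RCT_LEN:
        raise ValueError("frame shorter than an RCT")
    seq, lan_size, suffix = struct.unpack("!HHH", frame[-RCT_LEN:])
    lan, size = lan_size >> 12, lan_size & 0x0FFF
    # The suffix alone can collide with ordinary payload bytes; the LAN ID
    # and size fields are the extra checks that tell a tagged frame apart.
    if suffix != PRP_SUFFIX or lan not in (LAN_A, LAN_B) or size != len(frame):
        raise ValueError("no valid PRP trailer")
    return frame[:-RCT_LEN], seq, lan


class PrpReceiver:
    """Per-source duplicate discard with a bounded memory of recent sequence numbers."""

    def __init__(self, window: int = 256):
        self.window = window
        self.seen: Dict[str, "OrderedDict[int, int]"] = {}
        self.discarded = 0

    def receive(self, src_mac: str, frame: bytes) -> Optional[bytes]:
        """Return the payload to hand to the application, or None if it is a duplicate."""
        try:
            payload, seq, lan = strip_rct(frame)
        except ValueError:
            return frame  # singly attached node, no RCT: deliver unchanged
        table = self.seen.setdefault(src_mac, OrderedDict())
        if seq in table:
            self.discarded += 1  # second copy of a frame already delivered
            return None
        table[seq] = lan
        if len(table) > self.window:
            table.popitem(last=False)  # forget the oldest sequence number
        return payload


def demo() -> Tuple[List[bytes], int]:
    """Feed an interleaved, lossy arrival order through the receiver."""
    rx = PrpReceiver()
    ied = "00:0c:29:aa:bb:01"   # constructed doubly attached IED
    san = "00:0c:29:aa:bb:02"   # constructed singly attached node
    arrivals = [
        (ied, add_rct(b"GOOSE block 1", 1, LAN_A)),
        (ied, add_rct(b"GOOSE block 1", 1, LAN_B)),  # duplicate, discarded
        (ied, add_rct(b"GOOSE block 2", 2, LAN_B)),  # LAN A copy lost: still delivered
        (ied, add_rct(b"GOOSE block 3", 3, LAN_B)),  # LAN B arrives first this time
        (ied, add_rct(b"GOOSE block 3", 3, LAN_A)),  # duplicate, discarded
        (san, b"plain frame from a singly attached node"),
    ]
    delivered = []
    for src, frame in arrivals:
        payload = rx.receive(src, frame)
        if payload is not None:
            delivered.append(payload)
    return delivered, rx.discarded


if __name__ == "__main__":
    frames, dropped = demo()
    for f in frames:
        print("delivered:", f)
    print("duplicates discarded:", dropped)
```

The point to notice is sequence number 2: only the LAN B copy arrives, and the application still receives it with no reconvergence step, which is exactly what RSTP cannot offer. The bounded window matters in practice because the 16-bit sequence number wraps; a receiver that remembered every number forever would eventually discard fresh frames as duplicates.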

6. Establish a systematic approach to cybersecurity:
In a typical substation network, a systematic approach for cybersecurity procedures will improve the overall reliability and predictability of the network and carry long-term benefits. These procedures should include the following elements:

  • Installing routers and firewalls between the corporate backbone and the substation network
     
  • Implementing stateful inspection and deep packet inspection (DPI) to ensure that only authorized and valid packets travel between the two networks. Tunneling, router redundancy and encryption are helpful features for securing access to the substation
     
  • Segmenting the operational network from the telecom network, and creating demilitarized zones (DMZs) for servers and computers in the operational network that need external access. Security zones can be defined by physical location or by common function
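The zones and conduits of best practice 3, the DPI rules in the switch of best practice 4 and the checklist above come together in the following added example (not code from the article or from Belden): a policy engine that first checks that a packet is crossing a defined conduit, then, for Modbus/TCP, parses the MBAP header and permits only the function codes that conduit is meant to carry. The zone subnets, conduit table, addresses and Modbus frames are assumptions made up for the example:

```python
"""Added example (not from the article or any vendor): a zone-and-conduit
policy that filters by subnet and TCP port, then applies deep packet
inspection to Modbus/TCP so that only the function codes a conduit is
meant to carry get through. Zone subnets, conduits, addresses and the
Modbus frames are all constructed for the example."""
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed zones: one IP subnet each, in the spirit of ISA/IEC 62443.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":       ipaddress.ip_network("172.16.1.0/24"),    # historian, jump host
    "scada":     ipaddress.ip_network("192.168.10.0/24"),  # control-centre masters
    "ied":       ipaddress.ip_network("192.168.20.0/24"),  # bay-level IEDs
}

MODBUS_READS = {1, 2, 3, 4}     # read coils / discrete inputs / holding / input registers
MODBUS_WRITES = {5, 6, 15, 16}  # write single/multiple coils and registers

# Conduits: (source zone, destination zone, TCP port, permitted Modbus
# function codes, or None when the port is not Modbus). Everything not
# listed is denied; traffic inside one zone never crosses a conduit.
CONDUITS = [
    ("corporate", "dmz", 443, None),                      # reports from the historian
    ("dmz", "ied", 502, MODBUS_READS),                    # historian polls IEDs, read only
    ("scada", "ied", 502, MODBUS_READS | MODBUS_WRITES),  # only the master may write
]


def build_modbus(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus(payload: bytes) -> int:
    """Validate the MBAP header and return the function code, else raise ValueError."""
    if len(payload) < 8:
        raise ValueError("ADU too short for MBAP header and function code")
    _tid, proto, length, _unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match the frame")
    return payload[7]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone whose subnet contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes = b"") -> Tuple[str, str]:
    """Return ("ACCEPT" | "DROP", reason) for one packet reaching the conduit device."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "DROP", "address outside every defined zone"
    for s, d, port, fcs in CONDUITS:
        if (s, d, port) != (src, dst, dst_port):
            continue
        if fcs is None:
            return "ACCEPT", f"conduit {s}->{d}/{port}"
        try:
            fc = parse_modbus(payload)
        except ValueError as exc:
            return "DROP", f"malformed Modbus/TCP on conduit {s}->{d}: {exc}"
        if fc in fcs:
            return "ACCEPT", f"conduit {s}->{d}/{port}, Modbus FC {fc} permitted"
        return "DROP", f"Modbus FC {fc} not permitted on conduit {s}->{d}"
    return "DROP", f"no conduit {src}->{dst}/{dst_port}"


if __name__ == "__main__":
    ied = "192.168.20.11"
    cases = [
        ("192.168.10.5", ied, 502, build_modbus(1, 1, 16, b"\x00\x10\x00\x01\x02\x00\x01")),  # master writes
        ("172.16.1.20", ied, 502, build_modbus(2, 1, 3, b"\x00\x00\x00\x0a")),                 # historian reads
        ("172.16.1.20", ied, 502, build_modbus(3, 1, 6, b"\x00\x01\x00\x01")),                 # historian writes
        ("10.0.5.7", ied, 502, build_modbus(4, 1, 3, b"\x00\x00\x00\x01")),                    # corporate to IED
        ("10.0.5.7", "172.16.1.20", 443, b""),                                                  # corporate to DMZ
        ("192.168.10.5", ied, 502, b"\x00\x05\x00\x01\x00\x02\x01\x03"),                       # protocol id 1
    ]
    for src, dst, port, data in cases:
        print(src, "->", dst, port, *evaluate(src, dst, port, data))
```

The third and fourth cases are the ones a port-only firewall gets wrong: the historian is allowed to talk to the IED on port 502, yet a write from it is still dropped, and a corporate host never gets a conduit at all. Malformed MBAP headers are dropped at the conduit rather than handed to the IED's own, usually less robust, parser.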

Several standards address cybersecurity for substation control systems, such as the North American Electric Reliability Corporation's Critical Infrastructure Protection requirements (NERC CIP), which set obligations on the utilities that operate the bulk electric system; IEEE 1686, the Institute of Electrical and Electronics Engineers' standard for the security capabilities of IEDs; and IEC 62351, the International Electrotechnical Commission's series on securing power system communication protocols such as IEC 61850 and IEC 60870-5. Each covers or focuses on different areas and parts of the overall system.

In light of the various physical and cybersecurity challenges facing the power landscape, it is important for network administrators to select switches and routers that have holistic protection against all types of hazards prevalent in substations. Many providers offer such solutions.

About the Author

Maggie Wu is a director of product line management for industrial IT at Belden. She joined the company in 2014 to lead Belden's efforts in innovating industrial networking products, focused mainly around providing complete communication solutions in the power transmission and distribution substations. Maggie is a veteran of several Silicon Valley high tech companies, mainly in the areas of semiconductor and networking.

Maggie holds a bachelor's degree from Tsinghua University in China and a master's degree from Stanford University. Reach her at maggie.wu@belden.com.