Substation Defense in Depth

Wednesday, February 10, 2016 @ 11:02 AM gHale

By Heather MacKenzie
The largest electric utility trade show and conference in the U.S., DistribuTECH, is going on this week in Orlando, and what makes it worth noting here is one of the conference discussions, entitled “Defending the Grid.”

The importance of the topic stems from the new NERC CIP requirements designed to strengthen reliability and security. Another reason grid protection is a hot topic is high-profile cyber attacks such as the one on the Ukraine power system.


With all this utility cyber action going on, it is time to review the state of cyber defenses at transmission substations. What is the right approach to secure substations? The quick overarching answer is it all starts with the best practice of Defense in Depth.

Layers of Protection
If you are an engineer in North America, you are familiar with NERC (the North American Electric Reliability Corporation), which sets standards for the operation of power systems across the U.S., Canada and parts of Mexico. It has a standard called NERC CIP (CIP standing for Critical Infrastructure Protection) that mandates compliance with minimum security requirements.

Unfortunately, for years a core NERC CIP concept was an electronic security perimeter (ESP) philosophy based on hiding all critical assets behind a monolithic boundary. For example, a single firewall could end up installed on the boundary between all critical control assets and the business network, with the hope that it would prevent all unauthorized access to the critical assets.

Industry experience has shown that monolithic designs present a single point of failure in a complex system. Few systems are so simple as to have a single point of entry. With the help of Murphy’s Law, eventually all single-point solutions are either bypassed or experience some sort of malfunction, leaving the system open to attack.

A more realistic strategy is based on Defense in Depth (DiD) – multiple layers of defense distributed throughout the control network.

DiD maintains an ESP firewall between the business and control networks, but adds security solutions inside the control system that protect the substations if the main firewall is bypassed. The solutions work in parallel, with one technology often overlapping with others, to form a significant safeguard against either attack or human error.

The techniques used should come from answers derived from doing a risk assessment for critical assets and processes. Then, a multi-layer defense model, which includes protection technology and other items, is developed. The other items include things like physical security, policies, procedures and more.

A network protected using a Defense in Depth strategy responds to threats, such as a traffic storm (caused by device failures) or a USB-based virus, by limiting the impact to the zone where the problem started. Alarm messages from the firewalls would pinpoint the zone and even the source of the problem.
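The zone-level triage this paragraph describes can be shown with a small amount of code. The following is an added example, not part of the original article or any Tofino or Belden product: it parses constructed alarm lines from several internal zone firewalls, counts alarms per zone, and flags the (zone, source) pair whose repeated rate-limit drops mark the origin of a traffic storm. The log format, zone names and addresses are assumptions made for the example.

```python
"""Zone-level alarm triage for a Defense in Depth substation network.

Added example: parses constructed alarm lines from several zone firewalls
and reports which zone, and which source address, a problem started in.
The log format and zone names are assumptions, not any vendor's format.
"""
import re
from collections import Counter

# Constructed sample alarms (assumed format):
# <time> <firewall> zone=<zone> src=<ip> dst=<ip> action=<drop|alert> reason=<text>
SAMPLE_ALARMS = """\
12:00:01 fw-bay1 zone=bay1 src=10.1.1.20 dst=10.1.1.5 action=drop reason=rate-limit
12:00:01 fw-bay1 zone=bay1 src=10.1.1.20 dst=10.1.1.6 action=drop reason=rate-limit
12:00:02 fw-bay1 zone=bay1 src=10.1.1.20 dst=10.1.1.7 action=drop reason=rate-limit
12:00:02 fw-bay2 zone=bay2 src=10.1.2.30 dst=10.1.2.5 action=alert reason=unknown-protocol
12:00:03 fw-bay1 zone=bay1 src=10.1.1.20 dst=10.1.1.8 action=drop reason=rate-limit
12:00:03 fw-esp zone=esp src=192.168.50.10 dst=10.1.1.5 action=drop reason=policy
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<fw>\S+) zone=(?P<zone>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) action=(?P<action>\S+) reason=(?P<reason>\S+)$"
)


def parse_alarms(text):
    """Turn raw alarm lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def alarms_by_zone(events):
    """Count alarms per zone; the zone with the most drops is where containment is holding."""
    return Counter(e["zone"] for e in events)


def locate_storm(events, min_drops=3):
    """Return (zone, src, count) for sources whose rate-limit drops reach min_drops.

    One source repeatedly tripping the rate limiter inside a single zone is the
    signature of a traffic storm from a failed or misbehaving device, and the
    zone firewall has already confined it to that zone.
    """
    per_src = Counter(
        (e["zone"], e["src"]) for e in events
        if e["action"] == "drop" and e["reason"] == "rate-limit"
    )
    return [(zone, src, n) for (zone, src), n in per_src.items() if n >= min_drops]


if __name__ == "__main__":
    evs = parse_alarms(SAMPLE_ALARMS)
    print(dict(alarms_by_zone(evs)))
    for zone, src, n in locate_storm(evs):
        print(f"traffic storm contained in zone {zone}: source {src}, {n} rate-limit drops")
```

Run stand-alone, the script reports four alarms in zone bay1 and identifies 10.1.1.20 as the storming source; the same parsing and counting approach applies to any firewall that tags its alarms with the zone that raised them.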

Establishing a Control Point
To create a security perimeter for the substation, a security control point needs to be established to restrict and monitor traffic flowing into and out of the substation.

Typically, this will be a dedicated firewall, but in some cases a router or terminal server can be used. These need to be able to filter large amounts of traffic and interface transparently to IT systems using security protocols, such as RADIUS and TACACS+. It is critical this device is security hardened and monitored for indication of attacks.

There are two primary options for implementing network security technologies for a substation:

1. Industrial firewalls that control and monitor traffic, comparing the traffic passing through to a predefined security policy and discarding messages that do not meet the policy’s requirements. Firewalls can be installed at the ESP boundary and between internal zones.
2. VPNs (Virtual Private Networks) are networks layered onto a more general network using specific protocols or methods to ensure “private” transmission of data. VPN sessions tunnel across the transport network in an encrypted format, making them “invisible” for all practical purposes.

Inspecting Messages
Transparent firewalls are security devices with special features for industrial use. At first glance, they function on the network like a traditional Ethernet switch, but they can actually inspect network messages in great detail.

The “transparent” feature allows them to be dropped into existing systems without requiring readdressing of the station devices. This means that organizations can retrofit security zones into live environments without a shutdown. They also allow the installation of security controls within a single subnetwork, for example within a large process bus.

The “firewall” feature provides detailed “stateful” inspection of all network protocols so inappropriate traffic can be blocked. For example, rate limits can be set to prevent “traffic storms” while deep packet inspection rules can be set to prevent inappropriate commands from being sent to IEDs or controllers.
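To make the two controls in this paragraph concrete, here is an added example of a simplified zone-firewall policy engine. It is not Tofino's or Belden's code. It enforces a per-source token-bucket rate limit to damp traffic storms, and performs deep packet inspection on Modbus/TCP requests so that a host in the business zone may read from an IED but never write to it. Modbus/TCP is assumed as the IED protocol (the article does not name one), and the zone names, addresses, rate values and sample frames are all constructed for the example.

```python
"""Rate limiting plus deep packet inspection for an industrial zone firewall.

Added example (not Tofino's or Belden's code). Assumes Modbus/TCP as the IED
protocol; zone names, addresses and rate values are constructed.
"""
import struct

# Modbus/TCP MBAP header: transaction id, protocol id, length, unit id (public Modbus spec).
MBAP = struct.Struct(">HHHB")

# Public Modbus function codes used in the policy below.
FC_READ_COILS = 0x01
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REG = 0x06
FC_WRITE_MULTIPLE_REGS = 0x10

# Assumed policy: which function codes each source zone may send to protected IEDs.
ZONE_POLICY = {
    "business": {FC_READ_COILS, FC_READ_HOLDING},  # monitoring only, no writes
    "control": {FC_READ_COILS, FC_READ_HOLDING,
                FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REG, FC_WRITE_MULTIPLE_REGS},
}


def parse_modbus_tcp(frame):
    """Return (unit_id, function_code), or None if the frame is not well-formed Modbus/TCP."""
    if len(frame) < MBAP.size + 1:
        return None
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    # Protocol id must be 0 and the length field must cover exactly the remaining bytes.
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[MBAP.size]


class TokenBucket:
    """Per-source rate limiter: `rate` tokens per second, bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ZoneFirewall:
    """Inspects each frame crossing a zone boundary and records every drop as an alarm."""

    def __init__(self, rate=10.0, burst=5):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.alarms = []  # (zone, src_ip, reason) tuples, one per dropped frame

    def inspect(self, src_zone, src_ip, frame, now):
        """Return 'allow' or 'drop' for one frame seen at time `now` (seconds)."""
        bucket = self.buckets.setdefault(src_ip, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return self._drop(src_zone, src_ip, "rate-limit")
        parsed = parse_modbus_tcp(frame)
        if parsed is None:
            return self._drop(src_zone, src_ip, "malformed")
        _unit, fc = parsed
        if fc not in ZONE_POLICY.get(src_zone, set()):
            return self._drop(src_zone, src_ip, f"fc=0x{fc:02x} not allowed from {src_zone}")
        return "allow"

    def _drop(self, zone, ip, reason):
        self.alarms.append((zone, ip, reason))
        return "drop"


def modbus_frame(fc, unit=1, payload=b"\x00\x00\x00\x01"):
    """Build a constructed Modbus/TCP request frame (used only to exercise the firewall)."""
    pdu = bytes([fc]) + payload
    return MBAP.pack(1, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    fw = ZoneFirewall(rate=10.0, burst=5)
    print(fw.inspect("business", "192.168.50.10", modbus_frame(FC_READ_HOLDING), 0.0))
    print(fw.inspect("business", "192.168.50.10", modbus_frame(FC_WRITE_SINGLE_REG), 0.1))
    # Six frames in the same instant from one control-zone host: burst of 5, sixth dropped.
    print([fw.inspect("control", "10.1.1.20", modbus_frame(FC_READ_HOLDING), 1.0) for _ in range(6)])
    for alarm in fw.alarms:
        print("alarm:", alarm)
```

The rate limiter is evaluated before the protocol parser on purpose: during a storm, the cheap check rejects traffic before any parsing work is spent on it, and the alarm carries both the zone and the source address, which is exactly the information the paragraph on zone containment says the firewalls should provide.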

Heather MacKenzie is with Tofino Security, a Belden company.