Cybersecurity is one of the greatest challenges to grid reliability. As more facilities and devices become communication-enabled and IP-routable, the threats multiply along with the incredible productivity gains. This additional complexity impacts the work of field testing organizations in the form of a bewildering milieu of new technologies, processes, and regulations. Without awareness of the threats and security best practices, it is easy to feel lost in this complex new reality. This article attempts to fill the knowledge gap by describing real-world cyber threats and how they can impact communication-enabled grid assets. It also discusses best practice countermeasures and what field testing organizations can do to improve security while ensuring that work still gets done.
The energy sector is among the most frequently targeted critical infrastructure sectors. Advanced persistent threats (APTs) — defined as targeted attacks by technologically sophisticated, well-funded, and motivated groups, often with the backing of a state actor — have multiplied in recent years, and now constitute the greatest challenge to grid cyber security. In the early years of this decade, only one or two such successful attacks were detected, most notably the Stuxnet attack in 2010 that took out up to a fifth of Iranian nuclear centrifuges. But over the course of this decade, such attacks have multiplied manifold.
One well-studied APT is the 2014 attack by the group variously known as Energetic Bear (because it was thought to target energy sector entities), Crouching Yeti, and Dragonfly. The purpose of the attack was cyber espionage (i.e., data theft), and so its visible impact wasn’t nearly as severe as the better-known cyberattacks against the Ukraine power grid, but the details of the attack are instructive and resemble other APTs.
Figure 1 shows the various elements of this attack. In general, the various stages of an APT are reconnaissance, social engineering/phishing, lateral movement, data destruction, and ultimately, an industrial control system (ICS) impact. Reconnaissance may involve identifying approved vendors from websites (company website, vendor news releases, etc.); company assets, locations, and power system information determined from regulatory filings and other such public information; and employee information from the company website and social networks such as LinkedIn. The objective of the reconnaissance is to identify employees who may get the attacker closer to target assets and systems.
The next step is to target these identified employees through social engineering. This may be in the form of spear phishing, where employees receive a legitimate-looking email — for instance, one that looks to the undiscerning eye to be from a trusted vendor announcing their user conference with a PDF attachment of the conference program. The PDF attachment in this case could be the actual conference program so that it doesn’t cause any suspicion, but it would be altered (weaponized) to include malware that infects the computer of any email recipient who opens the weaponized PDF.
The infected employee computers then serve as the staging for further reconnaissance from within the network. This next recon phase may involve techniques such as network scanning to identify assets and keystroke loggers to record user keystrokes and harvest sensitive information such as login credentials. The attackers use these launch points to move through the network and possibly erase or alter log files to avoid detection. Once they are able to identify a trusted link to the ICS network, such as the one between the corporate and control center historians, they may be able to exploit any available application vulnerability to enter the ICS network and compromise the control systems. With a higher degree of penetration of IP-based communication all the way down to the substations, such attacks now have the ability to propagate deep into the control and process zones of the utility organizations.
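Two of the stages described above leave traces that a defender can look for in ordinary authentication logs: lateral movement (one account authenticating to an unusual number of hosts in a short time, ending at the historians that bridge the corporate and ICS networks) and log tampering (entries erased from a log whose per-host sequence counter should be contiguous). The following Python script is an added example, not code from the article or from any vendor it mentions. The key=value log format, the host and user names, the 30-minute window and the three-host threshold are all constructed assumptions for illustration; a real deployment would tune them to the site's baseline.

```python
"""Detection heuristics for two APT stages: lateral movement and log tampering.
Added example; the log format and sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical key=value format). The "hist-*" hosts
# stand in for the corporate and control-center historians named in the text.
SAMPLE_LOG = """\
2014-03-03T09:58:20 seq=500 host=corp-ws07 user=mlee src=10.0.2.8 event=logon result=success
2014-03-03T10:00:01 seq=100 host=corp-ws12 user=jsmith src=10.0.1.5 event=logon result=success
2014-03-03T10:07:44 seq=200 host=corp-fs01 user=jsmith src=10.0.1.12 event=logon result=success
2014-03-03T10:12:30 seq=250 host=corp-db02 user=jsmith src=10.0.1.12 event=logon result=success
2014-03-03T10:18:05 seq=300 host=hist-corp01 user=jsmith src=10.0.1.12 event=logon result=success
2014-03-03T10:19:40 seq=301 host=hist-corp01 user=jsmith src=10.0.1.12 event=logon result=success
2014-03-03T10:25:12 seq=305 host=hist-corp01 user=jsmith src=10.0.1.12 event=logon result=success
2014-03-03T10:27:55 seq=400 host=hist-ctrl01 user=jsmith src=10.0.1.12 event=logon result=success
2014-03-03T10:30:00 seq=501 host=corp-ws07 user=mlee src=10.0.2.8 event=logon result=success
"""


def parse_line(line):
    """Split one record into a dict: ISO timestamp first, then key=value pairs."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["seq"] = int(event["seq"])
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_lateral_movement(events, max_hosts=3, window=timedelta(minutes=30)):
    """Return {user: sorted hosts} for accounts that successfully logged on to
    more than max_hosts distinct hosts inside any interval of length window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "logon" and e.get("result") == "success":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each logon
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                flagged.setdefault(user, set()).update(hosts)
    return {u: sorted(h) for u, h in flagged.items()}


def detect_sequence_gaps(events):
    """Return (host, first_missing, last_missing) for every hole in a host's
    sequence counter. A hole is consistent with entries having been deleted."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["seq"])
    gaps = []
    for host in sorted(by_host):
        seqs = sorted(by_host[host])
        for a, b in zip(seqs, seqs[1:]):
            if b - a > 1:
                gaps.append((host, a + 1, b - 1))
    return gaps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, hosts in detect_lateral_movement(evs).items():
        print(f"possible lateral movement by {user}: {', '.join(hosts)}")
    for host, lo, hi in detect_sequence_gaps(evs):
        print(f"{host}: events {lo}-{hi} missing (possible log deletion)")
```

On the sample data the account jsmith is flagged because it reaches five hosts inside 30 minutes, and hist-corp01 shows a gap at sequence numbers 302 to 304. The sequence check only works if the log source numbers its own records (or a collector does so on receipt) and the numbered copy is forwarded off the host, so that deleting entries locally cannot also renumber them.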
Defense in Depth is a key countermeasure strategy to secure communication-enabled systems. According to the NSA (National Security Agency), this is a practical strategy for achieving information assurance in today’s highly networked environment. As shown in Figure 2, Defense in Depth requires balanced focus on People, Technology, and Operations to ensure that defenses exist in all three dimensions. This is akin to castle defense, where multiple layers of defense such as walls, watchtowers, and moats prevent unauthorized ingress. Examining how Defense in Depth strategies might apply to communication-enabled systems demonstrates that two aspects need to be secured: the communication itself and access to the device.
Data communication should be secured at multiple levels, in keeping with the Defense in Depth strategy. For instance, security measures should be in place for communication links as well as application traffic. Table 1 shows some of the controls that could be used to secure the communication link. The application traffic occurs over this secure communication network and should be further secured at the application layer. This additional security consists of authentication using encrypted credentials and encrypted application payload using transport layer security (TLS). In addition, there could be an end-to-end tunnel between the endpoints.
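The application-layer measures just described (authenticated endpoints and an encrypted payload over TLS) can be expressed as a concrete configuration and audited. The following Python script is an added example, not code from the article or from any vendor it mentions. It uses the standard library ssl module to build a hardened client and server context (TLS 1.2 as the floor, certificate verification in both directions, hostname checking on the client), a deliberately weak client context of the kind that creeps into field tooling, and an audit function that reports which of those settings are missing. Certificate and key file paths are assumed to be caller-supplied PEM files; the script itself ships none.

```python
"""Hardened versus weak TLS contexts, with an audit function. Added example;
file paths passed in are assumed to be PEM certificate/key files."""
import ssl


def hardened_client_context(cafile=None, certfile=None, keyfile=None):
    """Client side: verify the server against a trusted CA, check the hostname,
    refuse anything below TLS 1.2, and optionally present a client certificate
    so the server can authenticate us as well (mutual TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)       # assumption: PEM CA bundle
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # assumption: PEM cert + key
    return ctx


def hardened_server_context(cafile=None, certfile=None, keyfile=None):
    """Server side: same TLS floor, and CERT_REQUIRED so that clients without a
    certificate issued by our CA cannot complete the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_client_context():
    """The shortcut that makes a tool 'just work' against self-signed devices:
    it accepts any certificate from anyone, so the tunnel is encrypted but
    not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accepts any server certificate
    return ctx


def audit_context(ctx, server_side=False):
    """Return a list of findings; an empty list means the context meets the
    three checks (protocol floor, peer authentication, hostname check)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode)")
    if not server_side and not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname)")
    return findings


if __name__ == "__main__":
    for name, ctx, srv in (("hardened client", hardened_client_context(), False),
                           ("hardened server", hardened_server_context(), True),
                           ("weak client", weak_client_context(), False)):
        print(f"{name}: {audit_context(ctx, server_side=srv) or 'ok'}")
```

The audit function is the piece worth keeping: wrap it around whatever builds the contexts in a test tool so that a context with verification switched off fails the tool's own self-check before it ever reaches a substation device.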
When facilities and devices are communication-enabled, remote access is technically feasible. If an organization decides to provide remote access to certain facilities or devices, strong measures must be put in place to ensure security. Table 2 shows some of the controls that could be used.
Implications for Testing Organizations
Within a typical utility, groups other than the testing organization control technology and compliance aspects of cyber security. IT may be responsible for the technology aspects, such as firewalls, anti-malware, and access control. The compliance group is responsible for determining policies other groups must adhere to. But ultimately, the testing organization works directly with these assets and must have a good understanding of the reasons for the controls and the policies.
Cybersecurity is a discipline that is here to stay and will grow in importance with developments such as the adoption of IEC 61850-based digital substations and the deployment of networked sensors such as phasor measurement units (PMUs). It is important for testing organizations to recognize this and become more aware of security threats and countermeasures as they apply to their job function. As more grid assets become communication-enabled and IP-connected, testing organizations must become comfortable working within the layered defenses put in place for them and be able to identify issues that invariably arise with any such complex, multi-layered system.
SANS Institute. “Anatomy of an ICS Attack.” Available at https://securingthehuman.sans.org/cyberattackdemo.
Dr. Richard Piggin. “Industrial Control Systems and SCADA Cyber-Security,” IET Engineering and Technology Magazine, Volume 9, Issue 8, 11 August 2014. Available at https://eandt.theiet.org/content/articles/2014/08/industrial-control-systems-and-scada-cyber-security/.
National Security Agency (NSA). Defense in Depth: A Practical Strategy for Achieving Information Assurance in Today’s Highly Networked Environments. Available at https://www.nsa.gov/ia/_files/support/defenseindepth.pdf.
Dr. Gowri Rajappan is Director of Technology and Cybersecurity at Doble Engineering. As an expert in cybersecurity and enterprise data technologies, he leads the cybersecurity activities at Doble and chairs the IEC TC57 task group for developing a common information model standard for asset management. Prior to Doble, he worked on cybersecurity and data technologies in support of the United States Department of Defense.