Unpatched software: security vulnerabilities in packaged software that have not been addressed by applying the manufacturer's fixes (security patches); unpatched systems are easy to attack.
PA Consulting Group has worked with major energy companies for many years to address these risks and as a result has developed an approach that can be applied to any utility (see Figure 1). This seven-step approach has been adopted by the UK Government’s Centre for Protection of National Infrastructure (formerly known as NISCC) as recommended good practice for control system security.
Undertake a formal risk assessment of the process control systems (see Figure 2).
- Understand systems. Construct a formal inventory of the control systems, identifying the systems and their role, their business and safety criticalities and location, the system owner (who manages and supports the system) and how the systems interact.
- Understand threats. Identify and evaluate the threats facing the control systems. Possible threats may include: denial of service, targeted attacks, accidental incidents, unauthorized control, or viruses, worms or Trojan horse infections.
- Understand impacts. Identify potential impacts and consequences to the control systems should a threat materialize. These could include: health and safety incidents, damage to equipment, loss of production, breach of regulatory requirements or loss of reputation.
- Understand vulnerabilities. Undertake a vulnerability assessment of the control systems. Such a review should include: evaluation of the infrastructure, operating systems, applications, network connections, remote access connectivity and associated processes and procedures.
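The four steps above (inventory, threats, impacts, vulnerabilities) only become a usable risk assessment when they are recorded in one structure and the interactions between systems are taken into account. The following is an added illustration, not PA Consulting's method: the 1-5 scales, the scoring rule (effective criticality x threat likelihood x exposure) and the sample inventory are all assumptions constructed for this example. The one point it shows that the list alone does not is that a low-criticality system (an engineering workstation) inherits the criticality of the safety system that depends on it, which is why "how the systems interact" belongs in the inventory.

```python
from dataclasses import dataclass, field

@dataclass
class ControlSystem:
    name: str
    role: str
    owner: str            # who manages and supports the system
    location: str
    criticality: int      # own business/safety criticality, 1..5 (assumed scale)
    depends_on: list = field(default_factory=list)        # names of systems this one relies on
    threats: dict = field(default_factory=dict)           # threat -> likelihood 1..5 (assumed scale)
    vulnerabilities: list = field(default_factory=list)   # findings from the vulnerability review

def effective_criticalities(inventory):
    """A system inherits the criticality of every system that depends on it.
    Iterates to a fixed point, so chains and cycles of dependencies are handled."""
    eff = {n: s.criticality for n, s in inventory.items()}
    changed = True
    while changed:
        changed = False
        for s in inventory.values():
            for dep in s.depends_on:
                if dep in eff and eff[s.name] > eff[dep]:
                    eff[dep] = eff[s.name]
                    changed = True
    return eff

def risk_register(inventory):
    """Rank systems by (effective criticality * worst threat likelihood * exposure).
    Exposure grows with the number of open vulnerability findings; scale is assumed."""
    eff = effective_criticalities(inventory)
    rows = []
    for s in inventory.values():
        likelihood = max(s.threats.values(), default=1)
        exposure = min(5, 1 + len(s.vulnerabilities))
        rows.append((eff[s.name] * likelihood * exposure, s.name, eff[s.name]))
    return sorted(rows, reverse=True)

# Constructed sample inventory; the names and values are illustrative only.
INVENTORY = {s.name: s for s in [
    ControlSystem("SIS-1", "safety instrumented system", "Plant Safety", "Unit 1", 5,
                  depends_on=["ENG-WS"], threats={"unauthorized control": 2}),
    ControlSystem("ENG-WS", "engineering workstation", "Plant IT", "Control room", 2,
                  threats={"worm infection": 4, "denial of service": 3},
                  vulnerabilities=["unpatched OS", "remote vendor access"]),
    ControlSystem("RTU-7", "remote terminal unit", "Operations", "Substation 7", 3,
                  threats={"unauthorized control": 3},
                  vulnerabilities=["default credentials"]),
    ControlSystem("HIST-1", "process historian", "Plant IT", "Control room", 2,
                  threats={"denial of service": 3}),
]}

if __name__ == "__main__":
    for score, name, crit in risk_register(INVENTORY):
        print(f"{name:8} effective criticality {crit}  risk score {score}")
```

Run as a script, the register lists ENG-WS first: on its own it is a criticality-2 system, but because SIS-1 depends on it, it carries criticality 5, and combined with a likely worm infection and two open findings it outranks the safety system itself.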
Once the business risk is understood, a coherent set of risk reduction (security improvement) measures must be implemented to form an overall secure architecture for the system.
An effective response capability involves identifying, evaluating and reacting appropriately to new vulnerabilities, changes in security threats and electronic security incidents. Establishing formal response plans and procedures ensures that any changes to the risk profile are identified as early as possible and that any required response actions are initiated quickly to avoid incidents, or at least to minimize the impact of incidents that cannot be entirely avoided.
The objective of this stage is to increase control system security awareness throughout the organization and to ensure that all personnel have the appropriate knowledge and skills required to fulfill their roles.
The objective of this stage is to ensure that all security risks from vendors, support organizations and other third parties are managed.
The purpose of project engagement is to ensure that all projects and initiatives that may impact the control systems are identified early in their cycle and include appropriate security measures in their design and specification.
- Identify all projects that have control systems implications at an early stage in their cycle.
- Establish a single point of accountability for security risk management for the full lifecycle of the project.
- Ensure that standard security clauses and specifications are incorporated in all procurement contracts.
- Include security requirements in the design and specification of projects and ensure that all appropriate security policies and standards are adhered to.
- Undertake security reviews throughout the project development life cycle.
- Plan for security testing at key points of the project development life cycle.
The objective of this stage is to provide clear direction for the management of control system security risks and to ensure ongoing compliance with, and review of, the policy and standards. An effective governance framework provides clear roles and responsibilities, up-to-date policy and standards guidance for managing control system security risks, and assurance that this policy and standards guidance is being followed.
PA Consulting Group is an independent, employee-owned, global firm of 3,000 people operating from offices across the world, in Europe, North America, Latin America, Asia, and Oceania. The firm has expertise across key industries and government, including energy, and skills from strategy to IT to HR to applied technology. More information at: www.paconsulting.com.
By Lee House, GarrettCom
Beyond the obvious needs of bandwidth, standards compliance, flexibility and reliability, two new challenges in the design of networks for the power industry exist: integrating support for international security requirements and enabling “smart grid” initiatives.
Utilities that employ Internet-related services such as carrier-provided MPLS-based virtual private network (VPN) and wireless Ethernet networking benefit from the efficiency, cost-effectiveness and future-proofing of standards-based IP solutions. However, IP-based solutions do increase the risk of cyber attack.
The force of law behind both cyber security and smart grid makes cyber-security software and the supporting network infrastructure to facilitate compliance “must haves.” Smart grid initiatives will rely on IP-based infrastructure and heightened security standards, such as the NERC Critical Infrastructure Protection (CIP) requirements for North American utilities, which will allow utilities to take advantage of Internet technology without incurring unacceptable levels of risk.
The deadline for compliance with current NERC CIP rules is Jan. 1, 2009, for most utilities. Utilities must also collect a full fiscal year's worth of documentation in order to be deemed compliant in June 2010. Network and software infrastructure components of NERC CIP include an electronic security perimeter (ESP) (CIP-005), a physical security perimeter (CIP-006), and system access control (CIP-007).
ESP requires a firewall with the capability to provide logs and reports of network activity and security events for auditing and network forensics. Virtual private network (VPN) technology, often integrated with today's router/firewalls, offers additional network protection.
Physical security can be addressed using IP-based video cameras, as well as physical access controls, such as fingerprint, iris scanners or simple badge access. For bandwidth and latency management purposes, high-bandwidth traffic such as video monitoring should be segregated from access and control traffic by using a separate virtual local area network (VLAN), IP-network or VPN within a plant or substation network.
System access control is concerned with online access to systems in the control center as well as to critical cyber assets (CCAs) at substations. For effective compliance, an integrated access control solution must provide comprehensive user authentication and authorization to ensure that only authorized personnel can access systems and devices. Individual user profiles take security to another level by ensuring that personnel can only perform the specific operational functions for which they are individually authorized. The highest level of security would include two-factor authentication (both a password and an RSA SecurID token), strong-form passwords and archived logging of all sessions, ideally to the keystroke level.
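To make the three elements of that access-control model concrete, here is an added example of a minimal substation access gateway; it is not GarrettCom's product or code. It combines a salted password hash with a time-based one-time code (RFC 6238 TOTP built on RFC 4226 HOTP, standing in for the hardware token mentioned above), enforces a per-user profile that lists which functions each user may perform on which device, and appends every login attempt and every command, including the keystrokes sent, to an archivable audit log. The user store, device names, profile format and the use of the RFC 4226 test-vector secret are all assumptions for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, at=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessGateway:
    """Assumed gateway in front of substation IEDs/RTUs: 2FA login, profile checks, audit log."""
    def __init__(self):
        self.users = {}      # username -> {salt, pw, token, profile}
        self.sessions = {}   # session id -> username
        self.audit = []      # archived log: every login attempt and every command, keystrokes included

    def add_user(self, name, password, token_secret, profile):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw": hash_password(password, salt),
                            "token": token_secret, "profile": profile}

    def login(self, name, password, otp, now=None):
        """Both factors must verify; failures are logged but not explained to the caller."""
        rec = self.users.get(name)
        ok = (rec is not None
              and hmac.compare_digest(rec["pw"], hash_password(password, rec["salt"]))
              and hmac.compare_digest(totp(rec["token"], now), otp))
        self.audit.append(("LOGIN", name, "ok" if ok else "fail"))
        if not ok:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = name
        return sid

    def execute(self, sid, device, function, keystrokes):
        """Allow a function only if the user's profile grants it on that device; log either way."""
        user = self.sessions.get(sid)
        allowed = user is not None and function in self.users[user]["profile"].get(device, set())
        self.audit.append(("CMD", user, device, function, keystrokes, "allowed" if allowed else "denied"))
        return allowed

TOKEN_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret; a real token has its own seed

def demo():
    """Constructed walkthrough: one engineer, one permitted change, one out-of-profile change."""
    gw = AccessGateway()
    gw.add_user("protection_eng", "correct horse battery", TOKEN_SECRET,
                {"relay-7A": {"read_settings", "write_settings"}, "rtu-7": {"read_status"}})
    at = 59  # fixed clock so the one-time code is reproducible (RFC 6238 test time)
    sid = gw.login("protection_eng", "correct horse battery", totp(TOKEN_SECRET, at=at), now=at)
    results = [
        gw.execute(sid, "relay-7A", "write_settings", "set 50P pickup 4.2A"),   # in profile
        gw.execute(sid, "rtu-7", "write_settings", "set dnp3 addr 42"),         # read-only on rtu-7
        gw.execute("no-such-session", "relay-7A", "read_settings", "show"),     # no session
    ]
    return sid, results, gw

if __name__ == "__main__":
    _, _, gateway = demo()
    for entry in gateway.audit:
        print(entry)
```

The audit log is what a CIP-007 reviewer would want to see archived: who logged in, when it failed, and exactly what was typed at each device, with the denied write to the RTU recorded alongside the permitted relay change rather than silently dropped.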
Effective compliance requires central management of security policies, archiving of log data and production of company-wide compliance reports. This central authority (the server function) must push policy and enforcement of security over CCAs at each substation. One architecture to perform this function involves a central proxy-server as the security gateway to remote firewalls. Another architecture distributes access security servers to within each substation. A centralized architecture typically reduces cost and complexity for initial deployment, while a more distributed architecture may provide greater flexibility and advanced security services over time.
When choosing access control solutions, it pays to look for additional benefits, such as the ability of the solution to enhance utility operations via easy-to-use remote access to critical substation devices. Solutions specifically designed for substation environments that provide integrated tools to control, configure and monitor different IED types can offer an effective dashboard, or user interface, to consolidate IED management and organize IEDs and RTUs into graphical directories. Access across complex networks can be simplified to a basic click-through operation. Further, an integrated security software solution, specifically designed for power utility use, that contains preconfigured device-specific profiles can enable applications to be preset and automatically launched, facilitating ‘front panel mode’ IED interaction.
GarrettCom and other vendors must step up to the plate with solutions that combine high availability IP and Ethernet transport technologies with innovative cyber-security solutions. As the compliance deadline draws near, utilities are looking for solutions that simplify compliance with NERC CIP and help enable deployment of smart grid infrastructure.
Lee House is vice president of engineering and CTO of GarrettCom. Lee has 19 years' experience in R&D and product development, with a focus on LANs, WANs and IP at companies including 3Com, IBM and Jetstream Communications. Contact him at lhouse@garrettcom.com.
Utility Automation & Engineering T&D November, 2008