• Access control/data access control.

• Anti-virus.

• Application whitelisting or dynamic whitelisting.

• Change control or configuration control.

• Database security.

• Endpoint encryption.

• Host data loss prevention (DLP).

• Host firewall.

• Host intrusion detection systems/host intrusion prevention systems (HIDS/HIPS).

• System hardening.

Field zone protection

Field devices are often embedded systems: usually designed around low cost and low power consumption. Therefore, these devices will typically require security countermeasures that consume less memory, utilize fewer CPU resources, and have a smaller footprint. While the protection of these devices is paramount, the Smart Grid owner or operator will (typically) be unable to alter these devices, or install any commercially available cyber security countermeasure. Rather, the onus falls to the device manufacturer to build cyber security into these devices within the factory. Many device vendors are starting to investigate (and even implement) certain controls as part of their product development cycle. This is a positive trend, as the protection of the field devices would go a long way toward removing the inherent vulnerabilities that are present in most control environments. In addition, many commercially available technologies are highly significant and applicable to field device protection. Consider application whitelisting. Application whitelisting is one of the more popular software security solutions for embedded devices for these reasons. Unlike blacklist technology, which defines a rapidly growing list what is bad, whitelisting defines a finite list of known good applications and blocks everything else. “Applications” here refers to executables, including DLLs and other system functions, making it extremely difficult for malware to circumvent. The biggest advantage in an embedded system is, of course, that the whitelist rarely changes, minimizing or even eliminating the need to update the security profile on the embedded device (anti-virus, in contrast, must be patched frequently, with over 8 million new malware samples collected in Q2 of 2012, and over 90 million unique malware sample known to date in total.¹). Application whitelisting is highly suitable for many embedded devices, which by their nature provide a fixed function: no application other than those that originate in the factory should ever be enabled on these devices (embedded devices using VxWorks or a similar real-time operating system are an exception due to the way “applications” function in these systems; however the concept of locking down authorized code and preventing the execution of unauthorized code still applies).

However, it is important to remember that there are exceptions to all rules: some systems in the field, such as feature-rich gateways, may run on standard computing platforms using commercial operating systems, making it not only possible to install secure software, but also making much more important to do so.

It’s also important to watch the field device vendors closely, as more security countermeasures are being designed into these devices from the factory. Several device vendors—including the makers of the real-time operating systems (RTOS) that are often used on fixed-function devices, the industrial control vendors designing field assets, and even the chipset vendors who are designing the silicon used within these devices—are working with security vendors and researches to implement a greater degree of protection. Many field device vendors have implemented secure coding and design practices, while others are addressing compensatory features to limit vulnerabilities, protect against exploit, or provide secure communication capability. At the DHS’s 2012 Spring Industrial Control System Joint Working Group conference, RTOS makers Wind River and security research firm Wurldtech presented a joint initiative to embed vulnerability detection signatures directly into the RTOS, essentially providing an embedded host deep packet inspection capability into fixed-function devices.² Another example is that of major ICS and electric utility vendor Siemens who in Summer 2012 released new enhanced communication processors for their Windows PCs and S7 line of PLCs providing an effective method of point-to-point authentication between command and control devices. Other vendors are supporting this positive trend as well, and as more security becomes built in to these devices by design, the less onus is on the end customer to secure the devices themselves after the fact (if that is even possible at all).

Control zone protection

As shown in Figure 6.1, as we move further in from the field and into the substations, we see more sophisticated devices: SCADA servers, measurement and data management servers, AMI headends, and similar server-based systems. These devices are fully owned and operated by the end user and thus any security countermeasure—once fully vetted and tested by the vendor—can theoretically be installed. Again, however, there are certain technologies that fit better than others.

Service zone protection and back-office systems

As we get to centralized SCADA systems, historians, data concentrators, and back-office systems such as billing and customer management systems, the capabilities of the servers increase, as does the value of the data created by (or utilized by) these systems. In these cases, the same security countermeasures utilized in the control zone apply. However, there is an increased reliance upon the integrity of data and less on availability since we are moving away from real-time control to more transaction-based information. The increased volume of information (as a result of centralization) also indicates the use of supporting database(s) to store and manage that data. It is therefore important to give additional consideration to data integrity and information assurance tools, including database security solutions, database auditing, and data loss prevention tools in these areas.

Compensating controls

Compensating network security controls has been around for a long time, and includes devices such as firewalls, intrusion detection and prevention systems, network access control systems, and similar devices. Firewalls, either host-or network-based, should be used promiscuously to filter out unauthorized network connections where possible. However, authorized traffic can be used to exploit a system, so firewalls should always be supplemented with some sort of monitoring or inspection technology as well:

It’s important to remember that, without costly hardware tools, encrypted traffic is extremely difficult to inspect. Therefore, if a communication path is encrypted using a network appliance or other tool, the traffic should by inspected before encryption (i.e. within the “safe” side of the demarcation). If the encryption occurs at the host, the host itself must be secured to ensure the integrity of the sessions it participates in—otherwise an infected endpoint could authenticate and send encrypted exploits without risk of detection. Application whitelisting is a good fit here, as it offers the best degree of protection against malware at the endpoint.

Of course, it won’t be possible to protect all connections, especially in remote areas. It’s also not always possible to implement just any commercial off-the-shelf (COTS) security tool. Many substations, for example, present extreme temperature conditions and high levels of electromagnetic interference (EMI). Space may be limited, or other physical or environmental conditions might prevent installation. Luckily, many network security tools today can be virtualized. This allows the firewall, IDS, IPS, and/or other tools to be installed as software upon an industrial computing system—ideally one that already exists and is implemented in the target area. While not as strong a solution as dedicated, purpose-built appliance, virtualization offers more flexible deployment options and (typically) lower cost—an important consideration as you attempt to implement network security deeper into the grid where it may not be cost-effective to implement large numbers of dedicated hardware appliances, but where virtual appliances may be easily deployed. Note that virtualized systems should not be allowed to violate established zone separation. Virtual machines should be assessed as if they were physical devices, and virtual connectivity should be assessed as if they were “normal” network connections.

Advanced network monitoring

A monitored network connection can be used to aide security in several ways. Often, anomalous behavior can indicate that some sort of cyber attack is underway. In other scenarios, anomalous behavior may be an indication that a breach has occurred and additional infection stages are in process. Network behavior and anomaly detection (NBAD) tools are devices dedicated to this type of analysis and detection, and can often block against suspect traffic as well, like an IPS. Similarly, by feeding network flow information to a SIEM or log management tool, anomalies may be detected after the fact. One advantage to this method is that multiple flows can be compared—against each other and against other security events—to detect more complex threats such as multi-vector attacks, low-and-slow attacks, and blended attack scenarios.

Another useful tool for network monitoring and analysis is a network forensics tool such as Netwitness Investigator or Solera Networks’ DeepSee products. These tools capture all network traffic, storing it as a base of forensic evidence that is extremely useful to investigators should a breach occur. Network packet capture does require an investment in storage, but the return can be well worth it, especially if used by an advanced cyber security team.

Data loss prevention (DLP) is better known for securing financial information in the banking industry, or patient information in the medical industry, but is just as applicable to the Smart Grid. DLP provides detection of sensitive information—both at rest and in motion—and can prevent this information from being stolen. In terms of the Smart Grid, DLP has a less obvious role. However, just like in other critical industries such as Smart Oilfields used by modern oil and gas companies, Smart Grids rely on sensitive information that must be protected. DLP can prevent it from being transmitted outside of a protected zone via the network, and can even prevent sensitive data from being saved to a USB drive or other removable media, printed, or otherwise extracted. This information could include the following:

As can be seen in Figure 6.2, not every control fits in every area, and the needs of a DLP solution for back-office systems will be very different from those intended for SCADA systems. Still, there are numerous areas where security may be implemented to separate, segment and control network activity between the numerous and diverse systems of the Smart Grid.

• Being aware of all the data and applications that are being used within the Smart Grid, including the following:

• Where automation logic resides, what it controls, and how.

• Where measurements are being taken, and how those measurements are being used.

• Where management systems—including SCADA, EMS, and other systems—reside, what they manage, and how.

• What business applications are being used, how they utilize or depend upon grid operations or measurement data, and how they obtain that data.

• Being aware of where repositories of data reside, and how they are stored (i.e. a database).

• Being able to collect that information in a format that is relevant to digital cyber security, even if the data spans multiple domains or zones.

• Being able to analyze and assess that data in a meaningful manner, to detect indications of cyber risk and threat.

• Being able to articulate that analysis back to the many stakeholders involved in Smart Grid operations.

• SIEM or security information and event management systems are information management systems designed to collect information from devices, networks, and applications. SIEMs are often focused on security events from network and endpoint security products (as described above), but can also collect application logs, operating system logs, and network flows (an audit of network communication details from the switching or routing infrastructure). This allows a SIEM to identify risks and threats against applications and data based on analysis of both internal system data and external global threat data.

• Network DLP prevents the loss or theft of data across the network by detecting specific types of data (or specific data that has been tagged or flagged in some way) that are “in motion.” i.e. Network DLP can detect data that is being used by applications and traversing the network. For example, detecting when sensitive data are retrieved within a query from a remote database console, embedded in a file transfer, or attached to an email. Network DLP is very useful at the perimeters of data centers that house substation automation systems, energy management systems, and other systems that contain information that could in and of itself pose a threat to the larger operations of the grid. In other words: where the “data” originate or are used by a command and control system such as a SCADA server, where the data can be used to manipulate operations and cause a direct threat to the infrastructure.

• Database Activity Monitoring or “DAM” does exactly what it says: it monitors activity to and from databases, either via in-line inspection of network traffic, or via a host-based agent that monitors database activity locally. DAM is extremely useful for both monitoring and controlling the access to the data stored within a database, but it can also protect against database-specific exploits, such as Slammer, that could compromise the database server entirely.

• SCADA project files: used by SCADA severs; certain gateways and controllers; the software development environments (SSEs) for HMI console SDEs, etc.

• Measurement data stored within: PDCs; meter data management systems; data historians, etc.

• Personal data about customers or end users, stored in: customer service/CRM systems; billing systems; the advanced metering infrastructure, etc.

• Information about the grid, including the following: specific device models of assets and infrastructure, from purchasing systems or from engineering diagrams; Device node information obtained from industrial protocol traffic between devices; PMU location data obtained from GPS references stored at the PDC, etc.

• SCADA severs—automation logic and operations data including process schematics and flow diagrams that could be used to disrupt grid operation.

• EMS—load, outage, response, and similar data that could be used to identify periods of stress, and ultimately identify the best way to impact grid reliability and recovery.

• Demand response, AMI, and HEMS—data concerning how energy is delivered to the end user and how it is used, identifying peak periods of use, etc. could be used to impact end-users. For example, issuing remote disconnects when demand for power is high, etc.

• End-user information—consumption data, home privacy, HEMS, and similar data used to obtain personal data about in-home habits, up to and including what appliances are being used in-home and when. See Chapter 4, “Privacy Concerns With the Smart Grid.”

• Correlation of collected data against known threat patterns, to detect more complex or blended threats (e.g. multiple failed login attempts, followed by an eventually successful login attempt, followed by a network port scan originating from the same device, which may be indicative of a brute force attack).

• Calculation of baseline activity and trends, and the ability to alert when statistical deviations occur (very useful for detecting the symptoms of an attack that have affected operations).

• Tracking or “scoring” risk associated with specific assets, users, or applications and issuing an alert when risk is high.

• Filtering large amounts of data against defined criteria, and/or cross-referencing information against outside information sources such as: threat feeds; CERT activity, malware databases.

What to monitor

What needs to be monitored? For effective situational awareness within a Smart Grid, a minimum of the following should be monitored:

In other words, abide by the 3 × 3 model referenced in Chapter 5, “Security Models for SCADA, ICS, and Smart Grid” by monitoring endpoint, network, and data layers across all domains.

To actually perform this level of monitoring, a combination of log collection (from those devices and applications producing logs), event collection (from those cyber security devices that produce security events), and the direct inspection of the communication paths between devices (using network-based detection tools such as IDS, IPS, DLP, and DAM). For those devices that do not produce logs, do not utilize security countermeasures that could create events, and cannot be inspected by a network-based tool—for example, the embedded devices and field devices used within substation automation, line protection, metering, etc.—another means of information collection is required. One example of how to obtain information from these devices would be to integrate with the PDCs, SCADA servers, historians, and/or other systems that are already monitoring these devices, so that all activity can be passed to the SIEM. This will typically require customization of the SIEM, to provide the necessary integration with these specialized systems. However, it should be noted that many of these “specialized systems”—DM, EMS, HEMS, Substation Gateways, SCADA servers, et al.—will most likely produce logs of their own, relevant to the operating of that device. These logs should be collected as well, to provide awareness as to when users authenticate to the server, activity that is performed, changes that are made, etc.

Where to monitor

Based on the advice given so far, the trite answer is, “everywhere!” However, there’s a broader concept of “where” that applies to the grid. For example, what domains should be monitored? What zones? Well, the answer is still trite, and it’s still “everywhere!” However, the concept of domains and zones by definition means that the systems will be separated from each other, and often there will be (or at least should be) hard cyber security perimeters between them.

Therefore, in many cases the information will need to be collected locally within a domain or within a specific zone within a domain. In some cases, there will be no network path at all to a centralized facility (i.e. the mythical “air gap”), and in many cases, there will be hard security restrictions in place. For example, in nuclear generation facilities, there is a clear one-way communication requirement between secure zones and unsecure zones: if a network connection is used at all, it must only support outbound communication, so that information can be obtained from a reactor for use by business systems, but malware or malicious control cannot be sent from the insecure location back to the reactor. Local information can therefore be collected by a local SIEM that is deployed within the secure facility. The collected data can then be sent, one-way over a data diode or unidirectional network gateway, to a SIEM located centrally.

In most areas, however, establishing a secure connection for the bi-directional communication of collected data is enough. Fortunately, most SIEM tools on the market today support encrypted transfer of data when deployed in a distributed manner—many of which are actually certified “secure” under standards such as common criteria (which certifies system security) and FIPS 140-2 (which certifies secure and cryptographic boundaries).

Once information is being collected from within and between zones, simple correlation rules within the SIEM can be used to detect policy violations, for example, controllers communicating with IEDs in a separate zone, or administrators authenticating to servers in a separate domain. These types of deviations are clear indicators of risk—someone or something is behaving in a way that may seem normal but has not been explicitly allowed—but also of threats. This is because most methods used by attackers will violate these strict policy definitions. The trick is to “teach” these policies to the SIEM so that it can detect the violation. This requires configuring the SIEM with domain and zone knowledge, as well as user roles and responsibilities, and any other relevant policy information. This can be done by the following: