- September 17, 2014
- Wurldtech Security Technologies
By Kenneth Tom, Wurldtech Security Technologies
Today, the smart grid is under attack. We need to protect this infrastructure and provide proper visibility into the network threats by taking advantage of the latest technology for Industrial Control System (ICS) security.
By Kenneth Tom, Wurldtech Security Technologies
What would happen if even a portion of the smart grid was attacked and disabled for a prolonged period of time? Imagine the headache, public outcry, and chaos. What if all the smart meters were reset, turned off, or even set to record only half of the electricity consumed? What else could malicious attackers do to the smart grid infrastructure? Today, the smart grid is under attack. We need to protect this infrastructure and provide proper visibility into the network threats by taking advantage of the latest technology for Industrial Control System (ICS) security. Over the years, the ICS environment has become ripe for successful attacks. Consider these facts:
- Large attack surface - There are already 45 million connected SCADA devices and 244 million connected smart grid devices deployed. Both of these numbers are still growing.
- Growing number of disclosed vulnerabilities - Equally alarming is the accelerating number of ICS vulnerabilities disclosed. According to the Department of Homeland Security, ICS vulnerabilities disclosed from 2010 to 2012 increased by 600%. And be sure to consider the many vulnerabilities kept secret or undiscovered.
- Readily available attack tools – Attackers leverage search tools such as Shodan (shodanhq.com), “the Google for hackers,” and Every Routable IP Project (eripp.com) to easily locate vulnerable ICS systems. And by using attack tools such as Metasploit ICS modules, attackers can take advantage of publicly disclosed proof of concept code.
As one can imagine from this perfect storm, the smart grid truly is at risk. The attack surface is large and growing significantly due to the explosive rate of so many connected devices. With the increasing number of disclosed vulnerabilities and available online tools to exploit these vulnerabilities, the smart grid has and will continue to be attacked. As a result, ICS-CERT Monitor has recorded 256 reported attacks in 2013 and there are many more that are not disclosed. The number of attacks is trending up, as there was only 81 reported attacks in 2012. And of the reported attacks, 59% of them target the energy sector, so indeed, there is an urgent need to protect the smart grid. So what can be done to protect the smart grid? What should be done? Understanding the evolution of the smart grid enables us to better appreciate this unique security challenge. There are now more and more connected devices on the smart grid requiring two-way communications. In the 1990s, the Advanced Metering Infrastructure (AMI) required bi-directional communications between the smart meters in homes with internal systems to share electricity usage information. In addition, power sources are now more distributed and require bi-directional energy flows as well. Not only do the large power plants supply electricity, but photovoltaic cells, hydroelectric plants, fuel cells, wind turbines, etc. are also viable sources. Today, there are more meters, more substations, and more power sources; all requiring more legitimate interconnections between meters and internal systems. Therefore, there are many valid reasons for interconnectivity requiring more network traffic to flow in and out of the network “perimeter.” Given this environment we must properly protect all of the critical information flows. Before delving into the protection alternatives, we must first clarify the definition of the perimeter so that our protections will be in the proper context. By perimeter, we do not mean the one choke point between the smart grid and the rest of the world. Within the smart grid infrastructure, there are many networks and subnetworks, all with potentially differing levels of security requirements. And many of the connection points need to connect to other nodes, sometimes even across subnetworks. In order to ensure proper protection, segmentation is key. Information flows must be properly protected. Network nodes that share common security requirements can be in the same logical zone, so that even nodes that may be in disparate physical locations can still be grouped together to be a segment. Every zone has a logical perimeter and all information flows and network traffic must cross the perimeter, then the policies enforced on this traffic can secure it. Therefore, to properly secure each segment:
- Create the necessary perimeters or network segments
- Put appropriate security controls in place for each zone
- And map proper policies to inspect each information flow
So, now that we’ve determined that segmentation can help secure the smart grid, what are the specific security benefits? They include these following concepts:
- Least Access – Limits user access and information flows to “a need to know” level, or more accurately, “need to access.” Controlling what flows are allowed and what flows are not allowed can be done by setting the proper policy. By controlling access, the internal network structure will not be visible from outside
- Containment – Limits the effects of local failures of this segment from impacting other parts of network. So, whether the malicious culprit is a compromised contractor laptop, vendor back door, infected thumb drive, insider threat, or even a rogue access point; the attack will be limited to the one segment and not affect the other parts of the smart grid.
- Defensibility – Introduces multiple barriers of entry to attackers and implements a defense-in-depth strategy that hinders an attacker from readily penetrating multiple parts of the network.
In addition, an additional side benefit beyond security is improved performance as there are fewer hosts per segment, thus minimizing local traffic. However, segmentation alone is not enough. The main reason is that network-based exploits, denial of service attacks, and insider attacks all appear to be “legitimate” traffic, so segmentation may not stop these threats. More is needed so that we can determine if the legitimate traffic contains malicious intent. This does not necessarily mean brand new technology or a step change from current security measures is required. But there are new requirements, so let’s cover the bases. The key requirement starts with the ability to control or limit the network traffic by allowing or blocking it from a particular segment. With today’s technology, that is as simple as deploying a firewall with the appropriate firewall rules and policies to limit the traffic to legitimate traffic only. And since we know that ICS traffic can run on IP, and firewalls understand IP traffic, the firewall can successfully accomplish this important first step. However, attackers can use this legitimate traffic to hide their malicious intent. Let’s consider two examples:
- A remote user can reset a smart meter, use an attack command, or even cause the smart meter to give everyone a discount for electricity. All of this can be done to like legitimate traffic but today’s enterprise firewalls do not have visibility to understand the specific payloads and its malicious intent.
- A user can engage in espionage by accessing and transferring files, data on operations, functions, features, and memory addresses from the compromised device. And by reviewing ICS-CERT you can also find implementation vulnerabilities in industrial protocols to render a device useless until a manual reset. Think of the time, headache, and cost required to go from location to location to rest the devices.
Therefore, deep packet inspection is necessary to understand malicious intent at the packet level. In today’s enterprise firewalls, some have additional capabilities including content filtering and application control. However, pattern matching packet contents and filtering/blocking web URL and enterprise applications do not provide the specific protections required for the smart grid. Appropriate and relevant solutions must be able to understand industrial protocols (e.g. DNP3, Modbus, ZigBee, etc.), track industrial application sessions, and make proper allow and block decisions. It is with this additional protocol insight that can help OT managers apply the proper security policy to protect the smart grid infrastructure. In addition, technology built for the smart grid needs to address the performance needs and management UI needs for OT personnel. ICS network and smart grid infrastructure is not built like an enterprise network, so the latency and performance characteristics must match the operational environment parameters. And since OT staff may not have advanced IT security training, the management of the security technology must be easy to manage, a graphical UI that provides visibility into the smart grid network, not some complicated command-line interface. Properly segmenting the network with the necessary visibility into industrial control applications and protocols do come with considerations, cost, and perhaps some added complexity. Ultimately, the protections and gains are worth these added steps but they must be examined and considered. Therefore, when implementing segmentation and industrial protocol inspection, consider these costs, both financial and in time:
- Additional complexity – Implementation and management of additional firewall devices or at the very least the capability to do deep packet inspection of industrial protocols and applications.
- Greater change management support – Requires greater support whether from IT or OT staff teams as there will be further work when making network or configuration changes.
- Increased capital equipment cost – More technology requires more allocated budget for new firewalls or deep packet inspection capability for industrial protocols.
- Impact on common networking tools – Support for routing, multi-homed networking, multicast in routed environments.
- Performance overhead – Some latency increases may result when adding equipment to the network. Although the latency increases should be a non-factor, it needs to be considered.
In summary, the smart grid needs proper segmentation. Since traditional approaches have fallen short organizations today require a firewall with deep packet inspection of industrial protocols for better security and better network visibility. Industry analysts, such as Gartner, always stress the importance of gaining approvals for security budget upfront. The typical smart grid project has a significant and positive ROI; so earmarking 5-10% of that budget to security would not have a huge impact on the project’s ROI. If you wait to implement security at a later time, you will find yourself needing to justify the budget separately, which is usually much harder to do, as it will be a cost center/insurance argument vs. an important corporate initiative. So, remember to include security as an important line item in the budget when modernizing your smart grid infrastructure.Learn More
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..Subscribe