Cybersecurity: what are the adequate boundaries for protection?
One of the main topic is cybersecurity nowdays and we are glad to share the points of view on the following questions:
1. What do you think about the cyber security threat at electrical facilities? Is it a real threat, a potential threat or does it exist at all?
2. Do we have to undertake special measures preventing cyber attacks, or would it be enough to just put all things in order (for instance, change the default passwords)?
Andrey SchemetovFGC UES, UTILITYHot debates are currently going on about cybersecurity of the relaying equipment and substation automation systems. The primary reason for them is the attempts to equip electric power facilities with software and hardware targeting cyber threats. There are two main parties: utilities involved in the maintenance of the electrical facilities and responsible for their normal operation, and vendors of cyber security systems. Now, I would like to convey the standpoint of the utilities.
In my speeches during various public events, I have repeatedly stated that in the first place, it is necessary to develop and implement organizational and technical measures for perimeter protection. The Federal Grid Company implements measures for automatic delivery of all necessary information to consumers (including relay maintenance crews). Additionally, the inspections of microprocessor-based relays are minimized. The relay engineers won’t need remote connection to a substation
LAN in order to access data from the protective relays, which facilitates a more reliable perimeter protection. A step-by-step implementation of specific measures combined with continuous threat analysis should decrease the losses from possible cyber attacks as well as the costs of the security measures. Nevertheless, the companies that are engaged in cyber security stubbornly insist on “protecting” the local area network within the electrical facility through the installation of specialized hardware and software. In the course of the roundtable on cyber security at the Relay Protection and Automation exhibition in 2016, the need was realized to implement technical measures for cyber security under the assumption that cyber attacks would take place. The necessity of analyzing the impact of those measures on the core functions of the power facility was not even considered during the talks. I like the following statement in order 31: “Cyber security solutions must not impair the functionality of the substation automation systems.” We must not forget this while considering cyber threats. The utilities have been placed in conditions where cash expenses on the hypothetical threat elimination are demanded from them, while it is unknown what impact the offered cyber security solutions will have on the core relay protection and control functions. Moreover, the vendors will bear no responsibility if normal operation is undermined. Now let me put forward some counter-arguments on cyber security. 1. Who needs it: Please explain to me the financial reason of substation hacking. The reason for bank hacking is clear.
The latest incident with the blackout of a 750 kV overhead line and a nuclear power plant unit was caused by throwing a pair of pliers and a piece of wire to the 750 kV line. Everything is simple, and there is neither a laptop nor network intrusion.
Still, during the aforementioned roundtable they mentioned a remarkable phrase – that the hacking probability is small, but it should be rounded upwards to “one”. When selecting the relay protection and control solutions, the Federal Grid Company argues with the System Operator of the Unified Power System about the amount and functionality of the equipment. A compromise is reached after considering various well-grounded facts. The “N-1” criterion (one failure at a time) is established in relay protection. If “N-X” had been specified instead, I would have made an effort to justify the construction of the second power system for reliability. To sum up, this seems very weird to me that the probability equal to 1 is assumed, while in reality it is approaching zero.
2. Responsibility for the operation of relay protection and control systems: Who will be responsible for a relay failure, say, if the cyber security software blocks a “malicious” GOOSE message coming out after a circuit breaker failure? In that case, breakers on the remote end of the protected component will open through remote backup protection. This will cause a blackout of a part of the power system, not just a network element. And we, the relay engineers, ask where the border is, which will determine the responsibility for an incident in the future. The utility is obliged to maintain network integrity and the capability for electric power transfer. If we start disconnecting consumers due to a “detected” threat within the local area network, the utility will be blamed for breaching the contract with the consumer. What responsibility are the vendors of cyber security systems ready to share? Moreover, if we decide to set off an alarm in order to alert personnel of cyber threat, we will have to make IT specialists work at the electrical facility around the clock.
3. The issue of the cyber security costs: Currently, when creating digital substations, the Federal Grid Company seeks to solve two tasks: reliability improvement and cost reduction. The former is achieved through a continuous monitoring of the component integrity and operability. The overall facility cost is determined by the expenditures on its design, construction and maintenance. Today, if a digital substation is erected from scratch, it turns out more expensive than a conventional substation. However, if some of the maintenance costs can be avoided, and the substation equipment is inspected only if needed (rather than scheduled), the digital substation will eventually be cheaper.
Now, we have been told that we need to incorporate cyber security systems and other complex tools. In that case, a substation would look more like a DATA center.
Instead of an electrician inspecting the secondary circuits, we would be forced to employ a wellpaid cyber security expert and a system administrator, who would repeatedly take care of the complex information systems. Such systems would fail during the operation because the server’s operational lifetime is 10 years and the substation is in service for around 40 years. All costs associated with the IT infrastructure modernization would be included in the tariff, so we could face a modern and innovative power industry with huge tariffs for electricity and a minimum number of consumers.
The Federal Grid Company is working on the creation of digital substations and considers them quite promising. However, if we fail to justify the costs for cyber security solutions by showing evidence they do improve the reliability of the electrical facility operation, power engineers will once again have to resort to the electromechanical relays manufactured at “Cheboksary Electromechanical Factory” (which have been in service for more than 40 years without any failures).
Anton ShipulinKaspersky Lab, VENDORThe threat is definitely real, and to prove it, I will provide a few arguments. I will give you a couple of fresh examples. A notorious incident occurred in December 2015 in several Ukrainian regions where more than 220 000 consumers lost power for almost six hours because of an organized cyber attack targeting the utilities. This act of violence included search for relevant information and data collection phases before the actual attack (the BlackEnergy trojan was used along with other tools). Then cyber criminals took control of the power equipment and caused blackouts at several points simultaneously, followed by a series of hoax calls to the utilities’ phone lines, and a trace cover-up. The cyber criminals also made sure the recovery would be slow. Attacks become possible because reliable cyber threat monitoring and prevention tools are absent at industrial facilities, and one can get unauthorized access to them.
A second example: in 2016, at an information security conference, the researcher Devan Chaudkhury stated that he modeled an “attractant” for the hackers in the form of a real substation with the possibility of external access to it.
After that, the researcher recorded cyber attacks and monitored hackers’ actions (including both reconnaissance and attempts to shut down the facility). At other industry conferences, researchers clearly demonstrated many times that a wellmotivated and smart hacker (even without in-depth knowledge of electrical engineering) could cause damage to substation equipment. For example, «Kaspersky Laboratory» performed an experiment at the end of 2015 in which IT specialists had to “crack” a virtual substation developed in a contemporary manner – complying with IEC 61850. It is interesting that enthusiasts carrying out the attacks had little knowledge about the industrial equipment they had to “crack”. The goal was to find out the critical breaches that could be used for an attack targeting the enterprise infrastructure, and also to test out the company’s innovative technology detecting those attacks. As a result, in as little as three hours a short circuit took place at the substation, organized in two ways at once. During two days the substation was “cracked” 26 times, which was enough to disrupt its operation as a whole and damage each of its component. These days, more and more such incidents are happening at industrial facilities worldwide. It’s heartening to see though that an increasing number of enterprises understand that cyber threats are serious . Besides, threats to critical energy infrastructure have been admitted to be real at the regulatory body level. For example, in the National Security Strategy of the Russian Federation signed by the President in December 2015, attention is directed to cyber threats to the critical information infrastructure of the Russian Federation. The power & energy infrastructure is undoubtedly considered critical. Additionally, the Ministry of the Russian Federation for Civil Defence, Emergencies and Elimination of Consequences of Natural Disasters in their projection for 2016 emphasizes cyberterrorism as relevant to Russian power assets. Unfortunately, organizational measures are not enough. These measures will only be effective if people obey them. People, however, aren’t perfect; they can lose concentration, make a mistake or break the rules consciously or accidentally. That is why smart systems should be deployed. Moreover, it is necessary to follow the “defense in depth” concept. It doesn’t mean we should utilize as many protection means as we can. All the nodes that attacks could get through should be secured. We must possess a good knowledge of our systems, networks, and communication links. Network monitoring is of utmost importance. It can work in the background without affecting the protected facility operation while notifying us about the emergencies as soon as they appear.
Aleksey LukatskiyCISCO, VENDORThe question seems a little awkward to me. As a participant of the mentioned roundtable discussion at the Relay Protection and Automation exhibition in 2016, as well as other events arranged by the Federal Grid Company and CIGRE, I have never heard about hardware supply, in particular. The discussion is more about the relay engineers’ reluctance to consider cyber security as an important issue. They are still falsely assuming that relay protection and control systems are closed-loop and absolutely unattractive to computer hackers, who – in their view – are only targeting banks, where there is something to line their pockets. Unfortunately, this viewpoint, which was true even several years ago, is gradually receding into the past, and history teaches us that things are changing drastically. First, relevant protocols have become open. Then, supposedly isolated networks and systems have started connecting to the Internet (whether this is necessary is a controversial topic). Finally, hackers are not only interested in money. It helps to remember that the risks of extremism and terror attacks have risen under the geopolitically tense conditions. Cyber security experts, who usually judge from the worst-case scenario (and consider that the attack probability at the critical infrastructure, including protection and control equipment, is equal to one), just want the relay engineers to pay attention to these issues they still consider irrelevant. If someone is trying to push their products in these circumstances, let it be on their conscience.
Mikhail HaikinGomelenergo, UTILITYOf course, cyber threats are a reality. However, such threats have always been present, even when electromechanical protective relays were being used. When it comes to the special measures of the cyber attack protection, I would first of all suggest that the local area network at the facility be separated from the corporate network at a physical level. In other words, the LAN must be physically separated from the internet. If the Human Machine Interface equipment is connected to both the corporate network and the power facility LAN, the execution environments must be isolated. I believe only the manufacturer’s software should be installed at the facility – else we risk losing data.
Maksim MaltcevRUSGIDRO, UTILITYI share the apprehensions of Andrey Shemetov, expressed in his article, and also join in with the raised questions. At the same time, I think that the maintenance personnel’s reaction to the large-scale cyber security measures being put into practice is emotional in some way, which is easy to explain.
Over the decades of the existence of microprocessor-based relays (leaving alone the local control systems), security was interpreted as an inherent property of this equipment and its components.
The aspect of information security in these systems was not highlighted as a consequence of their relatively limited availability. However the concepts of operational reliability and industrial security have always existed, and these have had to be ensured by control systems. Over the last several years, the manufacturers of cyber security systems have extensively discussed various invasion incidents undermining normal operation of industrial enterprises and businesses. Such incidents are then extrapolated to the collapse of sectors of the economy threatening the country’s survivability. While reading such materials, the maintenance personnel can surely recollect a variety of technological catastrophes that have taken place without any unauthorized tampering and cyber security violation: from the Chernobyl disaster to the system blackout in 2005, followed by the Sayano-Shushenskaya power plant accident. We must be conscious that the huge amounts of money to be spent on cyber security will be withdrawn from the budget for the creation and adoption of technologies assuring reliability and industrial security of the existing solutions. As a side note, the normative documents do not recommend using the term “cyber security” due to the fact it can never be achieved. I agree with the author that we’d better focus on securing the control systems perimeter, and I share his concerns about a possible technological throwback if that issue is ignored in our country. By no means should the technological security requirements be left out of consideration.
Ilya KarpovPositive Technologies, VENDORA threat always exists, even if it is not evident for various reasons. Recently, there has been a lot of talk about whether or not different cyber security solutions are necessary and applicable. This situation evokes comparison with a home computer or a house
door: everybody chooses the security level themselves, based on their perception of the environment they live in as well as the value of data or facilities. Evaluation is always subjective, and that is why one person mounts the door with an ordinary door lock while another with a more complicated one, along with an alarm. The protection level of their property will hinge on their understanding of the security domain and life experience. There have not been many incidents related to electrical facilities, but they still exist (during 2015, tens of such incidents were noted). The number of incidents in different branches of the industry (including the power industry) is presented annually in ICS-CERT reports. At Positive Hack Days, successful attacks targeting digital substations and generation facilities have been demonstrated multiple times. This year, a lot of approaches and methods were exposed, and it was proven that even an amateur could exert influence on complex systems just by downloading a couple of programs from the internet. Unfortunately, there still are people who think that securing the control systems perimeter would be enough to deprive the lawbreaker of the opportunity to get into the critical infrastructure. There are those who believe that the absence of an internet connection is a sufficient protection measure. The Stuxnet story, I suppose, proved hard for many people. Currently, local area networks are quite accessible for lawbreakers so when working on cyber security solutions, we’d better accept that the lawbreaker already has access to our LAN (which, by the way, doesn’t cost them much). It does not really matter what facility we are talking about: a nuclear power plant, a hydropower plant, a transmission substation, or a distribution substation. Special measures are certainly required. For example, is there any need for an antivirus for a home computer? If the home computer breaks down, then of course it can be replaced and the loss will be minimal (dictated by the new computer’s cost and the time needed for a system installation). If, instead, we talk about the infrastructure facilities – how soon could the replacement take place? The lawbreakers need knowledge about industrial protocols, and it is not uncommon for them to rely on specialists from different fields, including industrial control systems. Therefore, today we need to talk more often about organized cyber groups, such as Dragonfly. Statistics shows that such groups successfully enter wellprotected systems. The financial reason for their attacks can always be provided.
Besides attacks aimed at earnings, attackers can also be driven by extremist and political motives.
Currently, an increasing number of exploits for power engineering systems are being discovered, and this means that lawbreakers’ interests in the critical infrastructure is deepening dayby-day. Certainly, effective organizational measures and their perfect implementation will improve the protection of the power facilities. However “absolute” security is too good to be true, and attackers will continue to find breaches to get in. This is why additional monitoring and protection means must be introduced (with their choice depending on the priority of the protected facility). Additionally, the cyber security solutions themselves should be protected better (not just new ones but also older ones). Using only a set of protective means recommended by the cyber security solution manufacturer is insufficient. The overall system security level is determined by its most insecure component. In electric power systems, this is often relaying equipment. If its operation can be undermined just by sending a few bytes of data, this is obviously a vulnerability to be coped with by the relay manufacturer. It is also necessary to provide for similar issues in the future so they never arise again. At the moment, such attacks are possible and they must be identified in order to counter them on time. Finally, we must not forget about the direction that power engineering is moving towards: to the modern environment-oriented distribution systems. In the near future, distribution systems should begin to support “electricity stream” not only to the consumers, but also in the reverse direction – and even between the consumers. This is one of the enablers of the progressive future – with electric vehicles, smart grids, energy savings, and other innovations. Naturally, all of this incurs additional costs that are often considered too high, which is wrong. As the saying goes, “security is never too much”.
Carlos Rodriguez del CastilloRed Electrica de Espana, UTILITYAs we have seen in recent years, cyber attacks in substations are a real issue. We could keep the digital substation network isolated from the outside (in this case, a cyber threat is not an issue any more), but such an approach is against today’s paradigm of the smart grid. We do need access to the facility from the outside to maintain control over it, which makes cyber threats unavoidable. Depending on your network configuration and access control strategy, you could put into action different measures to reduce the risks. For example, you could stick to a private network and restrict access to credible users and computers. That being said, the overall cyber security will ultimately depend on the utility policy and their asset management approach.
Cyber security policy must be carefully formulated and adapted to suit a specific environment at an electrical facility.
All vulnerabilities must be addressed, and the delivery of security patches has to be under control. Some threat intelligence can be used to prevent possible attacks and then implement countermeasures (depending on the identified breaches) to reduce their impact. Special steps have to be taken if the utility is using a public network to access the digital infrastructure. The security measures in such a case should certainly be different from those implemented for a private network with very limited access from the outside.