Developing a Cybersecurity Strategy for the Grid

By Mille Gandelsman

Physical grid infrastructure

Understanding the vulnerabilities associated with communication protocols is a critical first step

To compete in today’s dynamic markets, power utilities are increasingly deploying IoT-based technologies and integrating their IT and operational technology (OT) networks. While these advances enable predictive maintenance, improve efficiency, and reduce downtime, they also expose grid infrastructures to a much wider attack surface.

The attacks that took down portions of the Ukrainian grid in 2015 and 2016 are proof that hackers have the ability to breach utility networks and disrupt operations.

In fact, the threat of a cyber attack was cited as a major concern by 41 percent of senior power executives in a recent Deloitte survey.

Given these new threats, integrating cybersecurity into a utility’s overall safety and business continuity strategy is no longer optional. This process begins by understanding the primary vulnerabilities.


The Communication Protocol Risk

The use of remote control and connectivity to substations in order to streamline efficiency requires relaying critical information back to Energy Management Systems (EMS) and SCADA Centers for analysis.

Many modern grids use a variety of documented protocols and standards alongside proprietary vendor protocols. These include IEC-61850, IEC-60870-5, DNP3 and others. Using documented standards and protocols yield the advantage of interoperability between systems from different vendors. This is the foundation of the smart grid. Along with these advantages, however, there are also risks. These same protocols can be leveraged by an attacker in the reconnaissance and last mile stages of cyber-attacks.

In the 2016 campaign against the Ukraine grid, legitimate protocol commands were exploited by the Industroyer malware. What made this attack so effective was its four payload components:

IEC 60870-5-101 (IEC101) - Designed to scan the IOA range of the IED and execute single and double commands. These can switch breakers on or off or cause other changes in the process that rely on this protocol.

IEC 60870-5-104 (IEC104) - The same capabilities of the IEC101 payload with the added ability to stop all communication to and from a device.

IEC 61850 - Designed to scan the logical model of the IED and find all Logical Nodes (LNs). It then searched for all nodes related to switch or circuit breaker and can change their state upon command.

OLE for Process Control Data Access (OPC DA) – Similar to the other components, this module attempts to enumerate over OPC servers and to change the position state of the discovered OPC items.

The documentation on how to issue those commands is freely available on the IEC website. Software used to execute these commands, often labeled as “test tools,” is available in open source formats and accessible to anyone.

These payload or protocol components are common in most power networks.


Detecting Protocol Attacks

Historically, network managers deployed security measures at the control center. Today, however, data must be gathered from each component of the network - from the bay level to the EMS level. This requires the ability to understand the protocols used in the EMS and substation.

To identify attacks that are unique to power distribution networks, utilities should deploy deep packet inspection (DPI) engines for documented protocols commonly used in power grid networks. These include IEC-61850, IEC-104 and DNP3 as well as proprietary vendor protocols, such as Siprotec, S7 and Sicam used by Siemens.

DPI engines can identify last mile attacks and reconnaissance activities, such as those used by Industroyer and other malware. These engines extract the relevant information from these protocols and identify the exact action taken with them.

The events are then presented with deep context on the source, destination and the nature of the event and include suggested remediation steps. This allows security managers to understand exactly what happened and determine if further action is required.

Other Threats

Since power networks are typically distributed across a large area, with assets are often located outdoors and in remote areas, they are hard to monitor. By physically accessing a device (e.g., via serial cable), an attacker can infiltrate the station network and change the logic of the bay and station controllers, change process parameters or leave backdoors for future remote access.

To identify cases of physical tampering, utilities should periodically query individual devices to identify whether any changes have been performed. It is especially important to be able to query all IEDs in the network, as these devices control the regular grid operations. It is also important to query servers, workstations, networking equipment, gateways, and any other devices that are critical to the regular network operations.

As networks evolve, older devices are upgraded or replaced. This typically results in a mix of newer and older devices with various patch levels. Maintaining an up-to-date patch management program for the entire inventory is a difficult task and requires a significant amount of manual work and planning.

Some of these legacy devices were not designed with cybersecurity in mind. Over time, many vulnerabilities have been discovered in many types of electrical equipment. The ICS-CERT and other organizations issue alerts on vulnerabilities, but without a way to query devices for their exact state and details, mapping vulnerabilities to network devices is challenging.

Patch management should be based on deep awareness of the state and characteristics of every device. This requires the ability to accurately match between each device’s specific condition and the vulnerabilities knowledge base to eliminate false positives and false negatives. This inventory base should be updated automatically and regularly so that they can be  kept in sync with newly discovered vulnerabilities.

Utilities that maintain an accurate asset inventory have access to device details such as the exact model, firmware, patch levels, installed software, serial number and others. These details allow users to identify devices that should be patched or completely upgraded .

The complex and interconnected nature of power grids contributes to making them more challenging to protect from cyber threats. Gaining a full situational awareness and understanding of where the weaknesses lie, however, provides a roadmap for developing an effective cybersecurity strategy.

About the Author: Mille Gandelsman is CTO of Indegy, where he leads the company’s technology research and product development. Prior to Indegy, he led engineering efforts for Stratoscale and spent several years managing cybersecurity research for the elite 8200 intelligence unit of the Israel Defense Forces. Mille has more than 15 years of experience in ICS and cybersecurity.