As we wrap up National Cyber Security Awareness Month (NCSAM), our final theme, “Protecting Critical Infrastructure From Cyber Threats,” considers the state of cyber security for essential systems and critical infrastructure. This week’s theme also transitions to the topics of November’s Critical Infrastructure Security and Resilience Month (CISR).
The U.S. power grid plays a vital role in fueling transportation, powering industries, and sustaining the healthcare system, among many other systems. People depend on a continuous supply of electrical power every day – even a minor disruption of the vast network of grids can have devastating impacts.
Here’s an excerpt from our recent white paper, “Cyber Security and the Grid: The Definitive Guide,” explaining the technical cyber security threats facing the grid.
Esoteric Nature of SCADA Systems
Power grid supervisory control and data acquisition (SCADA) systems are highly specialized. The applications and processes that manage and direct telemetry and control communications in each SCADA system are proprietary software, specific to the vendor that produces it. Because vendors typically design these systems, the IT Operations staff who ultimately operate them may lack a comprehensive understanding of their own SCADA environment.
Even when installed on typical operating systems such as Unix or Windows, the operating system itself can behave in unfamiliar ways. What would be considered standard IT procedures in any other environment (such as routine OS updates or password changes) may prove disruptive in a specialized and proprietary SCADA environment.
Corporate Move to Cloud Environments
A recent trend, both among corporations and the vendors they employ, is moving infrastructure and services to the cloud. Even sensitive services, such as security patch delivery (CIP-007 R2) and anti-virus software and signature updates (CIP-007 R3), which many responsible entities depend upon for maintaining compliance and a secure SCADA environment, are moving or have already moved to the cloud.
In addition to services such as weather forecasts and Outage Management Systems (OMS) that interact directly with the SCADA environment, responsible entity corporate networks are becoming increasingly dependent upon cloud-provided services, applications, and storage, and are consequently exposed to data leakage risks that they cannot fully control in-house.
Cost of Commitment, Lack of Interoperability
Choosing a SCADA system vendor is a massive commitment of time and capital. A utility is often locked into a vendor for many years, as these systems have virtually no interoperability with other equipment beyond the custom integrations designed and implemented in the initial SCADA solution. Because of this, if any equipment or software bundled in the solution is found unable to meet compliance requirements or security best practices, there is usually little or no opportunity to replace it with an alternative. As a result, there is no easy upgrade path when a SCADA solution becomes outdated: the utility is forced to develop a completely new architecture, purchase new equipment, and retrain its IT Operations staff.
Undocumented “Features” in SCADA Environments
IT Operations staff are often forced to rely upon the documentation provided by SCADA vendors to understand the operational behaviors and requirements of the environment. Unfortunately, not all behaviors and requirements are stated explicitly; some are only implied. Staff who are unfamiliar with a SCADA application, device, or process may therefore miss or misinterpret signals.
Because SCADA solutions are proprietary products, there are few, if any, resources besides the vendor to turn to for further documentation, explanation, or instructions. Adding to this is the sensitive nature of SCADA solutions in the utility industry: although you can typically find all sorts of online resources on managing firewalls, databases, and servers, such information is hard to find for SCADA solutions. The “security through obscurity” paradigm typically applied in SCADA environments often produces unintended results, as operators and staff do not share critical threat information from one utility to another.
Updates Delayed by Shortcomings in SCADA Software
During the lifecycle of any computing environment, security patches and operational updates are common and expected. However, vendors are routinely slow to produce SCADA security patches, leaving SCADA systems exposed to publicly known weaknesses for extended periods. These vulnerabilities are routinely cited in vulnerability assessments, often alongside warnings of unapplied security patches and existing Technical Feasibility Exceptions (TFEs).
Infiltration of “Internet of Things” (IoT)
Before the IoT became common, mundane equipment such as uninterruptible power supplies (UPS), heating, ventilation and air conditioning (HVAC) systems, closed-circuit television (CCTV) cameras, and other devices used to regulate the physical data center environment were not a security concern, as they were typically not network-capable. Now, manufacturers are building network connectivity into almost all appliances, including refrigerators, toasters, ovens, microwaves, and coffee makers. Not surprisingly, such appliances, once introduced into even non-secure areas such as a control center breakroom, could pose a threat to the utility network. Continuous passive monitoring for unknown devices on Electronic Security Perimeter (ESP) networks can therefore help to identify their presence.
To learn more about the non-technical issues facing the grid, and gain a deeper understanding of all the cyber risks that could impact critical infrastructure availability, download the grid white paper in its entirety.