Connected and Defenseless

It’s a quiet December afternoon in 2015. In the Ivano-Frankivsk region of Western Ukraine, workers are preparing to finish their day and make their way home into a cold night. Inside the Prykarpattyaoblenergo control center, which distributes power to the region’s residents, operators are nearing the end of their shift. Suddenly, an unprecedented series of cyberattacks takes place as they watch in amazement. The attacks eventually knock out parts of Ukraine’s electric grid, thus cutting the power to nearly a quarter of a million residences.

The attacks, directed at three regional electric distribution companies, demonstrate prowess in several complex hacking techniques. These include spear-phishing to obtain fake credentials, exploiting vulnerabilities in software applications, such as office productivity programs, and deploying BlackEnergy 3 malware to infiltrate the utilities’ networks.

Figure 1

The perpetrators were able to obtain login credentials to the utilities’ virtual private networks, allowing access via the Internet to manipulate supervisory control and data acquisition (SCADA) servers. With this access and using BlackEnergy malware, the attackers cut off power to substations and changed passwords. Locked out of their computers, utility staff members watched the substations go offline one by one.

The attackers didn’t stop there, however. They also struck two other power distribution centers at the same time, nearly doubling the number of substations taken offline and leaving more than 230,000 residents in the dark. And, as if that wasn’t enough, they also disabled backup power supplies to two of the three distribution centers, leaving operators themselves stumbling in the dark.

Unfortunately, these types of events are becoming more commonplace. Ukraine suffered another similar attack on its electric grid in December 2016. In December 2017, the safety shutdown system for an industrial plant in Saudi Arabia was penetrated by the Triton malware, causing a process shutdown. This malware is built to interact with certain safety instrumented system (SIS) controllers commonly used in nuclear power plants.

Powerful, Yet Powerless

Most cyber threats involve identity theft — massive data breaches of personal information and alarming fraud scams that contribute to the mistaken sharing of personal data. Cyber threats such as these are collectively focused on information technology (IT) systems. These systems include personal computers and devices, bank accounts or private health data, or company databases and e-mail servers.

As serious as these IT threats are, stealth attacks like the one in Ukraine carry more serious, and less publicized, consequences for people and the environment. These types of attacks focus on industrial control systems (ICS). The perpetrators come from a variety of places. They could be adversarial national governments, industrial spies, or terrorists.

ICSs are the many unseen but important cogs in the world that control critical infrastructure. They control the electric grid. They measure the level of water at hydroelectric dams. They keep trains running and planes in the air. Most critically, they keep us safe. Collectively, ICSs make up operational technology (OT) systems.

The term ICS refers to a broad set of control systems, including SCADA, distributed control systems (DCS) and safety instrumented systems (SIS). ICSs control and monitor systems that are used to make, monitor and move products. These systems have three types of components:

  • Field devices, such as sensors, valves and switches;
  • Field controllers, like programmable logic controllers (PLC), safety systems and remote terminal units (RTU);
  • Human machine interfaces (HMI), such as engineering workstations.

Figure 2 shows a typical ICS architecture and its key components.

Figure 2: ICS architecture

ICS Trends and Vulnerabilities

The low cost of sensors and the ease of connectivity have encouraged industrial facilities to add more sensors and controls to improve efficiency and reliability. This convergence of IT and OT systems has increased the risk of cyber threats and opened new attack surfaces that need to be protected. For example, IT professionals now monitor processes under the control of ICSs from their PCs and handheld devices, opening up a new set of vulnerabilities that were not present when operational controls were physically disconnected from IT.

Figure 3

As a consequence of this rapidly expanding digitalization, many ICS users do not have an adequate accounting of all the sensors, controllers and other connected components that have been added. They may not have a firm grasp on how they are all connected to the network. A complete picture of this is called digital configuration management. Without digital configuration management, the asset owner does not know which systems need to be protected or what capabilities exist in each new digital device that is being used. This lack of understanding may contribute to inadequate management of control/sensor software upgrades and patches. These upgrades usually contain fixes for new or existing vulnerabilities to cyberattacks.

In addition, most digital or mechanical equipment suppliers are requiring online, real-time monitoring of their control systems for warranty purposes. The remote access required by the suppliers opens another window of attack through the IT systems of the equipment supplier.

Protect and Defend

The good news is the call for a more robust cyber defense of ICSs has been heard. Most critical infrastructure asset owners have adopted the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. 

This framework defines five essential program activities:

Identify: Develop the organizational understanding to manage security risks to systems, assets, data and capabilities.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect: Develop and implement appropriate activities to identify the occurrence of a security event.

Respond: Develop and implement the appropriate activities to take action regarding a detected security event.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired due to a security event.

For example, some of the processes being applied to power generation assets under the Protect program are:

  • Supply Chain Management – Implement a process to assure purchased equipment and services are compliant with industry regulations and your organization’s cybersecurity requirements.
  • Digital Configuration Management – Know what digital equipment you have, how it is connected, and which capabilities are enabled or in use for each device.
  • Secure Remote Access – Establish a secure protocol for suppliers to access your network.
  • Patch Management – Implement a process to make certain the right system and software updates are executed at the right time.
  • Hardening of Cyber Assets – Harden devices to reduce their attack surface, for example by removing unnecessary software and changing default passwords.
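
An added example (not from the original article) of how the digital configuration management, patch management and hardening items above can be checked together: it reconciles a recorded asset inventory against what is observed on the network. All device names, addresses, firmware versions and observed services are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    firmware: str
    services: set  # services recorded as enabled for this device
    default_password_changed: bool

# Constructed inventory, keyed by network address.
INVENTORY = {
    "10.10.1.11": Asset("plc-feedwater", "2.4.1", {"modbus"}, True),
    "10.10.1.12": Asset("rtu-substation-a", "1.9.0", {"dnp3"}, False),
    "10.10.1.20": Asset("hmi-eng-ws", "7.0.3", {"rdp", "opc-ua"}, True),
}
# Constructed observations, e.g. exported from passive network monitoring.
OBSERVED = {
    "10.10.1.11": {"modbus", "http"},
    "10.10.1.12": {"dnp3"},
    "10.10.1.20": {"rdp", "opc-ua"},
    "10.10.1.99": {"modbus", "telnet"},
}
# Constructed patch baseline: the firmware each device should be running.
APPROVED_FIRMWARE = {"plc-feedwater": "2.4.1", "rtu-substation-a": "2.0.2",
                     "hmi-eng-ws": "7.0.3"}

def version_tuple(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit(inventory, observed, approved_firmware):
    """Return (address, finding) pairs for every gap between record and reality."""
    findings = []
    for addr in sorted(set(inventory) | set(observed)):
        asset = inventory.get(addr)
        if asset is None:  # connected, but nobody has accounted for it
            findings.append((addr, "unknown-device"))
            continue
        if addr not in observed:  # recorded, but silent: stale record or outage
            findings.append((addr, "not-seen-on-network"))
        for svc in sorted(observed.get(addr, set()) - asset.services):
            findings.append((addr, f"unapproved-service:{svc}"))
        if not asset.default_password_changed:
            findings.append((addr, "default-password"))
        baseline = approved_firmware.get(asset.name, asset.firmware)
        if version_tuple(asset.firmware) < version_tuple(baseline):
            findings.append((addr, "patch-behind"))
    return findings

if __name__ == "__main__":
    for addr, finding in audit(INVENTORY, OBSERVED, APPROVED_FIRMWARE):
        print(f"{addr:12} {finding}")
```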

The electric generation industry has taken the NIST framework one step further and developed the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards for generation, transmission and distribution, as well as grid control centers.

Enabling a Smooth Digital Journey

There is no doubt businesses will continue to digitalize operations by connecting processes and controls to networks. The threat of a cyberattack may cause some business leaders to pause or slow down their digitization journey, but a well-crafted cybersecurity program following the NIST framework and addressing the aforementioned issues can enable progress, not inhibit it. With safeguards such as these in place, businesses can continue to take advantage of the latest technology for industrial control digitization and keep everyone out of harm’s way.

Resources

  1. NIST Framework for Improving Critical Infrastructure Cybersecurity: https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework
  2. NERC CIP Standards: https://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity.asp
  3. Industrial Control Systems Basic Training: https://ics-cert-training.inl.gov

Juan F. Villarreal

Juan F. Villarreal is the Managing Director at Villarreal Energy LLC. Juan is a technology-driven international operations and business development executive who has held leading roles in nuclear and fossil power generation and the oil and gas industries. www.villarrealenergy.weebly.com
