By Bill Ray
Network security is not a new topic for utilities, but as automation networks become more interconnected and adopt standard protocols, the risk of attack increases and defenses need to be ramped up. Unfortunately, few utilities have the skills or experience to maintain an adequate cyber defense, even though they usually take responsibility for securing systems once those systems have been delivered, so a new approach is needed.
Vendors need to share responsibility for securing the systems they sell: delivering regular updates and security advisories, then working with utilities to ensure they are promptly applied. Utilities, for their part, need to adopt a layered approach that creates defense in depth, and to understand that keeping the network safe is a journey, not a destination.
Environmental factors - storms, floods and so forth - remain the biggest threat to the utility network, but they are at least predictable to a degree. Winds, rain and snowfall can peak unexpectedly, but they do not get progressively more aggressive every year. Cyber attacks do. As attackers learn more about the systems in use, and as those systems grow in complexity, exposing new risks alongside additional functionality, the challenge of protecting them grows accordingly.
But we can't go backwards: the adoption of industry standards into substation automation has increased efficiency and flexibility, not to mention creating a safer environment for workers and the general public. Increased vigilance is the price we have to pay for the plethora of advantages offered by the digital grid.
That vigilance mostly consists of doing things which are already being done, or should be. Basic network maintenance will block the vast majority of attacks, and involves nothing more than routine tasks including:
- Listening to network alarms
- Removing unused software
- Disabling unused services
- Removing old user accounts
- Changing passwords
- Verifying that updates have been installed
- Installing anti-virus software
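Two of the list items above, "disabling unused services" and "changing passwords", are easy to check mechanically. The following is an added example, not code from the original article: each function takes the text output of a standard Linux tool so it can run offline against the constructed samples embedded here; on a live host you would feed it the real output of `ss -Htlnp` and the contents of `/etc/shadow`. The allow-list of expected listeners, the port numbers and the 90-day password age threshold are assumptions chosen for illustration.

```python
"""Hygiene checks for a server on an automation network (added example).

unexpected_listeners(): which network-facing services are running that are
not on the allow-list (the 'disable unused services' item).
stale_passwords(): which enabled accounts have not changed their password
within max_age_days (the 'change passwords' item).
"""
import re

# Constructed sample of `ss -Htlnp` output (no header line).
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:102 0.0.0.0:* users:(("mms_gw",pid=901,fd=5))
LISTEN 0 50 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=955,fd=3))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=700,fd=6))
"""

# Assumed allow-list: port -> process name that is expected to own it.
ALLOWED_LISTENERS = {22: "sshd", 102: "mms_gw"}

# Constructed sample of /etc/shadow. Field 3 is the day of the last
# password change, counted in days since the Unix epoch.
SHADOW_SAMPLE = """\
root:$6$abc:16000:0:99999:7:::
ops:$6$def:16180:0:99999:7:::
contractor:$6$ghi:15900:0:99999:7:::
backup:*:15000:0:99999:7:::
daemon:!:15000:0:99999:7:::
"""


def unexpected_listeners(ss_output, allowed):
    """Return (port, process) for each network-facing listener not in `allowed`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)
        if host in ("127.0.0.1", "[::1]"):
            continue  # loopback-only bind: not reachable from the network
        match = re.search(r'\(\("([^"]+)"', line)
        proc = match.group(1) if match else "?"
        port = int(port)
        if allowed.get(port) != proc:
            found.append((port, proc))
    return found


def stale_passwords(shadow_text, today, max_age_days=90):
    """Return (user, age_in_days) for enabled accounts whose password is too old.

    `today` is in days since the epoch, the unit /etc/shadow uses; on a live
    host compute it as int(time.time() // 86400).  Locked accounts ('!' or '*'
    hash) are skipped; an empty hash means no password is required at all,
    so it is deliberately NOT skipped and will show up with its age.
    """
    stale = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw_hash, lastchg = line.split(":")[:3]
        if pw_hash.startswith(("!", "*")) or not lastchg:
            continue
        age = today - int(lastchg)
        if age > max_age_days:
            stale.append((user, age))
    return stale


if __name__ == "__main__":
    for port, proc in unexpected_listeners(SS_SAMPLE, ALLOWED_LISTENERS):
        print(f"unexpected listener: {proc} on port {port}")
    for user, age in stale_passwords(SHADOW_SAMPLE, today=16200):
        print(f"password for {user} unchanged for {age} days")
```

Run against the samples, the listener check reports only the FTP daemon on port 21 (the PostgreSQL bind is loopback-only and is ignored), and the password check reports `root` and `contractor` while leaving the two locked system accounts alone. A weekly cron job that mails the output of these two functions is a cheap way to keep the list above from being a one-off exercise.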
Legacy equipment might not have updates available, but throwing out perfectly good (and, quite possibly, still adequately protected) equipment is often impractical and unnecessary. In such circumstances the equipment can be encapsulated: placed behind a dedicated firewall that permits only the specific hosts, protocols and ports it needs to communicate with, and blocks everything else.
Software firewalls on the computers running network services should also become standard practice. Firewalls at the network perimeter will keep out the majority of attacks, but should not be relied on exclusively: an attacker who has gained access to the network, or an errant employee already inside it, has bypassed the perimeter but can still be held at bay by host firewalls on the servers, and the logs from those firewalls provide the evidence needed to trace and resolve such intrusions.
All the firewall logs should be looked at regularly, where possible. They make for dull reading, but humans are peculiarly adept at spotting anomalies, and an hour or two spent reading the logs every week will build up useful knowledge of what's "normal" - which is what makes the abnormal stand out.
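The weekly log review can be given a head start by letting a script learn what "normal" looks like from a known-good period and then flag only what is new. The following is an added example, not code from the original article: it parses netfilter-style log lines (the format produced by an iptables LOG target with a `--log-prefix`), builds a baseline of (action, source, destination, protocol, port) flows from one week, reports flows in the next week that were never seen before, and separately reports a single source touching many ports, which is what a scan looks like from a firewall in front of an encapsulated legacy device. The log lines, hosts, the `FW-ACCEPT`/`FW-DROP` prefixes and the scan threshold are all constructed for illustration.

```python
"""Baseline-and-diff review of firewall logs (added example).

A netfilter LOG line looks like:
  <syslog ts> <host> kernel: [<uptime>] <PREFIX> IN=eth0 OUT=eth1 SRC=.. DST=.. LEN=.. PROTO=TCP SPT=.. DPT=..
The prefix comes from --log-prefix on the LOG rule; FW-ACCEPT / FW-DROP
are assumed here.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"\] (?P<action>\S+) IN=.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed "known-good" week: the SCADA master and an engineering
# workstation talking to the protected device 10.1.0.5.
BASELINE_LOG = """\
Jun  1 02:10:11 fw1 kernel: [100.1] FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=51234 DPT=22
Jun  1 02:10:14 fw1 kernel: [103.4] FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=51240 DPT=102
Jun  1 02:11:00 fw1 kernel: [150.0] FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.9 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=40001 DPT=102
"""

# Constructed current week: the usual traffic, plus an unknown host that
# gets an SSH connection through and then probes four more ports.
THIS_WEEK_LOG = """\
Jun  8 02:10:11 fw1 kernel: [900.1] FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=51300 DPT=22
Jun  8 02:10:12 fw1 kernel: [901.0] FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.9 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=40100 DPT=102
Jun  8 03:15:01 fw1 kernel: [4800.2] FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.1.7.77 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=33000 DPT=22
Jun  8 03:15:02 fw1 kernel: [4801.0] FW-DROP IN=eth0 OUT= SRC=10.1.7.77 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=33001 DPT=23
Jun  8 03:15:02 fw1 kernel: [4801.1] FW-DROP IN=eth0 OUT= SRC=10.1.7.77 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=33002 DPT=80
Jun  8 03:15:03 fw1 kernel: [4801.3] FW-DROP IN=eth0 OUT= SRC=10.1.7.77 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=33003 DPT=443
Jun  8 03:15:03 fw1 kernel: [4801.5] FW-DROP IN=eth0 OUT= SRC=10.1.7.77 DST=10.1.0.5 LEN=60 PROTO=TCP SPT=33004 DPT=3389
"""


def parse(line):
    """Return (action, src, dst, proto, dport) or None for lines without a DPT (ICMP, noise)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["action"], m["src"], m["dst"], m["proto"], int(m["dpt"]))


def build_baseline(log_text):
    """The set of distinct flows observed during a period accepted as normal."""
    return {flow for flow in map(parse, log_text.splitlines()) if flow}


def new_flows(log_text, baseline):
    """Flows in `log_text` never seen in `baseline`, first occurrence only, in log order."""
    seen, out = set(), []
    for line in log_text.splitlines():
        flow = parse(line)
        if flow and flow not in baseline and flow not in seen:
            seen.add(flow)
            out.append(flow)
    return out


def port_scans(log_text, threshold=5):
    """Sources that touched at least `threshold` distinct destination ports, accepted or dropped."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse(line)
        if flow:
            ports[flow[1]].add(flow[4])
    return [(src, len(p)) for src, p in ports.items() if len(p) >= threshold]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for action, src, dst, proto, dport in new_flows(THIS_WEEK_LOG, baseline):
        print(f"new flow: {action} {src} -> {dst} {proto}/{dport}")
    for src, count in port_scans(THIS_WEEK_LOG):
        print(f"possible scan: {src} touched {count} ports")
```

Note that the accepted SSH session from 10.1.7.77 is reported as a new flow even though the firewall let it through: that is the case the article warns about, an attacker or insider already past the perimeter, and the reason the host-level logs matter. The baseline should be rebuilt only from periods someone has actually reviewed, otherwise last week's intrusion quietly becomes this week's "normal".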
What is not normal, but surprisingly effective for the attacker, is phoning up and asking for network passwords.
Attackers have discovered that this kind of "social engineering" is a great deal less effort than breaking into (well protected) computers. The caller claims to be from technical support or similar and asks for passwords as part of a routine process, and users will often simply hand them over. Spear phishing, where email messages are targeted at specific staff members to harvest their passwords or other credentials, is standard practice these days.
Protecting against this kind of attack requires education: all staff with any kind of access password - from the night cleaner to the company CEO - must be made aware of the risk from such attacks, and know that no legitimate support process requires them to reveal a password.
Social engineering is certainly the most prevalent attack vector, but it also emphasizes the need for a coordinated defense, involving vendors and staff just as much as the IT department. Cyber security is an ongoing task: as attackers evolve, so the defense team must apply new responses, ensuring the utility can enjoy the advantages of the digital evolution without paying the price of compromised security.