Proper protection of critical infrastructure at a hydro facility includes establishing an electronic security perimeter, employing technologies for securing communication and providing secure remote access.
By Demos Andreou and Jacques Benoit
Rapid technological evolution has brought widespread networking and low-cost computing devices to our daily activities. This same evolution is making possible a new generation of automation systems based on Internet Protocol (IP)-enabled devices and advanced standards. These promising technologies also introduce new risk factors by providing an access path to critical devices that were traditionally isolated.
This article will discuss several concepts:
• How automation networks can change and become secure by design;
• Developing an electronic security perimeter (ESP) – defined as the logical border surrounding a network to which bulk electrical system (BES) cyber systems are connected using a routable protocol [1];
• Technologies required for securing communications and providing secure remote access; and
• ESP limitations and vulnerabilities requiring a defense-in-depth approach that standard networking devices cannot provide.
An ESP is one of the key technical measures for improved security in compliance with the Critical Infrastructure Protection (CIP) standards set by the North American Electric Reliability Corporation (NERC), which is the primary governing body for interconnected power systems in North America (Canada, Mexico and the U.S.).
With Version No. 5 of the NERC CIP (CIP-5) Cyber Security Standards, approved in 2013 by the U.S. Federal Energy Regulatory Commission (FERC) [2], the standards team addressed many of the issues from previous versions and defined a security framework that is in better alignment with existing security approaches [3].
NERC CIP-5 standards include rationale for each requirement and guidance on implementation. For instance, the standards now recognize existing technical limitations and accept alternative approaches, such as malware protection through whitelisting, which enforces a list of authorized applications for each system and helps ensure that only approved applications can run. In previous versions, requirements were often subject to interpretation or handled through technical feasibility exceptions, a mechanism for obtaining relief from strict compliance with certain CIP requirements on the grounds of technical feasibility or technical limitations.
In another change, the standards have shifted the focus from the asset level to the system level. The architecture of the automation network can now be viewed as being composed of trust zones, a grouping of logical or physical assets that share common security requirements connected through well-defined electronic access points. This architecture is a key security concept and best practice, also part of the International Society of Automation (ISA) and International Electrotechnical Commission (IEC) ISA/IEC-62443 (ISA-99) standards for secure industrial automation and control systems.
These changes illustrate the convergence of operations technology (OT) and information technology (IT). For example, the use of intrusion detection systems in automation networks is now a requirement at higher impact levels.
Redefining cyber assets
The previous standards (see Figure 1) focused on critical assets and critical cyber assets when emphasizing asset-level security. Utilities had to determine which assets were critical through a risk-based assessment process. Facilities such as power plants, transmission substations and control centers had to be considered and evaluated during the process. Critical cyber assets were defined as any electronic system associated with a critical asset and accessible through dial-up networking or a routable protocol.
Critical cyber assets are not part of the new standard. Instead, the architecture of the automation network is viewed as being composed of trust zones connected through well-defined electronic access points, which are devices that control both inbound and outbound network traffic. This evolution has introduced a number of new concepts. A critical aspect of this change is the impact level rating (see below).
New definitions in NERC CIP-5
The following terms have been introduced or redefined with NERC CIP-5:
• Cyber assets — Programmable electronic devices including the hardware, software and data in those devices;
• BES cyber assets — Cyber assets that have the ability to impact the reliable operation of the Bulk Electric System within 15 minutes if the system is rendered unavailable, degraded or misused; and
• BES cyber systems — One or more BES cyber assets logically grouped to perform one or more reliability tasks.
Each BES cyber asset is included in one or more BES cyber systems. This may include programmable logic controllers (PLCs), distributed control systems (DCSs), intelligent electronic devices/relays, human machine interface (HMI) workstations and application servers.
There are other types of systems that play an important role and they also need to be protected. Utilities need to take the following into account in their risk assessment process:
• Electronic access control or monitoring systems such as electronic access points, intermediate devices, authentication servers (e.g., RADIUS servers, active directory servers, certificate authorities), security event monitoring systems and intrusion detection systems;
• Physical access control systems such as authentication servers, card systems and badge control systems; and
• Protected cyber assets such as file servers, file transfer protocol servers, time servers, local area network (LAN) switches, networked printers, digital fault recorders and emission monitoring systems, to the extent they are within the ESP.
An important change to the CIP Cyber Security Standards is the introduction of impact ratings. Previously, an asset was either critical or not critical. Now, the question that needs to be addressed is: Will the loss of a BES cyber asset or system adversely impact the reliability/operating services within 15 minutes?
The type of facility or service affected determines the impact level. While a discussion of impact level rating criteria is beyond the scope of this article, the concept is important as it will determine the design of the network infrastructure.
All assets that were not previously in the scope of the CIP standards will now have a low impact rating.
ESPs and access points
Earlier, the requirements did not directly map to the capabilities of standard network routers, switches and data concentrators. Now many of the security requirements are assigned to electronic access points.
The ESP defines the boundaries of the system because it acts as the primary defense mechanism for all BES cyber assets and provides a layer of protection for devices that implement cyber security functions. Included in the definition of the perimeter is, “all applicable BES cyber assets that are connected to a network via a routable protocol must have a defined electronic security perimeter.”
Not all devices connected to the network have the same impact level. For instance, in control centers and large power plants there will be protected cyber assets, such as printers and file servers, connected to the network. The standards state that all BES cyber systems connected to a network need to comply with the requirements of the one with the highest impact level.
This principle, called high water marking, opens the door to network segmentation, which consists of breaking the network down into different segments with different impact ratings in order to apply the level of security appropriate to each system. The concept of network segmentation is a best practice for control systems and is a key element of the ISA/IEC 62443 (ISA99) standards.
Electronic access point
If there is routable connectivity across the perimeter into any cyber asset, then an electronic access point must control traffic into and out of the ESP. This requirement also applies to data exchanged between network segments of various impact ratings.
Previous versions of the standards defined security requirements for the ESP, such as restricting traffic to what is necessary for system operation. With NERC CIP-5, many of these requirements are now assigned to the electronic access point. This new requirement recognizes that unauthorized outbound traffic is often the first symptom of a compromised system. Malware typically sets up, or tries to set up, an outbound connection to a command and control host on the Internet. Obviously, communications with the external world, the utility network, and the other segments of the automation system should be carefully managed through rules and access control lists.
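The rules-and-access-control-lists approach described above, written out as a default-deny policy for an electronic access point. This is an added example, not code from the article or from Eaton; the zone addresses, the rule set and the flows it evaluates are constructed for illustration.

```python
# Added example (not from the article or from Eaton): a default-deny access-point
# policy for an ESP. Zone addresses, rules and the flows tested are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout. The plant subnet is inside the ESP; the SCADA/DMZ
# subnet holds the intermediate host, the SCADA master and the log collector.
ESP = ip_network("10.10.0.0/24")        # power plant zone (BES cyber systems)
DMZ = ip_network("10.20.0.0/24")        # SCADA and control systems zone


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" (into the ESP) or "outbound" (out of it)
    src: object             # ip_network
    dst: object             # ip_network
    proto: str
    port: int
    reason: str             # documented need for the rule


# Constructed allowlist. Anything not matched below is denied.
RULES = [
    Rule("inbound", ip_network("10.20.0.10/32"), ESP, "tcp", 22,
         "interactive remote access, only from the intermediate host"),
    Rule("inbound", ip_network("10.20.0.20/32"), ESP, "tcp", 502,
         "SCADA master polling Modbus/TCP outstations"),
    Rule("outbound", ESP, ip_network("10.20.0.30/32"), "udp", 514,
         "syslog to the security event monitoring collector"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def direction_of(flow):
    """Classify a flow relative to the ESP; None if it never crosses it."""
    src_inside = ip_address(flow.src) in ESP
    dst_inside = ip_address(flow.dst) in ESP
    if src_inside and not dst_inside:
        return "outbound"
    if dst_inside and not src_inside:
        return "inbound"
    return None


def evaluate(flow):
    """Return (verdict, reason). Verdicts: permit, deny, not-applicable.

    A denied outbound flow is labelled as an alert: the article notes that
    unauthorized outbound traffic is often the first symptom of a compromise.
    """
    direction = direction_of(flow)
    if direction is None:
        return "not-applicable", "flow does not cross the ESP boundary"
    for rule in RULES:
        if (rule.direction == direction
                and ip_address(flow.src) in rule.src
                and ip_address(flow.dst) in rule.dst
                and rule.proto == flow.proto
                and rule.port == flow.port):
            return "permit", rule.reason
    if direction == "outbound":
        return "deny", "ALERT: unauthorized outbound connection from inside the ESP"
    return "deny", "no matching inbound rule (default deny)"


if __name__ == "__main__":
    for f in [Flow("10.20.0.20", "10.10.0.5", "tcp", 502),
              Flow("10.10.0.5", "203.0.113.9", "tcp", 443),
              Flow("10.20.0.99", "10.10.0.5", "tcp", 22)]:
        print(f, *evaluate(f))
```

The point of the structure is that outbound traffic gets its own explicit rules rather than an implicit "allow established"; a plant host reaching for an address that no rule names is both denied and surfaced to the security event monitoring system.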
Intrusion detection systems
Another IT best practice in CIP standards is requiring methods for detecting incoming or outgoing malicious communications through the electronic access point.
IT systems generally implement a defense-in-depth approach with multiple defensive layers. In addition to firewalls, one common practice is the use of intrusion detection and intrusion protection systems. These systems perform deep packet inspection with the goal of detecting malicious traffic (an intrusion detection system function) or even blocking such traffic (an intrusion protection system function). The challenge with intrusion protection is that legitimate traffic could be flagged and blocked as malicious, preventing critical data from reaching a control center or a control operation from being performed.
Fortunately, automation systems generate much more predictable traffic than IT systems, somewhat simplifying the configuration of intrusion detection and protection.
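An illustration of the point just made: because the traffic is repetitive, a baseline of normal conversations can be learned and anything outside it raised as an alert. This is an added example, not code from the article or from Eaton; the flow records are constructed, and the record fields (src, dst, proto, port, func) are an assumed representation of what a sensor would export. It deliberately alerts rather than blocks, for the reason the paragraph above gives.

```python
# Added example (not from the article or from Eaton): alert-only detection of
# deviations from a learned traffic baseline. All flow records are constructed;
# the record fields (src, dst, proto, port, func) are assumptions.

# Baseline window: the normal, repetitive traffic of a small plant network.
# func is the Modbus function code where known (3 = read holding registers,
# 16 = write multiple registers); None for non-Modbus traffic.
BASELINE_RECORDS = [
    {"src": "10.20.0.20", "dst": "10.10.0.5", "proto": "tcp", "port": 502, "func": 3},
    {"src": "10.20.0.20", "dst": "10.10.0.6", "proto": "tcp", "port": 502, "func": 3},
    {"src": "10.20.0.20", "dst": "10.10.0.5", "proto": "tcp", "port": 502, "func": 3},
    {"src": "10.10.0.5", "dst": "10.20.0.30", "proto": "udp", "port": 514, "func": None},
]

# Live window: the same polling plus three deviations worth a look.
LIVE_RECORDS = [
    {"src": "10.20.0.20", "dst": "10.10.0.5", "proto": "tcp", "port": 502, "func": 3},
    {"src": "10.20.0.20", "dst": "10.10.0.5", "proto": "tcp", "port": 502, "func": 16},  # a write, never seen before
    {"src": "10.20.0.77", "dst": "10.10.0.5", "proto": "tcp", "port": 502, "func": 3},   # unknown host polling
    {"src": "10.10.0.5", "dst": "10.20.0.20", "proto": "tcp", "port": 22, "func": None},  # outstation opening SSH to the master
]


def learn_baseline(records):
    """Collect the hosts, conversations and function codes seen in normal operation."""
    hosts, conversations, functions = set(), set(), set()
    for r in records:
        conv = (r["src"], r["dst"], r["proto"], r["port"])
        hosts.update((r["src"], r["dst"]))
        conversations.add(conv)
        functions.add(conv + (r["func"],))
    return {"hosts": hosts, "conversations": conversations, "functions": functions}


def detect(baseline, records):
    """Return (category, record) alerts; each record gets at most one category,
    checked from the coarsest deviation (unknown host) to the finest (new function).

    Detection only: nothing is blocked, which avoids the risk of an intrusion
    protection system dropping legitimate control traffic.
    """
    alerts = []
    for r in records:
        conv = (r["src"], r["dst"], r["proto"], r["port"])
        if r["src"] not in baseline["hosts"] or r["dst"] not in baseline["hosts"]:
            alerts.append(("new-talker", r))
        elif conv not in baseline["conversations"]:
            alerts.append(("new-conversation", r))
        elif conv + (r["func"],) not in baseline["functions"]:
            alerts.append(("new-function", r))
    return alerts


def run_example():
    return detect(learn_baseline(BASELINE_RECORDS), LIVE_RECORDS)


if __name__ == "__main__":
    for category, record in run_example():
        print(f"{category:17} {record}")
```

A real deployment would learn the baseline over a long enough window to cover maintenance-time traffic, or the first scheduled firmware update would look like an intrusion.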
Serial devices and data diodes
The earlier definition of critical cyber assets was based on the use of a routable protocol. Cyber assets that used serial communications were not considered critical and thus did not need to comply with NERC CIP. However, cyber systems are now defined as programmable electronic devices, without any mention of connectivity. A cyber system that can impact the reliability of the BES needs to be protected. While this will bring serial devices into scope, these devices will still be exempted from many electronic access point requirements, as there is no applicable firewall or perimeter capability for directly connected, non-routable, serial connections.
Data diodes, or unidirectional communication devices, have been the subject of much discussion in the context of NERC CIP. These devices provide the capability to send data outside of the ESP to maintenance applications or data historians. By removing the capability for the receiving system to reply or send back any data within the perimeter, they claim to break the external routable connection. While NERC issued a compliance application notice (CAN-0024) on this subject, there is no clear guidance available.
Interactive remote access
Traffic through the electronic access point can be characterized as being either SCADA data, used for monitoring and control, or interactive remote maintenance access. The requirements discussed so far apply implicitly to machine-to-machine communications, using network or data exchange protocols. Interactive remote access poses a greater risk as it opens a communication path between a human and a BES cyber system. NERC issued a document entitled “Guidance for Secure Interactive Remote Access.” Many of these guidelines have now been incorporated into the standards as ESP requirements.
One of these requirements is the use of an intermediate device, or proxy, so that the cyber asset initiating remote access does not have direct network access to a BES cyber system or protected cyber asset within the ESP. In addition, communications must now be encrypted to protect the confidentiality and integrity of each interactive remote access session. Finally, the requirement for strong authentication, which was somewhat vague, was replaced by a multi-factor authentication requirement.
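A compliance check for the three requirements just listed (intermediate device, encryption, multi-factor authentication), run over session records. This is an added example, not code from the article or from Eaton; the key=value log format, host addresses and user names are constructed, and the set of protocols treated as encrypted is an assumption.

```python
# Added example (not from the article or from Eaton): auditing interactive remote
# access session records against the three ESP requirements named above. The log
# format, host addresses, user names and protocol names are constructed.
from ipaddress import ip_address, ip_network

ESP = ip_network("10.10.0.0/24")             # BES cyber systems live here
INTERMEDIATE_HOSTS = {"10.20.0.10"}          # the only permitted session origin
ENCRYPTED_PROTOCOLS = {"ssh", "rdp-tls", "https"}   # assumption for this example

# Constructed session records in key=value form, as a jump host or
# authentication server might emit them.
SESSION_LOG = """\
2024-03-01T08:00:00Z session user=alice src=10.20.0.10 dst=10.10.0.5 proto=ssh mfa=yes
2024-03-01T08:05:00Z session user=bob src=10.20.0.55 dst=10.10.0.5 proto=ssh mfa=yes
2024-03-01T08:10:00Z session user=carol src=10.20.0.10 dst=10.10.0.6 proto=telnet mfa=no
2024-03-01T08:15:00Z session user=dave src=10.20.0.10 dst=10.20.0.30 proto=https mfa=no
"""


def parse_session(line):
    """Turn one log line into a dict; fields after the timestamp and tag are key=value."""
    timestamp, tag, *pairs = line.split()
    record = {"time": timestamp, "tag": tag}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def audit_session(record):
    """Return the list of requirement violations for one session into the ESP."""
    if ip_address(record["dst"]) not in ESP:
        return []            # not interactive remote access to a BES cyber system
    findings = []
    if record["src"] not in INTERMEDIATE_HOSTS:
        findings.append("direct access bypasses the intermediate device")
    if record["proto"] not in ENCRYPTED_PROTOCOLS:
        findings.append("session is not encrypted")
    if record["mfa"] != "yes":
        findings.append("no multi-factor authentication")
    return findings


def audit_log(text):
    """Map user -> findings for every session that breaks a requirement."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_session(line)
        findings = audit_session(record)
        if findings:
            report[record["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_log(SESSION_LOG).items():
        print(user, "->", "; ".join(findings))
```

Sessions that terminate outside the ESP (dave's, to a DMZ host) are out of scope for these requirements and produce no finding; bob's session is the one a network-level rule should never have allowed in the first place, so a finding here also means the access point rules need checking.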
Implementing the segmented network
At a very high level (see Figure 2), an electric utility automation system can be broken down into the following zones:
• The Public internet zone is the least trusted and corresponds to external users, or vendors, that would require remote maintenance access through the public Internet.
• The Enterprise zone corresponds to the utility business network. All devices within this zone comply with corporate IT policies and meet baseline security requirements. Corporate IT will generally subdivide the enterprise network into additional zones according to geography, or functions such as accounting and engineering. From the CIP perspective, this zone would not contain BES. However, some of the enterprise-level users will require access to BES cyber systems in the next, more secure, level.
• The SCADA and control systems zone contains trusted systems that communicate with the critical power plant resources. This zone is often referred to as the demilitarized zone as it acts as a buffer between trusted and untrusted zones. From the CIP perspective, this zone contains BES as well as electronic access control or monitoring systems, protected cyber assets and potentially physical access control systems. This zone would also contain servers acting as intermediate devices to provide access to the BES in the next level.
• The power plant zone is the most trusted and contains BES and assets, such as PLCs, data concentrators and protection relays.
Data processing capability is being added to the power plant to help reduce the dependency on the network connection to the enterprise. The power plant may now include authentication servers, event processing systems, data loggers, automated password management, configuration management software, database servers and historians. Breaking up complex networks into additional zones then becomes a basic requirement to provide security and ease of maintenance.
Up to now we have been discussing zones and conduits without delving further into implementation details. Segmenting a network is a basic IT operation based on the use of IP subnets, switches and routers. All devices sharing the same trust level are assigned to the same IP subnet and connected to the same network switch, or cascaded switches. A router is then used as a conduit between the different zones.
Besides managing the exchange of data between the different network segments, routers also provide access control and firewall capabilities, performing many of the functions of the electronic access points for each network segment or zone. An additional benefit resulting from this architecture is that it also improves performance by restricting the propagation of broadcast messages.
Subnets provide segmentation at the routing level. VLANs provide segmentation one level lower, at the level where switches operate. Each networked device can be assigned to a VLAN. Switches that support VLANs are designed not to exchange data between devices that have different VLAN tags. In this manner, devices at different trust levels can be connected to the same switch while still being isolated. In the IT world, VLANs are often used when computers with different functional requirements are connected to the same physical network, e.g., engineering workstations would not be able to access financial data.
A network device with routing capability is required to exchange data between VLANs. Because devices are connected to the same switch and isolation is only ensured by network settings, VLANs are not considered as secure as separate LAN segments based on separate switches. However, they can be combined with LAN subnets to provide increased security and network performance.
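A worked version of two ideas from this article: the high water marking rule from the section "ESPs and access points" (every asset on a segment inherits the highest impact rating present on it) and the VLAN/subnet segmentation just described. This is an added example, not code from the article or from Eaton; the asset list, impact ratings and VLAN numbers are constructed.

```python
# Added example (not from the article or from Eaton): applying high water marking
# to a VLAN layout and finding assets that a separate segment would take out of
# scope of the higher requirements. The asset list and VLAN numbers are constructed.
IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}

ASSETS = [
    {"name": "plc-unit1",     "impact": "high",   "vlan": 10},
    {"name": "relay-gen1",    "impact": "high",   "vlan": 10},
    {"name": "printer-plant", "impact": "low",    "vlan": 10},   # protected cyber asset
    {"name": "historian",     "impact": "medium", "vlan": 20},
    {"name": "file-server",   "impact": "medium", "vlan": 20},
]


def high_water_marks(assets):
    """Required protection level of each VLAN: the highest impact rating on it."""
    marks = {}
    for a in assets:
        current = marks.get(a["vlan"])
        if current is None or IMPACT_RANK[a["impact"]] > IMPACT_RANK[current]:
            marks[a["vlan"]] = a["impact"]
    return marks


def elevated_assets(assets):
    """Assets whose own rating is below their VLAN's mark: they inherit stricter
    requirements only because of what they share a segment with."""
    marks = high_water_marks(assets)
    return [a["name"] for a in assets
            if IMPACT_RANK[a["impact"]] < IMPACT_RANK[marks[a["vlan"]]]]


def effective_level_counts(assets):
    """Number of assets that must meet each level once the VLAN marks are applied."""
    marks = high_water_marks(assets)
    counts = {}
    for a in assets:
        level = marks[a["vlan"]]
        counts[level] = counts.get(level, 0) + 1
    return counts


def resegmented(assets):
    """Copy of the asset list with one VLAN per impact rating (constructed numbering).
    A routing device acting as the electronic access point then sits between them."""
    vlan_for = {"high": 10, "medium": 20, "low": 30}
    return [dict(a, vlan=vlan_for[a["impact"]]) for a in assets]


if __name__ == "__main__":
    print("marks before:", high_water_marks(ASSETS))
    print("elevated:", elevated_assets(ASSETS))
    print("scope before:", effective_level_counts(ASSETS))
    print("scope after:", effective_level_counts(resegmented(ASSETS)))
```

On the constructed data the printer is the only asset pulled up to "high" by its neighbours; moving it to its own VLAN shrinks the set of assets that must meet the high-impact requirements from three to two, which is exactly the trade the segmentation best practice is meant to offer.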
Data concentrators and security appliances
Standard IT switches and routers are used to implement a segmented network. Vendors of automation products have also developed OT-specific solutions that provide network segmentation. A typical solution is to support multiple network adaptors and provide application-specific management rules. Each network adaptor is then assigned to a specific subnet and/or to a VLAN. For instance, data concentrator products often have two network adaptors where one is connected to the wide area network and the other to the substation LAN. Such devices typically do not perform packet routing; instead they act as proxies or intermediate devices and ensure that data can only be forwarded to pre-configured devices.
Advanced data concentrators provide security features ensuring that connected devices are accessed in a NERC CIP-compliant manner, by providing user authentication and authorization, network security and secure remote access.
Because they are designed to meet specific functional requirements, data concentrators and security appliances designed for electrical substations will generally be easier to set up and provide additional benefits when compared to general purpose networking devices.
[1] Benoit, J., “Securing the Perimeter,” presented at South East Asia Protection and Automation Conference (SEAPAC), CIGRE, Paris, 2015.
[2] This paper covers concepts in NERC CIP Version 5. NERC CIP Version 6 is newer, but it does not replace and/or address the entirety of the standards and the aspects of the standards discussed in this paper.
[3] Benoit, J., “Evolving NERC CIP,” presented at Power and Energy Automation Conference, Washington State University, Pullman, Wash., U.S., 2013.
Demos Andreou is a lead engineer at Eaton in the U.S. and Jacques Benoit is a retired senior security analyst from Eaton in Canada.
This article has been evaluated and edited in accordance with reviews conducted by two or more professionals who have relevant expertise. These peer reviewers judge manuscripts for technical accuracy, usefulness, and overall importance within the hydroelectric industry.