By Alan McBride
“Evolving threat landscape” is a phrase that surfaces in almost every discussion of cybersecurity for critical infrastructure, and the recent power outages in Ukraine caused by cyberattacks are a vivid illustration of why.
It is equally important, however, to consider not only the evolution of threats but also that of technology, particularly as utilities increase their reliance on information and communication technologies, often migrating diverse applications onto a single converged communications infrastructure.
Lastly, in some jurisdictions there has been a major shift towards compliance: in the United States, compulsory under version 5 of NERC CIP and voluntary under the NIST Framework for Improving Critical Infrastructure Cybersecurity.
In the face of these changes, an actively managed security posture is required, including adherence to the de facto principle of defense in depth: multiple layers of overlapping security controls that work together to mitigate vulnerabilities and protect critical assets, so that the failure of any single control does not expose the asset.
Security controls can be preventative, detective or corrective in their purpose. Furthermore, they can be procedural, technical or physical in nature. The vast array of potential security controls available to be employed in a defense-in-depth approach leads to the challenge of determining the optimum balance of security investment against risk. More specifically, it is challenging to determine which controls to employ, how widely to deploy them, how to operate them efficiently and how often to review and modulate the range of chosen controls.
How best to evolve security controls for communications generally, and for critical infrastructure specifically, is an area where there has been considerable debate. However, there are certain practices and techniques to which any utility should be paying attention.
A prime example of a security control that is widely accepted as foundational for critical infrastructure is security zoning. It is an established best practice that the utility communications infrastructure should be securely segregated from external networks (such as the Internet or the connected networks of business partners), typically through the use of a demilitarized zone (DMZ) between internal and external networks, so that no external host ever reaches an internal one directly. It is also considered best practice to further segregate the internal utility enterprise network (hosting applications such as billing, customer care, email, etc.) from the grid operations network (hosting applications such as SCADA, distribution automation, metering, etc.), typically through a second DMZ.
Beyond the use of DMZs to segregate logical zones such as enterprise applications and operations, it is generally advisable to treat each remote substation as an instance of a logical ‘substation zone’, protected by a secured electronic perimeter. Additionally, the various applications that involve communication between central operations and remote substations can be segregated into their own logical zones (for example, a ‘SCADA zone’), so that a compromise of one application's traffic path does not give access to another's.
Achieving this approach to zoning involves virtual networking (for example, VLANs or VPN instances) to segregate application communications across the converged communications infrastructure, together with firewalling and intrusion detection at the perimeter of each zone, including the logical communications entry point at the remote substation.
Ideally, cryptography should be employed for all critical communications, not only to ensure confidentiality but also to support virtual network segregation, authentication of communicating parties and integrity of data in transit. Often there is reluctance on the part of critical infrastructure operators to deploy encryption widely, because of concerns about the impact on latency for time-sensitive applications (e.g. teleprotection), the complexity of management (including key management) and limitations in the protocols or layers supported.
Today’s advanced networking equipment can support multi-layer and multi-protocol encryption with hardware acceleration that adds negligible latency, and advanced approaches such as group encryption can streamline the management and deployment of keys. Specific examples of support in networking equipment include physical-layer encryption in optical or microwave devices and multi-protocol encryption in IP/MPLS switches with group encryption support.
Policy-based security management
Security zoning, implemented using firewalling and encryption, requires management and operation in the deployed network. Ideally, this management should be based on zone-level policies rather than requiring point-to-point or per-node management of keys and firewall rules. Group encryption supports key management at a coarse-grained level that can seamlessly match the definition of logical zones. Zone-based firewall rule management provides an analogous capability for firewall rules. The ability to manage security configuration in accordance with coherent policies and at the level of logical zones helps lower the cost of security management while avoiding vulnerabilities that may arise from errors and misconfigurations.
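The following is an added example, not code from the original article or from any vendor's product, that puts the zoning and policy-management ideas above into runnable form. Zones are defined once, a zone-level allow list is the only policy an operator edits, and both the per-zone perimeter firewall rules and the per-zone group keys are derived from it. The zone names, address ranges, the DNP3 (TCP 20000) and HTTPS ports used in the allow list, and the firewall rule syntax are all constructed for illustration; the group key server is a minimal stand-in for a real key server, not a protocol implementation.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Zone definitions. Names and address ranges are constructed for this example.
@dataclass(frozen=True)
class Zone:
    name: str
    prefixes: Tuple[str, ...]   # address ranges belonging to the zone

ZONES: List[Zone] = [
    Zone("enterprise", ("10.1.0.0/16",)),   # billing, email, customer care
    Zone("ops_dmz",    ("10.5.0.0/24",)),   # DMZ between enterprise and operations
    Zone("scada",      ("10.20.0.0/16",)),  # control-centre SCADA masters
    Zone("substation", ("10.30.0.0/16",)),  # remote substations (RTUs, IEDs)
]

# Zone-level allow list: (src_zone, dst_zone, proto, dst_port). Anything between
# zones that is not listed is denied; traffic that stays inside a zone is allowed.
ALLOW: List[Tuple[str, str, str, int]] = [
    ("scada",      "substation", "tcp", 20000),  # DNP3 polling, master -> RTU
    ("ops_dmz",    "scada",      "tcp", 443),    # relay host in the DMZ -> SCADA
    ("enterprise", "ops_dmz",    "tcp", 443),    # enterprise users reach the DMZ only
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means external (Internet, partner networks)."""
    addr = ipaddress.ip_address(ip)
    for z in ZONES:
        if any(addr in ipaddress.ip_network(p) for p in z.prefixes):
            return z.name
    return None

def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Evaluate one flow against the zone policy (default deny between zones)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # external hosts never reach a zone directly
    if src == dst:
        return True             # intra-zone traffic is not filtered here
    return (src, dst, proto, dport) in ALLOW

def compile_perimeter_rules(zone_name: str) -> List[str]:
    """Derive one zone's ingress firewall rules from ALLOW (rule syntax is illustrative)."""
    zone = next(z for z in ZONES if z.name == zone_name)
    rules = []
    for src, dst, proto, port in ALLOW:
        if dst != zone_name:
            continue
        src_zone = next(z for z in ZONES if z.name == src)
        for sp in src_zone.prefixes:
            for dp in zone.prefixes:
                rules.append(f"allow {proto} from {sp} to {dp} port {port}")
    rules.append(f"deny any to {','.join(zone.prefixes)}")   # default deny comes last
    return rules

class GroupKeyServer:
    """One key per zone, shared by every member; new members join without new pairings."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
    def key_for(self, zone_name: str) -> bytes:
        if zone_name not in self._keys:
            self._keys[zone_name] = secrets.token_bytes(32)   # 256-bit group key
        return self._keys[zone_name]
    def rekey(self, zone_name: str) -> bytes:
        self._keys[zone_name] = secrets.token_bytes(32)       # one rotation covers the whole zone
        return self._keys[zone_name]
    def key_count(self) -> int:
        return len(self._keys)

def pairwise_key_count(members: int) -> int:
    """Keys needed if every pair of members held its own key instead of a group key."""
    return members * (members - 1) // 2

if __name__ == "__main__":
    print(compile_perimeter_rules("substation"))
    gks = GroupKeyServer()
    for _ in range(50):                     # fifty substation nodes join the zone
        gks.key_for("substation")
    print(gks.key_count(), "group key instead of", pairwise_key_count(50), "pairwise keys")
```

The point to notice is what an operator has to touch when the network changes: adding a fiftieth substation to the `substation` prefix adds no firewall rule and no key, whereas pairwise keying would add 49 new keys and per-node rules would each need editing. The default-deny line is emitted last on purpose; a rule compiler that forgot it would silently turn a zone perimeter into an open door.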
Advanced intrusion detection
The use of intrusion detection systems (IDS) and security information and event management (SIEM) is highly recommended since, despite protective controls, breaches may be considered almost inevitable, and intrusions often remain undetected for weeks, months or even years. An emerging approach is to apply data analytics in the security domain, including techniques such as machine learning, as an advanced platform for intrusion detection that goes beyond traditional ‘signature-based’ approaches. This can potentially detect zero-day exploits, advanced persistent threats and stealthy intrusions through the detection of anomalies in configuration, traffic patterns or user behaviors, or through threat intelligence captured using honeypots in the deployed network. A practical caveat: anomaly detection is only as good as its baseline, which must be learned from traffic that is known to be clean and must be retuned after legitimate changes, or the detector will either alert on every maintenance window or learn the intruder's traffic as normal. Intrusion detection augments the security posture achieved through zoning with encryption and firewalling, and analytics-based intrusion detection positions the utility defensively against the evolving threat landscape discussed at the start.
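As an added example (not code from the original article or from any IDS product), the following baseline-and-deviate detector shows what "anomalies in traffic patterns" means for SCADA traffic, where polling is highly regular and the set of peers and function codes is small. The flow records, addresses and timestamps are constructed; the format is a simplified per-message record with a Modbus/TCP function code (port 502, code 3 = read holding registers, code 16 = write multiple registers). The baseline is learned from a clean window, and a later window is checked for unknown peers, unknown function codes and polling-rate changes.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records, not captured from any real network. Fields:
# timestamp(s) src dst proto dst_port modbus_function_code
# (3 = read holding registers, 16 = write multiple registers).
BASELINE_LOG = """
0  10.20.1.5 10.30.7.2 tcp 502 3
10 10.20.1.5 10.30.7.2 tcp 502 3
20 10.20.1.5 10.30.7.2 tcp 502 3
30 10.20.1.5 10.30.7.2 tcp 502 3
40 10.20.1.5 10.30.7.2 tcp 502 3
50 10.20.1.5 10.30.7.2 tcp 502 3
"""

# Window under inspection: a write from the master, an enterprise host talking
# Modbus to the RTU, then the master polling ten times faster than usual.
OBSERVED_LOG = """
60 10.20.1.5 10.30.7.2 tcp 502 3
70 10.20.1.5 10.30.7.2 tcp 502 3
72 10.20.1.5 10.30.7.2 tcp 502 16
80 10.1.4.4  10.30.7.2 tcp 502 3
80 10.20.1.5 10.30.7.2 tcp 502 3
81 10.20.1.5 10.30.7.2 tcp 502 3
82 10.20.1.5 10.30.7.2 tcp 502 3
"""

Record = Tuple[float, str, str, str, int, int]
FlowKey = Tuple[str, str, int, int]   # (src, dst, dport, function code)

def parse(text: str) -> List[Record]:
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, fc = line.split()
        records.append((float(ts), src, dst, proto, int(dport), int(fc)))
    return records

class FlowBaseline:
    """Profile of who talks to whom, with which function codes, and how often."""
    def __init__(self) -> None:
        self.peers = set()                     # (src, dst, dport) seen in clean traffic
        self.flows = set()                     # FlowKey seen in clean traffic
        self.intervals = defaultdict(list)     # FlowKey -> inter-arrival samples
        self.last: Dict[FlowKey, float] = {}   # FlowKey -> last timestamp seen

    def learn(self, records: List[Record]) -> None:
        for ts, src, dst, _proto, dport, fc in records:
            key = (src, dst, dport, fc)
            self.peers.add((src, dst, dport))
            self.flows.add(key)
            if key in self.last:
                self.intervals[key].append(ts - self.last[key])
            self.last[key] = ts

    def timing_bounds(self, key: FlowKey):
        """Acceptable inter-arrival window; None if there are too few samples to judge."""
        samples = self.intervals.get(key, [])
        if len(samples) < 3:
            return None
        mean, sd = statistics.mean(samples), statistics.pstdev(samples)
        tol = max(3 * sd, 0.25 * mean)     # floor keeps a zero-variance baseline usable
        return mean - tol, mean + tol

def detect(baseline: FlowBaseline, records: List[Record]) -> List[tuple]:
    """Flag peers, function codes and polling rates not seen in the baseline."""
    alerts = []
    last = dict(baseline.last)   # carry the last-seen timestamps across the window boundary
    for ts, src, dst, _proto, dport, fc in records:
        key = (src, dst, dport, fc)
        if (src, dst, dport) not in baseline.peers:
            alerts.append(("new_peer", ts, src, dst, dport))
        elif key not in baseline.flows:
            alerts.append(("new_function_code", ts, src, dst, fc))
        else:
            bounds = baseline.timing_bounds(key)
            if bounds and key in last:
                delta = ts - last[key]
                if not bounds[0] <= delta <= bounds[1]:
                    alerts.append(("timing", ts, src, dst, delta))
        last[key] = ts
    return alerts

def run() -> List[tuple]:
    baseline = FlowBaseline()
    baseline.learn(parse(BASELINE_LOG))
    return detect(baseline, parse(OBSERVED_LOG))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed window this raises four alerts: the unexpected write (function code 16), the enterprise host reaching the RTU (which the zone firewall should have blocked, so its appearance is also evidence of a firewall gap), and two timing alerts for the burst of polls at one-second spacing. None of these would match a signature, which is the point of the passage above. The baseline here is six records; in practice it is learned over days, and a sudden change in what is "normal" should itself be reviewed rather than silently re-learned.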
A solid foundation for cybersecurity
Defense-in-depth will require the use of a wide range of security controls of various types, including physical and procedural controls as well as technical controls such as firewalling, encryption and intrusion detection. Investing in a coherent and streamlined approach to managing security zones using modern techniques, such as group encryption and zone-based firewalling augmented by advanced analytics-based intrusion detection, is a very good start. It also provides an excellent foundation on which to build the more comprehensive security posture that utilities require in the face of the evolving threat, technology and compliance landscapes.