KTH ROYAL INSTITUTE

OF TECHNOLOGY
Cyber Security
in Power Systems

Matus Korman
Industrial information and
control systems, KTH
<[email protected]>
www.ics.kth.se

Image source: zdnet.com

?
 Example consequences:

US Northeast blackout (2003)

Cause: A software defect in a control

room.
Restoration: Some customers after
6 hours, some after 2 days, some
remote places after nearly a week.
Consequences (among other):
• 45M people in 8 US states
• 10M people in Canada
• Healthcare facilities experienced
$100M lost revenue
• 6 hospitals bankrupt one year
after

Source: Wikipedia
Outline

1. Background (IT-security)

2. Attackers, threats

3. Vulnerabilities in power systems

4. Solutions for securing power systems

5. Standards & guidelines, where to look further

IT security… what it is about (roughly)
TO ENSURE: … DURING

THE REQUIRED
STATE OF DATA,
IT SERVICES AND
OTHER RESOURCES:

… BY APPLYING

Technology

Organization,
Human &
processes
culture
& rutines
 Actually more than that…

Requirements identification and

specification

It takes Design and analysis

the whole
lifecycle Development and verification (testing)

… of technical systems Operation and maintenance

(changing, upgrading etc.)
… of organizations
(socio-technical systems,
work systems) Disposal
 What parts does cyber security relate to?

…
pretty much
all these layers,
domains and zones:
To ensure security of the
power delivery – that’s on
the business layer and that
Smart Grid Architecture Model.
is dependent on roughly
CEN-CENELEC-ETSI Smart Grid Coordination Group: everything else in the
Smart Grid Information Security
picture.
NISTIR 7628 rev. 1: reference model – entities, actors
NISTIR 7628 rev. 1 – entities and data flows
Outline

1. Background (IT-security)

2. Attackers, threats

3. Vulnerabilities in power systems

4. Solutions for securing power systems

5. Standards & guidelines, where to look further

Threats of the cyberspace (general)

HACKTIVISTS
DIFFERENT CRIMINALS
FRAUDSTERS

[PROFESSIONAL]
HACKERS

RANSOMWARE BOTNETS AND

THEIR OPERATORS

MALWARE

MILITARY &
TECHNICAL USERS, WE
STATE UNITS
FAILURES OURSELVES
Outline

1. Background (IT-security)

2. Attackers, threats

3. Vulnerabilities in power systems

4. Solutions for securing power systems

5. Standards & guidelines, where to look further

In information technology…
… vulnerabilities are all around

• Due to complexity… multiple layers, interdependencies:

• From physical signals and processing in hardware
(the chips, processors with all their registers and
how they work)
• Through operating system level
(e.g., Windows/Linux/VxWorks/… kernel)
• Through numerous levels of libraries/APIs
+ networking (distributed computing)
(e.g., system libraries like libc… all the way up)
• To user/application level
(e.g., file transfer, bus protection logic, …)

• Additional considerations: virtualization, cloud… coming in to ICS, too.

Why ICS are vulnerable

Systems are traditionally designed and tested to:

– Work in ideal conditions (functionality)
– Work even under different expected variation in the
process environment (field-robustness – ”rugged”)
– To some extent work under cyber-noise
(e.g., higher network load, patching of systems,
network scanning etc.)

However, they increasingly need to:

– Resist sophisticated attacks from intelligent and
capable threat agents (cyber-security)
Why ICS are vulnerable… cont’d
Convergence between ICS and general IT:
• General IT-technology is increasingly used in ICS
(IP-networks, Windows, Linux, wireless, web-based
systems … all well-known, well-compromised)
• Connections between the process network and other
networks tend to lack securement
• A variety of data flows between networks, using
various protocols (including old, proprietary, insecure
ones)
• Sometimes unprotected control system components
(IEDs, RTUs, etc.) – for flexible access for technical
personnel, consultants/contractors…

Physically and logically distributed environments

=> more difficult to secure
 Different levels of vulnerabilities

System/component design:
• SCADA-software, HMI and workstation operating systems
(Windows, Linux), other systems;
• PLC, RTU, IED, switches, routers…

Network design:
• ICS-network (process network) + its connection to the office
network (and other networks);
• Application services running on machines in the ICS-network;
• Configuration of IT-security protection in the network
(firewalls, IDS/IPS, configuration of operating systems)…

Organization, people and operations:

• Security policy and security culture in the organization;
• How people carry out different technical operations;
• What devices one can use in the ICS-network
(own computers on which one surfs in private, USB-sticks etc.);
Common vulnerabilities in ICS
Documentation and processes:
• Lack of formal documentation
• Lacking change management process
• Lacking security policy and security culture(awareness, attitudes etc.)

Access control:
• Lacking access control (which user/role has access where, when, how, etc.)
• Vulnerable handling of authentication data (e.g., passwords)
• Over-privileged access accounts, old accounts, etc.

Network design and state of systems hosted there:

• Vulnerable network design, insufficient protection of networks
(e.g., unnecessarily broad exposure of systems and data traffic in a network,
insufficient separation between process networks, office networks, outside Internet…)
• Outdated systems, active modems/VPNs with poor authentication...

Security countermeasures
(e.g., firewalls, IDS/IPS, configuration, security operations):
• Weak network protection (firewall restrictions such as what ports, what IP ranges,
what intensity of communication, etc.)
• Lacking security reviews and accountability
• Vulnerable configuration of system such as unnecessary services and software
installed and even running
 How an attack can take place…
A network can be penetrated e.g.:
• Directly: An attacker manages to get into a network from outside (e.g., by obtaining
an own IP-address in there, ARP-spoofing some other machine, …)
• Indirectly: An attacker exploits that personnel surfs on Internet, reads e-mail, etc… in
order to infect the personnel’s machine(s), and then attack further and deeper
• Social engineering: An attacker tricks personnel to do something compromising (e.g.,
give away a username, password etc.) – through pretending to be a legitimate
person, commonly in an urgent situation (e.g., a technician who quickly needs some
non-standard help to prevent a major failure/incident from happening…)
A software can be infected through (a single data flow can be enough) e.g.:
• Known vulnerabilities (on outdated systems) – statistically frequent and often
unnecessary vulnerability. Whoever can get exploits and shoot them at a system.
• Zero-day vulnerabilities (0-days, yet publicly unknown) – majority is not captured
even by advanced, expensive, collaborative security solutions (NGIPS). Luckily,
0-days are very expensive to buy usable exploits for (e.g., black market) and very
demanding to identify and develop on own for a generic software.
There are different types of attacks, e.g.:
• DoS (Denial of Service), DDoS (distributed DoS) – sabotage that blocks, saturates,
locks in or takes down systems/functions so that they no longer are available
(temporarily or permanently)
• MITM (Man-In-The-Middle) – hidden manipulation of data communication…
• Intrusion – leads to illegitimate control over a system or a part of it, which then can
lead to modifications/sabotage, mapping/espionage, etc…
Identifying potential victim devices…

Shodan – it’s like Google, just for devices with public access:
https://www.shodan.io/

It’s a computer search engine. Partially free of charge.

Helps people to find webcams, fridges, RTUs, etc…

… according to country, ports/services,
organizations, operating systems,
installed software packages…
Outline

1. Background (IT-security)

2. Attackers, threats

3. Vulnerabilities in power systems

4. Solutions for securing power systems

5. Standards & guidelines, where to look further

How to secure ICS environments?
Identify and eliminate greatest security holes

Harden systems and networks

(get rid of unused functionality, unused software installed on machines,
unnecessarily open ports; harden your systems configuration, etc. etc.)
The goal of all this is to:
 Constrain the possibilities and maneuvering space of the attacker(s),
and so make their work as difficult, expensive and risky as possible.

Scan for vulnerabilities, do penetration tests as applicable

(e.g., ICS test beds, typically not on-site, as things could break…)
… to measure security

Establish a systematic, formal work with IT security

– Risk analyses and risk treatment – there are risk analysis methods
– Reviews and log analyses
– Analysis of in- and outgoing network traffic (e.g. Netflow)
– Updates + other security maintenance
– Education and training of personnel

… etc.
 Example countermeasures… just a few

• Network segmentation and DMZs between networks

• Firewalls
BASIC
• Access control to systems, plus:
• Reasonably strong passwords
• Smart cards (eventually)
• Connection tracking and network access control
• Blacklisting
• Whitelisting
MORE
ADVANCED • Intrusion detection
(both based on signatures and models of normal behavior)
• Honeypots / honeynets

The following document gives a very good overview of the different realistic security
controls to consider – ”The Critical Security Controls for Effective Cyber Defense” by
Council on Cyber Security:
https://www.sans.org/critical-security-controls
Outline

1. Background (IT-security)

2. Attackers, threats

3. Vulnerabilities in power systems

4. Solutions for securing power systems

5. Standards & guidelines, where to look further

Cyber security standards and guidelines

General IT security:
• ISO/IEC 27000-series (27001, 27002, 27005…)

Security in industrial control systems:

• NIST SP 800-82 (rev. 2):
Guide to Industrial Control Systems (ICS) Security
• IEC 62351 – for communication protocols
• NIST Framework for Improving Critical Infrastructure
Cybersecurity
• NERC CIP (Critical Infrastructure Protection)

Security in power systems (specifically):

• NISTIR 7628 (rev. 1): Guidelines for Smart Grid Cyber
Security
Where to look further
• Industrial Control Systems
Computer Emergency Response Team (ICS-CERT):
https://ics-cert.us-cert.gov/
https://ics-cert.us-cert.gov/Standards-and-References

• EU Agency for Network and Information Security (ENISA):

https://www.enisa.europa.eu/
https://www.enisa.europa.eu/topics/critical-information-
infrastructures-and-services/scada

• Critical Security Controls (by Center for Internet Security):

https://www.cisecurity.org/critical-controls.cfm

• SCADAHacker forum (by Joel Langill):

https://scadahacker.com/
 Great books
Highly topic-relevant:
Eric D. Knapp & Joel Thomas Langill (2015):
Industrial Network Security:
Securing Critical Infrastructure, Network for Smart Grid,
SCADA, and other Industrial Control Systems

A good book about information security (general):

John R. Vacca (2013):
Computer and Information Security Handbook
(second edition)
 Books with highly applied, practical focus

Tyson Macaulay & Bryan Singer (2012):

Cybersecurity for Industrial Control Systems

Ralph Langner (2012):

Robust Control System Networks
 
Thanks for your attention and good luck!