Electric Energy T&D - Index

Electric Energy T&D - EE Magazine March / April - Index

NIST testing has demonstrated that updating antivirus definition files can cause a -6 minute denial of service on legacy control system processors. Traditional IT security testing can be even more problematic for legacy systems. Many legacy control systems have been designed without a complete IP communication stack. Scanning legacy control system devices and/or networks with traditional IP scanning tools can lead to broadcast storms as the scanning tool attempts to locate devices that cannot adequately respond. A broadcast storm is a state in which a message that has been broadcast across a network results in even more responses, and each response results in still more responses in a snowball effect. A severe broadcast storm can block all other network traffic, resulting in a network meltdown [9]. There have been several actual control system cases where scanning control system networks and/or devices resulted in broadcast storms that significantly impacted control system performance. In at least one case, scanning resulted in damage to control system equipment (in this case variable speed drives) that required replacement before the equipment could be reused. Consequently, it cannot be stressed enough how dangerous scanning can be to legacy systems if it is not performed knowledgeably and with caution.

Scanning is not the only issue. A recent case involved the tripping of a 50 MW generator because of inappropriate policies. Inappropriate architecture has also led to cyber incidents, including the shutdown of a large nuclear power plant.
Another common problem is the security of dial-up modems. Many users feel that all modems have been identified and are disconnected when not needed. When visiting users (not just utilities), I have yet to meet a user that hasn't told me they know where all of their modems are and that they are disconnected when not in use. Conversely, after detailed discussions and walk-downs, I have yet to find a user that hasn't found at least one modem they didn't know they had, or at least one modem that was connected that they thought was disconnected. Any modem that is not secured is a cyber security vulnerability. The recent Idaho National Laboratory (INL) demonstration that was shown on CNN destroyed a diesel generator by using dial-up modems [10]. Without appropriate control system policies and procedures, you cannot secure your control system assets. Lacking them is also the surest way to fail a "real" (are you really more secure?) control system audit, or the quickest path to unintentional control system problems.
System integration
In the past, identifying relevant stakeholders for a SCADA or plant control system was easy: it was limited to facility and corporate operations and engineering. Today it is much more complex, and tomorrow it will be even more so. Part of what makes control systems more productive is also what makes them more insecure – system integration. More and more organizations are finding that their most valuable and useful data is the real-time control system data. This is leading many internal organizations to establish, or want to establish, connections to a SCADA system, plant control system, programmable logic controller, or control system database without the corporate or facility operations and engineering organizations even being aware. Additionally, productivity can be enhanced by integrating control systems such as SCADA with non-control systems such as customer management or geographic mapping programs. Depending on how the networks are configured, this can result, and has resulted, in actual cyber incidents, including the only case I know of where a SCADA system was targeted and incapacitated.
[9] http://www.webopedia.com/TERM/B/broadcast_storm.html
[10] Source: Staged cyber attack reveals vulnerability in power grid, CNN, September 26, 2007, http://www.cnn.com/2007/US/09/26/power.at.risk/index.html
March-April 2008 Issue
Performing vulnerability assessment to prudently identify all electronic connections
Utility organizations are beginning the process of assessing the cyber vulnerabilities of their control systems to meet the NERC CIPs. The creation and execution of these assessments needs to be done carefully, as there are several significant and frequently conflicting issues at play. The first is scope. NERC is focused on grid reliability. There are many specific scope exclusions in CIP-002, such as telecom, market functions, distribution, and non-routable protocols. Many utilities have excluded these systems from their vulnerability assessments since they have been excluded by the NERC CIP. Many of these excluded systems are cyber vulnerable and directly communicate with systems that are in the CIP-002 scope. Consequently, it is not possible to comprehensively identify the cyber vulnerabilities that can impact these critical cyber assets.

Implicitly, there is another exception – small facilities. The NERC CIP implies that traditional reliability criteria can be followed in defining what equipment needs to be identified and addressed as critical assets, which implies large facilities. This makes sense from NERC's traditional reliability perspective. Since most utilities have provided redundancy in substations, power plants, and sometimes even control centers, many utilities have identified very few critical cyber assets. In reality, the NERC CIPs are a cyber standard, not a traditional reliability standard. From a cyber perspective, it is the connectivity that determines criticality, not the size. The analogy is 9/11. The terrorists who hijacked the plane in Boston did not originate in Boston. Rather, they boarded at a smaller airport with no security. The same philosophy applies here. A very small facility that is connected to a larger facility can impact the larger facility or any other facility to which it is interconnected. A common control system network that can shut down all facilities, be they power plants or substations, can have an impact on the grid. From a cyber security standpoint, it is irrelevant how large or critical the system is to normal reliability considerations. From a cyber perspective, what matters is whether the equipment is electronically connected.
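As an added illustration of the scoping argument above (example code, not from the article or from NERC), the following Python compares a size-based reading of CIP-002 with one that follows electronic connectivity over a constructed asset inventory; every asset name, MW rating, category and link is a constructed assumption.

```python
from collections import deque

# Constructed sample inventory (not real utility data): asset -> (MW, category).
# telecom, distribution and corporate are the categories the article says
# utilities drop from assessments because NERC CIP excludes them.
ASSETS = {
    "plant_A": (800, "generation"),
    "substation_B": (0, "transmission"),
    "small_hydro_C": (5, "generation"),
    "dist_feeder_D": (0, "distribution"),
    "telecom_gw_E": (0, "telecom"),
    "corp_lan_F": (0, "corporate"),
    "standalone_G": (400, "generation"),  # large, but electronically isolated
}
# Constructed electronic connections, treated as undirected.
LINKS = [("plant_A", "substation_B"), ("small_hydro_C", "substation_B"),
         ("small_hydro_C", "dist_feeder_D"), ("dist_feeder_D", "telecom_gw_E"),
         ("telecom_gw_E", "corp_lan_F")]
TRADITIONAL_EXCLUSIONS = {"telecom", "distribution", "corporate"}

def traditional_scope(assets, min_mw=300):
    """Size-based reading: large facilities only, excluded categories dropped."""
    return {name for name, (mw, cat) in assets.items()
            if mw >= min_mw and cat not in TRADITIONAL_EXCLUSIONS}

def connectivity_scope(assets, links, seeds):
    """Connectivity-based reading: every asset electronically reachable from a
    seed is in scope, whatever its size or category (breadth-first search)."""
    adjacent = {name: set() for name in assets}
    for a, b in links:
        adjacent[a].add(b)
        adjacent[b].add(a)
    in_scope, queue = set(seeds), deque(seeds)
    while queue:
        for neighbour in adjacent[queue.popleft()]:
            if neighbour not in in_scope:
                in_scope.add(neighbour)
                queue.append(neighbour)
    return in_scope

if __name__ == "__main__":
    size_based = traditional_scope(ASSETS)
    cyber = connectivity_scope(ASSETS, LINKS, size_based)
    print("size-based scope:", sorted(size_based))
    print("missed by size-based scoping:", sorted(cyber - size_based))
```

With these constructed inputs the size-based reading keeps only the two large plants, while following connectivity pulls in the small hydro unit, the substation and the three "excluded" systems that sit on the same path, and leaves the isolated plant where it is.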