Today at Black Hat USA 2019 we’re presenting an innovative power grid cyber security solution that greatly improves monitoring of intelligent electronic devices (IEDs). These devices, such as RTUs, PLCs, field devices and power supplies, are critical components for keeping electricity flowing smoothly.
Using the IEC 62351 standard for monitoring industrial networks, we demonstrate how four types of hard-to-detect attacks are readily identified. Our new approach to asset health monitoring significantly enhances threat detection and power grid cyber resiliency.
Power Grid Cyber Security: State of the Art
Until recently, electric utilities have focused almost exclusively on implementing and operating equipment that maintains power system reliability. Plus, the industry has traditionally separated the business/IT side of the organization from power grid operations. The focus on reliability and the isolation of power grid networks helped establish the mindset that cyber risk was low.
Over the past decade, however, this situation has changed dramatically.
- To improve efficiencies and meet changing customer demands, power plant operators have been integrating IT and OT (operational technology) systems and teams. While increased connectivity delivers business benefits, it also exposes the power grid to higher cyber risk.
- Threat actors are focusing more on critical infrastructure attacks, especially in the energy sector, and are benefiting from the availability of malware toolsets on the internet.
- For the second year in a row, the World Economic Forum lists cyberattacks on critical infrastructure as one of the top five global risks. The 2019 Global Risk Report highlights that an attack on a country’s electricity system could have potentially devastating effects.
Electric utilities have responded to rising cyber risks by adopting ICS visibility and cyber security solutions. These solutions typically use passive network monitoring to detect threats, identify assets and improve situational awareness. They are deployed by attaching a passive appliance to span ports. The appliance analyzes network traffic without introducing new packets into the system, ensuring that critical industrial processes aren’t disrupted.
The passive monitoring approach delivered a quantum leap in securing critical infrastructure — but it has limitations. For example, it cannot provide reliable information about the health of assets, nor reliable vulnerability assessments.
To effectively address escalating threats to critical infrastructure, it's therefore essential to improve the effectiveness of power grid network and asset monitoring.
IEC 62351 Standards for Securing Power System Communications
Communication protocols are one of the most critical parts of industrial systems, responsible for retrieving information from field equipment and sending control commands. Unfortunately, these communication protocols have rarely incorporated any security measures, including protection against errors, equipment failures, or deliberate sabotage.
Yet critical infrastructure systems are vital to the smooth functioning of societies. Thus, in the early 2000s, IEC Technical Committee 57, a group devoted to power system management standards, began focusing on how to make power grids secure-by-design. Working Group 15 (WG15) was formed to evaluate the requirements from a technology perspective, and define a standard way to implement them.
WG15 proposed a series of solutions aimed at creating secure communication channels inside critical infrastructure networks. The resulting standard is organized into several different parts, with each one addressing different security objectives such as encryption, data authentication, spoofing prevention, intrusion detection, etc.
Figure: Power grid network monitoring using the IEC 62351-7 standard: immediate detection of a power supply failure caused by a cyberattack.
IEC 62351-7 Radically Improves Asset Health and Security Monitoring
Part 7 of IEC 62351 defines data objects that contain the information needed to significantly improve:
- Asset visibility, such as disruption of field devices and power supply failure
- Asset health evaluation, such as CPU and memory usage
- Asset security assessment, such as watchdog and running process status
- Network situational awareness, such as links on ethernet ports
Relying on widely used management and automation protocols like SNMP, DNP3 and IEC 61850, IEC 62351-7 supports the reliable and safe collection of key asset and network information.
Considering the significant value of this approach, several manufacturers have made available firmware updates or new equipment that is compliant with the standard. This not only increases the security of their product offerings, it allows the use of IEC 62351 in real-world scenarios.
IEC 62351 Part 7 Delivers New Threat Detection Scenarios
Power grid cyber security solutions that interact with IEC 62351-compliant equipment significantly enhance network security and reliability monitoring. For example, the drastic improvement in asset health monitoring allows alerts to be triggered when faulty or overloaded devices are detected. Such alerts could stem from a cyberattack or equipment failure, both of which could represent emergency situations.
In fact, information about assets with irregular internal conditions gives engineers the opportunity to prevent accidents or severe disruptions before they occur. Suddenly, events that were previously unexplainable can now be connected to conditions that had been occurring over a long period of time.
Awareness of network asset status is also very useful for detecting advanced attacks targeting the internal logic of devices. One example is a ladder-logic attack, where the attacker aims to modify the behavior of the industrial process. Modified ladder logic could cause CPU overload or high memory utilization on an IED, triggering alerts that would start an investigation.
Cyberattacks can cause physical outcomes, such as a power outage and equipment damage. Successful attacks against a specific device could lead to a dangerous situation if not detected and mitigated promptly. IEC 62351-7 provides detailed information about devices like power supplies, enabling early-stage threat detection.
Figure: Power grid network monitoring using the IEC 62351-7 standard: immediate detection of a malware attack on an HMI.
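To make the detection scenarios above concrete, here is an added Python sketch (not Nozomi Networks code and not the standard's data model) that turns periodically polled asset-health values of the kinds IEC 62351-7 describes (CPU, memory, power supply, Ethernet link, watchdog) into alerts. The field names, thresholds and poll data are constructed placeholders; a real collector would map the standard's data objects onto them.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical field names standing in for the IEC 62351-7 asset-health
# data objects (CPU, memory, power supply, Ethernet link, watchdog) that a
# collector would poll, e.g. over SNMP. Not the standard's object names.
@dataclass(frozen=True)
class HealthSample:
    device: str
    cpu_pct: float
    mem_pct: float
    power_supply_ok: bool
    eth_link_up: bool
    watchdog_ok: bool

def evaluate(sample, history, z=3.0, floor_pct=10.0, min_history=5):
    """Return (device, finding, severity) tuples for one polled sample.
    `history` holds earlier samples of the same device (its baseline)."""
    alerts = []
    # Status objects: a failed state is an alert on its own.
    if not sample.power_supply_ok:
        alerts.append((sample.device, "power supply failure", "critical"))
    if not sample.eth_link_up:
        alerts.append((sample.device, "ethernet link down", "high"))
    if not sample.watchdog_ok:
        alerts.append((sample.device, "watchdog not running", "high"))
    # Resource usage: flag a value far above the device's own baseline (the
    # symptom of tampered logic); floor_pct keeps a flat baseline from
    # alerting on normal jitter when its spread is near zero.
    for field in ("cpu_pct", "mem_pct"):
        past = [getattr(s, field) for s in history]
        if len(past) < min_history:
            continue  # no baseline yet
        limit = mean(past) + max(z * pstdev(past), floor_pct)
        if getattr(sample, field) > limit:
            alerts.append((sample.device, f"{field} above baseline", "medium"))
    return alerts

def run_monitor(polls):
    """Run a chronological poll sequence through evaluate(), per device."""
    history, alerts = {}, []
    for s in polls:
        past = history.setdefault(s.device, [])
        alerts.extend(evaluate(s, past))
        past.append(s)
    return alerts

# Constructed polls: RTU-01 runs steadily, then spikes; IED-07's PSU fails.
POLLS = [HealthSample("RTU-01", c, m, True, True, True)
         for c, m in [(20, 40), (22, 41), (21, 40), (23, 42), (20, 40)]]
POLLS += [HealthSample("RTU-01", 95, 80, True, True, True),
          HealthSample("IED-07", 15, 30, False, True, True)]
```

Running `run_monitor(POLLS)` yields two baseline alerts for RTU-01 (CPU and memory) and one critical power-supply alert for IED-07; the first five RTU-01 polls only build the baseline.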
The Future of Securing Power Grid Intelligent Electronic Devices
Using an active but low-risk approach to monitoring IEDs, along with the IEC 62351-7 standard, makes it possible to closely monitor the health of industrial assets. This innovative approach identifies hard-to-detect threat scenarios, such as those outlined here and shown in our Black Hat presentation.
There is an urgent need to improve power grid cyber security. Our real-world application of the IEC 62351 standard shows that solutions are available today that deliver comprehensive smart grid threat and reliability monitoring.
Free Tools from Nozomi Networks Labs
- Webpage: Nozomi Networks Labs Tools
- Github.com: Nozomi Networks Tricotools
- Github.com: GreyEnergy Unpacker + Yara Module
- Github.com: Radamsa Enhancement