Cybersecurity considerations for electrical distribution systems

Every day, cyber attacks against government and commercial computer networks number in the millions. According to U.S. Cyber Command, Pentagon systems are probed 250,000 times per hour.

Similar attacks are becoming more prevalent on other kinds of information-based smart networks as well, such as those that operate buildings and utility systems.

Whether the objective is to steal intellectual property or halt operations, the tools and the techniques used for unauthorized network access are increasingly sophisticated.

Connectivity—Why do we need to address cybersecurity for industrial control systems (ICS)?

There is increasing concern regarding cybersecurity across industries where companies are steadily integrating field devices into enterprise-wide information systems.

This occurs in discrete manufacturing and process industrial environments, a wide range of general and specific purpose commercial buildings, and even utility networks.

Traditionally, electrical systems were controlled through serial devices connected to computers via dedicated transceivers using proprietary protocols. In contrast, today’s control systems are increasingly connected to larger enterprise networks, which exposes them to the same kinds of vulnerabilities found in conventional computer systems.

Information technology (IT) vs. ICS networks

  • The main focus of the IT network is to ensure the confidentiality and the integrity of the data using rigorous access control and data encryption
  • The main focus of the ICS network is safety, availability and integrity of data
  • Enterprise security protects the servers’ data from attack
  • Control system security protects the facility’s ability to safely and securely operate, regardless of what may befall the rest of the network

Cybersecurity threat vectors

Cybersecurity threat vectors are paths or tools that an entity can use to gain access to a device or a control network in order to deliver a malicious attack. The figure below shows examples of attack vectors on a network that might otherwise seem secure.

These paths include:

  • External users accessing the network through the internet
  • Misconfigured firewalls
  • Unsecured wireless routers and wired modems
  • Infected laptops located elsewhere that can access the network behind the firewall
  • Infected USB keys and PLC logic programs
  • Unsecured RS-232 serial links

Common cybersecurity attacks

  • Virus – a software program that spreads from one device to another, affecting operation
  • Trojan horse – a malicious device program that hides inside other programs and provides access to that device
  • Worm – a device program that spreads without user interaction and affects the stability and performance of the ICS network
  • Spyware – a device program that changes the configuration of a device

[Figure: Cybersecurity threat vectors]

Designing for the threat vectors

Firewalls

Firewalls provide the capability to add stringent and multifaceted rules for communication between various network segments and zones in an ICS network. They can be configured to block data from certain segments, while allowing the relevant and necessary data through. A thorough understanding of the devices, applications and services that are in a network will guide the appropriate deployment and configuration of firewalls in a network. Typical types of firewalls that can be deployed in a network include:

Packet filter or boundary firewalls that work on the network layer

These firewalls operate mainly at the network layer, using pre-established rules based on port numbers and protocols to examine the packets going into or out of a separated network. Each packet is either permitted or denied based on these rules.

Host firewalls

These firewalls are software solutions that protect the ports and services of an individual device. Host firewalls apply rules that track, allow or deny incoming and outgoing traffic on the device, and are mainly found on mobile devices, laptops and desktops that can easily be connected to an ICS.

Application-level proxy firewalls

Application-level proxy firewalls hide and protect the individual devices and computers in a control network. Because they communicate at the application layer, they can inspect traffic in more depth than a packet filter. The extensive log data they collect, however, can negatively impact the performance of an ICS network.

Stateful inspection firewalls

These firewalls work at the network, session and application layers of the Open Systems Interconnection (OSI) model. Stateful inspection firewalls are more secure than packet filter firewalls because they only pass packets that belong to an established, permitted session. They can authenticate users when a session is established, analyze a packet to determine whether it contains the expected payload type, and enforce constraints at the application layer.

SCADA hardware firewalls

These are hardware-based firewalls that defend an ICS by observing abnormal behavior of a device within the control network. For example, if an operator station computer suddenly attempts to program a PLC, the activity can be blocked and an alarm raised before it puts the system at serious risk.

Demilitarized zones (DMZ)

Network segmentation is a key consideration in establishing secure control networks. Firewalls should be used to create a DMZ by grouping critical components and isolating them from the traditional business IT network. A three-tier architecture should be employed at a minimum, with a DMZ between the organization’s core network and the isolated control system network.

Control networks are divided into layers or zones based on control functions, which are then connected by conduits (connections between the zones) that provide security controls to:

  • Control access to zones
  • Resist denial of service (DOS) attacks and the transfer of malware
  • Shield other network systems
  • Protect the integrity and the confidentiality of network traffic

Beyond network segmentation, access control (both physical and logical) should be defined and implemented.

Defining required interactions

The key consideration when designing access control is defining the required interactions both within a given zone and between zones. These interactions should be mapped out clearly and prioritized based on need. It is important to realize that every hole poked in a firewall and each non-essential functionality that provides access or creates additional connectivity increases potential exposure to attacks. A system then becomes only as secure as the devices connecting to it.

If mapped correctly, the potential adverse impact to control system reliability and functionality should be negligible. However, this element introduces additional costs (in terms of firewall and other network infrastructure) and complexity to the environment.
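The zone-and-conduit model and the mapping of required interactions above can be expressed as a default-deny check that also verifies the three-tier rule (no direct business-to-control path). The following Python is an added example, not code from the original article; the zones, host addresses, conduits and service names (tcp/502 as a PLC polling service is an assumption) are constructed for illustration.

```python
"""Zone/conduit policy check for a three-tier ICS network. Added example,
not code from the original article; zones, hosts and services are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Conduit:
    """A permitted inter-zone connection, restricted to named services."""
    src_zone: str
    dst_zone: str
    services: FrozenSet[str]  # "proto/port" strings, as a packet filter would match them

# Constructed policy: every required interaction is written down explicitly and
# anything not listed is denied. There is deliberately no business -> control
# conduit; business users reach control data only through the DMZ historian.
# tcp/502 (Modbus/TCP) is assumed here only as a plausible PLC polling service.
CONDUITS: Tuple[Conduit, ...] = (
    Conduit("business", "dmz", frozenset({"tcp/443"})),  # users browse the historian
    Conduit("dmz", "control", frozenset({"tcp/502"})),   # DMZ collector polls PLCs
)
# Constructed host inventory; in practice this comes from the asset register.
HOST_ZONE = {"10.10.1.20": "business",  # office workstation
             "10.10.2.5": "dmz",        # historian / data collector
             "10.10.3.10": "control"}   # PLC

def zone_of(ip: str) -> str:
    return HOST_ZONE.get(ip, "unknown")

def is_permitted(src_ip: str, dst_ip: str, service: str,
                 conduits: Tuple[Conduit, ...] = CONDUITS) -> Tuple[bool, str]:
    """Decide whether a flow may cross a conduit. Anything unmapped is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src_zone, dst_zone):
        return False, "host not in inventory"
    if src_zone == dst_zone:
        return True, f"intra-zone ({src_zone}); host firewalls apply"
    matching = [c for c in conduits if (c.src_zone, c.dst_zone) == (src_zone, dst_zone)]
    if not matching:
        return False, f"no conduit {src_zone}->{dst_zone}"
    if any(service in c.services for c in matching):
        return True, f"conduit {src_zone}->{dst_zone} allows {service}"
    return False, f"conduit {src_zone}->{dst_zone} does not allow {service}"

def three_tier_violations(conduits: Tuple[Conduit, ...]) -> List[Conduit]:
    """Conduits that bypass the DMZ by linking business and control directly."""
    return [c for c in conduits if {c.src_zone, c.dst_zone} == {"business", "control"}]

def hole_count(conduits: Tuple[Conduit, ...]) -> int:
    """Each (zone pair, service) opening is one accepted exposure to track."""
    return sum(len(c.services) for c in conduits)
```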

Intrusion detection and prevention systems (IDPS)

These are systems that are primarily focused on identifying possible incidents in an ICS network, logging the information about them, attempting to stop them and reporting them to ICS security administrators. Because these systems are critical in an ICS network, they are regular targets for attacks and securing them is extremely important.

The type of IDPS technology deployed will vary with the type of events that need to be monitored.

Four classes of IDPS technology

  • Network-based IDPS monitors network traffic for particular ICS network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
  • Wireless IDPS monitors and analyzes wireless network traffic to identify suspicious activity involving the ICS wireless network protocol
  • Network behavior analysis IDPS examines ICS network traffic to identify threats that generate unusual traffic flows such as DOS attacks
  • Host-based IDPS monitors the characteristics and the events occurring within a single ICS network host for suspicious activity
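The behaviour-based blocking described for SCADA hardware firewalls above (an operator station suddenly trying to program a PLC) and the unusual-flow detection performed by network behavior analysis IDPS both reduce to comparing observed flows against a model of expected behaviour. The Python below is an added example, not code from the original article or from any product; the host roles, log format, action labels and sample log lines are constructed assumptions.

```python
"""Behaviour-based detection over constructed ICS flow records.
Added example, not code from the original article; host roles, the log
format and the action labels are assumptions for illustration."""
from collections import Counter
from typing import Dict, List
# Expected behaviour per host role. Operator stations read and write
# setpoints; only the engineering workstation may download logic ("program").
ROLE_ALLOWED = {"operator": {"read", "write"},
                "engineering": {"read", "write", "program"},
                "historian": {"read"}}
HOST_ROLE = {"10.10.3.21": "operator", "10.10.3.22": "engineering",
             "10.10.2.5": "historian"}
PLCS = {"10.10.3.10"}
# Constructed log, one flow per line: "<ts> <src> -> <dst> <action>".
# Record 4 is an operator station trying to program the PLC, record 5 an
# unknown host, and the trailing burst is a read flood from the historian.
SAMPLE_LOG = (
    "1 10.10.3.21 -> 10.10.3.10 read\n"
    "2 10.10.2.5 -> 10.10.3.10 read\n"
    "3 10.10.3.22 -> 10.10.3.10 program\n"
    "4 10.10.3.21 -> 10.10.3.10 program\n"
    "5 10.10.9.9 -> 10.10.3.10 read\n"
    + "".join(f"{6 + i} 10.10.2.5 -> 10.10.3.10 read\n" for i in range(30))
)

def parse(log: str) -> List[Dict[str, str]]:
    """Split each line into fields; malformed lines are skipped, not trusted."""
    records = []
    for parts in (line.split() for line in log.splitlines()):
        if len(parts) == 5 and parts[2] == "->":
            records.append({"ts": parts[0], "src": parts[1],
                            "dst": parts[3], "action": parts[4]})
    return records

def analyze(records: List[Dict[str, str]], rate_limit: int = 20) -> List[str]:
    """Return alarms for role violations, unknown hosts and per-source floods."""
    alarms = []
    for r in (x for x in records if x["dst"] in PLCS):
        role = HOST_ROLE.get(r["src"])
        if role is None:
            alarms.append(f"unknown host {r['src']} contacted PLC {r['dst']}")
        elif r["action"] not in ROLE_ALLOWED[role]:
            alarms.append(f"{role} station {r['src']} attempted '{r['action']}' "
                          f"on PLC {r['dst']}: block and alarm")
    # Unusual traffic volume per source: the signal behaviour analysis uses for DOS.
    per_src = Counter(r["src"] for r in records if r["dst"] in PLCS)
    for src, n in per_src.items():
        if n > rate_limit:
            alarms.append(f"{src}: {n} flows to PLCs exceeds {rate_limit} (possible DOS)")
    return alarms
```

Run against the constructed log, `analyze(parse(SAMPLE_LOG))` yields exactly three alarms: the operator station's program attempt, the unknown host, and the historian's flood; the engineering workstation's legitimate program download raises nothing.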