Author: Daniel Ehrenreich, SCCE
A cyber defense solution for the Distribution Management System (DMS) used by electric utilities must operate without interfering with the control process, so in practice it can be introduced only through incremental upgrades. Adding cyber defense therefore requires a detailed analysis of the hardware, the software and the application programs.
Control architectures in the past focused only on the operating process and paid no attention to cyber defense. Today, no one can deploy a DMS without built-in safeguards that assure the safety and reliability of the system. Before defining any cyber defense system, it is important to analyze the applicable threats and risks that may impair the proper functioning of the power grid. It is also important to remember that a cyber defense solution is only as good as the physical security of the central site and of each remote site: an attacker with physical access to a cabinet bypasses most network controls. The following are a few examples of applicable threats:
Malicious modification of operating parameters in substations.
Interruption of the disturbance and load monitoring processes.
Blocking the flow of information from remote sites to the DMS.
Irresponsible behavior of employees authorized to access remote sites.
Directly introducing malware into computers and field control devices.
Here are some examples of cyber defense measures that are particularly suited to a DMS:
Separation of the network into zones, with firewalls controlling the traffic allowed between zones. Connecting devices through managed switches (rather than unmanaged switches) makes it possible to control which ports and VLANs each device may use, which improves the security of every network connection.
Modern devices using stateful inspection track inbound and outbound sessions and the relationship between them, so that a reply that does not belong to an established session can be dropped without harming the control process.
Controlling electronic and physical access to field control devices and computers, by biometric and other means, before maintenance work is allowed to start.
Deployment of access control that authenticates the maintenance person and allows him to perform only the specific functions for which he has received explicit permission, and only within a predefined time window.
Deployment of an anomaly detection process, which is particularly suitable for a DMS because control traffic is highly repetitive. The detector learns the control process from traffic recorded while the system was known to operate correctly, and then reports any deviation from that baseline. This can help detect denial-of-service (DoS) conditions early. Because it does not depend on attack signatures, such a self-learning process can also detect the effects of attacks that exploit previously unknown vulnerabilities (zero-day vulnerabilities), although it reports deviations rather than preventing them, and every alert still has to be investigated.
For broadband networks it is important to secure the channels with authentication and encryption, for example by using a Virtual Private Network (VPN), in order to minimize the risk of eavesdropping, replay and man-in-the-middle (MitM) attacks. Note that a VPN protects the link only; it does not protect against a compromised endpoint on either side.
Application whitelisting, which allows only explicitly approved software to execute, is a well-suited procedure for preventing the installation of unauthorized software that might contain malicious code on any component linked to the DMS.
Collect event data from the DMS components (system logs, Syslog) and forward these events to the Security Operations Center (SOC), where they are correlated in order to generate alerts with a low false-positive rate.
Adherence to procedures and policies on the use of complex, regularly changed passwords, with unique credentials for each DMS computer or field control unit that connects to the network, so that one leaked password does not open every device.
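The anomaly detection measure and the Syslog-to-SOC measure above can be illustrated together. The following Python example is added here; it is not code from the original article or from any product. It learns a baseline (allowed source/destination/function combinations and the normal range of each data point) from messages recorded while the system operated correctly, flags live messages that deviate from it, and renders each alert as a syslog-style line for forwarding to the SOC. The message format, addresses, point names and values are constructed for the example and stand in for real DNP3 or IEC 60870-5-104 traffic.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Msg:
    """One control-protocol message, abstracted away from protocol framing.
    Field names and values are constructed for this example."""
    src: str     # sender address
    dst: str     # receiver address
    func: str    # operation: READ, WRITE, SELECT_OPERATE ...
    point: str   # data point (register) name
    value: float


@dataclass
class Baseline:
    flows: set = field(default_factory=set)     # allowed (src, dst, func) tuples
    points: dict = field(default_factory=dict)  # point -> (mean, stdev, sample count)


@dataclass(frozen=True)
class Alert:
    reason: str
    msg: Msg


def learn_baseline(recorded: list[Msg]) -> Baseline:
    """Build the baseline from traffic recorded while the system was known to
    operate correctly. Only what was observed during learning becomes 'normal'."""
    b = Baseline()
    samples: dict[str, list[float]] = {}
    for m in recorded:
        b.flows.add((m.src, m.dst, m.func))
        samples.setdefault(m.point, []).append(m.value)
    for point, vals in samples.items():
        b.points[point] = (mean(vals), pstdev(vals), len(vals))
    return b


def detect(b: Baseline, live: list[Msg], k: float = 3.0, min_band: float = 0.5) -> list[Alert]:
    """Flag messages that deviate from the baseline. A flow or point never seen
    during learning is an anomaly by definition; a known point is anomalous when
    its value lies more than k standard deviations (but at least min_band, so a
    constant-valued point still tolerates sensor noise) from the learned mean."""
    alerts: list[Alert] = []
    for m in live:
        if (m.src, m.dst, m.func) not in b.flows:
            alerts.append(Alert("unknown flow", m))
            continue
        if m.point not in b.points:
            alerts.append(Alert("unknown point", m))
            continue
        mu, sigma, _ = b.points[m.point]
        if abs(m.value - mu) > max(k * sigma, min_band):
            alerts.append(Alert("value out of learned range", m))
    return alerts


def to_syslog(a: Alert, host: str = "dms-ids") -> str:
    """Render an alert as a syslog-style line for forwarding to the SOC.
    PRI 129 = facility local0 (16*8) + severity alert (1); timestamp omitted."""
    m = a.msg
    return (f"<129>{host} anomaly: {a.reason} src={m.src} dst={m.dst} "
            f"func={m.func} point={m.point} value={m.value}")


# Constructed sample data: an RTU at 10.10.1.12 reports feeder load to the DMS
# at 10.10.0.5, and the DMS operates circuit breaker CB_12 (1 = closed, 0 = open).
RECORDED = [
    Msg("10.10.1.12", "10.10.0.5", "READ", "FEEDER_12_LOAD_MW", v)
    for v in (4.0, 4.2, 4.4, 4.6, 4.3)
] + [
    Msg("10.10.0.5", "10.10.1.12", "SELECT_OPERATE", "CB_12", v)
    for v in (1.0, 0.0, 1.0, 1.0)
]

LIVE = [
    Msg("10.10.1.12", "10.10.0.5", "READ", "FEEDER_12_LOAD_MW", 4.5),   # normal
    Msg("10.10.1.12", "10.10.0.5", "READ", "FEEDER_12_LOAD_MW", 12.0),  # implausible jump
    Msg("10.10.9.99", "10.10.1.12", "WRITE", "CB_12", 0.0),             # unknown host writing to the RTU
    Msg("10.10.0.5", "10.10.1.12", "SELECT_OPERATE", "CB_12", 0.0),     # normal breaker operation
    Msg("10.10.0.5", "10.10.1.12", "SELECT_OPERATE", "CB_13", 1.0),     # point never seen in baseline
]


def run_demo() -> list[Alert]:
    """Learn from RECORDED, then check LIVE; returns the three expected alerts."""
    return detect(learn_baseline(RECORDED), LIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(to_syslog(a))
```

The baseline must be recorded during a period that is known to be clean; anything an attacker does during the learning window becomes "normal". The unknown-flow check is the most valuable one in a DMS, since a new host or a new function code (for example a WRITE from an address that only ever issued READs) is almost never legitimate without a change record.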
Since today's cyber attacks are carried out by professional groups, some sponsored by hostile states and others by commercial organizations, the cyber defense challenge has become more complex. The conclusion is that special attention is required for the DMS, and that systematic investment is needed to secure the continuous supply of electric power for the well-being of the people, the industry and the service providers of the country.
Daniel Ehrenreich (BSc) is an independent consultant at Secure Communications and Control Experts (SCCE). Daniel has gained over 25 years of professional experience in the field of control systems for water, oil and gas, and electricity while working for Motorola, Siemens and Waterfall Security. Daniel presently consults for industrial firms on integrating control systems with cyber defense, publishes papers and lectures at conferences.