To meet cyber security concerns, software and hardware vendors, system integrators, and other stakeholders need to work with end users to achieve a secure supervisory control and data acquisition (SCADA) solution. The U.S. National Institute of Standards and Technology (NIST) offers the Cybersecurity Framework (“the Framework”) for systematically identifying the critical assets of the organization, identifying threats, and securing these critical assets. The Framework opens the door to partnerships that are more effective with cyber security prioritized so that the needs of the end user are fully met.
Cyber financial attacks such as the 83 million household and small-business records stolen from JPMorgan Chase Bank (Reuters, 2014) contribute to the 78% increase in financial impact of cybercrime in the past four years. In this same period, 40% of cyberattacks have been directed against energy companies (Siegel, Josh; Motorola Solutions, 2014). The U.S. government is focusing on the threat to the nation’s critical infrastructure such as our electric grid, oil and gas pipelines, water and wastewater treatment facilities, and transportation infrastructure like tunnels and bridges.
Executive Order (EO) 13636 addressed protecting the U.S. critical infrastructure against cyber intrusions while directing the agencies responsible for the elements of the infrastructure to share information. The NIST Framework can be used to systematically identify the critical assets of the organization, identify the threats, and secure the critical assets. It is based on risk assessment techniques including periodic reassessment with the goal of identifying and neutralizing a threat before it occurs, but also on recovery plans in the case of a successful attack.
The implementation of cyber security under the NIST Framework is ultimately the responsibility of the SCADA application owner and operator as it encompasses the entire system including the organization developing the SCADA application, the corporate networks, computers that it runs on, and the control devices and instrumentation attached to it. However, the implementation of security standards and the capabilities of the software to implement security processes are the responsibility of the SCADA provider.
Three security objectives
Three of the high-level security objectives of the modern electrical grid, or Smart Grid, are availability, integrity, and confidentiality. These objectives apply to SCADA systems in all segments whether or not they are part of the critical infrastructure. The IEEE 1815 Standard commonly known as Distributed Network Protocol 3 (DNP3) was originally developed without security included in an era when the notion of “security-by-obscurity” was realistic. In today’s connected world this is no longer acceptable, and Secure Authentication (SA) is an addition to the standard that provides for message authentication. The DNP3-SA version 5 (SAv5) released as part of the IEEE 1815-2012 Standard has a strong emphasis on addressing security concerns stemming from demonstrated vulnerabilities to denial of service (DoS) attacks. The standard is under constant review and updated to remain current to cyber threats.
Critical infrastructure security directive
In February 2013, with a growing awareness that cyber security is a critical defense against an attack that can potentially disrupt our power, water, communication, and other critical systems, President Barack Obama issued an EO on Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience. These policies reinforce the need for holistic thinking about security and risk management (Dept. of Homeland Security, 2013).
While these directives are focused on the U.S. critical infrastructure, there is a clear benefit of the approach when applied to other SCADA infrastructures.
NIST Model for Cybersecurity
The Framework enables organizations—regardless of size, degree of cyber security risk, or cyber security sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. The Framework provides organization and structure to multiple approaches to cyber security by assembling standards, guidelines, and practices that are working effectively in industry. Moreover, because it references globally recognized standards for cyber security, the Framework can also be used by organizations located outside the U.S. and can serve as a model for international cooperation on strengthening critical infrastructure cyber security (NIST, 2014).
IEEE 1815 (DNP3) Secure Authentication
DNP3 was designed originally without secure authentication. It is a protocol used extensively in North American substations, oil and gas pipelines, water and wastewater treatment, and transportation infrastructure. This makes it impractical to replace all of the DNP3 devices with embedded security. Instead, the standard has taken the approach to improve secure authentication to an application-to-application level.
DNP is designed to run over a variety of networks, even traversing serial links over radio and Internet Protocol (IP) networks in the process of traveling from the sender to the receiver. For this reason, it is not sufficient to secure only the network, but, in fact, the message itself must be secured, which must be done at the application layer.
The mechanism used by DNP3-SA is an added Hashed Message Authentication Code (HMAC) to the message to verify its integrity. This HMAC uses a cryptographic hash based on the NIST and information security office (ISO) Secure Hash Algorithm (SHA), which requires a shared key to decode. This approach is not based on encryption, rather it is based on verifying the sender of the message with assurance that the message has not been tampered with. An attacker can see the message since it’s not encrypted, but he or she cannot tamper with it or send unauthorized messages without the key.
Three network security types
There are three types of security that are commonly used in communication networks. These are site-to-site (such as virtual private networks (VPNs)), device-to-device (transport layer security (TLS)), and application-to-application (SA). All of these types of security can be deployed simultaneously for full protection. The reason that one type is not enough is illustrated by considering a VPN.
While VPN routers and protocols such as IPSec secure the link between two physical locations, it does not secure the networks at those locations leaving open the possibility that hacking into one network gives access to the other. TLS secures the complete transmission control protocol (TCP) connection and is used in banking transactions today, but the difference to the SCADA environment is that it only works on the IP networks; so if the DNP is crossing a serial link there is a vulnerability (Grant Gilchrist; EnerNex, 2014).
In developing SAv5, the operation of DNP3-SA has been reviewed by independent external security experts. A number of features were identified as being potentially vulnerable. Additionally, the Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG) has a set of security criteria that must be met to permit IEEE 1815 to be adopted as a recommended standard for use in the Smart Grid. Some modifications that appear in SAv5 were included to meet SGIP security requirements (DNP3 Users Group, 2011).
Edward Nugent is business development director, PcVue Inc. Courtesy: PCVueSAv5 has several changes that reduce the impact of denial of service attacks responsible for the buffer overflow issue on the Idaho National Lab’s Top Ten List. Although DNP3-SA HMAC ensures that no unauthorized party can successfully communicate to a DNP3 device, the sending of improper HMAC creates a large amount of traffic in response to the bad message. Nearly half of the categories of changes in the SAv5 aim to reduce DoS impact.
To ensure cyber security concerns are met, it’s vital to work in partnership with end users to achieve a secure SCADA solution. The NIST Framework opens the door to partnerships that are more effective with prioritized cyber security so that the needs of the end user are fully met.
– Edward Nugent is business development director, PcVue Inc.; edited by Mark T. Hoske, content manager, CFE Media, Control Engineering, mhoske@cfemedia.com.
Key concepts
- U.S. National Institute of Standards and Technology (NIST) offers the Cybersecurity Framework.
- Identify critical assets of the organization, identify threats, and secure critical assets.
- Common vulnerabilities can be identified, fixed, and shared.
- Standards are helping cyber security efforts.
References
- U.S. states ask JPMorgan Chase for security data as they probe hack, Reuters, Jan. 14, 2015, 2:54 p.m. EST.
- Dept. of Homeland Security, Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity, Presidential Policy Directive (PPD)-21 Critical Infrastructure Security and Resilience.
- DNP3 Users Group. “Further Information Regarding the Release of DNP3 Secure Authentication Version 5 (SAv5).” 2011.
- Grant Gilchrist, EnerNex. “Key Management Options for DNP3 Secure Authentication,” in Distributech Conference, 2014.
- Idaho National Laboratory. “Vulnerability Analysis of Energy Delivery Control Systems.” 2011.
- Information Technology Security Council (ITSC) Utility Security Council (USC), Utility and Smart Grid Security, The Impact of NERC CIP Standards and NISTIR 7628 to the Utility Industry, D. Jin, D.M. Nicol, and G. Yan. “An Event Buffer Flooding Attack in DNP3 Controlled SCADA Systems,” in Proceedings of the 2011 Winter Simulation Conference, 2011.
- National Institute of Science and Technology, NIST Cybersecurity Framework.
- Josh Siegle, Motorola Solutions. “Cyber Security for SCADA and ICS Systems,” in Entelec Fall Seminar Series, 2014.
- Wenye Wang and Zhuo Lu. “Cyber Security in the Smart Grid: Survey and Challenges,” Survey Paper, Elsevier Computer Networks Journal, January 2013.
Created on: 16 May 2017