Secure Energy Supply

Secure Process IT

Like other aspects of our daily life, the energy supply is extremely dependent on information technology. Without fast acting control systems, continuous and high quality energy supply is near impossible to achieve. Yet the heavy reliance on computer systems also results in new threat scenarios: cyber attacks on energy suppliers now occur on a daily basis.

In the last two decades, the requirements related to electric transmission and distribution grids have significantly changed. The cross-border power exchange on the transmission level has notably increased. The growing penetration of the grid by renewable power infeeds requires new and fast-acting solutions. These enable loss-minimized operation of the transmission and distribution grid which optimally utilizes the available equipment and optimizes the infrastructure investments. At their core, these solutions are based on deploying innovative information and communication technologies.

As the events of the past years have shown, these are often vulnerable and susceptible to attacks. Therefore securing the critical infrastructure which includes the energy supply is absolutely necessary and also became required by law in the meantime.

In the German-speaking countries, the term "IT security" is now frequently used. However, network control systems are not IT systems but OT (operational technology) systems. Gartner defines the following: "OT consists of hardware and software which by direct monitoring and/or control detect or make changes in physical devices, processes, or events in the corporate environment." For this reason, the term "cyber security" is commonly used internationally which applies to both IT systems and OT systems.

The security in a connected system is always determined by the system with the weakest security features. Therefore, the installed security systems must comply with general regulations and standards. Consistent application of these ensures a minimum security standard.

Security standards

Internationally, two groups of standards for information security of control systems are dominating: NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) and ISO 27001 with the respective best practices and implementation guidelines.

The applicable standard is mainly determined by the geographic location of a company. Both systems describe the measures which are required for securing the critical infrastructure. The NERC standard focuses more on a process view whereas the ISO standard focuses more on a technical view. However, the technical requirements of both standards are essentially very similar and in general even identical.

In Germany and Austria, the ISO 27001 standard as detailed by the BDEW/OE document is today used as the basis for cyber security measures. In the relationships between control system supplier and customer as well as between customer and regulating agency, this interpretation is usually used as the basis for audits. In general, these audits are performed by an independent consultant or a test organization.

The PSI products used in electric and multi-utility control system environments (PSIcontrol, PSIcommand, PSIprins, PSIgridmobile, PSIsaso, PSIsmartcharging, and others) fully comply with the current BDEW whitepaper requirements as well as the NERC CIP regulations. Cyber security is already seamlessly integrated and an inherent part of the design. The realization of the design into software complies with defined security requirements in order to eliminate any security threats during the system implementation.

Based on specific requirements, the features available in the standard system can be expanded by additional packages for the control systems as well as substations. This ensures that customer, industry, or regional requirements can be integrated in the required technical scope of functionality.

Cyber security basic package

Horizontal and vertical network segmentation

Today, cyber security has evolved into a field of its own. The documentation of the security properties of a PSIcontrol system alone far exceeds the length of this article and would require a book of its own. Therefore, only a few key properties are briefly highlighted in the following.

The major cyber security requirements can be summarized in a few key requirements. The system components which have not been directly designed for use in critical infrastructures require special focus. These certainly include the hardware and the operating systems.

PSI systems are always supplied as "hardened systems". Operating systems are used only with the smallest technically possible installation which includes only the required programs and services. For example, all unnecessary hardware interfaces are disabled in software as part of the parameterization, and if required, are also physically disabled.

The hardware and operating system of the PSI systems provide exactly those services which are needed by the application software system. Depending on the operating system, trade-offs may be required. Therefore, the selection of the hardware and the operating system is particularly important. In general, PSI uses standard i86 hardware and Linux operating systems. In comparison to other widely used operating systems which are focused more on office environments, Linux can be optimally adapted to the security requirements of critical infrastructure.

From Bond with love ...

Not only James Bond but also cyber security works on a "need-to-know" basis. PSI systems apply the "minimal need-to-know" principle. This requires a role-based user administration which controls the access to data and functions. The login is usually based on two-factor authentication using a password and an additional factor such as a code card or code generator.

For the realization of "RBAC" ("Role Based Access Control"), the user administration of the PSI systems uses LDAP, which is used worldwide. This enables the system administrator to associate users with roles for granular control of the access rights via a convenient user interface.

Of course, the location at which the data and functions of a system are accessed is also important. As we know "first-hand" from the movies, the above-mentioned James Bond would not converse about secrets in a phone booth using a non-secure phone connection.

Stand-alone central LDAP systems have the disadvantage that after failure of the central servers, logins are no longer possible. For this reason, PSI uses replicating parallel instances of the LDAP system to ensure that logins remain possible even when the central server is temporarily not available. At the same time, the system-inherent capabilities of the distributed PSIcontrol system with its unique fault tolerance are fully supported.

Effective defense against attacks

Already in the middle ages, sophisticated construction techniques were used in castles to thwart attackers. The castle builders realized defined defensive zones to protect the inner castle, the keep. The different areas of the castle were connected by secure passages. Only guarded gates provided access to other parts of the castle.

The same principle is used today in modern systems. In order to prevent system intrusions by unauthorized persons and to simultaneously provide the extensive connectivity required by modern control systems, the PSI systems are divided into different security zones which are separated from each other and the outside world by firewalls.

PSI systems are divided into one or - in case of distributed systems - several "core zones" and "demilitarized zones" (DMZ). The core zone must not have a direct connection to the outside world. All connections are terminated in a DMZ; for information forwarding, separate connections are used.

In addition to the firewalls for securing communication between zones, so-called "intrusion detection" and "intrusion prevention" systems (IDS/IPS) are running directly on the firewalls or as separate systems. They detect and prevent intrusions into the systems.

In addition to the firewalls for each zone, host-based firewalls are used on all servers.

Today, the monitoring and control of supply processes is mainly based on RTUs and wide-area networks. To ensure secure communication, IEC 104 proxy systems can be used here. In addition to the proxy function, they also provide "next generation firewall" functions.

The IEC 60870-5-104 communication with the substations can be based on IPsec tunneling or on IEC 62351-3 secured connections. The received telegrams are individually analyzed (so-called "deep packet inspection") and made available for further processing and forwarding. Processing and forwarding only known telegrams results in increased security. In parallel, a (D)DoS protection mechanism is implemented.
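As an added illustration of the telegram filtering described above (example code, not PSI's proxy implementation), the following Python sketch parses the IEC 60870-5-104 APCI/ASDU header and forwards only telegrams whose type ID and cause of transmission appear on a per-direction allowlist; the allowlist policy, the direction names and the sample frames are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

START = 0x68

# Constructed allowlist policy, per traffic direction: type ID -> permitted causes of transmission.
# from_rtu (monitoring direction): M_SP_NA_1 (1), M_ME_NF_1 (13), M_SP_TB_1 (30), M_ME_TF_1 (36)
# to_rtu (control direction): C_SC_NA_1 (45), C_IC_NA_1 (100); COT 6 = activation, 8 = deactivation
POLICY = {
    "from_rtu": {1: {3, 20}, 13: {3, 20}, 30: {3}, 36: {3}},   # COT 3 = spontaneous, 20 = interrogated
    "to_rtu": {45: {6, 8}, 100: {6, 8}},
}
U_FUNCTIONS = {0x07, 0x0B, 0x13, 0x23, 0x43, 0x83}  # STARTDT/STOPDT/TESTFR act and con

@dataclass
class Verdict:
    forward: bool
    reason: str
    frame: str = ""                # "I", "S" or "U"
    type_id: Optional[int] = None
    cot: Optional[int] = None

def inspect_apdu(apdu: bytes, direction: str) -> Verdict:
    """Parse one APDU and decide whether the proxy may forward it."""
    # APCI: start octet, length octet (bytes that follow it, max 253), four control octets
    if len(apdu) < 6 or apdu[0] != START:
        return Verdict(False, "not an IEC 104 APDU")
    if apdu[1] > 253 or apdu[1] != len(apdu) - 2:
        return Verdict(False, "length octet does not match frame")
    ctrl = apdu[2]
    if ctrl & 0x01 == 0:           # I-format: carries an ASDU after the APCI
        asdu = apdu[6:]
        if len(asdu) < 6:          # type ID, VSQ, COT (2 octets), common address (2 octets)
            return Verdict(False, "ASDU header truncated", "I")
        type_id, cot = asdu[0], asdu[2] & 0x3F   # mask the test (bit 7) and P/N (bit 6) flags
        allowed = POLICY.get(direction, {})
        if type_id not in allowed:
            return Verdict(False, f"type {type_id} not allowed {direction}", "I", type_id, cot)
        if cot not in allowed[type_id]:
            return Verdict(False, f"COT {cot} not allowed for type {type_id}", "I", type_id, cot)
        return Verdict(True, "known telegram", "I", type_id, cot)
    if len(apdu) != 6:             # S- and U-frames consist of the APCI only
        return Verdict(False, "S/U frame with payload")
    if ctrl & 0x03 == 0x01:        # S-format: receive-sequence acknowledgement
        return Verdict(True, "S-frame", "S")
    if ctrl in U_FUNCTIONS:        # U-format: unnumbered control function
        return Verdict(True, "U-frame", "U")
    return Verdict(False, "unknown control field")
```

Anything the inspector rejects (unknown type, wrong direction, malformed length) is dropped rather than forwarded, which is the "only known telegrams" behaviour the paragraph describes.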

Respond quickly with remote access

Principle of remote access and ICP server

In case of problems, critical infrastructures require fast responses by the operator and the manufacturer. In critical situations, the 24-hour on-call service uses "remote maintenance access" which allows remote monitoring and analysis of parts of the control system as well as active assistance if needed.

For this purpose, PSI operates its own remote maintenance system which complies with the increased security requirements for critical infrastructures. Access to the system is permitted only in coordination with the on-site customer security administrators and is performed only by staff with security clearance.

Cyber security compliance also implies that the systems are continuously improved in terms of resolution of known problems. The "update service" ensures that all known issues of the system are resolved regardless of the customer who reported the issue.

Patches which are incremental changes of the installed software are made available for this purpose. Patches cover the application software as well as the operating system and possibly installed third-party software such as a relational database management system.

For this reason, all PSI systems include an "Install, Configure, and Patch" (ICP) server. This meets the requirements of the BDEW whitepaper as well as NERC CIP. For every system, the complete application system including the necessary parameters is maintained in a version management system both on site and at PSI. This allows creation and installation of new software versions as well as restoration of older versions (which can be stored in a repository) if needed. ICP ensures that all systems with the same type such as workplaces or database computers are always installed identically. Even the sequence of the patch installation is identical. This facilitates and accelerates troubleshooting in case of emergencies.

The entire chain from the repositories at PSI to sending to, and storing in, the local version management system as well as the installation is based on secure communication. A complete "chain of custody" including individual transaction security is supported by default.

Expansion package for increased IT security

Additional security mechanisms beyond the BDEW whitepaper requirements are available in the PSIsecure expansion package. Systems like virus scanners operate on knowledge of the past, meaning they scan for known critical patterns. If such patterns cannot be detected, for example because the malware is too new, then other measures must be taken. "Application whitelisting" is such a measure. Whitelisting permits using only programs and files which are known and have been checked against specific criteria.

All messages and events which are relevant in terms of cyber security are logged in the PSI systems. The logging is based on "documents" which cannot be modified. In case of large or multiple systems, it may be useful to analyze all security messages in the system in order to detect attack patterns and to initiate countermeasures. The "Security Information and Event Management" (SIEM) is such a central platform for collection, detection, processing, and reporting of security events. A SIEM which can be integrated in PSIsecure provides functions such as data collection, correlation and alerting, reporting, archiving, and compliance checks.

Firewalls control the data communication. Using next-generation firewalls significantly expands this simple control mechanism. Next-generation firewalls completely analyze the data communication. The analysis uses "deep packet inspection" as already mentioned above in the IEC 104 proxy context. For example, it supports rules on the application level and even the user level. PSIcontrol supports this inspection by clearly documented data formats.

However, it must also be understood that there is no absolute cyber security, now or in the future. Absolute security is not possible. The battle between attackers and defenders is continuous, and interruptions are usually only temporary. This neck-and-neck race requires continuous improvements to ensure ongoing protection of the control systems and the entire IT infrastructure.

The design, ongoing improvement, and long-term security of the system are the main tasks for control system manufacturers. PSI and its team of cyber security specialists respond to this need by developing cutting-edge technology and solutions.