The Continuing Gap in Control System Cybersecurity of the Electric Industry
image credit: © Guruxox | Dreamstime.com
- Apr 29, 2020 5:01 pm GMTApr 28, 2020 3:58 pm GMT
- 1697 views
This item is part of the Special Issue - 2020-04 - Cybersecurity, click here for more
I helped start the control system cyber security program for the electric industry in 2000 while at the Electric Power Research Institute-EPRI (I left EPRI in 2002). The program was based on three pillars – physical security (”guns, gates, and guards” which already existed), network security (needed to be addressed by the IT community), and control system cyber security (which can only be addressed by the control system community including the electric utilities). The program was about “keeping lights on and water flowing”. Keeping Internet Protocol (routable) networks available was not the ultimate goal.
When we started the program in 2000 there was little understanding about cyber security beyond it being an “e-mail problem”. There was, and continues to be, little buy-in of cyber security by the substation and power plant communities. Moreover, cybersecurity policymakers, including in the NERC CIP process, have assumed that control systems are simply another type of IT infrastructure and, therefore, IT policies, technologies, training, and testing methodologies apply. This is also why much of the current focus is on the Human Machine Interfaces-HMIs (Windows) rather than the actual control systems. There have been numerous cases where IT security policies, procedures, technology, and/or testing have impacted control system operation, sometimes actually damaging control systems. Moreover, keeping the focus on the HMIs have left the unsecured control syetem devices unmonitored for cyber security.
The NERC CIP process changed the face of cyber security in the electric industry. The overwhelming positive of the NERC CIPs was getting management attention to the concept of cyber security. However, the ultimate goal changed from keeping lights on to keeping the networks available – these are not the same. Moreover, the CIPs became a compliance exercise staffed with compliance and network security experts, not grid and power plant experts. This has significant implications for the ultimate goal of keeping the grid reliable, available, and safe.
The NERC CIPs have several very significant limitations for protecting the grid:
- The most critical aspects of grid and power plant reliability and safety come from the field control system devices such as process sensors (e.g., pressure, level, flow, temperature, voltage, current, etc.), drives, actuators, power supplies, etc. yet, these devices have no cyber security, authentication, and generally rely on lower level, non-routable protocols. Unfortunately, these critical devices and networks are out-of-scope for NERC CIP compliance. As an example, a utility connected THOUSANDS of process sensors to their corporate network and from there to the Internet. That was not considered a NERC CIP violation.
- The NERC CIPs assume a cyber attack will be identifiable in an expeditious manner. However, the cyber attack of a petrochemical plant in Saudi Arabia demonstrated that it may not be possible to detect a cyber attack capable of shutting down a facility. Morever, there have been numerous cases in the North American electric industry where control system cyber incidents went undetected for months. It may be difficult to identify a cyber incident as being malicious as the only difference between a malicious attack versus an unintentional incident may be the motivation of the person involved. Additionally, control system cyber forensics are minimal at best .
- The NERC CIPs are focused on malware rather than physics issues. Yet, the physics issues can bring the grid down for months without having to resort to using malware.
These are not idle considerations as control system cyber impacts are real. There have been more than 1,200 actual control system cyber incidents to date, with more than 1,500 deaths and more than $70 billion in direct damages. The impacts include pipe ruptures, refinery explosions, train crashes, plane crashes, and major electric outages. Specifically, there have been more than 300 control system cyber incidents in the North American electric grid including 5 major outages each affecting at least 95,000 customers. All were caused by electronic communications between control systems and devices.
What needs to be:
- Governance changes need to mandate that engineering management and technical staff participate in control system cybersecurity along with CIO/CISO and IT/OT network security staff;
- Recognize and address the most dangerous control system cyber attacks are those that manipulate physics. This requires engineering-domain expertise to identify and respond to these types of issues;
- Training is needed for the substation and plant engineers to recognize when upset conditions might be cyber-related; and
- Adequately address field control system devices in control system cyber security policies and procedures including supply chain.