Cybersecurity: A Systems Approach through STAMP
image credit: Credit: MIT Study
- Apr 8, 2020 4:02 pm GMT
- 488 views
In 2015, Russian hackers gained access to Ukranian utility networks and manually switched off power to electrical substations. Hackers were back in 2016, when malware took down a fifth of the country’s national capital’s grid.
As grids become increasingly automated, both attacks brought home the importance of putting robust cybersecurity practices to protect control systems. They also emphasized the rapidly evolving nature of such attacks. Earlier, cyberattacks were targeted at IT infrastructure. With the rapid advance of algorithms through utility infrastructure, however, operational technology has also become fair game. For example, the 2016 malware disabled a Siemens digital relay, preventing access to circuit breakers.
But the view from the grid trenches is not particularly encouraging. A Siemens survey of utilities at the end of last year found that utility checklists and processes for cyber hygiene are aimed at satisfying regulatory mandates for cybersecurity instead of being based off a comprehensive assessment of their internal operations and systems. Cybersecurity investments also tend to prioritize protection of high-value assets, meaning their focus is on ensuring that the most expensive equipment is not damaged or taken offline during an attack. Given the constraints on spending for utilities, that focus makes sense from a financial perspective. But it leaves other assets and infrastructure vulnerable to attacks.
Overarching these problems is an approach based on prevention of cyberattacks rather than containing their impact. That approach is a carryover of traditional information security (IS) practices in which redundancy is introduced into systems to make them immune to attacks. But grid systems are a heterogeneous combination of operational and information technology. In fact, data center servers are below transformers in the equipment hierarchy for utilities. What’s more, control elements within the grid system are both automated and manual.
How then should one design a cybersecurity strategy for such systems?
A Systems Approach to Cybersecurity Planning
An MIT study released earlier this year proposes an answer to that question by defining an approach known as Systemic - Theoretic Accident Model and Processes (STAMP). That might sound like a mouthful but it is actually not very different from current approaches in its application. The STAMP process distinguishes itself from other cybersecurity practices by treating control systems in a utility’s operations as a single entity and mapping interdependencies between components to find linkages between different pieces. In turn, this helps identify critical components and pieces essential to functioning in case of an attack.
The STAMP process begins with defining critical functions necessary for the functioning of a control system. These functions are defined as those losses or hazards that are most critical to the success of the mission or goal of a target system. Thereafter, control loops are refined to simulate various error scenarios.
As an example, consider the diagram above that identifies and evaluates various reasons that might lead to an unsafe AVR command. The erroneous inputs could be generated as a result of human or machine error and cascade down the loop and contribute to a system hazard at the grid level. A subsequent causal analysis reveals contributing factors to the system breakdown. Again, these factors can be a combination of human and machine-generated errors and a post-damage analysis determines the best course of action, whether it is in terms of communication channels or introducing redundancies or checks into the system.
The authors claim that the STAMP approach can result in considerable cost-savings. For example, the introduction of a $6,000 relay helped prevent damage to $11 million worth of transformer equipment based on the results of their study.
Evaluating the STAMP approach
To be sure, the STAMP approach is not novel thinking. Variants of this approach have been used in different industries and are found in disaster recovery literature and planning strategies. But the paper’s authors claim that this is the first such instance of its application to the utility industry.
The case study’s example is an interesting one. This is primarily because, along with policy and process changes, the approach suggests introduction of redundancy into the system to mitigate the impact of a cyber attack. That redundancy takes the form of the relay mentioned earlier. There are two implications to this.
The first one is on costs. While it may save on expensive breakdown costs, the STAMP process also itself inflates operational costs for utilities. For large utilities, which have expensive asset and infrastructure management budgets, those costs could be considerable.
The second one is on operations. The study does not consider the impact of regulation on the STAMP approach. Various federal and regulatory agencies have started policing cybersecurity practices at utilities. The STAMP approach does not obviate the need for traditional information security practices. It complements and adds to them for effective cyber security practices. But the flip side might be an increase in regulatory overhead.
Does the introduction of new processes and equipment have any effect on compliance measures related to cybersecurity? For example, how might the STAMP approach work with NERC’s Critical Infrastructure Protection (CIP) standards? These questions become important when you consider the prospect of a complex, interconnected renewable energy-powered grid in which the number of interconnections between regions multiply.
For all its drawbacks, however, the research takes conversations about cybersecurity in a holistic direction. As utilities increase their spending on cybersecurity practices, they are also looking for efficiencies. Those efficiencies mainly take the form of automation. But Robotic Process Automation (RPA) involves tradeoffs. Even as it reduces costs, RPA increases reliance on machines for control systems. Through its holistic approach, STAMP can help instigate a vital balance between humans and machines during moments of crisis.