
Security Model and Framework for Cloud Migration

Posted to Owl Cyber Defense in the Digital Utility Group
Brian Romansky, Chief Innovation Officer, Owl Cyber Defense

Oct 27, 2021

This item is part of the Special Issue - 2021-10 - Advances in Utility Digitalization.

Introduction

Utilities provide a unique environment for the utilization of Cloud Services.  The mix of secure critical infrastructure and less-secure distribution systems, the lack of a consistent regulatory structure beyond NERC-CIP, the lack of integration and interoperability between the OT/IT environments, the skill set chasm between the OT and IT support organizations and the attempt to determine where to utilize Cloud Services within the context of the Purdue Model are just a few of the critical issues facing Utilities.

What is often overlooked is that these issues have created a strange dance between security professionals, Utilities, and the regulatory bodies. Until all three come to the table to understand their strengths and weaknesses, risk and probability, and operational impact, NERC will keep pushing new CIP regulations. Utilities will keep adopting a compliance-based security methodology and security practitioners will continue the hyperbolic conversations of what could happen next (Russian hackers turning off our power generation systems). Ultimately, nothing concrete will be done. 

While it is not feasible to adequately discuss all the key issues in a single paper of this length, the purpose of this document is to introduce some of the challenges implicit in Utility Distribution Systems (which are often outside of the regulatory purview of NERC-CIP) and the Best Practices that a Utility should implement to modernize and secure its Distribution Systems facilitating the use of Cloud Services.  The document will also present a Model Architecture which adopts these Security Best Practices on Cloud-based infrastructure.

Electrical Distribution Utility Challenges

Some of the key challenges that the industry is facing today are:

  • Technology - Aging infrastructure, managing the asset register of thousands of assets, managing fluctuating demand, managing outages

  • Cost - Managing cost in the ever changing economy and increasing base cost

  • Customer Expectation - Customer expectation in terms of reducing the cost of supply and retail customer pressure

  • Digitalization - Digital journey with current infrastructure challenges and continual adapting with aging workforce and loss of critical skillsets

  • Decentralized Management - Utilities are becoming more decentralized due to their rising reliance on distributed generation, storage, and flexibility services.

  • Cybersecurity - Increased remote measurement and control is leading to an increased attack surface, while at the same time an expanding cyber security crime syndicate continually surprises with the boldness of their attacks.

Mitigating Technologies

Key technologies that are driving disruption in the industry are:

  • Digital Twin - Methods to predict asset failure or identify outage risks and to manage energy reliability and quality. Utilities can “deploy” the most risk-intensive forms of analytics (predictive modeling, machine learning (ML), and artificial intelligence (AI)) without taking on much actual risk.

  • AR/VR - AR/VR technology superimposes digital information on the 3D model and equipment videos for outage management. As the industry is facing aging workforce challenges, AR/VR technology shall be used for training the resources with the tacit knowledge of the knowledge workers.

  • Blockchain - Blockchain, with its ability to manage smart contracts, has the potential to support the distributed trading system and handle the complex commercial arrangements between different parties on the energy market

  • Machine Learning - Integration of adaptive learning systems can help interpret, correlate and pinpoint the type of outage with precise location information.

  • AI services to customers – Artificial intelligence (AI) services will simplify and enhance interaction with customers through transparency of power usage, outage information etc.

Cybersecurity in the Digital Distribution Network

The risk of data breaches, and the rise in threats to security systems, means a security compliance framework is vital. Our approach recognizes this, and we have robust testing measures in place to ensure that requirements such as data security and identity & access management are captured and built as part of the application by using frameworks such as NIST, DHS, IEC 62443 and ISO27000.

During implementation of security controls it is very important to set up a security governance structure to ensure operational, regulatory and utility policy is appropriate and followed. This includes information receipt, triage, and escalation & remediation. Common procedures include the organization structure of the Cyber Incident Response Team, team structure, RACI, and a step-by-step process: Preparation → Containment → Eradication → Recovery → Report. It is also recommended that asset owners maintain situational awareness of information on known vulnerabilities based on the make, model and type of the device.

Sample Cyber Secured Reference Architecture

Best practices for architecting a distribution network:

  • Developing security policies, procedures, training and educational material that apply specifically to the Industrial Control Systems comprising SCADA, RTU, PLC, etc.

  • Considering ICS security policies and procedures based on the System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.

  • Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.

  • Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

  • Providing logical separation between the corporate and ICS networks (e.g., inspection firewall(s) between the networks, unidirectional gateways).

  • Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).

  • Ensuring that critical components are redundant and are on redundant networks.

  • Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.

  • Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.

  • Restricting physical access to the ICS network and devices.

  • Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).

  • Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).

  • Applying security techniques such as validated cryptographic controls (encryption / signatures / integrity checks – FIPS 140 validated) to ICS data storage and communications where determined appropriate.

  • Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.

  • Supply Chain Integrity Controls to ensure a software library and software integrity are maintained for all assets

  • Supplier vulnerability disclosure and incident response programs are in place through a qualified supplier program

  • Strict adherence to regulatory cyber security requirements

  • Tracking and monitoring audit trails on critical areas of the ICS.
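
One way to check the logical-separation and DMZ practices above against a firewall rule export, as an added example that is not part of the original article. The zone address ranges, rule names and the tuple format are constructed assumptions; broad rules such as "any" are treated as touching every zone they overlap.

```python
import ipaddress

# Constructed zone plan (assumption): address ranges are illustrative only.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed firewall rules: (name, source, destination, action).
SAMPLE_RULES = [
    ("historian-replica", "10.30.5.10/32", "10.20.0.15/32", "allow"),   # ICS -> DMZ
    ("corp-reads-replica", "10.10.0.0/16", "10.20.0.15/32", "allow"),   # corporate -> DMZ
    ("vendor-shortcut", "10.10.4.7/32", "10.30.5.0/24", "allow"),       # corporate -> ICS
    ("legacy-any", "any", "10.30.0.0/16", "allow"),                     # any -> ICS
    ("default-deny", "any", "any", "deny"),
]


def zones_touched(spec):
    """Return the set of zones whose address range overlaps a rule endpoint."""
    net = ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def audit_rules(rules):
    """Flag allow rules that open a corporate<->ICS path that bypasses the DMZ."""
    findings = []
    for name, src, dst, action in rules:
        if action != "allow":
            continue
        src_zones, dst_zones = zones_touched(src), zones_touched(dst)
        # A rule bridges the zones if its source can be in one and its
        # destination in the other, even when written as a wide supernet.
        if "corporate" in src_zones and "ics" in dst_zones:
            findings.append((name, "corporate->ics"))
        if "ics" in src_zones and "corporate" in dst_zones:
            findings.append((name, "ics->corporate"))
    return findings


if __name__ == "__main__":
    for rule_name, path in audit_rules(SAMPLE_RULES):
        print(f"direct path without DMZ hop: {rule_name} ({path})")
```
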

Best Practices for Ensuring Cyber Secured Infrastructure

Comprehensive integration of people, process and technology is necessary for defense-in-depth implementation on the infrastructure.

People

  • Secure - Evaluate employees and vendors for potential cyber risks. This includes screening for malicious actors, engaging the supply chain procurement function to ensure suppliers follow applicable security practices, and performing supplier consolidation.

  • Vigilant - Implementing security awareness training for all the employees of the organization based on their roles and responsibilities by creating a value stream and competency matrix.

  • Resilient - Developing a comprehensive incident response system and forensic training for the key IT & OT personnel to reduce the impact and prevent future incursions through constant drills where key suppliers and partners are also involved.

  • Risk Mitigation - Conducting risk-based analysis of the critical personnel and creating do's and don'ts for each category of user.

Process

  • Secure - Restricting and documenting access policies for the OT and high-risk systems that have cyber-physical interfaces. Unique criteria shall be used for each system based on criticality and impact analysis.

  • Vigilant - Designing triage protocols to systematically identify potential cyber incidents and assess the severity, which shall include incidents occurring from attacks and advanced planning for mitigation.

  • Resilient - Expanding management of change to include the impact of cyber-attacks on operational and business systems and preparing for attacks on key third-party partners.

  • Risk Mitigation - Defining device and network hardening policies such as patch management, security updates, and real-time monitoring of the firewall and other network components. Creating rules for remote access through the secured internal network and also policies for monitoring and managing remote changes.

Technology

  • Secure - Performing business IT & OT network segmentation, and also OT network segmentation to create isolation among high-risk processes and plant IoT infrastructure. Identifying software necessary to run the operations and performing tracking by using Blockchain.

  • Vigilant - Deploying automated asset & services inventory and threat intelligence tools for continuous monitoring and managing anomalies and potential breaches in the network & devices, and performing advance mitigation planning.

  • Resilient - Building redundancy in the key processes through duplication of physical equipment, cyber/physical interfaces, and backup of the software. Identifying alternate technologies and partners in the event the primary supplier is attacked.

  • Risk Mitigation - Integrating IDS & IPS systems and monitoring the devices and network interfaces. Performing scheduled risk assessment and vulnerability assessment & penetration testing (VAPT) on all the cyber/physical interfaces and devices connected to these interfaces.

The Cognizant Apex on-premises and cloud platform provides the following capabilities for continuous monitoring and management of the communication network & power; any change in the information shall provide early detection of the event occurrence. Below are a few of the features of the Cognizant solution:

  • Device Enrolment & Provisioning: Provides individual and bulk enrolment of devices with certificates/keys. It also provides certificate management functionality and integrates with Azure Key Vault.

  • Device Management Service: Provides typical device management functionalities, which includes enable / disable devices, device metadata handling, device search and query.

  • Roles and Permission Service: Provides role-based functionality, permission & mapping management. Maintains a multiple-level customer hierarchy. Comes with a client SDK that can be consumed in business services. Integrates with enterprise identity providers on OAuth standards.

  • Device Agent: Provides configuration driven ability to send telemetry messages to the IoT Hub.  The agent performs device twin update, health reporting, receives messages from IoT Hub and handles direct methods. It facilitates device provisioning.

Security vs. Functionality Conundrum

Security professionals in the utility industry often find themselves facing a conundrum in trying to balance best practices against the demand for increased functionality.  The drive for digitization and adoption of modern mitigating technologies such as Digital Twin, AI, and AR/VR require that mission-critical process data be delivered to remote or cloud-hosted data centers.  In following the reference architecture, this level of external connectivity for OT assets quickly becomes very complex, involving multiple firewalls and proxy applications and changes to security policies making them more permissive to allow connectivity to remote systems.  This approach changes the overall security posture of the OT network and raises concerns about which regulatory requirements must be applied and how they should be interpreted. 

The result is that many utility network operators choose to delay adoption of technologies that incorporate cloud-hosted services or selectively deploy them only for lower risk assets.  This is not a sign that the industry is filled with technology laggards.  It is a sign that conventional solutions are out of step with the requirements for a modern, cloud-enabled technology stack.  Novel new security technologies are needed that respect and enforce clear segmentation between OT and IT networks with robust isolation capabilities while still supporting the authorized transfer of select operational data out of the plant so that it can drive modern analytics and data-intensive use cases. 

Conclusion

Utilities are currently struggling with the OT/IT dichotomy.  Working with focus groups within our Utility customers, we have seen first-hand the confusion which currently reigns in most OT/IT teams.  The need of the OT team to have visibility and predictability of the security framework deployed and maintained by the IT team is just one of the key issues we are trying to resolve through our Best Practices. 

It is critical to recognize that the “dance” between security professionals, Utilities, and the regulatory bodies must come to an end. Until all three parties come to the table to understand their strengths and weaknesses, risk and probability, and operational impact, each will continue to operate independently and out of sequence with one another.  NERC will keep pushing new CIP regulations, Utilities will keep adopting a compliance-based security methodology and security practitioners will continue the hyperbolic conversations of risks. Ultimately, nothing of substance will be achieved.

With respect to the future, novel solutions are needed to safely enable Industry 4.0 deployments.  There is a need for solutions that simplify cloud connectivity while maintaining strict OT and IT segmentation and meeting regulatory requirements.  Practical solutions need to translate unique protocols and access models used by OT systems into a format that can be easily imported into cloud-native applications. 

This is the perfect time for standardization bodies to collaborate on taking the next steps for architecture design and testing for Utilities to be able to address the requirements of future Edge Computing use cases. Regulators need to acknowledge and encourage alternative architectures that facilitate connectivity without compromising the integrity of critical OT systems.  Considering the high degree of work required, it is also crucial that the subject matter experts of the various Global System Integrators (GSIs) begin to contribute to a common effort to standardize Edge Computing design and deployment for Utilities as well as for the Telco environment.


About Cognizant:

Cognizant has been helping utilities modernize their IT/OT environments to accommodate changes in technology and market demands for over 20 years. With that said, our core utility IoT business focuses on helping our utility partners efficiently and effectively navigate their grid modernization journeys.  Ultimately, our goal is to enhance utility partners’ operations by delivering innovative and secure grid solutions and modernizing operational and business processes, while accommodating flexible training and support models.

As our utility partners continue down their modernization journeys and move towards greater levels of adoption of layered intelligence (System, Network, & Edge), more advanced security solutions are required. Through the Cognizant and Owl strategic partnership, our teams are designing and delivering innovative security approaches that scale with the utilities’ ever-increasing attack surface. Together we aim to help secure our utility partners’ sensitive data and the critical control systems tied to their Grid Modernization programs.

About Owl Cyber Defense:

Owl Cyber Defense cross domain, data diode, and portable media solutions provide hardened network security checkpoints for absolute threat prevention and secure data availability. Certified by the U.S. government, independent testing authorities, and international standards bodies, Owl technologies and services help to secure the network edge and enable controlled unidirectional and bidirectional data transfers. For over 20 years, clients worldwide in defense, intelligence, and infrastructure have trusted Owl’s unmatched expertise to protect networks, systems, and devices. Owl is a portfolio company of U.S.-based private equity firm, DC Capital Partners.

Contributors:

Brian Romansky - Owl Cyber Defense 

Dana Anderson - Cognizant

Ravimurthy Krishnamurthy - Cognizant

Carson Zerpa - Cognizant

Stephen Chasko - Cognizant

John Cupit - Cognizant

 
