Primary Attack Scenarios and Network Challenges – Securing Cyber-Physical Systems in Smart Grid Utilities

By Mangaya Sivagnanam and Prof. Massoud Amin

The digital technology facilitates two-way communication between the end-to-end grid, the utility and smart buildings. By sensing customers’ needs/desires and automating for services such as demand response, through smartly equipped and connected with judiciously configured Internet-connected Cyber-Physical-Systems (CPS) to support proper, efficient, secure, effective and “price-smart” functioning.

CPS is an embedded system controlled and monitored by computer-based algorithms (analytics) with interactive network components. Many parts of these are not new and provide the basis for the emerging innovations and services in building technologies and help serve customer desires.

Connectivity, security, privacy, flexibility, dynamics and maximum efficiency are the core requirements for many CPS operations within Smart Grid architectures. The success primarily relies on maintaining the greatest synergy between IT/OT networks, building, and micro-grid/neighborhood’s necessities, flexibility, dynamics, safety, privacy, and security.

Smart Grids and Smart Buildings have two main networks: IT (Information Technology) and OT (Operational Technology). The OT overlay is often called the CPS network, which has a variety of CPS domains, noted below. The CPS network layers are levels 0-3.

• Level 0: Sensors, thermostats, meters, actuators and more.
• Level 1: Basic Controls such as HMI and PLCs
• Level 2: Supervisory-Controls like SCADA, Engineering Stations, and Operators’ interfaces
• Level 3: Operational-Controls needed for site production and operations

The devices in the OT network mostly uses IP, UDP, and Industrial Protocols for communications. The industrial protocols and field-bus used are BACnet, LON, Zigbee, Modbus DALI, Dynet, M-Bus, Profibus, IEBus, ANSI, IEC, DLMS... Some of these protocols are insecure with known vulnerabilities, and they are prone to various attacks.

Although the synchronized interoperability of the CPS/OT and IT networks make the utility smart and responsive, on the flipside, it also increases the cybersecurity risks and attack surfaces (including protocol attacks, routing attacks, intrusions, malware/spyware/worms, DoS, and insider threats). The North American power grid, Ukraine power grid (Black Energy), Stuxnet Malware, Irongate, Ukrenergo, Mirai, Smart-Meter hacks and US electric utility attacks are a few examples of vulnerabilities in the CPS and the interconnected network.

Air-gapped Network:

The OT network is often air-gapped, physically separated from the IT network. However, the organization connects the CPS to the Internet and often accessed via public IP.

• The public IP puts the CPS in jeopardy by itself. Now the CPS becomes vulnerable to receive infected payloads, being accessed from the Internet by intruders with intent and capability.
• At times, the CPS front-end is added to the network and is connected directly to the IT network; this opens an intrusion point, and attackers benefit from using this as a pivot-point to access sensitive data.

Connecting CPS to internet means, exposing its entire network to the Internet. With the help of free protocol/network scanning tools, the attacker can tunnel through the exposed devices to its network. According to “2017-Cost-of-Data-Breach-Study”, the discovered attackers stay undetected in the network for average ~191 days. The compromised CPS can either become a potential target or be a contributor to distributed attacks.

Non-air gapped Network:

While all the CPS are behind the corporate firewall, not exposed to the Internet, still, these CPS are susceptible to various vectors of attack. Some of the CPS indirectly access arbitrary Internet-servers (mail/weather) as a supported feature:

• Attackers can exploit this weak-point via social engineering, phishing, and drive-by-downloads. Not all enterprise intrusion detection systems (IDS) restrict Internet access, thus making it possible for an adversary to inject infected files with Virus, Trojan, and Malware.

This malware has low detection rates since they are specially engineered to target a particular CPS.

Unmonitored CPS:

There include unmonitored edge systems in the building:

• Most buildings do not monitor the control networks; an attacker can either connect inline or remotely access the network and execute malicious software.
• Another way is to inject malicious USB/drives on unmanaged devices (outdoor/atrium/common-area).

Perpetrator’s Tools and Techniques:

The attackers benefit from the same tools the security professionals’ use. Most common are:

• Internet,
• Search engine to identify all the CPS devices on the Internet,
• Network tools help to learn the network topology, including all CPS connected to other subnets.
• Applications that perform brute-force attacks on identified target to gain complete access.

Human Factors:

Human and organizational factors, including organized culture, influence the security performance in the multilayered defense. Often vulnerabilities are not caused by the misconfiguration and software failures in the systems but created by other conditions; such as management support and decisions made by employees, which combine to create situations in which failures may occur. In the complex Smart-Grid networks, the human contributors themselves are the most susceptible to failure and most adaptable to the disaster recovery.

Like any complex, dynamic infrastructure system, the electricity grid has many layers and is vulnerable to many different types of disturbances. While strong centralized control is essential to reliable operations, this requires multiple, high-data-rate, two-way communication links, a powerful central computing facility and an elaborate operations control center. For more profound protection, intelligent, distributed, secure control is also required, which would enable parts of the network to remain operational and even automatically reconfigure in the event of local failures or threats of failure.

Accordingly, protection of the system requires a multi-layered effort. At the highest level of generality there needs to be a corporate culture that insists on adherence to procedures, visibly promotes better security, and sees that management is well informed. The security program must be up-to-date, complete, closely supervised, and must include vulnerability and risk assessments. Of course, employees must be screened and trained, and emergency procedures must be rehearsed and drilled.

Conclusions:

Focusing on the end-to-end electric power network, grid communications and control systems and emerging smart buildings, are often thought to be much more securely protected than is the case. Physical protection of the widely diverse and dispersed assets of power systems is impractical, and command control layers yield new benefits only if designed correctly and securely, posing additional challenges. Cyber connectivity has brought operational and business benefits, while it has increased cyber-risks, vulnerability to novel threats, which undermine the objectives of safe and reliable smart-grids.

Some of the low cost and highly effective security practices are:

• Avoid exposing “mission/business-critical” CPS and insecure protocol links to the Internet
• Prefer closing all unused ports and altering CPS factory settings – default user accounts – consider adopting dynamic/automatic ways to update CPS firmware
• Prefer hard encryption, system disposal policy to avoid sensitive information leak
• Prefer secure communication channel (TLS/HTTPS)

Next-Gen CPS:

Security must be built-in as part of its design (within chips and devices, which layers of the architectures, and in the sensing/communications protocols and systems). The next-gen CPS approaches are “A self-defensive CPS architecture and a self-diagnosed CPS network.”

• Attack-Resilient Control (ARC) feature, accomplished by self-assessment, intelligent attack precursor detection, isolation/localization and mitigation module capabilities
• Analyzing intelligence sources including Attack Templates, Forecasts, Situational Awareness, System Resources, and System/Network Data to achieve dynamically "optimized" system/network adaptation and responses.

This article was edited by Pardis Khayyer.

Contributors