Primary Attack Scenarios and Network Challenges – Securing Cyber-Physical Systems in Smart Grid Utilities
By Mangaya Sivagnanam and Prof. Massoud Amin
The digital technology facilitates two-way communication between the end-to-end grid, the utility and smart buildings. By sensing customers’ needs/desires and automating for services such as demand response, through smartly equipped and connected with judiciously configured Internet-connected Cyber-Physical-Systems (CPS) to support proper, efficient, secure, effective and “price-smart” functioning.
CPS is an embedded system controlled and monitored by computer-based algorithms (analytics) with interactive network components. Many parts of these are not new and provide the basis for the emerging innovations and services in building technologies and help serve customer desires.
Connectivity, security, privacy, flexibility, dynamics and maximum efficiency are the core requirements for many CPS operations within Smart Grid architectures. The success primarily relies on maintaining the greatest synergy between IT/OT networks, building, and micro-grid/neighborhood’s necessities, flexibility, dynamics, safety, privacy, and security.
Smart Grids and Smart Buildings have two main networks: IT (Information Technology) and OT (Operational Technology). The OT overlay is often called the CPS network, which has a variety of CPS domains, noted below. The CPS network layers are levels 0-3.
- Level 0: Sensors, thermostats, meters, actuators and more.
- Level 1: Basic Controls such as HMI and PLCs
- Level 2: Supervisory-Controls like SCADA, Engineering Stations, and Operators’ interfaces
- Level 3: Operational-Controls needed for site production and operations
The devices in the OT network mostly uses IP, UDP, and Industrial Protocols for communications. The industrial protocols and field-bus used are BACnet, LON, Zigbee, Modbus DALI, Dynet, M-Bus, Profibus, IEBus, ANSI, IEC, DLMS... Some of these protocols are insecure with known vulnerabilities, and they are prone to various attacks.
Although the synchronized interoperability of the CPS/OT and IT networks make the utility smart and responsive, on the flipside, it also increases the cybersecurity risks and attack surfaces (including protocol attacks, routing attacks, intrusions, malware/spyware/worms, DoS, and insider threats). The North American power grid, Ukraine power grid (Black Energy), Stuxnet Malware, Irongate, Ukrenergo, Mirai, Smart-Meter hacks and US electric utility attacks are a few examples of vulnerabilities in the CPS and the interconnected network.
The OT network is often air-gapped, physically separated from the IT network. However, the organization connects the CPS to the Internet and often accessed via public IP.
- The public IP puts the CPS in jeopardy by itself. Now the CPS becomes vulnerable to receive infected payloads, being accessed from the Internet by intruders with intent and capability.
- At times, the CPS front-end is added to the network and is connected directly to the IT network; this opens an intrusion point, and attackers benefit from using this as a pivot-point to access sensitive data.
Connecting CPS to internet means, exposing its entire network to the Internet. With the help of free protocol/network scanning tools, the attacker can tunnel through the exposed devices to its network. According to “2017-Cost-of-Data-Breach-Study”, the discovered attackers stay undetected in the network for average ~191 days. The compromised CPS can either become a potential target or be a contributor to distributed attacks.
Non-air gapped Network:
While all the CPS are behind the corporate firewall, not exposed to the Internet, still, these CPS are susceptible to various vectors of attack. Some of the CPS indirectly access arbitrary Internet-servers (mail/weather) as a supported feature:
- Attackers can exploit this weak-point via social engineering, phishing, and drive-by-downloads. Not all enterprise intrusion detection systems (IDS) restrict Internet access, thus making it possible for an adversary to inject infected files with Virus, Trojan, and Malware.
This malware has low detection rates since they are specially engineered to target a particular CPS.
There include unmonitored edge systems in the building:
- Most buildings do not monitor the control networks; an attacker can either connect inline or remotely access the network and execute malicious software.
- Another way is to inject malicious USB/drives on unmanaged devices (outdoor/atrium/common-area).
Perpetrator’s Tools and Techniques:
The attackers benefit from the same tools the security professionals’ use. Most common are:
- Search engine to identify all the CPS devices on the Internet,
- Network tools help to learn the network topology, including all CPS connected to other subnets.
- Applications that perform brute-force attacks on identified target to gain complete access.
Human and organizational factors, including organized culture, influence the security performance in the multilayered defense. Often vulnerabilities are not caused by the misconfiguration and software failures in the systems but created by other conditions; such as management support and decisions made by employees, which combine to create situations in which failures may occur. In the complex Smart-Grid networks, the human contributors themselves are the most susceptible to failure and most adaptable to the disaster recovery.
Like any complex, dynamic infrastructure system, the electricity grid has many layers and is vulnerable to many different types of disturbances. While strong centralized control is essential to reliable operations, this requires multiple, high-data-rate, two-way communication links, a powerful central computing facility and an elaborate operations control center. For more profound protection, intelligent, distributed, secure control is also required, which would enable parts of the network to remain operational and even automatically reconfigure in the event of local failures or threats of failure.
Accordingly, protection of the system requires a multi-layered effort. At the highest level of generality there needs to be a corporate culture that insists on adherence to procedures, visibly promotes better security, and sees that management is well informed. The security program must be up-to-date, complete, closely supervised, and must include vulnerability and risk assessments. Of course, employees must be screened and trained, and emergency procedures must be rehearsed and drilled.
Focusing on the end-to-end electric power network, grid communications and control systems and emerging smart buildings, are often thought to be much more securely protected than is the case. Physical protection of the widely diverse and dispersed assets of power systems is impractical, and command control layers yield new benefits only if designed correctly and securely, posing additional challenges. Cyber connectivity has brought operational and business benefits, while it has increased cyber-risks, vulnerability to novel threats, which undermine the objectives of safe and reliable smart-grids.
Some of the low cost and highly effective security practices are:
- Avoid exposing “mission/business-critical” CPS and insecure protocol links to the Internet
- Prefer closing all unused ports and altering CPS factory settings – default user accounts – consider adopting dynamic/automatic ways to update CPS firmware
- Prefer hard encryption, system disposal policy to avoid sensitive information leak
- Prefer secure communication channel (TLS/HTTPS)
Security must be built-in as part of its design (within chips and devices, which layers of the architectures, and in the sensing/communications protocols and systems). The next-gen CPS approaches are “A self-defensive CPS architecture and a self-diagnosed CPS network.”
- Attack-Resilient Control (ARC) feature, accomplished by self-assessment, intelligent attack precursor detection, isolation/localization and mitigation module capabilities
- Analyzing intelligence sources including Attack Templates, Forecasts, Situational Awareness, System Resources, and System/Network Data to achieve dynamically "optimized" system/network adaptation and responses.
This article was edited by Pardis Khayyer.
Mangaya Sivagnanam is the Principal Cybersecurity Systems Architect at Ingersoll Rand. She has 17 years of experience in software applications design, analysis, development, testing and deployment of web/enterprise based on client/server applications and commercial industrial control systems. She is responsible for the framework and application design and development of web-based and embedded software for control systems. Mangaya has expertise and experience in innovation, security architecture for the web application, industrial control systems, internet of things, mobile, cloud computing, big data security, smart connected buildings and smart cities. She has extensive experience with heterogeneous system’s software design (Secure SDLC), threat modeling, security and risk analysis, penetration testing. She is also responsible for coordinating and managing the incident response process for the advanced building automation systems and solutions. She received an MS degree in security technologies and cybersecurity from the Technological Leadership Institute (TLI.umn.edu) at the University of Minnesota.
Dr. Massoud Amin, IEEE Fellow, is Director of the Technological Leadership Institute (TLI). He holds the Honeywell/H.W. Sweatt Chair, is a professor of electrical & computer engineering (ECE), and a University Distinguished Teaching Professor Award Recipient at the University of Minnesota. He is Chairman of the IEEE Smart Grid, a Fellow of ASME and, from June 2010 to August 2017, was a member of the Texas Reliability Entity (as board chairman), a utility industry regional entity that oversees reliability. From January 2013 to August 2017, he also served as a board member of the Midwest Reliability Organization.
Before joining the University of Minnesota in March 2003, Dr. Amin was with the Electric Power Research Institute (EPRI) in Palo Alto, Calif. He pioneered R&D in smart grids in 1998, and led the development of 24 technologies that transferred to industry. After 9/11, he directed all security-related R&D for U.S. utilities. He has led research, development, and deployment of smart grids, and the enhancement of critical infrastructures’ security during this period. He is considered the father of the smart grid.
At EPRI he received several awards including six EPRI Performance Recognition Awards for leadership in three areas, the 2002 President’s Award for the Infrastructure Security Initiative, and twice received the Chauncey Award, the Institute’s highest honor.
He has been recognized by his alma maters, receiving the 2011 Distinguished Alumni Achievement Award at Washington University, and the 2013 Outstanding Senior Alumni Award at the University of Massachusetts. He was the inaugural Thought Leader of the Year, Energy Thought Summit 2015 (ETS '15); inducted into the University of Minnesota’s Academy of Distinguished Teachers (2008); President’s Award for the Infrastructure Security Initiative, EPRI (2002) twice - received the Chauncey Award, EPRI; Professor of the Year, Washington University in St. Louis (1992-1995). He is the author of more than 200 peer-reviewed publications, editor of seven collections of manuscripts, and served on the editorial boards of six academic journals.
In summary, Dr. Amin’s professional contributions have primarily been in three areas:
- defense networks, combat & logistics systems - C4I (1982-1997)
- modernization, efficiency, security & resilience of interdependent national critical infrastructures, including power, energy, communications, finance, and transportation (1997-present), and
- technology/business/policy foresight & strategy (1997-present).
Dr. Amin holds B.S. (cum laude), and M.S. degrees in electrical and computer engineering from the University of Massachusetts-Amherst, and M.S. and D.Sc. degrees in systems science and mathematics from Washington University in St. Louis, Missouri.