Showing posts with label CIP.

Monday, July 20, 2020

PhD Student Working On Cyber Security In Critical Infrastructures

Fredrik Heiding (PhD Student) wrote the other day:

Fredrik Heiding, PhD Student
Network and Systems Engineering
KTH, Royal Institute of Technology

I am doing a PhD on cyber security in critical infrastructure. Currently I study the security trends for critical infrastructures in Europe, analyzing where it is heading and how it is developing. To strengthen the study I have identified seven general questions; they are general in nature so that they can be answered by people in critical positions without revealing sensitive information.
Here are the questions from Fredrik and the answers from a very senior expert:
See also: http://blog.nettedautomation.com/2020/06/scada-security-matters-should-matter.html
Vytautas Butrimas wrote in the introduction to his answers:
This is a particularly interesting time in CIP. I come from an IT background and have focused mostly on the cybersecurity of industrial control systems in the past 10 years. This has been a long learning curve, for I found that my IT knowledge did not provide enough to understand the engineering and laws of physics that are dominant in the monitoring and control of physical processes found in the pumps and compressors on fuel pipelines, treatment of drinking water, routing of trains, and the generation and distribution of electricity. One needs to know the implications and peculiarities of the difference between IT office time and real time to work in this field.
I looked at your questions and will give brief answers. If you wish to discuss them further with me, then we can do so offline.
---------------------------------
Question 1:
What concerns for the future do you have regarding cyber security in critical infrastructure?

Answer 1:
How the introduction of increased complexity of systems (systems of systems, adding more sensors, increased connectivity) will be managed without taking away from safety, reliability and performance.

Question 2:
Over the past decade, digital attacks have become more central to the security of critical infrastructure. Do you think the trend will continue to increase or culminate?

Answer 2:
There are some signs that things will get better, but at the same time they will get more complicated. Security practitioners need to realize that much more attention is needed where the physical process is taking place and on the devices closest to it that are monitoring and controlling it, not where they are being monitored by humans in a remote location or control room. One more thing: we should not just be focused on "attacks". We also have to consider unintended actions or accidents. As the complexity of systems and the connectivity of devices increase, so will the unintended or "why did that happen?" incidents.

Question 3:
What relevant research or technological advances do you find most interesting for the future?

Answer 3:
Have to think about this one. It feels as if we are all trying to keep afloat in a tsunami of technological advances. The ones that worry me the most are the new features which also come with vulnerabilities that need to be addressed before a malicious group decides to exploit them.

Question 4:
Do you see IIoT (Industrial Internet of Things) as an opportunity or a concern, if both, which part is greatest (positive or negative)?

Answer 4:
I see it mostly as a concern (see my earlier answers). I suggest watching a video available on YouTube called "Brave New Internet 4.0" by one of your famous countrymen, Ralph Langner. The questions and concerns he raised in that lecture IMHO have not been addressed.

Question 5:
Do you have plans to, or do you think that you will expand the cyber security department in the coming years?

Answer 5:
I am currently working my way out of "mandatory retirement" and am not in a position to expand anything (perhaps later this year I will change my answer). If I were in a position of influence at an operator of CI (energy sector, for example), I would do my best to set up some support for the senior engineer of the plant. When he sees something unusual going on in the operation, he should be able to assign this problem to a security operations center. This could be at least one person or a small team that understands cyber threats and how they could be applied to the engineering side of the operation. The senior plant engineer has to keep things running and does not have time to stop and investigate something. He needs someone to help him, and an ICS SOC could be a good solution if management is willing to spend the money for the positions and training.

Question 6:
Can you share anything about past attacks/intrusion attempts, both successful and unsuccessful attempts are interesting?

Answer 6:
Look at the freely available information online. Look up Ralph Langner to learn about STUXNET. It happened 10 years ago and is probably the most analyzed and documented incident we have today that is publicly available. Much can still be learned, for the methods continue to be applied today. In 2014 in Germany your government (BSI) published its yearly report on cyber incidents. There is a section devoted to a cyber attack on a steel mill that had an uncontrolled shutdown and resulted in damage. Look at the Triton/Trisis/Hatman incident of 2017, where the safety systems of a petrochemical plant tripped not once but twice. Look for video lectures on this from Dale Peterson's S4 conferences in 2018/2019 (see the lectures by Julian Gutmanis and by Schneider Electric).

Question 7:
Has the attitude towards cyber security changed in the last 5 years, why and in which way?

Answer 7:
The attitude is changing, and for the better. Much better in the engineering community, who have understood how threats from cyberspace can get into their operations. On the other hand, as far as government policy makers go, they still have a long way to go. Much technical expertise has left government for the private sector, leaving some governments blind to some issues. The Three Little Pigs problem is evident: one thinks one has taken the appropriate measures and builds a house of straw or of sticks to protect from the wind and the rain, but the possibility of there being a wolf is somehow missed. You would be surprised at how many government policy makers do not know what SCADA is and yet think they are doing a great job at protecting critical infrastructure.
--------------------------------

Wednesday, July 27, 2016

FERC is about to Strengthen the Critical Infrastructure Protection (CIP) Requirements

Security is (so far) likely the most crucial key word in 2016. We all want to live in a secure world with a secure power delivery system and many other infrastructures.
There are many rules set by well-known standard-setting organizations. One is the US Federal Energy Regulatory Commission (FERC), which approved the Critical Infrastructure Protection (CIP) Reliability Standards (developed by NERC) years ago. Usually the rules are improved after something serious has happened. What happened some months ago? Yes, the Dec 23, 2015 cyber attack on the electric grid in Ukraine.
A lot of reports have been published recently.
FERC seeks comments (this summer) on possible modifications to the CIP Reliability Standards - and any potential impacts on the operation of the Bulk-Power System resulting from such modifications - to address the following matters:
  1. separation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions; and
  2. computer administration practices that prevent unauthorized programs from running, referred to as “application whitelisting,” for cyber systems in Control Centers.
Click HERE to access the FERC Docket No. RM16-18-000 that has all the details.

Security standards are one measure to improve the protection of technical systems - but the most crucial issue is: TRUST! Trust is what it's really all about. I hope that all readers of this IEC 61850 blog trust me! I do my best!

By the way, the security requirements on paper or in a PDF document do not protect any system. It is the human beings (you can trust) that have to understand the complexity of the power delivery system, the software applications, communication, and administration of the hardware and software. This requires well educated people - educated in many different (or even all) domains -, sufficient resources, and decisions to implement what is needed.

René Descartes (1596-1650) already understood very well what we have to do: "Hence we must believe that all the sciences are so interconnected, that it is much easier to study them all together than to isolate one from all others. If, therefore, anyone wishes to search out the truth of things in serious earnest, he ought not to select one special science, for all the sciences are conjoined with each other and interdependent."

And: Teamwork makes the dream work!

Stay safe!

Friday, June 5, 2015

Security: A Never Ending or a not Yet Started Story?

Everybody talks about security! Who is working on it? Some people are working on meeting compliance requirements like those defined in NERC CIP. Very few are dealing with measures to make and keep systems secure.

What's the difference between compliance and security? Does being compliant also mean being secure? NO – not at all. Being compliant may let you sleep better …

Two excellent publications touch on these issues:

1. NERC CIP v5 Suggests Compliance Does Not Equal Security

2. What effective legislation would you write for CI ICS

The first article closes:

“Compliance means you won't be fined. Security means you won't end up in the headlines. A friendly security suggestion would be to look beyond CIP compliance and use it as a baseline for your security policies.”

and the second:

“Hopefully, industry can get behind some sort of meaningful control system
security legislation before we end up with a catastrophic attack on a control
system.”

Since most people have likely not yet tried to implement security measures … the following sign (which I purchased the other day) wouldn't help either:

image

Try it again, or for the first time. But don't give up before you have a process for a higher level of security in operation. And never stop improving.

Friday, January 27, 2012

How to secure Millions of devices in a Smart(er) Grid?

There are many R&D projects underway to find appropriate ways to secure millions of devices that need to communicate – all over.

A nice paper discusses these issues in the light of one question: a workable solution for some hundred devices may not scale to millions of devices.

The report concludes: "The cryptographic infrastructure underlying the smart grid the community envisions will likely require PKI, for scalability – but this is the beginning, not the end, of the solution."

The good message we hear more often these days is: the path to smart(er) hybrid grids (power, gas, heat, …) will be long and steep. A challenge for all people involved, one way or the other.

Click HERE for the 3 page paper.
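As an added example that is not part of the post or of the cited paper, the Go program below builds the root-anchored trust that is the reason PKI scales: a root authority, a device certificate issued under it, a peer check that accepts only certificates chaining to the one root the device was provisioned with (and rejects a certificate from a rogue authority even for the same device name), and, for comparison, the number of secrets a pre-shared-key design would need. It uses only the Go standard library; the authority name "Grid Root CA", the device ID "IED-0001" and the validity periods are assumptions of the example.

```go
package main

// Added example (not code from the blog post or from the paper it cites): a toy PKI in
// Go's standard library. A device holds one root certificate and can verify any peer the
// root has certified; pairwise pre-shared secrets would instead grow as n(n-1)/2.
// "Grid Root CA", "IED-0001" and the validity periods are invented for the example.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authority is a certificate authority: a signing key and its self-signed root certificate.
type Authority struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewAuthority creates a self-signed root CA (ECDSA P-256) valid for ten years.
func NewAuthority(name string) (*Authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Authority{key: key, Cert: cert}, nil
}

// IssueDevice signs a leaf certificate for one device. The private key stays on the
// device; only the certificate is ever sent to peers.
func (a *Authority) IssueDevice(deviceID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(2 * 365 * 24 * time.Hour), // short lifetime: renewal is part of the design
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.Cert, &key.PublicKey, a.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyPeer is what a device runs when a peer connects: it trusts exactly one root, so a
// certificate from any other authority, even for the same device name, is rejected.
func VerifyPeer(root, peer *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// PairwiseSecrets is how many distinct keys a pre-shared-key scheme needs so that each of
// n devices can talk to every other one: n(n-1)/2, with n-1 of them stored on each device.
func PairwiseSecrets(n int) int { return n * (n - 1) / 2 }

func main() {
	root, err := NewAuthority("Grid Root CA")
	if err != nil {
		panic(err)
	}
	ied, _, err := root.IssueDevice("IED-0001", 2)
	if err != nil {
		panic(err)
	}
	rogue, _ := NewAuthority("Rogue CA")
	forged, _, _ := rogue.IssueDevice("IED-0001", 2)
	fmt.Println("cert from our root:  ", VerifyPeer(root.Cert, ied))    // <nil>
	fmt.Println("cert from rogue root:", VerifyPeer(root.Cert, forged)) // non-nil: unknown authority
	fmt.Println("pre-shared keys for 1,000,000 devices:", PairwiseSecrets(1000000))
}
```

The part the paper calls "the beginning, not the end" is everything this toy leaves out: how the root certificate gets onto a million devices in the first place, how compromised device keys are revoked, and how certificates are renewed before the short lifetime above runs out.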

There is some progress in making power system automation more secure. Siemens writes in the SIPROTEC 5 - System Overview, Protection, Automation and Monitoring · Siemens SIP 5.01 · V1.0 (not yet available for download):

  • Long-lasting, rugged hardware with outstanding EMC immunity and resistance to weather and mechanical loads
  • Sophisticated self-monitoring routines identify and report device malfunctions immediately and reliably
  • Conformance with the stringent Cyber Security requirements defined in the BDEW Whitepaper and NERC CIP
  • Encryption along the entire communication segment between DIGSI 5 and the device
  • Automatic recording of access attempts and security critical operations on the devices and systems

Click HERE for the BDEW Whitepaper "Requirements for Secure Control and Telecommunication Systems" [Dual Language: EN/DE]

Click HERE for further information in German (only).

Garderos (Munich, Germany) offers industrial-grade (ruggedized) routers which are self-managing and cyber-secure … secure against cyber-attacks … applicable for power grid applications.

Tuesday, July 12, 2011

Can IEC 61850-7-2 Edition 2 be used to build Agents?

There are more and more discussions on the question whether IEC 61850 could be applied to build an Agent. Some understand this as IEC 61850 versus Agent.

What is an Agent? There are as many answers as experts you ask.

I found a very interesting definition of a (special) Agent on Wikipedia:

"Monitoring and surveillance agents (also known as predictive agents) are a type of intelligent agent software that observes and reports on computer equipment. Monitoring and surveillance agents are often used to monitor complex computer networks to predict when a crash or some other defect may occur. Another type of monitoring and surveillance agent works on computer networks keeping track of the configuration of each computer connected to the network. It tracks and updates the central configuration database when anything on any computer changes, such as the number or type of disk drives. An important task in managing networks lies in prioritizing traffic and shaping bandwidth."

More generally Wikipedia provides a definition of an Agent:

“In computer science, a software agent is a piece of software that acts for a user or other program”.

IEC 61850 can be used for many applications: protection and control in substations, SCADA, monitoring of any simple or complex computer-based application in (power system) automation, or of assets like transformers, etc. This also covers network components like Ethernet switches: there is work underway to map the network management MIB onto Logical Nodes and DataObjects and to use the IEC 61850 services. An IEC 61850 Server can act for a Client (and its User, a person or a program). Crucial characteristics of Agents can be found in IEC 61850, too. Not (yet) convinced!?

Let me point to Edition 2 of IEC 61850-7-2 (ACSI), published in August 2010. What is new there? A lot of great stuff for more secure systems!

Edition 1 already had the service models of Reporting and Logging, observing (monitoring) application information like status or limit violations and allowing spontaneous events to be sent and logged. It was also possible to monitor attributes of the various control blocks (Reporting, Logging, GOOSE, SMV), allowing the enable request of a control block to be reported or logged. This last application has been extended in Edition 2 to keeping track of all ACSI services.

Edition 2 of IEC 61850-7-2 introduces the concept of the Service tracking in clause 14:

The reporting and logging functions of process- and function-related data objects as defined in Edition 1 of IEC 61850-7-x and IEC 61400-25-2 are extended in Edition 2 of IEC 61850-7-2 to keep track of changes, events, or actions in the process-related information modeled as Logical Nodes and DataObjects. IEC 61850-7-2 Edition 2 provides the possibility to keep track of all services, even those with negative responses. The services are classified as follows:

  • Control block related services
  • Command related services
  • Other services

IEC 61850-7-2 Edition 2 defines additional specific common data classes for each type of service to be reported or logged. For a given Server, a single data object instance (tracking data object) needs to be instantiated in the object model for each kind of service; it mirrors the values of the service parameters exchanged and the acceptance of the service by the server. This allows a service to be logged or reported to any client. It requires that the tracking data object is a member of the data set referenced by an LCB, BRCB, or URCB.

The following additional Common Data Classes (CDC) are defined in IEC 61850-7-2 Edition 2:

  • Common service tracking (CST)
  • Buffered report Tracking Service (BTS)
  • Unbuffered report Tracking Service (UTS)
  • Log control block Tracking Service (LTS)
  • GOOSE control block Tracking Service (GTS)
  • MSVCB Tracking Service (MTS)
  • USVCB Tracking Service (NTS)
  • SGCB Tracking Service (STS)

The tracking of services could be used to record the "manipulation" of the process and of the information-exchange control block attributes, e.g., the settings of relays or other functions. NERC CIP (Critical Infrastructure Protection) requires keeping logs (records) of many information changes. The reporting and logging of IEC 61850-7-2 and the extended common data classes could be used to implement such a "Recorder" or "Data Logger".
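As an added example, not code from the post or from IEC 61850-7-2, the Go program below models the tracking idea behind both the service-tracking description above and the "Recorder" use just mentioned: a toy server keeps a single command-tracking data object that is rewritten with every Operate request, accepted or refused, and a log fed from that object, so an unauthorized or interlocked command leaves the same trace as a successful one. The attribute names, error codes, object references and originator IDs are assumptions of the example, not the definitions of the standard's CDCs.

```go
package main

// Added example, not code from the post or from IEC 61850-7-2: a simplified model of
// Edition 2 service tracking. One tracking data object per kind of service mirrors the
// parameters of the latest request and whether the server accepted it; a log control
// block records every update of that object, so refused commands leave a trace too.
// Attribute names, error codes, object references and originator IDs are assumptions.

import (
	"fmt"
	"time"
)

// ServiceError stands in for the tracking object's errorCode; ErrNone means accepted.
type ServiceError int

const (
	ErrNone ServiceError = iota
	ErrAccessViolation
	ErrObjectNotFound
	ErrInterlockActive
)

func (e ServiceError) String() string {
	return [...]string{"no-error", "access-violation", "object-not-found", "blocked-by-interlock"}[e]
}

// TrackingObject is a CST-like data object: which service, on which object, by whom,
// with which value, when, and with what result.
type TrackingObject struct {
	ServiceType  string
	ObjRef       string
	OriginatorID string
	CtlVal       bool
	ErrorCode    ServiceError
	T            time.Time
}

// Server is a toy IEC 61850 server: controllable points, an interlock flag per point, the
// originators allowed to operate, one tracking object for command services, and the log
// whose data set contains that tracking object.
type Server struct {
	points      map[string]bool
	interlocked map[string]bool
	authorized  map[string]bool
	CmdTrack    TrackingObject // single instance, overwritten by every command
	Log         []TrackingObject
}

// NewServer sets up two switch positions; CSWI2 is blocked by an interlock.
func NewServer() *Server {
	return &Server{
		points:      map[string]bool{"IED1CTRL/CSWI1.Pos": false, "IED1CTRL/CSWI2.Pos": true},
		interlocked: map[string]bool{"IED1CTRL/CSWI2.Pos": true},
		authorized:  map[string]bool{"HMI-A": true},
	}
}

// Operate handles a control request. The tracking object is rewritten and logged on every
// path, including the negative responses, which is the point of service tracking.
func (s *Server) Operate(objRef string, ctlVal bool, originator string, now time.Time) error {
	code := ErrNone
	_, known := s.points[objRef]
	switch {
	case !s.authorized[originator]:
		code = ErrAccessViolation
	case !known:
		code = ErrObjectNotFound
	case s.interlocked[objRef]:
		code = ErrInterlockActive
	default:
		s.points[objRef] = ctlVal
	}
	s.CmdTrack = TrackingObject{ServiceType: "Operate", ObjRef: objRef, OriginatorID: originator,
		CtlVal: ctlVal, ErrorCode: code, T: now}
	s.Log = append(s.Log, s.CmdTrack) // the log control block picks up every change
	if code != ErrNone {
		return fmt.Errorf("operate %s by %s refused: %s", objRef, originator, code)
	}
	return nil
}

// Refused returns the log entries with a negative response: who tried what and was turned down.
func (s *Server) Refused() []TrackingObject {
	var out []TrackingObject
	for _, e := range s.Log {
		if e.ErrorCode != ErrNone {
			out = append(out, e)
		}
	}
	return out
}

// AuditLine renders one log entry the way a SOC analyst would want to read it.
func AuditLine(e TrackingObject) string {
	return fmt.Sprintf("%s %s %s ctlVal=%t by %s -> %s",
		e.T.UTC().Format(time.RFC3339), e.ServiceType, e.ObjRef, e.CtlVal, e.OriginatorID, e.ErrorCode)
}

func main() {
	s := NewServer()
	now := time.Date(2020, 7, 20, 12, 0, 0, 0, time.UTC)
	s.Operate("IED1CTRL/CSWI1.Pos", true, "HMI-A", now)                   // accepted
	s.Operate("IED1CTRL/CSWI1.Pos", false, "ENG-LAPTOP", now)             // refused: not authorized
	s.Operate("IED1CTRL/CSWI2.Pos", false, "HMI-A", now.Add(time.Second)) // refused: interlock
	for _, e := range s.Log {
		fmt.Println(AuditLine(e))
	}
}
```

The refused entries are the ones a plant engineer's ICS SOC would want first: a rejected command still tells you that some originator reached the device and tried, which an ordinary process log of successful state changes never shows.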

IEC 61850 (IEC 61400-25) provides a rich suite of service-oriented, event-driven or agent-oriented application and information exchange models.

The answer of the question in the headline is simply: YES, IEC 61850 can.

Friday, August 20, 2010

Low-cost IEC 61850 solution for short development times

The high cost in money and time of implementing IEC 61850 and IEC 61400-25 in controllers and other devices has so far slowed down or even blocked broad adoption in the lower voltage levels, in power generation and in further areas. Since the Hannover Messe 2010, however, a low-cost complete solution based on the Beck IPC@Chip has been available which makes it possible to develop IEC 61850-conformant interfaces within a short time. The stack software on the chip (from SystemCorp, Perth, Australia) offers a very simple IEC 61850 API; MMS (ISO 9506) and further definitions are hidden. Besides some management functions, the API has only three callback functions as the interface between IEC 61850 and the application: Read, Write, Update.

Click HERE for the paper in German recently published by etz / VDE Verlag.
Click HERE to access the pdf version of the paper.
Click HERE for the API documentation in English.
Click HERE for the description of the starter kit DK61 (development kit).

Thursday, September 24, 2009

First Release of the NIST Framework and Roadmap for Smart Grid Interoperability Standards

Commerce Secretary Gary Locke today (2009-09-24) unveiled an accelerated plan for developing standards to transform the U.S. power distribution system into a secure, more efficient and environmentally friendly Smart Grid and create clean-energy jobs.

The NIST Draft Publication "NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft)", published by the Office of the U.S. National Coordinator for Smart Grid Interoperability, is the result of thousands of working hours of hundreds of smart people from many states and countries.

Smart Grids will be built on standards. The most crucial standards are required for the following areas:

  • Demand Response and Consumer Energy Efficiency
  • Wide Area Situational Awareness
  • Electric Storage
  • Electric Transportation
  • Advanced Metering Infrastructure
  • Distribution Grid Management
  • Cyber Security
  • Network Communications

NIST found that the market had already reached consensus on 16 standards. After review of this list, there are now 31 standards understood as crucial for the smart grid. Many crucial IEC standards are on the list of 31: from IEC TC 57, IEC 60870-6 (TASE.2), IEC 61850, IEC 61968/61970 (CIM), IEC 62351; from IEC TC 65, IEC 62541; from other committees, ISO/IEC 15045, ISO/IEC 15067, ISO/IEC 18012, ...

The experts identified some 70 gaps in the list of standards. 14 gaps have been identified as MOST CRUCIAL to be solved:

"For each, an action plan has been developed, specific organizations tasked, and aggressive milestones in 2009 or early 2010 established. One action plan has already been completed. The Priority Action Plans and targets for completion are (in bold = impact from/on standards of IEC TC 57):

  1. Smart meter upgradeability standard (completed)
  2. Common specification for price and product definition (early 2010)
  3. Common scheduling mechanism for energy transactions (year-end 2009)
  4. Common information model for distribution grid management (year-end 2010)
  5. Standard demand response signals (January 2010)
  6. Standard for energy use information (January 2010)
  7. IEC 61850 Objects / DNP3 Mapping (2010)
  8. Time synchronization (mid-2010)
  9. Transmission and distribution power systems models mapping (year-end 2010)
  10. Guidelines for use of IP protocol suite in the Smart Grid (mid-year 2010)
  11. Guidelines for use of wireless communications in the Smart Grid (mid-year 2010)
  12. Electric storage interconnection guidelines (mid-2010)
  13. Interoperability standards to support plug-in electric vehicles (December 2010)
  14. Standard meter data profiles (year-end 2010)

Click HERE to read the press release of today (2009-09-24).

Click HERE to download the 90 page Draft Release 1.0 of the NIST Framework and Roadmap for Smart Grid Interoperability Standards

With that official Draft it is confirmed that crucial international Standards published by IEC TC 57, TC 65, and TC 88 are key for the sustainable interoperability of smart devices and smart systems in smart grids - developed by smart people.

Click HERE for a discussion on the availability of smart people.

Tuesday, August 18, 2009

Revised Input to NIST Interoperability Roadmap available

The input from EPRI to NIST was out for public review until end of July 2009. The team has received 83 comments that have been used to revise the EPRI input to NIST.

Many IEC Standards are referenced in the document: IEC 61968/70 (CIM), IEC 61850, IEC 61400-25, IEC 61499, ...

Click HERE to download the Report to NIST on the Smart Grid Interoperability Standards Roadmap After Comments were addressed [pdf].

Click HERE to download the Consolidated Comments August 10, 2009 [pdf].

Click HERE to check results of the Workshop, August 3-4, 2009.

Click HERE to check the latest Priority Action Plans (PAPs) that has been updated on August 10; after the August 3-4, 2009, Workshop.

Wednesday, July 8, 2009

ENTSO-E – EC Workshop on “Critical Infrastructure Protection” for Transmission Grid

The workshop on Critical Infrastructure Protection (CIP) for electricity transmission networks was held on 15/16 June 2009 in Cologne, Germany. ENTSO-E and the European Commission jointly organized the workshop. This workshop was an important platform for experts of European TSOs and other organizations involved in security issues.

Click HERE [pdf] to download the agenda and HERE to download the presentations [zip].