4
Vulnerabilities of Systems for Sensing, Communication, and Control

The operation of a modern electric power system depends on complex systems of sensors and automated and manual controls, all of which are tied together through communication systems. While the direct physical destruction of generators, substations, or power lines may be the most obvious strategy for causing blackouts, activities that compromise the operation of sensors, communication, and control systems by spoofing, jamming, or sending improper commands could also disrupt the system, cause blackouts, and in some cases result in physical damage to key system components. Hacking and cyber attacks are becoming increasingly common.

Most early communication and control systems used in the operation of the electric power system were carefully isolated from the outside world, and were separate from other systems such as corporate enterprise computing. However, economic pressures created incentives for utilities to make greater use of commercially available communications and other equipment that was not originally designed with security in mind. Unfortunately, from a security perspective, such interconnections with office and electronic business systems through other layers of communications have created vulnerabilities. While this problem is now well understood in the industry and corrective actions are being taken, the industry is still in a transition period during which some control systems have been inadvertently exposed to access from the Internet, intranets, and remote dial-up capabilities that are vulnerable to cyber intrusions.

Many elements of the distributed control systems now in use in power systems are also used in a variety of applications in process control, manufacturing, chemical process controls and refineries, transportation, and other critical infrastructure sectors, and hence are vulnerable to similar modes of attack. Dozens of communication and cyber security intrusions, as well as penetration red-team attacks, have been conducted by DOE, EPRI, electric utilities, commercial security consultants, and others. These “attacks” have uncovered a variety of cyber vulnerabilities including unauthorized access, penetration, and hijacking of control.

While the committee is unaware of any successful hostile cyber attack on the systems that control the operation of a power system, the risks posed by such attacks are sufficiently large to warrant serious consideration, continued improvement of key systems, and high levels of vigilance including careful attention to personnel training and operational procedures.

EPRI has conducted a survey of electric utilities to identify their concerns about grid security, cyber security, and communications security (EPRI, 2000). Figure 4.1 ranks the perceived threats to utility control centers. The most likely threats identified were bypassing controls, integrity violations, and authorization violations, with 40 percent of respondents rating the seriousness of each as either a 5 or a 4 on a scale of 0 to 5. Concern about the potential threats generally increased as the size of the utility peak load increased.

SENSING, COMMUNICATION, AND CONTROL SUBSYSTEMS

Functions of Sensing, Communication, and Control Elements of a Typical Power System

Figure 4.2 provides a simplified schematic diagram of the sensing, communication, and control elements of a modern power system. The elements of the system depicted in Figure 4.2 are defined and described below. Further details on the operation of many of these elements are provided in Chapter 6.

Energy Management System

The objective of the Emergency Management System (EMS) is to analyze the real-time measurements gathered by the supervisory control and data acquisition (SCADA) system (see next paragraph) to determine the reliability of the present operating condition of the grid, to alert the operators to any vulnerabilities to possible disturbances (contingen-



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 38
4 Vulnerabilities of Systems for Sensing, Communication, and Control The operation of a modern electric power system depends While the committee is unaware of any successful hostile on complex systems of sensors and automated and manual cyber attack on the systems that control the operation of a controls, all of which are tied together through communica- power system, the risks posed by such attacks are sufficiently tion systems. While the direct physical destruction of gen- large to warrant serious consideration, continued improve- erators, substations, or power lines may be the most obvious ment of key systems, and high levels of vigilance includ- strategy for causing blackouts, activities that compromise the ing careful attention to personnel training and operational operation of sensors, communication, and control systems by procedures. spoofing, jamming, or sending improper commands could EPRI has conducted a survey of electric utilities to iden- also disrupt the system, cause blackouts, and in some cases tify their concerns about grid security, cyber security, and result in physical damage to key system components. Hack- communications security (EPRI, 2000). Figure 4.1 ranks ing and cyber attacks are becoming increasingly common. the perceived threats to utility control centers. The most Most early communication and control systems used in likely threats identified were bypassing controls, integrity the operation of the electric power system were carefully violations, and authorization violations, with 40 percent of isolated from the outside world, and were separate from other respondents rating the seriousness of each as either a 5 or a 4 systems such as corporate enterprise computing. However, on a scale of 0 to 5. Concern about the potential threats gener- economic pressures created incentives for utilities to make ally increased as the size of the utility peak load increased. 
greater use of commercially available communications and other equipment that was not originally designed with secu- SENSING, COMMUNICATION, AND CONTROL rity in mind. Unfortunately, from a security perspective, such SUBSYSTEMS interconnections with office and electronic business systems through other layers of communications have created vulner- Functions of Sensing, Communication, and Control abilities. While this problem is now well understood in the Elements of a Typical Power System industry and corrective actions are being taken, the industry is still in a transition period during which some control Figure 4.2 provides a simplified schematic diagram of systems have been inadvertently exposed to access from the the sensing, communication, and control elements of a mod- Internet, intranets, and remote dial-up capabilities that are ern power system. The elements of the system depicted in vulnerable to cyber intrusions. Figure 4.2 are defined and described below. Further details Many elements of the distributed control systems now in on the operation of many of these elements are provided in use in power systems are also used in a variety of applications Chapter 6. in process control, manufacturing, chemical process controls and refineries, transportation, and other critical infrastructure Energy Management System sectors and hence vulnerable to similar modes of attack. Dozens of communication and cyber security intrusions, as The objective of the Emergency Management System well as penetration red-team attacks, have been conducted (EMS) is to analyze the real-time measurements gathered by DOE, EPRI, electric utilities, commercial security consul- by the supervisory control and data acquisition (SCADA) tants, and others. 
These "attacks" have uncovered a variety of system (see next paragraph) to determine the reliability of the cyber vulnerabilities including unauthorized access, penetra- present operating condition of the grid, to alert the operators tion, and hijacking of control. to any vulnerabilities to possible disturbances (contingen- 38

OCR for page 38
VULNERABILITIES OF SYSTEMS FOR SENSING, COMMUNICATION, AND CONTROL 39 cies), and to calculate possible operational changes that could improve the operational condition (i.e., more optimized in terms of cost and less vulnerable to contingencies). A very important automatic function of an EMS is automatic genera- tion control (AGC), which involves measurements of system frequency interchange power flows, and power plant outputs to regulate system frequency and net power interchange via commands sent to power plants. An EMS always works in concert with a SCADA system, with the SCADA as the front-end component connected directly to the grid and the EMS as the back-end component with the heavy compu- tational capabilities; this combination is referred to as the EMS-SCADA (or just EMS) or simply, the control center. Communication connections between EMSs in neighboring grids are common for the exchange of data describing the NOTES: real-time conditions in the nearby interconnected system. Authorization violation: Access by an entity that lacks the proper More details on EMSs and their use in systems monitoring access rights. FIGURE 4.1 and control are provided in Chapter 6 of this report. Bypassing controls: Exploitation of system flaws or weaknesses by an authorized user in order to acquire unauthorized privileges. Supervisory Control and Data Acquisition Denial of service: Deliberate impedance of legitimate access to information. SCADA systems provide three critical functions in Eavesdropping: Acquisition of information flows, sometimes by the operation of an electric power system: data acquisi- "listening" to radio or wireline transmissions, sometimes by analyz- tion, supervisory control, and alarm display. It consists of ing traffic on a local area network. computers and display units with appropriate applications Illegitimate use: knowingly or unknowingly intruding on system software, and is connected by a communications system to resources. 
remote terminal units (RTUs) placed at substations that col- lect data and perform control of electrical system devices. Indiscretion: Indiscriminate opening of information files and so on. The SCADA system polls the RTUs periodically to gather Information leakage: Unintentional provision of information to a the real-time measurement data from all the substations disguised third party. and sends out control signals to the RTUs to control spe- Integrity violation: Messages and the computer infrastructure cific equipment. These supervisory control signals can be subjected to unauthorized modification or destruction. automatically generated by the SCADA computers or be Intercept/alter: Intercepting and altering information flows, usu- manually initiated by the operator. The controls can be for ally by accessing databases and modifying data. operations of many types, such as the opening and closing Masquerade: Posing as an authorized user on a network, the most of circuit breakers and the adjustment of control set points common method used by hackers to gain access to networks, often for transformer taps, generation of unit power outputs and enabled by having other users' passwords. A masquerader can voltage levels, DC transmission line flows, and so on. (It view secret information, alter or destroy data, use unauthorized should be pointed out that SCADA is a generic name for this resources, and deny legitimate users access to services. class of equipment, which is used for similar applications in Replay: Use of information previously captured without necessar- many industries, including natural gas pipeline transmission ily knowing what it means. and chemical plants.) Repudiation: Denial by an entity that it undertook some action Most power system legacy SCADA systems operate in a such as sending a message or receiving information. several-second sample or polling rate. 
A separate SCADA Spoof: Occurs when a user or application believes it is using one of system may be used for AGC. Modern SCADA systems may the legitimate computer services, while actually performing some be networked using private Internet protocols, and may use different function. faster sampling rates. FIGURE 4.1 Perceived threats to power system control centers as reported in a survey of electric utilities conducted by EPRI in 2000. Remote Terminal Unit SOURCE: Adapted from EPRI (2000). RTUs are special-purpose microprocessor-based elements that are located at substations or power stations to interface with all the substation equipment. An RTU is connected to the SCADA system through a communication channel that

OCR for page 38
40 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM 1 System Control Center cyber Data to market and protection other systems EMS Links to other Energy Management System control centers 3 2 SCADA Supervisory Control and Data Acquistition 4 RTU RTU RTU Remote terminal unit Remote terminal unit Remote terminal unit 5 sensors sensors sensors actuators actuators actuators etc. etc. etc. PLCs, protective relays, systems to control transformer tap settings and capacitor FIGURE 4-2 Simplified banks, diagram metering automated of the sensing, communication, systems, and DCSs andascontrol well systems associated as a variety with devices of field a typical all power system. Program- mable logic controllers, operate protective at this level.relays, systems to control transformer tap settings and capacitor banks, automated metering systems, and distributed control systems as well as a variety of field devices all operate at this level. NOTE: Numbers refer to points of vulnerability discussed in the text. uploads measurement data from the station and downloads Programmable Logic Controller control orders from the SCADA system. Within the station, Programmable logic controllers (PLCs) have been used the RTU is either directly connected to the equipment being extensively in manufacturing and process industries for controlled, or (because the new equipment is increasingly many years and are now being used to implement relay being controlled by microprocessors) through intra-station FIGURE 4.2 and control systems in substations and power plants. PLCs local communication networks. RTUs contain analog-to- replace binary (Boolean) logic networks of series and par- digital and digital-to-analog converters, digital inputs for allel combinations of electromechanical coils and contacts. status, and digital or analog output for control. 
They are used in mission-critical applications such as the A newer development is the intelligent electronic device, special protection systems described in Chapter 6, some- which often implies a built-in network capability such as times in fault-tolerant configurations (e.g., triply redundant Internet Protocol. Networked devices are, of course, more with two out of three required to agree for an output deci- susceptible to cyber attacks. Sensors and the devices dis- sion). PLCs have extended input/output (I/O) systems simi- cussed below may also be considered intelligent electronic lar to those of transmission substation RTUs. The control devices. outputs can be controlled by software residing in the PLC

OCR for page 38
VULNERABILITIES OF SYSTEMS FOR SENSING, COMMUNICATION, AND CONTROL 41 and via remote commands from a SCADA system. In some Field Devices applications, PLCs with RTU-reporting capability may have Examples of field devices are process instrumentation advantages over conventional RTUs. PLCs can have many such as pressure and temperature sensors and chemical ana- real-time communication links inside and outside substa- lyzers. Other standard types of field devices include electric tions or plants. actuators. Intelligent field devices include electronics to A step beyond PLCs are programmable automation enable field configuration, upload of calibration data, and so controllers (PACs), which include data acquisition, signal on. These devices can be configured offline. They also can processing, monitoring, monitoring/display, and feedback have real-time communication links between plant control control. In one manufacturer's product line of hardware and systems, maintenance management systems, stand-alone software, for example, the hardware can be either a PC or PCs, and other devices inside and outside the facility. one of several real-time, embedded control devices. Threats and Risk Protective Relays As noted above, perhaps the most serious vulnerability to Protective relays are mission-critical electromechani- the various sensing, communication, and control subsystems cal, analog, electronic, or digital controllers designed to that has developed in recent years, and which is now being respond to system faults and short circuits. When faults rapidly rectified, has been lack of attention to connections occur, the relays must signal the appropriate circuit break- from system control centers to the outside world (labeled as 1 ers to trip and isolate the faulty equipment. Distribution sys- in Figure 4.2). 
If these connections are not treated with great tem relaying must be coordinated with fuses and reclosures care, and if proper cyber security protection is not provided, for faults while ignoring cold-load pickup, capacitor-bank they can in principle become a route for attackers from the switching, and transformer energization. Transmission-line outside world to create disruption, take control, and cause relaying must locate and isolate a fault with sufficient speed damage. Recent steps to dramatically improve the security to preserve stability, reduce fault damage, and minimize of these links are discussed below. the impact on the power system. Modern digital protec- While some of the operations of an electric power system tive relays can be networked, and settings can be changed are automatic, ultimately human operators in the system remotely. Chapter 6 of this report discusses applications control center make decisions and take actions to control and the functional reliability of the control and protection the operation of the system. Physical threats to such centers systems. and the communication links that flow in and out of them are described in Chapter 3. But it is also essential to be con- Automated Metering cerned about two other factors: the reliability of the operators within the center, and the possibility that insecure code has Automated metering is designed to upload residential been added to one of the programs in a center computer. The and/or commercial gas and/or electric meter data. These threats posed by "insiders" are discussed in Chapter 5. The data can then be automatically downloaded to a PC or other risk of a "Trojan horse" or other deleterious program being device and transmitted to a central collection point. With this intentionally embedded in the software of one or more of technology, real-time communication links exist outside the the control centers is real, and this can only be addressed by utility infrastructure. 
careful security measures both within the commercial firms that develop and supply this software, and careful security Plant Distributed Control Systems screening of both utility and outside service personnel who perform software maintenance within the center. Today Plant distributed control systems (DCSs) are plant-wide software security upgrades often are not always supplied to control systems used for control and data acquisition. The I/O end users, or users do not promptly apply the upgrades for count can be higher than 20,000 data points. Often, the DCS fear of impacts on system performance. Current practice is is used as the plant data highway for communication to and to apply upgrades after SCADA system vendors thoroughly from intelligent field devices, other control systems (such test and validate them, sometimes delaying deployment by as PLCs), RTUs, and even the corporate data network for several months. enterprise resource planning applications. DCS technology A third source of vulnerability can arise from the essential has been developed with operating efficiency and user con- links to other system control centers (labeled as 3 in Figure figurability as drivers, rather than system security. In addi- 4.2). Such links are essential for the operation of a large tion, technologies have been developed that allow remote interconnected grid. However, even if the control center access, usually via a PC, to view and potentially reconfigure (shown as 2 in Figure 4.2) has taken all the necessary steps the operating parameters. to protect itself from unauthorized access, either by external electronic logic or direct human intervention, if other control

OCR for page 38
42 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM centers have not taken similar steps, the entire system is vul- an effort co-sponsored by the U.S. Departments of Energy nerable. That is, the system is no stronger than the weakest and of Homeland Security in cooperation with Natural link in the chain. Resources Canada, was developed through a collaborative The communication links between the system control process led by energy owners and operators. The authors center and various devices in the field labeled as 4 in Figure explain that the purposes of the roadmap effort were to: 4.2 are perhaps less worrisome than the items labeled as 1, 2, and 3 but still constitute a source of vulnerability. While Define a consensus-based strategy that articulates the obtaining access to the electronic logic of these communi- cyber security needs of owners and operators in the cation channels and spoofing (i.e., sending a false signal) is energy sector; always a possibility, a greater concern is jamming, or physi- Produce a comprehensive plan for improving the cal disruption, that would prevent system operators from security, reliability, and functionality of advanced knowing what is going on in key parts of the system, or from energy control systems over the next 10 years; and issuing needed commands. Guide efforts by industry, academia, and government Finally, the myriad devices that sense and control the and help clarify how each key stakeholder group can power system in the field present vulnerabilities. Of par- contribute to planning, developing, and disseminat- ticular concern are wireless and dial-up connections that ing security solutions. could be monitored, spoofed, jammed, or reprogrammed. For example, if it were possible to reach and reprogram The authors note: relays that control circuit breakers, considerable physical harm could be inflicted on some devices under some circum- [The] Roadmap builds on existing government and industry stances. 
However, today such relays can no longer be reached efforts to improve the security of control systems within the from the outside on most major systems, and new mandatory private sector by working through (1) the Electricity Sector security regulations are rapidly resulting in corrective action Coordinating Council (coordinated by the North American Electric Reliability Council) and (2) the Oil and Natural Gas in those few (typically smaller) utilities where it is still pos- Sector Coordinating Council (coordinated by the American sible. Similarly, while wireless systems are seeing greater Petroleum Institute and the American Gas Association). use, they are typically not employed in vital control systems. The Roadmap is also intended to help coordinate and guide Nevertheless, because wireless is often much cheaper to related control system security efforts, such as the Process implement than secure hard-wired controls, this is a potential Control Systems Forum (PCSF), Process Control Security source of vulnerability that warrants continued attention. Requirements Forum (PCSRF), Institute for Information None of the protective strategies discussed will be effec- Infrastructure Protection (I3P), International Electricity tive without regular programs of staff training, and careful Infrastructure Assurance Forum (IEIA), Control System adherence to thoughtfully developed procedures designed Security Center, and National SCADA Test Bed. (Eisenhauer to avoid the inadvertent introduction of alien software into et al., 2006) SCADA systems, or the creation of interconnections to out- side systems that may not be secure, or can be accessed via Figure 4.3 provides a graphical summary of the results of the Internet or similar means. this effort. The U.S. Department of Homeland Security's Advanced Research Projects Agency (HS-ARPA) has recently funded TOWARD SECURE SYSTEMS FOR SENSING, several innovative technology development efforts. 
These COMMUNICATION, AND CONTROL efforts have the potential to yield new and effective tools During the past few years there has been a notable to help secure SCADA and control systems for the electric increase in the level of activity and interest in security for power sector as well as for other sectors such as gas and oil, SCADA and control system communications both within the water, and transportation. U.S. government and within the electric power industry. For Individual companies and industry research organizations example, DOE has created the National SCADA Test Bed, have also been active. Two examples are the American Gas which includes the Idaho National Laboratory, Pacific North- Association (AGA) and the Electric Power Research Institute west National Laboratory, Sandia National Laboratories (EPRI). AGA has developed a specification for retrofit secu- (SNL), and the National Institute of Standards and Technol- rity of SCADA and control system communications. EPRI ogy (NIST). Work performed by these laboratories includes maintains several programs to provide member companies development of retrofit solutions, testing of vendor products, with security solutions for operational systems. However, validation of encryption techniques and algorithms, vulner- utilities' interest in investing in major new initiatives in this ability assessments for industry, and assessment of threats to area has been modest. SCADA and control system communications. The North American Energy Reliability Council (NERC) The January 2006 "Roadmap to Secure Control Systems Critical Infrastructure Protection Committee (CIPC) devel- in the Energy Sector" (Eisenhauer et al., 2006), the result of ops security standards and guidelines for the electric power

OCR for page 38
VULNERABILITIES OF SYSTEMS FOR SENSING, COMMUNICATION, AND CONTROL 43 FIGURE 4.3 Road map for achieving secure control systems in the energy sector. SOURCE: Eisenhauer et al. (2006), p. 3. industry. Formal CIPC representation is determined by the practices that can help mitigate the risks, and provides a FIGURE 4.3 NERC regions, but meetings can be observed by any qualified nonprioritized list of the 10 most common and threatening industry member. A March 2006 report (NERC, 2006) by the vulnerabilities to control systems in the electric sector based NERC Control Systems Security Working Group (CSSWG) on the combined expertise of the NERC CSSWG members. and the U.S. Department of Energy National SCADA Test The list, prepared by the CSSWG, is updated annually. As of Bed (NSTB) program highlights potential risks that can March 2006, the top vulnerabilities of control systems and apply to some electricity sector organizations, describes potential mitigation strategies were assessed to be:

OCR for page 38
44 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM

• Inadequate policies, procedures, and culture governing control system security;
• Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms;
• Remote access to control systems without appropriate access control;
• Auditable system administration mechanisms (system updates, user metrics, etc.) that are not part of the control system implementation;
• Inadequately secured wireless communication;
• Use of a nondedicated communications channel for command and control, such as Internet-based SCADA, and/or inappropriate use of control system network bandwidth for noncontrol purposes (e.g., voice over Internet Protocol, or VoIP);
• Lack of quick and easy tools to detect and report on anomalous or inappropriate activity; inadequate or nonexistent forensic and audit methods;
• Installation of inappropriate applications on critical control system host computers;
• Software used in control systems that is not adequately scrutinized; and
• Control systems command and control data not authenticated.

Electric power utilities typically own and operate at least parts of their own telecommunication systems, which often consist of a fiber-optic or microwave backbone connecting major substations, with spurs to smaller sites. Historically, the energy industry operated closed, tightly controlled networks. Deregulation and the resulting commercial influences have placed new information-sharing demands on the industry. Traditional external entities like suppliers, consumers, regulators, and even competitors now must have access to segments of the network. The definition of the network must be expanded to include the external wide-area network connections for these external entities. This greatly increases the security risk to other functional segments of the internal network that must be protected from external connections. This is true whether a private network or the Internet is used to support the external wide-area network.

The external entities already have connections to the Internet, and as such the Internet can provide the backbone for the external wide-area network. Duplicating this backbone to create a private network requires not only large startup costs but also ongoing maintenance costs and potentially higher individual transaction costs than using the Internet. Nearly all control centers have multiple communication links. To understand the data security issues in the communication routes into the centers, more effort is required to determine how key data are routed before they get to the center and where vulnerabilities exist (see Box 4.1).

In addition, standards for future solutions are being developed in several arenas, including, but not limited to, the International Electrotechnical Commission, the Instrumentation, Systems, and Automation Society, and, of course, the IEEE and ASME. To address known vulnerabilities, the industry has worked diligently for the last 5 years to develop mandatory cyber standards through the NERC standards process. These mandatory standards will require a variety of preventive actions by all firms operating electric power facilities connected to the electric grids in North America. It is important to note that to effectively address the evolving spectrum of cyber threats, cyber standards should allow new technology solutions to be rapidly implemented and integrated to keep pace with these dynamic threats. Appendix E summarizes these new standards, which should be fully adopted within 3 to 5 years.

In summary, given the dynamic nature of cyber and communication threats, the long-term issue of cyber security and the hardening of the communications networks that provide mission-critical information to the energy control centers will require more investigation to enable dealing effectively with the threat.

CONCLUSIONS

Minimizing penetration pathways to critical cyber systems is essential. The use of information/cyber systems makes more complex operation possible but also introduces new vulnerabilities. Any interconnection of the control systems with various corporate business systems, and thus to public networks, adds to the system vulnerability. Stand-alone autonomous systems are ultimately the most secure. Isolation of the critical systems must be the basic principle of cyber security for the power grid.

Judicious interconnection is unavoidable. Although interconnection with public communication networks should always be avoided, control systems do need data from other systems, and vice versa. For example, energy management systems (EMSs) often need data from neighboring control centers or from market computers. Similarly, some engineering systems need data from the SCADA system or the EMS or from substation control or monitoring equipment. Such interconnections represent security risks and should be designed with care using high-quality security tools and the best available management practices. Firewalls with proper authentication and verification procedures, together with the use of unidirectional data transfer when appropriate, should be utilized.

Best practices for security provisions always apply. Cybersecurity is part of FERC/ERO mandatory reliability standards. "Basic" security protocols and architecture must be standardized and adopted. SCADA/control system protocols should include elements to assure authentication and integrity. The process of developing, testing, and applying software security patches, and related upgrades, should be accelerated and requires careful and continuing management attention.
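The first three conclusions (minimize penetration pathways, interconnect judiciously through firewalls and one-way transfer, standardize basic architecture) become checkable once they are written as rules over the firewall policy that joins the control network to everything else. The following Python is an added example, not code from the report or from any utility's tooling. It assumes a four-zone trust model (Internet, corporate, DMZ, control), a simplified rule record, a short list of what counts as control traffic, and a constructed sample rule set; none of these come from the page. The audit flags rules that open a direct path into the control zone past the DMZ, carry non-control services onto the control network (the nondedicated-channel vulnerability), permit remote access without strong authentication, or let data leave the control zone over a bidirectional link where a one-way transfer would do.

```python
"""Audit a control-center firewall rule set against the interconnection
principles in the conclusions above.

Added example, not from the report. The zone model, rule format, service
names and SAMPLE_RULES are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumed trust ordering: a higher number is a more critical zone. Traffic
# should cross one level at a time, with the DMZ as the only meeting point.
ZONE_TRUST = {"internet": 0, "corporate": 1, "dmz": 2, "control": 3}

# Assumed services that are legitimately control traffic on the control net.
CONTROL_SERVICES = {"dnp3", "iec104", "iccp"}
# Assumed interactive remote-access services that need strong authentication.
REMOTE_ACCESS = {"ssh", "rdp"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    unidirectional: bool = False  # enforced by a one-way gateway / data diode
    mfa: bool = False             # multi-factor auth required on this path


def audit(rules):
    """Return (rule name, finding) pairs; an empty list means the set is clean."""
    findings = []
    for r in rules:
        hop = ZONE_TRUST[r.dst] - ZONE_TRUST[r.src]

        # 1. A path that jumps more than one trust level bypasses the DMZ
        #    (internet->control, corporate->control, control->corporate).
        if abs(hop) > 1:
            findings.append((r.name, f"{r.src}->{r.dst} skips the intermediate zone; route through the DMZ"))

        if r.dst == "control":
            # 2. Remote access into the control zone without strong authentication.
            if r.service in REMOTE_ACCESS and not r.mfa:
                findings.append((r.name, f"remote access ({r.service}) into control without strong authentication"))
            # 3. Anything else that is not control traffic shares the control network.
            elif r.service not in CONTROL_SERVICES and r.service not in REMOTE_ACCESS:
                findings.append((r.name, f"non-control service {r.service} shares the control network"))

        # 4. Data leaving the control zone should go over a one-way transfer.
        if r.src == "control" and hop < 0 and not r.unidirectional:
            findings.append((r.name, f"{r.src}->{r.dst} feed is bidirectional; use one-way transfer"))
    return findings


# Constructed sample rule set: the first three are acceptable, the rest are not.
SAMPLE_RULES = [
    Rule("iccp-peer", "dmz", "control", "iccp"),                          # ICCP relayed via DMZ proxy
    Rule("historian-feed", "control", "dmz", "historian", unidirectional=True),
    Rule("eng-jump", "dmz", "control", "ssh", mfa=True),                   # jump host with MFA
    Rule("vendor-remote", "internet", "control", "rdp"),                   # direct path, no MFA
    Rule("voip-on-scada", "corporate", "control", "sip"),                  # nondedicated channel
    Rule("replication", "control", "dmz", "sql"),                          # two-way link out of control
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Running it on the sample set reports nothing for the first three rules and five findings for the last three. The checks are deliberately structural: they say nothing about whether the firewall implementing the rules is itself patched or whether its logs are reviewed, which the later conclusions on auditing and patch management address separately.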
Substation cyber security requires defense at several levels. Assuring security of communication between a growing multitude of microprocessor-based devices at substations and other distributed systems is a challenge that must be met with various levels of defense. All modern relays and other monitoring equipment have processors, and data capture and communications interfaces, which need to be connected, but this must be done with security as a strict requirement. Minimizing connectivity, requiring/ensuring strict authentication, and conducting regular testing are all important. Although wireless communication usage is increasing for various applications within substations, wireless links should not be used to implement critical control functions.

Protection against human error is critical. Many controls are still manual, and even the automatic control systems require manual testing and maintenance, thus allowing many human interfaces. In addition to limiting access and requiring strict authentication to screen out unauthorized personnel, systems should be hardened against human error. For example, testing equipment (laptops) has been known to have introduced viruses into substation equipment. Hardening against human error automatically raises the barrier against malicious attack.

BOX 4.1 Addressing Control System Vulnerabilities

An article by Welander (2007) summarizes recent progress and work led by the North American Electric Reliability Council (NERC) in addressing 10 control system vulnerabilities highlighted in 2006 by the Control Systems Security Working Group of NERC (NERC, 2006). The article quotes a NERC official as stating that the 2006 version "has grown from a simple listing of vulnerabilities in 2004, to include three levels of mitigations for each of the documented vulnerabilities" (Welander, 2007, p. 38). Excerpts regarding 3 of the 10 listed vulnerabilities are given below:

Inadequately secured wireless communication (including microwave technologies)

Before installing wireless, it's important to do a complete assessment to identify the best areas for wireless use and ensure that leakage out of the plant is minimized. Wireless leakage occurs when you have transmitters or wireless-enabled workers walking around with tablet PCs or handheld devices. Those devices may be transmitting in an area outside a plant. (Welander, 2007, p. 42)

On the wireless network side, technologies such as 802.11b and g are often in place, operating in the 2.4 GHz spectrum. Often they have been deployed without a suitable site survey to determine if coverage is adequate and to evaluate if spurious emissions are limited so that people external to the facility must work hard to find these networks. (Welander, 2007, p. 42)

Use of a nondedicated communications channel for command and control

[An example of this] would be the case with Internet-based SCADA. This vulnerability also could include inappropriate use of control system network bandwidth for non-control purposes, such as VoIP (voice over Internet Protocol). . . . IT [information technology] professionals typically look at application performance, and near real time for control is a foreign concept. Taking 300-500 ms extra to receive e-mail or a Webpage is largely unnoticeable; 300-500 milliseconds for control messages or safety messages could be disastrous. Often, what is an acceptable level of saturation or utilization from an IT perspective can spell disaster for controls. (Welander, 2007, p. 42)

Unauthenticated command and control data

Not all controllers out there today authenticate who's making the change and authorize that the change is allowed for that user through the controller. This security step on most control systems is performed at a layer in the control system above the controllers. This leaves the controllers vulnerable, and that's why defense-in-depth is absolutely required. You've got to make sure the controllers are deep down in the security infrastructure, with multiple layers of defense above them. If you're not doing that, then your controllers are basically wide open on the Web. (Welander, 2007, p. 44)

Mitigation strategies for all 10 of the vulnerabilities range from using software packages to changing corporate culture. The online version of Welander's article (at http://www.controleng.com/article/CA6433393.html?text=welander) includes the full text of the NERC document (NERC, 2006) with three-tiered strategies for addressing each vulnerability.
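The last excerpt in Box 4.1, and the conclusion that SCADA/control system protocols should carry elements assuring authentication and integrity, point at one concrete mechanism: the controller itself verifies a keyed message authentication code over each command and rejects anything that does not verify or that it has already seen. The following Python is an added example; it is not code from the report, from NERC, or from any protocol standard such as AGA-12 in the bibliography, and it does not implement the wire format of any real SCADA protocol. The frame layout (4-byte sequence number, command bytes, HMAC-SHA256 tag), the in-memory sequence state, and the constructed key and command are assumptions for illustration. It puts the unauthenticated "execute whatever arrives" behavior beside the hardened one so that the forged, replayed and altered cases can be seen to fail only on the hardened path.

```python
"""Minimal authenticated command channel for a controller: a keyed MAC over
(sequence number || command) verified by the outstation, with replay rejection.

Added example, not from the report or any vendor or standard. Frame layout,
key handling and the command encoding are assumptions for illustration.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32  # full HMAC-SHA256 tag (assumption; a real protocol may truncate)


def build_frame(key: bytes, seq: int, command: bytes) -> bytes:
    """Master side: frame = seq (4 bytes, big-endian) || command || tag."""
    body = struct.pack(">I", seq) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Outstation:
    """Controller end of the link. Keeps the last accepted sequence number."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1   # accepted sequence numbers must strictly increase
        self.executed = []    # commands that were acted on

    def legacy_accept(self, frame: bytes) -> bool:
        """Unauthenticated path: any well-formed frame is executed as-is."""
        if len(frame) < 4:
            return False
        self.executed.append(frame[4:])
        return True

    def authenticated_accept(self, frame: bytes) -> bool:
        """Hardened path: verify the tag first, then freshness, then execute."""
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison; a plain == would leak timing on the tag.
        if not hmac.compare_digest(expected, tag):
            return False
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self._last_seq:
            return False  # replay of a captured frame, or an old frame reordered
        # Assumption: the 32-bit counter is rekeyed long before it wraps.
        self._last_seq = seq
        self.executed.append(body[4:])
        return True


def demo():
    """Run the legacy and hardened controllers against the same inputs."""
    key = b"constructed-example-link-key"   # placeholder only, not a real key
    cmd = b"OPERATE CB-12 OPEN"             # constructed command string
    legacy, hardened = Outstation(key), Outstation(key)
    results = {}
    # Legacy controller executes an attacker's frame that carries no tag at all.
    results["legacy_accepts_forgery"] = legacy.legacy_accept(struct.pack(">I", 1) + cmd)
    # Genuine frame from the master is accepted once.
    good = build_frame(key, 1, cmd)
    results["genuine"] = hardened.authenticated_accept(good)
    # The same capture sent again: tag verifies, sequence number is stale.
    results["replay"] = hardened.authenticated_accept(good)
    # Forged under a guessed key: tag does not verify.
    results["forged"] = hardened.authenticated_accept(build_frame(b"guess", 2, cmd))
    # Genuine frame with one command byte altered in transit: tag does not verify.
    tampered = bytearray(build_frame(key, 2, cmd))
    tampered[6] ^= 0x01
    results["tampered"] = hardened.authenticated_accept(bytes(tampered))
    # The master's next genuine frame still goes through.
    results["next_genuine"] = hardened.authenticated_accept(build_frame(key, 2, cmd))
    results["executed"] = list(hardened.executed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two caveats a practitioner would add. The last-accepted sequence number must survive a controller restart (or be re-established by a handshake) or the replay window reopens every time the device power-cycles; and a MAC gives authentication and integrity only, so a captured frame still discloses the command and its target. The key must also be provisioned per link out of band, which is the management burden the box's "multiple layers of defense" language is pointing at.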
Investment in process and personnel must be a priority. There has been a serious lack of investment in power system infrastructure in recent years, and market-based priorities are unlikely to support strategically increasing security in power systems. Cyber security, like the reliability of the grid, probably has to be mandated by the FERC/ERO process, which usually means that the mandatory standard (i.e., the minimum required) will lag behind best practices. Because cyber security weaknesses tend to provide highly opportunistic windows for would-be attackers, and mandatory standards processes tend to be slow, the industry must continue to look for ways to facilitate rapid and reliable implementation of security upgrades and patches and to ensure that its personnel are well trained and applying best practices. Simply conforming to the last round of standards will often not be sufficient to provide adequate protection.

BIBLIOGRAPHY

AGA (American Gas Association). AGA-12 Cryptographic Protection of SCADA Communications. Available at http://www.gtiservices.org/security/aga12_wkgdoc_homepg.shtml. Accessed August 2007.
Amin, M. 2000. "Toward Self-Healing Infrastructure Systems." IEEE Computer Magazine 33(8): 44-53.
Amin, M. 2001. "Toward Self-Healing Energy Infrastructure Systems." IEEE Computer Applications in Power Magazine 14(1): 20-28.
Amin, M. 2001 and 2002. Special issues on control of complex networks. IEEE Control Systems Magazine 21(6) and 22(1).
Amin, M. 2002. "Security Challenges for the Electricity Infrastructure." IEEE Computer Magazine 35(4) (Part Supplement): 8-10.
Amin, M. 2003. "North America's Electricity Infrastructure: Are We Ready for More Perfect Storms?" IEEE Security and Privacy Magazine 1(5): 19-25.
Amin, M. 2004a. "Balancing Market Priorities with Security Issues: Interconnected System Operations and Control Under the Restructured Electricity Enterprise." IEEE Power and Energy Magazine 2(4): 30-38.
Amin, M. 2004b. "Electricity." Pp. 116-140 in Digital Infrastructures: Enabling Civil and Environmental Systems Through Information Technology, R. Zimmerman and T.A. Horan, eds. London, U.K.: Routledge.
Amin, M. 2004c. "North American Electricity Infrastructure: System Security, Quality, Reliability, Availability, and Efficiency Challenges and their Societal Impacts." Chapter 2 in National Science Foundation (NSF), Continuing Crises in National Transmission Infrastructure: Impacts and Options for Modernization. Arlington, Va.: NSF.
Amin, M. 2005a. "Energy Infrastructure Defense Systems." Proceedings of the IEEE 93(5): 861-875.
Amin, M. 2005b. "Scanning the Issue." Proceedings of the IEEE 93(5): 855-860.
Amin, M. 2005c. Special issue on energy infrastructure defense systems. Proceedings of the IEEE. May.
Amin, M., and C.W. Gellings. 2006. "The North American Power Delivery System: Balancing Market Restructuring and Environmental Economics with Infrastructure Security." Energy 31(6-7): 967-999.
DHS (U.S. Department of Homeland Security). 2006. "National Infrastructure Protection Plan." June. Available at http://www.dhs.gov/nipp. Accessed August 2007.
DOE (U.S. Department of Energy). 2002. "National Transmission Grid Study." Available at http://www.pi.energy.gov/documents/TransmissionGrid.pdf. Accessed August 2007.
DOE. 2003. "Annual Energy Outlook 2003." Energy Information Administration.
Dy Liacco, T.E. 1967. "The Adaptive Reliability Control System." IEEE Transactions on Power Apparatus and Systems 86(5): 517-531.
Eisenhauer, J., P. Donnelly, M. Ellis, and M. O'Brien. 2006. "Roadmap to Secure Control Systems in the Energy Sector." Report prepared by Energetics Incorporated, Columbia, Md., sponsored by the U.S. Department of Energy and the U.S. Department of Homeland Security in collaboration with Natural Resources Canada, January. Available at http://www.controlsystemsroadmap.net/.
EPRI (Electric Power Research Institute). 1999. Electricity Technology Roadmap: 1999 Summary and Synthesis. Technical Report CI-112677-V1. 160 pp. Palo Alto, Calif.: EPRI.
EPRI. 2000. Communication Security Assessment for the United States Electric Utility Infrastructure. EPRI Report 1001174. Palo Alto, Calif.: EPRI.
EPRI. 2001. Electricity Infrastructure Security Assessment. Vol. I-II. Palo Alto, Calif.: EPRI.
EPRI. 2003a. Complex Interactive Networks/Systems Initiative: Final Summary Report--Overview and Summary Final Report for Joint EPRI and U.S. Department of Defense University Research Initiative. Palo Alto, Calif.: EPRI, 155 pp.
EPRI. 2003b. Electricity Technology Roadmap: Synthesis Module on Power Delivery System and Electricity Markets of the Future. Palo Alto, Calif.: EPRI.
EPRI. 2004. Supervisory Control and Data Acquisition (SCADA) Systems Security Guide. EPRI Report 1002604. Palo Alto, Calif.: EPRI. Available at http://www.epri.com.
EPRI. 2005a. Guideline for Securing Control System and Corporate Network Interfaces. EPRI Report 1010714. Palo Alto, Calif.: EPRI. Available at http://www.epri.com.
EPRI. 2005b. "Strategic Insights into Security, Quality, Reliability, and Availability" (co-authors: M. Amin et al.). Report 1008566. Palo Alto, Calif.: EPRI, 128 pp.
Fink, L.H., and K. Carlsen. 1978. "Operating Under Stress and Strain." IEEE Spectrum 15(March): 48-53.
Gellings, C.W., and K.E. Yeager. 2004. "Transforming the Electric Infrastructure." Physics Today 57(12): 45-52.
Hauer, F.F., and J.E. Dagle. 1999. Review of Recent Reliability Issues and System Events. Consortium for Electric Reliability Technology Solutions, Transmission Reliability Program, Office of Power Technologies, U.S. DOE, August 30.
House Committee on Energy and Commerce. 2003. Blackout 2003: How Did It Happen and Why? Committee hearing September 3-4, 2003. Available at http://energycommerce.house.gov/reparchives/108/Hearings/09032003hearing1061/print.htm. Accessed August 2007.
Kropp, T. 2006. "System Threats and Vulnerabilities: An EMS and SCADA Security Overview." IEEE Power and Energy Magazine 4(2): 46-50.
Kundur, P. 1994. Power System Stability and Control. EPRI Power System Engineering Series. New York: McGraw-Hill.
Marburger, J. 2002. Testimony before the House Committee on Science, June 14.
National Science Foundation, Division of Science Resources Statistics. 2003. Research and Development in Industry: 2000. NSF 03-318. Available at http://www.nsf.gov/statistics/nsf03318/pdf/taba19.pdf. Accessed August 2007.
NERC (North American Electric Reliability Council). Undated. Disturbance Analysis Working Group database. Available at http://www.nerc.com/~dawg/. Accessed November 2007.
NERC. 2002. "NERC Security Guidelines for the Electricity Sector." Available at http://www.esisac.com/library-guidelines.htm. Accessed August 2007.
NERC. 2006. "Top 10 Vulnerabilities of Control Systems and Their Associated Mitigations--2006." North American Electric Reliability Council, Control Systems Security Working Group, U.S. Department of Energy, National SCADA Test Bed Program, March 16, 8 pp.
President's Commission. 1997. Critical Foundations: Protecting America's Infrastructures. Report of the President's Commission on Critical Infrastructure Protection. Washington, D.C., October.
Samotyj, M., C. Gellings, and M. Amin. 2003. "Power System Infrastructure for a Digital Society: Creating the New Frontiers." Keynote address. Pp. 1-10 in Proceedings of the CIGRE/IEEE PES International Symposium on Quality and Security of Electric Power Delivery, Montreal, October 7-10.
SNL (Sandia National Laboratories). 2005a. A Reference Model for Control and Automation Systems in Electric Power. SAND2005-1001C. Albuquerque, N.Mex.: Sandia National Laboratories. Available at http://www.sandia.gov/scada/documents/NSTB_Ref_Model_V1_2.pdf. Accessed August 2007.
SNL. 2005b. Framework for SCADA Security Policy. SAND2005-1002. Available at http://www.sandia.gov/scada/documents/sand_2005_1002C.pdf. Accessed August 2007.
US-CERT. 2005. "Control Systems Cyber Security Awareness." Pittsburgh, Pa.: Carnegie Mellon University, Software Engineering Institute, July 7, 7 pp.
Weiss, Joseph. 2004. "Control Systems Cyber Security--Maintaining the Reliability of the Critical Infrastructure." Testimony before the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, March 30.
Welander, P. 2007. "10 Control System Security Threats." Control Engineering 54(4): 38-44. Available at http://www.controleng.com/article/CA6433393.html?text=welander.