Communication and Security for the Smart Grid
Protecting the Smart Grid: Security for Legacy Endpoint Devices
The Smart Grid has arrived, and with it a new wave of cyber attacks targeting the net-connected devices comprising the grid. To date, Smart Grid security has not maintained pace with the threat.
ALAN GRAU, ICON LABORATORIES
Page 1 of 1
“After years of vendors’ selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended,” says Bob Lockhart, an analyst at Pike Research.
The Smart Grid is a large, diverse network of computing devices ranging from enterprise servers used for management systems, to small specialized devices such as smart meters and control systems. Many of the devices are located in the field, exposing them to cyber attacks without the defenses provided by a corporate firewall. These remote devices play a critical role in the Smart Grid, but also provide attractive and all too often easy targets for the motivated hacker.
The impact of a successful attack on the Smart Grid could be severe. Some may argue that the risk of attack on smart meters and other special purpose devices is low since hackers are not yet targeting those systems, that their specialized designs are assumed to make them immune, or that the devices’ IP addresses are not readily available. These factors may indeed increase the difficulty faced by a hacker, but the arguments are shortsighted. The FBI has reported that attacks on smart meters could cost utility companies as much as $400 million per year.
The Stuxnet worm demonstrated that motivated hackers will go to great lengths to attack embedded devices. Given the consequence of a successful cyber attack on the Smart Grid, it is critical that manufacturers rely on more than “security by obscurity” and temporarily assigned IP addresses to shield devices from attack.
The Smart Grid is an evolving network of new and legacy devices. Many legacy devices were designed years ago without security measures, but are now being connected to the Internet. In most cases, these devices lack the ability to detect and report traffic abnormalities, probes or attacks, or to manage and control security policies. While legacy devices are gradually being replaced by newer systems with improved security, many of the devices remain deployed for 10 years or more, often in remote areas or with difficult access, resulting in very slow turnover to newer, more secure devices.
Smart Grid Networks
“Smart Grid” is a broad term covering many aspects of the electrical energy network. It encompasses energy management systems, distribution management systems, advanced metering infrastructure, power generation management and other systems.
Smart Grid networks contain a mix of PCs and special purpose embedded systems running a real-time operating system. However, control PCs used in the Smart Grid were frequently installed when the system was first deployed and have not been updated with newer operating system versions or software patches for improved resistance to attacks. As a result they are often very vulnerable to attack. Many embedded computers in the Smart Grid networks were designed before security was a major concern and contain few, if any, security measures.
Attacks on the Smart Grid
There is little dispute that additional protection is needed for the Smart Grid. According to a report in the Wall Street Journal’s CIO Journal, more than 40% of the reported cyber attacks in 2012 were directed against energy companies. These attacks were described as being part of a “massive and sustained cyber-espionage campaign.” Examples of reported attacks on utility systems include malicious software that infected a power plant, delaying the plant startup by three weeks. In another case, malicious software was introduced into a quarantined network via an infected thumb drive.
Given the large number of deployed devices and the slow turnover to secure devices, the Smart Grid has an urgent need to add security to both existing legacy devices and to new designs in a cost-effective manner.
Even devices located behind a corporate firewall should still be protected by an endpoint or Smart Grid firewall. The security requirements for Smart Grid devices are typically different than for the corporate network as a whole. The endpoint firewall can be configured with communication policies that are more restrictive than those supported by the corporate firewall and that are customized for the individual device, rather than for the entire network. In addition, an endpoint firewall can be used to protect against insider attacks or attacks originating from within the corporate network. PCs located on corporate networks typically include an endpoint firewall to implement an additional layer of security. Smart Grid devices should be afforded the same level of protection.
Smart Grid Security Requirements
A Smart Grid security solution should provide protection against attacks, allow centralized control of security policies and report status information to a security management system. These capabilities would provide Smart Grid devices with a much higher level of security and protect them from the majority of cyber attacks.
Ideally, a Smart Grid firewall would provide control of the packets processed by the device as well as protection from hackers and cyber attacks that may be launched from the Internet, inside the corporate network, or Wi-Fi networks. It would also protect against denial of service (DoS) attacks and packet floods. It should also have the ability to detect and report traffic abnormalities, probes or attacks along with the ability to manage and control changes to filtering policies
These capabilities need to be provided for both legacy devices that cannot be upgraded as well as for new devices that are being designed. This can be achieved by providing a software module that can be integrated into new device designs. This same software module can be integrated into a small footprint appliance to protect legacy devices.
Unlike enterprise firewalls designed to protect all of the computers on a corporate network, a Smart Grid firewall protects just a single device or small number of devices located within what is known as a “secure enclave.” Since the firewall is only filtering traffic for a small number of Smart Grid devices, it can be customized specifically for the requirements of those devices. It only requires two Ethernet ports and can be implemented on low-cost hardware, providing a customized and yet cost-effective solution. This kind of “bump in the wire” device is simply plugged into the network in front of the Smart Grid devices, inserting a layer of protection.
Smart Grid Firewalls
Firewall technology is standard in home and corporate networks and is a proven and reliable technology. So why not just use one of these existing solutions to create a Smart Grid firewall? For the same reasons desktop operating systems are not used in embedded devices; they are slow, big, and are not easily ported to a low-cost, special purpose device. To build a Smart Grid firewall requires a small, low-cost solution that will work on inexpensive hardware. In addition, the solution must be customizable to support filtering of Smart Grid protocols.
In addition to providing filtering, there are a number of important requirements for a Smart Grid firewall. It is crucial to provide users with a flexible and easy-to-use yet secure configuration interface. If the firewall configuration can be compromised, then the firewall can be reconfigured and bypassed, or possibly even disabled.
The firewall should also provide statistics, logging and reporting capability to allow security audits to determine if the device has been attacked, what IP address the attack originated from and other relevant details. Integration with a management system to allow centralized policy management and configuration is also critical for large scale deployments.
The “Bump in the Wire” Smart Grid firewall can be used to protect devices located at remote locations without making any modifications to the Smart Grid device. It can also be used to protect devices located at non-remote location. For new Smart Grid devices, the firewall software can be integrated into the device itself to ensure protection (Figure 2).
A firewall to protect Smart Grid devices can be implemented as an external “Bump in the Wire” firewall that protects the Smart Grid device from Internet delivered threats.
Blocking Attacks with a Smart Grid Firewall
As stated above, many Smart Grid devices with limited security are now connected to the Internet, exposing their security vulnerabilities. This can be remedied by using a Smart Grid firewall to control communication. Smart Grid devices may only need to communicate with a small number of other devices. This can be enforced using polices that restrict communication to only what is required. Communication policies define who the device is allowed to talk to, what protocols are allowed and what ports are open. The policies are then encoded as firewall rules. The firewall filters messages before the device processes the messages and only allows communication with known, trusted devices.
In a system without a firewall, a hacker may attempt to remotely access the device using default passwords, dictionary attacks, or stolen passwords. Such attacks are often automated, allowing a huge number of attempts to break the system’s password. The same system can be protected by a firewall configured with a whitelist of trusted hosts. The firewall’s filters will block attacks from the hacker before a login is even attempted because the IP or MAC address is not on the whitelist, thereby blocking the attack before it even really begins (Figure 3).
Rules-based filtering is used to enforce communication policies, blocking packets from non-trusted senders and isolating devices from attack.
Smart Grid Firewall Design
The firewall must provide the ability to configure communication policies, a set of rules specifying which packets are processed and which are blocked. Rules can be set up to block or allow packets by IP address, port, protocol, or other criteria. Some firewalls support advanced rules allowing additional fine-grained control over the filtering process.
A Smart Grid firewall may also provide Stateful Packet Inspection (SPI) and threshold-based filtering. SPI filtering maintains information on the state of the connection and uses that information to distinguish legitimate from malicious packets. Threshold-based filtering maintains statistics on the number of packets received in order to detect and block packet flood DoS attacks. Undetected and unblocked DoS attacks may overload the Smart Grid device, degrading its performance or causing it to fail altogether.
Many attacks are blocked before a connection is even established because each packet received by the devices must pass through the firewall for filtering before being processed. This provides a simple, yet effective layer of protection that is currently missing from most Smart Grid devices (Figure 4).
A multi-stage filtering engine provides fine-grained control over the packets processed by the Smart Grid device.
Firewalls provide a simple and effective layer of security and have long been used to protect home and enterprise networks. A small Smart Grid firewall can be used to protect devices from a wide range of cyber attacks. By controlling who the device talks to, most attacks can be blocked before a connection is even established. A cost-effective firewall appliance can provide a critical layer of defense for legacy Smart Grid devices, while a software-based Smart Grid firewall can be integrated into new devices, ensuring security is part of the device.
Icon Laboratories, Des Moines, IA. (515) 226-3443. [www.iconlabs.com].