Today, Waterfall Security has the privilege of participating
in a panel at the Federal Energy Regulatory Commission (FERC) Technical
Conference to discuss technical and operational issues in the North American
Electric Reliability Corporation (NERC) Critical Infrastructure Protection
(CIP) Version 5 standards that the commission approved in late 2013. While Waterfall
supports the improvements made in NERC
CIP Version 5 over previous versions, we have expressed concerns over the
cybersecurity of central turbine monitoring systems and other types of
interactive remote access.
Most turbine vendors require continuous monitoring of
operations as a condition of hardware warranties and hardware support contracts.
Turbine vendors generally also require that sites allow occasional remote
control of the turbines to correct vibration and other anomalies that might
grow into catastrophic failures. This continuous monitoring and occasional
remote access is most often enabled by an encrypted virtual private network
(VPN) tunnel connected directly from the vendor's central monitoring site to the
turbine owner's control system network. The tunnel generally bypasses all of the
owner's corporate security technologies, and the encryption only protects the
tunnel's contents in transit; it does nothing to stop malicious traffic that
originates at the vendor end. The result is that the vendor's central site is the
only layer of security in the path. Every monitored turbine terminates a tunnel at
that same central network, so an attacker who gains a foothold there, including
through the tunnel from a vendor-monitored turbine anywhere in the world – even a
turbine not under the jurisdiction of NERC CIP – has a VPN path into any
vendor-monitored turbine in the U.S. Further, the remote access permissions
that sites grant to vendor monitoring and diagnostics centers are much more
intrusive than the Inter-Control Center Communications Protocol (ICCP) set
point permissions that generating utilities typically grant to BES
Control Centers. The standards treat these two cases inconsistently: CIP Version 5
requires many technical security controls for BES Control Centers, but the
central vendor sites, which hold the more intrusive access, are not held to the
same standards. In fact, there are currently no technical security measures
required of central vendor sites.
These concerns reflect a deeper issue: interactive
remote access from any one site or laptop to a large number of similar targets
in the Bulk Electric System (BES). In many utilities there is a set of senior
engineers' laptops configured with "occasional" on-demand VPN access
to any of hundreds of generating and substation/switching sites. In
addition, many control system technology vendors, not just turbine vendors, are
setting up central "monitoring and diagnostics" sites for their products.
Any individual remote access connection is a security problem, since an attacker
who finds an opening can use it. The risk is multiplied when one site or one laptop
has access to hundreds of such VPN connections, because compromising that single
endpoint gives the attacker a path into every site it can reach.
This issue is resolved by hardware-enforced Unidirectional
Security Gateways configured with unidirectional Remote Screen View
capabilities. The gateway hardware carries traffic in one direction only, out of
the control system network, so vendor monitoring continues uninterrupted while no
network path exists for an attack to travel back in through the gateway. When a
vendor needs an anomaly corrected, the vendor calls the affected site, the site
turns on screen sharing through Remote Screen View so the vendor can see the
site's screens, and the vendor directs on-site engineering personnel to make the
correction.
Waterfall has formally submitted these comments in a
prepared statement for the April 29 FERC Technical Conference. It is our hope
that FERC and NERC will take a deeper look into the risks posed by central
turbine monitoring and remote access systems, and will take the appropriate measures
to mitigate these threats to the reliability of the BES.