At large generators, per-unit air compressors and Unidirectional
Gateways are reducing risk and reducing compliance costs.
The latest CIP V5 transition guidance explains
how to assess the impact of segmented networks. Large generating sites are
duplicating site-wide resources, such as
pneumatic air compressors and control systems, for every
generating unit. NERC CIP V5 states that if there is a strong security
perimeter around each control system segment, and no segment can influence more
than 1500 MW of generation, then the site has no Medium Impact cyber systems.
This is a significant incentive; Low Impact systems cost much less to
administer than Medium Impact systems.
Done properly, increased redundancy and
segmentation can dramatically reduce compliance costs and the cost of risks.
The right way to segment generating networks is with Unidirectional Security
Gateways. Per-unit physical redundancy and per-unit network segmentation with
Unidirectional Gateways turn one large, valuable target into many smaller,
much harder targets. Unidirectional segmentation eliminates the single biggest
risk to generating networks: the risk of remote attacks reaching through
firewalls into control system networks. It does not matter how mundane or how
sophisticated the attack is, or whether the attack comes from
corporate insiders or the Internet: Unidirectional Security Gateways physically
prevent all messages from external networks that may put a control network at
risk.
The bottom line: CIP-compliant segmentation
substantially reduces compliance costs. Per-unit Unidirectional Security
Gateways substantially reduce risks and costs. Investing a tiny fraction of
compliance cost savings into risk reduction with Unidirectional Security
Gateways is just good business.
Thursday, September 24, 2015
Friday, September 18, 2015
August news roundup: Debunking myths and unveiling threats to critical infrastructure
As the summer enjoyed its last hurrah, industrial
cybersecurity became a hot topic in the news. In August, we saw the U.S.
Department of Homeland Security working to increase security measures with a
new committee, and the National Institute of Standards and Technology put out
a new proposal to improve international standards in cyberspace. Underlying
these developments are the ever-present myths and real threats against our
critical infrastructure. For details on these stories and more, check out our
monthly snapshot of important industrial cybersecurity news below.
Five myths of industrial control system security (SC Magazine, Aug. 20, 2015)
Despite widespread concern about cyberattacks on industrial
control systems, IT security models continue to use outdated methods of
cybersecurity based on several unfortunate myths. The belief that firewalls
provide adequate protection of our critical infrastructure is one myth that
persists despite proof to the contrary. The fact is, firewalls offer only a
small amount of protection, not enough to protect our irreplaceable power
grids or the many lives that could be affected by an industrial cyberattack.
Five Reasons The U.S. Power Grid Is Overdue For A Cyber Catastrophe (Forbes,
Aug. 19, 2015)
The U.S. power grid is long overdue for a cyberattack,
according to Forbes contributor and CEO of think tank Lexington Institute, Loren Thompson.
The security community has noticed an increase in the number of attacks on
industrial control systems used to operate the power grid, a majority of which
were cyber-related. Thompson noted several reasons for this increase including
the grid’s numerous vulnerabilities, consistent oversights in its regulatory
structure and a lack of financial incentives to encourage security investments in
the industry.
Homeland Security moves to prevent attack on power grid (The Hill, Aug. 14, 2015)
The U.S. Department of Homeland Security is creating a new
committee to boost digital defenses for the industrial sector. The reason
behind this decision is the increasing risk of cyberattacks to critical
infrastructure sites, especially as electric grids are getting smarter. Homeland
Security Secretary Jeh Johnson called for the panel to identify how well the
department’s “lifeline sectors” are prepared to deal with threats and recover
from a cyberattack. The committee is also tasked with providing recommendations
for a more unified approach to state and local cybersecurity.
A Critical Time for Critical Infrastructure (Light Reading, Aug. 13, 2015)
According to a recent Intel Security and Aspen Homeland
Security Program report, operators of critical infrastructure are
over-confident in their ability to defend against attacks and misunderstand the
scale of the current threat environment. In North America, this reality is one
of the forces behind the North American Electric Reliability Corporation's
(NERC) Critical Infrastructure Protection (CIP) requirements. NERC CIP Version
5 calls for utilities of all sizes to meet new cyber security protection
requirements and has a compliance deadline of April 2016.
NIST identifies objectives for cyber standards (FCW, Aug. 11, 2015)
The National Institute of Standards and Technology recently
drafted a new proposal, which includes four broad objectives for the
government’s pursuit of international standards in cyberspace: improve national
and economic security, ensure standards are technically sound, support
standards that promote international trade, and develop standards in tandem
with industry to boost innovation. If fully implemented, NIST declares the
guidance will “enable a comprehensive United States cybersecurity
standardization strategy.”
Wednesday, September 9, 2015
Unidirectional protections for electric generation (A white paper)
Waterfall Security Solutions released a new
white paper describing how Unidirectional Security Gateways and related
products are used in power generation applications. The white paper documents
the big picture of how, where and why Waterfall’s customers are using the
company’s products to protect generating networks. To my knowledge, this is the
first time a comprehensive network architecture or use case for unidirectional
protections of generating networks has been documented.
The various icons in the diagram depict either unidirectional
security gateways, inbound/outbound gateways, the Waterfall FLIP or Waterfall’s
Application Data Control add-on. Waterfall customers generally deploy this
architecture because they have decided that the risk of an online attack from
the corporate network or the Internet that could affect control systems, safety
systems or protection systems is unacceptable. To address these risks,
customers generally use unidirectional security gateways and related products
to replace one layer of firewalls in their layered, defense-in-depth network
architectures. With this layer in place, the chain of infection from the
Internet and through corporate networks is broken.
Most customers deploy the layer of unidirectional protections
at their plants’ IT/OT interfaces, separating plant networks or unit networks
from their corporate networks. The remaining customers generally deploy the
unidirectional layer to protect safety-instrumented systems and networks of
protective relays from plant and control networks.
In either case, the layer of unidirectional protections
separates the most important plant systems from remote attackers. This results
in dramatic reductions in cyber risk and the associated cost of risk. NERC CIP
and other compliance programs are also very much simplified and reduced in
cost, because the strong security of unidirectional protections means far fewer
compensating measures need be deployed to reach security targets, and the NERC
CIP and other standards increasingly recognize this. In addition, unidirectional
gateways and related technologies deployed at the IT/OT connection require far
less labor to maintain and monitor than do porous firewalls.
An ever-increasing number of customers are recognizing the
benefits of unidirectional security gateways and related unidirectional
protective technologies in power plants. Standards authorities agree. Power
plants are, after all, not expendable, either to electric utilities or to
society at large.
For more information
about how unidirectional security gateways reduce threats to critical
infrastructure, and to download a copy of the new white paper, check out our resources page.