At large generators, per-unit air compressors and Unidirectional Gateways are reducing risk and reducing compliance costs.
The latest CIP V5 transition guidance explains
how to assess the impact of segmented networks. Large generating sites are
duplicating site-wide resources, such as
pneumatic air compressors and control systems, for every
generating unit. NERC CIP V5 states that if there is a strong security
perimeter around each control system segment, and no segment can influence more
than 1500 MW of generation, then the site has no Medium Impact cyber systems.
This is a significant incentive; Low Impact systems cost much less to
administer than Medium Impact systems.
Done properly, increased redundancy and
segmentation can dramatically reduce compliance costs and the cost of risks.
The right way to segment generating networks is with Unidirectional Security
Gateways. Per-unit physical redundancy and per-unit network segmentation with
Unidirectional Gateways turn one large, valuable target into many smaller,
much harder targets. Unidirectional segmentation eliminates the single biggest
risk to generating networks: the risk of remote attacks reaching through
firewalls into control system networks. It does not matter how mundane or how
sophisticated the attack is, or whether the attack comes from
corporate insiders or the Internet: Unidirectional Security Gateways physically
prevent all messages from external networks that may put a control network at
The bottom line: CIP-compliant segmentation
substantially reduces compliance costs. Per-unit Unidirectional Security
Gateways substantially reduce risks and costs. Investing a tiny fraction of
compliance cost savings into risk reduction with Unidirectional Security
Gateways is just good business.
Thursday, September 24, 2015
Friday, September 18, 2015
As the summer enjoyed its last hurrah, industrial cybersecurity became a hot topic in the news. In August, we saw the U.S. Department of Homeland Security working to increase security measures with a new committee, and the National Institute of Standards and Technology put out a new proposal to improve international standards in cyberspace. Underlying these developments are the ever-present myths and real threats against our critical infrastructure. For details on these stories and more, check out our monthly snapshot of important industrial cybersecurity news below.
Five myths of industrial control system security (SC Magazine, Aug. 20, 2015)
Despite widespread concern about cyberattacks on industrial control systems, IT security models continue to use outdated methods of cybersecurity based on several unfortunate myths. The belief that firewalls provide adequate protection of our critical infrastructure is one myth that perpetuates despite proof to the contrary. The fact is, firewalls offer only a small amount of protection, but not enough to protect our irreplaceable power grids or the many lives that could be affected by an industrial cyberattack.
Five Reasons The U.S. Power Grid Is Overdue For A Cyber Catastrophe (Forbes, Aug. 19, 2015)
The U.S. power grid is long overdue for a cyberattack, according to Forbes contributor and CEO of think tank Lexington Institute, Loren Thompson. The security community has noticed an increase in the number of attacks on industrial control systems used to operate the power grid, a majority of which were cyber-related. Thompson noted several reasons for this increase including the grid’s numerous vulnerabilities, consistent oversights in its regulatory structure and a lack of financial incentives to encourage security investments in the industry.
Homeland Security moves to prevent attack on power grid (The Hill, Aug. 14, 2015)
The U.S. Department of Homeland Security is creating a new committee to boost digital defenses for the industrial sector. The reason behind this decision is the increasing risk of cyberattacks to critical infrastructure sites, especially as electric grids are getting smarter. Homeland Security Secretary Jeh Johnson called for the panel to identify how well the department’s “lifeline sectors” are prepared to deal with threats and recover from a cyberattack. The committee is also tasked with providing recommendations for a more unified approach to state and local cybersecurity.
A Critical Time for Critical Infrastructure (Light Reading, Aug. 13, 2015)
According to a recent Intel Security and Aspen Homeland Security Program report, operators of critical infrastructure are over-confident in their ability to defend against attacks and misunderstand the scale of the current threat environment. In North America, this reality is one of the forces behind the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) requirements. NERC CIP Version 5 calls for utilities of all sizes to meet new cyber security protection requirements and has a compliance deadline of April 2016.
NIST identifies objectives for cyber standards (FCW, Aug. 11, 2015)
The National Institute of Standards and Technology recently drafted a new proposal, which includes four broad objectives for the government’s pursuit of international standards in cyberspace: improve national and economic security, ensure standards are technically sound, support standards that promote international trade, and develop standards in tandem with industry to boost innovation. If fully implemented, NIST declares the guidance will “enable a comprehensive United States cybersecurity standardization strategy.”
Interested in reading more cybersecurity news? Check out last month’s news roundup.
Wednesday, September 9, 2015
Waterfall Security Solutions released a new white paper describing how Unidirectional Security Gateways and related products are used in power generation applications. The white paper documents the big picture of how, where and why Waterfall’s customers are using the company’s products to protect generating networks. To my knowledge, this is the first time a comprehensive network architecture or use case for unidirectional protections of generating networks has been documented.
The various icons in the diagram depict either unidirectional security gateways, inbound/outbound gateways, the Waterfall FLIP or Waterfall’s Application Data Control add-on. Waterfall customers generally deploy this architecture because they have decided that the risk of an online attack from the corporate network or the Internet that could affect control systems, safety systems or protection systems is unacceptable. To address these risks, customers generally use unidirectional security gateways and related products to replace one layer of firewalls in their layered, defense-in-depth network architectures. With this layer in place, the chain of infection from the Internet and through corporate networks is broken.
Most customers deploy the layer of unidirectional protections at their plants’ IT/OT interfaces, separating plant networks or unit networks from their corporate networks. The remaining customers generally deploy the unidirectional layer to protect safety-instrumented systems and networks of protective relays from plant and control networks.
In either case, the layer of unidirectional protections separates the most important plant systems from remote attackers. This results in dramatic reductions in cyber risk and the associated cost of risk. NERC CIP and other compliance programs are also very much simplified and reduced in cost, because the strong security of unidirectional protections means far fewer compensating measures need be deployed to reach security targets, and the NERC CIP and other standards increasingly recognize this. In addition, unidirectional gateways and related technologies deployed at the IT/OT connection require far less labor to maintain and monitor than do porous firewalls.
An ever-increasing number of customers are recognizing the benefits of unidirectional security gateways and related unidirectional protective technologies in power plants. Standards authorities agree. Power plants are, after all, not expendable, either to electric utilities or to society at large.
For more information about how unidirectional security gateways reduce threats to critical infrastructure, and to download a copy of the new white paper, check out our resources page.