Showing posts with label conferences. Show all posts

Tuesday, April 29, 2014

The Security Risks of Remote Access and “Cloud Control Systems”

Today, Waterfall Security has the privilege of participating in a panel at the Federal Energy Regulatory Commission (FERC) Technical Conference to discuss technical and operational issues in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards that the commission approved in late 2013. While Waterfall supports the improvements made in NERC CIP Version 5 over previous versions, we have expressed concerns over the cybersecurity of central turbine monitoring systems and other types of interactive remote access. 

Most turbine vendors require continuous monitoring of operations as a condition of hardware warranties and hardware support contracts. Turbine vendors generally also require that sites allow occasional remote control of the turbines to correct vibration and other anomalies that might grow into catastrophic failures. This continuous monitoring and occasional remote access is most often enabled by an encrypted virtual private network (VPN) tunnel connected directly from the central monitoring site to the turbine owner’s control system network. Such a tunnel generally bypasses all of the owner’s corporate security technologies, which means there is only one layer of security between any vendor-monitored turbine anywhere in the world, including turbines not under the jurisdiction of NERC CIP, and any vendor-monitored turbine in the U.S. Further, the remote access permissions that sites grant to vendor monitoring and diagnostics centers are far more intrusive than the Inter-Control Center Communications Protocol (ICCP) set point permissions that generating utilities typically grant to Bulk Electric System (BES) Control Centers. The regulatory picture is therefore inconsistent: the CIP Version 5 standards require many technical security controls for BES Control Centers, but the central vendor sites are not held to the same standards. In fact, there are currently no technical security measures required of central vendor sites.

These concerns reflect a deeper issue: interactive remote access from any one site or laptop to a large number of similar targets in the Bulk Electric System (BES). In many utilities, a set of senior engineers’ laptops is configured with “occasional” on-demand VPN access to any of hundreds of generating and substation/switching sites. In addition, many control system technology vendors, not just turbine vendors, are setting up central “monitoring and diagnostics” sites for their products. A single remote access connection is already a security problem, should an attacker take advantage of an opening; the risk is multiplied when one site or one laptop holds access to hundreds of such VPN connections, because compromising that one endpoint yields a path into every site it can reach.

This issue can be resolved with hardware-enforced Unidirectional Security Gateways configured with Remote Screen View. Because the gateway physically permits communication in only one direction, out of the control system, there is no network path by which an attack can travel back in. Vendors who need to fix an anomaly call the affected site; site personnel turn on screen sharing through Remote Screen View so that the vendor can see the site’s screens and direct on-site engineering personnel to correct the problem.
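The two preceding points, that one vendor center or engineer's laptop may hold interactive access to hundreds of sites and that an outbound-only screen view carries none of that risk, can be checked against a site's own remote-access inventory. The script below is an added example, not Waterfall's code or anything submitted to FERC. It audits a constructed inventory of remote-access grants (the column names, endpoint names and the threshold of three sites are assumptions) and reports, per source endpoint, how many sites it can control, whether it bridges CIP and non-CIP sites, whether the source is subject to any CIP technical controls, and whether its tunnel lands directly on the control network. Unidirectional screen-view grants and ICCP set-point grants are not counted as interactive reach.

```python
"""Remote-access fan-out audit (added example; assumed schema, constructed data)."""
import csv
import io
from collections import defaultdict

# Constructed sample inventory, one row per (source endpoint, site) grant.
# Column names and endpoint names are assumptions for illustration only.
INVENTORY_CSV = """\
source,source_type,source_has_cip_controls,site,jurisdiction,access_type,path
vendor-mdc-01,vendor_center,no,plant-a,NERC_CIP,interactive_vpn,direct_to_ocs
vendor-mdc-01,vendor_center,no,plant-b,NERC_CIP,interactive_vpn,direct_to_ocs
vendor-mdc-01,vendor_center,no,plant-eu-1,non_CIP,interactive_vpn,direct_to_ocs
eng-laptop-07,engineer_laptop,yes,sub-01,NERC_CIP,interactive_vpn,via_corporate_dmz
eng-laptop-07,engineer_laptop,yes,sub-02,NERC_CIP,interactive_vpn,via_corporate_dmz
eng-laptop-07,engineer_laptop,yes,sub-03,NERC_CIP,interactive_vpn,via_corporate_dmz
eng-laptop-07,engineer_laptop,yes,plant-a,NERC_CIP,interactive_vpn,via_corporate_dmz
bes-cc-1,bes_control_center,yes,plant-a,NERC_CIP,iccp_setpoint,via_corporate_dmz
bes-cc-1,bes_control_center,yes,plant-b,NERC_CIP,iccp_setpoint,via_corporate_dmz
vendor-mdc-02,vendor_center,no,plant-b,NERC_CIP,screen_view_outbound,unidirectional
"""

# Only grants that allow the remote party to operate the site count as reach.
# ICCP set points and outbound-only screen views are deliberately excluded.
INTERACTIVE = {"interactive_vpn"}


def load_grants(text=INVENTORY_CSV):
    """Parse the inventory into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def fan_out(grants):
    """Map each source endpoint to the set of sites it can interactively control."""
    reach = defaultdict(set)
    for g in grants:
        if g["access_type"] in INTERACTIVE:
            reach[g["source"]].add(g["site"])
    return reach


def audit(grants, max_sites=3):
    """Return {source: {"sites": [...], "reasons": [...]}} for risky endpoints.

    max_sites is an assumed policy threshold: an endpoint that can reach more
    sites than this is a concentration risk regardless of other findings.
    """
    reach = fan_out(grants)
    rows_by_source = defaultdict(list)
    for g in grants:
        if g["access_type"] in INTERACTIVE:
            rows_by_source[g["source"]].append(g)

    findings = {}
    for src, rows in rows_by_source.items():
        jurisdictions = {r["jurisdiction"] for r in rows}
        reasons = []
        if len(reach[src]) > max_sites:
            reasons.append(f"reaches {len(reach[src])} sites interactively")
        if "NERC_CIP" in jurisdictions and len(jurisdictions) > 1:
            reasons.append("bridges CIP and non-CIP sites")
        if any(r["source_has_cip_controls"] == "no" for r in rows):
            reasons.append("source not subject to CIP technical controls")
        if any(r["path"] == "direct_to_ocs" for r in rows):
            reasons.append("tunnel terminates on the control network, bypassing corporate security")
        if reasons:
            findings[src] = {"sites": sorted(reach[src]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, f in audit(load_grants()).items():
        print(f"{src}: {len(f['sites'])} site(s) reachable")
        for reason in f["reasons"]:
            print(f"  - {reason}")
```

On the constructed data the vendor center is flagged on three counts even though it reaches only three sites, the engineer's laptop is flagged purely for fan-out, and neither the ICCP-only control center nor the unidirectional screen-view vendor appears in the findings. Replacing the embedded CSV with an export from a real VPN or jump-host configuration is the only change needed to run it on a live inventory.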

Waterfall has formally submitted these comments in a prepared statement for the April 29 FERC Technical Conference. It is our hope that FERC and NERC will take a deeper look into the risks posed by central turbine monitoring and remote access systems, and will take the appropriate measures to mitigate these threats to the reliability of the BES.

Monday, February 3, 2014

S4 Takeaway: Differences between North America and Europe

I've had a week now to reflect on my experience at Digital Bond's 2014 S4 conference and compare it to others I had last quarter. I spent almost all of Q4 2013 on the road with customers and at conferences, both in North America and Europe. While it is unfair to paint either region with one brush, I do see broad differences in the level of understanding of industrial cybersecurity issues.

For example, in North America, I rarely have to explain why cybersecurity is important to industrial sites. I am often asked to relate what the latest developments are, how they fit into the overall risk and solution picture, and how various debates in the industrial control system (ICS) security field are evolving. I also tend to see people working to understand how the latest developments fit into their understanding, and deciding what these developments suggest as to how organizations need to evolve their security programs.

Compare that with Europe, where interactions with representatives of critical infrastructure owners and operators tend to be more challenging. Operations teams will often say that security is an IT problem. Meanwhile, IT is busy deploying privacy-focused security technologies on operational and control system networks with limited success. Both groups struggle to see how state-of-the-practice OT security technology, like Unidirectional Gateways, fits into their IT-style integrated systems and IT security programs. The widely known, very effective techniques used to break into IT-style networks are a risk Europeans tend to discount.

In hindsight, my experience at S4 really highlighted these differences. The programs and discussions were all about control systems and issues and solutions specific to them. For example, I'd been hearing about the DNP3 news second-hand, and was really looking forward to Chris Sistrunk's presentation of his and Adam Crain's work. "Ahh," I thought, "they used a fuzzer! And against master stations, not remote terminal units. Of course they found vulnerabilities – good for them! More work like that needs to be done." And then there was the "risk-based" debate regarding the NIST cybersecurity framework, which crystallized the understanding that cyber risk assessment really does need to be different for critical infrastructure sites versus other kinds of industrial sites.

To be fair, there are other large (by ICS cybersecurity standards) and high-quality events on the slate every year in North America – NERC's GridSecCon, the SANS SCADA events, the ACS Cyber Security Conference and the DHS ICSJWG events all spring to mind. Many Europeans attend and contribute to these events and to S4 – the real leaders in Europe are no slackers. But S4 seems to be where the world's technical leaders get together to argue things out. Differences between experts remain when the day is over, of course, but at least everyone goes away armed with the latest data and counter-arguments.

Admittedly, my experience in Europe is limited. I've only just started attending events and visiting European customers, and there is a spectrum of sophistication in a region this large and diverse. For example, one meeting I had with senior government and industry leaders in the UK earlier this year was impressive. I did not have to explain to them why security was important or how control systems were different – they were the ones asking me the hard questions, testing my answers and seeing how my information fit into their understandings and plans.

On average though, I have the impression that there is more awareness-level work to do in Europe than there is in North America. Look for greater Waterfall participation in European industrial cyber-security events, as well as standards, guidance and research efforts.

By the way: business is booming. We're swamped. Waterfall is hiring. Not all the jobs are posted yet. Drop us a note if you enjoy working hard, doing important work and being on the road a lot: jobs@waterfall-security.com