This article was updated on September 23, 2019.
Based on recent reports of Russian involvement in a multistage intrusion of the US power grid, and an Iranian nationals-led data breach of the Federal Energy Regulator Commission (FERC), it is no longer a question of “if” threat actors will gain access to critical infrastructure control systems – it’s when it will happen again, and for what purpose.
What can be done to thwart these potentially disruptive assaults on the electric utility industry?
Before I answer that, let’s take a step back and look at how the operating environment of utility providers contributes to their cyber vulnerability. The U.S. power system is made up of 3,300 utilities, 55,000 substations and 5.5 million miles of distribution lines. Physical assets are dispersed across the country, power generation, transmission and distribution is controlled by different operators, and OT/IT networks are highly interconnected.
A typical power plant has hundreds, if not thousands of substations that step power down from the transmission grid to the distribution grid. In a two-way communication of data, the smart grid passes information about consumption and operations needs back to a central point for analysis by energy management systems and substation automation systems. This complex web of integration exposes many exploitable points of weakness and entry.
The Benefits of Real-time, Passive ICS Detection
The situation isn’t nearly as bad as it sounds. Today, it’s considered best practice to have real-time visibility into cyber security attacks, risks and incidents. The good news is that technology advances have made that easily achievable.
Let’s think about how real-time, passive ICS anomaly detection works. Power substation equipment runs thousands of real-time processes generating a huge amount of data. Analyzing and monitoring it to detect anomalies that could have been triggered by a cyberattack is nearly impossible – unless you can a) tap into advanced computer science techniques like artificial intelligence (AI) and machine learning, and b) use the innovative techniques effectively.
While standard networking and cyber security tools rely heavily on direct programming, machine learning solves problems by programming algorithms that leverage AI to learn from data. With help from ICS cyber security experts, structures that allow the machine learning algorithm to view and interpret network and process data correctly are created. Once AI algorithms are enabled, they can quickly analyze the high volumes of ICS data that are impossible to evaluate any other way.
This data analysis is used to develop process and security profiles specific for each ICS. Once baselines are established, behavioral analytics are used to constantly monitor them. This leads to the rapid identification and alerting of cyberattacks, cyber incidents and critical process anomalies. The information can be used to prevent, contain or mitigate cyber threats or process incidents before significant damage occurs. The data analysis is also extremely helpful in reducing troubleshooting and remediation efforts.
What does all this have to do with cyberattacks targeting the power grid? Read on.
The Answer Lies in Threat Detection and Response
Two things are needed to thwart a hostile cyberattack on the substation control center – detection and counter response. The clever solution lies in advanced ICS anomaly detection that identifies the threat, creates cyber resiliency, and accelerates forensics.
Here’s how it all works:
- Security profiles have learned the behavior of the SCADA LAN and established baselines.
- The baselines are checked by system experts who have previously identified network peculiarities, such as VPN access, or IP ranges that are assigned to vendors. Pre-existing anomalies such as rogue PCs or dual-homed devices are incorporated into the baselines.
- The ICS cyber security solution rapidly identifies the suspicious activity associated with a threat actor accessing the LAN.
- A high-level incident alert is immediately sent to the appropriate operators and SOC staff.
- Staff execute the incident response plan utilizing network diagrams, asset inventories and process information available from the ICS anomaly detection system.
- ICS incident replay and archiving capabilities (“time machine”) hunt down advanced attacks that cover their tracks, and accelerate forensic analysis post incident.
Sound relatively simple? It can be with ICS anomaly detection tools like Nozomi Networks Guardian.
To learn more about the technical challenges of deploying effective cyber security for power substations and grids, and how passive ICS anomaly detection and monitoring can be used to detect and defend against cyber threat, check out the white paper below.