[iwar] [fc:Protecting.the.Grid.from.Cyber.Attack]

From: Fred Cohen (fc@all.net)
Date: 2002-02-28 20:44:01


To: iwar@onelist.com (Information Warfare Mailing List)

Protecting the Grid from Cyber Attack

By Paul Oman, Edmund Schweitzer and Jeff Roberts, Utility Automation,
2/27/02
http://ua.pennwellnet.com/Articles/Article_Display.cfm?Section=Articles&SubSection=CurrentIssue&ARTICLE_ID=136659&VERSION_NUM=1

Safeguarding IEDs, Substations and SCADA Systems

Modern configurations of electric power control systems and protection
devices are essentially systems of distributed intelligent devices that
closely resemble networked computing systems. Figure 1 shows a typical
substation utilizing a multitude of communications protocols. These
protocols are used to connect protection equipment such as breakers,
reclosers, relays and intelligent electronic devices (IEDs) to control
equipment like programmable logic controllers (PLCs), remote terminal
units (RTUs), data processing units (DPUs), communications controllers,
local PCs and SCADA devices.

The network topology and remote access points create vulnerabilities
that electronic intruders, or hackers, can exploit. Integration and
automation engineers need to recognize these vulnerabilities and apply
information security (InfoSec) technology to either reduce the risk of
electronic intrusion or close it off altogether.

Typical safeguards against computer intrusions involve authentication of
communicating partners, securing the connection between sites,
encrypting data communication between sites, and identification and
remediation of intrusions if and when they penetrate the network.
Fortunately, several techniques and processes can be used to safeguard
virtually every type of programmable digital device used in electric
power systems control and protection.

The cornerstone of all network security is access restriction and user
authentication. Beyond that, the concerns are keeping communication
packets from prying eyes (encryption), detecting any alteration of a
packet in transit (integrity), and proving who sent a message so that
the sender cannot later deny it (non-repudiation). Table 1 contains a
synopsis of technologies to safeguard network equipment, ordered by
increasing cost and complexity. A closer examination of these tools and
technologies follows.

Tools for Mitigating Vulnerability
Access restriction can be both physical and electronic. Physical access
restriction is commonplace and will not be discussed here. Electronic
access restriction is easily implemented via a password or personal
identification number (PIN) keyed to systems, individual computers,
digital devices, databases or database records. A one-to-many mapping
between password or PIN and users, such that a whole group of users
shares the same password or PIN, is an example of a simple access
restriction technique. It keeps outsiders out but cannot tell group
members apart: the audit log can only record that "someone with the
PIN" acted, and the secret must be changed whenever any member of the
group leaves.

User authentication occurs when there is a one-to-one mapping between
the user and his or her authentication mechanism. For example, entering
a unique password or PIN to gain access to the protected system, device,
database or data record allows the protection system to authenticate
that person as a legitimate user. There are three vectors of user
authentication mechanisms: knowledge (something you know), physical
(something you have) and biological (something you are). A password or
PIN falls in the knowledge vector, a SmartCard or similar device falls
in the physical vector, and fingerprints or other biologic
characteristics fall in the biological vector.


ID devices are electronic mechanisms that furnish authentication
information, typically for the physical vector: the user must possess
the device. Credit and debit cards, SmartCards, magnetic stripe cards,
barcodes and embedded ID chips are all examples of electronic ID
devices.

Biometrics are authentication measures or mechanisms that fall into the
biological vector. Fingerprints are the most commonly used.
Fingerprinting devices are now available for less than $200, complete
with software to create and maintain a database of users' fingerprints.
Retinal eye scans, voice prints, face recognition systems and other
biological measurements also are used for multifactor authentication.
Application limitations are usually based on cost and/or complexity.

User authentication strength is a function of the number of distinct
factors used in the authentication process. For years, single-factor
authentication was considered "adequate" for computing systems, but with
increased e-commerce and the corresponding increase in electronic theft,
many systems now use two-factor and even three-factor authentication.
Two-factor authentication requires mechanisms from two different
vectors (two passwords are still a single factor), and three-factor
authentication requires one mechanism from each of the three vectors.
Two-factor authentication (e.g., your bank card and PIN) is familiar
from ATMs and point-of-sale terminals, and three-factor authentication
(e.g., a password, SmartCard and fingerprint) is often used for access
to critical military and proprietary systems.

Audit logs are used to record instances of valid and invalid user
authentication and session termination (among other things) so that an
activity record exists for every system access, or attempt at system
access. Audit logs are indispensable when diagnosing and prosecuting
electronic intrusion cases.

Secure modems come in a variety of types and complexities. Simplest are
modem key/lock combinations that work in pairs to ensure all
communication is conducted between similarly configured pairs (or
groups) of modem devices. An authenticated connection is established by
the keyed handshaking that occurs when the connection is set up; the
data that follows is not encrypted (the compression built into
high-speed modems is for throughput and provides no confidentiality).
Next are programmable modems with on-board security features that
enable creation of user accounts, complete with assigned passwords and
dial-out (callback) phone numbers. Again, security is limited to
authentication upon initial connection, and data packets are not
encrypted. Finally, secure encrypting modems have been introduced
recently with embedded secret keys that only work between pairs (or
groups) of similarly configured modems. Encrypting modems provide both
authentication and encrypted data transmission, to safeguard against
eavesdropping on public phone lines. Each of these protects only the
dial-up hop: once traffic leaves the modem's serial port it is in the
clear again.

Encryption safeguards the communicated data packet while in transit from
source to destination. Unencrypted data communications over phone or
network lines are susceptible to phone taps and network sniffers,
respectively. For example, a TCP/IP packet or UCA packet transmitted raw
(unencrypted) is readable by anyone on the network running a network
analyzer in promiscuous mode, or by someone who spoofs (pretends to be)
the destination address so that the traffic is delivered to them.
Encryption can be layered onto both TCP/IP (for example with IPSec,
discussed below) and UCA. Unfortunately, few electric power service
providers are using this capability.

Encryption techniques can be grouped into three broad categories: a)
secret algorithms known only to the transmitter and receiver, b)
symmetric algorithms, in which a published algorithm is driven by a
single secret key shared by both parties, and c) asymmetric algorithms,
in which each party holds a public/private key pair. A secret
(proprietary) algorithm depends on the algorithm itself staying unknown;
once it is reverse-engineered from a device or from captured traffic,
every installation using it is exposed, which is why published
algorithms with secret keys are preferred. Symmetric encryption uses the
shared key with a public algorithm, so anyone who learns the key can
decipher (and forge) messages. The Data Encryption Standard (DES) is a
commonly used symmetric technique; its 56-bit key is short enough to be
found by exhaustive search with purpose-built hardware, and its
successor, the Advanced Encryption Standard (AES), was standardized in
2001. Asymmetric encryption, like the popular RSA algorithm, uses two
keys, one public and one private: anything encrypted with your private
key can be deciphered with your public key (the basis of a digital
signature), and anything encrypted with someone else's public key can
be deciphered only with that person's private key. The private key
cannot feasibly be derived from the public key, so two parties can
communicate securely without first sharing a secret.

Public key infrastructure (PKI) provides a means of issuing and revoking
public key certificates via a Certificate Authority (CA) responsible for
verifying that a public key belongs to the party named in the
certificate. PKI enables authentication, encryption and non-repudiation
services via asymmetric public key cryptography. Through appropriate use
of cryptography and cryptographic algorithms, it is possible to achieve
private communications with improved assurance of the communicating
partner's identity, to detect any alteration of a message in transit,
and, with digital signatures, to prove who sent it. However, designers
of integrated substation solutions and SCADA systems may find that
public key operations are too slow for supervisory control and power
system protection: a single RSA operation costs orders of magnitude
more than a symmetric encryption or message authentication code over
the same data. A common design is to use public key methods only to
authenticate the peers and establish a session key, and then protect
the time-critical traffic with single-key algorithms, leaving PKI alone
for advisory and informational applications over the public network.
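The trade-off between a shared-secret message authentication code and a public key signature, as an added example (not code from the article or from SEL): the symmetric frame below is what a time-critical link can afford, the toy RSA part shows which party can produce a signature. The command format, the 4-byte sequence counter, and the tiny RSA primes (p=61, q=53, e=17) are assumptions for illustration and not any real protocol or key material.

```python
"""Added example: symmetric message authentication for a control frame
beside a textbook RSA signature. Shows that a shared key gives integrity
and origin assurance between two peers but not non-repudiation (either
peer could have produced the tag), while only the private-key holder can
produce a signature. Command text, key values and RSA parameters are
constructed for this example."""
import hashlib
import hmac
import secrets

# --- Symmetric: one shared secret, published algorithm (HMAC-SHA256) ----

def mac_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 4-byte sequence counter || payload || 32-byte HMAC tag.
    The counter is covered by the tag so a captured frame cannot be
    replayed later."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_frame(key: bytes, frame: bytes, last_seq: int):
    """Return (ok, seq, payload); rejects bad tags and stale counters."""
    if len(frame) < 4 + 32:
        return False, last_seq, b""
    header, payload, tag = frame[:4], frame[4:-32], frame[-32:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False, last_seq, b""
    seq = int.from_bytes(header, "big")
    if seq <= last_seq:                          # replay or reordering
        return False, last_seq, b""
    return True, seq, payload

# --- Asymmetric: textbook RSA with toy parameters (illustration only) ---
# Assumed tiny primes so the arithmetic is visible. Real keys are 2048+
# bits and use padding (PSS/OAEP); never reuse these numbers.
P, Q, E = 61, 53, 17
N = P * Q                          # 3233, the public modulus
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, 2753

def digest(msg: bytes) -> int:
    """Hash the message and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(dgst: int, d: int = D, n: int = N) -> int:
    """'Encrypt with the private key': only the holder of d can do this."""
    return pow(dgst, d, n)

def verify_sig(dgst: int, sig: int, e: int = E, n: int = N) -> bool:
    """'Decrypt with the public key': anyone holding (e, n) can check."""
    return pow(sig, e, n) == dgst

def demo() -> dict:
    """Run the checks a relay/master pair would make and report outcomes."""
    key = secrets.token_bytes(32)          # shared by RTU and master
    f1 = mac_frame(key, 1, b"TRIP CB-12")
    ok1, seq, _ = verify_frame(key, f1, last_seq=0)
    # flip one payload byte: the tag no longer matches
    tampered = f1[:6] + bytes([f1[6] ^ 0x01]) + f1[7:]
    ok2, _, _ = verify_frame(key, tampered, last_seq=0)
    # replay the accepted frame: counter 1 is no longer fresh
    ok3, _, _ = verify_frame(key, f1, last_seq=seq)
    # the receiver holds the same key, so it can mint a frame of its own
    ok4, _, _ = verify_frame(key, mac_frame(key, seq + 1, b"CLOSE CB-12"), seq)
    dgst = digest(b"TRIP CB-12")
    sig = sign(dgst)
    return {
        "good_frame": ok1, "tampered_frame": ok2, "replayed_frame": ok3,
        "receiver_can_forge": ok4,
        "good_signature": verify_sig(dgst, sig),
        "other_message": verify_sig((dgst + 1) % N, sig),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The "receiver_can_forge" line is the point of the paragraph: a MAC lets a master trust that a frame came from a peer holding the key, but cannot prove to a third party which of the two peers sent it. Where that distinction matters (settings changes, audit evidence), a signature is required, and the per-operation cost is why the article suggests keeping PKI off the protection path.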

Network topology is a crucial factor in determining the security of
network-accessible IEDs and SCADA and IT systems. Star network
topologies with point-to-point home-run lines and no modem connections
or public network gateways are the most secure and reliable. Ring
topologies without a redundant path suffer from the "one down, all
down" single point of failure vulnerability, and bus topologies are
insecure because every device can read every data packet on the bus.
Ethernet, the most widely used LAN technology, was originally a bus
topology: any device on the shared medium, or later on a hub, could
"see" the data packets meant for all other devices. Fortunately,
revised Ethernet standards exist for point-to-point star topologies,
and when devices are connected to a switch rather than a hub, the
switch forwards each frame only to the port of the addressed device.
This is a performance and reliability property, not a security
guarantee: a switch's forwarding table can be flooded or poisoned (for
example by ARP spoofing) so that traffic is again delivered to an
attacker's port, so switching should be combined with the encryption
and segmentation described here rather than relied on alone.

Firewalls are used to defend a site against external network intrusions.
A firewall is a protected gateway that stands between the resources
requiring protection and the "outside." Firewalls create segmented
networks with restricted access into and between segments. By setting up
layers of segmented, restricted subnets, a hacker who penetrates one
layer has access only to the data and systems within that segment. A
firewall can be implemented via a router that filters out undesired
traffic, or through more complicated combinations of hardware and
software. To be effective, a firewall must guard all access to the
internal network, including modem connections and remote network
access; a single unguarded dial-up line bypasses it entirely. Internet
Protocol Security (IPSec) and Virtual Private Networks (VPNs) are
closely allied technologies that protect communications between
physically distant sites. IPSec works at the IP layer: it adds
authentication data to each packet so that forged or altered packets
are rejected, and can encrypt the packet contents so they cannot be
read in transit.

A virtual private network (VPN) combines IPSec technology and firewalls
to form a point-to-point secure, encrypted connection over public
networks. From the user's standpoint, the distant sites appear to be a
single internal network. The mechanism is often referred to as
"tunneling": data packets are encapsulated within another protocol that
encrypts them and carries them point-to-point between the two gateways,
so secure packets travel from one firewall to another across a public
network. VPNs can be implemented via either software or hardware. VPN
boxes are hardware devices that transmit and receive secured, encrypted
network packets to and from similarly configured routers.

An intrusion detection system (IDS) is useful in identifying both
internal misuse and external attackers attempting to gain internal
access. The intent is to determine if insiders or external users are
misusing the system. There are two types of IDS: signature detection
systems and anomaly detection systems. Intrusions often have attack
signatures (similar to virus signatures), which are patterns associated
with system misuse. Signature detection systems match observed activity
against a database of known intrusion profiles and, based on
sensitivity settings, determine if a match is likely. The goal is to
recognize the attack signature as it unfolds and shut off the attack or
notify the system administrator that an attack is occurring. Anomaly
detection compares ongoing system behavior against a profile of normal
system behavior and warns when anomalous behavior is occurring. For
example, an IDS might notice unusually high activity in the middle of
the night. When abnormal activity occurs, the IDS may shut it down
and/or inform the system operator.

Both IDS types have their own advantages and disadvantages, but they
share one problem: choosing the sensitivity setting. Too sensitive a
setting generates false alarms when there is no intrusion. In essence
the IDS cries wolf, which distracts and overburdens a systems staff that
must respond to each warning. Too insensitive a setting generates false
negatives: actual intrusions that go unnoticed.

Applying the Tools
Once familiar with electronic intrusion techniques and countermeasures,
utilities can assess the vulnerability of their facilities and take
steps to mitigate risk. Table 2 is a Vulnerability-Mitigation matrix for
devices and systems used in electric power generation, transmission and
distribution. For each type of device, the associated vulnerability and
risk is shown, and the mitigation strategy used to reduce those risks is
described. The first row of the matrix shows the nominal risk of
physical access to stand-alone protective equipment. In the mitigation
column for that equipment, the base set of mechanisms used for access
control is defined. In subsequent rows, these are referred to as "Basic
Mitigations."

Recommendations
A variety of tools and techniques can mitigate risk associated with
electronic intrusions. The following are recommendations related to
securing electric power control and protection systems:

*Use passwords, PINs, data access restrictions, and other means of user
authentication to guard against unauthorized access to equipment and
systems.
*Match the strength of user authentication to the criticality of data
being protected. Two-factor, and even three-factor, authentication may
be appropriate for access to critical SCADA systems.
*For single-factor authentication, passwords are better than PINs.
Strong passwords consist of six or more characters with mixed case and
special characters; treat six as a floor, since longer passphrases
resist offline cracking far better. Do not use common words, acronyms,
or personal information like birthdays and names that can be guessed.
*Change passwords periodically, and change them immediately after
instances of contractor installation and maintenance, after suspected
intrusions, and when personnel turnover or strife increases insider
risk.
*Use different passwords in differing locales, equipment and systems; do
not be tempted by single sign-on ease of use.
*Issue alarm contacts for access, password and settings events. Monitor
alarms for intrusion detection and to verify device functionality.
Automate alarm responses with preprogrammed disconnects, auto-dial
warnings, and escalating audio and visual alarms.
*Log alarms and suspicious activity (e.g., failed password attempts) in
nonvolatile storage. Scan audit logs and files regularly.
*Use private communications lines when possible to limit public
eavesdropping and potential intrusions. When using public lines, encrypt
access and control information such as passwords.
*Implement access hierarchies with different levels of permission for
viewing and setting devices. Use segmented network topologies and/or
star topologies to increase survivability and avoid "one down, all down"
vulnerabilities.
*Secure SCADA and IT systems with virus scanners, firewalls and
intrusion detection systems.
*When communicating over the Internet, use VPN or PKI technology to
authenticate partners and secure data packets.
*Keep communications systems design and network access information
private.
*Use "warning banners" to discourage electronic intrusions and enable
electronic monitoring and trespass prosecution.
*Use secure dial-back, encrypting, or authenticating modems or
modem-keys.
*Terminate interactive sessions after long periods of inactivity, and
ensure that sessions on communications ports are fully closed so the
next user does not inherit unauthorized access privileges.
*Limit the number of failed attempts to enter a password, then
disconnect and time-out the communications line after a set limit.
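The two IDS styles from the intrusion detection section, and the failed-attempt limit and audit-log scanning from the recommendations above, as one added example (not code from the article or from SEL). The log line format, host addresses, user names and the thresholds are assumptions constructed for this example; the sample log is made up.

```python
"""Added example: a signature-style rule (burst of failed logins from one
source) and an anomaly-style rule (interactive login at an hour never
seen in the baseline) run over constructed audit log lines, plus the
failed-attempt lockout the recommendations call for. The log format,
addresses, users and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source> <event> <user>".
# 2002-02-27 is treated as a normal day; 2002-02-28 contains the attack.
SAMPLE_LOG = """\
2002-02-27T09:12:03 10.1.5.20 LOGIN_OK relay_eng
2002-02-27T09:40:15 10.1.5.20 SETTINGS_CHANGE relay_eng
2002-02-27T10:30:00 10.1.5.21 LOGIN_OK scada_op
2002-02-27T13:05:44 10.1.5.21 LOGIN_OK scada_op
2002-02-28T02:14:01 192.0.2.77 LOGIN_FAIL admin
2002-02-28T02:14:09 192.0.2.77 LOGIN_FAIL admin
2002-02-28T02:14:16 192.0.2.77 LOGIN_FAIL admin
2002-02-28T02:14:22 192.0.2.77 LOGIN_FAIL admin
2002-02-28T02:15:30 192.0.2.77 LOGIN_OK admin
2002-02-28T10:02:11 10.1.5.20 LOGIN_FAIL relay_eng
2002-02-28T10:02:30 10.1.5.20 LOGIN_OK relay_eng
"""

def parse(text):
    """Turn log text into (timestamp, source, event, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, *rest = line.split()
        events.append((datetime.fromisoformat(ts), src, kind,
                       rest[0] if rest else None))
    return events

def failed_login_alerts(events, threshold, window=timedelta(minutes=5)):
    """Signature rule: `threshold` or more LOGIN_FAIL from one source
    inside `window`. Lower threshold = more sensitive (more false
    alarms); higher threshold misses short bursts (false negatives)."""
    recent_fails = defaultdict(list)
    alerts = set()
    for ts, src, kind, _ in events:
        if kind != "LOGIN_FAIL":
            continue
        recent = [t for t in recent_fails[src] if ts - t <= window] + [ts]
        recent_fails[src] = recent
        if len(recent) >= threshold:
            alerts.add(src)
    return alerts

def learn_baseline(events):
    """Anomaly profile: the hours at which successful logins normally occur."""
    return {ts.hour for ts, _, kind, _ in events if kind == "LOGIN_OK"}

def off_hours_alerts(events, baseline_hours):
    """Anomaly rule: a successful login at an hour absent from the baseline."""
    return {(ts.isoformat(), src) for ts, src, kind, _ in events
            if kind == "LOGIN_OK" and ts.hour not in baseline_hours}

class LoginGuard:
    """Failed-attempt limiter: after `max_fail` failures the line is
    dropped and the source is timed out for `lockout`."""
    def __init__(self, max_fail=3, lockout=timedelta(minutes=15)):
        self.max_fail, self.lockout = max_fail, lockout
        self.fails = defaultdict(int)
        self.locked_until = {}

    def attempt(self, src, now, password_ok):
        """Return 'LOCKED', 'ACCEPT', 'REJECT' or 'DISCONNECT'."""
        until = self.locked_until.get(src)
        if until is not None and now < until:
            return "LOCKED"
        if password_ok:
            self.fails[src] = 0
            return "ACCEPT"
        self.fails[src] += 1
        if self.fails[src] >= self.max_fail:
            self.fails[src] = 0
            self.locked_until[src] = now + self.lockout
            return "DISCONNECT"
        return "REJECT"

def guard_demo():
    """Feed the 02:14 burst through the limiter and return each verdict."""
    g = LoginGuard(max_fail=3, lockout=timedelta(minutes=15))
    t0 = datetime(2002, 2, 28, 2, 14, 1)
    steps = [(0, False), (8, False), (15, False), (21, False), (16 * 60, True)]
    return [g.attempt("192.0.2.77", t0 + timedelta(seconds=s), ok)
            for s, ok in steps]

def report():
    """Run both detectors over the sample log with two sensitivities."""
    ev = parse(SAMPLE_LOG)
    baseline = learn_baseline([e for e in ev if e[0].day == 27])
    today = [e for e in ev if e[0].day == 28]
    return {
        "burst_threshold_3": failed_login_alerts(today, 3),
        "burst_threshold_5": failed_login_alerts(today, 5),   # missed
        "off_hours": off_hours_alerts(today, baseline),
        "lockout": guard_demo(),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

With a threshold of 3 the burst from 192.0.2.77 is caught; raising it to 5 makes the same four failures invisible, which is the false-negative side of the sensitivity setting. The off-hours rule catches the eventual successful login at 02:15 even though no signature matched it, and the limiter would have cut the line after the third failure had it been in place.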

Summary
The risk of computer-based electronic intrusions and attacks on the
electric power industry is increasing. These attacks already have
occurred in the computer and telecommunications industries, and they are
increasing in frequency and magnitude. The probability of a serious
electronic intrusion into an IED, substation controller or SCADA system
is rising. Stronger security measures are needed. Each organization
involved in electric power production and distribution must conduct its
own risk assessment and decide where to focus efforts. Fortunately,
there are many InfoSec tools and techniques, with a wide range of
pricing and complexity, that can help safeguard IEDs, substations and
SCADA systems. By implementing lessons learned in the computer and
telecommunications industries, the electric utility industry can stop
electronic intrusions before the power grid's safety and reliability are
compromised.

Paul W. Oman is a Senior Research Engineer at Schweitzer Engineering
Laboratories Inc. in Pullman, Wash. Dr. Oman has published more than 100
papers and technical reports on computer security, computer science
education and software engineering. He has a Ph.D. in Computer Science
from Oregon State University, serves as a Senior Member in the IEEE, and
is active in the IEEE Computer Society and the Association for Computing
Machinery.

Edmund O. Schweitzer, III founded Schweitzer Engineering Laboratories in
1982 to develop and manufacture digital protective relays and related
products and services. He is recognized as a pioneer in digital
protection, and holds the grade of Fellow of the Institute of Electrical
and Electronics Engineers (IEEE). Dr. Schweitzer received his Bachelor
and Master degrees in electrical engineering from Purdue University, and
received his Ph.D. from Washington State University. His Ph.D.
dissertation was on digital protective relaying.

Jeff Roberts is the Manager of Research Engineering at Schweitzer
Engineering Laboratories Inc. in Pullman, Wash. Prior to joining SEL he
worked for Pacific Gas and Electric as a Relay Protection Engineer for
more than three years. Mr. Roberts holds a BSEE from Washington State
University and is a Senior Member of the IEEE.

------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:04 PST