Applying cyber security measures to industrial control systems presents some unique challenges. How do you obtain situational awareness across zones while enforcing the maximum possible level of network separation? How do you protect against malware while limiting the application of patches and updates to real-time systems? If a system is compromised in some way, how do you detect that compromise—and more importantly, how do you remediate that threat when the compromised system is in a remote substation? Luckily, these challenges can be easily overcome using the right technologies, when deployed correctly and in the right place.
Why it Matters
Substation security is becoming more important day by day for a variety of reasons. One reason is that compliance regulations are being pushed further out into the energy T&D system. Another is that ongoing security research—such as the work of Luigi Auriemma, Gleg research, and more recently Digital Bond’s Project “Base Camp”—is drawing more and more attention to the vulnerabilities of industrial systems. There are Metasploit modules available today for some Base Camp exploits, providing unprecedented exposure to industrial systems. At the same time, the energy transmission infrastructure is being upgraded to accommodate new grid technologies. The result: a perfect storm of cyber risk.
The Intel/McAfee “reference implementation” was designed to replicate the critical infrastructure environment of a typical substation, showing how a combination of end-point security, network security and security management can be used together to ensure a more secure environment and maximize uptime. This demonstration uses hardware and software elements found in actual deployments and addresses security at multiple layers, each layer addressing a different attack surface on the infrastructure.
One of the more interesting results of the reference implementation is a use case leveraging Intel Active Management Technology (Intel AMT), McAfee ePO and Deep Command. Consider this scenario: a computer in a substation is vulnerable. You know it’s vulnerable, and you’ve tested the available patch(es) offline to remediate the problem, but you need to wait until the next available maintenance window before you can take this critical system offline to apply the patch. If the system were compromised, that might change the decision quickly: it could now be acceptable to remove that critical system as soon as possible to clean the system and restore reliability … only the compromised system might be in a remote facility, in the middle of nowhere. This is where the combination of security controls, situational awareness, and Deep Command come together: when a machine is compromised, that compromise can be fully investigated and assessed remotely, and if it’s deemed necessary the corrupt machine can be remotely restored to operation.