Securing Energy Substations

Applying cyber security measures to industrial control systems represents some unique challenges.  How do you obtain situational awareness across zones while enforcing the maximum possible level of network separation?  How do you protect against malware while limiting the application of patches and updates to real-time systems?  If a system is compromised in some way, how do you detect that compromise—and more importantly, how do you remediate that threat when the compromised system is in a remote substation? Luckily, these challenges can be easily overcome using the right technologies, when deployed correctly and in the right place.

The proof: Intel and McAfee have built a joint implementation of existing products and technologies to successfully demonstrate energy substation cyber security.

• Situational Awareness – To stop zero-day attacks there needs to be actionable intelligence and not just the creation of more security logs.  This is the role of the McAfee Enterprise Security Manager that gives a contextual view that helps identify and isolate attacks produced by unknown malware.
• Unified, Multi-zone Protection – Energy IT organizations need to centrally manage assets and substation network operation centers to better understand their environments.  McAfee ePolicy Orchestrator and McAfee Enterprise Security Manager unify security and policy management of the endpoint, network, and data security controls that have been deployed across all zones.
• Malware Protection.  Application white-listing is particularly effective against zero day attacks and is much more resource “light” than blacklisting solutions. McAfee Embedded Control combines whitelisting technology with change control to provide absolute protection against malicious activity at the endpoint.
• Intrusion Prevention – McAfee IPS actively detects, analyzes and protects from an array of attacks and neutralizes them real-time.
• Remote Remediation – Intel Advanced Management Technology (AMT) on 2nd generation Intel Core processors has been enhanced with a feature called KVM redirection over Internet Protocol (IP), permitting the keyboard-video-mouse (KVM) for an IT console to control and display the graphical user interface (GUI) of an embedded device in the field. As a result, technicians can manage the remote device as if they were sitting right in front of it using normal input devices and not only through command line instructions. To resolve issues, it’s possible to reboot the device, observe errors, launch tools for analyzing failure data and guide the OS to fix the error. Lowering the cost of servicing endpoints especially remote sites is more important.  McAfee Deep Command allows administrators to remotely deploy, manage, and update security even on disabled or powered off devices.
• Monitoring Critical Software – Using Intel AMT deployed through McAfee ePO Deep Command, security administrators can remotely deploy, manage and update security and device software on disabled or powered-off endpoints through an out-of-band (OOB) connection to the endpoint. This allows utility IT departments to take control of the devices regardless of the hardware or software state – even a rogue device. Using Intel AMT, the device can be taken offline and replaced by a redundant, failover device, thus minimizing downtime.
• Continuous Compliance – The solutions provide continuous compliance in a fast, automated easy-to-use interface that addresses audit requirements in minutes instead of hours or days.

Why it Matters

Substation security is becoming more important day by day for a variety of reasons.  One reason is that compliance regulations are being further out into the energy T&D system.  Another is that ongoing security research—such as the work of Luigi Auriemma, Gleg research, and more recently Digital Bond’s Project “Base Camp”—is drawing more and more attention to the vulnerabilities of industrial systems.  There are Metaspolit modules available today for some Base Camp exploits, providing unprecedented exposure to industrial systems.  At the same time, the energy transmission infrastructure is being upgraded to accommodate new grid technologies.  The result: a perfect storm of cyber risk.

The Intel/McAfee “reference implementation” was designed to replicate the critical infrastructure environment of a typical substation, showing how a combination of end-point security, network security and security management can be used together to ensure a more secure environment and maximize uptime. This demonstration uses hardware and software elements found in actual deployment and address security at multiple layers, each layer addressing a different attack surface on the infrastructure.

One of the more interesting results of the reference implementation is an interesting use case leveraging Intel Active Management Technology (Intel AMT), McAfee ePO and Deep Command.  Consider this scenario: a computer in a substation is vulnerable.  You know it’s vulnerable, and you’ve tested the available patch(es) offline to remediate the problem, but you need to wait until the next available maintenance window before you can take this critical system offline to apply the patch.  If the system were compromised, that might change the decision quickly: it could now be acceptable to remove that critical system as soon as possible to clean the system and restore reliability … only the compromised system might be in a remote facility, in the middle of nowhere.  This is where the combination of security controls, situational awareness, and Deep Command come together: when a machine is compromised, that compromised can be fully investigated and assessed remotely, and if it’s deemed necessary the corrupt machine can be remotely restored to operation.

Tags: critical infrastructure, energy, substation