12 Jul 2017 Insights from the NERC CIP Emerging Technologies Round Table
I recently attended the NERC CIP Emerging Technologies Round Table meeting on Cloud & IoT, where a primary focus was Bulk Electric System (BES) Cyber Systems in the cloud. BES Cyber Systems are systems with an adverse effect on the BES within 15 minutes of failure or compromise. Interestingly, the most thought-provoking discussion at the end of the day had to do with the Internet, not with the cloud.
Can electric utilities withstand the most sophisticated of Internet-based cyberattacks?
Imagine a massive distributed denial of service (DDoS) attack that targets, not Microsoft Azure or Amazon, but one or more electric utilities that have come to rely on the correct and timely operation of one or more BES Cyber Systems in some cloud. A massive Internet-based DDoS attack would cripple these utilities’ ability to receive control signals from Internet/cloud-based BES Cyber Systems.
To be fair, Stevan Vidich from the Microsoft Azure team did point out that leased, non-public or non-Internet connections to cloud infrastructure are available, at extra cost, by all three major cloud providers. This only raises other questions, such as: Will all electric utilities use such private connections? What do these connections do to our black start requirements? Will the communications providers or cloud services we rely on have any power in a black start scenario?
Cloud vendors tend to focus on how our IT data is protected in the cloud, but this is not the critical issue. Industrial sectors like electric utilities care much more about how to protect reliability-critical control signals passing from cloud systems back to generators and switches, than how to protect IT data.
Firmware, software and industrial cybersecurity
The interesting discussion in the day for Internet of Things (IoT) topics had to do with software. One participant suggested that pretty much all modern firmware is re-writable. So he recommends we stop using the word “firmware” and call it all “software” instead. He argued that since all IoT and Industrial IoT (IIoT) firmware/software has bugs and vulnerabilities, we need to pay more attention to security. His conclusion though, was that we need more security updates, anti-virus and firewalls for IoT firmware/software.
This makes no sense; if the cybersecurity issues originate with software, why would more software solve the problem?
Industrial Internet Consortium’s (IIC) guidance takes a more OT-centric view of this problem. The IIC Reference Architecture (IIC RA) describes edge devices talking more or less directly to public or private cloud applications. When edge devices cannot support public network security models, the RA recommends security gateways to bridge the gap. When the potential for software vulnerabilities in edge devices or gateways is unacceptable, the IIC Security Framework recommends hardware-enforced unidirectional gateways, not more software-based security.
Unidirectional Security Gateways create an impassable, physical barrier eliminating the possibility of external online attacks entering the grid’s control or SCADA network, including network-propagating malware and remote-control attacks, while enabling business processes of a BES to proceed as usual. Each unidirectional gateway has hardware modules and two CPUs – one running inside the protected control system network gathering data, and one outside, communicating across IT networks and the Internet. The external, exposed CPU is expendable. If the external CPU is DDoS’ed or compromised, then only monitoring functions of the BES are impaired. The unidirectional hardware modules though, are physically unable to communicate attack information from the external, impaired CPU into reliability-critical, internal systems. This means reliability-critical control of the utility continues, unaffected despite the attack.
There was a comment early in the proceedings that the electric grid was important to society – even more important than the government. This, of course, may be slightly out of proportion, but it was encouraging to hear frank discussions about how to keep that very important resource safe from threats that accompany emerging cloud, IoT and IIoT business models and technologies.