01 Oct 2020 Generating Unit Segmentation for Security
Defending process engineering systems and the continuous operation of the critical generation systems requires a new approach to network resilience. Breach and compromise of generating units, protective relays, cloud connections and generating turbines have high physical consequence – and a generalized one-size-fits-all security solution is insufficient in this high-stakes environment. Pervasive threats continue to worsen, attack tools are more powerful than ever, and modern ransomware attacks can extort using nation-state-like techniques and tools. Reactive interventions such as intrusion detection systems and government and private response teams cannot move fast enough to prevent the consequences of compromise.
For these reasons, power generation sites around the world have deployed Unidirectional Gateway protections. In Waterfall’s upcoming webinar “New, Advanced Cybersecurity for Power Generation” we will review the well-known applications of unidirectional technology to power generation control systems as well as address lesser-known security topics within the generating control environment, particularly segmentation as a security method for generating units.
In the United States and Canada, many generating utilities have adopted a tactic of generating unit segmentation. Segmentation reduces the cost of complying with NERC CIP security mandates, by eliminating all CIP High Impact and Medium Impact systems from the power plants by “segmenting” the network, thus reducing its size. This is accomplished by making all generating unit control systems in effect stand-alone. In theory, when no digital failure or compromise can impair the operation of more than one generating unit, and when each generating unit at a site is smaller than the NERC CIP limits that trigger Medium Impact requirements, the entire plant is rated as Low Impact. Compliance costs for Low Impact plants are much lower than those for Medium Impact plants.
In a typical segmented plant, each generating unit’s network is connected to the plant-wide network using a firewall. The NERC CIP rationale for permitting such connections is that if a little care is taken in configuring each generating unit’s firewall and other systems, then compromised cyber assets in one unit’s control system do not pose a threat to assets in any other unit’s control system.
A problem with this design is the new pervasive threat of targeted ransomware. Imagine that a ransomware group has managed to break into the plant-wide network and pivot through a generating unit’s firewall to plant their ransomware. Generating unit firewalls tend to be configured identically, exposing the same set of identically-configured control system components to attack through open ports. It is thus very likely that whatever tools and techniques succeed in breaking through a firewall into one unit’s network will also succeed in breaking through every other generating unit’s firewall at that same plant. This negates the intended benefit of firewall-based segmentation: to prevent a single attack from affecting multiple generating units.
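The common-mode exposure described above can be measured from the unit firewalls' own rule sets. The following is an added example, not Waterfall's code or part of the original article: it compares the inbound allow rules of each generating unit's firewall and reports which services are reachable from the plant-wide network on more than one unit. The rule format, asset role names, unit names and ports are all constructed for illustration.

```python
from itertools import combinations

# Constructed sample: inbound allow rules on each generating unit's firewall,
# written as "source_zone asset_role proto/port". Roles stand in for per-unit
# IP addresses so that equivalent rules on different units compare equal.
RULES = {
    "unit1": ["plant hmi tcp/3389", "plant historian tcp/1433", "plant eng_ws tcp/445"],
    "unit2": ["plant hmi tcp/3389", "plant historian tcp/1433", "plant eng_ws tcp/445"],
    "unit3": ["plant hmi tcp/3389", "plant historian tcp/5432"],
}

def exposure(rules, zone="plant"):
    """Set of (role, service) pairs reachable from the given source zone."""
    out = set()
    for line in rules:
        src, role, service = line.split()
        if src == zone:
            out.add((role, service))
    return out

def common_mode(rules_by_unit, zone="plant"):
    """Map each exposed (role, service) to the sorted units that expose it,
    keeping only services exposed on more than one unit."""
    seen = {}
    for unit, rules in rules_by_unit.items():
        for svc in exposure(rules, zone):
            seen.setdefault(svc, []).append(unit)
    return {svc: sorted(units) for svc, units in seen.items() if len(units) > 1}

def similarity(rules_by_unit, zone="plant"):
    """Jaccard similarity of exposed services for every pair of units."""
    exp = {u: exposure(r, zone) for u, r in rules_by_unit.items()}
    result = {}
    for a, b in combinations(sorted(exp), 2):
        union = exp[a] | exp[b]
        result[(a, b)] = len(exp[a] & exp[b]) / len(union) if union else 0.0
    return result

if __name__ == "__main__":
    for svc, units in sorted(common_mode(RULES).items()):
        print(f"{svc[0]} {svc[1]} exposed on {', '.join(units)}")
    for pair, score in similarity(RULES).items():
        print(pair, f"{score:.2f}")
```

A similarity of 1.0 between two units means their firewalls present an identical attack surface to the plant-wide network, which is the condition under which a single technique is likely to work against both.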
Firewall-based generating unit segmentation reduces compliance costs but ignores the security threats posed by modern targeted ransomware and other attacks. Utilities deploying state-of-the-art security have taken these risks into account and are deploying a simple solution: a single Unidirectional Gateway device at the IT/OT interface for the plant-wide network. In such designs:
- NERC CIP compliance savings are unaffected,
- Monitoring of plant operations via unidirectional replicas is straightforward,
- Targeted ransomware and any other attack pivoting through enterprise or Internet networks are reliably defeated, no matter how sophisticated those attacks, and
- Firewalls connecting generating units to the plant-wide network still provide as much protection as they always have from common malware and other low-level threats propagating between generating unit networks.
Generating unit segmentation with firewalls provides compliance savings with minimal security. Protecting the entire IT/OT network with Unidirectional Security Gateways provides strong protection from targeted ransomware and other modern attacks, while preserving and even enhancing the compliance cost savings of generating unit segmentation.
Unidirectional Gateways are essential to the next level of protection to defend the resilience and continuous operations of power generating utilities. Even one layer of unidirectional technology in a control system defense-in-depth architecture provides robust, future-proof protection for generating networks. Block the flow of information back into the protected network with physical, unidirectional hardware, and we block attacks, no matter how sophisticated those attacks are today, or will become in the future.
- Protecting the protective relays
- Protecting cloud connections
- Preventing credentialed compromise
- Safe OT Intrusion Detection