03 Aug 2020 Resilience: Protecting Protective Relays
One of the themes of the recent NSA/CISA AA20-205A Alert is resilience. The alert defines resilience as having a plan to continue operating critical infrastructures manually, when control system computers are shut down because of a cyber compromise such as ransomware. The example the alert cites is manual operation of high voltage substations. Power plants are a much larger and more complex example of critical infrastructure than substations – so complex that manual operation may not be possible.
But a different kind of resilience is possible for a power plant. Yes, resilience can mean continuing to operate while compromised, but it can also mean returning to an operational state with minimal downtime. Minimal downtime is only possible when physical equipment has not been damaged as part of the cyber assault. In power plants, as in the entire electric grid, the task of preventing equipment damage falls to protective relays: single-purpose devices that monitor for dangerous conditions and disconnect generating units from the grid when such conditions are detected.
The problem: all modern protective relays are computers, running software. This means that the relays can themselves be compromised or re-configured in a cyber attack – modified to impair their protective function. If a large turbine or generator is damaged because of relay compromise, power production will be impaired or impossible for months, not the days that it takes to restore all computers from backups. Damaged turbines cannot be “restored from backups.”
The solution: there are voices in the industrial security community advocating a return to hard-wired protective relays, discarding two decades of progress in this space. This is not practical. A practical solution is to protect the protection. In power plants, as in high voltage substations, protective relays can be connected to networks separate from the main control network and integrated with the main control network using a Unidirectional Security Gateway.
What does such a design buy us?
- No compromise of the main control network can propagate through the Unidirectional Gateways into the relay networks to put physical equipment at risk. The hardware portion of a Unidirectional Gateway is physically able to send information in only one direction – from the relay network to other plant networks.
- As a result, worst-case cyber compromise impairs only control computers – physical equipment is still protected.
- The software portion of a Unidirectional Gateway emulates relay devices to the main control network, so that historians, HMIs, alarm servers and other equipment continue to work normally, as if that equipment could still connect to the relays.
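The design above, reduced to a runnable model (an added illustration, not Waterfall's or any vendor's gateway code): the relay's real settings live only on the relay network, snapshots cross a one-way link, and a replica on the control network answers reads but has no path to carry a settings change back. The relay object, the settings names and the measured values are constructed for the example.

```python
from dataclasses import dataclass, field
from collections import deque


@dataclass
class ProtectiveRelay:
    """Constructed relay on the protected network; settings and values are made up."""
    settings: dict = field(default_factory=lambda: {"overcurrent_pickup_A": 1200, "trip_enabled": True})
    measurements: dict = field(default_factory=lambda: {"current_A": 830})


class OneWayLink:
    """Models the hardware half: only the relay-side transmitter can enqueue data."""
    def __init__(self):
        self._queue = deque()

    def tx(self, snapshot):          # called only from the relay network side
        self._queue.append(dict(snapshot))

    def rx(self):                    # called only from the control network side
        return self._queue.popleft() if self._queue else None


class RelayReplica:
    """Models the software half: emulates the relay for HMIs and historians."""
    def __init__(self):
        self.state = {}
        self.rejected_writes = []    # a detection hook: writes to a replica are a signal

    def update(self, link):
        snap = link.rx()
        while snap is not None:      # drain every snapshot the relay side sent
            self.state = snap
            snap = link.rx()

    def read(self, key):
        return self.state.get(key)

    def write(self, key, value):
        # There is no return channel, so the request is recorded and refused.
        self.rejected_writes.append((key, value))
        return False


def replicate(relay, link):
    """Relay-side agent: publish measurements and settings across the one-way link."""
    link.tx({**relay.measurements, **relay.settings})


def simulate_compromised_control_network():
    relay, link, replica = ProtectiveRelay(), OneWayLink(), RelayReplica()
    replicate(relay, link)
    replica.update(link)
    hmi_sees = replica.read("current_A")                     # normal monitoring still works
    accepted = replica.write("trip_enabled", False)          # settings change from the control side
    replicate(relay, link)
    replica.update(link)                                     # replica reflects the untouched relay
    return {"hmi_read": hmi_sees, "write_accepted": accepted,
            "relay_trip_enabled": relay.settings["trip_enabled"],
            "rejected_writes": len(replica.rejected_writes)}
```

Any write arriving at the replica is worth alarming on, since legitimate control-network traffic to it should only ever be reads.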
The bottom line: a small investment in Unidirectional Gateways buys increased resilience for power plants. In the words of Andrew Bochman on the Industrial Security podcast – “we can tolerate disruption, but not destruction.” With protective relays protected from cyber tampering and compromise, the worst-case consequence for even a serious cyber breach is only a few days downtime – as long as it takes to restore control computers and PLCs from what the NSA/CISA alert calls “known-good gold images.”
To dig deeper: this blog post touches on one of many topics that will be covered in an upcoming Waterfall webinar: 3 Advanced Methodologies For Cyber Risk in Power Generation. Register for the webinar to explore modern approaches to power generation security.