
In the utilities sector, supervisory control and data acquisition (SCADA) systems are commonly used on top of other control and protective systems to manage the generation, transmission and distribution of electric power. The ongoing security of SCADA systems and data networks is critical to the continued functioning of our national power grid.
As Rita Wells, Electric Sector Program Lead at Idaho National Laboratory, explains, SCADA is a system-on-system engineering approach that puts layers of control in different areas to enable the remote access to and control of devices that open and close breakers, switches and relays, and control the electric system.
“Compared to a protective system, which may have a response time in milliseconds, control systems usually have a response time within one second, or less than one second with command and status. SCADA systems commonly have response times in the five seconds or greater range because the status is from these other layered protective devices. These systems control and provide set points like generation levels or can put remote commands out there that the control systems and protective systems will act on.
“In the case of electric utilities, what’s unique is that the SCADA systems are highly integrated, with a lot of communication points with other neighboring utilities, and a lot of communication points to the underlying processes that control the more specific equipment whether it’s generation, transmission, or distribution. No other industry has a larger geographical footprint than the electric sector, with the possible exception of pipelines and transportation.”
Vulnerability
SCADA systems are a vital part of the infrastructure that keeps our electricity grid running, but they can also be open to attack. As Wells says, “The modernization of SCADA and control system environments has led to more cause for concern about their vulnerability. This modernization has meant that these control systems are now on common networks that are used in industry, such as the TCP/IP protocol that runs the internet. The number of connections has also increased, and there has been a move to more common operating platforms. Such systems are now susceptible to common vulnerabilities that have been identified in the IT world for years.
“These systems are large, complex and widely dispersed, and do not have the same refresh rates as those in the IT community. Upgrading patches every Tuesday as is commonly done for a computer operating system can’t be done in the SCADA and control systems in utilities. And as you go into the field to the remote devices, it becomes even more problematic to do those updates because the time, the distance, and the impact to the actual system are more acute.”
Wells takes care to point out that INL’s research work deals with vulnerabilities, as distinct from threats. “Threat deals with motivation, intent and capability. Those are very human-based qualities that are often difficult to characterize and fully understand. A happy employee today can become an unhappy one tomorrow, and somebody who has the knowledge and the capability who never had the intent or motivation suddenly can have both, if something has happened to make them disgruntled.
“That’s why we focus instead on the vulnerabilities within systems. We have done vulnerability assessments protected by non-disclosure agreements, cooperative research and development agreements for many of the large vendors in the electric sector. We understand those vulnerabilities and we attempt to characterize them. Pretty much all code, everything that is software-based, will be vulnerable at some point.
“The other issue is that not all vulnerabilities are equal. You have to ask yourself, how simple was that vulnerability to exploit? Can you write code to control the system, and then once you do control the system, to what level? What is your impact for that vulnerability? Were you able to change every set point? Were you able to make everything happen, or did you just get access to a host server, which doesn’t have many permissions? And then, how exposed is that vulnerability? Do you have to be an insider to be able to exploit that vulnerability, or is it an application that’s outward facing and you can get to that vulnerability from the external network?
“Lastly, is that vulnerability deployed? That’s a very simplistic question but it’s something we need to answer when the common vulnerabilities come out every day, and we do that analysis for the Department of Homeland Security National Cyber Security Division for their control system security program. We look at the common vulnerabilities and exposures, and we rate the four characteristics of simplicity, impact, exposure and deployment.”
Protection
Wells says that what utilities really need to focus on is their installation-specific configurations. “It’s one thing for a national lab to sit there and say this has a large impact because I can make this breaker open and close whenever I want to, as compared to a utility that says, ‘Well I actually have other protective processes in here that would prevent that from occurring.’ The actual implementation can change. That brings into the defense-in-depth types of strategies. There are protective systems, there are safety systems, the system-on-system approach for this engineering, and the impact side can be addressed the best from within the utility.”
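As an added illustration (not INL's or DHS's actual method), the following triage helper scores a vulnerability on the four characteristics Wells names above, simplicity, impact, exposure and deployment, and lets an asset owner lower the impact score where an installation-specific protective layer would prevent the effect; the ordinal scales, weights and sample entries are assumptions constructed for the example.

```python
"""Vulnerability triage on the four characteristics named in the article.
Added example; the scales, the product formula and the sample data are assumed,
not the rating method INL performs for the DHS control system security program."""
from dataclasses import dataclass
from typing import List, Optional

# Ordinal scales (assumed). Higher is worse for the asset owner.
SIMPLICITY = {"hard": 1, "moderate": 2, "trivial": 3}          # how simple to exploit
IMPACT = {"host_access": 1, "some_setpoints": 2, "all_setpoints": 3}
EXPOSURE = {"insider_only": 1, "adjacent_network": 2, "external": 3}


@dataclass
class Vuln:
    ident: str
    simplicity: str
    impact: str              # impact as assessed in the lab, with no site context
    exposure: str
    deployed: bool           # is the affected component present at this site?
    site_impact: Optional[str] = None  # asset owner's override after checking
                                       # their own protective and safety layers


def rate(v: Vuln) -> int:
    """Deployment is a yes/no gate: a vulnerability that is not deployed at this
    installation scores 0 however bad the other three characteristics are.
    Otherwise the score is the product of the three ordinal values, using the
    site-specific impact when the asset owner has supplied one."""
    if not v.deployed:
        return 0
    impact = v.site_impact if v.site_impact is not None else v.impact
    return SIMPLICITY[v.simplicity] * IMPACT[impact] * EXPOSURE[v.exposure]


def triage(vulns: List[Vuln]) -> List[Vuln]:
    """Order worst-first and drop anything that scores 0 (not deployed here)."""
    scored = sorted(((rate(v), v) for v in vulns), key=lambda t: t[0], reverse=True)
    return [v for score, v in scored if score > 0]


# Constructed sample records (placeholder identifiers, not real advisories).
SAMPLE = [
    Vuln("example-1", "trivial", "all_setpoints", "external", deployed=True),
    Vuln("example-2", "trivial", "all_setpoints", "external", deployed=False),
    # Same lab rating as example-1, but the site's protective relays limit
    # the achievable effect to host access, so the owner overrides impact.
    Vuln("example-3", "trivial", "all_setpoints", "external", deployed=True,
         site_impact="host_access"),
]


def worst_first(vulns: List[Vuln] = SAMPLE) -> List[str]:
    return [v.ident for v in triage(vulns)]
```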
According to Wells, a person with malicious intent will usually take several vulnerabilities together to get different footholds on the system and then migrate to the next foothold in order to get to the targeted effect they want, whether it is opening and closing breakers or spinning down a generation plant.
“They would string many vulnerabilities together. Very rarely would one vulnerability go all the way through the system and have an impact. For example, one vulnerability may be able to get you through a firewall. The next vulnerability might get you from a demilitarized zone (DMZ) network partitioning aspect to that inner network of the control system or the SCADA system. The next vulnerability might be able to escalate your privileges. These are how they tie the vulnerabilities together in order to get a targeted effect.”
INL has done more than 50 assessments, ranging from 275 hours to 900 hours of cyber security research time. When INL researchers have agreements with the vendors, they are able to look at source code. Wells explains that some of these systems are huge, with millions and millions of lines of code. The team usually only assesses or looks at the areas in which they have an interest and the areas they think would have the most impact on the system, rather than doing a line-by-line review. They do, however, look at several thousand lines of code with each assessment to figure out if there are potential vulnerabilities.
This information is then given back to the vendors and the vendors are able to update their systems. As Wells explains, with an on-site assessment, the information is given to the asset owners and they are able to make modifications to their configurations. “In more than 18 assessments we have done on-site with asset owners we’ve seen some unique configurations that are very specific. The one advantage that asset owner utilities have over the attackers is they know their systems. If they’re creating defenses that are unique to their system they’re usually a lot better off.”
Looking ahead
Wells says SCADA security is a growing area, with INL undertaking a number of ongoing programs in addition to the Department of Homeland Security National Cyber Security Division control system security program. “The Department of Homeland Security is very cross-sector but they realize that the electric sector is a high priority since without electricity all the other sectors have a problem.
“The Department of Energy’s OE office for the National SCADA test bed focuses on the energy sector. They’re looking at electricity and oil and natural gas, and they work in very close coordination with the Department of Homeland Security’s control system security program. The Department of Energy is doing some research developing better signatures for intrusion detection systems, and with more unique analysis they can have the situational awareness of the cyber activities that are occurring on these common networks.
“There is also other work going on that’s creating more resilient control systems, where you have a knowledge-based tool where the sensors are aware of the process they are performing as well as the cyber aspects of the data flowing back and forth, and combining those two provides a very different viewpoint and a stronger situational awareness that helps to protect these systems.
“We take this mission seriously, and one of the biggest goals is to provide value back to the utilities and back to the owners of this equipment, because they own the critical infrastructure of the United States.”
Idaho National Laboratory
In operation since 1949, INL is a science-based, applied engineering national laboratory dedicated to supporting the U.S. Department of Energy's missions in nuclear and energy research, science, and national defense.
Mission
Ensure the nation's energy security with safe, competitive, and sustainable energy systems and unique national and homeland security capabilities.
Vision
By 2015, INL will be the pre-eminent nuclear energy laboratory with synergistic, world-class, multi-program capabilities and partnerships.
Research Programs
The pressing challenge for nuclear energy sets the context for INL's strategy. We will create a technically achievable, economically competitive and environmentally sustainable nuclear energy option for the nation that is worthy of public confidence and trust.
Six attributes are critical to INL’s vision: