Assessing Power Substation Network Security and Survivability - PowerPoint PPT Presentation

Slides: 45
Provided by: wend99
1
Assessing Power Substation Network Security and
Survivability
  • Carol Taylor, Axel Krings, Paul Oman
  • Computer Science Department, University of Idaho,
    Moscow, Idaho
  • The 2003 International Conference on Security and
    Management
  • June 23-26, 2003

Graduate of Dept. of IM Wendy Y.F. Wen
2
Incentives
  • Electric power grid can be regarded as a complex
    network.
  • Risk Management Survivability
  • The failure of power substation network will
    result in cascading failure.
  • Node Dependency

3
Outline
  • 0. Risk Management Concepts
  • Introduction
  • Current State of Power Networks
  • Mitigation Strategies
  • Survivability and Vulnerability Assessment
  • Conclusion

4
Outline
  • 0. Risk Management Concepts
  • Introduction
  • Current State of Power Networks
  • Mitigation Strategies
  • Survivability and Vulnerability Assessment
  • Conclusion

5
Risk Management Concepts
  • The process of identifying, assessing and
    reducing risks to an acceptable level.

Reference: Symposium of Risk Management,
2005/11/11, Po-Hao Tsang
6
Risk Management Concepts (cont)
  • Risk Assessment
  • Risk Analysis
  • Risk Evaluation
  • Risk Treatment

Reference: Symposium of Risk Management,
2005/1/1, Po-Hao Tsang
7
Goals of Risk Analysis
  • Asset valuation and threat identification
  • To quantify or qualify the impact
  • To provide cost-benefit comparison for safeguards
    or countermeasures

Reference: Symposium of Risk Management,
2005/1/1, Po-Hao Tsang
8
Risk Management
9
Outline
  • 0. Risk Management Concepts
  • Introduction
  • Current State of Power Networks
  • Mitigation Strategies
  • Survivability and Vulnerability Assessment
  • Conclusion

10
Incentives
  • The on-going problem of securing our critical
    infrastructures from cyber threats is becoming
    more acute.
  • Terrorism and its consequences
  • Dependency on the computer networks that support
    our daily lives
  • As the critical infrastructure industries have
    become more computerized, the risk of digital
    disruption has increased.
  • The threat groups range from casual hackers to
    terrorists.

11
PCCIP
  • In 1997, the President's Commission on Critical
    Infrastructure Protection (PCCIP) investigated
    threats and mitigation strategies for
    cyber-controlled critical networks.
  • This group identified eight critical
    infrastructure systems.

12
PCCIP -- Electric Power Grid
  • Power grid vulnerabilities and mitigations were
    documented in the PCCIP's NSTAC Electric Power
    Risk Assessment report.
  • PCCIP: President's Commission on Critical
    Infrastructure Protection
  • NSTAC: National Security Telecommunications
    Advisory Committee
  • Their suggestions included a broad program of
    education and awareness.
  • Sharing of information between government and
    industry, and cooperative development of risk
    assessment methods.

13
Assessment techniques
  • To adapt existing vulnerability assessment
    methods and/or develop new approaches.
  • Checklists
  • Survivable Systems Analysis (SSA)/ Probability
    Risk Assessment (PRA)
  • Expert system

14
Goals of Paper
  1. To report the results of applying these
    techniques to the assessment of power substation
    control networks for cyber based attacks.
  2. To report on the cyber security challenges still
    facing the electric power industry after the
    vulnerabilities were documented.
  3. To examine some of the underlying design issues
    typical of power substation networks that impact
    security efforts.

15
Outline
  • 0. Risk Management Concepts
  • Introduction
  • Current State of Power Networks
  • 2.1 Current Vulnerabilities
  • 2.2 Current Challenges
  • Mitigation Strategies
  • Survivability and Vulnerability Assessment
  • Conclusion

16
On-site Visit
  • To conduct site assessments.
  • To interact with people knowledgeable about the
    systems.

17
2.1 Current Vulnerabilities
  • The greatest vulnerability of the power
    substation control networks is the lack of cyber
    security awareness within the power industry.
  • Lack of security awareness can be found at all
    levels of the industry.
  • developers of systems and software
  • operators of the power control systems
  • power engineers
  • Power Grid Vulnerabilities

18
Power Grid Vulnerabilities
19
Why Do Old Vulnerabilities Still Exist?
  1. There still appears to be a lack of urgency in
    the attitude of power industry executives.
  2. Power industry deregulation has created
    competition, forcing power companies to trim
    development and work closer to their margins
    without extra resources.
  3. Executives that make company decisions are
    business oriented and lack the technical
    background.

20
2.2 Current Challenges
  • Geographic distribution of these networks
  • the sheer number of devices connected to a single
    network
  • the sheer size of the network
  • Diversity of equipment and protocols
  • Diversity and lack of interoperability in these
    protocols
  • Diversity of electronic control equipment

21
  1. Proprietary SCADA protocol or Ethernet
  2. Proprietary, EIA232, EIA485, Ethernet, UCA, or
    ControlNet
  3. Vendor Proprietary Protocol
  4. Ethernet
  5. Local Ethernet or Internet
  6. EIA-232
  7. V.32, V.34, WAP, or WEP
  8. DNP, Modbus, Profibus, Fieldbus

22
Outline
  • 0. Risk Management Concepts
  • Introduction
  • Current State of Power Networks
  • Mitigation Strategies
  • Cyber Security Education
  • Enforcement of Cyber Security Policy
  • Authentication Enforcement
  • Enact Encryption
  • Firewalls, Virus Scanners, Intrusion Detection
    Systems
  • Keep SCADA control and Corporate networks
    separate
  • Survivability and Vulnerability Assessment
  • Conclusion

23
Mitigation Strategies
  • Cyber Security Education
  • Education creates employee cyber awareness;
    employees assist with cyber security.
  • Enforcement of Cyber Security Policy
  • A security policy is critical for cyber security.

24
Mitigation Strategies (cont)
  • The greatest reduction in the threat of cyber
    intrusion can be achieved by enacting a program
    of cyber security education and training combined
    with an enforced security policy.
  • The insider threat is considered to be more
    serious due to the insider's knowledge of
    electric power system operations.
  • Education and enforcement will help counteract
    both external and insider threats.

25
Mitigation Strategies (cont)
  • Authentication Enforcement
  • Strong password policy, multifactor
    authentication.
  • Enact Encryption
  • Communication data should be encrypted --
    encrypting modem or VPN device.

26
Mitigation Strategies (cont)
  • Firewalls, Virus Scanners, Intrusion Detection
    Systems
  • Network security devices for both corporate and
    power control networks will help reduce cyber
    threats.
  • Keep SCADA control and Corporate networks
    separate
  • Connecting critical SCADA control networks to
    corporate networks increases the risk of
    intruder access.

27
Outline
  • 0. Risk Management Concepts
  • Introduction
  • Current State of Power Networks
  • Mitigation Strategies
  • Survivability and Vulnerability Assessment
  • 4.1 Standards Checklists
  • 4.2 SSA/ PRA
  • 4.3 Expert System Analysis
  • Conclusion

28
4.1 Standards Checklists
  • Prior to undertaking several on-site industry
    visits, we compiled checklists derived from
    industry standards and guidelines.
  • IEC 61850 TC 57
  • IEEE Standard 1402-2000
  • IEEE Draft Standard 1525

29
Standards Checklists (cont)
  • Limitation of checklist
  • The checklists require a certain level of
    knowledge and computer security expertise in the
    person performing the assessment.
  • In summary, a checklist is a good starting point,
    but it is not adequate on its own.

30
4.2 SSA/ PRA - SSA (Survivability System
Analysis)
  • SSA is particularly suitable for assessing
    unbounded networks with ill-defined boundaries
    and non-centralized control.
  • SSA emphasizes survivability.
  • The continued operation of the essential services
    of a system in spite of deliberate compromise or
    natural failure of some components.

31
SSA (cont)
  • A problem with SSA is its lack of quantification.
  • In an effort to add quantification capability to
    SSA, we have combined PRA with SSA.

32
4.2 SSA/ PRA - PRA (Probability Risk
Assessment)
  • PRA utilizes probabilities to determine the
    likelihood that adverse events will occur.
  • statistical sampling
  • historical records
  • solicitation of expert opinion
  • A PRA for cyber security threats
  • Quantification of the risk from these threats
  • Specification of mitigating actions including
    costs

33
Problems with PRA (cont)
  1. Lack of historical cyber security data for
    estimating risk
  2. Difficulty of analyzing risk for large networks

34
Combined Approach -- RAPSA
  • Risk Analysis and Probabilistic Survivability
    Assessment (RAPSA) seeks to leverage the
    strengths of both approaches.
  • There are four stages in RAPSA method.

35
RAPSA (cont)
  • Stage 1: System Self-assessment
  • An analysis team performs a self-assessment to
    understand system mission objectives.
  • Partition the system into services that are
    essential to the mission and those services that
    are identified.

36
RAPSA (cont)
  • Stage 2: Threat Identification
  • Threats from cyber attacks are enumerated for the
    essential services identified in the previous
    step.
  • Intrusion scenarios/ attack stages are outlined.
  • Vulnerabilities associated with each intrusion
    scenario are identified.

37
RAPSA (cont)
  • Stage 3: Risk Quantification
  • Quantify the risks for each intrusion scenario.
  • Event/fault trees will be used where needed to
    assist with understanding how attacks can be
    neutralized.
  • Mitigation mechanisms will be proposed.

38
RAPSA (cont)
  • Stage 4: Risk Mitigation Trade-off
  • Several types of tradeoff analyses are possible.
  • Partitioned Multi-objective Risk Method (PMRM)
  • Decision Tree Analysis
  • Produce survivability map including risks and
    costs for mitigation strategies.

39
4.3 Expert System Analysis
  • To analyze the individual components using a
    prototype ES.
  • Prolog - AI language
  • Model the visibility conditions
  • Implement the shortest path algorithm

40
visibility condition
visibility path
41
Output of ES Vulnerability Assessment
  • Visibility paths from Internet to CircuitBreaker
  • "Internet", "SubstationController", "IED2",
    "CircuitBreaker" with vulnerability level 10
  • "Internet", "IED2", "CircuitBreaker" with
    vulnerability level 7
  • "Internet", "CorporateNetwork", "SCADAMaster",
    "SubstationController", "IED2", "CircuitBreaker"
    with vulnerability level 23
  • Most vulnerable visibility path from Internet to
    CircuitBreaker
  • "Internet", "CorporateNetwork", "SCADAMaster",
    "SubstationController", "IED2", "CircuitBreaker"
    with vulnerability level 23
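
Added example (not part of the original slides and not the authors' Prolog expert system): a Python sketch of the visibility-path analysis on slides 39-41, which also shows how separating the corporate and SCADA networks changes the result. It assumes a path's vulnerability level is the sum of per-link scores, which the slides do not state; the link scores are constructed so the totals match the output above, and all function names are hypothetical.

```python
# Constructed model: link scores are illustrative, chosen so the path totals
# match the slide's output (10, 7, 23). They are not values from the paper.
LINKS = {
    "Internet": {"SubstationController": 5, "IED2": 5, "CorporateNetwork": 8},
    "CorporateNetwork": {"SCADAMaster": 6},
    "SCADAMaster": {"SubstationController": 4},
    "SubstationController": {"IED2": 3},
    "IED2": {"CircuitBreaker": 2},
    "CircuitBreaker": {},
}


def visibility_paths(links, source, target):
    """Return every loop-free path source -> target as (nodes, level)."""
    found = []

    def walk(node, path, level):
        if node == target:
            found.append((path, level))
            return
        for nxt, score in links.get(node, {}).items():
            if nxt not in path:  # skip cycles so enumeration terminates
                walk(nxt, path + [nxt], level + score)

    walk(source, [source], 0)
    return sorted(found, key=lambda p: p[1])


def most_vulnerable(links, source, target):
    """Path with the highest level, or None if the target is not visible."""
    paths = visibility_paths(links, source, target)
    return paths[-1] if paths else None


def without_link(links, a, b):
    """Copy of the model with link a -> b removed (e.g. network separation)."""
    return {n: {m: s for m, s in out.items() if (n, m) != (a, b)}
            for n, out in links.items()}


if __name__ == "__main__":
    for nodes, level in visibility_paths(LINKS, "Internet", "CircuitBreaker"):
        print(level, " -> ".join(nodes))
    separated = without_link(LINKS, "CorporateNetwork", "SCADAMaster")
    print("after separation:",
          most_vulnerable(separated, "Internet", "CircuitBreaker"))
```

In this model, removing the CorporateNetwork to SCADAMaster link eliminates the level-23 path, but the two direct Internet paths remain visible and need their own mitigations.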

42
Outline
  • 0. Risk Management Concepts
  • Introduction
  • Current State of Power Networks
  • Mitigation Strategies
  • Survivability and Vulnerability Assessment
  • Conclusion

43
Conclusion
  • In looking at the current state of power industry
    cyber security, it appears to lag behind the
    state-of-the-practice in both network security
    and ultra-reliable systems design.
  • In spite of the national emphasis on terrorism
    awareness, the power industry as a whole appears
    to be lacking in cyber security awareness.

44
Thank you for listening
  • Wendy Y.F. Wen