Substation Security: Developing a grid security strategy supporting the more complex needs of multi-vendor, multi-edition substations
- Reviewing lessons learned from recent substation cyberattacks and determining the implications for designing next generation cybersecurity strategies
- Prioritizing the substations to address first by carrying out a thorough risk analysis and understanding the impact of an outage on the wider grid
- Leveraging standardized protocols and technologies to mitigate the growing vulnerability of proprietary systems
- Implementing advanced prevention and detection solutions to optimize substation protection coverage, safeguarding the reliability of grid operations
- Managing the pace of digitalization within the substation to support a cybersecurity migration utilizing the optimal solutions
After the cyber incident is before the cyber incident
In recent times, multiple cyber incidents have been reported to affect critical infrastructure across the world. The word ‘incident’ is used here to underscore the fact that not every digitally aggravated power disruption or significant system degradation is caused by a malicious attack. It can also be caused by cyber accidents owing to defects in energy automation products, faulty system configuration, erroneous human/technician actions, or a combination of these.

Case in point: in 2013 the “Kreisläufer” (network overload) cyber accident in Austria nearly brought the interconnected Austrian energy grid automation networks to a denial-of-service condition, due to a packet avalanche caused by the false broadcast propagation of invalid IEC 104 status request responses across Austrian grid operator networks. What was alarming was that the initial invalid status request and response originated in a south German gas operator’s energy automation network, from which it “jumped” over to the neighboring Austrian grid operator’s energy automation network, where it began to surge and multiply unchecked. Such interconnectivity is not uncommon in European power grid networks. The impact of this DoS condition was that the grid operators were blind to the actual power characteristics across significant parts of the power grid for hours, and would not have been in a position to control any power imbalances had they arisen, which could have led to wide-reaching power outages beyond Austria. The cyber incident acted as a wake-up call to the Austrian and German grid operators to rethink interconnectivity and the hardening of process communication networks, and also resulted in protocol stack related improvements in substation controllers and communication gateways commonly deployed in these networks (more on this in an upcoming blog post).
But perhaps most prominently, what comes to mind in the energy automation landscape when one speaks of cyber incidents are the unprecedented cyberattacks of December 2015 and December 2016 that targeted Ukrainian power grid operators, which have since been widely documented and analyzed.
To briefly recap, the December 2015 cyberattack affected many substations operated by three Ukrainian distribution system operators (DSOs), causing a power outage for about 225,000 Ukrainian residents for over 6 hours. Some notable tactics used by the attackers included:
- Sending spear-phishing emails to DSO employees and getting them to run embedded macros in attached spreadsheets, which in turn delivered the BlackEnergy3 malware into the DSO networks
- Stealing the credentials of remote access accounts that operators used to connect remotely to substations, and on the day of the attack using these credentials to remotely operate substation HMIs and actuate circuit breakers
- Modifying the user passwords of legitimate operators on the substation HMI workstations so that they could not take control of the HMI session to stop the attackers’ remote mouse operations they were witnessing
- Loading corrupted firmware into Ethernet-to-serial devices deployed in the targeted substations, rendering them unusable and disrupting SCADA connectivity to the control centers
A year later came the December 2016 cyberattack that affected the Ukrainian transmission system operator (TSO) Ukrenergo, bringing down a 330 kV high-voltage substation and disrupting the power supply for about 20% of Kiev for about an hour. This cyberattack was novel in that it saw the first recorded use of malware purpose-written to target the energy automation technologies used in substations worldwide: this malware has come to be known as Industroyer or Crash Override.
The tactics used to infiltrate the Ukrenergo networks for reconnaissance and OT network propagation are reported to be similar to those of the 2015 attacks. What made this malware unique, however, is its final payload, which caused the attacked substation to be de-energized. The discovered Industroyer malware contained energy automation domain-specific protocol services and modules that could employ a diverse set of attack techniques, as described in the MITRE ATT&CK description for Industroyer/Crash Override. Here are a few of those techniques:
- Issue commands to substation controllers such as RTUs (remote terminal units) using well-established, standardized protocols such as IEC 60870-5-101, IEC 60870-5-104 and IEC 61850, making it the first recorded malware to do so
- Kill the Windows processes of legitimate communication protocol services (e.g. IEC 104) belonging to a specific substation HMI vendor’s software and replace them with malicious variants. This tactic allowed the malware to impersonate a “master” or “client” (protocol-speak for controller) and control circuit breakers and switches in the substations via the RTUs. The specificity of this tactic indicates that the attackers had deep knowledge of the components used in the substation
- Render any unpatched Ethernet-enabled Siemens SIPROTEC 4 protection relays in the substation unresponsive by exploiting a vulnerability that had previously been disclosed and resolved by Siemens. Dragos has recently assessed this tactic as a possible attempt to deactivate the protection relays around the time the Ukrenergo engineers would attempt to re-energize the sabotaged substation, so that the power surges induced during re-energization would go unchecked (with no protection in place) and could lead to potentially serious outcomes.
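A detection-side illustration of the protocol point above, added here and not part of the original post or of any Siemens product: a minimal IEC 60870-5-104 APDU parser that extracts the ASDU type, cause of transmission and addresses, and raises an alert when a process command (the kind of command Industroyer issued) arrives from a source that is not one of the authorized masters. The master allowlist, source addresses and sample frame are constructed; malformed or truncated frames are rejected rather than interpreted.

```go
package main

import "fmt"

// Command: the IEC 60870-5-104 ASDU fields that matter for command monitoring.
type Command struct {
	TypeID     byte
	COT        byte
	CommonAddr uint16
	IOA        uint32
}

// IsControlCommand: C_SC_NA_1..C_BO_NA_1 (45..51) or time-tagged 58..64.
func IsControlCommand(typeID byte) bool {
	return (typeID >= 45 && typeID <= 51) || (typeID >= 58 && typeID <= 64)
}

// ParseAPDU decodes one APDU from its 0x68 start octet; ok is false for
// S- and U-format frames, which carry no ASDU.
func ParseAPDU(b []byte) (c Command, ok bool, err error) {
	if len(b) < 6 || b[0] != 0x68 {
		return c, false, fmt.Errorf("not an IEC 104 APDU")
	}
	n := int(b[1]) // octets following the length field
	if n < 4 || len(b) < 2+n {
		return c, false, fmt.Errorf("truncated APDU: length %d, have %d", n, len(b)-2)
	}
	if b[2]&0x01 != 0 { // bit 0 of control octet 1 is 0 only for I-format
		return c, false, nil
	}
	asdu := b[6 : 2+n] // ASDU follows the four control-field octets
	if len(asdu) < 9 { // type, VSQ, COT(2), CA(2), IOA(3)
		return c, false, fmt.Errorf("ASDU too short for one information object")
	}
	c.TypeID, c.COT = asdu[0], asdu[2]&0x3F // COT bit 6 = test, bit 7 = negative
	c.CommonAddr = uint16(asdu[4]) | uint16(asdu[5])<<8
	c.IOA = uint32(asdu[6]) | uint32(asdu[7])<<8 | uint32(asdu[8])<<16
	return c, true, nil
}

// CheckCommandSource returns a non-empty alert when raw carries a control
// command and src is not an authorized master (client) address.
func CheckCommandSource(src string, raw []byte, masters map[string]bool) (string, error) {
	c, ok, err := ParseAPDU(raw)
	if err != nil || !ok || !IsControlCommand(c.TypeID) || masters[src] {
		return "", err
	}
	return fmt.Sprintf("ALERT: type %d (COT %d) CA %d IOA %d from non-master %s", c.TypeID, c.COT, c.CommonAddr, c.IOA, src), nil
}

func main() { // constructed sample: C_SC_NA_1, COT 6 (activation), CA 1, IOA 4096, ON
	frame := []byte{0x68, 0x0E, 0, 0, 0, 0, 0x2D, 0x01, 0x06, 0x00, 0x01, 0x00, 0x00, 0x10, 0x00, 0x01}
	fmt.Println(CheckCommandSource("10.1.1.99", frame, map[string]bool{"10.1.1.10": true}))
}
```

The same check can be fed from a span port or a TCP/2404 capture; the point is that the allowlist is per source, so a replaced protocol service on a compromised HMI host only evades it if that host is itself a listed master.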
Ukraine cyberattacks: Recommended technical mitigation measures at the system level
Applicable mitigation measures to address these kinds of cyberattacks have been well documented; see for example the US ICS-CERT alert related to the 2015 Ukraine attacks. Substation security, or for that matter ICS security in general, can only be addressed effectively with a defense-in-depth approach that covers all aspects of security measures: network segmentation, access control, security monitoring, patch management, backup and restore, secure remote access and malware protection, among others. Such an approach has been clearly defined in the IACS security standard ISO/IEC 62443. The application of part IEC 62443-3-3, “System security requirements and security levels”, to protect ICS systems against 2015 Ukraine-style cyberattacks is available from the ISA.
Siemens is among many system integrators that apply IEC 62443-2-4 (secure integration processes) and IEC 62443-3-3 (secure systems), and the first substation system integrator to have certified its secure substation blueprint according to these IEC 62443 parts. The secure substation blueprint is the basis for the operational substations that Siemens has commissioned across the world.
A standards-compliant application of the Siemens secure substation blueprint with SIPROTEC 5 protection relays, SICAM PAS substation controller, SICAM A8000 RTUs and SICAM SCC HMI is described in our IEC 62443 secure substation conformance statement.
Ukraine cyberattacks: Additionally recommended technical mitigation measures at the product level (non-exhaustive list)
In addition to securing substations at the system level as briefly outlined above, further countermeasures are already in use by power grid operators at the individual component/product level:
- Protecting ICS devices against corrupt/malicious firmware: employ energy automation and protection devices that support digitally signed firmware and validate the cryptographic integrity of received firmware before loading it. See this article to learn how SIPROTEC 5 relays and SICAM A8000 RTUs from Siemens provide such functionality
- Protecting critical Windows-based ICS applications and runtimes: enable application whitelisting on operation-critical Windows workstations so that no unauthorized software is permitted to execute on these systems. The Windows binaries that make up the Siemens software for substation automation and HMI are digitally signed to facilitate a robust implementation of application whitelisting. More on this in a subsequent blog post
- Protecting process communication protocols used in energy automation: use RTUs such as SICAM A8000 and substation controllers such as SICAM PAS that support TLS-secured process communication for Ethernet-based protocols such as IEC 104 and IEC 61850-MMS, in adherence to the international standard IEC 62351. More on this in a subsequent blog post
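To make the first bullet concrete, an added example (not Siemens code, and not the SIPROTEC or SICAM firmware format) of what “validate before loading” means on the device side: an Ed25519-signed image whose signature covers header and payload, plus an anti-rollback version floor that goes slightly beyond the bullet. The image layout, magic string and version field are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not a vendor format): "FWIM" | version
// uint32 BE | payload length uint32 BE | payload | Ed25519 signature over all preceding bytes.
var magic = []byte("FWIM")
const hdrLen, sigLen = 12, ed25519.SignatureSize

// NewKeyPair creates the vendor signing key; in practice it stays offline.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil rand = crypto/rand.Reader
}

// SignImage is the build-side step: header, payload, then signature.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], version)
	binary.BigEndian.PutUint32(body[8:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side step: structure, signature, then an
// anti-rollback floor. Nothing is returned for loading unless all pass.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < hdrLen+sigLen || !bytes.Equal(img[:4], magic) {
		return nil, 0, errors.New("not a firmware image")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-hdrLen-sigLen {
		return nil, 0, errors.New("length field does not match image size")
	}
	body, sig := img[:hdrLen+n], img[hdrLen+n:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, errors.New("signature invalid: image rejected")
	}
	if version < minVersion {
		return nil, 0, fmt.Errorf("version %d below minimum %d: rollback rejected", version, minVersion)
	}
	return body[hdrLen:], version, nil
}
```

Because the length and version fields sit under the signature, an image whose header was edited after signing fails exactly like one whose payload was, which is the property the Ethernet-to-serial devices in the 2015 attack lacked.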
How to defend critical systems against future cyber incidents
It is safe to assume that we will continue to witness cyber incidents affecting power grids in the future: targeted attacks à la Industroyer, generic ransomware attacks (remember LockerGoga at Norsk Hydro in 2019?) and even ICS-targeted ransomware attacks such as EKANS will likely cause power disruptions and make headlines. Securing substations and grids will continue to be challenging, and will grow in complexity owing to higher levels of digitalization and connectivity. Keeping grids sustainably secure and resilient will require a holistic approach encompassing people, processes and technologies.
So, how well equipped are power system operators around the world to meet the challenges that the ever-evolving ICS threat landscape throws at their critical infrastructure systems? What organizational measures do we, as an ICS/OT technology vendor, see being practised by power grid operators (our customers) during the procurement, commissioning, operation and maintenance phases of their OT systems? What ICS skills are they developing, and what demands are they placing on their system integrators and component suppliers to cope with cyber threats and risks? How much are they and their suppliers benefiting from the prevailing and evolving international information security and ICS security standards such as ISO/IEC 27001, IEC 62443 and IEC 62351? How are regulatory frameworks, and their push for minimum ICS security standards across the energy value chain, being factored into ICS security related activities?
Learn this and more in my upcoming posts and at conferences where my colleagues or I present on topics surrounding cybersecurity for digitally equipped power grids.
More to come in this series with grid security whitepapers and blog posts:
- A risk-based approach to securing substations
- Standardization: The babel fish for substation security?
- Going the extra mile: Advanced security add-ons for substations
- Securing Brownfield / legacy substations: Going back is going forward
- Securing tomorrow’s digital grids
- If you’re interested in learning about a specific topic, do let me know
© Siemens 2020, Smart Infrastructure, Digital Grid, Energy Automation