Defense in Depth Cyber Security for Substation Communications

Electrical substations are vulnerable to both intentional and accidental cyber incidents.

Defense in Depth–Multiple Layers of Protection

If you are an engineer in North America, you are familiar with NERC (the North American Electric Reliability Corporation), which sets standards for the operation of power systems across the U.S., Canada and parts of Mexico. It has a standard called NERC CIP (CIP standing for Critical Infrastructure Protection) that mandates compliance with minimum security requirements.

Unfortunately, for many years a core NERC CIP concept was an electronic security perimeter (ESP) philosophy based on hiding all critical assets behind a monolithic boundary. For example, a single firewall could be installed on the boundary between all critical control assets and the business network, with the hope that it would prevent all unauthorized access to the critical assets.

Industry experience has shown that monolithic designs present a single point of failure in a complex system. Few systems are so simple as to have a single point of entry. With the help of Murphy’s Law, eventually all single-point solutions are either bypassed or experience some sort of malfunction, leaving the system open to attack.

A more realistic strategy is based on Defense in Depth (DiD)–multiple layers of defense distributed throughout the control network. DiD maintains an ESP firewall between the business and control networks, but adds security solutions inside the control system that protect the substations if the main firewall is bypassed. The solutions work in parallel, with one technology often overlapping with others, to form a significant safeguard against either attack or human error.

The techniques used should be based on doing a risk assessment for critical assets and processes. Then, a multi-layer defense model, which includes protection technology and other items, is developed. The other items include things like physical security, policies, procedures and more.

Defense in Depth means using multiple, overlapping layers of protection to secure critical infrastructure.

A network protected using a Defense in Depth strategy responds to threats, such as a traffic storm (caused by device failures) or a USB-based virus, by limiting the impact to the zone where the problem started. Alarm messages from the firewalls would pinpoint the zone and even the source of the problem.

Routing Firewalls Guarding the Substation Perimeter

To create a security perimeter for the substation, a security control point needs to be established  to restrict and monitor traffic flowing into and out of the substation.

Typically, this will be a dedicated firewall, but in some cases a router or terminal server can be used. These need to be able to filter large amounts of traffic and interface transparently to IT systems using security protocols, such as RADIUS and TACACS+. It is critical that this device is both security hardened and monitored for indication of attacks.

There are two primary options for implementing network security technologies for a substation:

• Industrial firewalls that control and monitor traffic; comparing the traffic passing through to a predefined security policy & discarding messages that don't meet policy requirements. Firewalls can be installed both at the ESP boundary & between internal zones.

• VPNs (Virtual Private Networks) are networks layered onto a more general network using specific protocols or methods to ensure “private” transmission of data. VPN sessions tunnel across the transport network in an encrypted format, making them “invisible” for all practical purposes.
  
  

Transparent Firewalls to Protect Core Processes

Transparent firewalls, such as the Tofino Xenon Security Appliance, are security devices with special features for industrial use. At first glance, they function on the network like a traditional Ethernet switch, but they can actually inspect network messages in great detail.

The “transparent” feature allows them to be dropped into existing systems without requiring readdressing of the station devices. This means that organizations can retrofit security zones into live environments without a shutdown. They also allow the installation of security controls within a single sub-network, for example within a large process bus.

The “firewall” feature provides detailed “stateful” inspection of all network protocols so inappropriate traffic can be blocked. For example, rate limits can be set to prevent “traffic storms” while deep packet inspection rules can be set to prevent inappropriate commands from being sent to IEDs or controllers.

How Belden and Tripwire Can Help

In addition to our substation communications products, Belden’s offerings now include advanced threat, security and compliance software solutions from Tripwire. This includes Tripwire’s market leading NERC CIP Solution Suite, which is used by more than 100 NERC-registered entities. Nine out of the top ten utilities in the United States use Tripwire, and jointly, Belden solutions can deliver state-of-the-art cyber security solutions that meet the needs of both ICS operations and Enterprise IT.

If you would like assistance, in North America, Belden offers a no-charge Industrial Ethernet Infrastructure Design Check-Up that includes a high level security review. This process evaluates your network based on best practices that have been learned across our development and deployment of hundreds of systems. Call 855-400-9071 to arrange for an Infrastructure Design Check-Up.

In Europe and other parts of the world, the Belden Customer Innovation Center employs network design engineers who can work with your technical team to design the most cost-effective solution for implementing Defense in Depth cybersecurity.