Encryption algorithms require a crypto key. These keys can be manually delivered and injected into encryption devices, but as a practical and security matter, an automated and centrally managed solution is required for even a medium-size SCADA system.
TecSec, Inc. will apply their experience in developing key management solutions for other sensitive sectors to the SCADA environment in the prototype design of a Secure Crypto Management System (SCMS). The SCMS would cover the entire lifecycle of a crypto key including generation, allocation, distribution, use and destruction. The SCMS could be used in a variety of SCADA encryption solutions, potentially even some of the other DHS-sponsored projects previously described.
Intrusion Detection
In a perfect world, security prevention measures would stop all attacks. Unfortunately, the world is not perfect and that means detection is required. Take, for example, a bank. Banks have locks on the doors, bars on the windows and a vault, but the bank still deploys detection in the form of security guards, cameras and motion detectors. In the cyber world, detection is provided by intrusion detection systems (IDS).
One of the most popular IDSs is the open-source “Snort” program that currently detects attacks on common protocols, operating systems, and applications. Digital Bond’s research project will build on the Snort code and add SCADA protocol and system-specific intrusion detection signatures. Additionally, Digital Bond will work with SCADA application vendors and managed security service providers (MSSPs) to integrate the security events in SCADA application logs into the MSSP’s service. The results of this project will be open source.
Expert Microsystems, Inc. is working to improve SCADA security information management for intrusion detection. That company’s focus will be on anomaly detection techniques that identify new attacks. An interesting element of this project is the addition of artificial intelligence algorithms that allow the software to learn and to customize the detection engine for each SCADA system. In theory, a learning system would lower the number of false positives and be more accurate in setting the threat level of an incident.
SNVC, L.C. has teamed with Mykotronx in a third research project in the IDS area. Very little additional information on this project is publicly available at this time. Mykotronx’s background in providing hardware security modules and chips for the U.S. Government may provide some clues on the project’s direction.
Relying on passwords for user authentication is almost always a mistake. Users usually select easy-to-remember and therefore easy-to-guess passwords and often share them with other users. Even when security policies force users to select strong passwords and change them frequently, people will write the passwords down and leave them in plain sight by taping them to desks or monitors.
Today many SCADA applications offer strong authentication that includes at least two of the following three factors:
1. Something you know (password, PIN)
2. Something you have (token, smart card)
3. Something you are (fingerprint, iris scan)
Digital Authentication Technologies (DAT) offers fourth and fifth authentication factors: “Where you are now” and “Where have you been.” For example, the DAT system can determine if a user is in an authorized location to log in to the network. The technology goes well beyond the radio-frequency identification (RFID) proximity cards that are easily exploited and includes a variety of complex algorithms that prevent spoofing and other attacks. Digital Authentication Technologies’ research project will focus on applying their existing technology to authenticating users and systems in SCADA networks.
While most of the projects apply to any SCADA system, three of the research projects are focused solely on electric power systems.
Architecture Technology Corporation in Ithaca, New York is developing a system to intelligently restrict commands sent from a SCADA control center based on the state of the electrical grid and a set of inputs such as identity and security policy. This sophisticated access control technology will be implemented via a new access control language and software architecture developed in this project. The system would prevent adversaries who have penetrated the control center from issuing harmful commands.
EnerNex Corp. will begin their project by analyzing the cyber security of the recently published international standard IEC 61850, Communication Networks and Systems in Substations. After identifying security deficiencies in the standard, EnerNex will implement a variety of readily available, low-cost cryptographic technologies and evaluate their performance in an electric power system.
Stan Klein Associates, LLC. is developing an open-source toolkit for constructing secure, next-generation SCADA systems and substation security appliances. In addition to basic SCADA and control center components, building blocks will be developed for many aspects of the utility security problem including a trusted computer platform, end-to-end protection, network protocol and communication components, user management, role-based access control and intrusion detection.
Little detail is available on the final research project from FieldMetrics titled “Affordable, Covert Power Grid Monitoring System” due to patent and security issues. Their published proposal abstract indicates the project will include a power grid monitoring system that communicates via a secure wireless network. This wireless network could also provide backup in the event the primary network was unavailable.
These thirteen projects are truly research projects and some of the ideas may undergo substantial revision or never work when the dust settles. In fact, the primary purpose of Phase I funding is to determine the feasibility of the ideas.
If the ideas have merit, DHS can continue funding the project in Phase II. Phase II funding is typically $750,000, covers up to two years of work, and is expected to produce a prototype suitable for testing on a real SCADA system. After Phase II, the vendors are expected to bring the products to market with private funding sources.
Dale Peterson, CISSP leads the Network Security Consulting Practice at Digital Bond, Inc. He may be contacted at email@example.com