Cyber security of power distribution systems

On November 15, 2016 I attended the San Francisco IEEE Industrial Automation Society (IAS) Chapter Meeting on networked power distribution systems. The presenter (Bob Hunter from AlphaGuardian Networks) reviewed the threat to commercial/industrial power distribution networks and discussed the susceptibility of the various network protocols to cyber attacks.

I asked if there were representatives from PG&E attending, as the presentation dealt with low and medium voltage power distribution systems that are used throughout the electric industry. The answer was no, because this was an IAS meeting, not a Power Engineering Society (PES) meeting. It seems that various organizations still cannot understand that when it comes to cyber, the equipment is the same and similar cyber threats apply to all industries using similar equipment. One also wonders whether the electric industry cyber security requirements that exclude distribution systems (the NERC CIPs) play a role in the lack of adequate attention to the cyber security of power distribution systems.

There were a number of items that I found of great interest:

- Many power distribution devices are still cyber vulnerable by design, such as power meters using Zigbee, distribution reclosers using Bluetooth, and numerous power distribution devices with built-in web servers.

- The presenter gave a brief Shodan review to show the large number of building control devices that are directly connected to the Internet. He also showed many building control devices with their passwords in clear text.

- Many building control devices use SNMP protocols, which are cyber vulnerable and allow the takeover of Uninterruptible Power Supplies (UPS) and power distribution units (PDUs). This has already happened: the presenter mentioned a financial institution that was hacked through its PDUs. Also recall that the Target hack was through the HVAC vendor.

- The presenter also mentioned that many IT security requirements, such as HIPAA, PCI, the Gramm-Leach-Bliley Act, and FCC requirements, actually have cyber requirements for electrical and mechanical equipment.

- The HIPAA security compliance standards require Full Implementation of Physical Network Protection Measures. "Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. When a covered entity is operating in emergency mode due to a technical failure or power outage, security processes to protect EPHI must be maintained."

- Credit card payment security compliance standards require Full Physical Network Protection Measures. "Tie all access control and monitoring systems to an Uninterruptible Power Source (UPS)." In addition, almost all Point of Sale (POS) servers include UPS systems as a standard component. Maintaining and monitoring all UPS systems is critical to ensuring the integrity of all credit card data. Inherent in the PCI DSS standards is maintaining an environment conducive to maximizing network equipment uptime. This includes proper cooling and environmental controls for all areas in which data is transported or stored.

- Gramm-Leach-Bliley Act security compliance standards require that All Appropriate Physical Network Protection Measures be taken. "Computing equipment should have a continuous uninterrupted power source. Management should take reasonable action to protect computing equipment power sources. Consequently management should monitor and condition the voltage of electricity sources to prevent power fluctuations." "Disruptions to the IT operations environment can pose significant operational, strategic, transaction, and reputation risks. Consequently, management should control and monitor environmental factors…"

- FCC Telecommunications Security Standards require Full Physical Network Protection Measures. The FCC Physical Network Security Standards specifically require the remote monitoring of the physical environment of local and remote sites within a telecommunication provider's network. "The physical environment is monitored to detect potential cybersecurity events."

The requirement to deploy backup power systems throughout a provider’s network can introduce cyber threats. Batteries, generators and other backup power can be hacked by various means such as the October 2016 ICS Cyber Security Conference demonstration of hacking power supplies.

As mentioned, power supplies have been out of scope for most electric utility cyber security requirements (the NERC CIP scope). Replacing a UPS was the initiating event for the 2010 San Bruno natural gas pipeline explosion. The 2015 Ukrainian cyber attack targeted electric power distribution systems. Additionally, on November 6, 2016, the Finnish Communications Regulatory Authority disclosed that a cyber attack had disrupted home automation systems in Lappeenranta, Finland. The incident, the work of criminals, caused services such as heating to restart when web traffic overloaded the capacity of the computers controlling the systems.

There is a need to cyber secure power distribution systems in utility and non-utility applications.

Joe Weiss