Pentagon to utilities: Uncle Sam wants you – but who do they really need

March 19, 2019
Cyber Command is recruiting U.S. energy companies as partners in developing and defining a new strategy. However, the utility personnel Cyber Command wants are the engineers who know how to operate power plants and substations, and they generally have no cyber security training or responsibility. Unfortunately, the bulk of the utility people associated with cyber security are compliance-focused, without an understanding of the equipment used in power plants and the grid.

This blog was inspired by the March 14th, 2019 article in E&ENews Energywire "Pentagon to Utilities: Uncle Sam Wants You" (https://www.eenews.net/stories/1060127201). 

Cyber Command is recruiting U.S. energy companies as partners in developing and defining the new strategy disclosed last fall, "Defend Forward". The strategy includes for the first time a commitment by Pentagon cyber operators to engage adversaries to block the most dangerous attacks before they're launched. The “Persistent Engagement” strategy has gained support from leaders in Congress who are eager to send a message to U.S. rivals. But the support is joined by anxiety about throwing open the door to a dangerous, more chaotic new chapter in digital warfare.

There are numerous policy issues that have been raised but I will address technical and philosophical issues. My first concern is philosophical, and it revolves around Stuxnet. As best as I can tell, Stuxnet has been the only time the physical security, cyber security, and engineering teams seamlessly worked together, in this case, to successfully attack systems. Unfortunately, this type of coordination has not been the norm in defending critical systems. The second concern was the “blowback” from Stuxnet. Prior to Stuxnet, critical infrastructure was not a primary target of the hacker community. That changed after Stuxnet.

Cyber security efforts for the North American utilities have been involved with developing and then meeting the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. The NERC CIP process has a number of major shortcomings. Most importantly, it’s a compliance process focused on policies, and not an actual security process focused on protecting critical power plant and grid equipment. As such, current NERC CIP processes do not include the power plant and power system engineers. Yet, the network security personnel who are involved in the NERC CIP process generally are not trained or familiar with power plant or power system operations. Other major shortcomings in the CIP process include the exclusion of non-routable protocols and electric distribution. As the NERC CIP process and reports concerning protection misoperation and system congestion are public information, they essentially provide a roadmap for hackers.

There needs to be increased emphasis on securing control systems. Control system cyber security poses a different set of problems from those that arise within network security. Yet, power plant and power system engineers have often been excluded from the NERC CIP process. Major concerns lie in the lack of understanding of power plant and power system operations apart from Supervisory Control and Data Acquisition (SCADA) and networked systems.

Consider the case of an electrical distribution substation. When a substation is designed, the control system’s logic programming and operation are specified by logic diagrams that define the operational functions and the interconnected coordination of the different relays, programmable logic controllers (PLCs) and sensors (it is like mapping the brain). Coordination of these devices’ operations is based on operational conditions of current, voltage, frequency and timing of coordination as defined by time-current curves (TCC), trip delays and zone coordination through direct communications between relays. This process allowed power systems, both transmission and distribution, to operate before the use of SCADA systems. If SCADA should be lost or disabled due to compromise, then the power system should work unless the individual control systems themselves were altered.

The low-level networks (e.g., wired HART, serial Modbus, etc.) and field equipment (e.g., process sensors, actuators, and drives) that can cause long-term outages also have been excluded from the NERC CIPs. There is no cyber security or authentication integrated in the sensors, actuators, and drives in the power plant and power grid systems. Yet, the sensors are the input to all OT networks. The physics issues such as Aurora that can cause long-term damage effectively have been excluded from the NERC CIPs and the utilities still have not followed the requirements in the original 2007 NERC Aurora advisory.

These are engineering concerns and require the participation of power plant and power system experts. Yet, IT and OT typically scoff at engineering participation. This approach of exclusion can, and has, caused as much damage as a cyber intrusion or cyber-attack.
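
The relay coordination described above can be checked numerically. The following is an added example, not part of the original post or any utility's tooling: it compares as-found relay settings against an engineering baseline and tests whether the upstream relay still waits long enough for the downstream relay to clear a fault. The IEC standard-inverse curve, the 0.3 s grading margin, the relay names and all settings are assumptions constructed for illustration.

```python
from dataclasses import dataclass, asdict

# IEC standard-inverse time-current curve: t = TMS * K / (M**ALPHA - 1),
# where M is the fault current as a multiple of the pickup current.
K, ALPHA = 0.14, 0.02

@dataclass(frozen=True)
class RelaySetting:
    name: str
    pickup_a: float  # pickup current, amperes
    tms: float       # time multiplier setting

def trip_time(setting, fault_a):
    """Seconds until the relay trips, or None if the current is below pickup."""
    multiple = fault_a / setting.pickup_a
    if multiple <= 1.0:
        return None
    return setting.tms * K / (multiple ** ALPHA - 1.0)

def changed_fields(baseline, as_found):
    """Fields whose as-found value differs from the engineering baseline."""
    b, f = asdict(baseline), asdict(as_found)
    return {k: (b[k], f[k]) for k in b if b[k] != f[k]}

def coordination_violations(downstream, upstream, fault_levels_a, margin_s=0.3):
    """Fault levels at which the upstream (backup) relay would trip less than
    margin_s after the downstream relay, so a feeder fault could drop the bus."""
    bad = []
    for amps in fault_levels_a:
        t_down, t_up = trip_time(downstream, amps), trip_time(upstream, amps)
        if t_down is None or t_up is None:
            continue  # one of the relays never operates at this level
        if t_up - t_down < margin_s:
            bad.append(amps)
    return bad

# Constructed sample settings (hypothetical relays, not from any real substation).
FEEDER = RelaySetting("feeder-51", pickup_a=400, tms=0.10)
BASELINE_UPSTREAM = RelaySetting("bus-51", pickup_a=600, tms=0.30)
AS_FOUND_UPSTREAM = RelaySetting("bus-51", pickup_a=600, tms=0.15)  # altered TMS
FAULT_LEVELS_A = [2000, 4000, 8000]

if __name__ == "__main__":
    print("changed:", changed_fields(BASELINE_UPSTREAM, AS_FOUND_UPSTREAM))
    print("baseline violations:",
          coordination_violations(FEEDER, BASELINE_UPSTREAM, FAULT_LEVELS_A))
    print("as-found violations:",
          coordination_violations(FEEDER, AS_FOUND_UPSTREAM, FAULT_LEVELS_A))
```

A settings diff alone shows only that one number changed; the coordination check shows the engineering consequence, which is the judgement a power system engineer brings to the review.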

Because there is a lack of adequate control system cyber security training, particularly for power plant and power system engineers, how would network security personnel identify a cyber attack when a sophisticated cyber attack could look like a mechanical malfunction? There have been cases where unintentional events looked like cyber attacks (see https://www.controlglobal.com/blogs/unfettered/are-the-good-guys-as-dangerous-as-the-bad-guys-an-almost-catastrophic-failure-of-the-transmission-grid and https://www.controlglobal.com/blogs/unfettered/a-recent-event-demonstrates-the-lack-of-grid-resiliency-and-the-inability-to-clearly-identify-cyber-attacks). Moreover, there were many cyber attacks that were not identified as being malicious (see https://www.controlglobal.com/blogs/unfettered/the-need-to-train-control-system-engineers-and-monitor-process-sensors-for-possible-cyber-attacks). What is just as disconcerting is that even power grid network attacks have sometimes gone undetected or unrecognized for many months (see https://www.controlglobal.com/blogs/unfettered/russia-has-compromised-the-us-grid-this-year).

For the Pentagon’s efforts to work effectively, agile and continuous collaboration that includes a systems engineering perspective is essential. This strategy can succeed by taking a functional approach in building security teams. This can only be done by consulting beyond the executive, IT, and OT levels to include the power plant and power system engineers. Engaging with power plant and power system engineers who run the electric grid every day will greatly benefit Cyber Command as it builds more traditional relationships with CEOs, executives, network (IT/OT) senior managers and CISOs. Evolving the approach to be more inclusive is an important step as the private sector creates its relationships with DoD. This collaboration can strengthen DoD’s ability to help secure the grid while providing DoD the information it requires to defend forward in cyberspace. There’s no substitute for a thorough working familiarity with the systems we’re trying to protect.

Joe Weiss