200115-Unfettered
200115-Unfettered
200115-Unfettered
200115-Unfettered
200115-Unfettered

Patent issued for securing Intelligent Electronic Device (IED) networks

Jan. 14, 2020
There continues to be a significant gap in understanding of the Aurora vulnerability and other physics-related issues. The technology identified in the patent can help secure the grid from physics issues by preventing unauthorized changes to IEDs. 

There continues to be a significant gap in understanding of the Aurora vulnerability and other physics-related issues. The potential impact of an Aurora event can be very impactful potentially shutting down key industrial manufacturing facilities for extended periods of time and the grid for 9-18 MONTHS. As the declassified 2015 DHS Aurora material identified, an Aurora event can also cause long term damage to refineries/chemical plants, water pumping stations, and natural gas compressor stations. Both the 2015 and 2016 Ukrainian cyber events were the first step of the two-steps in initiating an Aurora event. There has also been at least one Aurora incident in the US that has damaged a facility and a possible Aurora attack overseas. The 2007 Idaho National Laboratory Aurora demonstration was a case of simply opening and then reclosing the breakers out-of-phase with the grid. It did not attempt to compromise the operation of the breaker or the programmed logic of the relay to ignore safety features. Attacking the relay logic could cause significantly more and different types of equipment damage and system impacts than occurred in the Aurora demonstration. In fact, it could cause impacts that might not have been previously considered. Attacking IEDs effectively turns the traditional security paradigm around by making the utility substation the attacker by proxy rather than the facility to be protected. This scenario can certainly affect the risk profile of electric utilities, particularly for issues such as credit ratings.

It was assumed it would require significant industry knowledge to impact a control system device. However, it does not though it would for a sophisticated attack plan. Specifically, a VxWorks Remote Terminal Unit (RTU) was compromised by individuals without industry knowledge - https://www.controlglobal.com/blogs/unfettered/security-by-obscurity-vendor-disclosure-nerc-requirements-etc-what-a-mess, The same lack of necessary industry knowledge occurred with compromising a modern protective relay. It took less than a day for cyber security researchers at Mission Secure, Inc.(MSI) with NO power industry experience to compromise an Intelligent Electronic Device (IED). In this case, it was the SEL-751A. This device happens to be an Aurora hardware vulnerability mitigation device. The compromise was demonstrated at the 2016 ICS Cyber Security Conference resulting in transforming the Aurora mitigation device into the Aurora initiation device https://www.controlglobal.com/blogs/unfettered/demonstration-of-hacking-a-protective-relay-and-taking-control-of-a-motor-the-grid-is-at-risk/

Consequently, the reason for pursuing the technology that resulted in the patent was the lack of adequate security for protecting an IED from any vendor from unauthorized changes. The need was demonstrated at the 2016 ICS Cyber Security Conference outlined in the blog https://www.controlglobal.com/blogs/unfettered/demonstration-of-hacking-a-protective-relay-and-taking-control-of-a-motor-the-grid-is-at-risk/. As stated, MSI, along with Mike Swearingen and myself, not only demonstrated the problem but developed a solution. The solution resulted in the patent issued January 7, 2020, (Patent Number 10,530,749) entitled “Security System, Device, and Method for Operational Technology Networks”. The patent abstract is: “A protection system, method, and a security device that can protect an operational technology (OT) system having connected hardware equipment, including at least an interface that can receive a control communication and an industrial control device (ICD) for controlling at least one industrial device. They feature tasks/steps that receive control communication from the communication interface, determine whether the received control communication contains an undesirable control command, and either pass or block the received control communication to the ICD depending on whether the received control communication contains an undesirable control command. The security device can be disposed between a source of communication in an OT network and the ICD for protection.”

This type of technology can help secure the grid from physics issues that can occur by preventing unauthorized changes to IEDs.

Joe Weiss