Are the Good Guys as Dangerous as the Bad Guys – an Almost Catastrophic Failure of the Transmission Grid

Nov. 2, 2017

A security group at a large utility with experience only scanning data center assets scanned a number of critical transmission substations. The scanning cut all communication between hundreds of relays, and SCADA was unaware.

As stated many times, there are few forensic tools for ICS cyber security and fewer that can discriminate between an unintentional mistake and malicious intentions. Moreover, many of these incidents are intentional, that is, scheduled, but the end user is not aware of potential unintended consequences.

I was recently made aware of a large utility that performed security scans of a number of very critical substations. Until recently, the security group was only scanning data center assets and then expanded the scanning into NERC CIP substations, starting primarily at the 230/500 kV level. The security group had no previous experience with scanning substations. No notification was given for the scanning change to the internal support groups that are responsible for this function. The OT Team was notified that substation scanning was started with a new security port scanning tool. Following the scans, the relays showed trouble, but the DNP polling was working properly and the networks in most substations were stable – SCADA was unaware of the problems. The port scanning of this new tool caused the real-time protocol operation of the relays (IEEE61850/GOOSE) to stop and suspend operation at the CPU (two different relay suppliers) and left the DNP/non-real-time operations alone - the worst possible circumstance. In order to clear the trouble, each relay had to be cut out and rebooted to restore operation. Several hundred relays were affected. All the devices in each substation were affected at the same time in every case. To anyone unaware that a security scan had been initiated, it looked like a DDoS attack resulting in equipment malfunction.

This case reinforces that:

- IT security should NEVER be left alone in industrial operations

- IT security should NEVER use a tool that hasn’t been thoroughly tested for use in OT environments

- It is not always clear what is or isn’t a cyber event

- SCADA is not a fail-safe to identify potential cyber attacks. There have been other cases where SCADA, by design, did not detect critical “malfunctions”.
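The last point is the detection gap in this incident: DNP polling kept answering while GOOSE publishing had stopped, so nothing watching SCADA alone could see the stall. A passive GOOSE heartbeat monitor closes that gap, because every GOOSE publisher retransmits until its timeAllowedToLive (TAL) expires, so a publisher silent for longer than its TAL has stopped regardless of what DNP says. The following is an added example, not code from the post or the utility; the event records and field names (ts_ms, substation, goid, tal_ms) are constructed sample data.

```python
# Added example: passive GOOSE heartbeat monitor (constructed data, not incident captures).
from collections import defaultdict

# Constructed sample: one record per observed GOOSE message (ts_ms, substation, goid, tal_ms).
SAMPLE_EVENTS = [
    {"ts_ms": 4000, "substation": "SUB-A", "goid": "R1", "tal_ms": 1000},
    {"ts_ms": 5000, "substation": "SUB-A", "goid": "R1", "tal_ms": 1000},
    {"ts_ms": 5100, "substation": "SUB-A", "goid": "R2", "tal_ms": 1000},
    {"ts_ms": 5000, "substation": "SUB-B", "goid": "R4", "tal_ms": 1000},
    {"ts_ms": 9800, "substation": "SUB-B", "goid": "R3", "tal_ms": 1000},
]

def known_publishers(events):
    """Map substation -> set of GOOSE publisher IDs ever seen there."""
    population = defaultdict(set)
    for ev in events:
        population[ev["substation"]].add(ev["goid"])
    return dict(population)

def find_silent_publishers(events, now_ms, grace=2.0):
    """Return {(substation, goid): silence_ms} for publishers whose newest
    GOOSE message is older than grace * TAL, i.e. the heartbeat has stopped."""
    last_seen, tal = {}, {}
    for ev in events:
        key = (ev["substation"], ev["goid"])
        if key not in last_seen or ev["ts_ms"] > last_seen[key]:
            last_seen[key] = ev["ts_ms"]
            tal[key] = ev["tal_ms"]
    return {key: now_ms - ts for key, ts in last_seen.items()
            if now_ms - ts > grace * tal[key]}

def substation_wide_stalls(silent, population):
    """Substations where every known publisher is silent at once: the whole-station
    signature in the post, indistinguishable from a DoS unless correlated with
    scheduled activity such as a scan window."""
    silent_by_station = defaultdict(set)
    for station, goid in silent:
        silent_by_station[station].add(goid)
    return sorted(s for s, goids in population.items() if goids <= silent_by_station[s])

if __name__ == "__main__":
    silent = find_silent_publishers(SAMPLE_EVENTS, now_ms=10000)
    for (station, goid), gap in sorted(silent.items()):
        print(f"{station}/{goid}: no GOOSE for {gap} ms")
    print("whole-station stalls:", substation_wide_stalls(silent, known_publishers(SAMPLE_EVENTS)))
```

Run against live traffic, the alert would fire on SUB-A as a whole station while SUB-B still has one healthy publisher, which is the kind of signal an operator needs before several hundred relays have to be cut out and rebooted.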

What other types of catastrophic situations are as yet undiscovered that good guys can tumble into or bad guys use?

Joe Weiss
