Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Industrial Control Systems (ICS) operators and experts received another wake-up call last week, when Siemens, the world-class producer of power plants, announced under the title SSA-451445 a series of vulnerabilities in its top-tier Distributed Control System (DCS), type SPPA-T3000, which is deployed worldwide for controlling a wide range of fossil and renewable power plants.
According to other publications referring to this topic, the detected vulnerabilities were rated critical because they might cause an operation outage through an internal denial-of-service (DoS) type condition or an arbitrary code exploitation on the DCS server.
We also learned that the vendor of this DCS had already started receiving information on these vulnerabilities in late 2018. The questions that power plant operators who have these DCS in their facility should ask are: a) what is the impact of these vulnerabilities? b) what is the probability of occurrence? c) why was this information not published earlier? and finally d) what can be done to minimize the potential risk in their facility?
This article outlines some practical action items and tips which utilities can consider, to minimize the exposure to the risky situation described by the disclosed vulnerabilities.
What is the level of risk?
According to published information, exploitation of these vulnerabilities requires access to the internal DCS networks. Experts are well aware that IT-type segments are not normally exposed to external access, but in light of these publications there are a few more questions which they should review:
- Is the DCS in their power plant absolutely isolated from outside access or, due to the requirement to perform continuous data transfer to the IT zone of their facility, do they allow such connection?
- Is their DCS strongly protected from physical access, which might allow an attacker to insert a USB device with precisely designed malware directly into the critical network of the DCS?
- When did they perform the latest cyber security assessment to verify that there are no “backdoor”-type connections, which an attacker could already have detected and may use for deploying an attack?
Why be worried?
Indeed, there are good reasons to worry, because exploiting these vulnerabilities could shut down the power plant and reduce the available supply capacity in the served region. Furthermore, it is important to explain that prior to these publications, attackers were not aware of these attack vectors and therefore, knowing that DCS operation is always well protected, they did not try attacking them.
The time period between the publication of a critical vulnerability and the deployment of the correction software is considered a high-risk period. In this specific case, the situation is even worse because the announcement mentioned above covers tens of vulnerabilities. Some of these are easy to exploit, while others may require a high level of expertise and the development of specific tools for deploying the attack.
It is also important to take into consideration that power plants operate 24/7/365 in order to supply the demand, and it is not possible to shut them down. This is especially critical during winter or summertime, when the demand for heating and air-conditioning is high. The situation can be even worse if a utility is heavily reliant on several power plants which use this specific DCS.
How can the risks be mitigated?
Typical risk mitigations are described in the user manuals of each vendor, and therefore ICS cyber security experts assigned to this task should review and study these recommendations. Listed here are ten obvious tips which operators may consider:
- Strong physical security is always a critical precondition for deployment of cyber security. Therefore, consider restricting unnecessary access to the DCS network and the associated components.
- Verify that all external components and computers which obtain information from the DCS are connected through a unidirectional diode or through a Demilitarized Zone (DMZ).
- Perform a physical inspection by experts who know the system and verify that there is no temporary bypassing of defense components and that the internal DCS network is not accessible from outside.
- Prioritize actions which might negatively affect the safety of employees working on site. If you detect a vulnerability, take immediate action to minimize its exploitation and prevent risk to people.
- If you have already received update codes for the DCS from the vendor which were not deployed, schedule the update process as soon as possible. This action may also mitigate the risk.
- Review all recent cyber security-related information received from the vendor and act accordingly. Some of these recommendations may further reduce the level of exposure to attacks.
- Review existing Virtual Private Network (VPN) type connections to external service providers or expert centers and strengthen the cyber defense with simple-to-deploy complementary measures.
- Postpone planned expansions which may require adding external Industrial Internet of Things (IIoT) type components, which might expand the attack surface on the power plant.
- Review the available policies and procedures for power plant operators and all technical personnel working on site and make sure they act accordingly.
- Conduct power plant-related training and drills for the operators and technical personnel so that they are able to detect anomalous conditions and react quickly and effectively.
Summary and conclusions
We all know that ICS serving power plants and other industry segments were always designed with operation safety and reliability in mind and, until a decade ago, cyber security was not defined as a mandatory requirement. Since then, industry experts and C-level executives have received several “wake-up” calls, and demands to comply with new regulations such as NERC-CIP, IEC 62443, NIST 800-82, etc.
Deployment of enhanced cyber security measures for electric power-related ICS, such as Energy Management Systems (EMS), Distribution Management Systems (DMS) and the DCS which control the production facility, is highly important. These measures represent just a small part of the overall operating and maintenance costs for power utilities and therefore more than justify the management attention. Starting with that process as soon as possible will position your utility a step ahead of attackers.
About Daniel Ehrenreich
Daniel Ehrenreich, BSc., is a consultant and lecturer acting at Secure Communications and Control Experts, and periodically teaches in colleges and presents at industry conferences on integration of cyber defense with industrial control systems. Daniel has over 27 years’ engineering experience with ICS and OT systems for electricity, water, gas and power plants as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman for the 5th ICS Cybersec 2020 conference in Israel and the 3rd Asia ICS Cyber Security conference taking place in Singapore on 05-2020.