Utilities Need an in-House Cyber Range for ICS
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Upgrading the cyber security of Industrial Control Systems (ICS) serving electricity, water and other utilities is no longer a question of whether it is needed, but rather of when it shall be acquired and how it shall be used.
Cyber security experts agree that enhanced defense is achieved by combining the three PPT factors: People, Policies/Procedures and Technology.
Knowing these facts, you realize that completely outsourcing cyber security related tasks is not effective. In order to achieve the target goals outlined in a variety of regulations and standards such as NIST 800-82, NERC-CIP, ISO 27001:2013 and IEC 62443, you must develop these capabilities in house and outsource only the mentors and trainers.
Having such a cyber range, which imitates your real ICS, will help you with critical tasks such as:
a) Training your team on operating an ICS.
b) Effective practicing of ICS related cyber-attacks.
c) Testing software programs prior to deployment, etc.
Boosting ICS Cyber security
The cyber security goals set by regulators can be achieved by combining the three PPT factors: People, Policies/Procedures and Technology. Looking at the triangle-shaped diagram, you will instantly notice that the “People” factor is at the top of the triangle. The justifiable reason is that the majority of “successful” cyber-attacks were possible due to people’s negligence, lack of training, mistaken actions, the creation of “temporary” exceptions that allow bypassing the cyber security defenses, etc.
It is important to mention that while the prime role of IT personnel is to focus on protecting the Confidentiality, Integrity and Availability (CIA) of their business data, the role of ICS personnel is to focus on operational Safety, Reliability and Productivity (SRP).
Therefore, in order to avoid jeopardizing the SRP goals, engineers in charge of ICS cyber security must be trained using a cyber range that is similar to their real system.
Building an in-house cyber range is of course a costly project, and the cost depends on how closely its architecture resembles your operational ICS and on how many remote sites are included.
Cyber Range Architecture
Once you consider this project, the next question concerns the content and the size of the architecture. When dealing with these tasks for your project, you will face a few complex and costly decisions:
a) The architecture of the cyber range shall represent your operation as closely as possible.
b) The types of PLCs/RTUs/IEDs shall be identical to those deployed in your system.
c) The internal ICS communication shall be similar to the type your system utilizes.
d) The communication and defense solutions (routers, switches, firewalls) shall be the same.
e) The master control center type, the HMI screens, alarm indications, etc. shall be similar.
f) The control architecture shall be based on a similar platform: powerful PC, server, etc.
g) The installation, whether based on Windows, Linux or a virtual server, shall be the same.
h) Communication protocols, type of encryption and authentication process shall be the same.
i) Remote access by authorized users shall be protected in the same way as in your ICS.
j) … more
Defining the Cyber Range Architecture
The cyber range shall be built completely isolated from your ICS: you must take into consideration that cyber-attack exercises may create unexpected malfunctions, which might spread laterally to the ICS if these systems are “somehow” linked to the same network (even if isolated through a firewall!!).
Such test attacks can be generated by inserting a USB device carrying malware or through a secured connection to an Ethernet network that represents the business network of your organization.
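To turn the isolation requirement into something you can check after every exercise rather than assume, here is an added example (not code from the article or its author) that audits a firewall rule set and host routing entries for any allowed path between the cyber range subnet and the production ICS subnets. All addresses, hostnames and the rule/route record format are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumption, not taken from the article).
CYBER_RANGE_NET = ipaddress.ip_network("10.99.0.0/16")
PRODUCTION_ICS_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),     # plant / substation LAN
    ipaddress.ip_network("192.168.50.0/24"),  # SCADA control center LAN
]

# Constructed firewall rule set. Rule 2 is the kind of "temporary" opening the
# article warns about: Modbus/TCP from a range host to one production PLC.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "10.99.0.0/16", "dst": "10.99.0.0/16", "port": "any"},
    {"id": 2, "action": "allow", "src": "10.99.5.0/24", "dst": "10.10.20.7/32", "port": "502"},
    {"id": 3, "action": "deny", "src": "any", "dst": "any", "port": "any"},
]

# Constructed routing entries exported from a host inside the range.
SAMPLE_ROUTES = [
    {"host": "range-hmi-01", "dst": "10.99.0.0/16", "via": "10.99.0.1"},
    {"host": "range-hmi-01", "dst": "192.168.50.0/24", "via": "10.99.0.1"},  # reaches production
]


def _net(text):
    # 'any' in a rule means the whole IPv4 space; everything else is a CIDR.
    return ipaddress.ip_network("0.0.0.0/0") if text == "any" else ipaddress.ip_network(text, strict=False)


def find_isolation_violations(rules, routes, range_net, prod_nets):
    """Return one finding per allow-rule or route that links the range to production.
    Rule order is ignored on purpose: an allow is flagged even if a deny would shadow it."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = _net(rule["src"]), _net(rule["dst"])
        for prod in prod_nets:
            range_to_prod = src.overlaps(range_net) and dst.overlaps(prod)
            prod_to_range = src.overlaps(prod) and dst.overlaps(range_net)
            if range_to_prod or prod_to_range:
                findings.append(f"rule {rule['id']}: allows range<->production traffic "
                                f"({rule['src']} -> {rule['dst']}, port {rule['port']})")
                break  # one finding per rule is enough
    for route in routes:
        for prod in prod_nets:
            if _net(route["dst"]).overlaps(prod):
                findings.append(f"route on {route['host']}: {route['dst']} via {route['via']} "
                                "reaches a production network")
                break
    return findings
```

Running `find_isolation_violations(SAMPLE_RULES, SAMPLE_ROUTES, CYBER_RANGE_NET, PRODUCTION_ICS_NETS)` on the constructed data reports rule 2 and the second route; an empty list is the only acceptable result before an exercise starts.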
The next decision topic concerns the number of RTUs/PLCs/IEDs that are meant to represent a specific local control or remotely activated site. Some of these devices may use physical (wired), wireless, cellular, license-free, analog radio or other communication.
You may also add a few CCTV cameras, which record the behavior at specific sites linked to the cyber range. In order to make the system “look and feel” like a real one, you may develop a nicely crafted demo resembling a power turbine, industrial pump, water reservoir, water well, transformer station, etc.
Maintaining the Cyber Range
As already mentioned, this cyber range may serve a couple of purposes:
a) Training of new ICS operators.
b) Testing software updates and application patches prior to installation.
c) Conducting proofs of concept (PoC) for proposed modifications.
d) Penetration testing to detect security vulnerabilities (naturally, you never do that on a real system).
e) Testing the operational behavior in response to a cyber-attack launched on your ICS, etc.
I’ll reluctantly mention the 6th benefit, which is often not considered. Your team may urgently need a spare part for the ICS that is out of stock, and they will not hesitate to pull it out of the cyber range. This action may be the only possible choice they have to restore operation, and it is acceptable as long as they replace the missing part as quickly as possible.
Similarly to what you do for the real ICS, you must maintain a reliable and complete software image (backup), so that no matter what happens you can restore the “healthy” and stable configuration.
If you use the cyber range for all the purposes mentioned above, you will have to do that quite often.
Summary of Benefits
Sounds attractive? Absolutely yes. These 5 (+1) important benefits will help you boost your confidence in the real ICS, gain a higher level of in-house expertise, shorten the repair of critical failures and more. But if you do not act enthusiastically to obtain management commitment for this project, then when an attack comes you will not be able to claim that cyber defense measures were not available. The topics and benefits outlined in this paper may put you one step ahead of the cyber attackers, allow you to respond faster and more effectively in case of a real attack, and help prevent, or at least minimize, the damage caused by such an event.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years of engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of ICS Cybersec 2018, taking place on 11-10-2018 in Israel.