Stronger Cyber Defense for Power Plants Is Needed
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Power plant operators are well aware of IT cyber risks and defenses, and in recent years they have also been investing in cyber security for their Operational Technology (OT) systems. The reasons for this trend are recent cyber-attacks on power utilities, new regulations, and requirements for increased productivity achieved by integrating the OT system into the company-wide IT network. Such requirements usually come from management (often not sufficiently aware of cyber risks), which wants to receive periodic updates on production, materials, operating costs, outages, etc. While these directives sound legitimate, the question is not whether the Chief Information Security Officer (CISO) shall comply with them, but which technologies shall be deployed to allow such a connection.
Cyber security experts will tell you that there is no single technology which provides absolute defense (“no silver bullet”); a reasonable level of protection can be achieved by the use of layered defense involving PPT (people, policies, technology) measures. The purpose of this paper is to list some typical scenarios and offer solutions which minimize the risk.
Cyber Attack Risks
When speaking about enhanced cyber defense for power plants, we must refer to several power-generation technologies, such as gas and steam turbines, combined cycle power plants (CCPP), solar photovoltaic or solar steam plants, wind farms, etc. The reason for referring to these technologies separately is that each type of power plant uses a different type of ICS architecture, and this affects the cyber-attack risk.
While some low-power plants (under 10 MW) may operate with a simple Industrial Control System (ICS) architecture, the more complex CCPP will require a Distributed Control System (DCS). Naturally, the more complex ICS architectures are characterized by a larger attack surface, meaning that an attacker may access the plant by penetrating through a larger number of Industrial Internet of Things (IIoT) devices.
Let’s review a few examples (a partial list) which may lead to an “internally generated” vulnerability:
a) A service provider is allowed to monitor the operational health of the electric generator. As a precondition for a long-term warranty, they require real-time data from Intelligent Electronic Devices (IEDs).
b) The solar plant is connected to the national power grid operator’s Energy Management System (EMS) in order to measure the produced energy in real time, according to solar-radiation conditions.
c) Complex CCPPs must be connected to an expert center operated by the gas turbine vendor. This is necessary in order for high-level experts to instantly (24/7/365) detect and correct problems.
d) A solar plant or wind farm operator has a supply agreement with the national power grid. For this purpose, the solar plant shall transfer billing data, which requires daily/weekly/monthly data transfers.
e) Your purchasing department has a “just-in-time delivery” agreement with a provider of liquid gas. This requires the vendor to monitor the level of gas in the tank and predict when the refill shall take place.
f) The power plant conducts an accurate process for timely scheduling and performing maintenance of its steam turbine. This requires information on the operating conditions and service hours.
g) An engineer of the service provider uses his own laptop PC (brought on site) for testing and updating the control system software with corrective patches and cyber security programs.
h) For an “air-gapped” facility, the update files are brought in on digital media (CD, USB, etc.). That media may be intentionally replaced or manipulated in order to include attacking malware.
Analyzing the Vulnerability
When reviewing the above-mentioned scenarios, you may easily understand the consequences of requirements originally aimed at increasing your plant’s productivity. Careful analysis leads to the conclusion that these flaws can be prevented by the deployment of compensating cyber security measures.
Prior to starting this process, it is important to evaluate whether each required function indeed delivers the expected benefits, and whether those benefits are “so important” that they justify the vulnerability each one generates. When analyzing the described vulnerabilities, you may realize the following:
- Cases a) to d) point to a vulnerability created by providing remote access to the facility.
- Cases e) and f) point to a vulnerability created by connecting the IT and OT networks.
- Cases g) and h) point to a vulnerability created by unsecured access to the OT system.
For the purpose of this paper, let’s assume that all the functions listed above were evaluated and found very important for the organization. Therefore, the CISO was instructed by management to evaluate the true risk created by each vulnerability and propose a solution aimed at mitigating that risk.
- Case a) requires remote data retrieval but does not require remote intervention. Therefore, the risk can be mitigated by the use of a unidirectional diode allowing only outbound traffic.
- Case b) requires the transfer of data related to produced energy. It can be done by connecting the analog output of the local Remote Terminal Unit (RTU) to another RTU which calculates the energy level.
- Case c) requires a connection to an expert center, which in most cases requires remote intervention. You may consider an ICS-aware firewall and allow such a connection only for a very short time.
- Case d) requires the transfer of billing information. This can be resolved by the use of a unidirectional diode or by delivering the data from an onsite computer which resides in the Demilitarized Zone (DMZ).
- Cases e) and f) require a constant connection between the OT and IT zones. Again, the data transfer can be done through a unidirectional diode or through a DMZ, similarly to the example above.
- Case g) requires a laptop PC for servicing the onsite ICS. For this purpose, it is recommended to purchase a dedicated PC which never leaves the plant and is used locally by the service engineer.
- Case h) requires the transfer of authorized data into the plant. For ordinary data files, one may consider the “data sanitizing” method through a Content Disarm and Reconstruct (CDR) process. However, these solutions do not support most ICS protocols and might even damage the file. Therefore, as an alternative, you must consider strong physical security when transferring files to the OT network.
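The mitigation for case c) (an ICS-aware firewall that permits the expert center’s connection only for a very short time) is easier to reason about when the decision logic is written out. The following is an added example, not code from the author or from any firewall product: it models the policy in software by parsing the Modbus/TCP header, enforcing the direction of the connection, passing read-only function codes at any time and passing write function codes only inside an approved service window. The zone names, the service window, the time stamps and the sample frames are all constructed for the example; real deployments rely on dedicated hardware (the unidirectional diode of cases a) and d) is not modeled here), and this script only illustrates how such a filter reaches its allow/deny decision.

```python
"""Added example: decision logic of a time-boxed, ICS-aware Modbus/TCP filter.
Not the article's code; zones, window and frames below are constructed."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Modbus public function codes grouped by effect (policy table for this example)
READ_ONLY_CODES = {1, 2, 3, 4}          # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16, 22, 23}    # single/multiple writes, mask write, read/write


@dataclass
class ServiceWindow:
    """Approved interval in which remote intervention (writes) is tolerated."""
    start: datetime
    end: datetime

    def contains(self, when: datetime) -> bool:
        return self.start <= when <= self.end


def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP frame: 7-byte MBAP header, then the PDU (function code first)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "pdu": frame[7:]}


def decide(frame: bytes, src_zone: str, dst_zone: str, now: datetime,
           window: Optional[ServiceWindow]) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one request frame crossing the filter."""
    try:
        msg = parse_mbap(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"       # fail closed on anything unparsable
    fc = msg["function"]
    # Only the expert center may initiate requests toward the OT zone.
    if not (src_zone == "expert_center" and dst_zone == "ot"):
        return "deny", f"direction {src_zone}->{dst_zone} not permitted"
    if fc in READ_ONLY_CODES:
        return "allow", f"read-only function {fc}"
    if fc in WRITE_CODES:
        if window is not None and window.contains(now):
            return "allow", f"write function {fc} inside approved service window"
        return "deny", f"write function {fc} outside approved service window"
    return "deny", f"function code {fc} not on allow-list"


def modbus_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a well-formed Modbus/TCP frame around a PDU (used for sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic and a constructed 30-minute service window
READ_HOLDING = modbus_frame(1, 1, b"\x03\x00\x00\x00\x0a")   # FC 3: read 10 holding registers
WRITE_SINGLE = modbus_frame(2, 1, b"\x06\x00\x01\x00\x2a")   # FC 6: write register 1 := 42
GARBLED = b"\x00\x01\x00\x00\x00\x10\x01\x06"                # length field claims 16 bytes
T0 = datetime(2018, 10, 11, 9, 0)
WINDOW = ServiceWindow(T0, T0 + timedelta(minutes=30))
BEFORE_WINDOW = T0 - timedelta(hours=2)
IN_WINDOW = T0 + timedelta(minutes=5)


def run_demo() -> list:
    """Evaluate the sample cases and return the list of verdicts."""
    cases = [
        (READ_HOLDING, "expert_center", "ot", BEFORE_WINDOW, WINDOW),
        (WRITE_SINGLE, "expert_center", "ot", BEFORE_WINDOW, WINDOW),
        (WRITE_SINGLE, "expert_center", "ot", IN_WINDOW, WINDOW),
        (WRITE_SINGLE, "ot", "expert_center", IN_WINDOW, WINDOW),
        (GARBLED, "expert_center", "ot", IN_WINDOW, WINDOW),
    ]
    verdicts = []
    for frame, src, dst, now, win in cases:
        verdict, reason = decide(frame, src, dst, now, win)
        verdicts.append(verdict)
        print(f"{src:>13} -> {dst:<13} {verdict:5} {reason}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The filter fails closed: a frame whose MBAP length field disagrees with its real size is dropped before any function code is examined, and a write request is denied unless an operator has explicitly opened a window for it. Logging the reason string alongside each verdict gives the SOC the evidence needed to review what the expert center actually did during the window.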
Summary and Conclusions
Deployment of enhanced cyber security for OT, and especially for power plants, is highly important. These measures represent just a small part of the overall operating and maintenance costs, and therefore it is important to select a certified solution which fits each case. The use of compensating cyber defense technologies helps to comply with Safety-Reliability-Productivity (SRP) requirements and therefore more than justifies the investment.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years’ engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman for ICS Cybersec 2018, taking place on 11-10-2018 in Israel.