
-SPONSORED CONTENT-
By Dieter Vogel, Marketing Communications Manager, OMICRON electronics GmbH
Critical components of the energy supply infrastructure are increasingly becoming the target of cyber attacks. Manipulated components and deactivated protection functions can have serious consequences for grid operation and vital assets.
Every substation offers potential gateways for cyber attacks, including the test sets used, especially if they are connected to the station network. Explicit barriers in the hardware and software, as well as software development and production processes geared towards cybersecurity, prevent test sets from becoming a weak link in the security chain.
Vulnerabilities open to exploitation
OT security experts from OMICRON analysed over 7,000 vulnerabilities in critical infrastructure protection and control devices (source: www.omicroncybersecurity.com) and their work revealed that numerous security risks exist, which are often exacerbated by functional problems in the substations. These include outdated firmware versions, configuration problems with system components, and undocumented external connections to protection devices and switches.
If attackers gain access to a piece of critical infrastructure, these vulnerabilities can be exploited by immediately sending protection trip commands or manipulating protection devices, for example. As work by the Ponemon Institute has shown, every single cyber attack carried out on the power grid was instigated via a known vulnerability (Source: “Cost of a Data Breach” study, Ponemon Institute, 2018).

Substation attack vectors
There are numerous entry points into the substation (Figure 1), one of which is unauthorised access to OT networks. “Hackers are now familiar with station networks that communicate using special protocols such as IEC 61850 or IEC 101/104. This was demonstrated by ‘CrashOverride’ in Ukraine in 2016,” says Christopher Pritchard, Head of Product Management at OMICRON. Maintenance computers infected with malware which are used to parameterise protection devices also pose a risk, as do station computers connected to the network and the protection testing solutions used.
A roaming risk
“The security risks presented by the protection test systems used are not to be underestimated, especially if they have a communication interface,” explains Christopher Pritchard. If, for example, inadequate protective measures allow malware to be executed on a service provider’s device, the malicious code can be transported with the device from one substation to the next like a Trojan horse.
Cybersecurity by design
Comprehensive protection is afforded by an ISO/IEC 11889-compliant “trusted platform module” (TPM2.0)—a special cryptoprocessor on which various keys and certificates are securely stored (Figure 2). This ensures the reliable encryption of communication during device operation and firmware upgrades, which in turn reduces the risk of sensitive information being disclosed.
In addition, the test set can be uniquely identified by the test software using a digital product certificate stored on the TPM chip, which prevents attackers from impersonating one of the two communication partners (“man-in-the-middle” or “spoofing” attack). Password-protected communication provides extra security against unauthorised use of the test set.
With the TPM2.0 module, the test set can also be protected against manipulated firmware (“firmware tampering”). Like the firmware itself, the firmware upgrade files are encrypted and signed to ensure their authenticity and integrity. During the boot process, the signatures of the boot loader and operating system are verified first (“Secure Boot”). Each step in the boot process is then checked by measuring so-called “hash” values (“Measured Boot”). If the signature check or hash check fails, the device will not boot, effectively preventing malicious code from being executed on the test set and malicious software from entering the network of the critical infrastructure.
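The following is an added example, not OMICRON’s code and not the firmware of any real test set. It models the boot chain described above: each stage image (boot loader, then operating system) must pass a signature check (“Secure Boot”), and each stage is then hashed into a TPM-style register using the standard extend rule PCR_new = SHA-256(PCR_old || SHA-256(image)) (“Measured Boot”); if either check fails, the device refuses to boot. Assumptions: the images and the vendor key are constructed byte strings, and an HMAC-SHA256 tag stands in for the asymmetric firmware signature that a real TPM 2.0 device would verify against a stored certificate.

```python
"""Added example (not OMICRON's code): toy model of Secure Boot plus Measured Boot.

Assumptions: images and the vendor key are constructed here; an HMAC-SHA256 tag
is a stand-in for the asymmetric signature a real device would verify; the PCR
follows the TPM extend rule PCR_new = SHA256(PCR_old || SHA256(image)).
"""
import hashlib
import hmac

# Constructed stand-in for the vendor's firmware signing key (hypothetical).
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(image: bytes) -> bytes:
    """Stand-in for the vendor signing a firmware image before release."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def verify_signature(image: bytes, signature: bytes) -> bool:
    """Secure Boot step: constant-time check of the image signature."""
    return hmac.compare_digest(sign(image), signature)


def measure(image: bytes) -> bytes:
    """Measurement of a stage is simply its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """Measured Boot step: TPM-style extend of a platform configuration register."""
    return hashlib.sha256(pcr + measurement).digest()


def expected_pcr_for(stages):
    """Reference PCR value the device is provisioned with for a known-good chain."""
    pcr = bytes(32)  # PCRs are all zeros after reset
    for _, image, _ in stages:
        pcr = pcr_extend(pcr, measure(image))
    return pcr


def boot(stages, expected_pcr):
    """stages: list of (name, image, signature) in boot order.

    Returns (booted, reason). Any failed signature or a final PCR that does not
    match the provisioned value aborts the boot.
    """
    pcr = bytes(32)
    for name, image, signature in stages:
        if not verify_signature(image, signature):
            return False, f"signature check failed at {name}"
        pcr = pcr_extend(pcr, measure(image))
    if not hmac.compare_digest(pcr, expected_pcr):
        return False, "measured boot: final PCR does not match expected value"
    return True, "boot ok"


# Constructed known-good images.
BOOTLOADER = b"bootloader v1.0 (constructed)"
OS_IMAGE = b"operating system v2.3 (constructed)"


def golden_stages():
    return [("bootloader", BOOTLOADER, sign(BOOTLOADER)),
            ("os", OS_IMAGE, sign(OS_IMAGE))]


def scenario_clean():
    """Untouched images: both checks pass."""
    return boot(golden_stages(), expected_pcr_for(golden_stages()))


def scenario_tampered_os():
    """OS image modified without access to the signing key: Secure Boot rejects it."""
    stages = golden_stages()
    name, image, sig = stages[1]
    stages[1] = (name, image + b"\x00tampered", sig)
    return boot(stages, expected_pcr_for(golden_stages()))


def scenario_wrong_but_signed_os():
    """A validly signed but different OS image (e.g. an older release): the
    signature passes, but Measured Boot catches the mismatch against the
    provisioned PCR value."""
    other = b"operating system v1.9 (constructed)"
    stages = golden_stages()
    stages[1] = ("os", other, sign(other))
    return boot(stages, expected_pcr_for(golden_stages()))


if __name__ == "__main__":
    for s in (scenario_clean, scenario_tampered_os, scenario_wrong_but_signed_os):
        print(s.__name__, *s())
```

The third scenario is why the article lists both mechanisms: a signature check alone accepts any image the vendor ever signed, whereas comparing the final measurement register against a provisioned value ties the device to one specific, expected chain.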

Protected from the outset
Nevertheless, operators are not automatically protected in the long term just because they have a secure testing solution. “Cybersecurity is a continuous process,” says Christopher Pritchard. A cyber-secure software development process employs a range of measures to ensure secure implementation of the software right from the development phase of the device. Handling and disclosing vulnerabilities transparently also ensures that protective measures can be implemented right away if risks are identified at a later stage.
Following development, the production chain also needs to be hardened against cyber threats. One example would be to protect keys for signing firmware or generating certificates with a hardware security module so that they cannot be stolen by employees. These measures ensure the greatest possible level of cybersecurity over the entire life cycle of the test set.
Hardened solutions for secure substations
Critical infrastructure operators need to be more aware than ever of the potential vulnerabilities of their systems and the risks posed by cyber attacks, because cybersecurity starts with selecting the right system suppliers. Substation operators should critically scrutinise the specific protective measures implemented in the testing solutions of their installation, as well as how the underlying processes are hardened. Only in this way is it possible to ensure secure substation operation right from the outset.
For more information, contact OMICRON.