Electric Utilities: Securing the Perimeter

From the Editors of CIOSC

The Comment Period for Draft 4 of the NERC CIP Standards recently expired. Under a revised implementation plan, this suite of Cyber Security Standards (formally known as CIP-002 through CIP-009) will go into effect June 1, 2006. In this article we look at one of these standards, CIP-005, in some detail, and then recommend some best practices for perimeter security. We'll also discuss the need for securing Supervisory Control and Data Acquisition (SCADA) networks utilizing the Inter-control Center Communications Protocol (ICCP) protocol.

The requirements for CIP-005

CIP-005 "requires the identification and protection of the electronic security perimeter inside which all critical cyber assets reside, as well as all access points on the perimeter." The standard contains six requirements:

• R1. Electronic Security Perimeter Responsible entities must identify the electronic security perimeter and identify access points to it. The electronic perimeter must be inside the physical perimeter, and all cyber assets inside the perimeter are to be protected. Cyber assets that control/monitor the perimeter are to be defined as Critical Assets. A special case is made for dial-up access using non-routable protocols.
• R2. Electronic Access Controls Responsible entities must ensure that only necessary ports and services are enabled. They must secure dial-up access. And they must identify access controls and authentication methods.
• R3. Monitoring Electronic Access Controls For dial-up-accessible Critical Assets that use non-routable protocols, responsible entities must implement and document monitoring processes at each access point to the dial-up device (where technically feasible). They are also responsible for detecting unauthorized access attempts. In addition, they are responsible for 24x7 monitoring and periodic review of access logs.
• R4. Cyber Vulnerability Assessment Responsible entities must produce a document identifying the vulnerability assessment process, and conduct a review to verify that only ports and services required for operations at these access points are enabled. They are also responsible for the discovery of all access points to the perimeter; a review of the controls for default accounts, passwords, and network management community strings; and the documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities, and the status of the action plan.
• R5. Documentation Review and Maintenance Responsible entities must ensure that all documentation reflects current configurations and processes that it is reviewed at least annually.

As CIP-002 through CIP-009 in their entirety make clear, until utility companies can ensure that all internal systems and networks are "hardened," perimeter security will be a critical first layer of defense.

Best practices

To meet these needs, effective practices should include the following at the network gateway:

• In light of the limited IT resources in some distributed control system (DCS) environments, the purchase of an integrated solution that combines firewall, intrusion detection, and antivirus technologies in a comprehensive gateway solution is recommended. Purchasing separate firewall, intrusion detection, and antivirus technologies from different vendors can be costly to purchase, deploy, and update.
• The firewall solution that is deployed should include both "stateful" inspection and full application inspection -- in other words, a "hybrid" firewall. It should be noted here that some companies assume a firewall alone provides sufficient gateway security. But according to the recent FBI/CSI report, one-third of all cyber attacks penetrate firewalls. Moreover, according to a recent Internet Security Threat Report, 54% of all attacks in the first six months of 2005 were so-called "blended threats," which are not addressed by firewalls.
• Due to the multiple protocols used in the DCS environment, the intrusion detection device that is deployed should use both anomaly-based and signature-based protection.
• The antivirus solution that is deployed should scan for at least 60,000 viruses and provide proactive protection via both signature-based and heuristics-based scanning. The antivirus solution is best deployed at the gateway, to minimize performance impact and facilitate updates. A solution that has received a high Evaluation Assurance Level (EAL), such as EAL level 4 or higher, is recommended.

Securing ICCP connections

It is also essential that electric utility companies proactively detect and prevent malicious attacks against their SCADA networks utilizing the ICCP protocol. ICCP is the primary protocol used to communicate real-time data, schedule, and control command exchanges between the energy control centers that operate these SCADA networks and remote terminal units (RTUs) and substations. While it has been developed with built-in security, in today's interconnected environment additional security measures are critical for enabling uninterrupted operations for transmission, generation, and independent service operators.

ICCP security signatures are available for appliances offering real time intrusion prevention (IPS) and detection to proactively protect critical enterprise assets. These signatures were developed to address not just known attacks, but also for protection against new and unknown exploits.
 
The signatures were lab tested by leading ICCP provider SISCO for three months, using live ICCP traffic, and produced no false positives. This testing also included a known attack procedure, which had previously resulted in crashed systems, and the signatures correctly "triggered" against this known attack.
 
The bottom line is that the ICCP protocol is one of most critical areas that must be addressed in terms of cyber security.

Conclusion

As part of their effort to meet pending NERC CIP compliance requirements, and to mitigate the risk of potential service disruptions, electric utility companies would do well to follow the perimeter security best practices outlined in this article.
 
These best practices recognize that there are many areas to cover, and there is no silver bullet. Indeed, it's an ongoing process. These best practices also require genuine (and perhaps unprecedented) collaboration between engineering, operations, and IT. Ultimately, they are designed to help electric utility companies find a balance between optimal NERC CIP compliance and profitable, cost-effective operations.