
Asymmetric solutions. ICS Information Security in Energy

Energy is itself a critical infrastructure, and every other infrastructure that is critical in one way or another today depends on it directly. To stop the trains it is not necessary to tear up the tracks or blow up bridges; it is enough to de-energize several traction substations, or not even to go that far, but simply to affect a number of power-quality parameters. Moreover, the latter option is very hard to diagnose with the means that transport operators use today.
With the arrival of market relations, new technologies came to the energy sector. An extremely conservative industry has been in a stage of serious transformation for the last 10 years. Modern substations built on the latest generation of microprocessor protections (by Western standards) operate alongside substations using power transformers manufactured in the 1930s, brought from occupied Germany in 1945, with relay protection from the 1960s. By various estimates, 60 to 80 percent of the equipment needs replacement or modernization. Let us imagine that such a modernization has been carried out: everything is set up and working, the dispatcher takes full advantage of the newly available possibilities, automation reduces operating costs, the number of outages falls sharply. That is one side of the coin. The other is that the new equipment requires qualified service, provides observability over public networks, and works using international standards. We will in fact find ourselves (in some cases have already found ourselves) completely open and unprotected in terms of information security. Around the world an entire industry, "Information Security of Critical Infrastructures", is actively forming: articles are written, conferences are held, training simulators are released, the market is flooded with products positioning themselves in this field. Let us try to analyze this situation from different points of view and build our own security strategy.

The state. Officials in any civilized country are well aware of the danger of man-made problems, primarily from the point of view of "social explosions", although financial, defense and political risks are also very important. The truth is that the threat of an attack on infrastructure is so global that an erroneous opinion often forms that here we are properly protected: there is accountability, there are responsible officials, and so on.
Corporations and business. We invest in improving the efficiency of business processes. The money invested should bring economic benefits. A calculation of losses from potential attacks on infrastructure is very interesting, but it is only a calculation. In real life the likelihood of such a scenario is not zero, but try to convince me that it concerns our company.
Technologists. The list of tasks and priorities is formulated clearly. Yes, there are many factors around that can potentially influence the solution of our problems, but they are secondary; nobody has changed the priorities, and understanding a new area takes time and resources.
Large technology vendors. We guarantee the performance of our systems "turnkey", with an appropriate level of operation. To provide it, we need remote channels for diagnosing the installed equipment by a specific narrow specialist, who may be geographically located in Italy, Australia or the USA. We deal with information security issues; we are ready to provide traffic encryption using a super-algorithm that cannot be decrypted (unless the key is already known). We develop (or buy ready-made solutions on the market) a firewall-class device providing traffic control by logical rules, but only in informational mode, that is, we are not ready to take responsibility for making a decision.
Specialists and developers of information security solutions. A new direction: we have figured out the banks, so why not apply their experience and best practices to another industry? Security is the same everywhere; we will pick up the hardware and just hold on. And then a couple of years of stupor: it turned out that technologists speak their own language, the topic of information security is not as obvious to them as to banks, and there are a lot of incomprehensible devices and protocols. To overcome the barrier, the movement continued in two directions. First, heuristic analysis. Install a device and listen to what is happening for a certain period (from two months to six months), record everything, analyze it and voila, here is the "normal" mode of operation; no technologists are needed, we are ready to work, and now any "outrage" in the network can be compared with the "normal" model and a verdict issued. Funny? Certainly ridiculous: technological control systems are themselves safety tools. They work on events, and the more unusual (the more dangerous) the situation, the more unusual the system's response will be.
The second, more advanced direction: tools for modeling the technological environment, control systems and (ATTENTION) attack scenarios against control systems. Products are put on the market (for example: www.cybati.org, www.skybox.com), so-called hack days are held, and YouTube carries a whole series of videos analyzing the vulnerabilities of technological protocols and the methods of exploiting them. That is, under the guise of developing competencies, information is thrown onto the market which in essence stimulates an endless cycle of identifying vulnerabilities and means of protection against their use.
Schoolchildren and students. Bored, tired of the game; yesterday a friend opened access to some libraries, saying that if you find a control device on the IP network, you can try to turn off the lights in the whole neighborhood. What if it works?..
An interesting picture is taking shape, isn't it? To find a way out, I suggest looking at the situation from a different angle. Most of the standards and technologies come to us from abroad. By entering the technology race we are obviously in the role of the one lagging behind, since by closing one problem we get a new version with a dozen others. Stopping progress, in turn, is also impossible. The way out suggests itself, but, as usual in this area, it is more technological than informational. First of all, clearly divide information flows into bidirectional and unidirectional: not on the principle "we are used to it that way", but strictly on the basis of production necessity and in accordance with the normative and technical documents. Bidirectional flows form the operational control loop; unidirectional flows form the monitoring loop. It is fairly simple to separate the monitoring loop from the operational loop using software and hardware available on the Russian market for the physical separation of networks with support for a wide range of technological protocols (for example: www.onewaynetw.ru). This also covers the task of organizing remote access for service companies and vendors. Even if the service regulations provide for changing configurations or other remote operations at the facility, the problem can be solved through the standard work-request procedure available at any technological enterprise: the equipment is taken out of operation, a full-fledged channel is switched on for a predetermined time, the work is carried out, the channel is switched off, the changes are tested, the equipment is put back into operation. Inconvenient? But, I repeat once again, this is not IT.
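The separation just described can be written down as an explicit policy: monitoring data leaves the plant one way only, nothing enters the operational or monitoring zones from outside unless a work request for that exact piece of equipment is open and the equipment has been taken out of operation, and the operational loop never opens sessions outward. The following Python model is an added illustration, not code from the article or from any of the products it names; the zone names, asset identifiers (RTU-3, PLC-1), the permit data model and the sample flows are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Zone(Enum):
    OT_CONTROL = "ot_control"   # operational control loop: bidirectional traffic lives here
    OT_MONITOR = "ot_monitor"   # measurement/event sources feeding the monitoring loop
    IT_CORP = "it_corp"         # corporate network, reachable from public networks
    VENDOR = "vendor"           # external service company


@dataclass(frozen=True)
class Flow:
    src: Zone
    dst: Zone
    asset: str            # device the flow talks to (constructed identifiers)
    bidirectional: bool   # does the protocol need a return path (acks, writes, sessions)?


@dataclass(frozen=True)
class WorkPermit:
    """Approved remote-service window from the enterprise work-request procedure
    (hypothetical data model for this example)."""
    asset: str
    from_zone: Zone
    start: datetime
    end: datetime
    asset_out_of_service: bool   # equipment must be withdrawn from operation first


OUTSIDE = (Zone.IT_CORP, Zone.VENDOR)
INSIDE = (Zone.OT_CONTROL, Zone.OT_MONITOR)


def evaluate(flow: Flow, now: datetime, permits: list) -> tuple:
    """Return (decision, reason) for one flow at time `now`."""
    # Monitoring loop: data may leave the plant one way only, so a protocol
    # that needs a return path cannot be carried across the one-way link at all.
    if flow.src == Zone.OT_MONITOR and flow.dst in OUTSIDE:
        if flow.bidirectional:
            return ("deny", "monitoring loop is unidirectional; no return path")
        return ("allow", "one-way monitoring export")

    # Anything entering the plant from outside needs a currently valid permit
    # for that exact asset, and the asset must already be out of service.
    if flow.src in OUTSIDE and flow.dst in INSIDE:
        for p in permits:
            if (p.asset == flow.asset and p.from_zone == flow.src
                    and p.asset_out_of_service and p.start <= now < p.end):
                return ("allow", f"remote service window for {p.asset}")
        return ("deny", "no active work permit for this asset")

    # Inside the plant, controllers, RTUs and protection exchange bidirectional
    # traffic freely, and control devices feed the monitoring collectors.
    if flow.src in INSIDE and flow.dst in INSIDE:
        return ("allow", "intra-plant traffic")

    # Everything else (e.g. a controller opening a session to the corporate
    # network) would create a back channel into the control loop.
    return ("deny", "flow not foreseen by the network separation rules")


def run_sample() -> dict:
    """Evaluate a few constructed flows against one constructed permit."""
    permit = WorkPermit("RTU-3", Zone.VENDOR,
                        datetime(2016, 3, 1, 9, 0), datetime(2016, 3, 1, 12, 0),
                        asset_out_of_service=True)
    in_window, after_window = datetime(2016, 3, 1, 10, 0), datetime(2016, 3, 1, 13, 0)
    cases = {
        "telemetry_export":    (Flow(Zone.OT_MONITOR, Zone.IT_CORP, "RTU-3", False), in_window),
        "two_way_export":      (Flow(Zone.OT_MONITOR, Zone.IT_CORP, "RTU-3", True), in_window),
        "vendor_in_window":    (Flow(Zone.VENDOR, Zone.OT_CONTROL, "RTU-3", True), in_window),
        "vendor_after_window": (Flow(Zone.VENDOR, Zone.OT_CONTROL, "RTU-3", True), after_window),
        "vendor_other_asset":  (Flow(Zone.VENDOR, Zone.OT_CONTROL, "RTU-4", True), in_window),
        "controller_to_corp":  (Flow(Zone.OT_CONTROL, Zone.IT_CORP, "PLC-1", True), in_window),
        "controller_to_rtu":   (Flow(Zone.OT_CONTROL, Zone.OT_CONTROL, "RTU-3", True), in_window),
    }
    return {name: evaluate(flow, when, [permit])[0] for name, (flow, when) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(f"{name:22s} {decision}")
```

The point of the model is that the decision never depends on what the traffic looks like, only on which loop it belongs to and whether the work-request procedure has opened a window for it; a permit that names the wrong asset or has expired yields the same denial as no permit at all.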
Operational control loop. This is the most critical segment; the task is to keep it working in accordance with predefined algorithms under any external and internal influences. Several solutions have appeared on the market that analyze the algorithms of protection and control systems for compliance with predetermined rules (for example: www.secmatters.com); let me remind you that technological management is regulated in great detail. But for obvious reasons these systems operate exclusively in "passive" mode. The reason is that the control system is responsible for the functional performance of the technology, while the IT analyzer is responsible only for formal compliance with the rules. The benefit of passive mode is that it catches a whole set of threats and errors, including operational ones, at an early stage. But at the same time it is clear that such a solution will not save us from a deliberate, targeted impact on a facility, when time is measured in tens of milliseconds. One way out in this case may be to use such systems as a kind of automatic transfer switch (ATS): having received information about a mismatch in the equipment of the main control system, switch over to the second (backup) control system, which has also been tested by technologists, is in hot standby, and is normally disconnected from the information network. Then, again, the work-request procedure, analysis of the problems in the main circuit, and so on, but technological reliability is ensured.
Of course the first question will be the cost of such a solution. I am sure that in any case it will be cheaper than taking part in a constant race of defense and attack technologies, and it will deliver results for the next 15-20 years rather than for two or three years, until the next turn of the IT technology cycle.
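The passive analyzer and the transfer to a hot-standby controller described above can be sketched as a small supervisor that watches the stream of protection events and control commands, checks each command against rules taken from the technological regulations, and on the first mismatch switches the active controller to the backup. This is an added Python illustration, not the article's code and not the behaviour of www.secmatters.com or any other product; the three rules (a trip must follow a protection pickup within 200 ms, a setpoint must lie in its approved range, a command must come from the currently active controller), the controller names and the sample events are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed regulation data for the example (hypothetical values).
APPROVED_SETPOINTS = {"TR-1.tap": (1, 19)}   # asset.point -> (low, high)
TRIP_JUSTIFICATION_WINDOW_MS = 200            # a trip must follow a pickup this quickly
MAIN_CONTROLLER = "ctrl-main"
BACKUP_CONTROLLER = "ctrl-backup"             # tested, in hot standby, off the IT network


@dataclass
class Supervisor:
    """Passive rule checker that acts like an automatic transfer switch:
    it never blocks a command, it only records findings and moves the
    'active' role to the backup controller on the first mismatch."""
    active: str = MAIN_CONTROLLER
    last_pickup_ms: dict = field(default_factory=dict)   # asset -> time of last pickup
    findings: list = field(default_factory=list)          # (t_ms, source, problem)

    def check(self, ev: dict):
        """Return a problem description for one event, or None if it is compliant."""
        if ev["kind"] == "pickup":
            # Protection pickups are observations, not commands; remember them.
            self.last_pickup_ms[ev["asset"]] = ev["t_ms"]
            return None
        # Everything below is a control command and must come from the active controller.
        if ev["source"] != self.active:
            return "command from a source other than the active controller"
        if ev["kind"] == "trip":
            last = self.last_pickup_ms.get(ev["asset"])
            if last is None or ev["t_ms"] - last > TRIP_JUSTIFICATION_WINDOW_MS:
                return "trip without a preceding protection pickup"
        elif ev["kind"] == "setpoint":
            limits = APPROVED_SETPOINTS.get(f"{ev['asset']}.{ev['point']}")
            if limits is None:
                return "setpoint for a point with no approved range"
            lo, hi = limits
            if not lo <= ev["value"] <= hi:
                return "setpoint outside the approved range"
        return None

    def process(self, events: list) -> str:
        """Run the whole event stream; return the controller active at the end."""
        for ev in events:
            problem = self.check(ev)
            if problem is None:
                continue
            self.findings.append((ev["t_ms"], ev["source"], problem))
            if self.active == MAIN_CONTROLLER:
                self.active = BACKUP_CONTROLLER   # transfer to hot reserve
        return self.active


# Constructed event stream: one justified trip, one good setpoint, one trip
# with no protection pickup behind it, then a command from the backup.
SAMPLE_EVENTS = [
    {"t_ms": 0,    "kind": "pickup",   "source": "prot-A",      "asset": "CB-12"},
    {"t_ms": 40,   "kind": "trip",     "source": "ctrl-main",   "asset": "CB-12"},
    {"t_ms": 1000, "kind": "setpoint", "source": "ctrl-main",   "asset": "TR-1", "point": "tap", "value": 7},
    {"t_ms": 2000, "kind": "trip",     "source": "ctrl-main",   "asset": "CB-7"},
    {"t_ms": 2100, "kind": "setpoint", "source": "ctrl-backup", "asset": "TR-1", "point": "tap", "value": 8},
]


def run_sample() -> tuple:
    """Return (active controller after the stream, list of findings)."""
    sup = Supervisor()
    active = sup.process(SAMPLE_EVENTS)
    return active, sup.findings


if __name__ == "__main__":
    active, findings = run_sample()
    print("active controller:", active)
    for t, src, problem in findings:
        print(f"  t={t} ms  {src}: {problem}")
```

Note what the supervisor does not do: it does not reach into the protocol to block the unjustified trip, which matches the passive mode the article describes. After the transfer, any further command from the main controller is itself a finding, which is the signal to start the work-request procedure and analyze the main circuit.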
For this to become a reality, several factors need to be provided for:
1. The state should formalize more strictly the requirements for the separation of networks related to critical infrastructure (the analogue is the US NERC standard).
2. Insurance against the risks of cyber attacks should be a condition for attracting debt financing by businesses and corporations (world practice).
3. Technologists need a platform to discuss the development of technological management tools and the information security of critical infrastructures (for example, the SGTech conference).
4. The quality of services provided to consumers should be decisive in setting tariffs for energy resources.
The task is to systematize the work and move from empty disputes and complaints about lack of understanding to the systematic construction of a real threat model and a set of measures (methodological, organizational, technological and informational) to protect critical facilities from deliberate and unintended cyber attacks. Such work will first of all be of interest to technologists themselves, since it will allow them to put the existing solutions in order, identify weak points, and justify the development of modern control systems. Managers will be able to effectively use real tools (for example: www.wck-grc.com) for managing company risks, and banks will receive additional guarantees of investment reliability. The state will solve the social task of improving the quality of services provided to the population, and the task of improving the energy security of the country as a whole.


Source: https://habr.com/ru/post/277723/

