Intrusion Detection in Energy Systems – An Important Building Block in OT Security Processes - YouTube
Hello and welcome to my presentation on intrusion detection in energy systems. I would like to show you today that IDS can be an important building block in the OT security processes around substations and SCADA systems. Sometimes all those security measures are focused on the control center side of things, but I think that especially the substations are an underestimated attack surface, because there are many of these substations out there in the grid and many of them don't have enough protection against physical intrusions or cyber intrusions. So, let's have a look at the OT security processes in the power grid. Here the NIST Cybersecurity Framework is a very good guideline.
This cybersecurity framework has been used in many national security regulations in EU member states, and all across the world this model has been used. So, I'm going to use it as a rough guideline here. The security processes can be split up into these five functions. The first function is to identify the situation: what are my assets there, what are the attack vectors, how could somebody reach down into my SCADA and substation networks, and also the risks involved with these assets and the attack vectors. Then I'm going to start with the attack vectors with the highest risk to protect them, to protect them against intrusion from adversaries. But what sometimes is forgotten is that the detection step is an important part of the security process, because only using detection am I able to notice if somebody or some threat is there in my network, and only then can I respond and recover my services. In the response it's not only important to get rid of the threats, but it's also important to learn for the next time what has happened there. And then of course, especially on the OT side, I need to define processes first for how I can recover certain affected services.
So, let's have a look at substations now: what are the attack vectors on substations? I will go through that briefly here now. The first two attack vectors are probably very well known. Attack vector number one in this picture has been used in many cyber-attacks on OT systems and also in the two most famous cyber-attacks on a substation in Ukraine in 2016. Attack vector number two is also feasible, so an attack originating from the control center and affecting the devices in the substation is possible regardless of the SCADA protocols used. Something which is often forgotten is that Stuxnet-style cyber-attacks using engineering laptops directly connected to the devices in the substations are also feasible. This happened 10 years ago in the Stuxnet cyber-attack, but it can happen again in substations as well. Another topic is testing PCs, especially for SCADA testing and the signal testing involved with IEC 61850 or without: typically Windows software is plugged into the network of the substation or into the SCADA network, and this of course also poses an attack vector. Attack vector number five here is the testing equipment: the testing device is used to test the protection or the communication functions in the SCADA system or in the substation, and these devices also pose an attack vector. And we as a test vendor have been investing a lot over the last years to make sure that this attack vector number five becomes unattractive for an attacker.
What also needs to be considered, of course, is the storage of the files in those systems. For the testing files and the engineering files, those file servers virtually belong to the secure perimeter of a substation and they need to be secured in the same way.

If you now apply intrusion detection in such a substation, or generally in OT systems, there are mainly two approaches available. Both of them have certain drawbacks. The first and oldest approach is the signature-based approach. It is the same as with a virus scanner. The problem is it can only detect attacks which are known, which have an entry in this deny list, and only then can a certain attack or threat be detected. So, for power systems this is clearly not a good approach. There are other systems available which use a baseline approach. With this approach the systems look into the communication in the OT network for two weeks or two months, for example, and they learn the average behavior, the average protocol values, generically for all the communication involved in the OT network. So, this sounds feasible, and after this learning phase it can then be switched to operational, and then it will alarm on each significant deviation from the average. The problem is this approach has many false alarms because of seldom activity like switching operations, routine protection testing and other maintenance. But this is not the biggest problem, the amount of false alarms. The bigger problem is how you analyze these alarms. They are often related directly to the protocol communication, and you need people who are equally qualified in cybersecurity and in those OT-specialized SCADA and substation protocols. And this is the problem: you don't have those specialists available 24/7 for alarm analysis.
With StationGuard we used a different approach. The approach in StationGuard uses the fact that substations and the power grid in general are quite predictable. And with substations according to IEC 61850 we even have the advantage that we can use the machine-readable documentation of the whole substation, and especially of the communication, which is in so-called SCL files. The intrusion detection system StationGuard can read these files, and then it knows the behavior of the substation. It can then compare each and every packet in the communication against this system model, and with that it can precisely detect what is right and what is wrong in this communication. Of course, you can then also consider the whole substation lifecycle in this system model, for example maintenance and switching operations and routine protection testing. These things are already considered in the system model. What is especially interesting is that StationGuard is not just comparing and detecting cyber threats. StationGuard verifies all the communication against this system model. This verification also allows us to detect functional problems. This brings me to the aspect of functional monitoring, which can also be performed by intrusion detection systems.
StationGuard can, for example, detect configuration changes in the IEDs involved in the communication. It monitors the specific configuration revision fields in the messages, and it can detect if there is a deviation, if somebody changed the configuration in the devices. It also monitors the communication continuously and compares it with the timestamps in the messages, so that it can detect excessive transmission delays. With this you can detect denial of service situations in the IEDs, but you can also detect network failures and delays and especially, and that is the most frequent case, time synchronization errors in the substation. What else can StationGuard do? It can log critical events, for example switching operations or any other control commands, as well as file transfers, including the file names.
Quite a frequent question is: what about the other protocols involved? Of course, with IEC 61850 StationGuard performs a fully detailed analysis using the system model. But all other communication protocols are also covered by the same system model. Any communication between any two parties in the network needs to be allowed and registered in the system model beforehand, otherwise there will be an alarm. StationGuard performs deep packet inspection for many other protocols like DNP, the 104 protocol, Modbus and many IT protocols such as FTP and HTTP. It detects not just the protocol but also the application behind it using it. And so StationGuard compares the MAC addresses and IP addresses of the devices involved, but also the VLAN ID and the protocol and application. For proprietary engineering protocols, which are frequently used in substations, we provide an additional function called maintenance mode, and with that you can limit what is allowed during specific phases of the lifecycle of a substation. Then you have a more specific intrusion detection depending on the situation.
Another point I would like to discuss today is that the intrusion detection system alarm display needs to be accessible for OT engineers, because OT engineers, especially protection and SCADA engineers, are needed in the analysis of the alerts. They are needed in the response process in the cybersecurity processes. And with StationGuard we designed the user interface in a way so that OT engineers such as protection and control engineers immediately feel comfortable with the user interface, because we're using a graphical diagram very close to the single line diagram of the substation. As you can see here in that screenshot, intrusion detection system alarms are depicted graphically in that system diagram as this red arrow that's coming from the test PC in feeder number one here.
Another important topic in the OT security processes is the asset inventory. It is important for the identification of your risk that you get to know what assets are communicating and what the firmware versions of these assets are, for example, in order to perform a risk analysis. With StationGuard you can export this asset inventory automatically, because it detects all the assets in the network based on the passive traffic analysis, but StationGuard can combine this information with the engineering files, and then you have a detailed description of all the assets, their firmware versions and all the other parameters such as the proper device name and description. This can even be combined with active communication, active device interrogation using StationGuard, and then you can reach a combined view of your asset inventory.
How do I integrate such an intrusion detection system into the substation? There is a simple way for legacy substations and there are more advanced steps possible. For legacy substations, StationGuard provides a dashboard for central monitoring to see in which substations I have an alarm. We also provide binary contacts, so that a binary contact operates on each IDS alarm, and then this can be wired to an RTU and easily integrated into the SCADA signal list. That's an easy way to have the alert status visible in the SCADA control room. More advanced methods are the integration into software used in security operation centres such as SIEM systems, security information and event management systems. For this we're providing a syslog interface which integrates into most systems from all different vendors. What is also available is an integration into ticket systems. There you can make sure that the alerts automatically create tickets assigned to the engineers responsible for the particular asset. So, these are the options for how StationGuard can be integrated.
This brings me to the conclusion that there are many different attack vectors possible for substations, especially considering their whole lifecycle. Security solutions like intrusion detection systems must speak the language of the protection and SCADA engineers. Otherwise the response processes become inefficient. And there are tailor-made IDS solutions for energy systems available, such as StationGuard. With this I want to thank you very much for your attention.
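The talk describes three checks a system-model-based IDS makes on substation traffic: an alarm for any flow (MAC addresses, VLAN ID, protocol) not registered in the model beforehand, an alarm when the configuration revision field of a GOOSE message deviates from the engineered value, and an alarm when the receive time lags the timestamp in the message. The following is an added illustration of that verification logic in miniature; it is not StationGuard's code, and the toy system model, the constructed packets and the 10 ms delay threshold are assumptions, not values from the presentation.

```python
MAX_DELAY_MS = 10.0  # assumption: alarm when receive time lags the message timestamp by more

# Constructed stand-in for a system model derived from SCL files: registered flows as
# (src MAC, dst MAC, VLAN ID, protocol) and the confRev expected per GOOSE control block.
MODEL_FLOWS = {
    ("00:11:22:00:00:01", "01:0c:cd:01:00:01", 10, "GOOSE"),  # IED1 -> GOOSE multicast
    ("00:11:22:00:00:02", "00:11:22:00:00:01", 1, "MMS"),     # gateway -> IED1
}
MODEL_CONF_REV = {"IED1CTRL/LLN0$GO$gcb01": 3}

def verify(pkt, flows=MODEL_FLOWS, conf_rev=MODEL_CONF_REV):
    """Check one captured packet (a dict, constructed) against the system model.
    Returns a list of alarm strings; an empty list means the packet is as modelled."""
    flow = (pkt["src_mac"], pkt["dst_mac"], pkt["vlan"], pkt["proto"])
    if flow not in flows:
        # Party, VLAN or protocol not registered beforehand: alarm, nothing more to compare.
        return ["unregistered flow %s -> %s vlan %d %s" % flow]
    alarms = []
    if pkt["proto"] == "GOOSE":
        ref = pkt["gocb_ref"]
        expected = conf_rev.get(ref)
        if expected is not None and pkt["conf_rev"] != expected:
            alarms.append(f"confRev changed on {ref}: {expected} -> {pkt['conf_rev']}")
        delay = pkt["rx_time_ms"] - pkt["msg_time_ms"]  # IDS clock vs. timestamp in message
        if delay > MAX_DELAY_MS:
            alarms.append(f"transmission delay {delay:.0f} ms on {ref}")
    return alarms

# Constructed capture: a good GOOSE frame, a configuration change, a late frame,
# and an engineering connection from a test PC that is not in the model.
GOOSE = {"src_mac": "00:11:22:00:00:01", "dst_mac": "01:0c:cd:01:00:01", "vlan": 10,
         "proto": "GOOSE", "gocb_ref": "IED1CTRL/LLN0$GO$gcb01"}
SAMPLE_PACKETS = [
    dict(GOOSE, conf_rev=3, msg_time_ms=1000.0, rx_time_ms=1002.0),
    dict(GOOSE, conf_rev=4, msg_time_ms=2000.0, rx_time_ms=2001.0),
    dict(GOOSE, conf_rev=3, msg_time_ms=3000.0, rx_time_ms=3250.0),
    {"src_mac": "00:aa:bb:00:00:99", "dst_mac": "00:11:22:00:00:01", "vlan": 1, "proto": "MMS"},
]

def run(packets=SAMPLE_PACKETS):
    """Map packet index to its alarms, leaving out packets that verified cleanly."""
    return {i: a for i, pkt in enumerate(packets) if (a := verify(pkt))}

if __name__ == "__main__":
    for i, alarms in run().items():
        print(i, alarms)
```

A real deployment would build the flow set and expected confRev values from the SCL files rather than hard-coding them, and would treat a large, constant delay on every frame as a time synchronization problem rather than a network fault, as the talk notes.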