M. Braendle, M. Naedele & T. Koch, ABB, Switzerland, R. Vahldieck, ABB, Germany
Greater interconnection of utility automation systems provides more opportunities for breaches in IT security. The integration of IT security monitoring in the overall utility automation control structure is ABB’s response to this growing concern.
Industrial automation and control systems now feature in many critical utility applications such as power generation, transmission and distribution. Depending on the type and purpose of the system, its components might be distributed on a local, national or even global scale.
In the past, automation systems were not interconnected, either to each other or to public networks like the internet. Today, the market puts pressure on utilities to make fast, cost-effective decisions. This means that accurate, up-to-date information about the status of utility assets must be available immediately on-line, not just at the operational level, but also for senior management and even for supply chain partners. This changing commercial environment has resulted in increasing interconnection between different automation systems, as well as between utility systems and office systems.
Initially, such interconnections were based on specialized proprietary communication and protocols. Now, open and standardized internet technologies are more common and this has resulted in a significantly increased risk of electronic attacks on critical control systems. Indeed, with the continuous evolution in the capabilities of computers, and also the multiplicity of means of access (network connections, modems, memory sticks, CDs, laptops) it is no surprise that new vulnerabilities are continually being discovered and exploited.
Do electronic attacks really happen?
Several incidents of electronic attacks on utilities have been reported in recent years. Confidential information, including incident response plans, was leaked out of a Japanese power plant through a virus infected computer with peer-to-peer file sharing applications in two separate incidents in the first half of 2006, following a similar incident in a different plant in 2005.
In January 2003, the safety monitoring system of the Davis-Besse nuclear power plant in the US was infected with the ‘Slammer’ worm. The worm bypassed the plant firewalls via a contractor’s laptop that was connected to the plant network at the same time, and via a modem to the infected enterprise network of the contractor company.
In December 2000, attackers compromised the computer network of an unnamed US power utility via an unsecured data exchange protocol. They used the host to play networked computer games, taking up resources and bandwidth that severely impeded the utility’s electricity trading.
We can safely assume that a large number of similar attacks have not been reported in the press. Furthermore, an expert from the US DHS warns that intelligence agencies are increasingly seeing indications of terrorist interest in SCADA and embedded systems.
No security mechanism can guarantee absolute invulnerability against attacks and intrusions. A comprehensive security architecture therefore relies not only on preventive mechanisms such as firewalls and antivirus tools, but also includes technology and process elements to detect ongoing attacks and intrusions, and the capability to react to them.
One option is a dedicated team that monitors and analyzes intrusions round the clock. This involves significant and continuous financial investment, which may be hard to justify.
A more cost-efficient alternative might be to subscribe to the services of a managed security service provider, using central monitoring facilities with highly qualified staff to monitor continuously and concurrently the networks of multiple clients. While significantly less costly than the in-house equivalent, the external service provider approach may still be too costly for low risk plants. Furthermore, there are other concerns that may make this approach unsuitable. First, there is a security-related issue: external access has to be granted. Secondly, there is a safety issue: can the external service provider be trusted to properly appreciate the peculiarities of utility operations and the related hazards?
ABB has therefore developed a third alternative: the integration of IT security monitoring in the overall utility automation control structure.
Many utilities already have electronic attack detection capabilities, such as network or host based intrusion detection systems, or scanners analyzing log messages from firewalls and hosts. However, many of them do not make effective use of these capabilities because they lack the staff resources to monitor them 24/7.
While IT security for utility automation systems has to overcome a number of specific challenges, some of them distinctly different from office systems, it also has certain advantages. One of these is that, very often, an operator is available to monitor system behaviour at all times. So, ideally, they should also act as the ‘first responder’ for IT security.
One objection to this approach may be that such a first responder role would require IT and IT-security knowledge, which is not always found among utility operations staff. This lack of expertise is being addressed through increased automation of the analysis and detection function using complex rules, hence removing the human element. Many real-life situations are, however, ambiguous. The environment is too dynamic for a fixed attack detection rule-base, but an approach based on dynamic updating of the rule-base reinstates the need for continuously available experts.
ABB’s view is that utility system operators who are well trained and experienced in monitoring hundreds of indicators, are very good at detecting anomalies. Their ability to use common sense to decide on the appropriate action should be extended to security-related areas.
ABB’s vision is to provide the operator with the tools and methods to deal with plant IT security problems in the same way as process deviations. This depends on the following prerequisites:
- IT security related information has to be presented to the operator as part of the normal work environment.
- IT security related information has to be presented using the same presentation paradigms used for monitoring the utility control systems. This includes graphics, colours, symbols, figures and trend charts, and excludes messages containing cryptic ‘hacker’ terminology.
- The process operator should not need any specific IT or IT-security knowledge in order to detect an attack and react to it in a meaningful way. Possible reactions could include isolating the automation system from external connections, activating predefined network islands inside the automation system, starting a vulnerability check, collecting additional data according to predefined procedures, or calling for expert help.
Starting from these requirements, ABB has developed a security and system health monitoring and visualization solution for utility control systems based on its System 800xA industrial automation framework: System 800xA Security Workplace.
System 800xA Security Workplace
System 800xA Security Workplace consists of several faceplates and scripts that are loaded into the System 800xA at runtime. It uses and builds upon the 800xA base libraries and framework to incorporate data from different sources, accessed via different technologies. The data are accessed using System 800xA PC, Network and Software Monitoring (PNSM) scripts.
PNSM is used as the backbone of the Security Workplace and comprises a set of 800xA features for monitoring the hosts and network elements in an automation network. PNSM provides a pre-configured library of IT assets representing devices and system processes widely used within industrial businesses today. Through PNSM, Security Workplace incorporates data from the complete IT system including:
- Network devices such as firewalls and switches.
- Network segments.
- Computer systems attached to the network.
Data collected consists of general IT data, such as CPU load, and security specific data, such as information on antivirus installation.
Overall, the easy integration of information sources and the increasingly autonomous behaviour of components will lead to the implementation of fully automated and secured utility operations management.
Security Workplace is tailored to be used by an 800xA operator with standard training, who does not necessarily have an IT-security background and in-depth knowledge of IT networks and systems. There is no need for skilled interpretation to highlight signs of possible attacks. Neither is it intended that the operator should be able to identify the precise nature of the attack or to react to possible attacks from within the framework of Security Workplace.
The look and feel of Security Workplace resembles a standard 800xA workplace. It contains standard elements such as faceplates, trend displays or alarm lists. Having this seamless integration into a well known working environment fosters acceptance by the operators and does not introduce the additional complexity of an unfamiliar security system interface.
Figure 1: The Security Workplace for a demonstration system
Figure 1 shows the Security Workplace for a demonstration system. It consists of a process control network (PCN), a demilitarized zone (DMZ) and an external unsecure network (the Internet or business network). These zones are separated by firewalls and the PCN and DMZ have managed switches to connect the different nodes. The DMZ holds a proxy server that allows the PCN to be connected to from the outside.
The depiction of the IT system within the Security Workplace resembles the actual physical setup. This makes it easier for the operator to understand what they are looking at.
The Security Workplace overview contains icons for all network devices showing basic information such as type, IP address, name and status of the ports. All icons shown in the overview are linked to faceplates offering more extensive information. For network devices, the faceplates show the network usage of all interfaces individually and contain detailed trends for each interface showing the number of packets received, the number of packets sent, the number of dropped packets, the number of erroneous packets and other information. For Windows systems the faceplates contain detailed information on the operating system (version, installed service pack), the active sessions, the status of running threads, and trends on CPU usage, memory usage and thread activity.
Detected security issues
Security Workplace is designed to detect signs of attacks and to alert the operator. An important first step is to define a ‘normal’ system state.
Security Workplace allows the definition of thresholds for various values that, when exceeded, will trigger an alarm. In this respect the arrangement is similar to standard process supervision. In contrast to other intrusion detection system (IDS) approaches, however, thresholds are not predefined; it is up to the operator to decide what is normal. Network loads, for instance, are constantly monitored, so a sudden increase in network traffic will result in an alert. Deviations from normal network loads can be a sign of a security incident, for instance network scanning or malware trying to send data.
Exemplifying this, one might envisage a scenario in which network traffic seen at a firewall is abnormal and one-sided; traffic is only arriving at the firewall and not being re-transmitted. In this scenario, the network load has crossed the threshold (indicated by an exclamation sign in the Security Workplace) and some of the packets are erroneous (indicated by a red data plot). If almost no traffic is being sent from the firewall on either interface then it is likely that someone is either scanning the firewall or trying to send data to the PCN that is blocked by the firewall. Both would be a clear sign of an attack. Alternatively, it could be that a technician is uploading a file onto the firewall, new firmware perhaps, causing the abnormal traffic load. However, a high number of erroneous packets would make this unlikely.
The origins of any attack can also be clarified via the Security Workplace; for example, it will highlight if a device, such as a laptop, has been connected to a physical port even though that port should not be connected to anything. If the operator knows that a technician is performing maintenance on the DMZ network, they can decide that the irregularity is caused by the technician’s laptop. The technician might actually be performing a firmware update of the firewall, or their laptop might be infected, perhaps with a worm that is trying to spread through the firewall.
Under an alternative scenario, the monitored Windows system has its antivirus functions turned off and the CPU load is very high. The disabled antivirus software would have triggered an alarm. Just as in the previous scenario, the operator might have additional knowledge to understand what is happening, for example, someone doing a software update on that machine. However, the antivirus software should typically never be disabled and this scenario would thus have to be classified as a security incident regardless of the circumstances.
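As an added illustration of the threshold-based reasoning in the two scenarios above (example code written for this page, not ABB's Security Workplace or PNSM scripts), the following Python sketch applies operator-defined limits to constructed firewall interface counters and host status and derives the same verdicts the text describes. The limits, device names and counter values are all assumptions.

```python
"""Threshold alerting over per-interface and per-host samples (constructed example)."""

# Hypothetical operator-defined "normal" limits; not ABB defaults.
LOAD_LIMIT = 5000          # packets received per sampling interval on one interface
ERROR_RATIO_LIMIT = 0.05   # erroneous packets as a fraction of packets received
ONE_SIDED_RATIO = 0.1      # sent/received below this: traffic arrives but is not re-transmitted
CPU_LIMIT = 90.0           # percent


def check_firewall(name, interfaces):
    """interfaces: {iface: (rx_pkts, tx_pkts, err_pkts)}. Returns (alerts, verdict)."""
    alerts = []
    total_rx = total_tx = total_err = 0
    for iface, (rx, tx, err) in interfaces.items():
        total_rx, total_tx, total_err = total_rx + rx, total_tx + tx, total_err + err
        if rx > LOAD_LIMIT:                       # exclamation sign in the workplace
            alerts.append(f"{name}/{iface}: load {rx} exceeds threshold {LOAD_LIMIT}")
        if rx and err / rx > ERROR_RATIO_LIMIT:   # red data plot
            alerts.append(f"{name}/{iface}: {err} erroneous packets of {rx}")
    one_sided = total_rx > LOAD_LIMIT and total_tx < ONE_SIDED_RATIO * total_rx
    if one_sided:
        alerts.append(f"{name}: traffic arriving but not re-transmitted on any interface")
    # One-sided traffic plus many erroneous packets is unlikely to be a technician's
    # firmware upload, so it is classed as a probable attack; load alone is checked
    # against planned maintenance first.
    if one_sided and total_err / max(total_rx, 1) > ERROR_RATIO_LIMIT:
        verdict = "probable attack (scan or blocked push into PCN)"
    elif alerts:
        verdict = "abnormal load: confirm planned maintenance"
    else:
        verdict = "normal"
    return alerts, verdict


def check_host(name, antivirus_enabled, cpu_load):
    """Windows host sample. Disabled antivirus is an incident regardless of context."""
    alerts = []
    if not antivirus_enabled:
        alerts.append(f"{name}: antivirus disabled")
    if cpu_load > CPU_LIMIT:
        alerts.append(f"{name}: CPU load {cpu_load}% exceeds {CPU_LIMIT}%")
    if not antivirus_enabled:
        verdict = "security incident"
    elif alerts:
        verdict = "abnormal load: confirm planned maintenance"
    else:
        verdict = "normal"
    return alerts, verdict


if __name__ == "__main__":
    # Constructed samples: one-sided, error-laden traffic at the firewall, then a
    # host with antivirus turned off and very high CPU load.
    print(check_firewall("fw1", {"ext0": (12000, 300, 900), "dmz0": (200, 150, 0)}))
    print(check_host("hmi1", antivirus_enabled=False, cpu_load=97.0))
```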