PSC: What is the problem with today’s grid security?

ERCOT control center. Photo courtesy of Barco.

Barco: Our aging electricity infrastructure is susceptible to domestic terror attacks aimed at damaging the U.S. grid. If power stations are attacked, the impact threatens not only entire communities but also potentially affects entire states. Conflicting federal, state, and local regulations make cohesive security guidelines and enforcement challenging. Furthermore, the U.S. grid’s mixed bag of public and private ownership makes consistent governance difficult.

PSC: What are the top three physical security challenges to electric utilities?

Barco: The hardest part of integrating security into the control room is big data, that is, integrating data from assets, including those from monitoring systems, into the control room. When you get audited, auditors will challenge why data from the outside is available in the control room. There is no guidance other than whatever the security officer thinks is best. NERC CIP guidance is often not 100% defined but rather it’s interpreted.

PSC: What are other physical security challenges?

Barco: Layered defense in depth intrusion detection capabilities, or multiple sensors in the event the intruder gets around the first sensor, are a great idea. Why not feed these sensors into a Security Information Event Management System, a SIEM, to help the operators? Perhaps look at a solution involving anomaly detection. We should look to other industries for ideas. For instance, companies with pipelines take physical security more seriously than electric utilities. I think it’s just a matter of time before anomaly detection gets adopted by electric utilities. We’ve been an active player in the security operations market for a long time, and we’ve found that the key to everything is getting the systems to talk to one another and to automate things as much as possible.

PSC: You’ve mentioned the lack of guidance regarding Integrating data into the control room and not having a layered defense in-depth capability for physical security. Any others?

Barco: Larger organizations have the budgets to outsource physical security to companies with dedicated security monitoring and response capabilities. Smaller utilities don’t have the same resources. That’s a risk. Asset hardening is also missing; it’s something that nobody really explains or states what needs to be done or how. Hardening a device means making it more resilient against threat actors. In cybersecurity, that means making that device more secure and resilient to attacks. By hardening a device, you are making it more difficult to break into for hackers. Some devices must be configured and hardened by end-users. Devices should be manufactured to enable hardening to best practices.

PSC: If we think of monitoring intrusion in terms of data and data feeds to a utility, and the devices are transmitting data, are there any asset hardening specs you must comply with? And if so, what are those? Where are those standards pointing to? Are they NIST standards? Do they fall under NERC CIP? Any thoughts on that?

Barco: In our experience, CIP-007 is the most misunderstood and thus most violated of the CIP standards, and because of this, Barco makes sure the bare minimum physical ports on our hardware are operational, and we disable extra features not used. At the same time, we use the bare minimum ports for network communication between our devices. Barco products, prior to any release, whether that is a hardware or software release, are pen tested and scanned against Software Technical Implementation Guides (STIGS) by a third party, and we work through the third-party results and apply any needed patches or fixes to mitigate high NIST scan scores.

PSC: Are there remote protocols involved with these remote devices that would allow a company like Barco, or a maintenance provider, to access these assets remotely? How do we lock that down and harden that whole process and protocol?

Austin Energy. Photo courtesy of Barco.

Barco: Barco does not have products that allow for direct control of assets inside the control room. What Barco does have is a solution that allows the operator to share a read-only source in the control room outside via a web browser whether on a phone or laptop.  That solution is called SecureStream and is a purpose-built appliance that is a gateway between the DMZ network and the internet.  All communications are secured using encryption and well-known worldwide providers for distribution. Again, everything we do is third-party scanned and pen tested for security.

PSC: Going back to the hardening of assets, do you have best practices that apply to other physical intrusion monitoring devices that would qualify or would give utilities guidance on how to do that and what to think about?

Barco: Unfortunately, we do not! Asset hardening is different for each company and manufacturer. The USB port on a device might need to be active to allow for software updates, or system recovery.  So instead of physically turning it off, a company might elect to secure that port behind a lock or some type of physical security to prevent access and mitigate physical device hacking. The NSA has a public document called “Hardening Network Device” with recommendations on services, interfaces, ports and device access mitigations to support all devices and networks to harden them to reduce the risk of unauthorized access.

Go to part 2 of this conversation between PSC and Barco.