ICS Security for the Power Grid Using Tofino Xenon for Energy
Energy and electric utility organizations are facing a range of challenges requiring a reevaluation of the cyber security within their industrial control networks, endpoints and controllers.
On the one hand, operators have to face losing access to phone lines, securing transmission substations, meeting pressing NERC CIP audit requirements and worrying about Internet connections to vital systems. On the other hand, they are confronted with data and media coverage (eg. Ukraine power outage) that indicate an increase in cyberattacks on energy Industrial Control Systems (ICS).
Given this environment and the importance of energy systems as critical infrastructure, Belden has increased its focus on cyber security solutions for the energy sector. In 2015, we acquired Tripwire, a provider of advanced threat, security and compliance solutions with a high number of electric utility customers. Going back even further, in 2011 we acquired Tofino Security, a provider of industrial firewalls with advanced Deep Packet Inspection (DPI) technology for securing industrial protocols.
Recently we announced a significant enhancement to the Tofino Security product line called Tofino Xenon for Energy. Most importantly, this new offering includes new DPI modules for securing the DNP3 and IEC 60870-5-104 (IEC 104) protocols for electric power and SCADA systems.
If you are involved with cyber security for energy, power or electric utility systems, read on to find out why this new product line is a game changer for protecting critical assets.
Cyber Attacks Target the Power Grid
It likely isn’t news to you that cyber threats to the energy sector are on the increase. Indeed a recent study done by Tripwire revealed a disturbing trend. When asked if their organization had experienced a rise in successful cyber attacks in the last 12 months, 77% of the respondents in Tripwire’s study replied, “yes.”
David Meltzer, chief research officer for Tripwire, commented:
“It’s tempting to believe that this increase in attacks is horizontal across industries, but the data shows that energy organizations are experiencing a disproportionately large increase when compared to other industries. At the same time, the energy industry faces unique challenges in protecting industrial control systems and SCADA assets.”
The U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) highlights the challenges to industry:
“We see more and more that attackers are gaining access to the control system layer,”according to Marty Edwards, director of ICS-CERT. He noted that the rise is due to increased exposure to the Internet, a trend that is not likely to change given smart grid and Industrial Internet of Things (IIoT) initiatives.
Tofino Xenon for Energy has both the advanced technology to secure the protocols used by the energy industry and is ideal as a security conduit. It plays a key role in contributing to a robust, layered defense strategy that ICS operations staff can easily manage and control.
Deep Packet Inspection for DNP3 and IEC 104
The network protocols used by SCADA and Industrial Control Systems (ICS) were never designed with security in mind and historically it’s been hard to secure them. This is because most firewalls either allow all messages using a protocol like DNP3 to pass through, or all of them are blocked.
Thus, if you allow data read messages from an HMI to a PLC to pass through, you are also allowing programming messages to pass through. This is a serious security issue. If you do the reverse and block all DNP3 messages, then the messages necessary for running the control network are blocked.
Particularly for protecting critical assets like RTUs and other control devices, finer grained protection is required.
This is exactly what Deep Packet Inspection does. It goes beyond looking at message headers to decode the payload itself, allowing the definition of very narrow rules. For example, the new Tofino Xenon DNP3 and IEC 104 modules:
- Restrict communication to only the master/slave devices specified
- Restrict traffic to allow only the DNP3 or IEC 104 message type and function codes specified by the control specialist
- Restrict traffic to correctly formatted DNP3 or IEC packets only (protocol “sanity check”)
Thus Tofino’s DPI technology protects systems against malware, protocol vulnerabilities, malformed packets and other known and unknown threats by authorized or unauthorized users.
Network Segmentation as per IEC 62443
The Defense is Depth (DiD) best practice, multiple layers of defense distributed throughout the control network, is one of the best ways to defend against today’s cyber threats. Network segmentation using zones and conduits as defined by ISA IEC 62443 standards is an important element of a DiD strategy.
A zone is defined as a grouping of logical or physical assets that share common security requirements. For example, the first division might be operational areas, such as regions or substation types, with secondary functional layers defined, such as Supervisory Level, Station Level and Bay Level.
Zones can also be defined according to an asset’s inherent security capabilities. For example, older IEDs that have weak authentication (i.e., poorly designed password controls) could be grouped into a zone that provides them with additional defenses.
The Tofino Xenon is an excellent security appliance to use as the conduit that controls the communication between the zones. Its advanced filtering capabilities allow the lockdown of communications to just what is needed and it provides a high level of protection for hard-to-secure devices. Many of our customers use it to provide robust, up-to-date security to legacy systems that will take years, if not decades, to be replaced.
Tofino Xenon for Energy Increases ICS Security and Reliability
Tofino Xenon for Energy provides asset owners and operators with increased ICS/SCADA protection and reliability, improved safety, reduced risk at substations and increased NERC CIP audit efficiency and sustainability.
It is different from other products on the market because it:
- Is a unique Layer 2 device that requires no IP address
- Has certifications for the most challenging industrial environments
- Delivers Plug-and-Protect implementation with no network downtime
- Is designed to be easy-to-use for control technicians
- Enforces robust security policies for DNP3 and IEC 104 communications
If you are interested in finding out more, additional information is provided in the links below. Or arrange a demo in one of the following ways:
- Contact your Belden account manager
- In North America call 1-855-400-9071, option 2
- Complete the form on this webpage and a sales representative will be in contact with you
What is the greatest cyber security challenge you face? Will a solution like this help? We look forward to hearing from you.
Source | Belden