Safe Door on a Screen Tent

So… you built the world’s most impregnable Widget. Good for you. Sadly, that means bupkis.

In todays installment of “Ranting ‘bout the Grid”, we will discuss the pitfalls of poor implementation. SmartGrid components are no different than enterprise components in many ways. It is completely within the realm of possibility to take and incredible architecture and design and totally FUBAR the implementation.

I call it “Putting a safe door on a screen tent”.

The first stumbling block is a having a security policy. Most utilities have one, it’s just that the line folks don’t know it exists because they have never had to deal with it. Until recent events brought to light the sheer inanity of using a single password for every meter, re-closer, synchrophaser, etc., most meter shops and dispatch centers have not had reason to be concerned with simple security measures. The simple fact is that a majority of utility security policies I have read are geared toward the enterprise and lack specifics for the field. That puts the policy into the realm of “Speculative Fiction”.

So, step one; update the utility security policy to address SCADA systems. That done, it follows logically that process, procedure, SoP, etc. need to be updated as well. When you do this, please engage a security professional who understands control system concerns. All too often, I see polices written with the best intentions by the uninitiated, and it leads to mis-interpretation, confusion, and ultimately fails. Remember a security policy is supposed to be like the law. It requires legislative (Board of Directors) approval. It informs and directs the process and procedure.

Great, you have a policy and you have a process to use it. Now lets look at the landscape for a bit.

Working for a manufacturer, I always try to emphasize the concept of having as many points where you can exercise security controls as is practical. Separate the control network from the enterprise network from the outset. The isn’t much data that needs to flow directly from a control system to an enterprise desktop and what data DOES need to move into the enterprise, like billing data, can be moved through a proxy or bastion host. The weakest point in any network is inside the perimeter where you have to count more on administrative controls rather than technical ones. All it takes is one Stupid User Trick ^® (SUT) to bring a botnet to the office.

Beyond segregating the control network from the enterprise network, it’s a good idea to develop trust zones and control movement between them. One way to look at it is, the Head End (HE) is one zone, the WWAN another, the control components networks a third, and finally the control components themselves. By doing this, you can contain a compromise to a trust zone and act appropriately. Control components represent the largest attack surface most security professionals have or will ever deal with. Ask yourself, how much do you trust the traffic from an area like this? Not so much. With that in mind, you need to assure that the data flowing into the system has appropriate confidentiality and integrity. Crypto controls like DSA and AES help with this, but only if applied appropriately. If you have a good design, a hacker compromising one control component has accomplished just that. One component. Granted, if that one component can dump several hundred mega-watts, it’s still a Very Bad Thing, but at least it’s not ALL of that type of component that is now compromised. The WWAN represents the next zone, and while it has a smaller attack surface, it is a higher value target. Adding application and packet firewalls as well as IDS/IPS at the entry/exit points of this zone will help ensure that if someone effects a compromise at the carrier or on a Metro Wireless network, you still have a barrier. In theory, a well-designed system will have all the control data encrypted and signed, so a compromise of the backhaul SHOULD only allow DoS type attacks. There is a lot of “SHOULD” in this world.

In the next installment, I will discuss security at the Head End, Personnel Vetting, and Responsible Patching.