Government Technology


The Stuxnet 2, Coming to a SCADA System Near You!




Hackers Target Critical Infrastructure

October 26, 2011 By

With a new Stuxnet 2 (W32.Duqu) now found and the Department of Homeland Security warning of a possible security attack by Anonymous, a good start is probably to define some security solutions to protect these critical infrastructure targets. Breaching these supervisory control and data acquisition (SCADA) systems could bring our country’s safety and economy to their knees.

One good thing that came out of designing intelligence for the smart grid was that we had to take a look at how to securely integrate some old, transitioning and new-grid technologies into stand-alone, local or regional control centers. A big part of these control centers are SCADA systems that monitor and control industrial, infrastructure and facility-based processes. These control systems are used in many more areas than power-grid facilities. They can be found in manufacturing, production, power generation, fabrication, refining, water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, large communication systems, buildings, airports, ships and space stations, just to name a few. Unfortunately, some of the debilitating security warnings that were found in the smart grid are not limited to power-grid SCADA infrastructure.


No matter how new or old the technology, there are tremendous concerns about how to secure these core supervisory control systems and their interconnected intelligent networks. Whether physically pulling down a mechanical switch, pushing a button on an electromechanical device or operating an intelligent smart grid from a centralized network operation center (NOC), they all have inherent security vulnerabilities. There are those who say that we should delay any digital intelligent modernizing of our power grid. So while moving forward, we need to do this in stages, watching security at every point.

Richard Clarke's book Cyber War warns of cyber-attacks on the smart grid but also demonstrates an existing ability to breach and take down our legacy power grid infrastructure. Simply doing nothing is not an option in securing the power grid or any critical infrastructure. Countries like India, China and Brazil are moving forward with smart-grid deployments as fast as they can. They recognize the benefits that intelligent networked systems would offer in eliminating power theft while improving their global energy cost competitiveness. They see these benefits far outweighing any catastrophic system security breach and have massive smart-grid deployment in process. So what are the real answers in addressing critical infrastructure security today? Just three things need to be done, and they need to be done simultaneously.

Evaluate Current Security Vulnerabilities

From physical security, to legacy and extended networks, there is a lot of work to be done to address critical infrastructure security. Critical infrastructure facilities can't just hunker down and hope an attack doesn't happen. From simple personal procedures to complete intrusion detection studies, the potential vulnerabilities must be targeted before they are breached. There are automated methodologies that are being developed, though, that may rapidly address these requirements.

To expedite and future-proof security evaluations, Sensus, EnerNex and the Oak Ridge National Laboratory (ORNL) are working on an advanced security demonstration project called the Automated Vulnerability Detection system (AVUD). This project is aimed at developing a cyber-security system for smart energy meters and other advanced grid technologies. The project will use a Function Extraction (FX) technology evaluation platform developed by ORNL to find and fix security issues before they actually cause problems. The initial project is targeting advanced meter infrastructure (AMI) systems. With millions of smart meters ready to deploy, this can't happen soon enough.

Focus on Prevention

If there were ever a security industry award for the best metaphor, it would go to the word “virus,” which perfectly explains what can happen without preventive measures in systems and network security. Just like measures against colds and flu, it seems we are now beginning to focus more on prevention than detection. This is why intrusion prevention systems (IPS) are so critical in SCADA systems. IPS can securely cloak systems with frame-to-frame encryption even to the layer 2 level. This could eliminate port and application vulnerabilities right down to the device chipset. It can eliminate man-in-the-middle (MITM) spoofing/sniffing risks or denial-of-service (DoS) vulnerabilities while enabling strong security on even legacy devices.

Because an IPS sits inline with the traffic flows on a network, it can shut down attempted attacks at the network edge, stopping them by terminating the network connection or the user/device session they originate from. Attack responses can include blocking access to the target from the user account, IP address or other attribute associated with the attacker, or blocking all access to the targeted host, service or application. It seems like an obvious first choice. Don't let the security breaches in.

Detection and Prevention: a Natural Mix

Then there is the intrusion detection system (IDS). This system is passive: it watches packets of data traverse the network from a monitoring port, compares the traffic to configured rules, and sets off an alarm if it detects anything suspicious. With Stuxnet 2 (W32.Duqu) now a big concern, we need systems that can detect these more serious attack methodologies. These new attacks are targeting information for SCADA systems used to control machinery and other key critical infrastructure operations.

Although IDS has great value, just seeing the problem is not enough. There must be system security solutions put in place to immediately react to security breaches. This is why bundling both IPS and IDS solutions together seems to be the direction many companies are taking in their security product lines, including recent corporate mergers and acquisitions.
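The difference between passive detection and inline prevention described above can be shown with one rule applied in both modes. This is an added example, not code from the article or from any vendor: the Modbus/TCP rule, the allowed-writer list and all addresses are assumptions, and the sample traffic is constructed.

```python
from dataclasses import dataclass

WRITE_CODES = {5, 6, 15, 16}      # Modbus function codes that write coils/registers
ALLOWED_WRITERS = {"10.0.0.5"}    # assumption: the only HMI permitted to write

@dataclass(frozen=True)
class Frame:
    src: str    # source IP address
    dst: str    # destination (PLC) IP address
    dport: int  # destination TCP port
    func: int   # Modbus function code

def matches_rule(f):
    """Configured rule: Modbus/TCP write from a host that is not an allowed writer."""
    return f.dport == 502 and f.func in WRITE_CODES and f.src not in ALLOWED_WRITERS

def run_ids(frames):
    """Passive monitoring port: every frame is still delivered, matches only alarm."""
    alerts = [f for f in frames if matches_rule(f)]
    return list(frames), alerts

def run_ips(frames):
    """Inline: drop the matching frame, then block its source IP for later traffic."""
    delivered, alerts, blocked = [], [], set()
    for f in frames:
        if f.src in blocked:
            continue                  # source already blocked by an earlier response
        if matches_rule(f):
            alerts.append(f)
            blocked.add(f.src)        # response keyed on the offending IP address
            continue                  # the frame never reaches the PLC
        delivered.append(f)
    return delivered, alerts, blocked

# Constructed sample traffic (addresses are illustrative, not from the article).
SAMPLE = [
    Frame("10.0.0.5", "10.0.1.20", 502, 3),    # HMI reads holding registers
    Frame("10.0.0.5", "10.0.1.20", 502, 6),    # HMI writes a register (allowed)
    Frame("10.0.9.77", "10.0.1.20", 502, 3),   # unknown host reads
    Frame("10.0.9.77", "10.0.1.20", 502, 16),  # unknown host writes: rule fires
    Frame("10.0.9.77", "10.0.1.21", 502, 3),   # follow-up from the same host
]

if __name__ == "__main__":
    ids_delivered, ids_alerts = run_ids(SAMPLE)
    ips_delivered, ips_alerts, blocked = run_ips(SAMPLE)
    print("IDS delivered:", len(ids_delivered), "alerts:", len(ids_alerts))
    print("IPS delivered:", len(ips_delivered), "blocked sources:", sorted(blocked))
```

In IDS mode the unauthorized write still reaches the controller and only an alarm is raised; in IPS mode the same rule drops it and cuts off the source.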

In Conclusion

The AVUD project by Sensus, EnerNex and the Oak Ridge National Laboratory is a good sign of public-private sector cooperation in addressing critical infrastructure security. There has been too much oversight and finger pointing in the past and not enough action. Hopefully the responsible collaboration will be used as a model of how to work together in securing our critical infrastructure. This sure will be different than the “build first, then secure it” methodologies that have been so prevalent in the past. Look at security first and prepare for the future security risks. This is almost too good to believe.

Larry Karisny is the director of Project Safety.org, a smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.

