
June 15, 2008

Assessing and addressing cyber threats to control systems


Serious shortcomings

Based on our experience working with utilities throughout the U.S., Aegis Technologies finds that many are now addressing their control systems’ vulnerability. Unfortunately, many of their chosen solutions are of limited scope and capability.

For example, most “bump-in-the-wire” solutions that encrypt and authenticate a line do not secure dial-up modems. If an encrypted line has an unprotected modem at its endpoint, the line as a whole remains unprotected: any malicious packets sent through the unsecured modem would simply be encrypted on their way to the master computer.

Furthermore, many solutions lack a centralized management architecture that integrates security logging and monitoring for a common host. In these systems, encryption keys and passwords must be changed at the remote device itself, a costly and time-consuming process for securing substations that are typically far-flung and remote. Without central management, there is no central repository for active security monitoring and reporting. Should a security breach occur, there’s no coordinated way to send alerts to a host operator.

Exemplifying yet another cyber threat, some control system security solutions rely on conventional IT operating systems, such as Linux or Windows, to power remote equipment. Web servers are often also deployed on remote hardware, effectively putting “embedded servers” in the field. Though such configurations may offer some benefits, they are potentially vulnerable to viruses, Trojans, worms, or other cyber nasties that exploit flaws in unpatched versions of the underlying operating system. Many of us know first-hand how difficult it is to rid our home computer of a virus or Trojan. Imagine how much more challenging the task becomes when a virus infects remote equipment far from the control center.

With due respect to the power industry’s embrace of better, more-effective IT systems, most IT-based security solutions fail to acknowledge the needs of control systems. Many of the encryption devices now in use are based on high-speed IT security protocols and/or utilize block encryption algorithms. But these modern technologies require too many resources to operate efficiently on legacy control system networks such as those used by most utilities. The inefficiency leads to unacceptable levels of communications latency in the devices, in turn causing the control system to malfunction.
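An added illustration, not from the original article: a simplified timing model of one contributor to the latency described above, namely a block cipher's need to buffer and pad whole blocks on a slow serial line. The baud rates, frame sizes and 500 ms poll timeout are constructed values, and cipher processing time is ignored.

```python
import math

BITS_PER_CHAR = 10  # assumption: 8N1 async serial (start + 8 data + stop bit)

def byte_time_ms(baud):
    """Time to clock one character onto the line, in milliseconds."""
    return 1000.0 * BITS_PER_CHAR / baud

def added_bytes(frame_len, block_size, overhead_bytes=0):
    """Byte-times of extra one-way delay for one frame through an
    encryptor/decryptor pair. block_size=1 models byte-at-a-time forwarding."""
    padded = math.ceil(frame_len / block_size) * block_size
    extra_on_wire = (padded - frame_len) + overhead_bytes  # padding + header/tag
    hold = 2 * block_size  # each in-line device buffers one full block first
    return hold + extra_on_wire

def poll_cycle_ms(baud, request_len, response_len, block_size, overhead_bytes=0):
    """Request + response time for one poll, ignoring cipher CPU time
    and the remote device's turnaround time."""
    total = (request_len + response_len
             + added_bytes(request_len, block_size, overhead_bytes)
             + added_bytes(response_len, block_size, overhead_bytes))
    return total * byte_time_ms(baud)

def survey(timeout_ms=500.0, request_len=8, response_len=29):
    """Constructed scenario: 8-byte poll, 29-byte reply, 500 ms master timeout."""
    rows = []
    for baud in (1200, 9600, 19200):
        for label, block in (("none", 0), ("byte-wise", 1), ("16-byte block", 16)):
            if block == 0:
                # Unprotected line: only the frames themselves are on the wire.
                ms = (request_len + response_len) * byte_time_ms(baud)
            else:
                ms = poll_cycle_ms(baud, request_len, response_len, block)
            rows.append((baud, label, round(ms, 1), ms <= timeout_ms))
    return rows

if __name__ == "__main__":
    for baud, label, ms, ok in survey():
        print(f"{baud:>6} baud  {label:<14} {ms:>7.1f} ms  {'ok' if ok else 'TIMEOUT'}")
```

In this constructed scenario only the 1200-baud line with 16-byte block buffering misses the timeout, which is why the same device can be acceptable on a fast link and unusable on a legacy one.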

Finally, existing utility cyber security systems are not likely to be adequate for long-term use. Why? As computing power follows Moore’s Law and continues to double every 18 to 24 months, today’s 64-, 128-, and even 256-bit encryption keys will become easier to hack. Encryption systems must become more robust to cope with the ever-faster technologies that hackers will have at their disposal.

© 2012 Tradefair Group, an Access Intelligence LLC company.