Secure Connectivity Solution “Cloaks” Power Facility Networks

One of the persistent challenges for power sector cybersecurity is integrating operational and information technology teams and functions, especially when they include remote or third-party systems. A new military-grade security approach provides industrial control system security without compromising ease of daily operations.

What do power generating companies have in common with The Boeing Co.? The need to protect digital industrial control systems without hampering day-to-day operation of those systems and their necessary communications with remote—even third-party-controlled—devices and systems. Given Boeing’s long history with both civilian and military aircraft and systems, it may not come as a surprise that one of the latest and most robust cybersecurity systems is based on seven years of research and development at Boeing involving mobile robots for 777 tooling.

Although there are multiple approaches to protecting industrial control system (ICS) assets, a major challenge has been finding a one-size-fits-all approach that easily integrates with all the legacy systems at, and interfacing with, a facility. Ensuring the cybersecurity of critical assets will never be just a one-step process. Patches to ICS and network software should be made systematically to ensure the highest level of security, and staff awareness training is a never-ending task. (See previous POWER cybersecurity articles for details.) But with the number and diversity of digital systems that are central to today’s industrial operations, an “umbrella” solution can significantly improve the odds of maintaining a secure operating environment.

Secure by Default

With the increasing dependency on computer automation to optimize electricity production, power facilities have increased their attack surface. Operational teams (OT) are faced with optimizing mission-critical systems at these distributed facilities, but resources and information technology (IT) security expertise is typically limited. The Tempered Networks solution bridges the OT and IT teams’ needs and requirements by increasing the operational integrity and availability of the organization’s critical infrastructure and information. Its solution is purpose-built to help power generation facilities measurably improve their overall security posture while enhancing the robustness of their distributed assets and distributed control system (DCS) networks.

Tempered Networks provides a centrally managed security appliance solution. It consists of ruggedized drop-in hardware and software components that leverage customers’ existing network infrastructure to efficiently enable secure industrial connectivity. Though there is no silver bullet security solution, the Tempered Networks system is engineered to be secure by default, simple to use, and highly cost-effective.

The company’s solution consists of three tightly integrated components: the HIPswitch Conductor, HIPswitch Security Appliance, and SimpleConnect Web Management Interface (Figure 1). The HIPswitch Conductor is a scalable orchestration engine that manages configuration, security policies, trust relationships, monitoring, and analytics between the SimpleConnect web management interface and distributed HIPswitches.

PWR_020115_ICS_TemperedNetworks_Fig1
1. The Tempered Networks system. The HIPswitch Conductor is a scalable orchestration engine that manages configuration, security policies, trust relationships, monitoring, and analytics between the SimpleConnect web management interface and distributed HIPswitches. Courtesy: Tempered Networks

Tempered Networks’ approach for protecting industrial control systems and devices has three main components: segmentation, secure connectivity and remote monitoring, and managing third-party connections.

Segment Process Control and SCADA Networks to Isolate and Cloak Connectivity. The industry’s best practice for protecting critical infrastructure and DCS networks within power facilities is to segment networks. The Tempered Networks solution enables organizations to segment and isolate connectivity to and between production facilities, following the ISA-99/IEC 62443 zones and conduits model.

However, unlike traditional firewalls or virtual private networks (VPNs), the Tempered Networks solution goes beyond simple inspection, adding authorization, confidentiality, integrity, and availability protection to the data as it traverses the control systems network. It essentially provides a “VPN as a service,” where you can provision individually managed private overlay networks—at unlimited scale.

Another difference is that the solution is designed to be deployed and managed by OT teams, whereas firewalls and VPNs require advanced security skills and are resource intensive, especially on a large scale.

Additionally, the solution is transport and topology agnostic, which is crucial for many of these remote facilities where there may be any mix of cellular, WiFi, wired Ethernet, or satellite communications networks.

The Tempered Networks solution provides an overlay network to segment and isolate critical production systems and devices. It “cloaks” all devices within the overlay network, leaving no configuration footprint from outside the Tempered Networks private network. This approach leverages existing infrastructure to connect plants, without exposing device communications, and without the brittleness of complex configurations.

Securely Connect and Monitor Remote, Distributed Equipment. Customers require an independent layer of connectivity, security, and trust management that allows management of devices—even across a third-party’s network infrastructure. They also require easy connectivity and monitoring of production equipment with centralized supervisory control and data acquisition (SCADA) and historian systems. As noted earlier Tempered Networks’ HIPswitch security appliances are transport and topology agnostic, supporting any mix of cellular, Wi-Fi, wired Ethernet, or satellite communications networks (Figure 2).

PWR_020115_ICS_TemperedNetworks_Fig2
2. Secure connections for distributed equipment and diverse systems. Tempered Networks’ HIPswitch security appliances are transport and topology agnostic, supporting any mix of cellular, Wi-Fi, wired Ethernet, or satellite communications networks. Courtesy: Tempered Networks

Manage Third-Party (Contractor and Vendor) Connections. Most facilities have vendors or contractors that need access to their networks, but this creates yet another security vulnerability. Tempered Networks facilitates authorized third-party access to SCADA networks, which can be granted and revoked in minutes, and monitored and logged. Once granted, access can be constrained to a single isolated device or a group of devices, for a specific period of time, using only specific applications.

When no longer required, access can be revoked quickly, without modifying the shared network. The solution can be configured to require user authentication prior to enabling access, thus adding integrated authentication services to automation environments.

Overview of Orchestration/Control

Compliance with industry standards was a key element when the solution was engineered, and it continues to be a valued aspect by customers. Tempered Networks provides a purpose-built solution for ICS and critical infrastructures, based on Trusted Computing Group (TCG), the Internet Engineering Task Force (IETF), and the International Society of Automation (ISA) standards. The orchestration is based on the Trusted Computing Group’s IF-MAP protocol and follows a specification purpose-built for secure networking of industrial control systems.

The orchestration follows a concept from networking called the control plane and is used only for control and monitoring of the deployed HIPswitches. This is a powerful approach because it avoids making the Tempered Networks Conductor a bottleneck in the system. The HIPswitches handle the data plane independently of orchestration and, therefore, can continue to operate with their current configuration if orchestration becomes unavailable. Even with a highly available orchestration service, this independence is vital for a highly resilient network.

There are no silver bullets in security; however, Tempered Networks believes its new approach raises the bar very high. The HIPswitches are transparent on the ICS side, meaning that protected devices cannot communicate with the HIPswitch. On the shared network or uplink side, the HIPswitch has only one listening service, and that is for connections from peer HIPswitches. And, unless the incoming HIPswitch connection presents a trusted cryptographic identity in the first packet, the connection is ignored.

Insider attacks within the network are mitigated with this approach because it is easy to microsegment the customer’s network. If a compromise (whether human or malware) occurs, the ability for that threat to propagate to other parts of the network is very limited, and log messages will be generated to indicate these attempts. Furthermore, authentication services can be layered into network access for human users to provide additional levels of security control, awareness, and logging.

Human factors at the administrative level will always be an important consideration in any organization, and this issue is present when using an orchestration service to manage security and connectivity. Tempered Networks has incorporated approaches for managing this risk, including role-based authorization, granular logging, and increased visibility through an emphasis on collaboration.

Works Well with Other IT Security Systems

Customers often have invested in other IT security solutions, such as firewalls, deep packet inspection (DPI), security incident and event management (SIEM) systems, data diodes, and network intrusion detection systems (NIDS). The Tempered Networks solution works with any of these existing systems and preserves the customer’s investment.

For example, a customer may use firewalls for perimeter protection of IT assets, but firewalls only provide inspection capabilities based on elements of the communication payloads that can be spoofed by any attacker. The Tempered Networks solution not only builds a secure perimeter for protection but also includes an additional layer of security by cloaking the footprint of the critical infrastructure. So, even if an attacker gained access to an existing virtual local area network (VLAN) or VPN, the customer’s critical infrastructure and information is protected because it is cloaked and invisible to hackers. Meanwhile, critical assets remain available only to peers with trusted cryptographic identities.

System Adoption

There is a trend in network resources being used as a shared resource by multiple business users throughout an enterprise, blurring the traditional one-network, one-user model. Furthermore, companies cannot afford to roll out multiple independent networks. Given this trend, companies in the utility, energy, and other sectors are looking for efficient and secure ways to segment their networks to support the variety, complexity, and scale of various operational groups.

This trend of increased connectivity and convergence of ICS and enterprise IT networks introduces complex security challenges. As industrial devices are networked, they are inherently exposed to cybersecurity threats, causing security to be a chief concern across the enterprise. As a result, IT departments across many industries are increasingly burdened with protecting their critical and revenue-generating infrastructure.

That concern has led to early deployments of the Tempered Networks system by Boeing and Yokogawa as well as by customers in the water/wastewater utility, petroleum, and oil and gas sectors. Tempered Networks is also seeing rising interest from organizations outside critical infrastructure, such as those in the healthcare, banking, and retail industries.

The Tempered Networks solution adds additional protection to secure ICS equipment as it moves through patch cycles. Even in today’s escalated threat environment, ICS vendors are still slow to release certified patches for their currently supported products. The vendor’s delay can leave critical ICS components exposed. Furthemore, many facilities continue to use ICS products long after vendor support has ended. By constraining connectivity to the absolute minimum, the attack surface of the ICS devices protected by the HIPswitch is reduced.

Tempered Networks is in the early stages of being deployed at and is under evaluation by several North American generation facilities, including coal-fired, gas-fired, and wind power facilities. The primary application is to secure remote connections for energy management system (EMS)/SCADA systems and remote access users.

Ease of Deployment

In addition to providing military-grade security (see sidebar) customers like the solution because it is easy to deploy and maintain.

Making the [Military] GradeWhen Tempered Networks describes its system as providing “military grade” security, that means it meets military grade security specifications:■ Secure channels bound to unique RSA 2048 bit cryptographic identities.

■ Per-peer explicit trust relationships validated up the certificate chain with SHA-256 signatures.

■ Full lifecycle identity management, including instant blacklisting and revocation.

■ Secure channels protected with Diffie-Hellman exchange, AES-256 encryption, SHA-1 message authentication.

■ Stateful packet inspection.

■ Denial-of-service mitigation.

■ Microsegmentation based on device whitelisting.

From its roots on the Boeing manufacturing floor, one of the principle design requirements was to provide a transparent drop-in solution. Customers cannot tolerate disruption to existing operations, which might include installing software on existing equipment, making configuration changes to existing equipment, and widespread outages while the system is installed. To avoid such disruptions, the Tempered Networks HIPswitches can be shipped preconfigured and quickly deployed on a network.

The system is also cost-effective. A minimum configuration starts at less than $10,000; tiered licensing is available for HIPswitches based on the number of endpoints that must be secured. For example, an organization could purchase a starter kit for $9,995, which ships with the HIPswitch Conductor, a SimpleConnect web management interface, and two HIPswitches. The starter kit supports up to nine endpoint devices, for less than $1,000 per device.

A comparable configuration using firewalls would be similar in hardware and software costs, but the operating and maintenance costs would be significantly higher. Plus, firewall and VLAN solutions are vulnerable to human configuration errors, delays in applying security updates, and the like.

The HIPswitch-100 is an entry model and protects a single local device. The other HIPswitch models have no license limitations for the number of managed devices; however, there are practical limitations based on the performance capacities of the HIPswitch.

Compliance and Beyond

Power generators are currently weighing the advantages of increasing Internet protocol (IP) connectivity across all levels of operations against the costs of regulatory compliance. Meeting North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards can be a costly effort in terms of implementation, verification, and potential penalties. Moving forward, power infrastructure owners must implement network architectures that meet regulatory compliance. Ideally, they will be able to achieve compliance while also enhancing operational integrity, availability, and resiliency at an acceptable total cost of ownership.

For deployment at a NERC-regulated entity, the Tempered Networks solution is used to create and manage high-assurance yet flexible Electronic Access Control and Monitoring Systems (EACMS) into distributed Electronic Security Perimeters (ESPs), and to provide increased monitoring and situational awareness about those environments.

The solution is designed to be deployed in regulated electric utility environments in order to achieve the business objectives often associated with increased connectivity while also facilitating compliance and reducing the labor cost of compliance with NERC-CIP standards. Beyond compliance, the system is engineered to provide security hardening, resilience, and awareness.

Editor’s Note: Thanks to Rob Engels, director of IT support at Access Intelligence (POWER’s owner), for assistance in helping with initial development of this article based on his interest in and study of ICS security.

David Mattes (d.mattes@ temperednetworks.com) is cofounder and chief technical officer of Tempered Networks and Alane Moran (a.moran@temperednetworks.com) is vice president of marketing communications.