
e-tech
A selection of articles from the IEC magazine

Preventing a blackout
Ensuring the resilience of critical infrastructure

TABLE OF CONTENTS

Cyber security for the modern grid
Preventing a potential cyber security nightmare
Helping thwart cyber threats on nuclear plants
Securing critical infrastructure all the way to the top
No rest in efforts to thwart cyber attacks
IEC work on cyber security for energy infrastructure

Ensuring the resilience of critical infrastructure

The range and cost of global malicious cyber activities (cyber attacks) are growing. The cost is forecast to reach USD 2 000 billion by 2019, a threefold increase from the 2015 estimate of USD 500 billion. In addition to financial losses, concern is growing regarding attacks on critical infrastructure sectors. Safeguarding various parts of critical infrastructure from cyber attacks is becoming a priority for most countries.

Energy installations are central to the entire critical infrastructure: without electricity there is no transport system, no fresh water supply or waste water treatment, and healthcare facilities and factories can no longer function. As a result, energy installations have become prime targets for cyber attacks in recent years, some, arguably, to find out about possible vulnerabilities that can be exploited with a crippling effect at a later date. Power grids have been taken down, dams and nuclear power plants have been targeted.

Protecting critical infrastructure, energy systems in particular, requires following a broad range of standards, such as the IEC/ISO 27000 family of International Standards on information security management, and industry-specific Standards prepared by a number of standards developing organizations, including the International Electrotechnical Commission (IEC - www.iec.ch). The IEC has issued 235 IT security-related publications, i.e. International Standards, Technical Requirements (TR), Technical Specifications (TS); some 160 have been developed by several Subcommittees of ISO/IEC JTC 1: Information technology, including the IEC/ISO 27000 family.

This brochure contains a selection of articles from our magazine, e-tech - iecetech.org

CYBER SECURITY FOR THE MODERN GRID

Cyber security for the modern grid

Protecting the keystone of critical infrastructure from cyber threats is an absolute priority

Didier Giarratano, head of Marketing Cyber Security at Energy Digital Solutions/Energy, Schneider Electric, member of Working Group 3 of the IEC Systems Committee (SyC) on Smart Energy, SyC Smart Energy/WG 3: Smart Energy Roadmap, member of IEC CAB WG 17: cyber security.

Mitigating risk and anticipating attack vulnerabilities on utility grids and systems are not just about installing technology, but also about understanding risk

Emerging challenges

There’s an evolution taking place in the utilities industry to build a modern distribution automation grid. As the demand for digitized, connected and integrated operations increases across all industries, the challenge for utilities is to provide reliable energy delivery with a focus on efficiency and sustainable sources. The pressing need to improve the uptime of critical power distribution infrastructure is forcing change. However, as power networks merge and become ‘smarter’, the benefits of improved connectivity also bring greater cyber security risks, threatening to affect progress adversely.

Electrical distribution systems across Europe were originally built for centralized generation and passive loads – not for handling evolving levels of energy consumption or complexity. Now we are entering a new world of energy, with more decentralized generation, intermittent renewable sources like solar and wind, a two-way flow of decarbonized energy and an increasing engagement from demand-side consumers.

Decentralized model

The grid is moving to a more decentralized model, disrupting traditional power delivery and creating more opportunities for consumers and businesses to contribute back into the grid with renewables and other energy sources. As a result, the coming decades will see a new kind of energy consumer – one who manages energy production and usage to drive cost, reliability and sustainability tailored to their specific needs.

The rise of distributed energy is increasing grid complexity. It is evolving the industry from a traditional value chain to a more collaborative environment in which customers interface dynamically with the distribution grid, energy suppliers and the energy market. Technology and business models will need to evolve for the power industry to survive and thrive.

The new grid will be considerably more digitized, flexible and dynamic. It will be increasingly connected, with greater requirements for performance in a world where electricity makes up a higher share of the overall energy mix. There will be new actors involved in the power ecosystem such as transmission system operators (TSOs), distribution system operators (DSOs), distributed generation operators, aggregators and prosumers.

Regulation and compliancy

Cyber security deployment focuses on meeting standards and complying with regulations. This approach benefits the industry by increasing awareness of the risks and challenges associated with a cyber attack. As the electrical grid evolves in complexity, with the addition of distributed energy resource integration and feeder automation, a new approach is required – one that is oriented towards risk management.

Currently, utility stakeholders are applying cyber security processes learned from their IT (Information Technology) peers, which is putting them at risk. Within the substation environment, proprietary devices once dedicated to specialized applications are now vulnerable. Sensitive information available online that describes how these devices work can be accessed by anyone, including those with malicious intent.

With the right skills, malicious actors can hack a utility and damage systems that control the grid. In doing so, they also risk the economy and security of a country or region served by that grid.

Regulators have anticipated the need for a structured cyber security approach. In the US, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements set out what is needed to secure North America’s electrical system. The European Programme for Critical Infrastructure Protection (EPCIP) does much the same in Europe. We face new and complex attacks every day, some of which are organized by state actors and this is leading to a re-evaluation of these and the overall security approach for the industry.

IT–OT integration

Due to the shift towards open communication platforms such as Ethernet and internet protocol (IP), systems that manage critical infrastructure have become increasingly vulnerable. As operators of critical utility infrastructure investigate how to secure their systems, they often look to more mature cyber security practices. However, the information technology (IT) approach to cyber security is not always appropriate, given the operational constraints utilities are facing. These differences in approach mean that cyber security solutions and expertise geared toward the IT world are often inappropriate for operational technology (OT) applications.

Sophisticated attacks today are able to leverage co-operating services like IT and telecommunications. As utilities experience the convergence of IT and OT, it becomes necessary to develop cross-functional teams to address the unique challenges of securing technology that spans both worlds. Protecting against cyber threats now requires greater cross-domain activity where engineers, IT managers and security managers are required to share their expertise to identify the potential issues and attacks that may affect their systems.

A four-point approach

Cyber security experts agree that standards by themselves will not bring the appropriate level of security. It’s not a matter of having ‘achieved’ a cyber-secure state. Adequate protection from cyber threats requires a comprehensive set of measures, processes and technical means and an adapted organization.

It is important for utilities to think about how organizational cyber security strategies will evolve over time. This is about staying current with known threats in a planned and iterative manner. Ensuring a strong defence against cyber attacks is a continuous process and requires ongoing effort and a recurring annual investment.

Cyber security is about people, processes and technology. Utilities need to deploy a complete programme consisting of proper organization, processes and procedures to take full advantage of cyber security protection technologies. To establish and maintain cyber-secure systems, utilities can follow a four-point approach. The IEC Advisory Committee on Information security and data privacy (ACSEC), is working on the same issues, which will be incorporated into the forthcoming IEC Guide 120, Security aspects – Guidelines for their inclusion in publications, under development by ACSEC.

1. Conduct a risk assessment

The first step involves conducting a comprehensive risk assessment based on internal and external threats. By doing so, OT specialists and other utility stakeholders can understand where the greatest vulnerabilities lie, as well as being able to document the creation of security policy and risk mitigation.

2. Design a security policy and processes

A utility’s cyber security policy provides a formal set of rules to be followed. These should be led by the ISO/IEC 27000 series of International Standards on IT Security Techniques, which provides best-practice recommendations on information security management. This series of Standards is developed by ISO/IEC JTC 1/SC 27: IT security techniques, a Subcommittee (SC) of the Joint Technical Committee set up by the International Organization for Standardization (ISO) and IEC.

The purpose of a utility’s policy is to inform employees, contractors and other authorized users of their obligations regarding the protection of technology and information assets. It describes the list of assets that must be protected, identifies threats to those assets and describes authorized users’ responsibilities and associated access privileges as well as unauthorized actions and the resultant accountability for violation of the security policy.

Well-designed security processes are also important. As system security baselines change to address emerging vulnerabilities, cyber security system processes must be reviewed and updated regularly. One key to maintaining an effective security baseline is to conduct a review once or twice a year.

3. Implement the risk mitigation plan

Select cyber security technology that is based on international standards, to ensure appropriate security policy and proposed risk mitigation actions can be followed. Adopt a ‘secure by design’ approach that is based on international standards. These can help further reduce risk when securing system components.

They include, among others, the IEC 62443 series of publications on Security for industrial communication networks and for industrial automation and control systems (IACS), the IEC 62351 series of International Standards on Power systems management and associated information exchange and the IEEE 1686 Standard for Intelligent Electronic Devices Cyber Security Capabilities, developed by the Institute of Electrical and Electronics Engineers (IEEE).

4. Manage the security programme

Managing cyber security programmes effectively requires not only taking into account the previous three points, but also the management of information and communication asset lifecycles. To do that, it’s important to maintain accurate and living documentation about asset firmware, operating systems and configurations. It also requires a comprehensive understanding of technology upgrade and obsolescence schedules, in conjunction with full awareness of known vulnerabilities and existing patches. Cyber security management also requires that certain events trigger assessments, such as particular points in asset life cycles or detected threats.

For utilities, security is everyone’s business. Politicians and the public are increasingly aware that national security depends on local utilities being robust too. Mitigating risk and anticipating attack vulnerabilities on utility grids and systems is not just about installing technology. Utilities must also implement organizational processes to meet the challenges of a decentralized grid. This means regular assessment and continuous improvement of their cyber security and physical security process to safeguard our new world of energy.

PREVENTING A POTENTIAL CYBER SECURITY NIGHTMARE

Preventing a potential cyber security nightmare

Unmanaged user accounts in industrial environments present significant cybersecurity risks

Frank Hohlbaum, Bart de Wijs, Fernando Alvarez – Cyber security experts, ABB

Cyber security is now central to the safe operation of industrial installations, but user accounts for many devices used in these installations are not properly managed. Central user account management combined with Role Based Access Control is the perfect solution for managing user accounts and permissions efficiently and centrally while still providing a state of the art security solution. This eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Too many user accounts are not properly managed

In many cases the factory default user accounts and passwords used in devices in industrial installations are unmanaged and remain unchanged. Shared and/or weak passwords are also an issue. From a cyber security perspective, in today’s interconnected world, both factory default accounts and shared accounts represent a huge cyber security risk and are unacceptable. Besides cyber security concerns, both factory default and shared accounts can make control system management a nightmare for control system owners.

Operator managing stations from a central point using a SDM600 System Data Manager console (Photo ABB Oy)

Consider the case in which a power outage occurs as a result of a changed configuration, but it cannot be established which employee actually changed the configuration because a shared account or a factory default account was used to access the system and make the change.

Another possible scenario is connected with a single employee leaving an organization. Since this member of staff knows a password that is shared by several other employees, a huge effort is required to change this shared password in a number of devices and locations, to ensure that the departing employee can no longer access the system. Last but not least, the remaining employees must also be informed of the new password, so that they can continue to carry out their work.

Legacy processes, tools and technologies can make it hard for security managers and system operators to change systems so as to adapt to and defend against new security threats. Security managers need proven standardized technologies and modern tools to move to the next level. Central user account management combined with Role Based Access Control (RBAC) is the perfect solution for managing user accounts and user permissions centrally and efficiently, while still providing a state of the art security solution. It also eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Technological change has brought both operational benefits and cyber security risks

Substation automation, protection and control systems have changed significantly in the past decade. Systems have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been achieved by deploying products and solutions based on open standards such as publications from the IEC 61850 series, Communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging proven Ethernet technology.

This change in technology has brought huge benefits from an operational point of view, but it has also exposed utilities to the kind of cyber security threats that have been confronting traditional enterprise systems for years. Cyber security is an essential component of modern networks, but fragmented access policies across network devices risk exposing critical vulnerabilities.

Careless practices make system access easy

The heterogeneous nature of automation networks has complicated tasks such as revoking staff credentials, or changing default passwords. Factory default accounts often remain unchanged after handover from manufacturer to customer, and may even remain unchanged on devices for their entire lifetime. Such practices and unchanged factory default accounts make it easy for an attacker to access devices rapidly and without needing to possess any special skills or knowledge. Furthermore, most control and network devices provide logging capabilities to record what users have done, but if all actions are performed under the umbrella of a factory default account, then the logged information and audit trail say nothing about who has really performed which actions.

Setting the stage for a possible solution

Control system owners and managers would probably welcome positive answers to the following questions to ensure the security of their systems:

• Would you like to manage user accounts easily?
• Would you like to administer new employees’ access and permissions in your company from a central point?
• Would you like to be able to remove or disable user credentials quickly from a single central location when an employee leaves your company?
• Would you like the changes you made in the central location to be immediately effective on all products from different vendors throughout your organization?
• Would you like to eliminate worry about default user accounts remaining active on unmanaged local devices?

Configuring user accounts from a SDM600 workstation (Photo ABB Oy)

The industry strikes back

Following demands from the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) Standards, and many other cyber security requirements, the industry is adopting a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This Technical Specification sets out how vendors should implement and provide RBAC and central user account management to their customer base.

Since the arrival of IEC TS 62351-8 in 2011, users have been able to authenticate themselves across their organization to all devices in all networks, with a user-specific and unique user-id and password. Moreover, the addition or removal of users is done centrally, in a single step. This technology offers not only the central management of user-ids and passwords, but also the management of user permissions by assigning roles to users, depending on their job roles in the organization (RBAC).

Possible solution for a nightmare scenario

Control systems need to be managed to ensure sustainable infrastructures. Managing a system means continually keeping its devices up-to-date. The management of a cyber security policy can become complex; therefore to be efficient, security managers need support from software applications. A Role Based Access Control system is such an application.

RBAC allows responsible persons to be able to manage users and their roles consistently from a central point – even for multiple control systems in different locations. Not everybody needs to be a system administrator. A common sense approach in cyber security management is to grant the fewest possible privileges to every user. A RBAC system based on IEC TS 62351-8 enables the person responsible for security in a company to manage users for the entire system and assign roles to those users from one place.

IEC 62351 is a series of technical security International Standards that aims to secure power system-specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the series have been released, more work is needed before systems compliant to IEC 62351 can be put on the market.

IEC 62351-8, finalized and published in 2011, defines RBAC for power systems. This is not a new concept; it is in fact part of best practice in many IT systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to certain users so that these users have only the permissions they need to perform their duties. This reduces the risk to the power system, as permissions are only assigned when they are actually needed, according to the principle of fewest privileges. The standard also defines a list of predefined roles (e.g., Viewer, Operator, etc.) and of pre-defined rights.

Adhering to International Standards as closely as possible

To ensure high quality and dependable cyber security functionality in heterogeneous installations, it is fundamental to adhere to International Standards as far as possible. A high level of cyber security can only be achieved by deploying and using reviewed, approved and standardized technologies and methods, especially when installing devices from different vendors. Utilities not following such a wise path can find themselves locked in to a single supplier offering proprietary solutions.

Proprietary cyber security implementations should be avoided for seamless integration of multivendor control systems. The adoption of interoperable solutions that accord to IEC TS 62351-8 makes performing these tasks much easier.

Cyber security cannot be optimized without knowing everything that is going on in the system. Security related events, like access and other user activities in different system components, need to be monitored to identify potential attacks and to optimize protection. Central user activity logs collect cyber security related events from the system devices and make the information available to responsible personnel. An efficient and user-friendly approach, such as automatic recognition of event patterns, is a key feature of such monitoring applications.
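The kind of check a central user activity log makes possible, as an added example that is not part of the original brochure or of any vendor product: each logged action is matched against a central directory of unique user ids and roles, so that actions under factory default or shared accounts, disabled accounts and rights outside the user's role stand out. The log format, user and device names, and the simplified role-to-right table are all assumptions constructed for illustration; the table is not the normative one from IEC TS 62351-8.

```python
"""Audit a central user-activity log against a central RBAC directory.

Everything here is constructed for illustration: the log format, the user
and device names, and the simplified role-to-right table (it is not the
normative table of IEC TS 62351-8).
"""
from typing import NamedTuple, Optional

# Assumed, simplified role-to-right mapping (fewest privileges per role).
ROLE_RIGHTS = {
    "VIEWER": {"VIEW"},
    "OPERATOR": {"VIEW", "CONTROL"},
    "ENGINEER": {"VIEW", "CONFIG"},
}

# Constructed central directory: unique user id -> (role, account enabled).
DIRECTORY = {
    "a.meier": ("OPERATOR", True),
    "j.silva": ("ENGINEER", True),
    "k.novak": ("ENGINEER", False),  # left the company, disabled centrally
}

# Constructed names of factory default / shared accounts to flag.
DEFAULT_ACCOUNTS = {"admin", "operator", "service"}

# Constructed log lines: "<timestamp> <device> <user> <right> <action>"
SAMPLE_LOG = """\
2017-03-01T08:02:11Z ied-bay1 a.meier CONTROL open-breaker-Q0
2017-03-01T08:05:40Z ied-bay1 admin CONFIG change-protection-setting
2017-03-01T09:13:02Z rtu-north j.silva CONFIG upload-config
2017-03-01T09:20:45Z rtu-north a.meier CONFIG upload-config
2017-03-01T10:01:00Z gw-01 k.novak VIEW read-events
2017-03-01T10:04:19Z ied-bay2 x.unknown VIEW read-events
garbled line
"""


class Event(NamedTuple):
    timestamp: str
    device: str
    user: str
    right: str
    action: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one log line; return None if it does not have five fields."""
    parts = line.split()
    return Event(*parts) if len(parts) == 5 else None


def classify(event: Event, directory=DIRECTORY) -> Optional[str]:
    """Return a finding category for the event, or None if it is in policy."""
    if event.user in DEFAULT_ACCOUNTS:
        # The audit trail cannot say which person performed the action.
        return "UNATTRIBUTABLE"
    entry = directory.get(event.user)
    if entry is None:
        return "UNKNOWN_USER"
    role, enabled = entry
    if not enabled:
        return "DISABLED_ACCOUNT"
    if event.right not in ROLE_RIGHTS.get(role, set()):
        return "RIGHT_NOT_IN_ROLE"
    return None


def audit(log_text: str, directory=DIRECTORY):
    """Return (line number, category, detail) for every suspicious line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            findings.append((number, "MALFORMED", line.strip()))
            continue
        category = classify(event, directory)
        if category:
            detail = f"{event.user}@{event.device} {event.action}"
            findings.append((number, category, detail))
    return findings


def disable_user(directory, user: str):
    """Central revocation: one change that applies to every device's events."""
    role, _enabled = directory[user]
    updated = dict(directory)
    updated[user] = (role, False)
    return updated


if __name__ == "__main__":
    for number, category, detail in audit(SAMPLE_LOG):
        print(f"line {number}: {category:18} {detail}")
```
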

State of the art cyber security products based on International Standards such as IEC TS 62351-8 enable efficient RBAC management of user accounts in multi-vendor control systems. They provide utilities with real-time visibility of the security-relevant user activity within their systems.

About the authors

Frank Hohlbaum – Security Manager Grid Automation, ABB Switzerland Ltd. Frank is globally responsible for all aspects of cyber security within ABB’s Power System Substations and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Power System Substations. Frank Hohlbaum joined ABB in 1996 and has 20 years’ experience in substation automation. Frank is a Member of IEC Technical Committee (TC) 57/Working Group (WG) 3: Telecontrol protocols.

Bart de Wijs – Head of Cyber security for ABB's Power Grids Division. Bart represents this division in the ABB Group Cyber security Council, which is a cross-disciplinary team staffed with resources from various corporate functions. Additionally, he is a member of the ABB Cyber security Response Team, handling vulnerabilities and incidents. Within the division he leads a team of cyber security specialists dealing with the different aspects of all the security-related concerns that could affect ABB customers. He is a member of various cyber security expert groups. Between 2007 and 2010 Bart was responsible for cyber security in ABB’s Power Generation business unit.

Fernando Alvarez – Cyber security Technical Product Manager, ABB Switzerland Ltd. Fernando is responsible for supporting the development of different cyber security technologies in ABB products and for managing and tracking ABB’s cyber security intellectual property. He is also an active member of IEC TC57/WG15: Data and communication security, the IEC group working on the IEC 62351 series of International Standards for power systems management and associated information exchange. Previously Fernando worked on securing the internal IT infrastructure of banks and on securing military communications.

HELPING THWART CYBER THREATS ON NUCLEAR PLANTS

Helping thwart cyber threats on nuclear plants

Bespoke IEC International Standards to help against cyber attacks on nuclear power plants

Morand Fachot

Cyber attacks on civil nuclear power plants (NPPs) would have devastating consequences for a country relying, even in part, on nuclear energy. They could affect the entire power network, might cause the release of radioactive material and would have a highly adverse impact on public opinion. A Subcommittee (SC) of the IEC is developing International Standards that reinforce the cyber resilience of NPPs.

Safeguarding critical infrastructure – a priority for all countries

The range and cost of global malicious cyber activities are growing. A May 2015 Juniper Research report forecast that the cost to affected businesses will reach USD 2 000 billion by 2019, a threefold increase from the 2015 estimate of USD 500 billion. In addition to financial losses, concern is growing regarding attacks on critical infrastructure.

The concept of critical infrastructure is categorized differently by various countries. The US government lists 16 critical infrastructure sectors. Three of these, dams, energy and “nuclear reactors, materials and waste” are directly related to power systems. Lists from other countries may be the same, or dams and the nuclear sector might be covered together in a single energy sector.

Nuclear power plants are sensitive installations

Safeguarding various parts of critical infrastructure from malicious acts by digital means (cyber attacks) is becoming a priority for most countries. Energy installations are central to the entire critical infrastructure. They have become prime targets for cyber attacks in recent years, some, arguably, with a view to identifying possible vulnerabilities that can be exploited with a crippling effect at a later date. Power grids have been taken down (Ukraine 2015-2016); dams (US 2013) and NPPs (US 2014) have been targeted. Of all these, successful attacks on NPPs will have the most devastating consequences.

NPPs were built for safety, not cyber threats

Systems within a nuclear power plant fall broadly into two categories, according to Bill Gross, a senior project manager at the US Nuclear Energy Institute (NEI). Primary systems control the reactor itself and, when needed, shut it down and maintain it in a safe condition to protect it. Secondary systems control the power generation equipment. Many of these systems, built years ago, are still based on analogue equipment that is not connected to the network and so is less susceptible to cyber attacks.

"Primary systems are designed from the ground up to perform their intended safety function irrespective of any type of natural or manmade phenomenon. There is not a cyber attack that could prevent our safety systems from effectively shutting the reactor down," Gross said, adding that primary and secondary systems in nuclear plants are isolated from each other for greater protection. However, both systems in older NPPs are being gradually retrofitted with digital equipment, while new NPPs are designed with fully digital primary and secondary systems, he says.

A 2015 nuclear safety report by the London-based Royal Institute of International Affairs, commonly known as Chatham House, notes that digital systems have been adopted later than in other types of critical infrastructure. “In addition, the industry’s longstanding focus on physical protection and safety has meant that while these aspects of risk response are now relatively robust, less attention has been paid to developing cyber security readiness,” the report says. Furthermore, it adds that “the cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks”.

Cyberattacks present a serious security risk for the nuclear industry

In October 2016, International Atomic Energy Agency (IAEA) Director General, Yukiya Amano, speaking of an unspecified "disruptive, not destructive" attack on an NPP "two or three years ago", told the Reuters news agency and a German newspaper: “This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it’s the tip of the iceberg.”

Long IEC involvement in cyber security

communication networks, control systems and power installations against cyber threats. They include:

The IEC has been closely involved in the development of Standards relevant to cyber security for years through its work in IEC/ISO JTC 1/SC 27: IT security techniques. This Subcommittee was set up by ISO/IEC JTC 1: Information technology, the Joint Technical Committee created by the International Organization for Standardization (ISO) and the IEC. IEC/ISO JTC 1/SC 27 has prepared dozens of documents covering various aspects of IT security techniques, including the ISO/IEC 27000 family of Standards on information security management systems. Other series of IEC Standards are relevant to the protection of

• IEC 62443: Industrial communication networks – Network and system security
• IEC 61850: Communication networks and systems for power utility automation
• IEC 60870: Telecontrol equipment and systems
• IEC 62351: Power systems management and associated information exchange

Addressing the NPPs’ specific needs

To date, these Standards, and those developed by IEC/ISO JTC 1/SC 27, have not addressed certain special needs of the nuclear industry. To fill this gap, IEC SC 45A: Instrumentation, control and electrical systems of nuclear facilities, set out to develop specific Standards. The scope of this SC includes the preparation of “Standards applicable to the electronic and electrical functions and associated systems and equipment used in nuclear energy generation facilities (…) to improve the efficiency and safety of nuclear energy generation”.

Until recently SC 45A had dealt with safety, including some software aspects, but not tackled the generic issue of NPP cyber security. Its ambition was to develop Standards to prevent, detect and react to cyber attacks on NPPs. This led to the publication in August 2014 of IEC 62645, Nuclear power plants – Instrumentation and control [I&C] systems – Requirements for security programmes for computer-based systems.

The Standard notes that “ISO/IEC 27001 and ISO/IEC 27002 are not directly applicable to the cyber protection of nuclear” computer-based systems “due to the specificities of these systems, including the regulatory and safety requirements inherent to nuclear facilities”. However, it also states that “this standard builds upon the valid high-level principles and main concepts of ISO/IEC 27001 and 27002, adapts them and completes them to fit the nuclear context”. This IEC Standard “is expected to coordinate more closely with the IEC 62443 series in the next few years”.

This Standard is being revised and the second edition will have a slightly different and more specific title, as Requirements for security programmes for computer-based systems will be replaced by Cyber security requirements.

IEC 62645:2014 was the first IEC International Standard aimed at defining “adequate programmatic measures for the prevention of, detection of, and reaction to malicious acts by cyber attacks” on computer-based systems in NPPs.

IEC 62645 also compares the overall security framework it describes with the framework developed by NIST (National Institute of Standards and Technology) in SP 800-82 and other supporting NIST documentation.

IEC 62645 includes coverage of the following issues:
• Establishing and managing a nuclear computer-based system security programme. This includes overall concepts for the preparation of programme, policies and procedures, roles and responsibilities, establishment, implementation and operation of the programme
• Life-cycle implementation for system security, which embraces requirements, planning, design, installation, operation and maintenance activities and more
• All aspects of security controls, such as policy, organizing security, asset management, access control, etc.

IEC 62645, developed to prevent and/or minimize the impact of attacks against computer-based systems, is intended to be used by designers and operators of NPPs (utilities), licensees, systems evaluators, vendors, subcontractors and licensors. It is the first Standard to be specifically designed for cyber security in NPPs. As such, it should prove essential for the nuclear power industry. Together with other TC 45 International Standards, IEC 62645 will help improve safety and security in nuclear power installations.

Second Standard addresses coordination between safety and cyber security

A second Standard, IEC 62859:2016, Nuclear power plants – Instrumentation and control systems – Requirements for coordinating safety and cyber security, “provides a framework to manage the interactions between safety and cyber security for NPP systems, taking into account the current SC 45A standards addressing these issues and the specifics of nuclear I&C programmable digital systems”. It “establishes requirements and guidance to:
• integrate cyber security provisions in nuclear I&C architectures and systems, which are fundamentally tailored for safety;
• avoid potential conflicts between safety and cyber security provisions;
• aid the identification and the leveraging of the potential synergies between safety and cyber security”.

Referring to ISO/IEC 27001 and ISO/IEC 27002, this Standard notes that “it adapts them and completes them to fit the nuclear context and coordinates with the IEC 62443 series”.

Like other IEC SC 45A Standards, IEC 62645 and IEC 62859 were prepared taking into account the “principles and basic safety aspects provided in the International Atomic Energy Agency code on the safety of NPPs”. The terminology and definitions used by SC 45A Standards are consistent with those used by the IAEA. These Standards refer to various IAEA publications, in particular its Computer Security at Nuclear Facilities manual.

These Standards and ongoing work by IEC SC 45A are set to make a significant contribution to a more robust protection of civil NPPs against cyber threats.


SECURING CRITICAL INFRASTRUCTURE ALL THE WAY TO THE TOP

Securing critical infrastructure all the way to the top
Protecting myriad connected devices will require a holistic approach to security risks
Morand Fachot

As more and more objects are connected, communicate and interact with each other, in what is labelled the internet of things (IoT), they become building blocks in larger systems. Known and unknown vulnerabilities in this wealth of objects are bound to attract cyber attacks that can bring down entire critical installations in many countries. Protection of IoT components against cyber threats, as well as of the systems that integrate them, is fast becoming a key priority.

Of connected toys and appliances

IoT devices are present everywhere in rapidly increasing quantities. US research and advisory firm Gartner forecasts that their number will increase from 8,3 billion units in 2017 to 20,4 billion in 2020, with spending on these to reach nearly USD three trillion.

Firms that produce consumer goods always look for new products to boost sales. The fairly recent introduction of connectivity into a variety of objects, made possible by the falling price of electronic components and of wireless technologies, has been behind the drive by many companies to produce a wide range of connected consumer products, such as web-connected toys and large household appliances like fridges, washing machines, dishwashers and smart TV sets.

Very often, little or no attention is paid at the design stage to ensure these connected objects are secure against malicious attacks.

The shape of more serious things to come

While reports of talking dolls being able to eavesdrop on their users or of connected fridges sending thousands of spam emails may bring a smile to many as they concern mainly privacy issues, the implications could actually be very serious as so-called smart devices are rolled out in homes and industries.

On occasion, large numbers of connected objects, such as fridges, webcams, CCTV cameras and video recorders, have been infected with malware and forcibly networked together to create so-called botnets. These have been used to mount distributed denial of service (DDoS) attacks to take down large websites. This was the case in October 2016 with a DDoS attack that blocked access to many popular websites like Netflix, Twitter and Spotify and to several broadcast and print media outlets, such as CNN, Fox News, the Financial Times and The New York Times.

However, the impact of DDoS attacks could be overrated, according to Professor Isaac Ben-Israel from Tel Aviv University. He told participants in a roundtable event at the 2017 Verizon RSA Conference that “DDoS attacks get media coverage that’s disproportional to the amount of damage they do. There are two million DDoS attacks in Israel a day. You never hear about them because the success rate is so low and they’re relatively simple to defend against.”

However, much more serious attacks can be mounted through connected devices.

The IoT environment is complex…

The IoT environment consists of two very different worlds: the consumer IoT and the industrial IoT (IIoT).

The consumer IoT includes devices and systems such as “smart” phones, wearables, appliances and multimedia equipment as well as some gear used in smart homes like connected alarms, smart thermostats, lighting and heating, ventilation, air conditioning (HVAC) control systems.

The industrial IoT (IIoT) world covers applications in smart grids, smart cities, smart mobility, smart factories, healthcare services and, increasingly, smart farming. As such it encompasses many critical sectors.

Industrial IoT (IIoT) encompasses many critical sectors such as smart grids, smart cities or smart factories

Another difference is that IIoT, unlike consumer IoT, brings together two different technologies: operational technology (OT) and information and communication technology (ICT), each one covering different yet sometimes overlapping domains.

OT covers the use of computers to monitor or alter the physical state of a system, such as the control systems of industrial or power installations. It focuses, to a great extent, on safety (i.e., ensuring that processes and operations are reliable and comply with laws and standards and that the safety of workers and other people is guaranteed).

ICT has much to do with the security of physical assets (protecting equipment against malfunctions, malicious or irresponsible actions, warning of possible failure or of the necessity for preventative maintenance, etc.) and of processes. OT and ICT intersect in IIoT.

Rather than mentioning IoT in general, one should speak of the internet of everything with connections between people, process, data and things. Connectivity is inseparable from material “things” and from the rest. Connectivity includes transport, network, data link protocols and technologies, wireless (e.g. Bluetooth, ZigBee, radio-frequency identification (RFID), etc.) and physical infrastructure (cables, routers, etc.).

Targeting critical infrastructure, the next frontier

It is essential to differentiate between critical and non-critical systems and infrastructure. One could argue that consumer IoT systems and devices are critical only at an individual or small-scale level. Cyber attacks against them are serious for those directly concerned, but not vital to a larger population. If malicious actions target home thermostats or automated blinds, this can be annoying for users. In the worst case scenario, these attacks may open hidden gateways (e.g. door locks), but they do not bring down entire systems, which would affect a country’s ability to function normally: the so-called critical infrastructure.

The perception of which areas are considered parts of a country’s critical infrastructure varies from country to country. For the US government, and increasingly for many other governments, "critical infrastructure means systems and assets, whether physical or virtual, so vital (…) that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (Executive Order 13636, 12 Feb 2013)

The sectors/systems mentioned in this Executive Order seen as most at risk include:
• Energy supply (generation, transmission and distribution)
• Financial services
• Industrial controls systems
• Healthcare
• Telecommunications
• Information technology (IT)
• Insurance

These sectors/systems are attractive targets for rogue attackers, state and non-state actors and for criminals bent on damaging a country or on making financial gains.

Critical installations such as power networks are often insufficiently protected in many countries. Details emerged in 2014 of a series of attacks on the industrial control systems of hundreds of US and European energy companies, which started in early 2013. Power cuts that affected parts of Ukraine’s power grid in December 2015 and December 2016 were identified as having resulted from cyber attacks using malware that exploited communications protocols.

Utility control systems are part of the critical infrastructure that needs to be highly protected (Photo: RGB Spectrum)

Smart cities, which rely on connected “things” and systems, will likely also be targets of choice for cyber attacks.

International Standards are key to the protection of critical infrastructure

International Standards prepared by a number of IEC technical committees (TCs) and subcommittees (SCs), and by ISO/IEC JTC 1/SC 27: IT security techniques, an SC of the joint technical committee formed by the IEC and the International Organization for Standardization (ISO) (the ISO/IEC 27000 series), are central to the protection of critical infrastructure assets against cyber attacks. In addition, ISO/IEC JTC 1/SC 27 set up a working group, WG 4: Security controls and service, which works on domains such as cyber security, IoT, cloud computing, public key infrastructure, application security, incident management and virtualisation.

The following IEC TCs and SCs prepare International Standards that protect specific domains and keep industry and critical infrastructure assets safe:

IEC TC 57: Power systems management and associated information exchange, develops, among many others, the IEC 61850 series of publications for communication networks and systems for power utility automation, and the IEC 60870 series for telecontrol equipment and systems.

IEC TC 65: Industrial-process measurement, control and automation, prepares publications that specify security requirements for industrial automation and control systems (IACS) in the IEC 62443 series.

IEC SC 45A: Instrumentation, control, and electrical systems of nuclear facilities, has issued two publications on requirements for security programmes for computer-based systems and on requirements for coordinating safety and cyber security. It is developing more publications connected to cyber security for nuclear facilities.

IEC TC 62: Electrical equipment in medical practice, and its SCs, develops Standards that are intended to protect medical data security, integrity and privacy.

IEC TC 80: Maritime navigation and radiocommunication equipment and systems, has developed IEC 61162-450:2016, which states that “a shipboard security architecture should comply with information security industry’s best practices”. It has also published an add-on to this Standard, IEC 61162-460:2015, to expand requirements “when higher safety and security standards are needed, e.g. due to higher exposure to external threats or to improve network integrity”.

Finally, the newly created ISO/IEC JTC 1/SC 41: Internet of things and related technologies, has initiated a study period on IoT trustworthiness. Trustworthiness is a user-oriented systems engineering concept that encompasses all the attributes that would make a system trustable. These include security, availability, sustainability, safety, resilience and privacy.

Using IoT to target the critical top layers

The multiplication of IoT systems and devices (like sensors, connectivity modules, etc.) in parts of critical infrastructure sectors opens the way to cyber attacks and to potentially significant disasters.

A 2014 study by the HP Inc. technology company claimed that 70% of IoT devices were vulnerable to attack. The report listed the most common and easily addressable security issues found in these IoT devices. They included lack of transport encryption, insecure web interface and inadequate software protection.

IoT devices are often not the target of cyber attacks as such; they are the vector for targeting the network(s)/installation(s) to which they are connected. Since many IoT devices are vulnerable, they often represent the weakest link in an installation and present major security risks for critical infrastructure systems.

According to Kudelski Security's IoT Security Center of Excellence, other issues that may prevent the introduction of secure IoT devices across the board are:
• the priority given to the urge for bringing devices to the market quickly, rather than ensuring they are fully secure
• an absence of proper regulations, directives or even guidance from authorities or regulators
• a lack of upgradeability of IoT devices, in spite of their long lifecycle
• the entire low power wide area network (LPWAN) value chain – from module and device manufacturers to connectivity and platform providers, integrators and customers – that throws open the way to a wide range of threat scenarios.

Security is important to the overall success of IoT. This is reflected in the expected robust compound annual growth rate (CAGR) of 34,4% of the IoT security market size between 2017 and 2022. This market is forecast to grow from USD 6,62 billion to USD 29,02 billion over this period, according to a recent report by the MarketsandMarkets™ research company. Network security (wireless communication and remote access security, and gateway) will have the largest market size in this market, the report shows.

IoT security should be designed into systems (including wireless equipment) from the beginning, rather than being added as an afterthought or as an optional add-on. Some vendors provide a variety of answers that start with secure chips, such as those made by Germany’s Infineon semiconductor manufacturer, with embedded authentication, brand protection and other security applications, and extend all the way up to end-to-end secure solutions for connecting devices to the Cloud, such as Microsoft’s Intel® IoT Platform.

In addition to secure IoT devices, the overall security of connected critical installations and assets will rest, to a growing extent, on International Standards, such as those prepared by various IEC TCs and SCs and by ISO/IEC JTC 1/SC 27.

The security of consumer IoT systems and devices is critical only at an individual or small-scale level


NO REST IN EFFORTS TO THWART CYBER ATTACKS

No rest in efforts to thwart cyber attacks
IEC works to hinder IT security risks to industry and institutions
By Morand Fachot

Following a surge in instances of attacks targeting government, organizations and private computer systems, cyber security threats are emerging as a major issue for economies and societies. Through its standardization and conformity assessment (CA) work, the IEC is taking steps to mitigate the risks posed by cyberthreats.

Multifaceted risks for government, industry and even individuals

Hardly a week goes by without news of a major security breach affecting an institution. Many of the attacks are aimed at financial services, where the most lucrative pickings are to be made. However, many other industries report security breach attempts made via their IT networks. These often concentrate on pilfering commercial or trade secrets.

Cyber attacks are seen as a growing threat for financial systems everywhere. In its 2015 annual report, the US Financial Stability Oversight Council warns that "malicious cyber activity is likely to continue in the future (…) more concerning is the prospect of a more destructive incident that could impair [US] financial sector operations".

A 2014 Information Security Breaches Survey, commissioned by the UK Department for Business, Innovation and Skills and conducted by PWC, revealed that 81% of large organizations and 60% of small businesses in the UK had been victims of an information security breach during the year. The average cost of the worst breach suffered was up significantly over the figure in the previous year, nearly doubling for small businesses as well as for large organizations. The same is reported in other countries.

Data centres strive to limit risks from cyberattacks

Energy suppliers and power grids are seen as a target of choice for state and non-state cybercriminals, seeking to cripple a country's economy and disrupt everyday life.

Individuals are also at risk of attacks aimed at gaining access to personal or financial details or of viruses such as "ransomware" that encrypt their computers' content so as to blackmail them into making a payment to have it decrypted.

Another potential risk for institutions, companies and individuals is reputational damage when confidential information is made public.

IEC work key to protecting infrastructure IT systems

The IEC is aware of the risks cyber attacks pose and has launched a number of initiatives and developed International Standards to combat these.

As cyber security is of prime importance for industrial safety, IEC Technical Committee (TC) 65: Industrial-process measurement, control and automation, has developed the IEC 62443 series of standards on Industrial communication Networks – Network and System Security.

Energy installations, nuclear power plants in particular, are also seen as prime targets for state and non-state cyber attacks. To address this risk, IEC Subcommittee (SC) 45A: Instrumentation, control and electrical systems of nuclear facilities, published IEC 62645:2014, Nuclear power plants – Instrumentation and control systems – Requirements for security programmes for computer-based systems. IEC 62645 is the first IEC International Standard aimed at defining "adequate programmatic measures for the prevention of, detection of, and reaction to malicious acts by cyber-attacks". SC 45A is also preparing an International Standard concerning requirements for coordinating safety and cyber security for instrumentation and control systems of nuclear power plants.

Significant international standardization in the field of IT security techniques is carried out by ISO/IEC JTC 1/SC 27, an SC of the Joint Technical Committee (JTC) set up by the IEC and the International Organization for Standardization (ISO) to work on International Standards for information technology. The second edition of ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements, published by the SC, "specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization".

The importance the IEC attaches to cyber security was highlighted by the decisions taken last year to create two entities.

IEC Standardization Management Board (SMB) agreed to set up a new Advisory Committee on Security (ACSEC) at the 2014 IEC General Meeting. Its scope includes dealing with information security and data privacy matters which are not specific to a single IEC TC; coordinating activities related to information security and data privacy; providing guidance to TC/SCs for implementation of information security and data privacy in a general perspective and for specific sectors. ACSEC held its first meeting in May 2015.

IEC Conformity Assessment Board (CAB) set up a Working Group, WG 17, on cyber security in June 2014. The WG, which may also involve participation by members of the IECEE WG 3: Industrial automation, held its second meeting in February 2015.

Together with IEC International Standards on cyber security, ISO/IEC JTC 1/SC 27 publications in the information security management systems (ISMS) family of standards and work by IEC CAB WG 17 will play a key role in enhancing cyber security in the future.


IEC WORK ON CYBER SECURITY FOR ENERGY INFRASTRUCTURE

IEC work on cyber security for energy infrastructure
International conference presents IEC activities in cyber security
Morand Fachot

Protecting energy security and critical energy infrastructure against cyber attacks is fast emerging as an absolute priority. In mid-February, the EnergyPact Foundation organized an international conference in Vienna on cyber security aimed at protecting such infrastructure. Eyal Adar, an expert on cyber security, outlined the extent of IEC standardization and Conformity Assessment (CA) activities in the domain, giving details of the areas to which they apply.

Critical infrastructure: target of choice for cyber attacks

The perception of which parts of critical infrastructures are most vulnerable to cyber attacks varies between regions. However, many of them include electricity generation plants, transportation systems and manufacturing facilities controlled and monitored by Industrial Control Systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) in the critical infrastructure category. This holds true for the European network and information security agency (ENISA) and for the US Government.

Energy infrastructures have been targeted in a number of countries in recent years, or are reported to be vulnerable.

In the early 2000s, a number of US nuclear power plants were the targets of cyber attacks: Ohio in 2003, Alabama in 2006 and Georgia in 2008, according to a late 2015 special report by the London-based Chatham House think tank.

Ukrainian power distribution companies were the targets of a wave of cyber attacks that resulted in widespread power outages in late December 2015-early January 2016. In January 2014, The Nuclear Threat Initiative (NTI), a non-profit, nonpartisan organization, warned that nuclear facilities in 20 countries might be easy targets for cyber attacks.

Critical infrastructures most vulnerable to cyberattacks include electricity generation plants... nuclear power plants... as well as manufacturing facilities

International multistakeholder conference

The EnergyPact Foundation conference, held at the Austrian National Defence Academy, was co-organized by the Austrian Cyber Security Platform (CSP) and the Austrian Institute of Technology (AIT), and was supported by IEC, the UN Office on Drugs and Crime (UNODC) and the International Telecommunication Union (ITU). It was attended by officials and representatives from industry, academia and think tanks. Topics discussed included modern data science to protect critical infrastructures of tomorrow, legal and regulatory frameworks, critical infrastructures, and business enablement.

Outline of IEC activities in cyber security

Eyal Adar, a member of IEC TC 65/WG 10: Security for industrial process measurement and control – Network and system security, and of IEC Conformity Assessment Board (CAB) Working Group (WG) 17: Cyber security, and CEO of White Cyber Knight Ltd. (WCK), gave details of IEC activities in the cyber security sphere.

Global vulnerability to malicious acts in cyber space is growing, Adar said, adding that the exploitation of cyber vulnerabilities of infrastructure systems represents a mounting threat to the security of businesses and societies overall.

The IEC has published over 200 International Standards that address cyber security and the privacy of health, business and critical infrastructure systems directly, Adar said, telling participants that “implementing the right Standards for your needs is a challenge, but with many benefits especially for complex infrastructures with Information/Operational Technology and Internet of Things (IT/OT/IoT) technologies.”

Adar also added that IEC Conformity Assessment Systems were included in this area.

IEC cyber security framework advantages

As an example of the significance of IEC Standards and CA in the IT security domain, Adar focused on the advantages of the IEC 62443 series, which to date includes seven available Standards, Technical Requirements and Specifications, out of a total of 14 eventual deliverables. These publications:
• provide an ecosystem of Standards for different needs
• provide Standards for unique needs. Adar gave as an example the "Extended Set of Standards that support Smart Grids deployment" document, prepared by the European Committee for Standardization, the European Committee for Electrotechnical Standardization and the European Telecommunications Standards Institute (CEN-CENELEC-ETSI) Smart Grid Coordination Group. This document lists a number of IEC Standards that cover power systems, information systems and industrial automation and apply to vendors, integrators and operators
• ensure international recognition: the IEC brings together 170 countries which represent nearly the entire world population and account for virtually all electricity generated
• guarantee that devices built to IEC International Standards are accepted in most countries in the world. They fully satisfy the requirements of the World Trade Organization Technical Barriers to Trade (TBT) Agreement
• ensure coexistence with other standards by building the right hybrid of standards in selecting the best standard for each need
• guarantee compatibility with leading standards: e.g. implementing IEC 62443 means compatibility with the US (NIST) cyber security framework
• integrate market needs: Adar gave as an example the International Association of end-users of components, systems and IT related items in the Process Industries (WIB). WIB needed a standard for industrial automation and control system (IACS) solution suppliers; it wrote the original standard based on industry needs; IEC adopted it as IEC 62443-2-4:2015, Security program requirements for IACS service providers
• are adopted by vendors: most of the world’s leading multinationals and countless small and medium-size companies actively participate in IEC work via their National Committees
• represent a knowledge base for developing countries: certification bodies and evaluators are available worldwide; they can support energy organizations in providing the following key pieces of information:
  • What standard to implement in different use cases
  • How to implement it step by step
  • How to make gap analyses
  • And finally – how to be approved by regulators

Keen interest from participants

Adar’s presentation to the conference attracted considerable interest and many questions from participants as the wide range of International Standards developed by IEC and by the Joint Technical Committee created by the International Organization for Standardization (ISO) and IEC, ISO/IEC JTC 1, makes a major contribution to the protection of critical energy infrastructure.

Working on CA Schemes

A number of IEC CA systems are in place. Adar explained that CAB/WG 17 was investigating the market need and timeframe for CA services (global certification schemes) for products, services, personnel and integrated systems in the domain of cyber security. However, CAB/WG 17 work will exclude the scope of Industrial Automation Applications covered by IECEE CMC Task Force (TF) cyber security.


ABOUT THE IEC

About the IEC

The IEC, headquartered in Geneva, Switzerland, is the world’s leading publisher of International Standards for electrical and electronic technologies. It is a global, independent, not-for-profit, membership organization (funded by membership fees and sales). The IEC includes 170 countries that represent 99,1% of world population and 99,2% of world energy generation.

The IEC provides a worldwide, neutral and independent platform where 20 000 experts from the private and public sectors cooperate to develop state-of-the-art, globally relevant IEC International Standards. These form the basis for testing and certification, and support economic development, protecting people and the environment.

IEC work impacts around 20% of global trade (in value) and looks at aspects such as safety, interoperability, performance and other essential requirements for a vast range of technology areas, including energy, manufacturing, transportation, healthcare, homes, buildings or cities.

The IEC administers four Conformity Assessment Systems and provides a standardized approach to the testing and certification of components, products, systems, as well as the competence of persons.

IEC work is essential for safety, quality and risk management. It helps make cities smarter, supports universal energy access and improves energy efficiency of devices and systems. It allows industry to consistently build better products, helps governments ensure long-term viability of infrastructure investments and reassures investors and insurers.

Key figures

A global network of 170 countries that covers 99% of world population and electricity generation

170 Members and Affiliates

>200 Technical committees and subcommittees

Offers an Affiliate Country Programme to encourage developing countries to participate in IEC work free of charge

20 000 Experts from industry, test and research labs, government, academia and consumer groups

Develops International Standards and runs four Conformity Assessment Systems to verify that electronic and electrical products work safely and as they are intended to

10 000 International Standards in catalogue

4 Global Conformity Assessment Systems

IEC International Standards represent a global consensus of state-of-the-art know-how and expertise

>1 million Conformity Assessment certificates issued

>100 Years of expertise

A not-for-profit organization enabling global trade and universal electricity access


3 rue de Varembé PO Box 131 CH-1211 Geneva 20 Switzerland

T +41 22 919 0211 www.iec.ch

® Registered trademark of the International Electrotechnical Commission. Copyright © IEC, Geneva, Switzerland. 2017.

Preventing a blackout 2017-09(en)

International Electrotechnical Commission