
Authors: Liis Livin, Priit Anton, Guardtime

Smart power grids are cyber-physical systems (CPS) that integrate a physical power transmission and distribution system with a communication and cyber infrastructure. Hence, attacks on grids can also be broadly grouped into physical attacks and cyber-attacks, each with specific targets chosen to damage the grid. This blog post focuses on cyber-attacks, where the attack usually targets SCADA, RTUs, communication infrastructure, online measuring equipment etc. and can potentially result in regional power blackouts, false electricity market prices, and destabilization of the power grid. E.g. on December 23, 2015, the Ukrainian power system was attacked and the resulting power blackout affected around 200,000 people for several hours [1].

Considering the ever-growing, smarter, and more capable attackers, it is of critical importance to ensure timely detection of cyber-attacks, so that countermeasures can be developed and implemented that mitigate and minimize the impact of the attacks on the power grid. For this specific reason, Guardtime leverages the MIDA cloud control tool in the CyberSEAS project for detecting changes in systems that have been made by an attacker.

MIDA is a cloud compliance monitoring software solution that allows the security team to verify the integrity of security control policies and the actual state of assets, infrastructure, and services in real time, reflecting the reality of the infrastructure across the environments. Every digital asset on the network (cloud configuration, virtual machine, configuration files etc.) is registered and assigned an immutable proof. In case of any change, MIDA produces real-time alerts that are either sent directly to the grid operator for immediate investigation and remediation or to other tools or services for further automated analysis and processing, enhancing the overall cybersecurity posture. This makes MIDA, among other aspects, valuable for real-time cyber-attack detection because of its capability to detect change in monitored environments. It has been improved to detect changes in power grid critical systems which could be a target for the attacker. As such, MIDA can offer integrity protection for critical systems and also for the entire software/firmware supply chain of the grid:

  • through real-time detection of changes in files that might be maliciously or accidentally tampered with in the management system, and
  • through integrity and origin validation of software packages before use and deployment.

For example, the operational technology (OT) devices in substations need software updates to remain up-to-date and functional. These updates come from vendors who both produce the OT devices and provide the updates. Let’s imagine that an IED (Intelligent Electronic Device) vendor releases an updated version of the software that is needed for managing recently deployed IEDs. Unfortunately, because of malicious activity, the vendor’s software repository has been compromised. The DSO installs the management software on a shared management terminal that has no direct access to the internet but has unlimited access to the OT network. As a result, the malicious service starts sending commands to devices or changes the configuration of other services, causing physical circuit breakers and disconnectors to rapidly switch between the open and closed state. This attack could be avoided by deploying MIDA to the file-sharing system, which enables the DSO to validate the device state and the updates when they are received from the vendor, as well as to monitor the software packages in the DSO’s system. In the case of malicious activity, the corrupted files are diverted from use and the internal security team is notified. MIDA can provide control points in the system where files are checked for any unplanned modifications, and it extends state monitoring and the secure deployment of updates from the vendor’s site to the substations in the field. The DSO’s main benefit from such monitoring is a reduced risk that an attack on its infrastructure goes unnoticed and that large-scale power outages occur at the most challenging time. In the case of a long and complex supply chain with many participants (humans being the weakest link in the system), deploying MIDA will enable visibility over device state and the firmware update process and provide the necessary buffer zone and time to deal with a potentially complex cyber-attack on the DSO’s energy grid.
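To make the two control points above concrete (registering assets and alerting on drift; validating a vendor package before deployment), here is an added illustrative example that is not MIDA’s code or Guardtime’s. It assumes a constructed in-memory file set standing in for the management terminal, and uses an HMAC over a vendor manifest as a stand-in for the vendor’s real signing mechanism; the paths, package names and key are all constructed.

```python
import hashlib
import hmac
import json

# Constructed sample file states (path -> content) for a management terminal.
BASELINE_FILES = {
    "/opt/ied-mgmt/bin/iedctl": b"iedctl v1 binary",
    "/opt/ied-mgmt/etc/iedctl.conf": b"breaker_cmd_rate=1\n",
}
LIVE_FILES = {
    "/opt/ied-mgmt/bin/iedctl": b"iedctl v1 binary (altered)",  # unplanned change
    "/opt/ied-mgmt/etc/iedctl.conf": b"breaker_cmd_rate=1\n",
    "/opt/ied-mgmt/bin/extra": b"unregistered file",           # not in baseline
}
# Constructed vendor key; stands in for the vendor's real signing key (assumption).
VENDOR_KEY = b"constructed-demo-vendor-key"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def register_baseline(files: dict) -> dict:
    """Control point 1: register every asset by recording its digest as the trusted state."""
    return {path: sha256(content) for path, content in files.items()}

def detect_changes(baseline: dict, files: dict) -> list:
    """Compare the live state with the baseline; each tuple is one alert (event, path)."""
    alerts = []
    for path, digest in baseline.items():
        if path not in files:
            alerts.append(("removed", path))
        elif sha256(files[path]) != digest:
            alerts.append(("modified", path))
    alerts += [("added", path) for path in files if path not in baseline]
    return sorted(alerts)

def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: authenticate the manifest (package name -> expected digest)."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def validate_package(name: str, content: bytes, manifest: dict, signature: str, key: bytes) -> bool:
    """Control point 2: accept a package only if the manifest is authentic (origin)
    and the package digest matches it (integrity); otherwise divert it from use."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False  # manifest forged or tampered with in transit
    return name in manifest and hmac.compare_digest(manifest[name], sha256(content))

# Constructed vendor release: a good package and a tampered copy of it.
GOOD_PKG = b"iedctl v2 installer"
TAMPERED_PKG = GOOD_PKG + b" (altered in compromised repository)"
MANIFEST = {"iedctl-2.0.tgz": sha256(GOOD_PKG)}
SIGNATURE = sign_manifest(MANIFEST, VENDOR_KEY)
```

A tampered package fails even when the attacker also rewrites the manifest, because the signature no longer verifies under the vendor key.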

Near real-time cyber-attacks on power grids are a reality, with cascading effects that cripple energy services and the critical systems that depend on energy supply. In order to protect against such threats, threat detection must be efficient. Guardtime’s MIDA tool provides attack detection capabilities in the DSO’s file systems and covers the full supply chain from the vendor’s database to the DSO’s substation.


References:

  [1] G. Liang, S. R. Weller, J. Zhao, F. Luo, and Z. Y. Dong, “The 2015 Ukraine blackout: Implications for false data injection attacks,” IEEE Transactions on Power Systems, vol. 32, no. 4, pp. 3317–3318, July 2017.