By Radha Swaminathan and Anuja Nakkana
Globally, utilities are deploying digital devices to improve the reliability and resilience of electric grids. Digital devices help utilities manage, monitor and control end-to-end power flow in real time by integrating electric assets through a common communication network. The digitally connected grid is equivalent to a large set of inter-linked, scaled-down computing devices and can be remotely operated from local control centers.
With the advent of a connected grid, the security of the grid's devices and communication networks has emerged as an immense area of concern. Utility companies are constantly working to understand and mitigate external cyber threats. While these companies devise ways to cope with external threats, a new hazard is looming on the horizon: insider threats. Insider threats require immediate attention and, if unabated, can lead to economic disruption, regulatory fines and even have the potential to ruin a utility company’s brand.
The Emergence and Impact of Insider Threats
Unlike external threats, there is less awareness about internal threats. Until the deployment of large-scale digital grid devices, utility companies were never concerned about insider threats impacting the electric grid. Most utility organizations, therefore, do not have a unified approach and architecture to address this issue.
The issue of insider threats was first identified with the emergence of digital devices that could be remotely controlled. These networked grid digital devices also support mass commands, where an inadvertent issuance of a command has the potential to bring down a significant portion of the electric grid. Most devices do not feature command segregation (privileged controls vs. the rest), which prevents command-based protection and validation from being applied before a grid-related command is issued. In addition, the semantics of a command and its probable impact cannot be easily validated at run time, leading to security loopholes both at the point of origin and at the point of execution of the command. The significance of insider threats is more pronounced in digitized utilities, and this threat is likely to grow with time.
The following are most commonly observed insider threat scenarios, although this is not an exhaustive list:
- Inadvertent activation of a control by authorized utility personnel, leading to a large-scale impact on the grid;
- Planned malicious activation of device(s) by a utility employee or by certified contractors, which could impact segments of the electric grid and customers;
- Situations where authorized utility employees may be forced to execute privileged commands, under duress or fraudulent impersonation of authorized employee access by insidious elements;
- Lack of process follow-through that may lead to inappropriate authorization of operating personnel;
- Modification of software to favor privileged access, leading to malicious grid attacks; and
- Lack of proper training and on-the-job experience, leading to inadvertent and erroneous actions.
Security Architecture to Protect Against Insider Threats: the Guiding Principles
To successfully mitigate insider threats, the grid architecture and solutions must be designed on the following set of security principles:
1. Security controls implemented to manage insider threats must not impede regular operations
Utilities must be cautious about developing and implementing mitigating methods, because it is always easy to “outright tighten the operating environment,” which will impede normal operations. An overburdened security process sharply diminishes the ability of a company to respond nimbly to emergency situations. Every set of security controls must strike a balance between addressing vulnerability and preserving maneuverability, providing operators the ability to respond efficiently to situations while minimizing risks.
2. Security events must be isolated, contained and remediated within a certain perimeter
As attackers develop the ability to outdo even the best security infrastructure, the residual risk in systems increases over time, which can eventually lead to a compromised operating entity (i.e. a field device or operating equipment). Given a particular network configuration, such compromises may spread quickly, disabling operations or parts of the electric network. The utility’s security architecture must be in a position to quickly identify the impacted device(s) and isolate them from the network so the security breach is contained.
3. Security recommendations should not distinguish between malicious and inadvertent intent
Most security violations are the result of inadvertent breaches. From a security point of view, however, the resulting business impact of an inadvertent breach is the same as that of a malicious attack. The remedial measures are nearly the same in both instances, and the security architecture and processes to manage these scenarios should be unified.
4. All commands must be contextually validated both at the point of origin of the command and point of execution
In spite of best practices and process management implementations, there is still a probability of human error leading to catastrophic events. To prevent these “black swans,” it is important to validate the command closer to the point of the origin for total impact. The risk of negative impact should be used as an indicator to contain the command. This validation principle must be implemented as a restrictive clause: “Every command with a non-zero risk must be contained.” This complements existing principles of authentication and authorization.
5. All security controls must accommodate special privileges and functions for regular operations and special operations (emergency management)
A unified approach to inadvertent and malicious actions will yield a simplified security architecture. The security architecture must nevertheless accommodate certain features and functions to manage extraordinary business scenarios. In a weather-induced widespread outage, operations must be able to bulk-restore several aspects of the power grid. In such cases, the security architecture must not restrict bulk operations and, as a special case, must enable privileged operations to ease operations management.
The previous five principles are core to developing an effective insider threat management security architecture that is simple, easy to implement, and can be seamlessly aligned to business operations.
An Integrated Architectural Approach to Address Insider Threats
Most utilities, and the industry in general, have managed this problem by implementing tightened process controls and mechanisms that enable simple command-level authentication. These are not sufficient, however, for the many reasons previously mentioned. Given the advances in integrated technologies and security techniques, the following three specific methods, when used in conjunction with each other, yield the best results.
Automated validation of operating personnel using integrated, emerging technologies
The first point to consider while identifying an insider threat scenario is to establish that the person under consideration, at any given point in time, is the right individual with the right authorization. One also needs to establish that the validated person is present at the geo-location of reference. As attackers become increasingly sophisticated, existing security implementations must advance to defend the enterprise, using emerging technologies to verify operator credentials.
There have been advancements in integrated technologies, such as integrated video, voice and biometric analyzers. An inferential model should be able to simultaneously correlate biometrics, facial recognition, voice samples and card swipes to identify the individual. Subsequently, these credentials should be contextually verified to ensure the individual with the right authorization is at the right location and within the permitted operating time boundaries. These types of auto-inferring devices can be deployed within and along the perimeter of the subject infrastructure to validate that only authorized operating personnel are entering the control zones. These principles can also be applied to study the behavioral pattern of individuals during operations, especially while managing critical controls. The inferred behavior patterns can then be used to identify unusual operator behavior to proactively mitigate threats.
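The following is an added example, not code from the article, of the contextual check described above: several independent factor readings (assumed here to be a card swipe, face, voice and fingerprint match, each reporting a claimed identity and a confidence) must agree on one identity before that identity is checked for the right role, the right zone and the permitted operating window. The operator directory, role table, thresholds and the behavioral baseline check are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed operator directory: role, assigned control zone and permitted shift.
@dataclass(frozen=True)
class Operator:
    id: str
    role: str
    zone: str
    shift_start: time
    shift_end: time

DIRECTORY = {
    "op-17": Operator("op-17", "senior_operator", "substation-A", time(6, 0), time(18, 0)),
    "op-42": Operator("op-42", "technician", "substation-B", time(6, 0), time(18, 0)),
}
# Constructed role-to-action table (which critical controls a role may issue).
ROLE_PERMITS = {
    "senior_operator": {"open_feeder", "open_relay", "open_meter"},
    "technician": {"open_meter"},
}

MIN_FACTORS = 2        # distinct factors that must agree on the same identity
MIN_CONFIDENCE = 0.85  # per-factor match confidence below this is not counted


def infer_identity(observations):
    """Correlate independent factor readings into one identity.

    observations: list of (factor, claimed_id, confidence).
    Returns the single identity supported by at least MIN_FACTORS distinct
    factors, or None when evidence is insufficient or strong readings disagree.
    """
    votes = {}
    for factor, ident, conf in observations:
        if conf >= MIN_CONFIDENCE:
            votes.setdefault(ident, set()).add(factor)
    # A strong reading for a second identity is a conflict, not noise.
    if len(votes) != 1:
        return None
    ident, factors = next(iter(votes.items()))
    return ident if len(factors) >= MIN_FACTORS else None


def authorize(operator_id, action, zone, at):
    """Contextual check: right authorization, right location, inside permitted hours."""
    op = DIRECTORY.get(operator_id)
    if op is None:
        return False, "unknown operator"
    if action not in ROLE_PERMITS.get(op.role, set()):
        return False, "role not permitted"
    if zone != op.zone:
        return False, "wrong location"
    if not (op.shift_start <= at.time() < op.shift_end):
        return False, "outside operating window"
    return True, "ok"


def validate_operation(observations, action, zone, at):
    """Full pipeline: establish who is present, then check the context of the action."""
    ident = infer_identity(observations)
    if ident is None:
        return False, "identity not established"
    return authorize(ident, action, zone, at)


def unusual_behavior(history, current, z=3.0):
    """Flag a critical-command rate far outside the operator's own baseline.

    history: past per-hour counts of critical commands for this operator;
    current: the count in the hour being evaluated. The floor of 1.0 on the
    deviation keeps a very quiet baseline from flagging ordinary variation.
    """
    mu, sigma = mean(history), pstdev(history)
    return current > mu + z * max(sigma, 1.0)


if __name__ == "__main__":
    # Constructed readings: three factors agree on op-17 with high confidence.
    readings = [("card", "op-17", 1.0), ("face", "op-17", 0.93), ("voice", "op-17", 0.88)]
    print(validate_operation(readings, "open_feeder", "substation-A", datetime(2024, 3, 1, 9, 30)))
    print(validate_operation(readings, "open_feeder", "substation-B", datetime(2024, 3, 1, 9, 30)))
```

The design choice worth noting is that factors are combined by agreement, not by summing scores: a confident face match for a different person than the card holder is treated as a conflict and blocks the operation, which is the impersonation case the article describes.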
Contextual validation of a single command
The contextual impact of a single command within the operational environment of a utility may not be interpreted the same way by all. The validation of a single command is not straightforward because of the complexity involved in inferring usage context and automatically evaluating the net impact. At a minimum, utilities must validate the command through a set of rigorous process controls.
For critical commands, the best practice is to have a system of multiple approvals (typically two out of three) to validate the intent and contextual appropriateness of outcomes. This process, however, is intensive and impedes timely execution of control commands.
To automate the process, a net impact score must be defined and evaluated that can indicate the probability of intent and impact. The net impact score must be based on two essential components: the probability of command usage within a given context and its impact on adjacent assets on failure. Ideally, this score must be evaluated at the source of each command, using a real-time operating network model. For slowly changing networks, a nominal network that is periodically updated can be substituted. The resulting score, when combined with the historical success rates for such commands, can help filter high-risk elements for additional verification.
A practical approach to manage these high-risk commands would be to partition them into simpler elements, each with a lower risk factor. For those commands that cannot be partitioned, a manual verification can be used. This method will reduce the need for manual intervention to a minimum.
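The scoring and partitioning described in the two paragraphs above, as an added example that is not the article's own code. The nominal network model, the per-context usage probabilities, the success-rate table and the thresholds are all constructed for illustration; the score is defined here as (1 - probability of usage in context) multiplied by the fraction of system load that would be dropped if the asset opened, and a command is routed for extra verification when the score is high or the historical success rate is low.

```python
from dataclasses import dataclass, field

# Constructed nominal network model: each asset lists the assets it feeds
# downstream and the load it serves directly, in kW.
@dataclass
class Asset:
    name: str
    kind: str                    # feeder_switch | relay | meter_switch
    load_kw: float = 0.0
    feeds: list = field(default_factory=list)

NETWORK = {
    "F1": Asset("F1", "feeder_switch", feeds=["R1", "R2"]),
    "R1": Asset("R1", "relay", feeds=["M1", "M2"]),
    "R2": Asset("R2", "relay", feeds=["M3"]),
    "M1": Asset("M1", "meter_switch", load_kw=5.0),
    "M2": Asset("M2", "meter_switch", load_kw=4.0),
    "M3": Asset("M3", "meter_switch", load_kw=6.0),
}

# Constructed usage statistics: how often an "open" on this asset kind is
# issued in a given operating context, and the historical success rate of
# such commands. Contexts absent from the table get probability 0.
P_USAGE = {
    ("feeder_switch", "normal"): 0.05, ("feeder_switch", "storm_restoration"): 0.60,
    ("relay", "normal"): 0.20,         ("relay", "storm_restoration"): 0.70,
    ("meter_switch", "normal"): 0.90,  ("meter_switch", "storm_restoration"): 0.95,
}
SUCCESS_RATE = {"feeder_switch": 0.80, "relay": 0.95, "meter_switch": 0.99}


def downstream_load_kw(network, name):
    """Impact on adjacent assets on failure: total load dropped if `name` opens."""
    total, stack, seen = 0.0, [name], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        total += network[n].load_kw
        stack.extend(network[n].feeds)
    return total


def net_impact_score(network, name, context):
    """Score in [0, 1]: a command that is unusual in its context and drops a
    large share of the system load scores high."""
    asset = network[name]
    system_load = sum(a.load_kw for a in network.values())
    impact = downstream_load_kw(network, name) / system_load
    p_usage = P_USAGE.get((asset.kind, context), 0.0)
    return round((1.0 - p_usage) * impact, 4)


def decide(network, name, context, score_threshold=0.25, min_success=0.90):
    """Combine the score with the historical success rate: anything above the
    score threshold or below the success floor needs additional verification."""
    score = net_impact_score(network, name, context)
    success = SUCCESS_RATE[network[name].kind]
    if score < score_threshold and success >= min_success:
        return "auto"
    return "verify"


def plan(network, name, context):
    """Partition a high-risk command into its downstream elements, recursively.
    Elements that are still high risk but have nothing to split into fall back
    to manual verification; everything else can be executed automatically."""
    if decide(network, name, context) == "auto":
        return [(name, "auto")]
    children = network[name].feeds
    if not children:
        return [(name, "manual")]
    steps = []
    for child in children:
        steps.extend(plan(network, child, context))
    return steps


if __name__ == "__main__":
    print(net_impact_score(NETWORK, "F1", "normal"))   # 0.95
    print(plan(NETWORK, "F1", "normal"))               # three auto meter operations
    print(plan(NETWORK, "F1", "storm_restoration"))    # two auto relay operations
```

In the constructed model, opening feeder F1 under normal conditions scores 0.95 and is split down to individual meter operations, while the same command during storm restoration is usual enough that splitting stops at the relays; a meter operation in an unrecognised context cannot be split further and goes to manual verification.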
Rate limitation as a method to validate linear command sequences
Single command validation is a necessary but insufficient step in mitigating insider threats. Often a sequence of control commands can have an undesirable impact, as with consecutive residential meter operations: each meter switch disconnect sheds a negligible load, but a large volume of them can induce a large load shed, shutting down parts of the grid. There are many ways to address this problem, but the most practical method is to employ rate limiting. A rate-limiting device designed to operate on the following criteria will effectively address the sequence issue; each network operation (relays, meter switches or feeder switches) is evaluated for the following two features:
- Tolerance limit on the number of operations per device, based on its connectivity model, and
- The number of devices of a given type that can be in a certain state (on or off) at any given time (so as not to impact load, reliability or operability of the network).
The derived rate limit, by time of day, is built into a secure device that acts as a security controller for the network. Every command is passed from the source system to this device for validation and authorization. The end device recognizes and executes only commands that carry a security seal stamped by the rate-limiting device. The core function of rate-limiting devices is to protect the bulk grid, as opposed to single command validation, which focuses on specific devices. This security controller can be central to the management of the grid or can be distributed across the territory, by asset type and function.
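The rate-limiting security controller and sealed-command flow described above, as an added example that is not the article's or any vendor's code. It applies both criteria (a per-device operation tolerance within a rolling window, and a cap on how many devices of a type may be open at once, keyed by a day/night band of the hour), then stamps approved commands with an HMAC seal that the end device verifies before executing. The policy numbers, the shared key and the one-hour window are constructed; a real deployment would provision per-device keys in hardware-backed storage rather than the single demonstration key used here.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Constructed shared secret between the security controller and field devices.
CONTROLLER_KEY = b"demo-controller-key"
WINDOW_SECONDS = 3600   # rolling window for the per-device tolerance
MAX_SEAL_AGE = 300      # end device rejects sealed commands older than this

# Constructed rate-limit policy by device type and time-of-day band.
POLICY = {
    "meter_switch":  {"ops_per_window": 3, "max_open": {"day": 100, "night": 20}},
    "feeder_switch": {"ops_per_window": 2, "max_open": {"day": 2, "night": 1}},
}


def band(hour):
    """Time-of-day band used to select the limit (06:00-22:00 counts as day)."""
    return "day" if 6 <= hour < 22 else "night"


def seal_for(key, body):
    """Security seal over the canonical JSON form of the command body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class RateLimitingController:
    def __init__(self, key=CONTROLLER_KEY, policy=POLICY):
        self.key = key
        self.policy = policy
        self.ops = defaultdict(deque)    # device -> timestamps of accepted operations
        self.state = defaultdict(dict)   # device type -> {device: last state}

    def validate(self, cmd, now):
        """Return (accepted, reason, sealed_cmd). cmd = {"type", "device", "op"}."""
        dtype, dev, op = cmd["type"], cmd["device"], cmd["op"]
        rules = self.policy[dtype]
        # Criterion 1: tolerance on operations per device in the rolling window.
        window = self.ops[dev]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= rules["ops_per_window"]:
            return False, "per-device rate exceeded", None
        # Criterion 2: devices of this type allowed in the "open" state at once.
        limit = rules["max_open"][band((now // 3600) % 24)]
        open_now = sum(1 for s in self.state[dtype].values() if s == "open")
        already_open = self.state[dtype].get(dev) == "open"
        if op == "open" and not already_open and open_now + 1 > limit:
            return False, "too many devices open", None
        # Both criteria passed: record the operation and stamp the seal.
        window.append(now)
        self.state[dtype][dev] = op
        body = dict(cmd, ts=now)
        return True, "ok", dict(body, seal=seal_for(self.key, body))


class EndDevice:
    """Field device that executes only fresh commands sealed by the controller."""
    def __init__(self, name, key=CONTROLLER_KEY):
        self.name = name
        self.key = key
        self.state = None

    def execute(self, sealed_cmd, now):
        body = {k: v for k, v in sealed_cmd.items() if k != "seal"}
        expected = seal_for(self.key, body)
        if not hmac.compare_digest(expected, sealed_cmd.get("seal", "")):
            return False                      # tampered or unsealed command
        if body["device"] != self.name or now - body["ts"] > MAX_SEAL_AGE:
            return False                      # misdirected or stale (replayed)
        self.state = body["op"]
        return True


if __name__ == "__main__":
    ctl = RateLimitingController()
    t0 = 12 * 3600  # constructed timestamp: midday, "day" band
    ok, reason, sealed = ctl.validate({"type": "feeder_switch", "device": "F1", "op": "open"}, t0)
    print(ok, reason, EndDevice("F1").execute(sealed, t0 + 5))
```

The end device never evaluates policy itself; it only checks that the seal is genuine, addressed to it and fresh, so a command that bypasses the controller, is altered in transit or is replayed later is rejected at the point of execution, which is where the article asks for validation to complement the point of origin.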
How Should Utilities Look to Transition to Mitigate Risk?
Utilities must, in the near term, focus on programs to address insider threat scenarios and other security compliance activities. A good start would be to identify critical functions and assets that affect bulk grids and focus on implementing mitigating solutions. The automated validation of personnel using integrated technologies is an obvious and easy step that can eliminate many insider threats. Utilities must pursue rate limitations, in parallel, for key identified functions to minimize disruptions. Utilities must proactively establish these systems and processes to effectively mitigate insider threats.
Insider threats are evolving quickly, and utilities must take proactive steps to stay a step ahead. An insider threat architecture that adheres to the five guiding principles and the three approaches outlined in this article is likely to provide optimal and sustained protection to utilities over the long term.