July 2008

Protecting power plants

By James Batug, Jonathan Pollet, and Walter Sikora

When control engineers go about securing electrical generating units in the North American bulk electric system, it is critical they follow requirements from the North American Electric Reliability Council (NERC). Owners and operators must evaluate these units under the NERC critical infrastructure protection CIP-002 standard to determine those that are critical assets and to identify critical cyber assets that require protection. What they need is a technically feasible approach to comply with the NERC standards. We hope here to help control system professionals identify changes needed to comply with those standards.

Critical cyber assets in a generating plant may range from a complex control system to a single device, such as microprocessor-based protective relays connected for remote access via a routable protocol (ubiquitously the Internet protocol or IP) or a dial-up telephone line. A plant control system with critical cyber assets could use components of a distributed (or digital) control system (DCS) or a programmable logic controller (PLC)-based control system or a combination of both technologies.

In general, the standards require critical cyber assets to be protected with an electronic security perimeter (ESP) and a six-walled physical security perimeter. Non-critical cyber assets within an electronic security perimeter must receive the same protection under the standards as a critical cyber asset. Before designing protection for critical cyber assets as required by the CIP standards, control system engineers should familiarize themselves with the complete range of standard requirements, as well as the frequently asked questions, and work with their corporate compliance team to prepare for eventual compliance audits.

CIP-005, Revision 1

The CIP-005 standard requires establishing and documenting an ESP around critical cyber assets, including certain other cyber assets, and identifying every communication penetration through the perimeter. You must control, monitor, and log external access to the cyber assets within the ESP 24/7 for routable protocol (such as IP) and dial-up communications. Two-factor (or stronger) authentication (2FA) is required for external access to cyber assets within the ESP.

Where technically feasible, a security monitoring process is required to detect and alert on unauthorized access or access attempts. Where not technically feasible, an access log review is required at least every 90 days. Communication through the ESP using a non-routable protocol or a dedicated telephone line (i.e., not dial-up accessible) does not require monitoring under the standards.

CIP-007, Revision 1

The CIP-007 standard requires protection of the critical cyber assets (including certain other cyber assets) within the ESP, such as control system subsystems or major components, including PLCs, HMIs, and data processing units.

The protection requirements of CIP-007 include, as a minimum:

  • Limiting the IP ports and services to only those necessary for operations
  • Malicious software detection and prevention
  • Account management controls
  • Security status monitoring
  • Security patch management

Defense-in-depth approach

Defense-in-depth strategies are a recommended best practice for cyber security. Hardware and software appliances are available for access control, monitoring, and logging to comply with the CIP-005 and CIP-007 standard requirements.

A universal threat manager (UTM) is a special type of firewall for the perimeter of the ESP with stateful packet inspection, network anti-virus protection, an inline network intrusion detection sensor (NIDS), an intrusion prevention system (IPS), and built-in authentication mechanisms. It is commonly used as the checkpoint for routable communication from an outside network LAN/WAN to a LAN within an ESP.

A UTM is often used to establish a demilitarized zone, which is a separate LAN for devices that do not need to be located within an ESP or to comply with the CIP standards but, for business reasons, still require a level of protection from outside LAN/WAN communication traffic. An example would be a plant data historian open to enterprise users.

You can implement UTMs to support redundant control and monitoring LANs used for communication among critical cyber assets or redundant external LAN/WAN communication traffic. One of the key functions of a UTM is the ability to provide compensating controls for CIP-007 (R2, R3, R4, R5, and R6).

Quite a few control systems employ ports and services that cannot be disabled on the servers or HMI computers. By using a UTM to establish the ESP, you can lock down access to those ports and services at the perimeter, providing the necessary compensating controls for NERC CIP-007 R2.
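The compensating control described above, as an added example (not the article's code and not any vendor's product): a service that cannot be disabled on an HMI is instead blocked at the ESP boundary by an allow-list of documented access points, and every inbound decision is written to an access log so the CIP-005 monitoring and log-review requirements have a record to work from. The ESP network, the two rules, and the flow records are all constructed for illustration.

```python
"""Allow-list evaluation of traffic crossing an ESP boundary (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR outside the ESP permitted to initiate
    dst: str       # CIDR inside the ESP
    proto: str     # "tcp" or "udp"
    port: int      # destination port
    purpose: str   # why this penetration of the ESP is documented


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    port: int


# Hypothetical control LAN and its documented access points (constructed).
ESP_NET = ip_network("10.50.0.0/24")
POLICY: List[Rule] = [
    Rule("10.10.1.0/24", "10.50.0.0/24", "tcp", 22, "engineering jump host, 2FA enforced at UTM"),
    Rule("10.10.2.5/32", "10.50.0.10/32", "tcp", 502, "historian polls Modbus/TCP from one host"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("permit"|"deny"|"not-applicable", reason) for one flow.

    Only flows entering the ESP from outside are subject to this policy;
    traffic already inside the ESP is the NIDS's job, not the perimeter's.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in ESP_NET or dst not in ESP_NET:
        return "not-applicable", "flow does not cross the ESP inbound"
    for r in POLICY:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and flow.proto == r.proto and flow.port == r.port):
            return "permit", r.purpose
    return "deny", "no documented access point for this port/service"


def audit(flows: List[Flow]) -> List[str]:
    """Produce access-log lines for every inbound decision (permit or deny)."""
    lines = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "not-applicable":
            continue
        lines.append(f"{f.ts} {verdict.upper()} {f.src}->{f.dst} {f.proto}/{f.port} ({reason})")
    return lines


# Constructed flow records.
SAMPLE_FLOWS = [
    Flow("2008-07-01T08:00:00", "10.10.1.20", "10.50.0.10", "tcp", 22),   # documented
    Flow("2008-07-01T08:00:05", "10.10.2.5", "10.50.0.10", "tcp", 502),   # documented
    Flow("2008-07-01T08:00:09", "10.10.2.5", "10.50.0.11", "tcp", 502),   # wrong target host
    Flow("2008-07-01T08:00:12", "10.10.1.20", "10.50.0.10", "tcp", 445),  # service left on at HMI, blocked at ESP
    Flow("2008-07-01T08:00:15", "10.50.0.10", "10.50.0.11", "tcp", 445),  # intra-ESP, out of scope here
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

The point of the fourth flow is the one the text makes: port 445 stays open on the HMI because the vendor will not support disabling it, yet no external host can reach it because the perimeter has no rule for it, and the denied attempt is logged rather than silently dropped.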

The UTM's network anti-virus and intrusion prevention capabilities provide the necessary compensating controls to achieve compliance with NERC CIP-007 R3 and R4. They mitigate the cases where it is technically not feasible to run an anti-virus application on supervisory control and data acquisition (SCADA) systems or DCS/PCS computers: traffic is scanned by the UTM's network anti-virus and IPS capabilities to halt viruses, worms, and hacking attempts before it reaches those hosts. Validated patches are not usually available from SCADA/DCS vendors for their applications. A UTM whose intrusion prevention capabilities understand SCADA/DCS protocols can help mitigate the need to patch the control systems themselves.

NERC CIP-007 R5 and R6 require account management, strong passwords, restricted administrative access, and security status monitoring. You can use the UTM's access control capabilities to restrict access and to provide accounting logs for access to the critical cyber assets. The UTM's remote authentication features securely identify and permit only allowed users and can interface with remote authentication services such as RADIUS and Active Directory to raise the level of remote access security still further and to comply with the 2FA requirements of the standards.

A NIDS is an appliance located within an ESP that monitors network traffic for malicious behavior, including rogue devices, application exploits, worms, and dangerous or unauthorized traffic. You can also use it to monitor communication on LANs within the ESP.

A NIDS passively listens to network traffic and monitors network activity in real time for known exploits and signature-based attacks, as well as port scanning or other activity that would be classified as someone trying to discover or compromise systems within the ESP network. The NIDS will not stop the activity, but it will log anything it considers abnormal to a security event management (SEM) console.

Also, if a foreign device is attached to the network, or if address resolution protocol (ARP) tables are modified, as is often the case when a man-in-the-middle attack is being attempted, the NIDS will alert the SEM console, since it runs ARPWATCH and monitors communication on LANs within the ESP.
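The two ARP events the text relies on, a previously unseen station appearing and an existing IP address suddenly answering from a different hardware address, as an added example (this is not ARPWATCH, nor the article's or Industrial Defender's code). The detector keeps the current and previous MAC per IP so it can distinguish a plain change from the change-then-restore oscillation that ARP spoofing leaves behind, and renders each event as a one-line record for the SEM console. All ARP observations and addresses are constructed.

```python
"""ARP-table watch for a LAN inside the ESP (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpSeen:
    ts: str
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str              # "new-station" | "changed-mac" | "flip-flop"
    ip: str
    old_mac: Optional[str]
    new_mac: str


class ArpWatch:
    """Tracks ip -> (current mac, previous mac) and raises an alert on every change."""

    def __init__(self) -> None:
        self.table: Dict[str, Tuple[str, Optional[str]]] = {}
        self.alerts: List[Alert] = []

    def observe(self, seen: ArpSeen) -> Optional[Alert]:
        mac = seen.mac.lower()
        entry = self.table.get(seen.ip)
        if entry is None:
            # First time this IP has been seen on the segment.
            self.table[seen.ip] = (mac, None)
            alert = Alert(seen.ts, "new-station", seen.ip, None, mac)
        else:
            current, previous = entry
            if mac == current:
                return None  # steady state, nothing to report
            # Returning to the previous MAC is the spoof/restore oscillation;
            # any other MAC is a plain change of hardware address.
            kind = "flip-flop" if mac == previous else "changed-mac"
            self.table[seen.ip] = (mac, current)
            alert = Alert(seen.ts, kind, seen.ip, current, mac)
        self.alerts.append(alert)
        return alert


def to_sem_lines(alerts: List[Alert]) -> List[str]:
    """Render alerts as one-line records for a security event management console."""
    return [f"{a.ts} ARP {a.kind} ip={a.ip} old={a.old_mac or '-'} new={a.new_mac}"
            for a in alerts]


def run(observations: List[ArpSeen]) -> List[Alert]:
    watcher = ArpWatch()
    for seen in observations:
        watcher.observe(seen)
    return watcher.alerts


# Constructed observations: the host at .20 is seen from its normal MAC,
# then from a second MAC, then back again; a new host at .99 also appears.
SAMPLE = [
    ArpSeen("08:00:00", "10.50.0.10", "00:11:22:33:44:10"),
    ArpSeen("08:00:01", "10.50.0.20", "00:11:22:33:44:20"),
    ArpSeen("08:00:30", "10.50.0.20", "00:11:22:33:44:20"),
    ArpSeen("08:01:00", "10.50.0.20", "DE:AD:BE:EF:00:01"),
    ArpSeen("08:01:05", "10.50.0.99", "00:11:22:33:44:99"),
    ArpSeen("08:02:00", "10.50.0.20", "00:11:22:33:44:20"),
]

if __name__ == "__main__":
    for line in to_sem_lines(run(SAMPLE)):
        print(line)
```

On a control LAN the station population is small and changes rarely, so every "new-station" record is worth a look by the operator, not only the changed-MAC ones; a detector like this is only useful if the alerts actually reach the SEM console and someone reviews them.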

A host intrusion detection sensor (HIDS) monitors the operation of host computers and other networked devices within an ESP. A HIDS is a passive listening entity (or agent) that monitors activity and gathers metric data on the host on which it is deployed, and then transmits it back to a central SEM.

Metric values are reported on a periodic basis, such as once per minute. Alerts are reported immediately when they are detected.
James Batug (jpbatug@pplweb.com) is engineering manager of instrumentation and controls at PPL Generation. Jonathan Pollet is vice president of North American operations at Industrial Defender, Inc. Walter Sikora (wsikora@verano.com) is vice president of security services at Industrial Defender, Inc., in Foxborough, Mass.