September 2008

Power play: Standards key to secure plants, infrastructure

By Thomas Kropp

The electric power industry is well aware the electric power grid is more vulnerable to cyber attack today than it was in the past. Economic considerations have driven the industry to reduce staff and to automate the systems that control the flow of power throughout the developed world. The move to a market-based energy structure has added to vulnerabilities by increasing requirements for transmission from new merchant generators located remotely from the loads they serve.

Experts in the energy industry, government organizations, and politicians have warned the electric power industry is not secure from cyber attacks. Efforts are underway to help the industry develop and deploy standards-based technologies, processes, and procedures to secure the infrastructure upon which the industry depends. While it is difficult to accurately evaluate the actual threats to the electric power industry's critical infrastructure, it is relatively straightforward to evaluate its cyber vulnerabilities and to determine the actions needed to secure that infrastructure.

Standards take time to develop, and many complain that we do not have this time to spare when we consider the need to develop and deploy security solutions. While this is true, we need to balance the urgency of securing our system with the need to develop standard solutions, which can be effectively and efficiently applied across the industry.  Here is a brief overview of security standards development activities currently in progress.

IEC security standards development

The ISO/IEC 27000 series of standards discusses requirements and establishes guidelines for implementing, maintaining, and improving information security management systems, risk management, metrics, and measurement. Although they were not specifically developed for electric power companies, most of their principles are relevant, especially to enterprise IT systems and to the business processes point of view. The series will consist of seven standards, three of which have been published while the others are in draft conditions.

The International Electrotechnical Commission (IEC) Working Group 15 of Technical Committee 57 (TC57 WG15) is developing IEC 62351, focusing on power system control, data communications, and security. WG15 develops standards for the cyber security of the electrical system with a focus on the communication protocols defined within TC57. The standards are designed to meet security objectives, which vary according to protocols, implementations, and constraints. The group developed abstract network and system management data objects for the power system operational environment (currently under review). The standards are organized as a technical specification.

Power Engineering Society

WG C4 of the Power Engineering Society Substations is developing P1689, a trial use standard for retrofit cyber security of serial SCADA links and intelligent electronic devices (IED) remote access.  It adapts standards developed by the American Gas Association for cryptographic protection of SCADA communications to the electric power industry. It also defines high-level requirements to protect serial communications between SCADA master stations and remote terminal units (RTUs) from cyber attack. It specifies authenticated remote access to maintenance ports in RTUs and other IEDs. P1689 specifies requirements to retrofit existing communications equipment with minimal changes to installed devices. The standard will benefit electric power companies and vendors.

Correlation between standards

IEEE P1711 is a companion standard to IEEE P1689 and sets forth the cryptographic protocol to help implement cyber security required by IEEE P1689 on serial links connecting SCADA systems to master stations. P1711 specifies a cryptographic protocol that will protect serial communications from cyber attacks. Use of P1711 will ensure interoperability of cyber security devices, which protect installed asynchronous serial communications from cyber attack.

ISA99

ISA99 addresses cyber security for control systems. Participants in the development of this standard include over 300 North American and international members from end users, suppliers, contractors, universities, and government organizations. It addresses distributed control systems, PLCs, SCADA, networked electronic sensing, monitoring, and diagnostic systems. ISA99 defines standards and recommended practices; it produces technical reports and related information to define procedures for implementing electronically secure control systems and security practices or assessing electronic security performance.

ISA99 Part 1 covers concepts, terminology, and models in security for industrial automation and control systems and establishes the basis for the remaining standards in the ISA99 series. ISA99 Part 2 provides guidance for developing a program for the security of industrial automation and control systems. ISA99 Part 3 is about operating an industrial automation and control system security program; and Part 4 covers specific security requirements.

The ISA99 scope encompasses manufacturing and control systems whose compromise could result in endangerment of public or employee safety, loss of public confidence, violation of regulatory requirements, loss of proprietary or confidential information, economic loss, and impact on national security.

NERC CIP standards

The North American Electric Reliability Corporation (NERC) is responsible for the reliability of the North American power grid. NERC has established the Cyber Security Standards for critical infrastructure protection (CIP-002 through CIP-009) to provide a security framework for the identification and protection of critical cyber assets that support reliable operation of the electric power grid. The Federal Energy Regulatory Agency has approved these standards, and they have strong penalties for non-compliance. These standards differ from those previously mentioned in that their goal is to protect the North American Power Grid rather than to help individual companies secure their own systems.

The standards apply in varying degrees to the differing roles of each entity in the operation of the grid. They apply only to those cyber assets critical for grid reliability.

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce, involved in standards development and testing done by the private sector and U.S. government agencies to promote innovation and industrial competitiveness.

NIST SP 800-53 contains management, operational, and technical safeguards and countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

NIST 800-82 provides specific recommendations and guidance for securing Industrial Control Systems. It provides an overview of the activities currently ongoing among U.S. government organizations, standards organizations, industry groups, and automation system vendors to make available "best practices" in the area of ICS security.

ABOUT THE AUTHOR

Thomas Kropp (t.kropp@computer.org) is director of energy services for Dyonyx, a consulting firm specializing in design, implementation and support of secure, efficient infrastructures, out of Houston.