If we look at the infrastructure as a whole, we see that extensive networking is not limited to data
networks, but will soon also leave its mark on our energy infrastructure. The Smart Grid will
become the "Internet of Energy", in which loads will also be energy producers that feed
power into the network and sell it. This might not sound so exciting if you only have three people in
your family, but it is very interesting for glass or steel producers, for example.
But even as the parent of a family of three, it would be interesting for you if your refrigerator
"knew" how to cool in low-energy mode on a hot August afternoon when the power grid is reaching
the limits of its capacity. To do this, however, the refrigerator must be able to communicate with the
network and respond to demand signals. The refrigerator is only one example of the
"Internet of Things", i.e. the connection of millions of electronic devices via the Internet, from the
onboard computer in your car, which sends warranty information to your dealer, to the pickups in
your water meter, which report water consumption data to your city water supplier via radio signals.
To ensure that everything runs without errors, from Cloud computing to the water meters, you need
a reliable network infrastructure which is well protected against attacks by malware and hackers.
Today, a wall no longer represents an overwhelming obstacle. An attacker only has to think about
how to overcome this one obstacle; it is then a matter of time before the attacker finds a
way in. The intruder also has to put forth time and effort just once to achieve their goal. Thus, a
wall by itself is not an effective protective measure.
There is no such thing as 100% security of a system, but a Defense in Depth approach can
reduce the risks involved.
"Defense in Depth" means setting up as many protective measures as possible between the
"outside world" and the devices or systems to be protected.
Electric Power Systems (EPSs) have emerged as one of the most critical infrastructures, in the sense
that all other critical and vital infrastructures depend on a reliable electricity supply. At the same time
they are considered the most vulnerable to physical and cyber attack.
The main vulnerabilities in EPSs are connected with the ability to remotely access protection, control,
automation and SCADA equipment. By exploiting a vulnerability in a power substation's communications,
an electronic intruder could, for example, access the substation SCADA system and operate circuit
breakers in the substation, which could affect the reliability of the electricity supply or even cause a
large-scale EPS failure.
Utilities
- The United States and some provinces in Canada are to enforce NERC-CIP version 5 (North
American Electric Reliability Corporation Critical Infrastructure Protection) guidelines or
standards on power systems. Failure to comply may result in financial penalties.
- Most European countries follow best practices from the industry.
NERC is a non-profit organization whose mission is to ensure the reliability of the North American
bulk power system.
The NIST (National Institute of Standards and Technology) Cybersecurity Framework provides a policy
framework of computer security guidance for how private sector organizations can assess and improve their
ability to prevent, detect, and respond to cyber attacks.
Industrial Automation
- ISA99 / IEC 62443, the leading standard for security in industrial automation
ISA – International Society of Automation, Committee on Security for Industrial Automation and
Control Systems (ISA99)
Default passwords are very easy to obtain from the vendor's user guides. NERC-CIP proposes the
following criteria: at least 8 characters long, containing at least one uppercase and one lowercase
letter, at least one number, and at least one non-alphanumeric character (e.g. @, %, &, *,
etc.).
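As an added example (not code from the original page or from any vendor), a Python checker for the criteria above that also flags accounts still using a default password; the default list and the device inventory are constructed placeholders:

```python
import re

# Constructed sample of vendor default credentials of the kind printed in user guides.
# These are placeholder values for the example, not taken from any real product manual.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "default", "guest", "12345678"}

# The NERC-CIP criteria quoted on this page, each paired with the failure it reports.
NERC_CIP_RULES = [
    (lambda pw: len(pw) >= 8, "shorter than 8 characters"),
    (lambda pw: re.search(r"[A-Z]", pw) is not None, "no uppercase letter"),
    (lambda pw: re.search(r"[a-z]", pw) is not None, "no lowercase letter"),
    (lambda pw: re.search(r"[0-9]", pw) is not None, "no digit"),
    (lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None, "no non-alphanumeric character"),
]


def check_password(pw: str) -> list[str]:
    """Return the list of problems with a password; an empty list means it passes."""
    problems = [msg for ok, msg in NERC_CIP_RULES if not ok(pw)]
    # A default that happens to satisfy the complexity rules is still a default.
    if pw.lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("is a known vendor default")
    return problems


def audit_accounts(accounts: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Audit (device, user, password) triples; returns only the failing accounts keyed by device/user."""
    findings = {}
    for device, user, pw in accounts:
        problems = check_password(pw)
        if problems:
            findings[f"{device}/{user}"] = problems
    return findings


# Constructed inventory of field-device accounts, e.g. exported from a configuration backup.
SAMPLE_ACCOUNTS = [
    ("rtu-substation-a", "admin", "admin"),          # untouched vendor default
    ("rtu-substation-a", "operator", "Sunny2019"),   # lacks a non-alphanumeric character
    ("switch-bay-3", "admin", "Relay#Bay3!Ok"),      # meets all criteria
]

if __name__ == "__main__":
    for account, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(account, "->", "; ".join(problems))
```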
Stay away from clear-text protocols, which if intercepted can cause significant security
problems, such as revealing the passwords in use. Your equipment should support
protocols that are capable of encrypting the session between the field device and the managing end
user.
Most routing protocols support some level of authentication. Without it, a rogue router could simply learn your
network topology by exchanging routing messages with your routers, and then advertise better
metrics for networks that exchange critical data. This data could then be collected.
- RIP: timed keys
- OSPF: message digest keys
- BGP: passwords on a per-neighbor basis
- IS-IS: area authentication
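An added example, not from the original page: a Python parser for the OSPFv2 packet header (RFC 2328) that reports routing packets whose AuType is not cryptographic, the kind of check a capture-based audit of the OSPF point above would run; the two packets are constructed sample input and the header builder exists only to produce them.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# OSPFv2 AuType values from RFC 2328, Appendix D.
OSPF_AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}

@dataclass
class OspfHeader:
    version: int
    pkt_type: int  # 1 = Hello, 2 = DB Description, 3 = LS Request, 4 = LS Update, 5 = LS Ack
    router_id: str
    area_id: str
    au_type: int
    key_id: Optional[int] = None     # only present for cryptographic authentication
    crypt_seq: Optional[int] = None  # cryptographic sequence number (anti-replay)

def parse_ospf_header(data: bytes) -> OspfHeader:
    """Parse the 24-byte OSPFv2 common header (RFC 2328, A.3.1)."""
    if len(data) < 24: raise ValueError("truncated OSPF header")
    version, pkt_type, _length, rid, aid, _csum, au_type = struct.unpack("!BBHIIHH", data[:16])
    hdr = OspfHeader(version, pkt_type, str(ipaddress.IPv4Address(rid)),
                     str(ipaddress.IPv4Address(aid)), au_type)
    if au_type == 2:
        # AuType 2 authentication field: reserved(2), Key ID(1), Auth Data Len(1), Crypto Seq(4)
        _, hdr.key_id, _auth_len, hdr.crypt_seq = struct.unpack("!HBBI", data[16:24])
    return hdr

def audit_ospf_packets(packets: list) -> list:
    """Return one finding per OSPF packet that is not cryptographically authenticated."""
    findings = []
    for pkt in packets:
        hdr = parse_ospf_header(pkt)
        if hdr.au_type != 2:
            kind = OSPF_AUTH_TYPES.get(hdr.au_type, f"unknown({hdr.au_type})")
            findings.append(f"router {hdr.router_id} area {hdr.area_id}: {kind} authentication")
    return findings

def make_ospf_header(router_id: str, area_id: str, au_type: int, key_id: int = 0, seq: int = 0) -> bytes:
    # Constructed Hello header (fixed length, zero checksum) used only to build the sample input.
    fixed = struct.pack("!BBHIIHH", 2, 1, 44, int(ipaddress.IPv4Address(router_id)),
                        int(ipaddress.IPv4Address(area_id)), 0, au_type)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq) if au_type == 2 else bytes(8)
    return fixed + auth

# Constructed sample: one unauthenticated Hello and one carrying MD5 key id 1.
SAMPLE_PACKETS = [
    make_ospf_header("10.0.0.1", "0.0.0.0", 0),
    make_ospf_header("10.0.0.2", "0.0.0.0", 2, key_id=1, seq=0x1234),
]
```

Run `audit_ospf_packets(SAMPLE_PACKETS)` to get the findings; on real traffic the input would be the OSPF payloads extracted from a capture on the routing segment.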
The network layer may be subject to other forms of attack, for example, but not limited to:
- IP spoofing. An attacker may source packets as if they were coming from a trusted host.
- ICMP attacks such as ICMP Denial of Service, ICMP flood attack, IP directed broadcast attack, ICMP
Tunnel (any UDP/TCP traffic can piggyback on echo requests/replies), etc.
- Packet sniffing
Protect insecure communications to other networks you don't have control over, for example an
interconnection between a Control Network and the IT Corporate Network.
Other layers to protect include the transport layer (Layer 4), where attackers may run port scanners to
discover which services your devices have open. Also, if traffic is intercepted, a TCP session could
potentially be hijacked and taken over by an attacker.
Elements that help you protect these communications range from firewalls and Intrusion
Detection Systems/Intrusion Prevention Systems to VPN (Virtual Private Network) capable devices.
The RUGGEDCOM Ethernet Switches provide security at the local area network level. The key
cyber security features of these switches include:
- Passwords – Multi-level user passwords secure the switch against unauthorized configuration
- SSH / SSL – Extends the capability of password protection to add encryption of passwords and data
as they cross the network
- Enable / Disable ports – Capability to disable ports so that traffic cannot pass
- 802.1Q VLAN – Provides the ability to logically segregate traffic between predefined ports on
switches
- MAC based Port Security – The ability to secure ports on a switch so only specific devices / MAC
addresses can communicate via that port
- 802.1X Port Based Network Access Control – The ability to lock down ports on a switch so that
only authorized clients can communicate via this port
- RADIUS Protocol – Switches act as authenticators and interact with an authentication server in order to
validate user or field device credentials
- SNMPv3 – Encrypted authentication and access security
SSH:
The Secure Shell protocol is an encryption protocol that allows two machines to
communicate with each other using authentication. SSH also supports tunneling, port
forwarding and file transfer.
HTTPS:
Data transported via the Hyper Text Transfer Protocol (HTTP) is readable as plain text. It is
important that the transmission of confidential and personal data is secure and protected against
unauthorized access. HTTPS is the secure version of HTTP, the protocol over which data is sent
between your browser and the website that you are connected to, securely.
When you request an HTTPS connection to a webpage, the website will initially send its SSL
certificate to your browser. This certificate contains the public key needed to initiate the secure
session. Based on this initial exchange, your browser and the website then perform the 'SSL
handshake'. This SSL handshake involves the generation of shared secrets to establish a uniquely
secure connection between yourself and the website.
CROSSBOW is a proven Secure Access Management solution designed to provide NERC CIP compliant access
to Intelligent Electronic Devices. The CROSSBOW solution focuses on delivering productivity gains
for administrators and users while achieving full NERC compliance in managing, securing and
reporting on remote access.