
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities


Whitepaper Abstract Securing our nation's critical power infrastructure has never been more important. Utilities systems are vulnerable to cyber threats, which can be malicious attacks from hackers or terrorists, as well as unintentional damage done by employees. In response, industry regulators have implemented a number of regulations and standards to address these weaknesses and ensure the continued safe and reliable generation of electricity. This NetSpi whitepaper discusses the options — including application whitelisting — that are available to harden critical systems and meet key regulatory requirements. In particular, the paper identifies options for addressing NERC Critical Infrastructure Protection standards CIP-002 through CIP-009.


www.netspi.com 612-465-8880

Ryan Wakeham, Senior Security Consultant, NetSPI

The electrical industry addresses cyber security

Securing our nation’s critical power infrastructure has never been more important. Electrical power utilities generate and distribute the energy that is needed to drive the economy, as well as daily life, in modern America. However, these utilities depend on networks of aging systems and devices and are therefore vulnerable to cyber threats, which can be malicious attacks from hackers or terrorists, as well as unintentional damage done by employees.

In response to the risks posed by insufficient cyber security controls, industry regulators and organizations such as the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), the Nuclear Regulatory Commission (NRC), and the Nuclear Energy Institute (NEI) have implemented a number of regulations and standards to address these weaknesses and ensure the continued safe and reliable generation of electricity. In particular, the NERC Critical Infrastructure Protection standards CIP-002 through CIP-009 provide a cyber security framework for non-nuclear facilities. These standards require critical cyber asset identification, in addition to certain physical, logical, and administrative controls.

Regulatory requirements

The key systems that utilities typically identify as critical cyber assets include servers and workstations in process or SCADA environments. These environments are central to the efficient generation and distribution of power; therefore, the servers and workstations that operate in concert with digital devices throughout power plants and the electrical grid must be available and functioning properly around the clock. The need for high availability in these systems, combined with the fact that they run proprietary software applications, means that they are rarely protected by controls such as security patches and anti-malware programs that are often taken for granted in other environments.


White Paper: Hardening Critical Systems at Electrical Utilities. Meeting Regulatory Requirements Through Endpoint Controls


The NERC CIPs apply a number of requirements to these sorts of systems. For example, the CIPs require configuration hardening (CIP-007 R2), patch management or compensating controls (CIP-007 R3), anti-malware controls (CIP-007 R4), and security monitoring and logging (CIP-007 R6). Because process and SCADA servers and workstations are often not suited to more conventional controls, electrical utilities may find it difficult to fulfill these requirements in an appropriate way. However, a relatively new set of solutions, dubbed “endpoint security” or “endpoint control,” shows great promise in helping utilities meet the requirements laid out in the NERC CIPs.

What is endpoint control?

While the term “endpoint control” may mean different things to different people, endpoint control products generally provide administrators with more granular control over the systems for which they are responsible. The first generation of these products includes anti-malware scanners, host-based firewalls, and other host-based software that can be configured to control access to removable media and the network. The second generation increases the ability of administrators to control the activities occurring on endpoint systems through the use of technologies such as application and process whitelisting.

A first-generation control product such as an anti-malware scanner relies on signature matching with a blacklist or else uses heuristic-based guessing to determine if an application or process should be allowed to run. By contrast, the whitelist approach adheres to the fundamental security tenet of denying by default all applications and processes except those that have been granted explicit permission to run. This approach both eliminates the chance that an unknown or unidentified process will be run and also gives administrators the capability to control processes at a much more granular level than was previously possible.


Endpoint control in process environments

Endpoint control products can provide significant benefits when implemented in process systems. For one thing, process environments are fairly static, with servers and workstations running only a limited number of pre-defined applications and services. In such an environment, endpoint control solutions that use application whitelisting can prevent unauthorized applications from ever executing.

If properly implemented, this level of control can protect these critical systems from threats that originate at the network, that may be introduced by removable media, or that are already resident on the system. Additionally, application whitelisting can eliminate the need for security patching because potential malware or exploits are prevented from ever running. This reduces the administrative burden of applying security patches and also minimizes the downtime of these critical systems. Finally, because no full-system malware scans ever need to be performed, a properly designed whitelisting solution has the potential to minimize the negative impact on system performance.

Of course, endpoint control solutions are just one piece in a multi-layer defensive strategy. An endpoint control solution will be unable to directly provide additional security to digital devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs). These PLCs and RTUs, which rarely have security controls more sophisticated than a password, are abundant in process networks, including within power plants and across the bulk power grid. In light of this reality, other logical controls, such as network segmentation and firewalls, should be deployed in addition to endpoint control solutions.


What to look for in an application whitelisting solution

As with any security product, the effectiveness with which the solution performs its task is the critical deciding factor. The most effective whitelisting solutions need to operate at the kernel level of the operating system in order to ensure that they cannot be undermined. This should give the additional advantage of allowing the solution to monitor and manage network-level activity.

Finally, no matter how well a security solution may enforce controls, it will not be completely effective if it is difficult to manage over a potentially large environment; for administrators, the management features of the solution are just as important as the security controls that it provides. These features should include the ability to configure multiple hosts as a group and apply policies remotely, as well as provide monitoring, logging, alerting, and reporting features.

Whitelisting software that meets both the security and the management requirements fills an important need for endpoint control that supports regulatory requirements in electric utilities.

The table below maps several NERC CIP requirements to important features of an application whitelisting solution.


Requirement: CIP-007-R2
Applicable excerpt: The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
Whitelisting solution feature: Network-level controls, based on integration with the operating system kernel, can act as a firewall and prevent communication over unauthorized ports or protocols.

Requirement: CIP-007-R3.2
Applicable excerpt: The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
Whitelisting solution feature: Application whitelisting solutions can act as a compensating control on unpatched systems because they prevent illicit activities such as the execution of unauthorized code and the exploitation of network services.

Requirement: CIP-007-R4
Applicable excerpt: The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Whitelisting solution feature: Application whitelisting can prevent any malware, known or unknown, from running on protected systems. Additionally, this solution provides superior performance compared to blacklisting solutions.

Requirement: CIP-007-R6
Applicable excerpt: The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
Whitelisting solution feature: Solutions should support management requirements, which include the ability to monitor, log, alert, and report on status and events.
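The following is an added illustration, not code from the paper or from any product it describes, of two points made above: the deny-by-default tenet from the "What is endpoint control?" section, and the group policy, logging and alerting features listed against CIP-007-R6 in the table. It is a minimal hash-based allowlist policy engine in Python; the host names, paths and "binary" contents are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone
# Constructed stand-ins for a process workstation's fixed applications (bytes = binary contents).
APPROVED_BINARIES = {
    r"C:\SCADA\hmi.exe": b"hmi build 4.2 (constructed)",
    r"C:\SCADA\historian.exe": b"historian build 1.9 (constructed)",
}

def fingerprint(contents: bytes) -> str:
    """Identify a binary by the SHA-256 of its bytes, not by its path or name."""
    return hashlib.sha256(contents).hexdigest()

def build_policy(group: str, hosts: list, approved: dict) -> dict:
    """Policy for a group of hosts; the allowlist is the only source of permission."""
    return {"group": group, "hosts": set(hosts),
            "allow": {fingerprint(b): p for p, b in approved.items()}}

def evaluate(policy: dict, host: str, path: str, contents: bytes, audit: list) -> bool:
    """Deny-by-default decision; every decision is appended to the audit log."""
    digest = fingerprint(contents)
    if host not in policy["hosts"]:
        decision, reason = "deny", "host not covered by policy"
    elif digest in policy["allow"]:
        decision, reason = "allow", "hash on allowlist"
    else:
        decision, reason = "deny", "hash not on allowlist"
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "host": host,
                  "path": path, "sha256": digest, "decision": decision, "reason": reason})
    return decision == "allow"

def denied_events(audit: list) -> list:
    """Denied executions are the events that should raise an operator alert."""
    return [e for e in audit if e["decision"] == "deny"]

def demo() -> dict:
    """Run constructed execution requests through the policy and summarise them."""
    policy = build_policy("plant-hmi", ["hmi-01", "hmi-02"], APPROVED_BINARIES)
    audit, hmi = [], APPROVED_BINARIES[r"C:\SCADA\hmi.exe"]
    results = {
        # Approved binary, unchanged: allowed.
        "approved": evaluate(policy, "hmi-01", r"C:\SCADA\hmi.exe", hmi, audit),
        # Same path but modified bytes (a tampered copy): denied, no signature needed.
        "tampered": evaluate(policy, "hmi-01", r"C:\SCADA\hmi.exe", hmi + b"x", audit),
        # Never-before-seen program from removable media: denied by default.
        "unknown": evaluate(policy, "hmi-02", r"E:\tool.exe", b"unknown (constructed)", audit),
        # A host outside the group gets no permissions from this policy.
        "other_host": evaluate(policy, "eng-07", r"C:\SCADA\hmi.exe", hmi, audit),
    }
    results["alerts"] = len(denied_events(audit))
    return results
```

Note that the tampered and unknown programs are blocked without any blacklist entry describing them, which is the contrast with signature-based scanners that the paper draws.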
