Part of the innovation driven by IP communications technologies in utility companies must include better forms of cyber security. Transitioning from one-way power grids to bi-directional smart grids to improve operational and customer service performance can only make sensitive data and programming that controls processes more vulnerable.
As part of the nation’s critical infrastructure, utility companies are prime targets for cyber attack. A January audit report by the Federal Energy Regulatory Commission on its Monitoring of Power Grid Cyber Security concluded that security “remains a critical area of concern.”
A report by Pike Research on Smart Grid Cyber Security, which identifies key issues that require attention if smart grids are to become secure, noted that “many Industrial Control Systems have seemed secure simply by being isolated from IT networks. The Stuxnet attacks demonstrated that USB memory sticks give attackers a convenient workaround for that lack of connectivity.”
In fact, devices used for air-gap data transfer can be misplaced, stolen, or infected with malware, such as the Stuxnet worm, and then carried onto a critical network, intentionally or accidentally. Even when connected systems and networks are fully compliant with the latest security standards, they still rely on DCOM-based access permissions and firewalls, which can be wrongly configured through human error or malicious intent.
Data diode technology offers an effective solution to achieve both the systems interoperability envisioned for smart grid and the cyber security needed to protect sensitive systems and data. A data diode is a security system for connecting networks with different security levels. It allows data to be sent from a process control network for information updates but physically prevents electronic access to that network.
Just as a diode in basic electronics allows current to flow in only one direction, data diode technology allows data to flow safely in one direction to connect the sensitive part of smart grid infrastructure with less secure systems and networks.
Data diode security does not contain decision logic, software or firmware that could compromise infrastructure. It eliminates opportunities for software malfunctions, malware, tampering and online attacks. It cannot be misconfigured, eliminating the potential for human error.
This technology can be easily implemented at OPC servers that connect data from PLCs, RTUs, meters, sensors, analyzers, distributed control systems and improvised devices for smart grid systems interoperability. It improves connectivity between process networks and back-office systems by eliminating the delays in information transfer associated with air gap procedures, which are neither continuous nor real time.
Information can be exchanged between a high-security network and less-secure information management systems in real-time for up-to-date business visibility and decision making affecting financial, operational and customer service performance—without exposing the bulk electric grid to cyber threats.
A European-based provider of data diode security has had its technology certified for the highest level of computer security (Evaluation Assurance Level 7) in compliance with the internationally recognized Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). The technology has been approved for connection of networks up to and including NATO secret and, in Europe, is increasingly used to upgrade the security of government networks. Security standards similar to those mandated by governments are needed for smart grid as well. This particular data diode technology supports all standard SCADA protocols including OPC, ICCP, DNP3 and Modbus.
The data diode technology is implemented with a hardware data diode, proxy servers, and software that provides data integrity (error detection and correction), data transfer synchronization, event logging and SNMP traps (on both sides of the data transfer), and a user interface for administrators and security auditors.
A one-way physical connection is made between the two servers to prevent data leakage and guarantee the security of the process control network. Each server has an easy-to-use web interface that allows authorized users to configure what information is to be transferred. As the physical connection between networks is one-way (hardware), malware will never compromise the security of the grid. One data diode can support transfers from multiple OPC servers. The basic solution can be augmented with additional application servers to add specific functionality to the one-way data transfer.
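The proxy-server behaviour described above has one defining constraint: the receiving side can never acknowledge or request a retransmission, so integrity checking and error correction must be done without a return channel. The following is an added illustration, not Fox-IT's product code; it assumes a simple frame format (magic, sequence number, CRC32) and plain repetition as the error-correction strategy, and feeds constructed OPC-style tag updates through a simulated lossy link.

```python
import struct
import zlib

MAGIC = b"DD1"                       # constructed frame marker (assumption)
HDR = struct.Struct("!3sIH")         # magic, sequence number, payload length

def frame(seq, payload):
    """Build one frame: header + payload + CRC32 over both."""
    body = HDR.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def send_oneway(messages, repeat=2):
    """Sender proxy: emit every frame `repeat` times. With no return path
    the sender can never learn of loss, so redundancy is its only remedy."""
    out = []
    for seq, msg in enumerate(messages, start=1):
        out.extend([frame(seq, msg)] * repeat)
    return out

def receive_oneway(frames):
    """Receiver proxy: verify integrity, drop duplicates, log gaps.
    Nothing here can talk back to the sender, only to the local log/SNMP."""
    delivered, events, expected = {}, [], 1
    for raw in frames:
        if len(raw) < HDR.size + 4:
            events.append("short frame dropped"); continue
        body, crc = raw[:-4], struct.unpack("!I", raw[-4:])[0]
        if zlib.crc32(body) != crc:
            events.append("crc mismatch dropped"); continue
        magic, seq, n = HDR.unpack_from(body)
        if magic != MAGIC or len(body) != HDR.size + n:
            events.append("malformed frame dropped"); continue
        if seq in delivered:
            continue                    # second copy of an already-delivered frame
        if seq > expected:
            events.append(f"gap: missing seq {expected}..{seq - 1}")
        delivered[seq] = body[HDR.size:]
        expected = max(expected, seq + 1)
    return [delivered[k] for k in sorted(delivered)], events

def demo():
    """Constructed OPC-style tag updates pushed across a lossy one-way link."""
    msgs = [b"tag=V_bus1;value=230.4", b"tag=V_bus2;value=229.8",
            b"tag=breaker7;state=closed"]
    link = send_oneway(msgs)
    del link[2]                         # link loses the first copy of message 2
    hit = bytearray(link[3]); hit[HDR.size] ^= 0xFF   # bit error in a copy of message 3
    link[3] = bytes(hit)
    return receive_oneway(link)
```

The hardware enforces direction; what the proxies are configured to forward is still a setting that administrators and auditors should review, which is why the receiver logs every dropped frame and sequence gap rather than silently tolerating them.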
A leading provider of data connectivity software for SCADA networks now offers data diode technology as another layer of security for power companies’ overall Defense-in-Depth strategies. When used with advanced OPC server software, data diode technology supports complete control over information browsing, reading, and writing on a per-user, per-access basis in smart-grid environments. Instead of relying only on global, DCOM-based, "all-or-nothing" system access permissions, power companies can have granular, role-based control over security to prevent unauthorized access to process data and programming controls, whether accidental or intentional.
Joost Bijl has been with Fox-IT since 2003, where he helped build the Plato IDS expert system and monitored customer networks for intrusions. He was also responsible for forensic investigations and penetration tests. In 2007 he switched to the Fox-IT Crypto unit to work as a project manager on security projects involving state secret information. As of 2010 Joost is responsible for the marketing of Fox-IT. Joost holds several certifications such as CISSP, CISA, CISM, NIMA-B and Prince2, and a Master's degree in telematics from the Technische Hogeschool Rijswijk in the Netherlands.
Edited by Rich Steeves