Containing Wireless Cyber Security Threats

Error message

  • Notice: Undefined index: browser in om_preprocess_html() (line 213 of /var/www/sites/automationworld.com/sites/all/themes/om/core/template.php).
  • Notice: Undefined index: browser in om_preprocess_html() (line 214 of /var/www/sites/automationworld.com/sites/all/themes/om/core/template.php).
  • Notice: Undefined index: version in om_preprocess_html() (line 214 of /var/www/sites/automationworld.com/sites/all/themes/om/core/template.php).

Containing Wireless Cyber Security Threats

Print
Proliferating use of wireless technologies sets up conflicts between the federal CIP standards and FCC regulations, say the authors of a newly available White Paper. To mitigate wireless cyber security risks, they recommend a defense-in-depth approach.
Electric utility operators already have their hands full in achieving compliance with mandatory federal Critical Infrastructure Protection (CIP) standards aimed at cyber security in the electric power industry. But when the use of wireless technologies is thrown into the mix, the problem gets even more complicated. In fact, according to the authors of a recent White Paper on the topic, the CIP standards are not only ambiguous on the use of wireless technologies, but also present potential conflicts with other federal regulations, such as those of the Federal Communications Commission (FCC).

The White Paper, titled “ Wireless System Considerations When Implementing NERC Critical Infrastructure Protection Standards ,” can be found at www.automationworld.com/whitepaper-5312
. NERC stands for North American Electric Reliability Corp., the organization charged with enforcement of the CIP standards. And while the White Paper discusses wireless security concerns specific to CIP and control centers in the electric power industry, many of the wireless issues it raises are applicable to other industries as well, as are the cyber-security “defense-in-depth” strategies that it recommends.

To get an overview of the issues, Automation World
spoke recently with three of the Paper’s seven co-authors: Wayne Manges, a program manager at the U.S. Department of Energy’s (DOE) Oak Ridge National Laboratory, in Oak Ridge, Tenn.; Teja Kuruganti, research-and-development staff member, Modeling and Simulation Group, at the same lab; and Tom Flowers, president of Flowers Control Center Solutions, in Todd Mission, Texas, and a control systems consultant who specializes in the energy sector. The Paper’s other four authors hail from the Oak Ridge National Lab or from the Pacific Northwest National Laboratory, in Richland, Wash.

That’s illegal!

The impetus for the paper grew out of the CIP standards requirement that utilities must “monitor and control” all electronic access to their electronic security perimeters. In the world of wired connectivity, there are a variety of tools available for accomplishing this task. But the current tools for monitoring and control of wireless electronic access are unavailable, undeveloped or less capable than those used for wired network systems, and some are even illegal, noted Flowers.

One case in point involves cellular phones, which can pose a particularly troublesome vulnerability in control system environments, the authors said. For instance, said Kuruganti, “Somebody could actually hook up a cell phone to their laptop and use it as a transmitter to haul data from a control center to a long-distance location, so that poses a covert threat.”

In certain cases, then, a utility operator might want to consider jamming a cell phone that was being used for covert activities in or around a control center, Manges suggested. But in the United States, that’s not an option, he observed, because the FCC prohibits cell phone jamming for any purpose. As Flowers put it, “When you’re dealing with wireless technology, things get very fuzzy very quickly, as far as what you’re capable of doing, what you’re allowed to do legally and the overall effectiveness of what you can do.”

It’s not practical for electric utility operators to require employees, vendors and others to check their cell phones, laptop computers and other wireless-enabled devices at the gate when they enter an electric power plant. And even if techniques such as cell phone jamming were legal in the United States, to do so within a control center environment could interfere with the legitimate use of the technology at the facility, Flowers pointed out.

But Flowers added that FCC regulations also prohibit certain kinds of research that might lead to better solutions. “Until some of those regulations are changed or addressed in some form or another, nobody is going to be doing any kind of research on how to be able to control wireless technology in the same way that is common practice for wired technology today, because it’s illegal,” he declared.

Here’s the problem

While the authors believe that federal legislation or changes in the regulatory requirements will ultimately be needed, the White Paper is only a first step, they said. “We’re certainly not going to get any legislation kicked off as a result of this [White Paper],” said Flowers. “But from an awareness standpoint, we felt it would be a step in the right direction to identify the issues—that the use of wireless in a secured, controlled arena is not like wired electronic access. It’s still electronic access, but it’s not the same, and you don’t have the same tools and abilities.”

To be sure, various tools do exist today to help combat wireless ...

Pages

Comments(0)

Add new comment

By submitting this form, you accept the Mollom privacy policy.

Follow Us

 

Newsletters

Click on any newsletter to view a sample.

 News Insights 
News & Analysis (2x Month)   Product Insights
Latest Automation Products (2x month)  TalkPoints
Automation Columnists (1x month) Feed Forward
Latest from Gary Mintchell (1x month)  Automation Focus
Sponsored white papers, videos and products (1x month)
Process Automation
Industry Trends & Applications (1x month)  Motion Control 
Machine & Motion Control (6x year)  Automation Skills
Improve Industry Skills (1x month)   Industrial Ethernet Review
Network Application of IE (4x year)
Packaging Automation Review
Trends in Packaging Automation (4x year)  Safety Automation Insights
The How & Why of Safety (6x year)

 

OPConnect Newsletter
OPC Foundation Developments (4x year) PROFInews NA
PI News in North America (6x year)
Totally Integrated Automation
Applications and News from TIA (1x month)  Automation Catalyst
Igniting Ideas to Solve Automation Challenges
 Manufacturing Intelligence
Your Source for Operation Trends (3x year)

Once monthly. Don’t miss intelligence crucial to your job and business! Click on any newsletter to view a sample.

 

Feedback Form