The White Paper, titled “Wireless System Considerations When Implementing NERC Critical Infrastructure Protection Standards,” can be found at www.automationworld.com/whitepaper-5312. NERC stands for North American Electric Reliability Corp., the organization charged with enforcement of the CIP standards. And while the White Paper discusses wireless security concerns specific to CIP and control centers in the electric power industry, many of the wireless issues it raises are applicable to other industries as well, as are the cyber-security “defense-in-depth” strategies that it recommends.
To get an overview of the issues, Automation World spoke recently with three of the Paper’s seven co-authors: Wayne Manges, a program manager at the U.S. Department of Energy’s (DOE) Oak Ridge National Laboratory, in Oak Ridge, Tenn.; Teja Kuruganti, research-and-development staff member, Modeling and Simulation Group, at the same lab; and Tom Flowers, president of Flowers Control Center Solutions, in Todd Mission, Texas, and a control systems consultant who specializes in the energy sector. The Paper’s other four authors hail from the Oak Ridge National Lab or from the Pacific Northwest National Laboratory, in Richland, Wash.
The impetus for the paper grew out of the CIP standards requirement that utilities must “monitor and control” all electronic access to their electronic security perimeters. In the world of wired connectivity, there are a variety of tools available for accomplishing this task. But for wireless electronic access, Flowers noted, the equivalent tools are either unavailable, still undeveloped or less capable than their wired counterparts, and the use of some of them is illegal.
One case in point involves cellular phones, which can pose a particularly troublesome vulnerability in control system environments, the authors said. For instance, said Kuruganti, “Somebody could actually hook up a cell phone to their laptop and use it as a transmitter to haul data from a control center to a long-distance location, so that poses a covert threat.”
In certain cases, then, a utility operator might want to consider jamming a cell phone that was being used for covert activities in or around a control center, Manges suggested. But in the United States, that’s not an option, he observed, because the FCC prohibits cell phone jamming for any purpose. As Flowers put it, “When you’re dealing with wireless technology, things get very fuzzy very quickly, as far as what you’re capable of doing, what you’re allowed to do legally and the overall effectiveness of what you can do.”
It’s not practical for electric utility operators to require employees, vendors and others to check their cell phones, laptop computers and other wireless-enabled devices at the gate when they enter an electric power plant. And even if techniques such as cell phone jamming were legal in the United States, to do so within a control center environment could interfere with the legitimate use of the technology at the facility, Flowers pointed out.
But Flowers added that FCC regulations also prohibit certain kinds of research that might lead to better solutions. “Until some of those regulations are changed or addressed in some form or another, nobody is going to be doing any kind of research on how to be able to control wireless technology in the same way that is common practice for wired technology today, because it’s illegal,” he declared.
Here’s the problem
While the authors believe that federal legislation or changes in the regulatory requirements will ultimately be needed, the White Paper is only a first step, they said. “We’re certainly not going to get any legislation kicked off as a result of this [White Paper],” said Flowers. “But from an awareness standpoint, we felt it would be a step in the right direction to identify the issues—that the use of wireless in a secured, controlled arena is not like wired electronic access. It’s still electronic access, but it’s not the same, and you don’t have the same tools and abilities.”
To be sure, various tools do exist today to help combat wireless cyber security threats to critical control center assets, said the authors. Radio frequency (RF) detection systems can be constructed to monitor activity across multiple frequency bands and search for unauthorized access and suspicious activity patterns, at a cost that Kuruganti called “moderately expensive.” Commercial products from companies such as AirDefense and Cisco, as well as the open-source Kismet sniffer, can be used to monitor, locate and control Wi-Fi communication, he added. But as noted in the White Paper, “commercial solutions may not be available for ZigBee, WirelessHART or ISA100 [other wireless standards] for many years.”
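The monitoring described above comes down to comparing what the RF sensors see against what the site has authorized. The following is an added example written for this article, not code from the White Paper or from any of the products it names. It assumes a constructed scan format (bssid,ssid,channel,rssi_dbm), a constructed authorized-access-point inventory, and a constructed signal-strength threshold (-60 dBm) as a rough proxy for “inside the perimeter”; a real deployment would feed it records exported from a sensor such as Kismet or a commercial system. It flags the cases the authors raise: unknown transmitters, a personal phone acting as a hotspot, an “evil twin” that impersonates an authorized SSID, and an authorized access point that has drifted from its documented configuration.

```python
"""Rogue wireless transmitter check over constructed scan records.

Added illustration for the Automation World article on the NERC CIP wireless
White Paper. Record format, inventory and thresholds are all constructed here
and are assumptions, not the White Paper's method or any vendor's format.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed authorized inventory: BSSID -> (documented SSID, documented channel).
AUTHORIZED: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:55": ("PLANT-OPS", 6),
    "00:11:22:33:44:66": ("PLANT-OPS", 11),
}

# Constructed: a signal at least this strong is treated as probably on-site.
NEAR_DBM = -60

# Constructed: SSID fragments typical of phone tethering / personal hotspots.
HOTSPOT_TOKENS = ("iphone", "android", "hotspot", "galaxy")

# Constructed sample scan lines: bssid,ssid,channel,rssi_dbm
SAMPLE_SCAN = """
# bssid,ssid,channel,rssi_dbm
00:11:22:33:44:55,PLANT-OPS,6,-45
00:11:22:33:44:66,PLANT-OPS,1,-50
AA:BB:CC:DD:EE:01,PLANT-OPS,6,-52
AA:BB:CC:DD:EE:02,Visitor iPhone,11,-58
AA:BB:CC:DD:EE:03,CoffeeShop-Guest,1,-82
""".strip().splitlines()


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


def parse_scan(lines: List[str]) -> List[Observation]:
    """Parse the constructed CSV lines, skipping blanks and '#' comments."""
    out: List[Observation] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, ch, rssi = [f.strip() for f in line.split(",")]
        out.append(Observation(bssid.lower(), ssid, int(ch), int(rssi)))
    return out


def classify(obs: Observation,
             authorized: Dict[str, Tuple[str, int]] = AUTHORIZED) -> List[str]:
    """Return a list of findings for one observation (empty = looks normal)."""
    findings: List[str] = []
    known_ssids = {ssid for ssid, _ in authorized.values()}
    entry = authorized.get(obs.bssid)

    if entry is None:
        # Unknown radio. Is it impersonating one of our networks?
        if obs.ssid in known_ssids:
            findings.append("evil-twin: authorized SSID from unknown BSSID")
        else:
            findings.append("unknown transmitter")
        if any(tok in obs.ssid.lower() for tok in HOTSPOT_TOKENS):
            findings.append("likely personal hotspot (cell-phone tethering)")
        if obs.rssi_dbm >= NEAR_DBM:
            findings.append("strong signal: probably inside the perimeter")
    else:
        # Known radio: check it still matches the documented configuration.
        ssid, channel = entry
        if obs.ssid != ssid:
            findings.append("authorized BSSID broadcasting unexpected SSID")
        if obs.channel != channel:
            findings.append("authorized BSSID on unexpected channel")
    return findings


def report(lines: List[str]) -> Dict[str, List[str]]:
    """Map each BSSID that produced findings to its list of findings."""
    result: Dict[str, List[str]] = {}
    for obs in parse_scan(lines):
        findings = classify(obs)
        if findings:
            result[obs.bssid] = findings
    return result


if __name__ == "__main__":
    for bssid, findings in report(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(findings))
```

The weak-signal CoffeeShop-Guest record is reported only as an unknown transmitter, which is the point of the RSSI check: a neighbor's network is noise, while an unknown radio heard at -52 dBm inside a control center is something a security operator should walk over and look at.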
Wireless security threats can come not only through covert activities, of course, but also through approved and inadvertent use of wireless technologies within a control system environment. Several examples are described in the Paper.
Given today’s environment, the authors believe that the best approach to containment of wireless cyber security threats is a defense-in-depth methodology. The approach comes directly out of research that was done at the DOE’s National SCADA Test Bed program, in collaboration with several National Labs, Manges said. The basic idea, he explained, was finding a way to “build a secure system with unsecure components.”
The resulting “onion skin” approach, as Manges called it, involves multiple layers of defense, including personnel controls, physical controls, wireless network controls, wired network controls and containment measures. It has been mathematically shown that an improvement made to one layer results in a linear gain in the degree of protection, Manges noted. But additional layers greatly increase wireless cyber security, he said. “Your level of protection goes up exponentially with the number of layers you have, vs. just improving a single layer.” The defense-in-depth approach is described in detail in the White Paper.
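As an added illustration of the “linear vs. exponential” comparison (this is not taken from the White Paper, and it rests on the assumption that the layers fail independently of one another): if layer $i$ is bypassed with probability $p_i$, an attacker defeats all $n$ layers with probability

$$P_{\text{bypass}} = \prod_{i=1}^{n} p_i .$$

Hardening a single layer so that $p_j$ falls to $p_j / k$ divides $P_{\text{bypass}}$ by that same factor $k$, a gain that is linear in the improvement to that layer. Adding a layer instead multiplies $P_{\text{bypass}}$ by a new factor $p_{n+1} < 1$, so with $n$ comparable layers $P_{\text{bypass}} = p^{\,n}$, which falls exponentially in $n$. The independence assumption is what makes this work: two layers that share a failure mode (the same credential, the same management network, the same vendor default) do not multiply, so a practitioner counting layers should also check that each one fails for a different reason.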
To hear a podcast interview with co-authors Tom Flowers, Wayne Manges and Teja Kuruganti, please visit www.automationworld.com/podcast-5311.