POWER May 2016 - 48

INSTRUMENTATION & CONTROL
2. Remote access attack. The Ukraine grid attack was made possible by a simple first step. Courtesy: Michael Toecker

generators, 24/7, always available, remote access by critical personnel can mean the difference between being in the red and being in the black.

Additionally, there are now service providers that offer remote services to support generators from afar. These services range from very mundane predictive maintenance to full engineering and control system work, all done via the Internet, all using some form of interactive remote access. Service providers in this area are even more interesting because they have the potential to access many different generation facilities remotely, and, presumably, use the passwords for that remote access from their own corporate systems.

Remote Access Vulnerability in Power Generation

When vulnerability assessments are conducted on generation systems, it's the North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP)-regulated entities that are the most resilient to this sort of attack. NERC requires two-factor authentication, a method stronger than just a password. The two-factor approach is very resistant to password stealing, as it requires a password plus access to a physical token (Figure 3). An attacker can steal the password by infecting your desktop system, but the physical token cannot be captured as easily. There are other means of providing two-factor authentication, but this is the standard NERC implementation used by many utilities and owners of power infrastructure.

3. A two-factor authentication token. Courtesy: Wikipedia Contributor Kharitonov

The physical token generates a unique string of numbers every 30 to 60 seconds. The unique numbers are the output of a time-based function, which is also stored and computed on your security systems. When users want remote access, they enter their username, password, and unique numbers. If all three are correct, then they are allowed into the system.

For generation facilities that are non-NERC, of which there are many, the vulnerability assessment is not as promising. Without the NERC requirements for two-factor authentication, many generation facilities have extremely poor security for their remote access, generally one of the methods shown in Figure 4.

Because the remote access infrastructure isn't a direct part of the revenue stream, generators treat remote access with a very casual attitude. On the one hand, they will often consider remote access to be a vital business need, paramount to maintaining production by allowing personnel to troubleshoot from anywhere, at any time. Then, often in the same breath, generation owners will refuse to invest in a reasonable and standards-based method of ensuring that their vital remote access is reliable and secure.

If engineers bought and installed protective relays with the same attitude used when buying infrastructure for remote control via the Internet, there would be more broken and unreliable generation facilities. A poor protection relay might work pretty well under normal conditions, but it would likely fail to protect equipment in a real-world event, where conditions are less predictable. The same goes for poor cybersecurity infrastructure. The industry has been lucky that motivated attackers are spending more time on credit cards and personal data than on compromising control systems.

The Vendor Challenge

Remote service providers/vendors actually present a larger risk than those existing at an individual power plant. Vendors who remotely access generation facilities usually have contracts with multiple facilities and routinely install their own methods for remote access to the site. Methods of access provided by remote vendors are often very poor. Vendor-installed remote access gains this distinction by a combination of:

■ Poor proposal requirements for security.
■ A vendor's need for fast, simple, and cheap, where security isn't welcome.
■ A budget need to award the support contract to the cheapest vendor.

Here's one example (some details have been changed to obscure the vendor and implementation). Years ago, I was conducting a vulnerability assessment at a facility where the remote access router had been installed for use by the facility's distributed control system (DCS) vendor. It used a strong virtual private network (VPN), the equivalent of a deadbolt on a good steel door, and used a physical key to enable and disable remote access. While it was not two-factor authentication, this was a reasonable method, on paper, for remotely accessing the facility. Vendor personnel would call in and request access, and an operator would "turn the key" in order to allow the vendor to access the systems. At the end of the need, the vendor would call back in and let the operator know to disable the remote access by literally turning the key to the lock position.

Problems with this method became apparent quickly:

■ Facility personnel routinely forgot to turn the remote access off, so it would stay enabled for months at a time, directly connected to the vendor's internal network via that same VPN connection.
■ The vendor would often forget to call the operators when the work was complete.
■ There were also no procedures specifying time limits for the remote access, nor any regular checks to ensure it was turned off when not in use.
■ The equipment was not open to inspection by the generator; it was part of a secret sauce in the remote support market.
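The key-switch story above fails on exactly two controls the article names as absent: a time limit on the access window and a regular check that the path is actually off. The following is an added example, not code from the article or from any vendor product, of what a minimal software gate for a vendor access path looks like when those two controls are present. It models the "turn the key" as a grant tied to a work order with a clamped expiry, and a periodic sweep that closes anything past expiry whether or not anyone remembered to call. The `_apply` hook, the vendor name, the work-order numbers and the four-hour policy value are assumptions constructed for the example; wiring `_apply` to a real router or VPN concentrator is site-specific.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy value constructed for this example; a real site sets it in its remote-access procedure.
DEFAULT_MAX_WINDOW = timedelta(hours=4)


@dataclass
class AccessGrant:
    """One 'turn of the key': who opened the vendor path, for which work order, and when it must close."""
    vendor: str
    opened_by: str
    ticket: str
    opened_at: datetime
    expires_at: datetime
    closed_at: Optional[datetime] = None
    closed_reason: Optional[str] = None

    def is_open(self) -> bool:
        return self.closed_at is None


@dataclass
class RemoteAccessGate:
    """Default-deny vendor access path with a hard time limit and a periodic sweep.
    _apply() is the assumed hook where a real deployment would enable/disable the device."""
    max_window: timedelta = DEFAULT_MAX_WINDOW
    grants: List[AccessGrant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def _apply(self, vendor: str, enabled: bool, when: datetime) -> None:
        state = "ENABLED" if enabled else "DISABLED"
        self.audit.append(f"{when.isoformat()} vendor={vendor} path={state}")

    def path_enabled(self, vendor: str) -> bool:
        """True while a grant is open on the device, even past expiry, until revoke() or sweep() runs.
        This is the gap the sweep interval has to cover."""
        return any(g.vendor == vendor and g.is_open() for g in self.grants)

    def grant_access(self, vendor: str, operator: str, ticket: str, now: datetime,
                     requested: Optional[timedelta] = None) -> AccessGrant:
        # Never stack a second, untracked grant on top of an open one.
        if self.path_enabled(vendor):
            raise ValueError(f"{vendor} already has an open access window")
        # Clamp to policy: a request for "30 days" still yields at most max_window.
        duration = min(requested or self.max_window, self.max_window)
        grant = AccessGrant(vendor, operator, ticket, now, now + duration)
        self.grants.append(grant)
        self._apply(vendor, True, now)
        return grant

    def revoke_access(self, vendor: str, now: datetime,
                      reason: str = "vendor reported work complete") -> bool:
        for g in self.grants:
            if g.vendor == vendor and g.is_open():
                g.closed_at, g.closed_reason = now, reason
                self._apply(vendor, False, now)
                return True
        return False  # nothing was open: the path was already disabled

    def sweep(self, now: datetime) -> List[AccessGrant]:
        """The 'regular check' the article says was missing: close every grant past its expiry."""
        expired = [g for g in self.grants if g.is_open() and g.expires_at <= now]
        for g in expired:
            g.closed_at, g.closed_reason = now, "expired (auto-closed by sweep)"
            self._apply(g.vendor, False, now)
        return expired
```

Run the sweep from a scheduler at an interval shorter than the policy window; the `audit` list is what an assessor would ask for in place of "we think it was turned off".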
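The "Remote Access Vulnerability in Power Generation" section describes the token mechanism in words: a time-based function shared between the token and the security system, a new value every 30 to 60 seconds, and a login that checks username, password and token value together. The code below is an added example written for this page, not the article's or any utility's implementation, showing that mechanism as the standard RFC 4226/6238 construction (HOTP/TOTP, HMAC-SHA1, 30-second step, 6 digits) with the server-side checks that matter: both factors are evaluated before any decision, and a token value is never accepted twice, so a code captured from a compromised desktop is useless after its one use. The secret is the RFC test secret, the usernames and passwords are constructed, and the in-memory user store stands in for whatever directory a real system uses.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# 20-byte secret from the RFC 4226 test vectors, used only as constructed sample input.
SAMPLE_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per token value (the article's "every 30 to 60 seconds")
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to a decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(time / step). The token and the server compute the same
    value because both hold the secret and both know the time."""
    return hotp(secret, unix_time // step, digits)


class TwoFactorAuthenticator:
    """Username + password + current token value, checked together.
    Refuses to accept a token value at or below the last one consumed, so a captured code
    cannot be replayed inside its validity window."""

    def __init__(self, step: int = TIME_STEP, window: int = 1):
        self.step = step
        self.window = window            # accept +/- this many steps of clock drift
        self._users: Dict[str, dict] = {}

    def enroll(self, username: str, password: str, secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            "secret": secret,
            "last_counter": -1,         # highest time-step counter already used for a login
        }

    def _password_ok(self, rec: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def login(self, username: str, password: str, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        rec = self._users.get(username)
        if rec is None:
            return False
        # Evaluate both factors before deciding, so the response does not reveal which one failed.
        pw_ok = self._password_ok(rec, password)
        code_ok, matched = False, None
        if code.isdigit():
            counter_now = now // self.step
            for delta in range(-self.window, self.window + 1):
                c = counter_now + delta
                if c <= rec["last_counter"]:
                    continue            # already consumed, or older than a consumed code: replay
                if hmac.compare_digest(hotp(rec["secret"], c), code):
                    code_ok, matched = True, c
                    break
        if pw_ok and code_ok:
            rec["last_counter"] = matched
            return True
        return False
```

The `window` parameter is the usual concession to token clock drift; keeping it at one step and recording `last_counter` is what keeps a leaked code from being reused by whoever captured it.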