Securing SCADA networks in the power distribution sector is crucial to ensure the safe and reliable operation of the power grid. A major cyber attack on a SCADA network in the power distribution sector could result in widespread power outages that last for days or even weeks, causing significant economic damage and disruption to daily life. A cyber attack could also cause damage to critical infrastructure equipment, such as transformers and circuit breakers, resulting in costly repairs and replacement. In addition, a cyber attack could pose safety risks to workers and the public, such as by causing equipment to malfunction or operate in an unsafe manner.
Nation-state actors are a major threat today. These actors may have advanced capabilities and resources to launch sophisticated cyber attacks, causing significant damage to critical infrastructure and posing a threat to public safety. Protecting these networks against cyber threats is essential to ensure the continued operation and resilience of the country’s infrastructure, as well as to safeguard national security interests.
India’s power sector has been targeted by cyber attacks multiple times in recent years. With the rapid automation of the power sector, including the power distribution side, cyber attacks are a major concern. The Indian government has recognized the importance of cybersecurity in the power sector and has taken steps to improve cybersecurity in critical infrastructure, including the establishment of the National Critical Information Infrastructure Protection Centre (NCIIPC) and the development of cybersecurity guidelines for the power sector.
Vulnerabilities of SCADA Network in the Power Distribution Sector
The rollout of Remote Terminal Units (RTUs) across substations linked to a control room via an MPLS network poses several security threats that must be mitigated. These threats include unauthorized access, weak passwords, vulnerable software and firmware, lack of encryption, and the risk of insider threats posed by employees with access to the network.
Unauthorized access is a significant concern as it can be initiated by external hackers or malicious insiders. Strong access control policies, such as two-factor authentication, are necessary to prevent unauthorized access.
Weak passwords can also lead to unauthorized access. Organizations must enforce strong password policies and provide regular training to employees on how to create and maintain secure passwords.
Vulnerable software and firmware pose a risk of exploitation by attackers. Regular patching and updates are necessary to address known vulnerabilities and ensure that the latest security patches are installed.
Encryption is essential to protect sensitive data transmitted across the MPLS network. Organizations must ensure that all data is encrypted, especially data transmitted over the internet.
Insider threats posed by employees must be considered. Organizations must conduct background checks on employees and implement access control policies to limit access to critical systems. Regular employee training is also necessary to raise awareness of the risks associated with cybersecurity and the need for all personnel to remain vigilant against potential threats.
Major Cyber Attacks in the Power Sector
SCADA (Supervisory Control and Data Acquisition) networks are critical systems that manage and control industrial processes, including power plants, water treatment facilities, and transportation systems. These systems are often connected to the internet and other networks, making them vulnerable to cyber attacks. Here are some examples of reported cyber attacks on SCADA networks:
- Stuxnet (2010): One of the most well-known cyber attacks on SCADA networks is the Stuxnet worm, which targeted Iran’s nuclear program. Stuxnet was a sophisticated malware that exploited vulnerabilities in Siemens SCADA software to manipulate industrial processes and cause physical damage to Iran’s uranium enrichment centrifuges.
- Ukraine Power Grid Attack (2015): In December 2015, a cyber attack on Ukraine’s power grid caused a blackout that affected over 200,000 people. The attackers used malware to gain access to the SCADA network and manipulate the system to shut down power.
- Triton (2017): The Triton malware, also known as Trisis, was discovered in 2017 and was specifically designed to target industrial safety systems. The malware targeted a safety instrumented system (SIS) at a petrochemical plant in Saudi Arabia, which could have led to a catastrophic explosion.
- Colonial Pipeline (2021): In May 2021, a ransomware attack on the Colonial Pipeline, which supplies gasoline to the eastern United States, caused the company to shut down its pipeline for several days, leading to fuel shortages and price increases. The attackers used a phishing email to gain access to the company’s SCADA network and install ransomware.
Sourish Dey, Director at Trisim Global Solutions, a company offering cyber security solutions based out of Kolkata, India, said: “These attacks demonstrate the severity of the cyber security risks associated with SCADA networks. As these networks become increasingly interconnected and accessible, power utilities must remain vigilant and implement robust cyber security measures to prevent attacks and protect critical infrastructure. Compromise may result in jeopardizing national security.”
Major vulnerabilities in SCADA equipment reported in the past
In February 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported major vulnerabilities in SCADA equipment manufactured by leading OEMs and said: “Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay. This could result in loss of protection to your electrical network.”
Here are some examples of reported vulnerabilities in SCADA equipment from various OEMs:
- Siemens: In 2012, a vulnerability was discovered in Siemens’ WinCC SCADA software, which allowed attackers to gain remote access to the system and execute arbitrary code. This vulnerability was exploited in the Stuxnet attack.
- Schneider Electric: A vulnerability was discovered in Schneider Electric’s Modicon M221 PLCs, which allowed attackers to remotely execute arbitrary code and take control of the system. The vulnerability was caused by a lack of input validation in the firmware. (Source: https://www.cisa.gov/news-events/ics-advisories/icsa-19-136-01)
- GE Digital: In 2018, a vulnerability was discovered in GE Digital’s iFIX SCADA software, which allowed attackers to remotely execute arbitrary code and take control of the system. The vulnerability was caused by a lack of authentication and encryption in the software. (Source: https://www.cisa.gov/news-events/ics-advisories/icsa-21-040-01)
- Rockwell Automation: In 2020, a vulnerability was discovered in Rockwell Automation’s Logix controllers, which allowed attackers to remotely execute arbitrary code and take control of the system. The vulnerability was caused by a flaw in the firmware that allowed attackers to bypass the authentication mechanism. (Source: https://www.cisa.gov/news-events/ics-advisories/icsa-22-342-03)
These examples demonstrate that vulnerabilities can exist in SCADA equipment from different OEMs. To mitigate the risk of exploitation, organizations must stay up-to-date with the latest security patches and updates, conduct regular vulnerability assessments, and implement robust security measures, such as network segmentation, access control policies, and encryption. It is also essential to work with OEMs that prioritize security and regularly release security updates to address known vulnerabilities.
Guidelines to be considered for Cyber Security
Indian Computer Emergency Response Team (CERT-In) guidelines: CERT-In provides guidelines and best practices for securing IT systems and networks in India. These guidelines cover various aspects of cybersecurity, including network security, access control, incident response, and security auditing.
Information Technology (IT) Act, 2000: This is the primary law governing cybersecurity and e-commerce in India. The act provides legal recognition for electronic transactions, digital signatures, and other related areas. It also includes provisions for cybersecurity, such as unauthorized access to computer systems, data theft, and hacking.
ISO/IEC 27001: This is the internationally recognized standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving information security management in an organization. Following this standard can help ensure the confidentiality, integrity, and availability of information assets.
NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a set of guidelines for improving cybersecurity risk management in critical infrastructure sectors, including the energy sector. It provides a framework for organizations to manage and reduce their cybersecurity risk in a structured and cost-effective way.
Infrastructure to build cyber resilience for a SCADA Network in the Power Distribution Sector
A bill of materials (BOM) for a cybersecurity project in the power distribution sector involving the rollout of RTUs across substations linked to a control room over an MPLS network would typically include the following components:
- Firewall: A core firewall and perimeter firewall are necessary to secure the network and prevent unauthorized access. A core firewall is installed internally to segment and secure different subnets within the SCADA network, while a perimeter firewall is installed at the network boundary to protect the network from external threats. Firewalls capable of deep packet inspection, intrusion prevention, and malware detection are essential for protecting against cyber attacks targeting the SCADA network.
- Anti-APT solution: Advanced persistent threats (APTs) are a significant threat to power SCADA networks. An anti-APT solution is necessary to detect and prevent these sophisticated attacks that may evade traditional security measures. Such a solution may include behavioral analysis, machine learning, and other advanced techniques to identify anomalous behavior and prevent data exfiltration.
- Threat Intelligence: Threat intelligence solutions gather information on emerging threats and vulnerabilities in real-time. Power SCADA networks face a wide range of cyber threats, and timely access to threat intelligence is essential for proactive threat detection and response. Threat intelligence may also help organizations stay up-to-date with new malware, phishing campaigns, and other threats targeting power systems.
- Antivirus and Anti-malware software: Antivirus and anti-malware software should be installed on all endpoints, including servers and workstations, to protect against malware and other cyber threats. Power SCADA networks may be targeted by various types of malware, such as ransomware, trojans, and rootkits. Antivirus and anti-malware software can help prevent these attacks and protect against data loss and downtime.
- Patch management system: A patch management system is necessary to ensure that all software and firmware are up-to-date and that known vulnerabilities are addressed promptly. Power SCADA networks may use various types of software and firmware, and regular updates are essential to maintain security and prevent exploitation of known vulnerabilities.
- Security Information and Event Management (SIEM) system: A SIEM system is necessary to collect and analyze security-related data from various sources in real-time. SIEM systems provide advanced log management, threat detection, and incident response capabilities, enabling organizations to quickly detect and respond to security incidents. For power SCADA networks, real-time monitoring and alerts are critical for maintaining operational resilience and preventing downtime.
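The segmentation enforced by the core firewall and the real-time correlation expected of a SIEM are easier to reason about with a concrete detection pass. The following is an added example, not code from the article or from any product it names: a small Python script that runs two detections over constructed log records from an RTU-to-control-room network. The first flags segmentation violations (traffic reaching the RTU subnet from outside the control-room subnet, or on a port other than the SCADA protocol ports), which covers the unauthorized-access threat discussed earlier under Vulnerabilities. The second flags repeated failed RTU logins from one source within a short window, the pattern a weak-password guessing attempt leaves in logs. The subnets (10.10.0.0/24 for the control room, 10.20.0.0/24 for RTUs), the ports (20000 for DNP3 over TCP, 2404 for IEC 60870-5-104), the thresholds and the log format are all assumptions made for this example.

```python
"""Added example: a minimal SIEM-style correlation pass over constructed
SCADA network log records (not the article's or any vendor's code).

Detections:
  1. segmentation: a connection reaching the RTU subnet from a host outside the
     control-room subnet, or on a port that is not a SCADA protocol port;
  2. bruteforce: FAIL_THRESHOLD or more failed RTU logins from one source
     inside FAIL_WINDOW (weak-password / unauthorized-access risk).
Subnets, ports, thresholds and log format are assumptions for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed network layout (illustrative only).
CONTROL_ROOM = ipaddress.ip_network("10.10.0.0/24")
RTU_SUBNET = ipaddress.ip_network("10.20.0.0/24")
SCADA_PORTS = {20000, 2404}  # DNP3 over TCP, IEC 60870-5-104 (assumed)

FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=2)


@dataclass(frozen=True)
class Alert:
    kind: str    # "segmentation" or "bruteforce"
    source: str  # offending source IP
    detail: str


def parse_line(line: str) -> dict:
    """Parse one constructed record: '<iso-ts> <conn|auth> <src> <dst> <port> <outcome>'."""
    ts, kind, src, dst, port, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "src": src,
            "dst": dst, "port": int(port), "outcome": outcome}


def segmentation_alerts(events: list[dict]) -> list[Alert]:
    """Flag connections to RTUs that the core firewall policy should not allow."""
    alerts = []
    for e in events:
        if e["kind"] != "conn":
            continue
        src = ipaddress.ip_address(e["src"])
        dst = ipaddress.ip_address(e["dst"])
        if dst not in RTU_SUBNET:
            continue  # only RTU-bound traffic is policed here
        if src not in CONTROL_ROOM:
            alerts.append(Alert("segmentation", e["src"],
                                f"non-control-room host reached RTU {e['dst']}:{e['port']}"))
        elif e["port"] not in SCADA_PORTS:
            alerts.append(Alert("segmentation", e["src"],
                                f"non-SCADA port {e['port']} to RTU {e['dst']}"))
    return alerts


def bruteforce_alerts(events: list[dict]) -> list[Alert]:
    """Sliding window over failed logins, one alert per offending source."""
    alerts = []
    fails: dict[str, list[datetime]] = defaultdict(list)
    flagged: set[str] = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] != "auth" or e["outcome"] != "fail":
            continue
        window = fails[e["src"]]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > FAIL_WINDOW:
            window.pop(0)  # drop failures that fell out of the window
        if len(window) >= FAIL_THRESHOLD and e["src"] not in flagged:
            flagged.add(e["src"])
            alerts.append(Alert("bruteforce", e["src"],
                                f"{len(window)} failed RTU logins within {FAIL_WINDOW}"))
    return alerts


def analyse(lines: list[str]) -> list[Alert]:
    events = [parse_line(l) for l in lines if l.strip()]
    return segmentation_alerts(events) + bruteforce_alerts(events)


# Constructed sample log: two legitimate polls, one engineering host outside
# the control room reaching an RTU, a telnet attempt from the control room,
# five failed logins in 40 seconds from that same host, and one isolated failure.
SAMPLE_LOG = """\
2024-01-15T08:00:00 conn 10.10.0.5 10.20.0.11 20000 allow
2024-01-15T08:00:05 conn 10.10.0.5 10.20.0.12 2404 allow
2024-01-15T08:01:00 conn 192.168.50.7 10.20.0.11 20000 allow
2024-01-15T08:01:30 conn 10.10.0.9 10.20.0.11 23 allow
2024-01-15T08:02:00 auth 10.10.0.9 10.20.0.11 22 fail
2024-01-15T08:02:10 auth 10.10.0.9 10.20.0.11 22 fail
2024-01-15T08:02:20 auth 10.10.0.9 10.20.0.11 22 fail
2024-01-15T08:02:30 auth 10.10.0.9 10.20.0.11 22 fail
2024-01-15T08:02:40 auth 10.10.0.9 10.20.0.11 22 fail
2024-01-15T08:10:00 auth 10.10.0.5 10.20.0.11 22 fail
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{alert.kind}] {alert.source}: {alert.detail}")
```

Run against the sample, the script raises three alerts: a segmentation alert for 192.168.50.7 (an RTU reached from outside the control-room subnet), a segmentation alert for 10.10.0.9 (telnet to an RTU, a port the policy does not permit), and a brute-force alert for 10.10.0.9 after its fifth failed login; the single failure from 10.10.0.5 stays below the threshold. In a real deployment the firewall "allow" on those two connections is itself the finding: the SIEM rule tells you the core firewall policy is looser than the intended segmentation, which is the check worth wiring into the BOM above.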
Deploying cyber security equipment and solutions is not enough
- Identify training needs: Organizations should assess the cybersecurity knowledge and skills of their employees to determine the areas in which training is required. SCADA system operators, network administrators, and other employees with access to critical systems should receive specialized training to address the unique risks associated with these systems.
- Conduct regular security assessments: Organizations should conduct regular security assessments to identify vulnerabilities and gaps in the network’s security architecture. The assessment should be conducted by an independent third party to ensure objectivity and thoroughness.
- Develop an incident response plan: Organizations should develop an incident response plan that outlines the steps that need to be taken in the event of a cyber attack. The plan should include contact information for key personnel, procedures for notifying stakeholders, and guidelines for containing and remediating the attack.
- Conduct regular drills: Regular drills should be conducted to test the effectiveness of the incident response plan. These drills can help identify areas for improvement and ensure that the organization is prepared to respond to a real-world cyber attack.