
Don’t play cat and mouse with grid security


September 13, 2016 - 4 Comments

Many of us remember growing up watching the TV show Tom and Jerry. Tom always plots to capture Jerry, resulting in mayhem and destruction, but Tom rarely, if ever, manages to catch Jerry because of Jerry's cunning.

[Image: Tom and Jerry. Source: Google Play]

Jerry’s ability to beat Tom is more than just luck. It’s his understanding of the situation, planning, and execution that helps him constantly beat Tom at his own game.

Whenever I think of cybersecurity, the tale of Tom and Jerry fills my mind. Tom can be likened to black hat hackers – the bad guys who are always out there plotting ways to go after the good guys like Jerry.

As stakeholders in Jerry's position, we need to think through all the ways Tom can attack and plan ahead to reduce those risks.

Laying the foundation for robust grid security takes a team of trusted experts with deep knowledge of power systems engineering, current communication technologies, and evolving industry regulations (NERC/CIP).

Any security solution that is devised must be flexible enough to fit the existing IT/OT infrastructure and at the same time meet mandatory NERC/CIP compliance requirements, such as segregating control-system traffic from other traffic and prioritizing it.


One of the most common ways onto grid networks is through operating system vulnerabilities in the Windows or Linux hosts that run control-system software. With new vulnerabilities disclosed every month, OS vendors such as Microsoft and Red Hat release frequent updates. However, it is often not practical for IT and OT departments to roll these patches out across thousands of computers as soon as they appear, because many patches require reboots and therefore planned outages of control-system hosts.

Where a patch cannot be applied promptly, the gap can be narrowed with network-based controls such as firewalls and Intrusion Prevention Systems (IPS) whose rule sets cover the most common vulnerabilities and block exploit traffic before it reaches the unpatched host. This is a compensating control, not a replacement for patching: the vulnerability remains on the host until the patch is installed, so an IPS rule should be treated as a way to buy time until the next maintenance window, and the patch still has to follow.

Another key challenge utilities face is legacy SCADA protocols such as DNP3 and Modbus, which as originally specified have no built-in security mechanisms such as authentication or encryption: any device that can reach the controller's TCP port can read from it and write to it. (DNP3 Secure Authentication has since been added to the standard, but many fielded devices do not support it.) Left unprotected, this is an open invitation for a cyber-attack. Where the end devices cannot do it themselves, communication must be authenticated and encrypted at the network layer, for example by tunnelling traffic between substation and control-center gateways, and the set of hosts allowed to reach each device, and the operations they may perform, must be restricted.
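The two points above, that a network-based control can stand in front of a device it cannot patch, and that Modbus itself carries no credentials, can be seen together in a small inspector. The following Python script is an added example and is not code from the original post or from Cisco: it parses the Modbus/TCP MBAP header and PDU (note that there is no authentication field to parse), classifies the function code as a read or a write, and enforces a hypothetical per-source allowlist of the kind a firewall or IPS in front of a legacy device would apply. The IP addresses, policy table and frames are all constructed for the example.

```python
"""Added example (not from the original post): a minimal Modbus/TCP
inspector of the kind a network-based control would place in front of
legacy devices. All addresses, frames and policy entries are constructed
for illustration."""
import struct
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Function codes that change device state vs. those that only read it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU that follows it.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    Note what is absent: no field carries a credential of any kind, so whoever
    can deliver a well-formed frame to the Modbus port is "authenticated".
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # 'length' counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


# Hypothetical allowlist: source IP -> function codes it may issue.
# Only the SCADA master may write; the historian is read-only; anyone
# else is denied. This stands in for a firewall/IPS rule set.
POLICY: Dict[str, Set[int]] = {
    "10.1.1.10": set(READ_FUNCTIONS) | set(WRITE_FUNCTIONS),  # SCADA master
    "10.1.1.20": set(READ_FUNCTIONS),                          # historian
}


def decide(src_ip: str, frame: bytes,
           policy: Dict[str, Set[int]] = POLICY) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request frame from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    permitted = policy.get(src_ip)
    if permitted is None:
        return "deny", f"unknown source {src_ip}"
    name = (WRITE_FUNCTIONS.get(req.function)
            or READ_FUNCTIONS.get(req.function)
            or f"function code {req.function}")
    if req.function not in permitted:
        return "deny", f"{src_ip} may not issue {name} to unit {req.unit_id}"
    return "allow", f"{name} from {src_ip} to unit {req.unit_id}"


# Constructed frames, laid out as MBAP | function code | data.
# Write Single Coil, coil 1, value ON (0xFF00), unit 1.
WRITE_COIL_FRAME = bytes.fromhex("0001 0000 0006 01 05 0001 FF00")
# Read Holding Registers, start 0, count 10, unit 1.
READ_REGS_FRAME = bytes.fromhex("0002 0000 0006 01 03 0000 000A")
# Same write with a bogus protocol id: rejected at parse time.
BAD_PID_FRAME = bytes.fromhex("0003 0001 0006 01 05 0001 FF00")

if __name__ == "__main__":
    for src, frame in [("10.1.1.10", WRITE_COIL_FRAME),   # master writes: allow
                       ("10.1.1.20", WRITE_COIL_FRAME),   # historian writes: deny
                       ("10.1.1.20", READ_REGS_FRAME),    # historian reads: allow
                       ("192.0.2.77", READ_REGS_FRAME),   # stranger reads: deny
                       ("10.1.1.10", BAD_PID_FRAME)]:     # malformed: deny
        print(src, *decide(src, frame))
```

The check is deliberately limited to what is on the wire: source address, unit id and function code. That is exactly the position a firewall or IPS is in when the end device cannot authenticate its peer, which is why such a control narrows the exposure of a legacy device but cannot substitute for a protocol that authenticates the operator.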

At Cisco we bring together skills in IT, OT, communications and power systems to create comprehensive end-to-end security solutions for utility companies.

Learn more about our approach to grid security on the Cisco website.




4 Comments

  1. Did you know that DNP3 actually *does* have authentication baked in? DNP3-Secure Authentication v5 has been out since 2012 and version 6 is currently under development. Several major vendors have put SAv5 support in their products. Unfortunately, end users are very slow to adopt secure authentication. The same authentication method is in IEC 104, and 61850 as well.

    • Thanks Chris, as you rightly said, "end users are very slow to adopt secure authentication". This is because of the nature of the utility industry. Also, not all legacy devices will get updates from vendors, and with equipment upgrade cycles where 15 - 20 years is quite common, the best way to protect communications is by introducing network-based security measures such as firewalls, IPS and IDS. This not only secures these critical infrastructure devices but also makes it easier to manage security across an array of different vendors.

  2. Actually no. Cisco doesn't just bring it together...Cisco is the leading edge. You have read the Gartner report, you know the pros, cons, strengths, and cautions depicted in the Gartner report. Yes, SCADA is showing a little wear and tear for her age and it is time for Cisco to step up the game like no one else can. For example US CERT released a vulnerability advisory, Jerry Brown submitted a buffer overflow advisory and other reports are troubling. SAN has stepped in with a Best Practices white paper on the MDS 9500 and 9700 Multilayer Directors. Another player is the government, looking over the shoulder of NERC/CIP. Yes, you did mention them although they simply project power with lip service and intimidation; a proactive stance is the only answer and again Cisco comes forward. The moral of the cat and mouse game; CIP's v6. I enjoyed the piece Mr. Agarwal, I hope NERC is watching. There's a new Sheriff in town.

    • Barry, thanks very much for your comments! Certainly Cisco is bringing decades-long experience in Enterprise Security and combining it with OT-specific needs. For example, Cisco's Identity Services Engine can reach deep into the network to deliver superior visibility into who and what is accessing resources. Through the sharing of vital contextual data with technology partner integrations and the implementation of Cisco TrustSec® policy for software-defined segmentation, Cisco ISE transforms the network from simply a conduit for data into a security enforcer that accelerates the time to detection and time to resolution of network threats. Also, Cisco ISA3K with Firepower delivers an integrated threat defense across the entire attack continuum: before, during, and after an attack. It combines the proven security capabilities of the Cisco ASA Firewall with industry-leading Sourcefire® threat and advanced malware protection features in a single device. It has inbuilt SCADA signatures that can detect and prevent attacks on the electrical grid.