Securing Substations and Power Grids with ICS Anomaly Detection

Date: July 25, 2017 By: Moreno Carullo and Heather MacKenzie

One of the findings of the recent SANS report “Securing Industrial Control Systems – 2017” is that the number one technology industrial organizations are looking to implement over the next 18 months is intrusion detection. Up until recently, detecting anomalies that might be caused by a cyberattack has been “mission impossible.”

That’s because industrial networks typically include equipment from a wide assortment of vendors, run thousands of real-time processes and generate huge volumes of data. Analyzing and monitoring this data to detect anomalies that might be caused by a cyberattack is beyond the resources and capabilities of most industrial operations or security teams.

Furthermore, IT security tools that do the same job, just don’t work for industrial systems. That’s because they are too complex, they introduce too much risk to reliability, and they simply do not support the wide range of protocols and technologies used in OT.

The good news is that a new generation of ICS cybersecurity tool is available for industrial intrusion detection. This article describes how our product, SCADAguardian does it, and gives an example of how it would detect and counter a cyberattack on a regional control center of an electric power utility.

Using-ICS-Anomaly-Detection-to-Protect-Substations-and-Power-Grids
Cyberattacks on energy systems have increased the urgency for implementing industrial intrusion detection. SANS survey respondents cite it as the top technology they would like to add in the next 18 months.

How ICS Anomaly Detection Detects Intruders and Cyber Risks

One of the most important advances in computer science in the last decade has been the significant development of artificial intelligence (AI) and machine learning techniques. This technology uses algorithms that iteratively learn from data rather requiring direct programming instructions for each decision or result generated. Breakthrough applications that use it include IBM’s Watson for cancer diagnosis, Google’s self-driving cars, and Amazon’s voice recognition home assistant, Alexa.

In the realm of industrial cybersecurity, as the risks from malware attacks and connecting more and more devices to networks increases, machine learning and AI “become a force-multiplier for supplementing scarce cyber security operations talent.

A good implementation of AI for ICS security requires not just the technology, however, but the insight and structure that our industrial security experts provide to make it effective. This knowledge is built on both the academic and standards work that our founders have done in the areas of critical infrastructure security and artificial intelligence, and on the real-world experience our team has gained through large-scale deployments.

Once our AI algorithms have been properly enabled, they rapidly analyze the huge volumes of network communication and process variable data that are extremely difficult to evaluate any other way. This “smart” data analysis is used to model an ICS, and develop process and security profiles specific to it. Once baselines are established, high speed behavioral analytics are used to constantly monitor them.

The result is the rapid detection of anomalies, including cyberattacks, cyber incidents and critical process variable irregularities. This information can be used to prevent, contain or mitigate cyber threats or process incidents before significant damage can occur. The data analysis itself is also invaluable in reducing troubleshooting and remediation efforts.

Sounds interesting? Great, let’s look at how this capability would work if a malicious entity conducts a cyberattack on a regional control center of an electricity supplier.

Detecting / Countering a Cyberattack on a Regional Control Center

Imagine that a threat actor conducts a cyberattack on a regional control center and gains access to its LAN. From the vantage point of inside the LAN, the attacker has visibility to hundreds of bay control units and can possibly control them, threatening, or causing a power outage.

Example-Solution-Architecture
If a threat actor obtains access to the LAN of a regional control center, they can gain visibility of substations and threaten or cause a power outage. Click on diagram to enlarge it.

SCADAguardian’s ICS anomaly detection would detect the threat, provide cyber resiliency, and accelerate forensics.

Here’s how:

  • SCADAguardian had previously modeled the industrial network including its components, connections and topology. Its advanced learning capabilities then developed baseline process and security profiles specific to the substations and power grid in question.
  • Once the profiles were established, the system automatically switched into protection mode (a capability we call Dynamic Learning), without operator action. This shortens the length of time without monitoring for anomalies and avoids human errors involved with determining when to switch from learning to protection modes.
  • When a threat actor accessed the regional control center LAN, SCADAguardian rapidly identified the suspicious activity.
  • A high-level incident would be immediately sent to the appropriate operators and SOC staff.
  • Staff would then execute the incident response plan, taking actions that prevent, contain or mitigate process disruption or information theft. When doing so, they would utilize the network diagrams, asset inventories and process information available from SCADAguardian’s various modules.
  • ICS incident replay using point-in-time system snapshots (a feature we call TimeMachine), and querying capabilities, would be used to accelerate forensic analysis post incident. (These capabilities are also helpful for proactive threat hunting.)

In addition to detecting intruders using anomaly detection, SCADAguardian also uses YaraRules and custom rules to identify threats. You can read about that in our blog on the Industroyer malware.

ICS Anomaly Detection – An Easy to Deploy Solution that Delivers Value Today

If the recent wave of ICS cyberattacks or malware disclosures has your organization wanting to deploy intrusion detection, I hope this article helps you understand how next generation, advanced solutions can help. In the case of SCADAguardian, its ICS “smarts” are under the hood. It only takes a simple SPAN or mirror port install to deploy, and then its dashboards and network visualization tools immediately start providing useful, actionable information.

Furthermore, SCADAguardian’s capabilities extend beyond intrusion detection to include network security monitoring, process variable anomaly detection, asset tracking and vulnerability management functionality, making it a comprehensive platform for real-time cybersecurity and operational visibility.

For more details on how our solution improves cybersecurity for substations and power grids, plus eight more anomaly detection use cases, don’t miss the white paper available below.

Related Content to Download

White Paper “Improving ICS Cybersecurity for Substations and Power Grids”


Improving ICS Cybersecurity for Substations and Power Grids Real-time ICS Anomaly Detection and Operational Visibility Use Cases

Read this paper to learn: Power grid cybersecurity technical challenges Sample architectures for cyber resiliency Cybersecurity uses cases Operational visibility uses cases How ICS anomaly detection improves cybersecurity

    

DOWNLOAD NOW


Related Links

Tagged , , , , , , , , , , ,