Securing the utility: Try this OT cybersecurity framework

In 2014, the US Department of Homeland Security reported that 40% of all reported cyber attacks targeted the energy industry.
Published: Mon 05 Feb 2018

Considering the high volume of older technology within electricity infrastructures, built from different proprietary equipment operating on different protocols, this stat is unsurprising. Given that the energy industry is considered critical infrastructure, it is also alarming.

The task of retrofitting the electric grid with new technology encompassing security dimensions such as authentication, authorisation and encryption is difficult: how can networks afford the downtime to do this, asks Mauricio Subieta, Cyber Security for Utilities Program Lead and Private LTE Solutions Engineer at Nokia.

The split between operational technology and information technology running with distinct mechanisms and mindsets also creates vulnerability, Subieta told Engerati in an interview.

While a normal IT infrastructure will have malware and end-point protection solutions, there is no equivalent operating system for operational infrastructure.

Think of a remote terminal unit that was installed 15 to 20 years ago, says Subieta. This network device is in an isolated location in the network and may not even be protected by username and password.

At the other end of the scale is the influx of industrial Internet of Things devices plugging into the grid. Their speed to market has meant that security mechanisms are lax and in some cases not standard, and individual deployed devices may lack properly configured parameters.

Against this challenging operational background, utility companies face the fear of attacks, outages, negative publicity, as well as regulatory pressure to minimise cybersecurity threats.

So what is the solution? Having a single-pane-of-glass and holistic view of the network are concepts that Subieta insists are essential for utilities managing mission-critical data.

In a whitepaper on the topic, Nokia outlines the benefits of applying a cognitive security framework to help mitigate the threats against operations, remote locations along the network and endpoints such as meters and sensors.

The research presents the benefits of a security framework backed by the International Telecommunication Union (ITU), the United Nations specialised agency for information and communication technologies, and follows regulatory requirements defined by the North American Electric Reliability Corporation (NERC).

Nokia Bell Labs has contributed to the creation of the ITU-T X.805 framework which considers controls for three security properties that need to be maintained - the confidentiality, availability and integrity of data and services.

By following this framework and utilising a set of overlapping controls, ITU believes that network operators have the tools to combat five key high-level threats:

  • Destruction - Destruction of information and/or network resources
  • Corruption - Unauthorised tampering with an asset
  • Removal - Theft, removal or loss of information or other resources
  • Disclosure - Unauthorised access to an asset
  • Interruption - Interruption of services; the network becomes unavailable or unusable

Nokia’s unprecedented traffic encryption flexibility

Data security control

Applying this to mission-critical utility communications, Nokia has mapped a solution that utilises frameworks such as X.805 and others to protect data traffic.

This includes one of the key components, multi-layer encryption, to protect at the IP/MPLS layer and transport layer using optical and microwave systems.

Nokia’s 7705 service aggregation router (SAR) utilises IP/MPLS as the principal communications infrastructure protocol, allowing operators to build “highly secure networks for resilient and reliable delivery of both critical operational and high-value business data”, states the paper.

Meanwhile, Nokia Network Group Encryption (NGE) provides end-to-end protection for data and control plane traffic in an Internet Protocol/multiprotocol label switching (IP/MPLS) network. One key benefit is providing a tiered approach to managing encryption keys depending on specific security policies to ensure nodes do not contain more critical information than is necessary.

The whitepaper outlines an example of a smart grid where distribution automation (DA) and field area networks (FAN) may be considered less critical than transmission or distribution substation networks.

So even if a cyber attack can penetrate the DA/FAN networks, the attacker still cannot access information on other parts of the network, therefore “limiting the intruder in scope thanks to key group domains and partitioning.”

This type of functionality is one way that a structured framework can reduce the security risk - alongside reducing the attack surface (see the whitepaper for more explanation).
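As an added illustration (not code from the whitepaper or from Nokia's NGE implementation), the following Python model shows what key group partitioning buys: each node holds only the keys of the key groups it belongs to, so a field device that is only in the DA/FAN group can neither read nor originate substation-domain traffic, and any tampered frame is rejected. The cipher is a stand-in toy (HMAC-SHA256 keystream with encrypt-then-MAC), and the node names, group names and messages are constructed for the example.

```python
import hashlib, hmac, os


def _keystream(key, nonce, length):
    """Toy HMAC-SHA256 counter-mode keystream; a stand-in for a real cipher, not NGE's."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(group_key, plaintext):
    """Encrypt-then-MAC under one key group's key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(group_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(group_key, nonce + body, hashlib.sha256).digest()


def unseal(group_key, blob):
    """Return the plaintext, or None if the tag fails (wrong group key or tampering)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(group_key, nonce + body, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(group_key, nonce, len(body))))


class Node:
    """A network element that holds only the keys of the key groups it is a member of."""
    def __init__(self, name, keys):
        self.name, self.keys = name, dict(keys)
    def send(self, group, msg):
        return seal(self.keys[group], msg)   # KeyError: node cannot originate that domain's traffic
    def receive(self, group, blob):
        key = self.keys.get(group)
        return unseal(key, blob) if key else None


def partition_demo():
    """Model the whitepaper's example: DA/FAN is a lower tier than the substation domain."""
    groups = {"da_fan": os.urandom(32), "substation": os.urandom(32)}   # constructed group keys
    field_rtu = Node("field-rtu", {"da_fan": groups["da_fan"]})          # DA/FAN domain only
    substation_gw = Node("substation-gw", groups)                        # member of both domains
    sub_frame = substation_gw.send("substation", b"STATUS POLL SUB-7")
    da_frame = substation_gw.send("da_fan", b"RECLOSER STATUS?")
    tampered = bytearray(sub_frame); tampered[20] ^= 0x01                # flip one ciphertext bit
    return {
        "rtu_reads_own_domain": field_rtu.receive("da_fan", da_frame) == b"RECLOSER STATUS?",
        "rtu_blocked_from_substation": field_rtu.receive("substation", sub_frame) is None,
        "gateway_reads_substation": substation_gw.receive("substation", sub_frame) == b"STATUS POLL SUB-7",
        "tampered_frame_rejected": substation_gw.receive("substation", bytes(tampered)) is None,
    }
```

Calling `partition_demo()` returns a dict in which every check is `True`; a `field_rtu.send("substation", ...)` call raises `KeyError`, which is the partitioning doing its job.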

The paper concludes that “employing a range of security controls from physical, technical and procedural categories based on the ITU-T X.805 and other security frameworks will effectively protect critical assets with a layered defence-in-depth approach.”

Nokia’s Subieta supports the framework as a way for utilities to pick security capabilities such as the right encryption component using a best-fit approach based on the network architecture.

The current challenge for utilities is to leverage all their infrastructure, knowledge and technology to bridge the gap between IT and OT networks, with the main goal to integrate security in a true end-to-end fashion involving both areas, and truly enabling a cognitive secure environment.