WP-022-2020: Risk assessment of physical attacks against field devices

This report assesses the risk of physical attacks against field devices to be able to select the right hardware security measures.

Increasingly vendors are including hardware security measures in smart grid field devices. Some are encrypting the external flash modules on smart meters. Some are using hardware security modules on data concentrators to encrypt key databases. And others are implementing secure boot through specialized chips on IEDs. Implementing such measures on field devices appears to make sense, as they are exposed to physical attacks.

Grid operators now have a choice of procuring devices with these features or not. Before evaluating the efficacy of such measures on mitigating attacks, this report first assesses the possible risk of field equipment being compromised.


WP-028-2020: Market survey of OT security sensors for substations

This report contains the results of a market survey on OT security sensors for substations.

In 2017, the ENCS ran a project on security monitoring for Operational Technology (OT) systems. In this project, ENCS did a market survey on new products specifically designed for OT. It showed that there were several network-based sensors on the market offering similar functions. They combined the functions of an anomaly-based intrusion detection system with a passive vulnerability scanner.

Many ENCS members are now using such OT security sensors. Most deploy them in their control center networks. Although in 2017 some vendors were already offering industrial PCs or embedded sensors that could be placed in field locations, the costs of such sensors were then prohibitively high.

But recent procurement projects at members have shown however prices have gone down considerably. It is now becoming economically feasible to deploy sensors in the internal networks of high voltage substations.

This raises the question if and how these OT security sensors could be used to effectively monitor the security of substations. ENCS has started a member project to answer this question. As a first step, a market survey was conducted.


WP-027-2020: Security measures for grid operators connecting to DER

This reports recommends security measuers for grid operators connecting to distributed energy resources (DER).

As alternative energy sources, such have wind, solar or heat, have become sustainable for small scale use, they are being placed in a wide variety of locations. These DER can be connected to high, medium, or low voltage grid. They can however cause congestion or quality problems in the electrical grid. To solve these problems, grid operators are connecting to the DER control systems to monitor and control their generation.

The connections to DER create new cyber-security risks for grid operators. By compromising the connections, attackers could send unauthorized curtailment commands to DER locations. If they manage to switch off enough locations, they could disrupt the grid balance. Additionally, the connections could be used as an entry point into grid operator systems. By first compromising a DER system, attackers may get into critical grid operator control systems, such as SCADA systems or substation automation systems.

This document recommends security measures for grid operators to protect the digital connections to DER and mitigate these new risks. The measures cover:

  • threats to the connection and information passing through it;
  • threats to grid operator systems through the DER connection;
  • interests that come into play in the new relationship between the grid operator and DER operator.

 


WP-024-2020: The risk of using web interfaces remotely

ENCS recommends to avoid remotely managing field devices, such as RTUs, gateways, and data concentrators, through a web interface. Engineers commonly use a web interface to configure and maintain devices, as they provide easy access. But by using it they may inadvertently help to spread attacks.

Attackers can hop from one field device to many others through the engineer’s web browser. The attack would consist of two steps, explained in this whitepaper:

  1. Physically attack one field device to insert code into the web interface
  2. Trick the browser into making unwanted changes on other devices

This type of attack is hard to counter, as attackers have many options for each step. It can have large impact, as it scales a physical attack on one device to many other devices. Hence, ENCS recommends managing field devices through other means than web interfaces.


WP-023-2020: Protecting distribution automation systems against physical attacks

This document provides a strategy for grid operators to protect distribution automation systems against physical attacks on field locations.

Grid operators rely on distribution automation to monitor and control their grid. Because of the increased use of renewables and electric vehicles, they need to understand what is going on in the medium and low voltage parts of the grid. So, they are placing remote terminal units (RTUs) at medium voltage substations or pole-top reclosers. The same RTUs can also allow quicker recovery from power outages by reconfiguring the grid.

But RTUs are difficult to protect against physical attacks. They are placed at medium voltage substations or pole-tops spread around a grid operator’s area. These cannot all be feasibly protected against break-ins. Yet, the RTUs do provide an entry point into the SCADA system to which they are connected.

Current RTUs are not designed to withstand physical attacks. On older RTUs, there may be accounts with default passwords or debug ports giving full access. On newer RTUs, these may be disabled. But determined attackers can obtain access by tampering with the boot process or programs stored in flash.

So, what can grid operators do to manage the risk of physical attacks on distribution automation RTUs? The best strategy is to harden the RTU itself as much as possible, while using the system architecture to limit the impact of determined attacks to a single location. This document describes this strategy. The strategy has been implemented in the 2020 version of the ENCS Security architecture for distribution automation systems and the Security requirements for procuring distribution automation RTUs


WP-021-2020: Security requirements for hardware security measures

This document gives requirements that grid operators can use to specify hardware security measures.

More vendors are including hardware security measures in smart grid field devices. For instance, some encrypt the external flash modules on smart meters. Some use hardware security modules to encrypt key databases on data concentrators. And others are implementing secure boot through specialized chips on RTUs and IEDs. Such measures are useful for field devices, as they are exposed to physical attacks.

But some measures may not mitigate the real security risks. Protecting keys stored on smart meters is not that important if meters have unique keys. Attackers can decrypt or use key databases on data concentrators if they gain access to a running device.

To get effective measures, grid operators should therefore include specific requirements. This document gives requirements for hardware security measures that grid operators can use tin their procurement documents.


WP-019-2019: Response to EU questionnaire on certification

On 2 December 2019, the EU commission held a meeting to assess the need for cyber-security certification of products, systems and services in the Energy sector under the Cybersecurity Act. In preparation to this meeting, they sent a questionnaire to the participants. This document contains the responses from ENCS to their questions.