Cyber attacks continue to increase in sophistication and severity. Sophisticated, targeted ransomware is the pervasive “hot, new” threat, using attack tools and techniques that were the sole domain of nation-state adversaries only a couple of years ago. This suggests that what are today’s nation-state attacks will be tomorrow’s pervasive threat. The steadily worsening threat environment demands a clear response with firm decisions to upgrade the security of all developed nations’ cyber defences for critical infrastructures.
With an average growth of 4% per year, hydropower is the leading renewable source for electricity generation – globally supplying 71% of all renewable electricity. Today, hydropower offers not only clean energy, but its infrastructure is also used for freshwater management, such as water supply and flood management. The importance of hydropower has increased significantly in the past decade, leading to the adoption of innovative technology, advanced control systems, and stronger equipment. All of this makes protecting hydro power installations from cyber assaults even more important.
When malicious attacks gain access to an industrial control system, they are able to sabotage industrial control and safety processes, leading to costly outages, damaged equipment, threats to personnel safety or even environmental disasters. While there are statistically fewer cyber attacks on industrial control systems than on enterprise systems, the severity of the attacks continues to increase. The TRITON attack compromised safety instrumented systems. The transmission system attack in the Ukraine targeted protective relays, apparently seeking to damage high-voltage transformers. NotPetya managed, in only minutes, to cripple the world’s third-largest shipping firm for days.
The problem with software
Classic cyber defences are of limited effectiveness against steadily evolving threats. All connections through firewalls are bi-directional once established, and therefore permit data and communications to pass from untrusted to protected networks – both legitimate communications and cyber attacks as well. Security updates are very costly to test and install on industrial networks, and any mistake in the installation process can lead to the very production outages our security program is designed to prevent. And the now-pervasive enterprise security monitoring, intrusion detection, and incident response and recovery programs are reactive, not preventive measures.
The challenge before us is significant. We must secure the safe, reliable, and continuous operation of hydropower control, protection and safety networks from threats originating on external, less trusted networks. We must do this while continuing to provide real-time access to operations data for enterprise users and applications, system and equipment vendors, and other third parties. This is a problem.
For thirty years computers have become steadily more powerful and cheaper, and as a result, more ubiquitous. All computers run software and all software has defects and vulnerabilities. Ubiquitous computing means a steadily increasing number of targets for cyber attack. An equally important trend for the last thirty years has been increasingly widespread communications and connectivity. But all cyber attacks are information, and so it follows that any communications channel which transmits information also transmits attacks. This means we are faced with not only a steadily increasing supply of targets, but also with steadily increasing opportunities for such attacks in the form of increased communications.
A robust solution
All of these factors combine to make unidirectional gateway technology a cybersecurity solution that is becoming very important in hydropower generation. Unidirectional gateways contain both hardware and software components. The hardware components are physically able to send information in only one direction – from a hydropower plant network into an external network, such as an enterprise network or the Internet. The software components in the gateways replicate servers and emulate devices. Enterprise and other external users interact normally and bi-directionally with the unidirectional replicas, and so have access to real-time production, equipment usage and other vital operations data.
Thoroughly secured hydro automation networks are increasingly deploying unidirectional gateway technology at their IT/OT interfaces, instead of or in addition to firewalls. The substitution is straightforward, since enterprise users can interact normally with replica servers, databases and devices on the enterprise network. The substitution offers a dramatic increase in security. Since unidirectional gateways are physically unable to transmit any information into a protected network, they are physically unable to transmit any attacks into that network either. It does not matter how sophisticated cyber attacks continue to become – no “zero day vulnerability” or stolen password or attack tool can change the physical properties of the gateways. In this sense, unidirectional protection is future-proof.
The usual questions
Waterfall Security Solutions has been providing our Unidirectional Security Gateways and associated technology to dams and hydropower facilities around the world for over a decade. This level of experience with the sector allows for proactive Q&A. For example: many practitioners not familiar with the technology ask how can turbine vendors remotely monitor and adjust turbines when vibration anomalies build up? While unidirectional communications might seem to rule out remote support, this is not the case.
There are several options for unidirectional remote support. The most popular is a technology called Remote Screen View (RSV). RSV is software that runs on a unidirectional gateway and associated industrial equipment. When enabled, RSV starts taking pictures of the screens of industrial workstations, in a manner analogous to the ubiquitous Remote Desktop tool. Vendor personnel can see the screens of these workstations as the screens change in real time and can provide real-time advice over the phone to plant engineers. Vendor support engineers see the process as one of supervising plant personnel in the course of a complex adjustment, to make sure the adjustment is carried out according to vendor procedures. Plant personnel see the process differently – they see it as one of supervising and documenting what vendor personnel are doing to the plant’s equipment. Both perspectives are valid, and both are supported by the RSV technology.
A way forward
The benefits of deploying Unidirectional Security Gateways in hydro networks are clear:
- Future-proof security: Control networks are physically protected from threats emanating from external, less-trusted networks.
- Deep visibility: Enterprise networks and users continue to operate as if nothing has changed. Instead of accessing servers on the critical operational network, users on the external network now access real-time data from replicated servers for all informational and analytical needs.
- Reduced compliance costs: Unidirectional Gateways are recognized by many global industrial cyber security standards and regulations such as the NERC CIP standards. Unidirectionally-protected networks are required to use fewer costly compensating measures than are networks protected by only software firewalls.
Hydro power plants have more important things to do than spend time constantly chasing the latest security vulnerabilities and cyber attack techniques. Deploying at least one layer of unidirectional protections in a defence-in-depth network architecture provides robust and lasting protection from remote cyber attacks, no matter what software vulnerabilities are discovered, and no matter how sophisticated those attacks are today or become in the future.