Asymmetric solutions. ICS Energy Security

    Energy is a critical infrastructure in its own right, and at the same time every other infrastructure with any degree of critical status depends on it directly. To stop a train it is not necessary to dismantle the tracks or blow up the bridges; it is enough to de-energize a few traction substations, or, with even less effort, simply degrade a handful of power-quality parameters. The latter option, moreover, is very hard to diagnose with the means railway operators use today.
    With the arrival of market relations, new technologies have come to the energy sector. An extremely conservative industry has spent the last ten years in a period of serious transformation. Side by side are modern substations built on the latest generation of microprocessor protection (by Western standards) and substations using power transformers manufactured in the 1930s, taken out of occupied Germany in 1945, with relay protection from the 1960s. By various estimates, 60 to 80 percent of the equipment needs replacement or modernization. Now imagine that such an upgrade has taken place: everything is set up and working, the dispatchers make full use of the newly available capabilities, automation cuts operating costs, and the number of outages drops sharply. That is one side of the coin. At the same time, the new equipment requires qualified service, is made observable over public networks, and operates using international standards. In practice we find ourselves (and in some cases have already found ourselves) completely open and unprotected in terms of information security. A whole industry, "Information Security of Critical Infrastructures," is actively forming around the world: articles are written, conferences are held, training simulators are released, and the market is flooded with a stream of products that position themselves in this field. Let us try to analyze the situation from several points of view and build a security strategy of our own.

    The state. Officials in any civilized country are well aware of the danger of man-made disasters, primarily as a source of "social explosions," although the financial, defense and political risks are also very important. True, the threat of an attack on infrastructure is so all-encompassing that a mistaken belief often forms that here, of all places, we are protected: there are reports, there are responsible officials, and so on.
    Corporations and business. We invest in making business processes more efficient. Money invested must bring an economic return. Calculating the losses from a potential attack on infrastructure is very interesting, but it is only a calculation. In real life the likelihood of such a scenario is not zero, but try convincing me that it applies to our company.
    Technologists. The list of tasks and priorities is clearly formulated. Yes, there are many factors around us that could potentially affect the solution of our tasks, but they are secondary, nobody has changed our priorities, and understanding a new area takes time and resources.
    Large technology vendors. We guarantee the performance of our turnkey systems, given the appropriate level of operation. To provide it, we need remote channels for diagnosing the installed equipment by a specific narrow specialist who may be located in Italy, Australia or the USA. We take information security seriously: we are ready to encrypt the traffic with a super-algorithm that cannot be broken (provided the key is not known in advance). We develop (or buy ready-made on the market) a class of firewall that checks traffic against logical rules, but only in an informational mode; that is, we are not ready to take responsibility for decisions.
    Information security specialists and solution developers. A new direction! Having sorted out the banks, why not apply our experience and best practices to another industry? Security is the same everywhere; we will learn the hardware and just hold on. And here came a couple of years of stupor: it turned out that technologists speak their own language, that the subject of information security is nowhere near as obvious to them as it is to banks, and that there are a great many unfamiliar devices and protocols. To get past the barrier, the movement continued in two directions. The first is heuristic analysis. We install a device and listen to what happens for a set period (from two months to half a year), record everything, analyze it and, voila, here is the "normal" mode of operation; we do not need any technologists, we are ready to work, and now any "disturbance" in the network can be compared against the "normal" model and a verdict pronounced. Funny? Of course it is ridiculous: technological control systems are themselves safety devices. They act on an event, and the less standard (the more dangerous) the situation, the less standard the reaction of the system will be, so a baseline learned from months of routine operation flags exactly the moments when the protection is doing its job.
    The second, more advanced direction. This means modeling the technological environment, the control systems and (ATTENTION) the attack patterns against those control systems. Products are launched on the market (for example: www.cybati.org, www.skybox.com), so-called hack days are held and posted on YouTube, and series of videos dissect the vulnerabilities of industrial protocols and the methods of exploiting them. That is, under the guise of developing competencies, information is thrown onto the market that in its essence feeds an endless cycle of discovering vulnerabilities and then selling means of protection against them.
    Schoolchildren and students. It is boring, the games have become tiresome, and yesterday a friend opened access to some libraries and said that if you find the IP of a control device on the network you can try to switch off the lights in an entire district. What if it works?..
    An interesting picture, is it not? To find a way out, I propose looking at the situation from a different angle. Most of the standards and technologies come to us from abroad. By joining the technology race we obviously end up in the role of the one lagging behind, since closing one problem brings us a new version with a dozen others. Stopping progress, in turn, is also impossible. The solution suggests itself, and, as is usual in this area, it is more a technological one than an informational one. First of all, clearly divide the information flows into bidirectional and unidirectional. And not on the principle of "this is what we are used to," but strictly on the basis of production needs and in accordance with the regulatory and technical documents. Bidirectional flows form the operational control loop; unidirectional flows form the monitoring loop (for example: www.onewaynetw.ru). The same applies to organizing remote access for service companies and vendors. Even if the service regulations provide for configuration changes or other remote operations at the facility, the problem can be solved through the standard work-permit process that exists at any industrial enterprise: the equipment is taken out of service, a full-duplex channel is switched on for a predetermined time, the work is done, the channel is switched off, the changes are tested, and the equipment is returned to service. Inconvenient? But, I repeat once more, this is not IT.
    The operational control loop. This is the most critical segment; the task is to ensure it performs according to predetermined algorithms under any external and internal influence. Several solutions have appeared on the market that check the protection algorithms and control systems for compliance with predefined rules (for example: www.secmatters.com), and I would remind the reader that technological control is regulated in great detail. But for obvious reasons these systems work exclusively in a "passive" mode. The reason is that the control system is responsible for the functional performance of the process, while the IT analyzer is responsible only for formal compliance with the rules. Passive mode is useful for weeding out, at an early stage, a whole set of threats and errors, including operational ones. At the same time it is clear that such a solution will not save us from a deliberate, targeted impact on the object, where the timescale is tens of milliseconds. One possible solution here is to use such a system as a kind of automatic transfer switch: on receiving information that the equipment's behavior does not match the rules in the main control system, switch to a second (backup) control system, one that has also been tested by the technologists, stands in hot reserve, and is normally disconnected from the information network. Then, again, the work-permit procedure, analysis of the problems in the main circuit, and so on, but technological reliability is preserved.
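    The two ideas above (a one-way monitoring loop with vendor access only under a work permit, and a passive rule-compliance check whose only active role is to hand over to the backup control system) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from any of the products it names; all identities, protection setpoints, permit windows and events in it are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: all names, limits, timestamps and identities below
# are assumptions for illustration, not settings from any real substation.


@dataclass(frozen=True)
class Event:
    ts: datetime
    channel: str      # "control" (bidirectional loop) or "monitoring" (one-way loop)
    direction: str    # "to_device" (a command) or "from_device" (telemetry)
    source: str       # identity that issued it: local SCADA, vendor service account, ...
    kind: str         # "setpoint", "breaker" or "telemetry"
    target: str       # protection function or switch concerned
    value: Optional[float] = None


@dataclass(frozen=True)
class Rules:
    control_sources: frozenset   # identities permitted to issue commands on the control loop
    setpoint_limits: dict        # target -> (low, high) from the approved protection settings
    remote_sources: frozenset    # service/vendor identities that may act only under a work permit
    permits: tuple               # (source, start, end) windows opened by the permit procedure


def check(events, rules):
    """Passive check: list (timestamp, reason) for every event that breaks a rule.

    It never blocks anything itself; it only reports, as the article says such
    analysers do. What to do with a report is decided separately.
    """
    found = []
    for e in events:
        if e.direction != "to_device":
            continue                      # telemetry leaving the device is always fine
        if e.channel == "monitoring":     # the monitoring loop must stay one-way
            found.append((e.ts, f"command from {e.source} on the one-way monitoring loop"))
            continue
        if e.source not in rules.control_sources:
            found.append((e.ts, f"{e.source} is not an allowed control source"))
            continue
        if e.kind == "setpoint":
            low, high = rules.setpoint_limits[e.target]
            if not low <= e.value <= high:
                found.append((e.ts, f"{e.target} setpoint {e.value} outside [{low}, {high}]"))
        if e.source in rules.remote_sources and not any(
            s == e.source and start <= e.ts <= end for s, start, end in rules.permits
        ):
            found.append((e.ts, f"{e.source} acted on {e.target} without an open work permit"))
    return found


def transfer_decision(events, rules):
    """Automatic transfer switch: any violation on the control loop hands control
    to the hot-standby system, which is normally disconnected from the network."""
    return "backup" if check(events, rules) else "main"


T0 = datetime(2024, 1, 1, 10, 0)
RULES = Rules(
    control_sources=frozenset({"local-scada", "vendor-svc"}),
    setpoint_limits={"OC_pickup_A": (1.0, 1.5)},
    remote_sources=frozenset({"vendor-svc"}),
    permits=(("vendor-svc", T0 + timedelta(minutes=30), T0 + timedelta(minutes=90)),),
)
GOOD_EVENTS = [
    Event(T0, "monitoring", "from_device", "rtu-1", "telemetry", "feeder_A", 412.0),
    Event(T0 + timedelta(minutes=5), "control", "to_device", "local-scada", "setpoint", "OC_pickup_A", 1.2),
    Event(T0 + timedelta(minutes=40), "control", "to_device", "vendor-svc", "breaker", "Q1", 0.0),
]
BAD_EVENTS = [
    Event(T0 + timedelta(minutes=10), "control", "to_device", "local-scada", "setpoint", "OC_pickup_A", 3.0),
    Event(T0 + timedelta(minutes=20), "control", "to_device", "vendor-svc", "breaker", "Q1", 0.0),
    Event(T0 + timedelta(minutes=25), "monitoring", "to_device", "unknown-host", "breaker", "Q2", 0.0),
    Event(T0 + timedelta(minutes=50), "control", "to_device", "student-pc", "setpoint", "OC_pickup_A", 1.1),
]

if __name__ == "__main__":
    for ts, reason in check(GOOD_EVENTS + BAD_EVENTS, RULES):
        print(ts.time(), reason)
    print("control system:", transfer_decision(GOOD_EVENTS + BAD_EVENTS, RULES))
```

    Note what the checker does not try to do: it does not learn a "normal" baseline and it does not interpret protection logic. Every rule is a fact the technologists already hold on paper (the settings sheet, the list of authorized sources, the permit register), which is why the check can be exhaustive and its verdict can be trusted enough to trigger the transfer to the backup system.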
    Of course, the first question will be the cost of such a solution. I am sure that in any case it will be cheaper than taking part in an endless race of defense and attack technologies, and that it will deliver a result for the next 15 to 20 years rather than for two or three, that is, until the next change of technological cycle in IT.
    For this to become a reality, several conditions must be met:
    1. The state should formalize in more detail the requirements for separating networks related to critical infrastructure (the analogue is the NERC standards operating in the USA).
    2. Insurance against cyberattack risk should be a condition for business and corporations to attract borrowed financing (this is world practice).
    3. Technologists need a platform for discussing the development of technological control tools and the information security of critical infrastructures (an example is the SGTech conference).
    4. The quality of service to consumers should become the decisive factor in setting energy tariffs.
    The task is to systematize the work and move from empty disputes and complaints about a lack of understanding to the systematic construction of a real threat model and a set of measures (methodological, organizational, technological and informational) to protect critical objects from intentional and unintentional cyberattacks. Such work will be of interest first of all to the technologists themselves, since it will let them put existing solutions in order, identify weak points, and justify the development of modern control systems. Company managers will be able to make effective use of real risk-management tools (for example: www.wck-grc.com), and banks will receive additional guarantees of the reliability of their investments. The state will solve a social problem, improving the quality of services provided to the population, and the problem of increasing the energy security of the country as a whole.