By Michael Sanchez, CEO of Itegriti
Protecting the nation’s critical national infrastructure (CNI) is a tall order, and the electric industry, one of sixteen CNI sectors, has had its share of challenges. In 2020, an international conglomerate of over 42 electricity transmission operators reported a successful cyber attack on its network, a network spanning 35 countries. Between 2014 and 2015 the industry saw a 380% increase in attacks, and in 2021 it was reported that as many as two-thirds of active groups (AGs) targeted electric utilities within the nation’s critical infrastructure.
Problems like these prompted January’s NOPR (Notice of Proposed Rulemaking), which seeks to require the North American Electric Reliability Corporation (NERC) to update its policies on internal network security monitoring for Bulk Electric System (BES) cyber systems. These “rules” are the Critical Infrastructure Protection (CIP) Reliability Standards, which currently do not mention network security monitoring.
When you consider that the nation’s power grid operates with cybersecurity protocols that still “protect the perimeter,” you can understand why improving visibility into network threats is long overdue.
So why doesn’t one of the most heavily attacked critical national infrastructure sectors simply switch to the latest technology? This article examines the barriers, and the benefits, of implementing cutting-edge network security monitoring in one of the nation’s oldest living architectures, and why doing so is necessary.
State of the Electric Industry
The US power grid is a massive entity, stretching across 600,000 miles of transmission lines with more than 1 million watts of generating capacity. As we move away from fossil fuels to renewable energy sources, those sources must also connect to the grid (think solar farms, wind turbines, hydroelectric plants and your electric vehicle). Infrastructure built over the past 70 years is being stretched to capacity, and the drive to upgrade to a Smart Grid is strong (though far from complete). With the load it already bears, plus severe weather events that cause outages and damage equipment, and climate change making hydro, solar and other renewable output erratic, today’s grid maintains reliability by a tenuous thread. Now add cyber attacks.
The energy sector is on the front line for nation states seeking to undermine critical US infrastructure. As stated in documents provided to one U.S. senator, “The U.S. electric grid is vulnerable to cyberattacks that could lead to catastrophic, widespread, prolonged blackouts and other losses of electric service.” This is not good news. And “Russia, North Korea, Iran and China currently have the capability to launch cyberattacks that can disrupt critical infrastructure.” We all know this, but the confirmation should be sobering. It is on this basis that the recent NOPR was issued. When even online retail stores have basic network monitoring capabilities (via affordable SaaS solutions), it is alarming, at best, that the US grid operates on antiquated perimeter security models. It’s time to upgrade.
First principles: Know what’s in your environment
This NOPR seeks to upgrade the protections of bulk electric systems. What are these? According to Nercipedia, they consist of “all Transmission Elements operating at 100 kV or higher and Real power and Reactive power resources connected at 100 kV or higher”, excluding local distribution facilities. In other words, the Big Boys. To do this, the directives given to NERC build the energy sector’s security methods on first principles. The first principle of cybersecurity is to know what’s in the environment. You can’t protect something if you don’t know it’s there. Network security starts with knowing what’s on that network.
When we discuss substations, we often hear utilities comment that they want to know what assets are in these environments. Some utilities have already begun to explore (in some cases deploy) passive grid monitoring at low-impact facilities with the primary goal of validating asset inventories. This is a great place to start and a good base for testing the work to be done within the medium to high impact facilities described in the NOPR.
The passive monitoring approach typical of network monitoring solutions is appropriate for a substation environment. Active approaches can compromise the operational mission and provide visibility only into devices capable of routed communication. Passive approaches, on the other hand, can also reveal the presence of serial or backplane-connected assets.
Challenges to implementing network security monitoring in the electricity sector
Several technical barriers prevent the energy sector from simply switching wholesale from perimeter protection to borderless network oversight. They include:
- Maturity of the entity’s cybersecurity posture
  - Has VLAN segmentation already been implemented (where applicable)?
  - Is there a centralized and standard network configuration?
- Degree of infrastructure unification
  - Is the grid layout the same for every site?
  - Is the substation equipment a diverse collection of vendor devices, or is it more similar from site to site? Uniformity makes planning and testing easier and provides greater confidence.
- The logistics
  - Different owners for multiple substations means renegotiation of access and performance plans.
  - Scattered geography: are the locations within one city or hundreds of miles apart?
- Adopting a virtual infrastructure
  - Many network monitoring offerings are virtual only. We hear from many entities that they have not yet implemented virtual infrastructure because virtual infrastructure may not be eligible for a CIP audit.
- Connection to substations
  - Many utilities have a legacy architecture of keeping substations isolated, either because of the cost of networks or because air-gapped networks are perceived as safer. The “cost” of this approach is the manual effort involved in infrequent site visits and the inconvenience of manual monitoring.
Although these are significant challenges, they can be overcome by a motivated individual.
Benefits of extending protection beyond the perimeter
The more you know, the more you can protect. Everything on the network, anywhere, from any source, is the new perimeter, since malware can enter through VPNs, identity systems, APIs and unauthenticated applications. Internal network monitoring is a prerequisite for a zero-trust environment, and it’s high time federal agencies catch up.
Network monitoring solutions typically involve asset discovery based on deep packet inspection, an approach well validated for OT environments. When network monitoring is integrated with such a solution, baseline change monitoring and configuration assessment (already in place for CIP requirements) become readily available. The system works well to incrementally extend the cyber security processes that already exist for CIP auditing and cyber security.
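The two ideas above, using passive observation to validate a substation asset inventory (as described in the section on first principles) and then watching that inventory as a baseline for change, can be shown with a small script. The following is an added example written for this article; it is not code from the author, from NERC, or from any monitoring product. It consumes constructed flow records of the kind a passive tap or SPAN collector would emit, infers which assets are present and which protocols they speak, diffs the result against a declared CIP asset list, and compares two snapshots over time. Port-based protocol tagging stands in for the deep packet inspection a real collector would perform, and all names, addresses and records are constructed for the example.

```python
"""Passive asset-inventory validation and baseline change detection.

Added example, not from the article or any product. Flow records, device
names, MAC and IP addresses below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Well-known TCP ports for common substation protocols (IANA assignments).
ICS_PORTS = {
    502: "modbus",
    20000: "dnp3",
    102: "iec61850-mms",  # ISO-TSAP, carries MMS
    2404: "iec104",
}
EPHEMERAL_PORT_START = 49152  # IANA dynamic range; used here as a reply heuristic


@dataclass
class Flow:
    """One unidirectional flow as a passive collector would summarise it."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    bytes_: int


# Constructed sample: one collection interval on a substation LAN.
SAMPLE_FLOWS = [
    Flow("00:11:22:aa:bb:01", "10.20.1.10", "10.20.1.50", "tcp", 20000, 4200),  # HMI -> RTU (DNP3)
    Flow("00:11:22:aa:bb:01", "10.20.1.10", "10.20.1.51", "tcp", 502, 1800),    # HMI -> relay (Modbus)
    Flow("00:11:22:aa:bb:50", "10.20.1.50", "10.20.1.10", "tcp", 49152, 9800),  # RTU reply
    Flow("00:11:22:aa:bb:51", "10.20.1.51", "10.20.1.10", "tcp", 49153, 3200),  # relay reply
    Flow("00:11:22:aa:bb:99", "10.20.1.77", "10.20.1.51", "tcp", 502, 600),     # undeclared host -> relay
    Flow("00:11:22:aa:bb:99", "10.20.1.77", "10.20.1.50", "tcp", 22, 1500),     # undeclared host -> RTU (SSH)
]

# Constructed declared inventory, as a utility's CIP asset list might record it.
DECLARED_INVENTORY = {
    "10.20.1.10": {"name": "HMI-01", "expected_protocols": {"dnp3", "modbus"}},
    "10.20.1.50": {"name": "RTU-01", "expected_protocols": {"dnp3"}},
    "10.20.1.51": {"name": "RELAY-01", "expected_protocols": {"modbus"}},
    "10.20.1.52": {"name": "RELAY-02", "expected_protocols": {"modbus"}},  # never seen on the wire
}


def discover_assets(flows):
    """Infer {ip: {"macs": set, "protocols": set}} from observed flows only."""
    assets = defaultdict(lambda: {"macs": set(), "protocols": set()})
    for f in flows:
        assets[f.src_ip]["macs"].add(f.src_mac)
        dst = assets[f.dst_ip]  # ensure the server side is in the inventory too
        if f.dst_port >= EPHEMERAL_PORT_START:
            continue  # reply to a client's ephemeral port, not a service the host offers
        proto = ICS_PORTS.get(f.dst_port, f"{f.proto}/{f.dst_port}")
        assets[f.src_ip]["protocols"].add(proto)  # speaks it as a client
        dst["protocols"].add(proto)               # serves it
    return dict(assets)


def validate_inventory(observed, declared):
    """Findings as (kind, ip, detail): unknown hosts, unexpected protocols, silent assets."""
    findings = []
    for ip, asset in sorted(observed.items()):
        if ip not in declared:
            findings.append(("unknown_asset", ip, sorted(asset["protocols"])))
            continue
        unexpected = asset["protocols"] - declared[ip]["expected_protocols"]
        if unexpected:
            findings.append(("unexpected_protocol", ip, sorted(unexpected)))
    for ip in sorted(set(declared) - set(observed)):
        findings.append(("declared_not_observed", ip, []))
    return findings


def snapshot(observed):
    """Serialisable baseline: {ip: sorted protocol list}."""
    return {ip: sorted(a["protocols"]) for ip, a in observed.items()}


def diff_snapshots(baseline, current):
    """Baseline change monitoring: new hosts, vanished hosts, newly seen protocols."""
    changes = []
    for ip in sorted(set(baseline) | set(current)):
        before, after = set(baseline.get(ip, [])), set(current.get(ip, []))
        if ip not in baseline:
            changes.append(("new_asset", ip, sorted(after)))
        elif ip not in current:
            changes.append(("asset_gone", ip, []))
        elif after - before:
            changes.append(("new_protocols", ip, sorted(after - before)))
    return changes


if __name__ == "__main__":
    observed = discover_assets(SAMPLE_FLOWS)
    for kind, ip, detail in validate_inventory(observed, DECLARED_INVENTORY):
        print(f"{kind:22} {ip:12} {detail}")
    baseline = snapshot(discover_assets(SAMPLE_FLOWS[:4]))  # earlier interval, constructed
    for kind, ip, detail in diff_snapshots(baseline, snapshot(observed)):
        print(f"{kind:22} {ip:12} {detail}")
```

On the sample data the validation reports an undeclared host talking Modbus and SSH, an SSH service on the RTU that the inventory does not expect, and a declared relay that never appears on the wire; the snapshot diff shows the same two deviations as changes from the earlier interval. The ephemeral-port rule is a heuristic and a real collector would identify protocols from payload rather than port, but the control flow, observe, compare to the declared list, then compare to the previous baseline, is the piece that matters for CIP evidence.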
As NERC follows the guidance of this NOPR to make internal grid security monitoring part of Bulk Electric Systems, many boxes will be checked on the path to modernizing the US electric grid to 21st century capabilities. Malware isn’t getting any less sophisticated or staying put, so neither should US cyber defenses. What’s the next frontier? Critical infrastructure protection requirements for distribution infrastructure of essential services such as hospitals, fire stations and police headquarters. While this NOPR is encouraging, we hope there are many more to come.
NOPR demands FERC to require Network Security Monitoring for BES Cyber Systems