Original Russian Text © Y.S. Vasiliev, P.D. Zegzhda, D.P. Zegzhda, 2016, published in Izvestiya Rossiiskoi Akademii Nauk, Energetika.
Abstract—This article suggests the concept of a cyberphysical system to manage the computer security of automated process control systems at hydropower engineering facilities. According to the authors, this system consists of a set of information processing tools and computer-controlled physical devices. Examples of cyber attacks on power engineering facilities are provided, and a strategy for improving the cybersecurity of hydropower engineering systems is suggested. The architecture of the multilevel protection of the automated process control system (APCS) of power engineering facilities is given, including security systems, control systems, access control, encryption, a secure virtual private network, and subsystems for monitoring and analysis of security events. The distinctive aspect of the approach is the consideration of the interrelations and cyber threats arising when SCADA is integrated with the unified enterprise information system.

Keywords: computer security, hydropower engineering facilities, cyber attacks, APCS, SCADA
DOI: 10.1134/S0040601516130073
PROVIDING SECURITY FOR AUTOMATED PROCESS CONTROL SYSTEMS
[…] Windows platform, use different database control systems and application program interfaces (APIs), and support various remote control protocols. This aspect ensures such strong points of APCSs as high control and response rates, simple structure, etc. However, it also determines the tight hierarchy and cascading structure of APCS segments, which consists in the complicated procedure of replacing APCS components and the avalanche-like response of components in case of emergencies; these factors determine the security of APCSs, safety at industrial production facilities, and sectoral safety in general.

The specific solution of this problem is determined by technical characteristics of APCSs, such as
(1) the distributed nature of components and the heterogeneous (nonuniform) information and software constituents, which shows in the diversity of the operating systems (OSs), communications, hardware, software and user interfaces used;
(2) the geographical remoteness of informatization and control objects and segments;
(3) the active role of the human element, amplified by the criticality of controlled objects or industrial cycle technology; and
(4) the absence of any universal approach and of solutions tailored for the specific task of controlling a particular process, sector, or production site.

3.1. Safety and Security at Power Engineering APCSs: Problem Urgency

The Sayano-Shushenskaya power station accident happened in 2009. It had been caused by a number of factors, including the disordered operation of the regulating system that varied the loading of hydropower sets with regard to the current workload of the electric power system [7].

Industrial facilities in Iran have been regularly attacked by the Stuxnet worm and its modified versions since 2010 onwards. The data stream between Siemens Simatic Step 7 programmable logic controllers and Siemens Simatic WinCC workstations of the SCADA system is intercepted and modified. Thus, a means has been used to attempt unauthorized data acquisition and subversion in the APCSs of Iranian industrial enterprises, power stations, and airports. The program's uniqueness was that it had been the first ever case of purposeful destruction of sectoral infrastructure in history [8].

A major role in the list of APCS security threats is played by threats to the infrastructure and operating systems of SCADA systems [6]. Most APCS software components are based on the MS Windows platform, which has traditionally contained mistakes leading to security violations. However, whereas exposures on general-purpose computers are eliminated by regular software updates from the manufacturer, this is impossible in SCADA systems because system updates suspend process activities and may negatively affect the further operation of SCADA [5]. In addition, there are problems solved for information systems but without any required solution for APCSs; these problems include errors in automated control software, vulnerabilities in system configuration settings, vulnerabilities in data transmission media, vulnerabilities in controlling network protocols, and the absence of required protection for data transmission lines.

Thus, the security of APCSs is an urgent task requiring a prompt solution.

The facts of security violations in power engineering and hydrosystem APCSs are given in Table 1. According to the analysis, the main causes of the increasing number of security violations in APCSs are integration with corporate systems, little consideration given to security maintenance systems, and disregard of network security components.
(2) potential spoofing or blocking of control commands;
(3) the human factor because, sometimes, the decision to disable the ECS is taken specifically by the operator;
(4) threats of purposeful information onslaught on the system and application software of the ECS;
(5) in terms of security, the ECS can be considered the ACS of some part of the process.

Security provision for power facilities includes a set of specific problems aimed at protecting the information components of the electric power system and its whole architecture, integrating ECSs, APCSs, operating units, and communication systems as required by the hierarchy of the information networks of the power facility (Fig. 5).

One should take into account that there are some problems solved for information systems but with no coherent solution for APCSs. These problems include errors in automated control software, vulnerabilities in system configuration settings, vulnerabilities in controlling network protocols, and the absence of enciphering for data transmission paths.

As shown in Table 2, APCSs have already gained widespread use in Russia.

Table 2. Examples of APCSs at power facilities in Russia
SCADA platform | Facility
WinCC | Diagnostics and information system of the turbine generator set at the Samara CHP plant
Citect SCADA | APCS of the power generating set at the Stavropol SDPP
inTouch | APCS of boilers and turbines at OAO (OJSC) Novosibirskenergo
iFIX | APCS at CHP plant 13 of OAO (OJSC) Permenergo

Typical protection systems developed for APCSs based on such SCADA as WinCC, inTouch, etc. include protection against cyber attacks, separation of access to APCS elements, communication path control, etc. However, when carried over to differently configured APCSs, these solutions require adaptation; moreover, they do not assure protection against all threats. Thus, the primary phase of power facility protection must be to recognize security threats to APCSs.

5.1 Recognition of Security Threats to APCSs of Electric Power Systems

APCSs include hardware and software constituents. Typical hardware tools are the Master Terminal Unit (MTU) installed in the control center, communication equipment, and Remote Terminal Units (RTUs) or PLCs that control mechanical drives and/or sensors. The MTU stores and processes information from the RTU inputs and outputs, whereas the RTU or the PLC is responsible for local process control. Communication hardware makes it possible to transmit information and data between the MTU and the RTU or the PLC. The software is configured to give the following commands to the system: what query is necessary to make and when, what are the acceptable value ranges for certain parameters, and how to react to variations in external parameters. SCADA systems are usually developed as failsafe systems with significant redundancy embedded in the system architecture. Specific threats typical of industrial systems are largely determined exactly by their architectural characteristics.

Security threats typical of APCSs of electric power systems can be classified by:
(1) the types of vulnerabilities used, such as organizational, configuration, software, network edge, and communication system vulnerabilities;
(2) the types of consequences, such as information disclosure, service denial, access denial, control denial, presentation denial, and presentation substitution;
(3) the threatened objects, such as SCADA, PLC, OS and infrastructure, and transport protocols.

We should mention such typical industrial threats as presentation denial and presentation substitution: they are usually fulfilled by user substitution (spoofing) attacks, and the result is either that the APCS operator loses control of the system or receives unreliable information and does not notice the occurrence of emergencies.

There are several basic standards that combine industrial protocols describing network interfaces and fieldbus requirements (ANSI/ISA-50.02, IEC 62026, IEC 61158, IEC 61784, IEC 61918); however, there is no common standard. Almost all the described protocols are required to function in real-time mode, which is why most of them have no embedded security provision tools, neither enciphering nor digital signatures.

5.2 General Layout of the Security Architecture of APCSs Used in Electric Power Systems

To resist the foregoing threats while designing the network architecture, we recommend separating the SCADA network from the corporate-wide network in order to isolate the APCS. The strict control of changes in network equipment operation, configuration, and software is inappropriate for the corporate-wide network. SCADA network traffic flowing in the corporate-wide network can be easily intercepted or exposed to DoS attacks. In the case of separate networks, the SCADA network must remain unaffected by the security and capacity problems of the corporate-wide network [3, 12, 17].

The reality is that the SCADA must be connected to the corporate-wide network. This connection is a serious security threat, and due attention should be given to its development and actualization. If the networks must be connected, we recommend introducing a minimal number of connections passing through the firewall (FW) and the demilitarized zone (DMZ). The DMZ is a separate network segment directly connected to the FW. The servers with the APCS data, access to which must be gained from the corporate-wide network, are placed in this network segment; however, these systems must be available from the corporate network. Minimal access through the FW, including the opening of only those ports that are necessary for certain means of communication, is allowed for any external relations (Fig. 6) [2, 12, 14].

The main trend in the development of APCSs is the consolidation of industrial and corporate-wide networks. The fact that APCSs have a long service life of 15 to 20 years, use specialized means of communication (consequently, a lot of different protocols), and were designed without taking into account the required information security provision attests to the increased risks of security violations of APCSs integrated with corporate-wide IT systems. Technologies for the protection of initially unprotected control systems are based on network segregation, logical separation of the control network from the corporate-wide network, and the use of firewalls. Industrial equipment manufacturers do make attempts to embed security functions (authentication, password protection of PLCs); without additional protective means, however, these APCS components remain unprotected because of their architecture, designed without regard to IS requirements.

The main areas of security provision for APCSs at power facilities must include [3, 5, 16]:
(1) Security provision arrangements, such as
(a) elaboration of security policies and procedures;
(b) evaluation of risks and exposures;
(c) personnel training and advanced employee training in security matters.
(2) Control network security provision measures, such as
(a) determination of the external network communication paths of APCSs;
(b) control of all communication paths via firewalls;
(c) distinguishing of several demilitarized zones;
(d) logical separation of the control network.
(3) APCS security control, including
(a) user identity check;
(b) access control;
(c) information auditing;
(d) enciphering;
(e) virtual private network (VPN).
(4) Monitoring:
(a) comprehensive monitoring of system events, security event recognition and analysis;
(b) system security testing.

CONCLUSIONS

Security tools can be efficiently integrated with APCSs at hydropower engineering facilities on the condition that a comprehensive program is developed and implemented, from a definition of goals and operations up to full-scale audit and improvement plans. An efficient security strategy for APCSs must include defense in depth and hierarchically structured security tools and means to minimize the effects of the breakdown of any mechanism whatever.

REFERENCES

1. K. Andersson, Cybersecurity: Public Sector Threats and Responses (CRC, Boca Raton, FL, 2012).
2. Critical Infrastructure Protection II, Ed. by M. Papa and S. Shenoi (Springer-Verlag, New York, 2012).
3. Y. S. Vasiliev, P. D. Zegzhda, and V. I. Kuvshinov, "Modern problems of cybersecurity," Nonlinear Phenom. Complex Syst. (Minsk, Belarus) 17 (3), 210–214 (2014). http://www.j-npcs.org/online/vol2014/v17no3p210.pdf
4. R. Axelrod and R. Iliev, "Timing of cyber conflict," Proc. Natl. Acad. Sci. U. S. A. 111 (4), 1298–1303 (2014). www.pnas.org/cgi/doi/10.1073/pnas.1322638111
5. K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, and A. Hahn, "Guide to industrial control systems (ICS) security. Revision 2," National Institute of Standards and Technology, Special Publication 800-82 Revision 2 (2015). doi 10.6028/NIST.SP.800-82r2
6. F. B. Schneider, "Blueprint for a science of cybersecurity," The Next Wave 19 (2), 47–57 (2012).
7. Report on Technical Investigation on Causes of the Accident that Occurred on August 17, 2009 at the Filial Branch of the OJSC "RosHydro" — P. S. Neporozhny Sayano-Shushenskaya Hydroelectric Power Plant (Fond Nats. Energ. Bezop. (FNEB), 2009). http://www.energystate.ru/news/files/Sayano-Shushenskaya-GES–akt-rassledovaniya.pdf
8. Stuxnet Code Analysis (ESET, 2010; Symantec, 2011; Nauchn. Tsentr "NATsILUS", 2011). http://aroundcyber.files.wordpress.com/2012/11/stuxnet-codeanalys-rus.pdf
9. UTsSB — Ural Center of Security Systems. http://www.ussc.ru/about/
10. Yu. S. Vasil'ev, D. P. Zegzhda, P. D. Zegzhda, and T. V. Stepanova, "Towards technological independence of Russian cybersecurity branch," Probl. Inf. Bezop. Komp'yut. Sist., No. 4, 17–29 (2014).
11. Yu. S. Vasil'ev and D. P. Zegzhda, To the Question of Cyber Security of Autonomous Control Systems in Power Engineering (S. Peterb. Gos. Politekh. Univ., St. Petersburg, 2015) [in Russian].
12. R. R. R. Barbosa, R. Sadre, and A. Pras, "Difficulties in modelling SCADA traffic: A comparative analysis," in Proc. 13th Int. Conf. "Passive and Active Measurement" (PAM 2012), Vienna, Mar. 12–14, 2012 (Springer-Verlag, Berlin, 2012), pp. 126–135.
13. B. Zhu, A. Joseph, and S. Sastry, "A taxonomy of cyber attacks on SCADA systems," in Proc. 2011 Int. Conf. on Internet of Things and 4th Int. Conf. on Cyber, Physical and Social Computing (iThings/CPSCom), Dalian, China, Oct. 19–22, 2011 (IEEE, 2011). http://www.researchgate.net/publication/254049910. doi 10.1109/iThings/CPSCom.2011.34
14. P. D. Zegzhda, T. V. Stepanova, and A. I. Pechenkin, "Security of power system ICS, which implement industrial network communication protocols," Izv. Ross. Akad. Nauk, Energ., No. 5, 59–64 (2013).
15. P. D. Zegzhda, "Modern state of cyber security," in Proc. 24th Sci.-Pract. Conf. "Methods and Technical Tools of Information Security," June 29–July 2, 2015 (S.-Peterb. Politekh. Univ., St. Petersburg, 2015), pp. 16–20.
16. Yu. S. Vasil'ev and P. D. Zegzhda, "Information security in hydropower engineering," in Abstracts 9th Sci.-Pract. Conf. "Hydropower. New Developments and Technologies," St. Petersburg, Oct. 22–24, 2015 (Vseross. Nauchno-Issl. Inst. Gidrotekh. B. E. Vedeneeva, St. Petersburg, 2015), Part 1, p. 31.
17. S. Baker, N. Filipiak, and K. Timlin, In the Dark: Crucial Industries Confront Cyberattacks (McAfee Rep., 2011). http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf

Translated by S. Kuznetsov
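The FW/DMZ layout recommended in Section 5.2 (a minimal set of connections through the firewall, APCS data servers placed in a DMZ, only the necessary ports opened) modelled as an added example that is not part of the paper; the zone names, ports and flow purposes are assumptions, and violations() flags the direct corporate-to-control path the section argues against.

```python
"""Zone policy for the FW/DMZ layout of Section 5.2 (added example, not the
paper's code). Zone names, ports and purposes are constructed assumptions.
The firewall is default-deny: only listed flows are opened, and the corporate
network reaches the APCS data servers in the DMZ, never the control network."""
from dataclasses import dataclass

CORPORATE, DMZ, CONTROL = "corporate", "dmz", "control"

@dataclass(frozen=True)
class Flow:
    src: str      # source zone (assumed to equal the FW interface name)
    dst: str      # destination zone
    port: int     # destination TCP port
    purpose: str  # why this connection through the FW is necessary

# Minimal set of connections through the FW (assumed for illustration).
ALLOWED_FLOWS = (
    Flow(CORPORATE, DMZ, 443, "read-only reports from the DMZ data server"),
    Flow(DMZ, CONTROL, 5432, "DMZ data server pulls from SCADA historian"),
)

def is_allowed(src, dst, port, policy=ALLOWED_FLOWS):
    """Default deny: a cross-zone flow passes only if explicitly listed.
    Traffic that stays inside one zone never crosses the FW."""
    if src == dst:
        return True
    return any(f.src == src and f.dst == dst and f.port == port for f in policy)

def violations(policy=ALLOWED_FLOWS):
    """Flows that break the layout: anything reaching the control network
    from a zone other than the DMZ (e.g. a direct corporate->control rule)."""
    return [f for f in policy if f.dst == CONTROL and f.src != DMZ]

def render_nftables(policy=ALLOWED_FLOWS):
    """Emit an nftables forward chain implementing the policy (policy drop)."""
    lines = ["table inet apcs_fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for f in policy:
        lines.append(f'    iifname "{f.src}" oifname "{f.dst}" tcp dport {f.port}'
                     f' ct state new accept comment "{f.purpose}"')
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_nftables())
    # A flat design with corporate hosts talking straight to PLCs is rejected.
    print("violations:", violations((Flow(CORPORATE, CONTROL, 502, "flat"),)))
```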