Part of the innovation driven by IP communications technologies in utility
companies must include better forms of cyber security. Transitioning
from one-way power grids to bi-directional smart grids to improve
operational and customer service performance can only make sensitive data
and programming that controls processes more vulnerable.
As part of a nation's critical infrastructure, utility companies are prime
targets for cyber attack. A January audit report by the Federal Energy
Regulatory Commission on its Monitoring of Power Grid Cyber Security
concluded that security "remains a critical area of concern."
A report by Pike Research on Smart Grid Cyber Security, which identifies key
issues that require attention if smart grids are to become secure, noted that
"many Industrial Control Systems have seemed secure simply by being isolated
from IT networks. The Stuxnet attacks demonstrated that USB memory sticks
give attackers a convenient workaround for that lack of connectivity."
In fact, devices used for air-gap data transfer can be misplaced, stolen, or
infected with malware such as the Stuxnet worm and transferred to a critical
network, intentionally or accidentally. Even when connected systems and
networks are fully compliant with the latest security standards, they are limited
to DCOM-based access permissions and firewalls which, through human error
and malicious intent, can be wrongly configured.
Data diode technology offers an effective solution to achieve both the systems
interoperability envisioned for smart grid and the cyber security needed to
protect sensitive systems and data. A data diode is a security system for
connecting networks with different security levels. It allows data to be sent from
a process control network for information updates but physically prevents
electronic access to that network.
Just as a diode in basic electronics allows current to flow in only one
direction, data diode technology allows data to flow safely in one direction to
connect the sensitive part of smart grid infrastructure with less secure systems
and networks.
Data diode security does not contain decision logic, software or firmware that
could compromise infrastructure. It eliminates opportunities for software
malfunctions, malware, tampering and online attacks. It cannot be
misconfigured, eliminating the potential for human error.
This technology can be easily implemented at OPC servers that connect data
from PLCs, RTUs, meters, sensors, analyzers, distributed control systems and
improvised devices for smart grid systems interoperability. It improves
connectivity between process networks and back-office systems by eliminating
the delays in information transfer associated with air gap procedures, which are
neither continuous nor real time.
Information can be exchanged between a high-security network and less-secure information management systems in real time for up-to-date business visibility and decision making affecting financial, operational and customer service performance, without exposing the bulk electric grid to cyber threats.
A European-based provider of data diode security has had its technology certified for the highest level of computer security (Evaluation Assurance Level 7) in compliance with the internationally recognized Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). The technology has been approved for connection of networks up to and including NATO secret and, in Europe, is increasingly used to upgrade the security of government networks. Security standards similar to those mandated by governments are needed for smart grid as well. This particular data diode technology supports all standard SCADA protocols including OPC, ICCP, DNP3 and Modbus.
The data diode technology is implemented with a hardware data diode, proxy servers, and software that provides data integrity (error detection and correction), data transfer synchronization, event logging and SNMP traps (on both sides of the data transfer), and a user interface for administrators and security auditors.
A one-way physical connection is made between the two servers to prevent data leakage and guarantee the security of the process control network. Each server has an easy-to-use web interface that allows authorized users to configure what information is to be transferred. As the physical connection between networks is one-way (hardware), malware will never compromise the security of the grid. One data diode can support transfers from multiple OPC servers. The basic solution can be augmented with additional application servers to add specific functionality to the one-way data transfer.
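Because nothing can travel back across the diode, the receiving proxy can never ask for a retransmission; the sender must therefore add sequence numbers, checksums and redundant copies so the receiver can verify integrity, detect gaps and log them. The following simulation of that framing is an added example, not code from the article or from any data diode vendor; the frame layout, the two-copy redundancy and the sample tag updates are assumptions constructed for illustration.

```python
import json
import zlib

# Hypothetical one-way frame: 4-byte sequence number | JSON payload | 4-byte CRC32.
# Each frame is emitted REDUNDANCY times so one lost or corrupted copy is tolerated.
REDUNDANCY = 2

def encode_frame(seq: int, payload: bytes) -> bytes:
    header = seq.to_bytes(4, "big")
    crc = zlib.crc32(header + payload).to_bytes(4, "big")
    return header + payload + crc

def send_updates(updates):
    """Sender-side proxy: number each update and push REDUNDANCY copies into the link."""
    frames = []
    for seq, update in enumerate(updates):
        frame = encode_frame(seq, json.dumps(update).encode())
        frames.extend([frame] * REDUNDANCY)
    return frames

def receive_frames(frames):
    """Receiver-side proxy: verify CRC, discard duplicates, log gaps it can only
    report (not repair) because no request can cross the diode.
    Returns (accepted updates in sequence order, event log)."""
    accepted, log, expected = {}, [], 0
    for frame in frames:
        if len(frame) < 8:
            log.append("short frame discarded")
            continue
        header, payload, crc = frame[:4], frame[4:-4], frame[-4:]
        if zlib.crc32(header + payload).to_bytes(4, "big") != crc:
            log.append("crc mismatch discarded")
            continue
        seq = int.from_bytes(header, "big")
        if seq in accepted:
            continue  # redundant copy of a frame already accepted
        if seq > expected:
            log.append(f"gap: expected seq {expected}, got {seq}")
        accepted[seq] = json.loads(payload)
        expected = max(expected, seq + 1)
    return [accepted[s] for s in sorted(accepted)], log

def simulate_lossy_link():
    """Constructed sample: four OPC-style tag updates cross a link that corrupts
    one copy of seq 0, loses one copy of seq 1 and loses both copies of seq 2."""
    updates = [{"tag": "Feeder1.Voltage_kV", "value": 13.2},
               {"tag": "Feeder1.Current_A", "value": 210},
               {"tag": "Breaker3.State", "value": "closed"},
               {"tag": "Xfmr2.Temp_C", "value": 71.5}]
    frames = send_updates(updates)                      # 8 frames, two per update
    damaged = bytearray(frames[0]); damaged[6] ^= 0xFF  # bit-flip inside the payload
    link = [bytes(damaged), frames[1], frames[2], frames[6], frames[7]]
    return receive_frames(link)
```

The event log is what the receiving-side SNMP trap or audit log would carry: seq 2 is reported as a gap for the operator to act on, since the diode gives the receiver no way to recover it.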
A leading provider of data connectivity software for SCADA networks now offers data diode technology as another layer of security for power companies' overall Defense-in-Depth strategies. When used with advanced OPC server software, data diode technology supports complete control over information browsing, reading, and writing on a per-user, per-access basis in smart-grid environments. Instead of relying only on global, DCOM-based, "all-or-nothing" system access permissions, power companies can have granular, role-based control over security to prevent unauthorized access to process data and programming controls, whether accidental or intentional.
(The author is Chief Executive Officer, Fox-IT)