Security Requirements for EPU Remote Services

Author: Dennis Holstein, USA

Information technology (IT) and operational technology (OT) cyber-physical security protection for remote services is a complex subject that requires equal attention to be given to local laws and regulations, operating constraints, and organizational constraints imposed on an electric power utility (EPU).

In response to these constraints an EPU employs both technical and non-technical controls to securely operate and manage remote services. Figure 1 shows a typical topology for an EPU system of interest (SoI).
Two assumptions are critical for this article: 1) remote access is provisioned through one or more untrusted networks and 2) the end-point at the remote site is untrusted. The depicted reference architecture is a logical representation. Components such as network segments, network and security devices, as well as power automation and control systems and devices, may vary in number, features and implementation characteristics. The objective is to have an artifact and representation in place as a baseline for more granular definitions, policy decisions and for the mapping to standards and regulations.

Who is the Stakeholder and What is Needed?
Our first task is to identify the stakeholders and describe the CPS capabilities for remote services that they need. In Table 1 our focus is on the EPU users and four factors that influence the deployment of an acceptable solution: 1) legal compliance, 2) governance framework, 3) remote service security, and 4) remote service security solution. We will address items 1, 2, and 4 at a high-level. More technical detail will be offered for item 3.

The need for an Adaptable Cyber-Physical Security Solution

The emerging privacy protection laws and regulations, the evolving critical infrastructure protection (CIP) requirements, and the use of modern technologies (such as cloud services) create a complex landscape of challenges that must be addressed (SN-1.1). In response to this situation, EPUs need to solicit the support of subject matter experts (SMEs) with legal, technology, and human behavior expertise to establish a governance framework (SN-1.2). In the context of remote services, a model-based systems engineering (MBSE) methodology is used in this article. We start with Figure 2, the use case to identify applicable laws and regulations that impact cyber-physical security (CPS) solutions for remote services.
Navigating the complexity of security requirements from applicable laws, regulations, standards, and guidelines is the first challenge addressed by this article. One approach used in this article is to identify and characterize the fundamental CPS requirement objectives (not context) imposed on the implementation and operation of EPU remote services.

To formalize this approach, we use a modern technique called model-based systems engineering (MBSE), which requires an introduction to the Systems Modeling Language (SysML) notation developed by the Object Management Group (OMG).

At this level, some relationships between requirement objectives are identified. For example, in Figure 3, EPU security policies, procedures and organizational directives (PP&ODs) should trace to local laws and regulations. Both the EU's GDPR (General Data Protection Regulation) and the NERC CIP regulations that address remote services must be satisfied. The motivation for these regulations is quite different.

  • GDPR is focused on protecting sensitive personally identifiable information (PII) that is commonly used for remote service log-on verification. More on this later.
  • NERC CIP is focused on protecting the bulk electric system from cyber-physical attacks that impact the reliability of the system.

Interpretation of the GDPR and the CIP is a significant challenge. Countries that have adopted these regulations have their own unique interpretations that are described in their governing specifications. A good example is the wide variation in applying the GDPR in more than 80 countries. This situation is made more complicated in the United States, where several states have applied additional constraints and enforcement regulations.
To address this issue, one approach is to look to international standards for interpretation guidance. A good example is the use of IEC 62443, a multipart standard. Figure 5 identifies two parts of this standard that are particularly important for remote services. Part 3-2 focuses attention on segmentation requirements (called zones) to isolate control systems from direct connection to a remote service terminal. Security is enabled by a modern gateway (Id=4.1.1) for cybersecurity protection. The gateway is shown as a component contained in the security zone, which is sometimes referred to as an edge device.

Requirements for the security zone should be addressed in the PP&OD, which is indicated by the containment symbol on the association. Part 2-4 includes multiple remote service requirements that are imposed on the solution provider. Both parts are well-written and should be implemented to ensure that all entities (human and device) granted access to the EPU's network have been authenticated as a trusted entity.

The center point for the model shown in Figure 4 is the remote service security objective (Id 5). Everything is built off this security objective, which requires that all entities granted access to the EPU's networks be authenticated as a trusted entity. Remote service CPS objectives must satisfy all applicable requirements in the PP&OD. Most importantly, the approach is to use language that can be applied to both technical controls and non-technical controls (e.g. personnel staffing). This requires the analyst to pay careful attention to the relationships between fundamental CPS objectives.
Authenticating a remote user is a challenge because we assume that all users are treated as untrusted observers until authenticated.

Figure 5 shows that an unauthorized remote user, called an observer, is commonly categorized as a hacker simply trolling the network, an agent of a criminal organization seeking to steal intellectual property or disrupt the operation, or an agent of a nation state. Publications in the open literature have described many of these examples.

CIGRE study committees B5 and D2 have published several technical brochures that address the issue of an "insider threat". If the remote user has been authenticated to access the network, the authentication includes the authorized role. For example, a role may only allow the remote user to "read" data, not to change data or initiate an operational command. Furthermore, the role may be restricted to changing a selected set of set point values. Other roles have more extensive "read/write" privileges that can initiate an operational action.
If the authenticated remote user is trusted, but compromised, the risks are significant because the user knows the detailed operation of the system or system function. With such knowledge it is possible to interfere with, disrupt, or disable a critical function.
For this reason, all actions performed on the network need to be logged and securely reported to a defined interface for post-event forensic analysis. The CPS solution deployed is responsible for logging and reporting. CIGRE technical brochure #698:2017 includes an extensive discussion of this issue in clause 2.4.
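As an added illustration (not code from the article or from CIGRE), the following Python sketch models the role restrictions and the logging requirement described above: an entity that is not yet authenticated is treated as an observer and permitted nothing, a role may be limited to reading or to changing a selected set of set points, and every permit or deny decision is written to a hash-chained audit log so that tampering can be detected during post-event forensic analysis. The role names, set point names and log record format are assumptions made for the example.

```python
import hashlib
import json
from collections import namedtuple
from datetime import datetime, timezone

# Role privilege sets as the article describes them (constructed names); an
# entity that is not yet authenticated is an "observer" and may do nothing.
ROLE_ACTIONS = {
    "observer": frozenset(),
    "read_only": frozenset({"read"}),
    "setpoint_operator": frozenset({"read", "write_setpoint"}),
    "control_operator": frozenset({"read", "write_setpoint", "operate"}),
}
# A set-point-restricted role may only change a selected set of values.
SETPOINT_WHITELIST = {"setpoint_operator": frozenset({"voltage_target", "tap_position"})}
GENESIS = "0" * 64  # chain anchor for the first audit record

Session = namedtuple("Session", "user authenticated role")

def _digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    # Append-only; each record is hash-chained to its predecessor so that
    # tampering is detectable during post-event forensic analysis.
    def __init__(self) -> None:
        self.records: list = []

    def append(self, record: dict) -> None:
        record["prev"] = self.records[-1]["hash"] if self.records else GENESIS
        record["hash"] = _digest(record)
        self.records.append(record)

    def verify(self) -> bool:
        prev = GENESIS
        for r in self.records:
            if r["prev"] != prev or _digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True

def authorize(session: Session, action: str, target: str, log: AuditLog) -> bool:
    # Decide a remote-service request and log the decision, permit or deny.
    role = session.role if session.authenticated else "observer"
    permitted = action in ROLE_ACTIONS.get(role, frozenset())
    if permitted and action == "write_setpoint" and role in SETPOINT_WHITELIST:
        permitted = target in SETPOINT_WHITELIST[role]
    log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": session.user, "role": role,
                "action": action, "target": target, "decision": "permit" if permitted else "deny"})
    return permitted
```

Denied requests are logged as well as permitted ones, since an unauthenticated observer probing the service is exactly what the forensic record should capture.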
