Operational Technology (OT) Implications of the Recent SolarWinds Compromise

Jan 12, 2021 | Blog

Brian Smith
bsmith@enernex.com
865-770-4853

The recent SolarWinds Orion compromise is a wake-up call to the very real threat that supply chain attacks present. While much of the attention and discussion about this compromise has focused on traditional IT environments, supply chain threats are just as relevant to utility Operational Technology (OT) environments. So much so that FERC and NERC have spent the last several years establishing supply chain security requirements for the bulk electric system in CIP-013-1. What makes the SolarWinds compromise particularly worrisome is the potential impact this type of attack could have within an OT environment. To start with, similar attacks are extremely difficult to prevent with the practices employed within most security programs today. Further, because the SolarWinds compromise targeted a product that is typically granted elevated privileges within both IT and OT environments, similar attacks pose a serious risk.

Many details of the compromise are still emerging, especially the ultimate objectives of the adversaries once the malicious code was successfully installed inside the target environments. What we do know is that a highly skilled adversary was able to insert malicious code into the SolarWinds Orion software build process, which ultimately "trojanized" the software updates that the vendor then provided to its customers. Since these updates were digitally signed by the vendor and delivered through its normal update channel, most customers had no reasonable cause to suspect that they posed a risk and installed them within their environments. A valid vendor signature proves that the vendor built and shipped the file; it does not prove that the vendor's build process was clean. The SolarWinds Orion product appears to have been specifically targeted because it is typically configured with elevated privileges in many environments owing to its role in network and application monitoring and management. Once the malicious code was inside the target environments, it used those elevated privileges, along with techniques such as mimicking legitimate network traffic and impersonating legitimate users, to avoid detection. In some cases it went unnoticed for several months. In the short term, organizations affected by this compromise should already be following the guidance provided by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in Emergency Directive 21-01. While some of this guidance applies only to U.S. federal agencies, it provides a detailed set of instructions that are specific and applicable to all potentially impacted users of the SolarWinds Orion platform.

A good way to relate the potential impact of this or similar compromises to a utility's OT environment is to look at it through the Industrial Control System (ICS) Cyber Kill Chain outlined in "The Industrial Control System Cyber Kill Chain" by Michael J. Assante and Robert M. Lee (SANS Institute, October 5, 2015). From that perspective, the SolarWinds Orion compromise can be considered a successful Stage 1 attack (cyber intrusion preparation and execution) that provides the foothold for Stage 2 activities (ICS attack development and execution) targeted at loss, denial, or manipulation of view, control, or safety. Those outcomes are the basic building blocks an adversary combines in an attack on an OT environment to achieve a desired effect such as disrupting operations and/or damaging equipment.

If this type of attack is difficult to prevent, what should utilities do to mitigate the associated risks? First, a cybersecurity architecture that provides fundamental functions such as robust inbound and outbound firewall rules, network segmentation, and lateral movement protections is essential. Outbound rules matter as much as inbound ones here: a monitoring or management server inside the OT zone should be permitted to initiate only the connections its job requires, so that a compromised one cannot quietly reach out or move to other systems. Next, these events also stress the importance of establishing a system baseline (approved software versions and file hashes, and the network flows each system is expected to generate) along with monitoring and logging within OT environments, so that deviations from that baseline are actually seen. While this level of visibility into OT environments has been difficult to achieve in the past, commercial monitoring and anomaly detection solutions tailored for OT environments have become available over the last few years, making this a realistic goal for most utilities.
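The two baseline checks just described, as an added worked example that is not EnerNex's code or any vendor's product: a file-integrity baseline of an application directory (which catches a changed binary whether or not it carries a valid vendor signature, the point raised about the trojanized updates above) and an egress baseline for a monitoring server (connections it initiates that leave its approved networks or ports). The directory layout, the key=value firewall log format, the 10.20.0.0/16 OT zone and the 203.0.113.44 external address are all constructed for illustration.

```python
"""Two baseline-and-deviation checks for an OT management zone.

Added example; not EnerNex's or SolarWinds' code. The directory layout,
log format and addresses below are constructed for illustration.
"""
import hashlib
import ipaddress
from pathlib import Path


# ---- 1. File-integrity baseline of an application directory ----------------

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=("*.dll", "*.exe", "*.ps1")) -> dict:
    """Map of relative path -> SHA-256 for every matching file under root.
    Take it right after an approved install or patch and store it off-host."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hash_file(p)
        for pat in patterns
        for p in sorted(root.rglob(pat))
        if p.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished or changed since the baseline.
    A changed file with a valid vendor signature is still a change: the
    signature proves who shipped it, not that the change was expected."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


# ---- 2. Egress baseline for the monitoring server --------------------------

def parse_kv_log(text: str) -> list:
    """Parse 'timestamp k=v k=v ...' firewall lines (a constructed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def egress_violations(events, monitor_ip, allowed_nets, allowed_ports):
    """Connections *initiated by* the monitoring host that leave its approved
    destination networks or use a port outside its job. Under a default-deny
    outbound rule these should all be denies; any that show action=allow
    point at a gap in the firewall policy itself."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for ev in events:
        if ev.get("src") != monitor_ip:
            continue
        dst = ipaddress.ip_address(ev["dst"])
        in_net = any(dst in n for n in nets)
        if not in_net or ev["dport"] not in allowed_ports:
            hits.append(ev)
    return hits


# Constructed sample: SNMP polls and a database connection are expected;
# an outbound HTTPS session to the internet and SMB to a field device are not.
SAMPLE_LOG = """\
2020-06-15T03:12:44Z src=10.20.1.5 dst=10.20.3.17 dport=161 proto=udp action=allow
2020-06-15T03:12:45Z src=10.20.1.5 dst=10.20.3.18 dport=161 proto=udp action=allow
2020-06-15T03:13:02Z src=10.20.1.5 dst=10.20.1.9 dport=1433 proto=tcp action=allow
2020-06-15T03:14:10Z src=10.20.1.5 dst=203.0.113.44 dport=443 proto=tcp action=allow
2020-06-15T03:14:11Z src=10.20.1.5 dst=10.20.3.17 dport=445 proto=tcp action=deny
2020-06-15T03:15:00Z src=10.20.3.17 dst=10.20.1.5 dport=162 proto=udp action=allow
"""

if __name__ == "__main__":
    events = parse_kv_log(SAMPLE_LOG)
    hits = egress_violations(events, "10.20.1.5", ["10.20.0.0/16"], {161, 162, 1433})
    for ev in hits:
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} {ev['action']}")
```

Run stand-alone, the script reports the HTTPS session to 203.0.113.44 and the SMB attempt to 10.20.3.17 as the two deviations; the first is the more serious finding because the firewall allowed it. The file check is meant to be run from a scheduled job on the host (or better, from a separate collector with read access) against a baseline stored somewhere the host cannot alter.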

Want to know more about how EnerNex can support your OT cybersecurity efforts? Feel free to contact me at bsmith@enernex.com to discuss. EnerNex is uniquely qualified to assist you as our staff has extensive experience in NERC CIP, cyber security, utility automation, IT, OT, and communications systems.


Brian Smith, CISSP, is a Principal Consultant and has over 25 years of experience in the electric utility field with an extensive background in cyber security, utility communications, utility automation systems, integration, networking, Supervisory Control and Data Acquisition (SCADA), Energy Management Systems (EMS) and tele-protection applications.

Smart Metering (SM) and Advanced Metering Infrastructure (AMI)

Smart Metering and AMI is a transformational process addressing multiple business and technical needs of the utility enterprise. This is more than just smart meters and communications networks; it includes all of the back end applications that can leverage the meter assets, such as outage notification, demand response, call center optimization, disputed billing process handling, pre-payment opportunities, and service connection management methods and procedures, to name a few.

Implementing SM and AMI faces the same business, engineering, and operational challenges as any other across-the-utility information technology endeavors – most notably risk associated with embracing proprietary technology, missing functionality and early obsolescence. Effective SM and AMI development, implementation, and operation relies on a marriage of electric power engineering with information technology expertise: a key component of EnerNex’s expertise and experience.

EnerNex provides an array of engineering and consulting services geared towards intelligent and effective implementation of SM and AMI. This covers all phases of project development, starting with capturing system requirements where our experts leverage a “Use Case” centric view of activities needed to be accomplished and their interaction with systems and other users. Subsequent project steps typically examine other critical areas, such as: modeling of business cases, building inter-department consensus, assembling and assessing system functional requirements and non-functional requirements, developing a system design, hardware and software specifications and standards, complete procurement services including RFI and RFQ process support, supplier rating system, response evaluation methodology, deployment management, and training of office and field personnel.

Demand Response (DR)

Demand response can range from simple load interruption directed by the energy supplier in response to severe demand, to complex customer-defined load management in response to price signals. DR is one of the components of a "Non-Wires Alternative" that many utilities are effectively using to avoid expensive distribution fortification or upgrades.

Often the success or failure of demand response programs can be linked to program implementation challenges such as rate/tariff design, how rate structures are communicated to customers (e.g. price signals), or ineffective incentives used by utilities to encourage customers to accept operational change. The issues of program design, rate structure and customer impact have a tremendous influence on the success or failure of load management initiatives. Demand response has traditionally been used as a tool of the energy industry to ensure system stability. However, the introduction of microelectronics, communications, home automation and the Internet of Things (IoT) has led to the development of cost-effective solutions that allow the consumer to take control of managing their energy load and, ultimately, the price they pay for energy.

EnerNex has the experience and skills to turn your DR program into a successful operational asset and customer engagement process that can deliver value to all parties.

Energy Assurance Planning

Natural and man-made disasters cause an estimated $57B in average annual costs for all parties; large single events have resulted in losses of $100B or more. Events, such as the World Trade Center disaster, Hurricane Katrina, and most recently Hurricane Helene, have demonstrated an acute need to revisit, revise and implement an effective energy assurance plan. Energy assurance plans assess the functionality and interdependencies of buildings and infrastructure systems and the role they play in sustaining service and rapidly restoring critical services to a community following a hazard event.

EnerNex assists our clients in developing comprehensive energy assurance plans that mitigate and minimize the impact of energy disruptions. Our experts assess critical infrastructure risks and evaluate appropriate mitigation strategies and can help in developing an effective business continuity/disaster recovery (BC/DR) plan for utilities and your customers.

Microgrid Development

As the electric grid becomes more distributed and interactive, microgrids are playing an increasingly important role in our energy future. Decision makers at military bases, corporate and institutional campuses, residential communities and critical facilities across the world are exploring and implementing microgrids to meet economic, resiliency and environmental goals. Utility-grade microgrids are being deployed to meet transmission constraints, reliability requirements and safe-havens in the event of a significant storm event.

Bringing together a portfolio of distributed energy resources into a controllable, islandable microgrid comes with its own set of challenges. The key to solving these challenges is in architecting a system to support information exchanges between components across well-defined points of interoperability (interfaces) in a technology independent manner. This interoperability ensures that the system is resilient to technology change. Modern systems engineering techniques must be employed to ensure that individual sub‐systems are clearly identified, their functions enumerated, their data requirements known, and the points of interoperability clearly specified, along with the commensurate monitoring, command and control that is needed to ensure grid stability. With such architecture, we can apply best of breed technology available today to support those information exchanges at interface boundaries but be free to upgrade / change the implementation technology later without causing a ripple effect throughout the system.

Enterprise Architecture

Enterprise Architecture focuses on aligning an organization’s business strategies with its anticipated, desired and planned technology enhancements. Enterprise Architecture provides a framework to cost-effectively transition from a current “as-is” technology to future enterprise-wide technological solutions. An effective Enterprise Architecture program aligns business investments with long-term business strategies while minimizing risk and providing superior technological solutions. EnerNex’s key asset is its highly skilled and experienced staff who are closely connected to both the smart grid and EA standards and practices. We provide clients with the insight necessary to operate a fully functioning smart grid, which is flexible, scalable, and vendor independent.

Grid Modernization Roadmap

Utility companies across the globe are continually modernizing their grid. Each company often has different rationales, objectives and priorities. Frequently, smart grid plans are developed for individual, incremental initiatives, rather than as a part of a whole, intelligent and interoperable infrastructure. Planning may be developed around technology choices rather than business and technical requirements. The result of incremental and flawed planning leads to increased cost and risk, lost opportunities, disconnected expectations and dead ends.

EnerNex’s approach to grid modernization roadmap development follows a proven, industry-standard approach to grid modernization planning by collaboratively working with the utility to develop a set of prioritized and time-phased grid modernization initiatives unique to its business strategy and objectives. The roadmap developed is holistic, requirements-based, business value driven and actionable. It often builds on and leverages existing applications and infrastructure, and incorporates industry standards to ensure interoperability, flexibility and reduced cost and risk.

Utility Communications

Utility communication and control systems are increasingly interconnected to each other and to public networks and, as a result, they are becoming increasingly more susceptible to disruptions and cyber attacks. EnerNex has experience with the various issues relating to development, implementation and optimization including feasibility analysis, design, software development and customization, project management and acceptance. Our expertise extends from being involved in the development of the fundamental standards that support utility communication and automation, through deployment and securing of those resources. EnerNex personnel were heavily involved in development of such standards and protocols as IEC 61850, IEC 60870-5 and DNP3. Our staff played a key role in the EPRI Utility Communication Architecture (UCA) project and the IntelliGrid Architecture effort.