POWER May 2016 - 49

INSTRUMENTATION & CONTROL

[Figure] 4. Risk of various remote access methods. Source: Michael Toecker. Methods shown: Individual, ad-hoc remote access; Username and password access; Two-factor remote access; Remote access by external support vendor; Control systems connected to Internet or corporate network. Risk increases from left to right.

On paper, the physical key method looked good. But when performing a walkdown, I noticed a serial cable coming out of the key box that led to a dial-up modem. This cable allowed direct access to the internals of the remote access router, which could completely reconfigure the device to permit access. This created a glaring hole, considering that a phone call to the remote access router could enable remote access just the same as an operator turning a key, or could completely disable the VPN to put the router directly on the Internet.

What's more, discussions with the vendor on reviewing the configuration of the device were unproductive. The device, the VPN connection, and the dial-up modems were all considered vendor property and were off limits. This particular vendor has come a long way recently in terms of remote access, but the early days and conversations were particularly difficult. Persuading them that a malicious individual could take advantage of these weaknesses was a long process.

Situations like this still exist today. Not more than nine months ago, I reviewed another site's remote access system from a different vendor. In this case, I was able to conduct a full review of the vendor "remote access solution" and was completely blown away. In the course of installing the remote access, a technician had completely disabled most of the safeguards while trying to get it working and had left it that way. Originally, the remote access solution was decent, but now it was completely open to compromise. Needless to say, that remote access system was disconnected swiftly.

An Action Plan for Secure Remote Access

From my experience working at several generators on multiple DCS and programmable logic controller (PLC) systems, once an attacker is within the perimeter, the fight is over. It doesn't matter if you're fully compliant with NERC regulations either, because the current state of security capability in control systems is woefully poor. The perimeter is the only effective means of protecting these networks, and many generators allow remote personnel to come in from anywhere, at any time, for most any reason.

Taking care of the following tasks will put your plant in a more secure position.

Task 1: Get a Remote Access Policy in Place. If remote access is critical to your generating business, treat it as such. Place limits on when remote access is allowed, who has the capability, and by what method access is obtained. If the generator does not set the policy, individuals and vendors will set their own policies, using their own individual risk evaluations, which can leave a plant vulnerable.

Task 2: Invest in a Reasonable Infrastructure. There are many resources for developing a good perimeter, and the NERC CIP Version 5 standards require a perimeter for all generation assets, regardless of whether they are Low or Medium:
■ NERC: Guidance for Secure Interactive Remote Access (bit.ly/1WUiQVd)
■ National Institute of Standards and Technology: Guide to Industrial Control Systems Security (1.usa.gov/1TgbSef)
■ SANS Industrial Control System: Defense Use Case #5 (bit.ly/1WUjoub)
■ NERC: NERC-CIP-003 Version 6, see Requirement 1.2 for Low Impact facilities (bit.ly/1VRkQPJ)

Task 3: Use Two-Factor Authentication. Properly implemented, two-factor is the best method of securing remote access to the control system, because a password stolen via simple methods is no longer enough to get in. Ideally, this should be combined with Task 4 by keeping the two-factor token in the hands of operations personnel and not giving it to the remote access individual. Additionally, a remote access timeout should be used; no personnel should be able to stay continually connected to a remote control system.

Task 4: Require Authorization by Operations Personnel. When personnel with remote access are performing work on the system, operations personnel should not only be aware, but should also be actively responsible for authorizing each remote access. This could be done by operations holding the tokens used for authentication and only giving PIN codes when the requirements are met, or via some other technical control.

Task 5: Configure and Respond to Remote Access Alerts. Logs of remote access attempts, both successful and denied, should be reconciled against the remote access authorized by operations personnel on a regular basis. Discrepancies should be promptly investigated as potential incidents.
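The reconciliation that Tasks 3 through 5 call for, written out as an added example; this is not code from the article or its author. It assumes a constructed gateway log format, constructed authorization records of the kind a control room would keep when it releases a two-factor PIN, and an assumed four-hour session limit. It flags sessions with no authorization, sessions that outlast their window, sessions with no logout, sessions longer than the timeout, and bursts of denied logins.

```python
"""Reconcile remote access logs against operations-issued authorizations.

Added example; the log format, authorization records and the four-hour
session limit are all assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed gateway log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) remote-access: (?P<event>LOGIN|LOGOUT) "
    r"user=(?P<user>\S+)(?: src=(?P<src>\S+))?(?: result=(?P<result>ACCEPT|DENY))?"
    r"(?: session=(?P<session>\d+))?$"
)


@dataclass
class Authorization:
    """A window in which operations released the two-factor PIN to one user."""
    user: str
    start: datetime
    end: datetime
    purpose: str


@dataclass
class Session:
    session_id: str
    user: str
    src: str
    login: datetime
    logout: Optional[datetime] = None


@dataclass
class Finding:
    kind: str
    user: str
    detail: str


# Constructed authorization records kept by the control room.
AUTHORIZATIONS = [
    Authorization("vendor_tech1", datetime(2016, 5, 10, 8, 0), datetime(2016, 5, 10, 12, 0), "DCS patch"),
    Authorization("ctrl_eng2", datetime(2016, 5, 10, 14, 0), datetime(2016, 5, 10, 16, 0), "loop tuning"),
]

# Constructed remote access gateway log for the same day.
SAMPLE_LOG = """\
2016-05-10T08:05:12 gw01 remote-access: LOGIN user=vendor_tech1 src=203.0.113.8 result=ACCEPT session=101
2016-05-10T10:40:03 gw01 remote-access: LOGOUT user=vendor_tech1 session=101
2016-05-10T14:05:00 gw01 remote-access: LOGIN user=ctrl_eng2 src=198.51.100.5 result=ACCEPT session=102
2016-05-10T16:30:00 gw01 remote-access: LOGOUT user=ctrl_eng2 session=102
2016-05-10T18:01:09 gw01 remote-access: LOGIN user=vendor_tech1 src=203.0.113.8 result=ACCEPT session=103
2016-05-10T23:59:50 gw01 remote-access: LOGIN user=admin src=192.0.2.77 result=DENY
2016-05-11T00:00:10 gw01 remote-access: LOGIN user=admin src=192.0.2.77 result=DENY
2016-05-11T00:00:30 gw01 remote-access: LOGIN user=admin src=192.0.2.77 result=DENY
"""


def reconcile(log_text: str, authorizations: List[Authorization],
              max_session: timedelta = timedelta(hours=4),
              deny_burst: int = 3, deny_window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Return every discrepancy between the gateway log and the authorization list."""
    sessions = {}
    denies = {}        # user -> timestamps of denied logins
    last_ts = None     # the newest log timestamp serves as "now" for open sessions
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        last_ts = ts if last_ts is None else max(last_ts, ts)
        if m["event"] == "LOGIN" and m["result"] == "DENY":
            denies.setdefault(m["user"], []).append(ts)
        elif m["event"] == "LOGIN" and m["session"]:
            sessions[m["session"]] = Session(m["session"], m["user"], m["src"], ts)
        elif m["event"] == "LOGOUT" and m["session"] in sessions:
            sessions[m["session"]].logout = ts

    findings = []
    for s in sessions.values():
        # Task 4: every accepted login must fall inside a window operations authorized.
        auth = next((a for a in authorizations
                     if a.user == s.user and a.start <= s.login <= a.end), None)
        end = s.logout or last_ts
        if auth is None:
            findings.append(Finding("unauthorized", s.user,
                            f"session {s.session_id} from {s.src} at {s.login} has no authorization"))
        elif end > auth.end:
            findings.append(Finding("overran_window", s.user,
                            f"session {s.session_id} ran until {end}; authorization ended {auth.end}"))
        # Task 3: nobody stays connected indefinitely.
        if s.logout is None:
            findings.append(Finding("still_connected", s.user,
                            f"session {s.session_id} has no logout as of {last_ts}"))
        if end - s.login > max_session:
            findings.append(Finding("timeout_exceeded", s.user,
                            f"session {s.session_id} lasted {end - s.login}, limit {max_session}"))
    # Task 5: denied attempts are reviewed too; a burst within deny_window is escalated.
    for user, stamps in denies.items():
        stamps.sort()
        burst = any(stamps[i + deny_burst - 1] - stamps[i] <= deny_window
                    for i in range(len(stamps) - deny_burst + 1))
        findings.append(Finding("deny_burst" if burst else "denied_attempt", user,
                                f"{len(stamps)} denied logins, latest {stamps[-1]}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(SAMPLE_LOG, AUTHORIZATIONS):
        print(f"{f.kind:18} {f.user:14} {f.detail}")
```

Run against the constructed log, session 101 is clean (inside its window, logged out, under the limit), session 102 overran its window by half an hour, session 103 was never authorized and is still open past the timeout, and the three denied admin logins inside 40 seconds surface as a burst. Each finding maps to one discrepancy that operations should treat as a potential incident.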
Don't Turn a Tool into a Weapon

Generation facilities are important to the stability of the grid, and they have a duty to both the public and stakeholders to take reasonable measures to protect themselves from malicious actors. While remote access is important, and often vital, to the bottom line, it is also a means that can reduce profitability and increase risk.

Do it right, or don't allow remote access at all. ■

-Michael Toecker, PE (toecker@context-is.com) specializes in the security of industrial control systems, particularly those in power generation and transmission.