SDN Industrial Controls Study

Technical Operations

A small installation such as an electricity substation might have 100-200 programmable devices attached to a substation LAN, including transformers, circuit breakers, reclosers and meters. Traffic on the LAN is neither encrypted nor authenticated, because of stringent latency requirements, so anyone with access to the wiring could disrupt operations. Anyone with physical access could do this anyway by operating manual override switches, so the real issue is whether an attacker might gain remote access to a device on the LAN. Security at present depends on two devices: a station controller, which sits on the LAN, and a gateway attached both to the controller and to the WAN link (typically over the Internet to a network operations centre, protected by TLS). It is critical that neither of these be vulnerable to remote software attack, and that together they provide effective protection for the devices behind them.

In effect, the security architecture is one of re-perimeterisation. It is not generally feasible to retrofit authentication or other security mechanisms, because of the variety of equipment involved and because its service life is measured in decades rather than years. Work is under way to agree new versions of the control-system protocols that do support authentication, and new equipment may support them within perhaps five years; however, it is likely to be decades before most deployed systems are replaced.

The same applies to larger installations such as power stations and network control centres. Here, however, the re-perimeterisation is much more complex. A power station may have communications at five different safety integrity levels:

  • The safety systems will typically be at SIL 3, and must not be vulnerable to interference or service-denial attacks from any lower level. The safety systems prevent failures leading to loss of life or catastrophic damage to plant; for example, by shutting down a nuclear reactor if the reaction exceeds specified limits.
  • The control systems will typically be at SIL 2, and likewise must not be vulnerable to interference or attacks from below.
  • Monitoring systems will typically be at SIL 1. Although they cannot affect higher levels directly, the loss of monitoring systems can make control systems unusable, leading to a precautionary plant shutdown. So they too must be protected from problems at lower levels.
  • Below this are the plant's executive information systems and business processes such as invoicing and payroll. Although these systems lie below the mandatory access control framework of the SILs, there may be a business case for further network segregation, for example to protect internal financial systems from Internet-facing web and mail servers.
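The "must not be vulnerable from below" rule across these levels is, in effect, an integrity policy, and in an SDN deployment it is something the controller can check before installing flows. The following is an added example, not code from the study: it treats the four zones above as integrity labels, admits a flow only if the initiating zone's level is at least the destination's, and renders the forbidden zone pairs as Open vSwitch drop rules. The zone names, the numeric level for the business zone, the subnet addresses and the sample flows are all constructed for the example.

```python
"""Integrity-level segregation check for an SDN controller's flow table.

Added example, not part of the SDN Industrial Controls Study. The page's
rule that no level may be interfered with "from below" is modelled as a
Biba-style integrity policy: a flow is admitted only if the source zone's
SIL is at least the destination zone's SIL. Zone names, the level assigned
to business systems, subnets and sample flows are constructed here.
"""
from dataclasses import dataclass
from itertools import permutations

# Levels from the text: safety SIL 3, control SIL 2, monitoring SIL 1.
# Business systems sit below the SIL framework; 0 is an assumed label.
ZONE_SIL = {"safety": 3, "control": 2, "monitoring": 1, "business": 0}

# Constructed addressing for the example; real plants will differ.
ZONE_SUBNET = {
    "safety": "10.0.3.0/24",
    "control": "10.0.2.0/24",
    "monitoring": "10.0.1.0/24",
    "business": "10.0.0.0/24",
}


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone of the host that initiates the connection
    dst_zone: str   # zone of the host being contacted
    purpose: str    # free text, used only in the audit report


def flow_allowed(flow: Flow) -> bool:
    """True if admitting the flow cannot let a lower level reach a higher one."""
    return ZONE_SIL[flow.src_zone] >= ZONE_SIL[flow.dst_zone]


def audit(flows):
    """Split candidate flows into (allowed, rejected) lists."""
    allowed = [f for f in flows if flow_allowed(f)]
    rejected = [f for f in flows if not flow_allowed(f)]
    return allowed, rejected


def deny_pairs():
    """Ordered (src, dst) zone pairs where a lower-SIL zone would initiate
    into a higher one; these need drop rules regardless of protocol."""
    return sorted((s, d) for s, d in permutations(ZONE_SIL, 2)
                  if ZONE_SIL[s] < ZONE_SIL[d])


def drop_rules(bridge="br0"):
    """Render the deny pairs as ovs-ofctl add-flow commands. Priority 100 is
    assumed to sit above a lower-priority default forwarding rule."""
    return [
        f'ovs-ofctl add-flow {bridge} "priority=100,ip,'
        f'nw_src={ZONE_SUBNET[s]},nw_dst={ZONE_SUBNET[d]},actions=drop"'
        for s, d in deny_pairs()
    ]


# Constructed sample flows, including the vendor maintenance case the
# text raises as a source of separation breakdown.
SAMPLE_FLOWS = [
    Flow("safety", "control", "safety system pushes trip status to control"),
    Flow("control", "monitoring", "controllers publish plant state to historian"),
    Flow("control", "control", "controller-to-controller coordination"),
    Flow("monitoring", "control", "historian polls controllers for state"),
    Flow("business", "monitoring", "ERP pulls production figures from historian"),
    Flow("business", "control", "vendor maintenance session from corporate LAN"),
]


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_FLOWS)
    for f in ok:
        print(f"ALLOW  {f.src_zone:>10} -> {f.dst_zone:<10} {f.purpose}")
    for f in bad:
        print(f"REJECT {f.src_zone:>10} -> {f.dst_zone:<10} {f.purpose}")
    print()
    for rule in drop_rules():
        print(rule)
```

The rendered rules are stateless, which is exactly where separation starts to break down in practice: a legitimate high-to-low TCP session still needs its acknowledgements to travel from the lower zone back up, and the drop rules above block them. The two honest answers are to make downward traffic genuinely one-way (UDP or multicast push, or a data diode), or to admit only the established direction with Open vSwitch connection tracking (`ct_state` matches) so that nothing below can initiate upwards. The moment a "temporary" allow rule is added for a vendor maintenance session, the model in `deny_pairs` no longer describes the network.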

As in the airport case, the applications at these levels have differing requirements for latency, bandwidth, resilience, virtualisation and flexibility. There is nothing like the same diversity of organisations as at an airport, but there is some: the vendors of various pieces of equipment will have maintenance access, as will control-systems contractors. Here the issue is not so much the management of a complex high-bandwidth network with some separation requirements, as the maintenance of high-quality separation between critical networks in a complex environment where separation can easily break down, as we shall now discuss.
