Continued from technical article: Detecting Cyber Intrusion in SCADA System
The Three R’s As Response
The “three R’s” of the response to cyber intrusion are:
- Reporting, and
Theoretically, it would be desirable to record all data communications into and out of all substation devices.
In that manner, if an intruder successfully attacks the system, the recordings could be used to determine what technique the intruder used, in order to modify the system and close that particular vulnerability. Secondly, the recording would be invaluable in trying to identify the intruder.
In addition, if the recording is made in a way that is demonstrably inalterable, then it may be admissible as evidence in court if the intruder is apprehended.
However, due to the high frequency of SCADA communications, the low cost of substation communications equipment, and the fact that the substations are distant from corporate security staff, it may be impractical to record all communications.
In practice, although theoretically desirable, system owners will probably defer any attempts to record substation data communications until:
- Storage media are developed that are fast, voluminous, and inexpensive or
- SCADA-oriented IDSs are developed, which can filter out the non-suspicious usual traffic and record only the deviant patterns.
But even if the communications sequence responsible for an intrusion is neither detected nor recorded when it occurs, nevertheless it is essential that procedures be developed for the restoration of service after a cyber attack.
It is extremely important that the utility maintain backups of the software of all programmable substation units and documentation regarding the standard parameters and settings of all IEDs (Intrusion Detection Systems). These backups and documentation should be maintained in a secure storage, not normally accessible to the staffs who work at the substation.
It would appear advisable that these backups be kept in a location other than the substation itself to lower the amount of damage that could be done by a malicious insider.
After the utility concludes that a particular programmable device has been compromised (indeed, if it just suspects a successful intrusion), the software should be reloaded from the secure backup.
“If the settings on an IED had been illicitly changed, the original settings must be restored.”
Unless the nature of the breach of security is known and can be repaired, the utility should seriously consider taking the device off-line or otherwise making it inaccessible to prevent a future exploitation of the same vulnerability.
Resource: Electric Power Substations Engineering – J. D. McDonald