1. Executive Summary
Cybersecurity is more critical than ever: the number of smart devices connected to the Internet keeps growing and the Internet of Things (IoT) keeps expanding, so security for all of these connected devices is essential. Taipower issued the "Information and Communication Security Promotes System" and "Directions for Operations of Information and Communication Security" in 2001, obtained ISO 27001/BS7799 security certification in 2004, and has kept that certification valid ever since.
The Executive Yuan, R.O.C. issued the "Cyber Security Management Act" in 2018. Under it, participants in National Critical Infrastructure are required to submit a "Cybersecurity Maintenance Plan" together with its execution results every year, and to pass ISO 27001 information security certification. Taipower is the critical infrastructure provider for power facilities and acquired ISO 27001 certification in 2005. Taipower also follows "The cybersecurity protection baseline of Critical Infrastructure ICS (Industrial Control System) in Energy and Water area" issued by the Ministry of Economic Affairs, which has become the standard cyber security guideline for ICT (Information and Communication Technology) systems in Taipower. Accordingly, in February 2020 Taipower issued its "Cyber Security Maintenance Plan" and carries out cyber security procedures that not only protect the company's core IT systems but also keep the focus on the cyber security defense of power line infrastructure and smart grid development.
"The cybersecurity protection baseline of Critical Infrastructure ICS in Energy and Water area" was compiled with reference to international cyber security documents such as ISO 27001, ISO 27091, IEC 62443 and NIST SP 800-82. Following the procedures required by the government, Taipower issued the "Cyber Security Maintenance Plan" as the baseline for IT (Information Technology)/OT (Operational Technology) cyber security defense, and thereby also complies with international IT and OT cyber security standards.
In smart grid operation and management, the reliability of information and real-time communication networks plays a critical role. Cybersecurity threats to ICT therefore also affect the smart grid. Since cyber attacks on CII (Critical Infrastructure Information) are increasing, Taipower is developing the "Smart Grid Security Deployment Plan" with reference to IEC 62443, NIST SP 800 and "The Guideline of CII Cybersecurity Protection" issued by the Executive Yuan. The project is ongoing and is improved continuously.
For the Advanced Meter Infrastructure (AMI) of the smart grid, the cybersecurity risk is higher because of its large number of devices, their wide geographic distribution, and their remote locations. Therefore, we have to estimate the potential risk of every AMI device. Based on the estimated result, we take protection steps for the physical devices, the network, and the applications.
Taipower keeps its promise to protect customers' private data. As the smart grid develops, more data is generated over time. In line with the law and its commitments to customers, Taipower implements various protection methods to ensure that customers' private data and information are not leaked.
Analysis and sharing of cybersecurity information are the core of the whole cybersecurity defense mechanism. Besides strengthening its various cybersecurity capabilities, Taipower also acquires cybersecurity information rapidly and in advance to increase its protection ability. Taipower established an ISAC (Information Sharing and Analysis Center) to exchange intelligence with the government's energy ISAC platform. By sharing cybersecurity information, we achieve the goal of joint defense and avoid potential security threats.
Implementation of IDS (Intrusion Detection System) in OT Field
Taipower has implemented IDS in the OT field and has integrated the IDS data with the Taipower SOC since 2020.
The primary purpose of our IDS is to identify and log incidents on the OT network. It does this by analyzing data packets, detecting suspicious activity, and logging that activity. The benefit of the IDS is that it allows security professionals to detect and understand exploits and attacks on the network and to achieve 7x24 non-stop monitoring. The IDS also allows security professionals to establish a baseline of expected traffic and to obtain a record and a notification when protocols and traffic patterns deviate from that baseline.
ICSs (Industrial Control Systems), supervisory control and SCADA (Supervisory Control And Data Acquisition) networks face a growing number of threats, including IoT-based malware and cyber attacks. As the power, automation, and industrial control industries transition from circuit-switched to packet-switched communications, SCADA and ICS networks are becoming very popular attack targets.
The IDS monitors both inbound and outbound communications on the OT network and among devices, and it records events such as unauthorized access attempts, port scans, probes, buffer overflows, OS (Operating System) fingerprinting, and other forms of attack.
A network IDS has become a very important piece of the enterprise security framework. It adds security controls not previously available and provides enhanced situational awareness within a single network segment. In addition to the antivirus protection and firewalls on Taipower's supervisory control and SCADA networks, a properly deployed, configured, and managed IDS adds the ability to detect whether a network has been breached.
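As an added illustration of the baseline-and-deviation approach described above (example code, not Taipower's IDS), the script below learns the expected OT flows from a learning window of constructed flow records and then reports sources never seen before, unexpected protocols on known device pairs, and port scans. The addresses, protocol labels and scan threshold are hypothetical.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, protocol, dst_port); the
# addresses and protocol labels are hypothetical, not real Taipower data.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", "modbus", 502),
    ("10.10.1.5", "10.10.2.11", "modbus", 502),
    ("10.10.1.6", "10.10.2.10", "dnp3", 20000),
    ("10.10.1.5", "10.10.2.10", "modbus", 502),
]

LIVE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", "modbus", 502),   # matches baseline
    ("10.10.1.5", "10.10.2.10", "tcp", 23),       # known pair, unexpected protocol/port
    ("10.10.1.9", "10.10.2.10", "ssh", 22),       # source never seen in baseline
    ("10.10.1.9", "10.10.2.10", "tcp", 23),
    ("10.10.1.9", "10.10.2.10", "tcp", 80),
    ("10.10.1.9", "10.10.2.10", "tcp", 443),
    ("10.10.1.9", "10.10.2.10", "tcp", 502),
    ("10.10.1.6", "10.10.2.10", "dnp3", 20000),   # matches baseline
]


def learn_baseline(flows):
    """Build the baseline: allowed (proto, port) pairs per (src, dst), plus
    the set of sources that appeared at all during the learning window."""
    allowed = defaultdict(set)
    for src, dst, proto, port in flows:
        allowed[(src, dst)].add((proto, port))
    sources = {src for src, _, _, _ in flows}
    return {"allowed": allowed, "sources": sources}


def detect(flows, baseline, scan_threshold=4):
    """Return a list of (kind, detail) alerts for flows that deviate from the
    baseline: NEW_SOURCE (once per unseen source), PROTOCOL_DEVIATION (known
    pair, protocol/port not in the baseline) and PORT_SCAN (one source reaching
    >= scan_threshold distinct ports on one destination)."""
    alerts = []
    reported_sources = set()
    ports_by_pair = defaultdict(set)
    for src, dst, proto, port in flows:
        ports_by_pair[(src, dst)].add(port)
        if src not in baseline["sources"]:
            if src not in reported_sources:
                reported_sources.add(src)
                alerts.append(("NEW_SOURCE", src))
        elif (proto, port) not in baseline["allowed"].get((src, dst), set()):
            alerts.append(("PROTOCOL_DEVIATION", (src, dst, proto, port)))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_threshold:
            alerts.append(("PORT_SCAN", (src, dst, len(ports))))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(kind, detail)
```

In a real deployment the learning window must itself be reviewed before it is trusted, otherwise traffic that was already malicious during learning becomes part of the baseline.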
2. Promoting Cybersecurity History
With the rise of the Internet, Taipower has kept up with this trend. To prevent and avoid potential network security threats, Taipower has implemented firewalls, proxy servers, DMZs (Demilitarized Zones), IDS, IPS (Intrusion Prevention System), antivirus software, and a WAF (Web Application Firewall). Taipower improves application security not only with white-box testing during the software development process but also with black-box testing before applications go live. In addition to Defense-in-Breadth, Taipower also uses Defense-in-Depth as part of the company's security architecture to keep the network safer.
With the rapid development and popularization of information and communication technology and the Internet, cybersecurity has become a critical issue for public safety and national security. Therefore, the government promulgated the "Information Security Management Essentials of the Executive Yuan and its Organs" on September 15, 1999, and the "Management specification of Information Security of the Executive Yuan and its Organs" on November 16, 1999. This was the starting point from which the government led its organizations to establish a general awareness of security and to carry out security protection mechanisms together.
On November 14, 2001, Taipower issued the "Information and Communication Security Promotes System" and "Directions for Operations of Information and Communication Security" as the regulations governing the development and application of information technology. Furthermore, Taipower established a task force that implements information and communication security plans and assists major departments in obtaining ISO 27001/BS7799 security certification, and every department has established a corresponding task force. Since 2004, the related departments have obtained the security certification and are committed to keeping it valid.
To strengthen the security and resilience of critical infrastructure, U.S. President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in 2013. After that, the generally accepted term "Information and Communication Security" was replaced with "Cybersecurity".
Many years ago Taipower set up a SOC to effectively prevent hackers' attacks and intrusions. The G-ISAC (Government Information Sharing and Analysis Center) was officially launched in November 2009; starting from the information exchanged on the G-ISAC platform, early warnings and solutions for cybersecurity are developed. The N-ISAC (National Information Sharing and Analysis Center) has operated officially since January 2018 to effectively manage and deliver interdisciplinary security information and to achieve horizontal collaboration in the joint defense of cybersecurity. Taipower is a member of both.
Cybersecurity covers a wide range of topics, including IT and OT. OT concerns the power generation, transmission, and distribution facilities, which are kept operating normally through automation and computerization. Because Taipower is an essential part of the National Critical Infrastructure, the principle of physical isolation between IT and OT operations is strictly required in order to guarantee a stable electricity supply.
Taipower's cybersecurity activities include establishing and maintaining appropriate protection facilities, scheduled disaster recovery and incident response drills, and regular audits. As information and communication technology develops and Taiwan's regulatory requirements change, for example the application of the smart grid and smart meters, the promulgation of the "Personal Information Protection Act" on December 30, 2015, and the promulgation of the "Cybersecurity Management Act" on December 21, 2011, the relevant cybersecurity practices are adjusted accordingly.
Recently, the Ministry of Economic Affairs issued the "Regulations of Cybersecurity Management of specific non-public organizations under the Ministry of Economic Affairs". Under it, participants in National Critical Infrastructure are required to submit a "Cybersecurity Maintenance Plan" every year and its execution results in the following year. Taipower's "Cybersecurity Maintenance Plan" is being drawn up right now. The Ministry of Economic Affairs plans to select providers of National Critical Infrastructure for an on-site audit every year, in which it audits the execution results of the provider's "Cybersecurity Maintenance Plan".
On February 10, 2020, Taipower issued its "Cyber Security Maintenance Plan" after several rounds of cross-department discussion and meetings. Its content not only assesses the risk to the company's core business in detail but also plans the cyber security incident reporting mechanism and how the performance of its execution is managed. For OT cyber security, Taipower follows the regulations issued by the Ministry of Economic Affairs, which become the baseline cyber security rule for ICT systems in Taipower. In accordance with that rule, Taipower keeps its focus on the cyber security defense of power line infrastructure and smart grid development.
It is estimated that in 2020 the local smart grid distribution centers maintained by the power supply department and the new generator equipment in power plants will be raised to a higher cyber security level as their importance increases. To meet the corresponding cyber security regulatory requirements, Taipower plans, for example, to apply for an ISMS within 2 years after the cyber security level is assigned and to acquire ISO 27001 certification within 3 years. Currently, the power substation department (Taichung) and the department of telecommunications passed ISO 27001 certification in 2019.
All of Taipower's protection practices aim to ensure that the information and communication facilities operate safely and that personal privacy is better protected. Most important of all, customers should be satisfied with Taipower's services and give positive feedback.
3. Smart Grid Security Deployment Plan
In line with government policies, Taipower aims to be a builder of smart grids. In addition to improving power generation performance, the organization is gradually improving power transmission and distribution efficiency. Taipower also aims to drive power technology innovation by promoting automated power distribution and the construction of power-loop supply. Planning and constructing a smart grid further increases the reliability of the power supply. During the construction of the smart grid, in addition to ensuring the security of the transmission and distribution network, it is essential to secure AMI data transmission, which belongs to the scope of OT security. Taipower has built the system architecture of the smart grid on international security standards (ISO/IEC 62443, NERC CIP and NIST SP 800-82) to ensure compliance with their security assurance levels.
The ISO/IEC 62443 standard defines a series of security requirements and introduces four security levels. Except for the top level, which concerns national security, the other three levels are as follows: Security Level 1 (SL1) is designed to prevent accidental or incidental violations. Security Level 2 (SL2) contains the requirements of SL1 and adds 23 extended requirements. Security Level 3 (SL3) includes the requirements of SL2 and adds 30 extended requirements. In addition, the IEC 62443-3-3 specification defines approximately 37 general security requirements and is a comprehensive reference for critical infrastructure equipment.
3-1 System Architecture
Based on the ISO/IEC 62443 standard mentioned above, the primary task of the security protection designed into Taipower's smart grid system architecture is to protect the integrity of the company's IT/OT assets and to manage risk by developing the company's cybersecurity policy. The system architecture design consists of the following steps:
Figure 1 The TPC-ISAC Architecture
For the IT/OT cybersecurity of the smart grid, there are three lines of cybersecurity defense and an information sharing mechanism.
The first line of defense: firewall or unidirectional gateway (data diode)
The second line of defense: IDS
Figure 1-2 Intrusion Detection Mechanism (IDS) as the second line of defense
The third line of defense: application white-list
Figure 1-3 EMS (Energy Maintain System) function requirement.
Cybersecurity Information Sharing
Cybersecurity information sharing and analysis mechanisms are based on the characteristics of the smart grid: cross-regional, mixed (wired/wireless) network architectures, and 365-day full-time operation. External information sharing combined with internal real-time monitoring forms the joint defense that enhances cybersecurity.
3-2 Overview of Key Function
In addition to the ISO/IEC 62443 standard, the company also takes into consideration the control measures for ICS security protection proposed by NIST SP 800-82, and it enhances network and environmental protection based on Taiwan's cybersecurity protection benchmark. ICS includes SCADA, DCS, PLC, Programmable Automation Controller (PAC), HMI and Instrumentation & Control (I&C). Taipower's smart grid security protection specifications are divided into 11 categories: "Industrial Control System Network Architecture", "Access Control", "Audit and Responsibility", "Contingency Planning", "Identification and Authentication", "System and Communication Protection", "System and Service Acquisition", "Physical Protection", "System and Information Integrity", "Configuration Management" and "Organization Management", and they emphasize the integrity of ICS-related systems and the usability of data.
1. ICS Network Architecture
The industrial control system network is most vulnerable at the boundary between the ICS network and the IT network. Given the differences between the industrial control system and the IT network, the ICS network architecture should be planned, and its boundary protection enhanced, according to the ICS's own characteristics.
2. Access Control
In the ICS field, there are security weaknesses such as low password complexity, remote connections to the system for remote maintenance or control management, and excessive system authorization. As a result, user account management, restricted remote access, access control for wireless network facilities, and prevention of unauthorized access are the primary concerns. It mainly focuses on the following subjects:
- Account Management
- Remote Access
- Least Privilege
- Wireless Management
3. Audit and Accountability
When an industrial control system suffers a security incident, it is nearly impossible to handle it properly if details are missing, which may lead to repeated occurrences of similar incidents. For this reason, relevant recommendations and information are collected for auditing. Most industrial control systems do not support auditing functions or auditing tools. However, systems subject to accountability have to provide audit events, audit record contents, audit storage capacity, and handling of audit processing failures to meet the audit requirements. It mainly focuses on the following items:
- Audit Events
- Content of Audit Records
- Audit Storage Capacity
- Response to Audit Processing Failures
- Time Stamps
- Protection of Audit Information
4. Contingency Planning
Industrial control systems have physical components at fixed locations. When a component suddenly fails, the service it provides can be interrupted if there is no immediate replacement or backup solution. At that point, the organization should initiate its emergency response plan to recover operation. It mainly focuses on the following items:
- Contingency Plan
- Safe Mode
- Control system backup
- The specific characteristics of the ICS
5. Identification and Authentication
Authentication matters because industrial control systems often have security issues such as unauthorized access by users or multiple people sharing one set of system accounts. When establishing identification and its corresponding protection measures, it is necessary to consider whether the countermeasure affects system performance, and then to adjust the security solutions to the target environment. The scope of identification and authentication covers users, devices, and authenticator feedback. It mainly focuses on the following items:
- Organizational Users Identification and Authentication
- Device Identification and Authentication
- Authenticator Management
- Authenticator Feedback
6. System and Communications Protection
Common vulnerabilities in ICS environments include plain-text transmission, lack of integrity checks and missing configuration backups. Taking into account the performance and availability of the system, communication protection requires the confidentiality and integrity of data in transmission and in storage, adjusted to the target environment. It mainly includes the following items:
- Transmission Confidentiality and Integrity
- Protection of Data storage
7. System and Services Acquisition
Cyber threats may be caused by incomplete provision by external service providers. The scope of cyber defense includes external system services and the corresponding documentation.
- External System Services
- System Documentation
8. Physical and Environmental Protection
Common ICS security threats in the physical environment include lack of backup power, lack of temperature and humidity control, and uncontrolled physical access by people. Therefore, advice should be provided on physical access authorization, physical access control, physical access monitoring, emergency power, temperature and humidity control, water and damage protection, and access by third parties and accompanied visitors. The main focuses are listed below.
- Physical Access Authorizations
- Physical Access Control
- Monitoring Physical Access
- Emergency Power
- Temperature and Humidity Control
9. System and Information Integrity
ICS systems typically lack security countermeasures such as malware protection, bug fixes, updates, and system monitoring. Consequently, an ICS is exposed to cyber threats when it connects to the Internet. Therefore, bug fixes, malware protection, system monitoring, and protection against predictable faults are proposed to improve both system and information integrity. Its main focuses are:
- Flaw Remediation
- Malicious Code Protection
- System Monitoring
- Fault Tolerance
10. Configuration Management
Common security weaknesses concern the control of configuration changes and the authority granted for system administration. The main items are listed below.
- Configuration Change Control
- Least Functionality
11. Organization Management
Common organizational management weaknesses in the ICS domain include lack of security awareness training, inadequate management plans, and incomplete security procedures. This control category provides recommendations for outsourcing management, personnel management, risk management and incident response at the business management level. Its main focuses are the following items:
- Outsourcing Management
- Personnel Management
- Risk Management
- Incident Response
3-3 Cyber Threat Monitoring and Analysis (Security Operation Center, SOC)
3-3-1 Functional Architecture
At present, Taipower's SOC monitoring center collects logs from each security device through a front-end log collector (FSA) and then sends them to the Security Information and Event Management (SIEM) system for real-time monitoring.
Figure 2 The monitoring architecture schematic
3-3-2 Monitor Scope
The monitored device types mainly include firewalls, WAFs, intrusion detection systems (IDS), various servers, routers, and so on. The list of quantities is as follows:
3-3-3 Rules Design
Rule development is based on what the front-end devices observe of the attackers' behavior. In addition to accurate and in-depth analysis of the results obtained from a single device, for subtle or high-risk attack patterns the SOC uses active learning with automatic analysis mechanisms to correlate logs from multiple devices and discover hidden threats. At the same time, it provides a 7x24 non-stop active detection mechanism and alert service that helps block the connection at the first moment to minimize possible damage.
Table 1 notification type description list
3-3-4 Concept of Rules
Rules are designed according to the attack methodology, the level of impact, and the type of security device. The concept used to identify an attack is described as follows.
A real-time rule is one that has been properly designed, tested and debugged before going live. However, intrusion methods are sophisticated and there are always 0-day attacks on the Internet, so the SOC has to pay attention to the latest announcements and never stop fine-tuning the real-time rules. All developed rules are treated as foundational building blocks that can be used to design the next generation of monitoring rules. In the meantime, the SOC continuously collects information on security incidents and profiles their attack methodologies to enhance its defense coverage. In addition, optimizing existing rules is essential to increase accuracy and avoid excessive false alarms.
4. The Security Deployment Project of AMI
4-1 Project Overview
Advanced Meter Infrastructure (hereinafter referred to as AMI) is one of Taipower's smart grid construction projects. The whole system is composed of modular intelligent electronic meters with computing and storage capabilities (hereinafter referred to as smart meters), communication systems for data transmission (hereinafter referred to as communication systems), and a Meter Data Management System (hereinafter referred to as the MDMS system) responsible for the management, storage, verification, and analysis of the huge volume of meter data (Figure 3).
Figure 3 The system architecture of AMI in Taipower
In Taiwan, smart meters for high-voltage users (above 11.4 kV) were completely installed in 2013, covering over 24,000 users. For low-voltage users, by the end of 2018 Taipower had installed smart meters in 200,000 households and will reach the goal of 3 million households by the end of 2024. The following describes the planning, implementation, and management of AMI security protection.
4-2 Risk Assessment
For the security evaluation of the AMI system, Taipower conducted a risk assessment of its use cases. Each use case was reviewed from a high-level, overall functional perspective covering asset identification, vulnerabilities, threats and the specification of potential impacts. The output was used as the baseline for selecting security requirements and for identifying gaps in the guidance and standards related to those requirements.
The risk assessment focuses on how meter data is handled through the AMI system end to end, from the smart meter to the MDMS system. Both bottom-up and top-down approaches were used. The bottom-up approach focused on well-understood problems that need to be addressed, such as authenticating and authorizing users or devices to access meter data, key management for meters, and intrusion detection for the MDMS system. In the top-down approach, logical interface diagrams were developed for the three functional areas (smart meter, AMI communication system, MDMS system) that are the major components of the AMI system, and from that functional perspective it was reviewed how the security measures should be applied.
Taipower uses the methodology described above to evaluate the appropriate security measures for the three major components of the AMI system. The detailed measures are described in Sec. 4-3.
4-3 Security Architecture of AMI
4-3-1 Smart Meter Security Protection Measures
The cover of the smart meter has a seal point for a seal lock to maintain the confidentiality of the meter data and prevent illegal opening of the smart meter (Figure 4). From outside the smart meter, data can only be transmitted through the optical communication port, which is designed according to the national standard CNS 15593.
Figure 4 The Smart Meter Body Structure
In the smart meter acceptance test, Taipower performed data reading and transmission tests to ensure the integrity and availability of meter data transmission. If opening of the smart meter's external cover is detected, the smart meter immediately generates a "meter cover open" warning message and sends it through the communication system back to the back-end system so that Taipower personnel can handle the event properly. The only way to reset the "meter cover open" warning is through the back-end system or by using a handheld device to send the reset instruction through the optical communication port. If the whole smart meter is removed, the smart meter can still use its internal backup power to return a "power outage" message to the back-end system when it loses power; and since removing the entire smart meter causes the household to lose power, the user will also report to the Taipower customer service system, so this dual reporting mechanism allows Taipower personnel to handle the abnormal event in time.
Smart meters are designed in accordance with the IEC 62056 standard, with a sound data transmission and confirmation mechanism to ensure the integrity of the meter data. Internal firmware, data and transmission operations are encrypted with high-strength key technology in accordance with the NIST IR7268 standard. The smart meter uses different encryption keys for the field area network (FAN, connected to the AMI communication system), the home area network (HAN, connected to the Home Energy Management System) and the local side; any read from or write to the meter must use the correct key, otherwise the meter does not respond, which ensures the overall confidentiality of the meter software. The optical communication port of the smart meter has a threshold on consecutive retries: after a certain number of malicious accesses, the internal security mechanism stops responding, which prevents brute-force cracking and ensures the availability of the meter system's data. The smart meter also has a software security gateway that performs firewall, flow control and log storage functions for the FAN and HAN connections respectively.
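The following is an added, constructed model of the meter access rules just described (example code, not Taipower's meter firmware): one key per interface with silent non-response on a wrong key, a retry threshold that locks the optical port, and a "meter cover open" flag that can be reset only by the back-end (assumed here to reach the meter over the FAN) or by a handheld on the optical port. The HMAC-SHA256 request tag, the key values, the retry limit and the persistent lockout are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

RETRY_LIMIT = 3  # hypothetical threshold for consecutive optical-port failures


@dataclass
class MeterState:
    cover_open: bool = False
    optical_failures: int = 0
    optical_locked: bool = False
    log: list = field(default_factory=list)


def sign(key, message):
    """Tag a request with HMAC-SHA256 (assumed scheme, stands in for the real key technology)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class SmartMeter:
    def __init__(self, keys):
        # keys: {"FAN": bytes, "HAN": bytes, "LOCAL": bytes}; LOCAL is the optical port.
        self._keys = keys
        self.state = MeterState()

    def request(self, iface, message, tag):
        """Handle a read/write on one interface. Returns the reply bytes, or
        None for silent non-response (wrong key, unknown interface, or a
        locked optical port), mirroring the 'meter will not respond' rule."""
        st = self.state
        if iface == "LOCAL" and st.optical_locked:
            return None
        valid = iface in self._keys and hmac.compare_digest(sign(self._keys[iface], message), tag)
        if not valid:
            st.log.append(("AUTH_FAIL", iface))
            if iface == "LOCAL":
                st.optical_failures += 1
                if st.optical_failures >= RETRY_LIMIT:
                    st.optical_locked = True
                    st.log.append(("OPTICAL_LOCKED", iface))
            return None
        if iface == "LOCAL":
            st.optical_failures = 0  # a valid access ends the failure streak
        return self._execute(iface, message)

    def _execute(self, iface, message):
        if message == b"READ":
            return b"OK kWh=1234"  # constructed reading
        if message == b"RESET_COVER":
            # Reset only via back-end (FAN) or handheld on the optical port (LOCAL).
            if iface in ("FAN", "LOCAL"):
                self.state.cover_open = False
                return b"OK reset"
            return b"DENIED"
        return b"ERR unknown"

    def tamper_detected(self):
        """Cover switch fired: raise the flag and record the alarm to the back-end."""
        self.state.cover_open = True
        self.state.log.append(("COVER_OPEN", "alarm sent to back-end"))
```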
4-3-2 Communication System Security Protection Measures
Meter data is transmitted from the smart meter side mainly through the telecommunications system, using fiber-optic line access to the Taipower Information Center. A VPN is used to separate this traffic from general public Internet use, which secures the AMI communication system as planned.
The security protection features of the AMI communication system are as follows:
4-3-3 MDMS System Security Protection Measures
The MDMS system plays the role of AMI data gatekeeper, so Taipower has applied high safety standards when planning the relevant security measures, which must comply with the laws released by the Executive Yuan of the ROC government: the "Information System Classification and Security Protection Baseline Operation Provisions", "Secure Software Development Process Guidelines", "The Development of RFP Security Requirements Template for Information System Outsourcing", and other requirements with which a high-security system must comply. The following focuses on the implementation of the relevant measures, in the order of network boundary protection, internal network protection, host protection, application protection, and data protection.
Figure 5 The MDMS system network boundary protection
In addition to the security measures described above, Taipower also builds management mechanisms to ensure that AMI security measures are applied effectively, including computer room security management, personnel safety management, AMI meter key management, meter programming handheld device management, etc. The MDMS system also follows the company's "Security Incident Emergency Response Plan and Operation Processing Procedures" for event classification, notification channels, etc.
In the future, Taipower will continuously review technical and regulatory developments in AMI-related domains to ensure the timely improvement of the high-level security requirements of the AMI system.
5. Customer Privacy and Data Security
5-1 Commitment to Maintain Customer Data Security
Taipower has established policies, controls, and procedures to protect every customer's personally identifiable information and applicable energy usage data. To maintain customer data security, the high-level data protection and privacy strategy covers data protection strategies for the smart grid, as new types of data, such as 15-minute usage readings from the meter and billing information summaries, are generated and made available to customers.
Based on Taipower's information security management system (ISMS) and the Taiwan government's information security requirements, six perspectives, namely business process, application system, database management system, operating system, network environment, and physical environment, need to be strengthened in the areas of information security strategy, policies, management, deployment, monitoring, and system development, in order to meet the standard for protecting customer data and privacy.
Moreover, under Taipower regulations, all customer data in every application system must be classified into groups in order to distinguish the life cycle of sensitive data. According to the data access security management procedure, different roles, duties and levels of importance should be assigned in line with users' different access rights, so as to design an effective access control principle for sensitive information. Through top-down design, application systems need to build in strong information security access control from the start: subjects such as application system role authentication, system function access right design, sensitive data usage tracking records, and other non-business-oriented tasks are essential security requirements and should all be included in the evaluation.
5-1-1 Collection and Application of Customer Data
Personal information that Taipower collects:
5-1-2 The Policy of Security that Taipower Obeys
1. Taipower ISMS Policy
3. Security policy
5.2 Data Protection Best Practiced in Taipower
Employ a firewall to keep criminals out and sensitive data in.
Keeping security software, web browsers and operating systems up to date is the best defense against viruses, malware, and other online threats. Following our policy, software programs connect and update automatically to defend against known risks.
5-2-2 Implementing a Robust ISMS Awareness Program for Employees
Employees are often the handlers of customer data. They, therefore, need to be kept up-to-date on how to protect that information to make sure it does not accidentally land in the wrong hands. Our employees are periodically educated about the newest security attack and defense schemes and urged to employ best practices such as not responding to or opening attachments or clicking suspicious links in unsolicited email messages.
5-2-3 White-box Testing
Web applications are the center of our business innovation and provide services for our customers, but they are also the primary attack vector for malicious individuals seeking to breach the organization’s defenses. Because application security must be a priority, we use white-box testing technology to find common and potential vulnerabilities, such as SQL injection, in applications.
5-2-4 Database Activity Monitoring
We follow reasonable security measures to ensure that customers’ and employees’ personal information is protected from inappropriate and unauthorized access. Database activity monitoring tools identify and report database activities; this real-time security technology monitors and analyzes configured activities independently, without relying on the DBMS auditing or logs.
While a wide range of useful information is accessible through the web, outside access to data is controlled through authentication, authorization, and audit mechanisms, such as dbAegis (Database Activity Monitoring) (Figure 6).
Figure 6 Database activity monitoring architecture in Taipower
5-2-5 Transmittal of Data
Taipower uses SSL (Secure Sockets Layer) as the encryption protocol. SSL at the transport layer encrypts the HTTP traffic coming from the application layer. It adopts public-key cryptography to keep an internet connection secure and reliable, safeguarding any sensitive data sent between customer and server and preventing criminals from reading or modifying any information transferred, including potential personal details. Current websites and browsers generally combine HTTP with SSL (HTTPS) to attain secure communication.
When a user accesses data, it is transferred in SSL-encrypted packets. Even if a packet is intercepted by someone with malicious intent, they still cannot decrypt or read it.
For authentication, an account lockout mechanism is applied: after a user’s account fails identity verification 3 times, the account and the source IP are not allowed to continue attempting to log in for at least 30 minutes. In addition, the password is concatenated with a random number (salt) and processed with a hash function; the random number and the resulting output (but not the original password) are stored separately to safeguard passwords in storage. We also use a CAPTCHA mechanism for authentication and important transaction behavior to prevent attempts by automated programs. When users need to reset their password, or the system has to interface with an external system, they are asked to re-identify themselves, after which we send them a one-time, time-limited token. After receiving and checking the returned token, they are allowed to reset their password or connect to the external system.
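The lockout, salted-hash and one-time token rules described above, implemented as an added illustration that is not part of Taipower's systems or this report; the 3-failure and 30-minute values come from the text, while the token lifetime, the PBKDF2 work factor and the in-memory AuthService and ManualClock classes are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 3            # lockout after 3 failed verifications (from the text)
LOCKOUT_SECONDS = 30 * 60   # account and source IP blocked for at least 30 minutes (from the text)
RESET_TOKEN_TTL = 10 * 60   # assumed lifetime of the one-time reset token
PBKDF2_ROUNDS = 100_000     # assumed work factor for the password hash


def hash_password(password, salt=None):
    """Concatenate the password with a random salt and hash it.

    Returns (salt, digest); the caller stores the two separately and the
    plaintext password is never kept.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class ManualClock:
    """Constructed clock for offline demonstration; a real deployment passes time.time."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


class AuthService:
    """In-memory model (hypothetical) of the lockout, salted-hash and reset-token rules."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable clock so the time rules can be tested offline
        self.salts = {}               # account -> salt   (kept separately from the digests)
        self.digests = {}             # account -> digest
        self.failures = {}            # account or source IP -> (failure count, locked_until)
        self.reset_tokens = {}        # token -> (account, expires_at)

    def register(self, account, password):
        salt, digest = hash_password(password)
        self.salts[account] = salt
        self.digests[account] = digest

    def _locked(self, key):
        _, locked_until = self.failures.get(key, (0, 0.0))
        if locked_until and self.clock() >= locked_until:
            del self.failures[key]    # lockout has expired: count failures afresh
            return False
        return self.clock() < locked_until

    def _record_failure(self, key):
        count, locked_until = self.failures.get(key, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            locked_until = self.clock() + LOCKOUT_SECONDS
        self.failures[key] = (count, locked_until)

    def login(self, account, password, source_ip):
        """Return "locked", "denied" or "ok"; failures count against both the account and the IP."""
        if self._locked(account) or self._locked(source_ip):
            return "locked"
        salt = self.salts.get(account)
        if salt is not None:
            _, digest = hash_password(password, salt)
            if hmac.compare_digest(digest, self.digests[account]):
                self.failures.pop(account, None)
                return "ok"
            self._record_failure(account)
        self._record_failure(source_ip)   # unknown accounts still count against the source IP
        return "denied"

    def issue_reset_token(self, account):
        """Issue a one-time, time-limited token after the user has re-identified."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (account, self.clock() + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token, new_password):
        """Accept a token exactly once, and only before it expires."""
        entry = self.reset_tokens.pop(token, None)   # removed on first use, valid or not
        if entry is None:
            return False
        account, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.register(account, new_password)
        self.failures.pop(account, None)
        return True
```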
5-2-7 Encryption for the confidential data
In the foreseeable future, database columns that contain confidential information such as personal identification numbers, bank accounts, and user addresses will all be encrypted. Encryption has little to no effect on system performance and is thus essentially transparent. After encryption, even if the data is fetched from the physical database, it remains unreadable without the correct decryption and is therefore incomprehensible. For users who are granted legitimate access rights, decryption is executed automatically in the background.
The mainframe uses a resource access control facility (RACF) to protect resources by granting access only to authorized users of the protected resources. RACF retains information about users, resources, and access authorities in special structures called profiles in its database, and it refers to these profiles when deciding which users should be permitted access to protected system resources.
To accomplish access control, RACF provides the ability to:
5-2-9 Sensitive Information and Privacy Data Protection Policy with AMI System
Table 2 Security policy with AMI system
5.3 Policies & Compliance
For the sake of enabling the corporation to operate efficiently and grow in a secure and stable environment, we follow our company's ISMS policies, actively applying information technology, strengthening operational management, and implementing the concept of "Cyber Security is Everyone's Responsibility", thereby attaining the confidentiality, integrity, availability, and legality of the information assets and critical infrastructures.
Annually, our ISMS execution group convenes a meeting to determine the priority of the risk management information assets and the acceptable risk values based on the results of the risk assessment. It follows the "Asset Categories and Weaknesses, Threat Correspondence Table", "Weakness Vulnerability Score Table", and "Threat Probability Table" to identify the actual risks and measure the existing controls of information assets. The group formulates a risk management plan to check whether the existing controls are sufficient for reducing the risk to an acceptable level. If they are not sufficient, additional safety control measures must be added. After the proposed new control measures are formulated, the person in charge and the due date of the improvement plan are assigned according to the "Procedures for the Safety Precautions Management Procedure". After the improvement is completed, the residual risk is assessed and the above content is recorded in the risk management plan. Taipower also has complete notification and contingency measures for security incidents, and holds security exercises regularly to ensure the continued operation of the business.
A good control requires that the organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) be reviewed independently at planned intervals or when significant changes occur. In addition to holding an internal audit of important information assets and critical infrastructure security at least once a year, Taipower also obtains an annual independent review of security risks and controls through external agencies such as BSI. This ensures impartiality and objectivity, brings fresh eyes, and provides the benefit of a reviewer other than the main author or administrator examining the policies. These reviews are carried out at planned, regular intervals and whenever significant, security-relevant changes occur; ISO compliance reviews take place at least annually.
The collection, processing and use of personal information shall comply with the provisions of the Personal Information Protection Act. Taipower only shares customer information with the public in compliance with the Personal Information Protection Act. As a public utility, Taipower seeks to protect the privacy of our customers’ personal information when complying with public records requests. Penalties for violations of the Personal Information Protection Act may be a fine of NT$20,000 to NT$500,000.
In order to lessen the likelihood of a cyber attack, Taipower puts the right people and processes in the right place.
Taipower also coordinates with government agencies and stakeholders to best protect our energy grid and technology systems, share information and develop protective standards. Working with industry partners and vendors, the company ensures it's taking steps to protect systems and data.
Taipower has detailed cybersecurity reporting requirements and strong partnerships to prevent and respond to threats. Our company's businesses have mandatory and enforceable cybersecurity standards to protect critical infrastructure. These extensive measures help keep networks safe and deter those wanting to do harm.
New security policies will be developed, and existing policies modified, to address emerging personal privacy issues. Privacy protection measures are designed into Smart Grid solutions and standards as part of the solution delivery cycle. Taipower will continue to develop and deploy personal privacy training and awareness programs, and will also introduce new data protection measures such as data encryption tools. Taipower implements the "Information Security and Personal Data Protection about Outsourcing Service Providers Audit Plan" each year, which involves the Legal Affairs Office and the Department of Civil Service Ethics. In addition, the higher authority, the Bureau of Energy of the Ministry of Economic Affairs, also forms a special audit team each year to check the personal data protection status of each unit of the Taipower Company.
6. Smart Grid Penetration Testing Platform
6-1 Project Overview
Smart grid has been promoted by Taipower for several years. To collect power operation data, the operational technology (OT) network needs to be connected with the information technology (IT) network, e.g. the intranet. Additionally, the proprietary information system environment of the smart grid is gradually being replaced by open systems; thus cybersecurity has become a major issue.
Penetration testing is clearly an adequate solution for the cybersecurity problems of a complicated information system such as the smart grid. Taipower has therefore planned to develop an effective penetration testing platform for finding the cybersecurity vulnerabilities of the smart grid.
According to “https://lp3.com/tips/5-benefits-of-penetration-testing/”, employing penetration testing brings numerous benefits.
6-1-1 Detect and Arrange Security Threats
A penetration test evaluates the ability of an organization to defend its applications, networks, users and endpoints from internal and external attempts to dodge its security controls and achieve privileged or unapproved access to protected assets. Penetration testing results confirm the threat posed by particular security vulnerabilities or faulty processes, allowing IT management and security experts to prioritize remediation efforts. By executing regular and complete penetration testing, organizations can more efficiently anticipate emergent security threats and prevent unauthorized access to crucial information and critical systems.
6-1-2 Circumvent the Rate of Network Downtime
Penetration testing helps an organization avoid such financial setbacks by proactively detecting and addressing threats before security breaches or attacks take place.
6-1-3 Protect Customer Loyalty and Company Image
Even a single occurrence of compromised customer data can destroy a company’s brand and negatively impact its bottom line. Penetration testing helps an organization avoid data incidents that may put the company’s reputation and reliability at stake.
6-1-4 Service Disturbances and Security Breaches are Expensive
Security faults and any associated disruptions in the performance of applications or services may cause debilitating financial harm, damage an organization’s reputation, grind down customer loyalty, generate negative press, and incur unanticipated fines and penalties. Frequent penetration testing spares the organization these expenses.
Penetration testing helps Taipower avoid smart grid invasions. It is better for Taipower’s business to proactively maintain its security than to face extreme losses, both to its brand equity and to its financial stability.
Furthermore, penetration testing should be carried out whenever there is a change in the smart grid information infrastructure by highly experienced experts who will scrutinize internet connected systems for any weakness or disclosure of information which could be used by an attacker to compromise the confidentiality, availability or integrity of the network.
In order to cope with the information security challenges arising from the smart grid and to gain the above benefits, Taipower created a research project to develop a platform for penetration testing of the smart grid information system. This project focused on IEC 61850 using specified scenarios and aimed at understanding the current international smart grid security-related standards and regulations, including the industrial control system standards used to validate information security functions.
Currently, the IEC 61850 standard substation automation information system is being pushed forward now that Taipower's smart grid policy has been decided. A typical configuration of Taipower’s IEC 61850 substation automation system is shown in Figure 7.
Figure 7 Taipower’s IEC 61850 substation automation information system
In Figure 7, a great number of IT devices are used, as well as TCP/IP networks. Cybersecurity must be considered in this situation. A penetration testing platform is therefore introduced for testing the vulnerabilities and cybersecurity holes of Taipower’s IEC 61850 substation automation system.
In practice, the IEC 61850 substation automation system is installed in a physically isolated network area. Conventional cybersecurity attacks, such as DoS, do not seem possible in this system. However, with the use of open information technology systems, the corresponding risk of vulnerabilities and viruses may rise. Also, the requirement for data exchange between IT and OT systems may create a data transfer route, and this route may in turn result in a hacker attack. Thus the cybersecurity of the substation automation system becomes a main issue, and penetration testing is an indispensable means of addressing it.
Penetration testing is an authorized and proactive effort to assess the security of an IT infrastructure by carefully running tests to exploit vulnerabilities of the system, whether they lie in an operating system, misconfigurations, service errors, or even unsafe end-user behavior. These evaluations help confirm the effectiveness of defensive mechanisms and the adherence of end-users to security procedures. Hence, in order to avoid hacker attacks and possible vulnerabilities in the smart grid, smart grid penetration testing needs to be carried out before commercial operation.
Taipower outsourced a smart grid penetration testing platform development project to Onward Security Corporation in 2015. This project has developed a platform for testing both IEC 61850 and DNP3.0 over TCP/IP SCADA systems; refer to Figure 8 and Figure 9.
Figure 8 Penetration testing platform for IEC 61850
Figure 9 Penetration testing platform for DNP3.0 over TCP/IP
Onward Security has also provided an analysis of up-to-date cybersecurity standards, including IEC 62351, NERC CIP 002-009, NISTIR 7628, IEEE 1686 and ISO 27019. Additionally, this analysis states which of these cybersecurity standards are suitable for Taipower to apply.
For the IEC 61850 cybersecurity purpose, Onward Security provides a recommendation for the mapped portion of IEC 62351 to Taipower. This recommendation also proposes the procedures for adopting cybersecurity in IEC 61850 and DNP3.0 over TCP/IP SCADA systems.
The content described in this section refers to two documents on industrial control system penetration testing methods: "Cyber Security Assessments of Industrial Control Systems Good Practice Guide", issued by the United States Department of Homeland Security in 2011, and "Guide to Penetration Testing for Electric Utilities", Version 3, issued by the National Electric Sector Cybersecurity Organization Resource (NESCOR). The project for developing the penetration testing platform will derive and analyze a tailored penetration testing procedure for the Taipower smart grid based on the above methodology.
Critical information infrastructure protection (CIIP) was included in the national security policy of every country after the 9/11 attacks. In 2013, fifty percent of the cybersecurity attack events counted by DHS ICS-CERT were focused on energy facilities. In the United States, the National SCADA Test Bed (NSTB) was set up in 2003 to resolve the intrusion and cybersecurity problems of ICS in critical infrastructure. The test bed provided the corresponding system tests and developed the related risk assessment methods as well as use cases for ICS in every application realm. The penetration testing methods are briefly stated in the following sections:
6-2-1 The Penetration Testing Methods Used by the United States Power Company
I. Security Evaluation Methods
The United States Department of Homeland Security announced the "Cyber Security Assessments of Industrial Control Systems Good Practice Guide" in 2011. This document proposes the test procedures for the assessment of ICS. The test procedure includes:
Figure 10 Cyber security assessments of ICS process flow chart
2. Vulnerability Assessment (VA) and Penetration Testing
Generally, Vulnerability Assessment (VA) means analyzing the security of the target system by means of an automated tool. This process does not exploit system vulnerabilities, nor can it detect some cybersecurity problems, e.g. DoS. Penetration Testing (PT), however, is focused on obtaining authorization and privileges on the target system. Several kinds of PT tools are utilized simultaneously, based on cybersecurity knowledge and experience. In practice, VA and PT on an ICS system should be carried out with great care and attention.
Penetration testing should be performed on a periodic basis depending on the criticality of the targeted system. This can be performed as a broad penetration test encompassing several control systems (such as an entire testing or staging control network), a targeted penetration test with a restricted scope of a single control system (management server to its controlled devices), or a test of a single component of a larger system, such as a historian or a recloser. It is recommended that this type of assessment be performed in testing or staging environments on an annual basis or after any major system upgrades or changes to the systems in question.
Penetration tests should start with a review of the target architecture to help the testing team gain a deeper knowledge of the target system. This will help the testing team understand the intended functionality of the targeted system, its expected security posture from an architectural perspective, and the security risks that vulnerabilities could pose to the organization. This is best performed through interviews with knowledgeable experts from both the product’s vendor and the utility or asset owner deploying the target system. A practical process flow for smart grid penetration testing planning and processing is shown in Figure 11.
Figure 11 The practice procedure for electric utilities penetration testing
All penetration tests should start with proper planning and scoping of the engagement. Once that is complete, the penetration testing tasks can be broken into the four distinct task categories displayed in Figure 11. Each of these task categories also requires different skill sets from the testing team. If there is sufficient staff, these four penetration task categories can be performed in parallel. Once these tasks are completed, the team should perform a gap analysis to verify all desired tests have been performed and all goals met. Finally, the team should generate a report documenting their findings, interpret these findings in the context of the utility’s deployment, and develop recommendations to resolve or mitigate these vulnerabilities.
The color difference between these four penetration task categories in Figure 11 represents the relative likelihood that a utility should consider performing these tasks. These recommendations are based on a combination of trends that NESCOR has seen in the industry and the level of expertise needed to perform these tests. To some degree, this also represents the relative risk target systems represent to the utility, as the compromise of the control servers is generally considered higher risk than the compromise of a single embedded field device or its network communications.
The colors in Figure 11 can be interpreted as:
The methods introduced here provide a security test basis for organizations in the United States. According to practical experience, the methods of penetration testing are almost the same everywhere; unequal test results are mainly caused by different executors.
6-2-2 Fuzz Testing Method
Fuzz testing was originally the main technique of software black-box testing. It is widely used to test the boundary values of functions in IT systems as well as in SCADA and ICS environments. The main purpose of fuzz testing is to find possible faults in software as well as violations of input value limits. The core technique of fuzz testing is to feed input data that does not always comply with the system logic. Fuzz testing does not care or expect which of the data will cause an abnormal situation; it only sends a large number of random inputs to the test target in order to observe the responses. The main usage of fuzz testing is testing the communication protocol security of ICS. Random input data will cause the input field to receive abnormal values. The abnormal response procedure and the stability of the network application system can be tested by varying the input data based on random numbers. A general fuzz testing procedure is shown in Figure 12.
Figure 12 Fuzz testing procedure
Figure 13 illustrates the whole procedure of a fuzz testing test plan. At the first stage, the communication protocol should be studied completely in order to determine the input fields, data types, and variation rules. The quantity of test samples and the test time for each sample should be evaluated for scheduling purposes. The test data are created at the next stage; meanwhile, the test samples should be entered or the test sample rules formulated. Based on these test samples and rules, the fuzz testing can subsequently be carried out in order to collect the response status and parameter values of the test target. The test results are then analyzed to find the test samples that cause an abnormal situation. Finally, the test report is created.
Figure 13 Stages of fuzz testing
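The stages above (study the protocol and its fields, create test data by variation rules, send the samples, collect abnormal responses, report them), carried out against a constructed toy frame parser as an added example that is not code from the report or from the Hercules SecDevice platform; the frame format, the parser defect, the mutation rules and the fixed random seed are all assumptions.

```python
import random

# Constructed toy ICS-style frame (hypothetical, not a real protocol):
#   START(2) | LEN(1) | FUNCTION(1) | PAYLOAD(LEN bytes) | XOR checksum(1) over LEN..PAYLOAD
START = b"\x05\x64"


class FrameError(Exception):
    """Expected rejection of a malformed frame."""


def xor_checksum(data):
    result = 0
    for byte in data:
        result ^= byte
    return result


def build_frame(function_code, payload):
    body = bytes([len(payload), function_code]) + payload
    return START + body + bytes([xor_checksum(body)])


def parse_frame_naive(frame):
    """Trusts the LEN field, the kind of defect fuzz testing is meant to surface."""
    if frame[0:2] != START:
        raise FrameError("bad start bytes")
    length = frame[2]
    function_code = frame[3]
    payload = frame[4:4 + length]
    checksum = frame[4 + length]          # out of range when LEN overstates the frame
    if xor_checksum(frame[2:4 + length]) != checksum:
        raise FrameError("bad checksum")
    return {"fc": function_code, "payload": payload}


def parse_frame_hardened(frame):
    """Validates sizes before indexing so every malformed input becomes a FrameError."""
    if len(frame) < 5:
        raise FrameError("frame too short")
    if frame[0:2] != START:
        raise FrameError("bad start bytes")
    length = frame[2]
    if len(frame) != 5 + length:
        raise FrameError("LEN field does not match frame size")
    if xor_checksum(frame[2:4 + length]) != frame[4 + length]:
        raise FrameError("bad checksum")
    return {"fc": frame[3], "payload": frame[4:4 + length]}


def mutate(seed, rng):
    """Apply one variation rule to a valid seed frame (stage 2: test data creation)."""
    data = bytearray(seed)
    rule = rng.choice(["bitflip", "byte", "truncate", "extend", "length"])
    if rule == "bitflip":
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif rule == "byte":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif rule == "truncate":
        del data[rng.randrange(len(data)):]
    elif rule == "extend":
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:                                 # field-specific rule: corrupt the LEN field
        data[2] = rng.randrange(256)
    return bytes(data)


def run_fuzz(parser, seed, iterations=1000, rng_seed=2021):
    """Stages 3 and 4: send samples, collect responses, return the samples that broke the parser."""
    rng = random.Random(rng_seed)         # fixed seed so every finding can be reproduced
    findings = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except FrameError:
            continue                      # rejection is the expected response to bad input
        except Exception as exc:          # anything else is an abnormal situation worth reporting
            findings.append((type(exc).__name__, sample.hex()))
    return findings


def rejects_cleanly(parser, frame):
    """True when the parser answers a malformed frame with FrameError, its expected response."""
    try:
        parser(frame)
    except FrameError:
        return True
    except Exception:
        return False
    return False


SEED_FRAME = build_frame(0x01, b"\x00\x10\x00\x02")   # constructed valid sample

if __name__ == "__main__":
    for name, parser in (("naive", parse_frame_naive), ("hardened", parse_frame_hardened)):
        print(name, len(run_fuzz(parser, SEED_FRAME)), "abnormal responses")
```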
6-3 Platform Architecture
The test platform is composed of a notebook computer with the necessary operating system and testing software. The notebook should be connected to the network with the test target in order to create a valid connection. User commands of the test are given via a web browser interface. The test result could be checked at the test platform.
The configuration of the test environment is shown in Figure 14.
Figure 14 Penetration testing environment
All the devices of the test targets are connected by a network switch. The corresponding internet protocol (IP) addresses are created by network address translation (NAT) on the switch. The Windows operating system and Elipspower Ver.4.5 Build 210 SCADA system software are installed on the SCADA client desktop computer. The IEDs tested are the GE T60, GE F650 and SEL 351. The network switch is a Moxa PT-7710.
The test software installed on the test platform includes Hercules SecDevice that is developed by Onward Security. Several security and vulnerability test tools and the packet recording application program are also installed.
Hercules SecDevice is a security assessment tool designed for connected products, and provides automated features from test environment configuration to security assessment. Test targets include web and wireless security. The content covers known and unknown security vulnerabilities, and the user-friendly design helps users get started quickly. Most common vulnerabilities listed in the OWASP TOP 10 and SANS TOP 25 are also covered. The Onward research team provides quick test project updates to ensure coverage of the latest security issues. The testing methods are shown in Table 3.
Table 3 Hercules SecDevice testing methods
7. Taipower TPC-ISAC Platform Development Use Case
7-1 Project Overview
With the development of Internet technology, network security threats to critical infrastructure have increased year by year. Based on its critical infrastructure security obligations, Taipower has cooperated with the government's top management to actively promote the national policy of "Cyber Security, National Security" and the "Fifth National Security Development Program (106-109) of the Executive Yuan". The Information Sharing and Analysis Center (ISAC) is built in tandem with the E-ISAC platform currently being built by the Ministry of Economic Affairs (MOEA). To build a security mechanism for emerging information technology, Taipower enhances the security management and continuous operation of critical infrastructure by strengthening the security protection of critical infrastructure through the analysis and sharing of security information.
7-1-1 Build Range
The system is built in the Taipower intranet, and any Taipower employee can apply for a TPC-ISAC platform member account to share information. The TPC-ISAC system is connected to the ISAC of the Ministry of Economic Affairs (E-ISAC) as shown in Figure 15.
Figure 15 E-ISAC platform architecture
7-1-2 System Functions
Figure 16 Information management process
The information content is described and packaged using CybOX and STIX, and data are exchanged through TAXII. Refer to Figure 17.
Figure 17 ISAC information format
Figure 18 ISAC three tiers architecture
7-2 Security Requirement
The Taipower TPC-ISAC service platform has the following security considerations:
7-2-1 Comply with the "Safety Software Development Life Cycle" Specification
According to the development needs, we write various standard development documents and conduct system threat analysis in the system design stage, and design appropriate security measures based on the analysis results to improve system security. This platform is based on the SSDLC process and focuses on the security requirements of the information system. Depending on the type of software, these include "Confidentiality", "Integrity", "Availability", "Authentication", "Authorization and Access Control", "Log", "Talk Management", "Error and Exception Handling", "Configuration Management", etc., which are used to check the security level of the system platform.
7-2-2 Platform System Vulnerability Scanning
Before the platform is launched, vulnerability scanning and source code detection are performed to ensure that the delivered application system has no backdoor or Trojan horse programs, and all issues are addressed before going online. For source code detection, this platform uses a white-box source detection tool to provide two security tests, one at the beginning stage and one after repair, and cooperates with professional security consultants to analyze the source code test results and provide improvement suggestions for the discovered security weaknesses. Program developers understand system application vulnerabilities and analyze their risk severity based on vulnerability scan reports, which effectively reduces the barriers and cognitive gaps in system application patching and improves the effectiveness of vulnerability patching.
7-2-3 The User Establishes an Audit Authorization System
When logging in to the platform, a high-privilege account needs to input a graphic verification code (CAPTCHA) and a one-time verification password (OTP) sent by the platform to the user's mobile phone as a second login credential in addition to the password. After the user logs in successfully, the default is the minimum privilege. If a higher privilege is needed, it must be authorized by the system administrator. The TPC-ISAC authorization system is shown in Figure 19.
Figure 19 TPC-ISAC authorization system
7-2-4 Data Backup
The platform automatically backs up the database file and application configuration files every day and conducts disaster recovery exercises to ensure that the backup mechanism works perfectly.
7-3 Cyber Threat Warning Mechanism
Threat lights are based on a variety of objective environmental factors and, after an evaluation and calculation procedure, show quantitative risk indicators of the potential threats to the underlying system. The primary purpose of the threat signal is to reflect the overall risk profile of system security with a simple and easy-to-understand indicator, so that the degree of risk can be seen at a glance and action taken. The platform's OT and IT threat rating is modeled on the US Department of Homeland Security's threat levels for physical security, terrorist attacks, and security threats. These threat lights are based on the threat level of terrorist or criminal activities, and set five threat levels: green light (low alert), blue light (start alert), yellow light (alarm alert), orange light (high alert), and red light (severe alert).
Referring to the definition of the lights above, when the platform encounters a security situation, it first needs to determine the scope and object of the threat, and secondly the source, scale, certainty, and level of the threat. It considers IT-related information security threat warnings, malware statistics, vulnerability databases, OT physical security, personnel security, and security incidents, based on various objective environmental factors. After specific evaluation and calculation procedures, the potential threats to the targeted IT and OT systems are quantified as risk indicators, showing the overall risk and threat status of system information/network security. The image-based security threat lights let viewers use easy-to-understand indicators to determine the degree of risk and take appropriate action accordingly. The threat light is illustrated in Figure 20.
Figure 20 ISAC threat light
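One way to turn the source, scale, certainty and level factors above into a five-level light for each of the IT and OT domains, added here as an illustration rather than the platform's own calculation; the score formula, the source reliability weights, the light thresholds and the sample threats are all constructed assumptions.

```python
from dataclasses import dataclass

# Five-level scale from the text, lowest to highest.
LIGHTS = ["green", "blue", "yellow", "orange", "red"]
# Assumed 0-100 score at which each light switches on.
THRESHOLDS = [0, 20, 40, 60, 80]
# Assumed reliability weight per information source (constructed).
SOURCE_WEIGHT = {"E-ISAC": 1.0, "internal-monitoring": 0.9,
                 "vendor-advisory": 0.8, "member-report": 0.6}


@dataclass
class Threat:
    domain: str        # "IT" or "OT"
    source: str        # who reported it (see SOURCE_WEIGHT)
    scale: int         # 1 (single host) .. 5 (whole domain), assumed scale
    certainty: float   # 0.0 .. 1.0
    level: int         # 1 .. 5 severity


def threat_score(threat):
    """Quantify one threat on a 0-100 scale (assumed formula)."""
    if not (1 <= threat.scale <= 5 and 1 <= threat.level <= 5
            and 0.0 <= threat.certainty <= 1.0):
        raise ValueError("threat attributes out of range")
    weight = SOURCE_WEIGHT.get(threat.source, 0.5)   # unknown sources get a low weight
    return 100.0 * (threat.level / 5) * (threat.scale / 5) * threat.certainty * weight


def domain_score(threats, domain):
    """Worst single threat plus a small share of the others, capped at 100."""
    scores = sorted((threat_score(t) for t in threats if t.domain == domain), reverse=True)
    if not scores:
        return 0.0
    return min(100.0, scores[0] + 0.1 * sum(scores[1:]))


def light_for(score):
    """Map a 0-100 score to the highest light whose threshold it reaches."""
    for light, threshold in zip(reversed(LIGHTS), reversed(THRESHOLDS)):
        if score >= threshold:
            return light
    return LIGHTS[0]


def threat_lights(threats):
    """Separate IT and OT lights, as the platform shows them."""
    return {domain: light_for(domain_score(threats, domain)) for domain in ("IT", "OT")}


# Constructed sample situation.
SAMPLE_THREATS = [
    Threat("IT", "E-ISAC", scale=3, certainty=0.9, level=4),
    Threat("IT", "member-report", scale=1, certainty=0.5, level=2),
    Threat("OT", "internal-monitoring", scale=5, certainty=0.7, level=5),
]

if __name__ == "__main__":
    print(threat_lights(SAMPLE_THREATS))
```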
In order to effectively achieve the sharing of security information, the Taipower TPC-ISAC platform needs to communicate effectively with other critical infrastructure members and the competent authority ISAC, such as regular meetings or questionnaires to obtain feedback to improve the sharing mechanism continuously.
In the past two years, the Executive Yuan has vigorously promoted the building of ISAC platforms by critical infrastructure units, considering non-technical aspects of security protection, adopting information sharing methods, and automatically sharing security threats and messages in various fields to achieve rapid integration of information. The purpose of sharing and practical application is to enhance the overall response and protection capabilities for security information and achieve the goal of cybersecurity.