1. Executive Summary
Cybersecurity is more critical than ever: an increasing number of smart devices are connected to the cyber world and the Internet of Things (IoT) keeps expanding, so security for all these connected devices is essential. Taipower has issued the "Information and Communication Security Promotes System" and the "Directions for Operations of Information and Communication Security" since 2001, obtained ISO 27001/BS 7799 security certification in 2004, and has kept the certification valid ever since.
In Smart Grid operation and management, the reliability of information and real-time communication networks plays a critical role. Cybersecurity threats to ICT (Information and Communication Technology) also affect the Smart Grid. Since cyber attacks on CII (Critical Infrastructure Information) are increasing, Taipower is developing the "Smart Grid Security Deployment Plan" with reference to IEC 62443, NIST SP 800 and "The Guideline of CII Cybersecurity Protection" issued by the Executive Yuan. The project is ongoing and is being improved continuously.
For the Advanced Meter Infrastructure (AMI) of the smart grid, the cybersecurity risk is higher because of its large number of devices, their wide geographic distribution and their remote locations. Therefore, we have to estimate the potential risk of the AMI devices as a whole. Based on the estimated result, we take protection steps for the physical devices, the network and the applications.
Taipower sticks to its promise to protect customers' private data. With the development of the smart grid, more data are generated as time goes by. Following the law and its commitments to customers, Taipower implements various protection methods to ensure that customers' private data and information are not leaked.
Cybersecurity information analysis and sharing are the core of the whole cybersecurity defense mechanism. In addition to strengthening its various cybersecurity capabilities, Taipower also acquires cybersecurity intelligence rapidly and in advance to increase its protection ability. Taipower has established an ISAC (Information Sharing and Analysis Center) to exchange intelligence with the government energy ISAC platform. By sharing cybersecurity information, we achieve the goal of joint defense and avoid potential security threats.
2. Promoting Cybersecurity History
With the rise of the Internet, Taipower has kept up with this trend. To prevent and avoid potential network security threats, Taipower has implemented firewalls, proxy servers, DMZs (Demilitarized Zones), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), antivirus software, and a Web Application Firewall (WAF). Taipower's application security is improved by using not only white-box testing in the software development process but also black-box testing before applications go live. In addition to Defense-in-Breadth, Taipower also uses Defense-in-Depth as part of the company's security architecture to keep the network safer.
With the rapid development and popularization of information and communication technology and the Internet, cybersecurity has become a critical issue for public safety and national security. Therefore, the Government promulgated the "Information Security Management Essentials of the Executive Yuan and its Organs" on September 15, 1999, and the "Management Specification of Information Security of the Executive Yuan and its Organs" on November 16, 1999. This was the starting point from which the government led its organizations to establish general security awareness and to carry out security protection mechanisms together.
On November 14, 2001, Taipower issued the "Information and Communication Security Promotes System" and the "Directions for Operations of Information and Communication Security" as the regulations for developing and applying information technology. Furthermore, Taipower established a task force that implements information and communication security plans and assists major departments in obtaining ISO 27001/BS 7799 security certification, and every department has established a corresponding task force. Since 2004, the related departments have obtained the security certification and work to keep it valid.
In order to strengthen the security and resilience of critical infrastructure, U.S. President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in 2013. Since then, the generally accepted term "Information and Communication Security" has been replaced with "Cybersecurity".
Many years ago Taipower set up a Security Operation Center (SOC) to effectively prevent hacker attacks and intrusions. The Government Information Sharing and Analysis Center (G-ISAC) was officially launched in November 2009; starting from the information exchanged on the G-ISAC platform, early warnings and solutions for cybersecurity are developed. The National Information Sharing and Analysis Center (N-ISAC) has officially operated since January 2018 to effectively manage and deliver interdisciplinary security information and to achieve the goal of horizontal collaboration in the joint defense of cybersecurity. Taipower is a member of both.
Cybersecurity covers a wide range of topics, including Information Technology (IT) and Operational Technology (OT). OT concerns the power generation, transmission and distribution facilities, which are kept operating normally by automation and computerization. Because Taipower is an essential part of the National Critical Infrastructure, the principle of physical isolation between IT and OT operations is strictly enforced in order to guarantee a stable electricity supply.
Taipower's cybersecurity activities include establishing and maintaining appropriate protection facilities, scheduled disaster recovery and incident response drills, and regular audits. With the development of information and communication technology and changes in Taiwan's regulatory requirements, such as the application of the smart grid and smart meters, the promulgation of the "Personal Information Protection Act" on December 30, 2015, and the promulgation of the "Cybersecurity Management Act" on December 21, 2011, the relevant cybersecurity practices are adjusted accordingly.
Recently, the Ministry of Economic Affairs issued the "Regulations of Cybersecurity Management of Specific Non-public Organizations under the Ministry of Economic Affairs". Under these regulations, the providers of National Critical Infrastructure are required to submit a "Cybersecurity Maintenance Plan" every year and to report its execution results in the following year. Taipower's "Cybersecurity Maintenance Plan" is being drawn up right now. The Ministry of Economic Affairs plans to select providers of National Critical Infrastructure for a yearly on-site audit, in which the execution results of the provider's "Cybersecurity Maintenance Plan" are audited.
On February 10, 2020, Taipower issued its "Cyber Security Maintenance Plan" after several rounds of cross-department discussions and meetings. Its content not only assesses the risk of the company's core business in detail but also plans the cybersecurity incident reporting mechanism and how the performance of its execution is managed. For OT cybersecurity, Taipower will follow the regulations issued by the Ministry of Economic Affairs, which will become the baseline of the ICT system cybersecurity rules within Taipower. According to these rules, Taipower keeps focusing on the cybersecurity defense mission of the power line infrastructure and smart grid development.
It is estimated that in 2020 the local smart grid distribution centers maintained by the power supply departments and the new generator equipment in power plants will have their cybersecurity level raised as their importance grows. To meet the cybersecurity regulatory requirements, Taipower plans to fulfill them, for example, by applying an ISMS within 2 years after a cybersecurity level is assigned and acquiring ISO 27001 certification within 3 years. Currently, the power substation department (Taichung) and the department of telecommunications passed ISO 27001 certification in 2019.
All of Taipower's protection practices aim to make sure that the information and communication facilities operate safely and that personal privacy is better protected. The most important thing is that the customers are satisfied with the services of Taipower and give positive feedback.
3. Smart Grid Security Deployment Plan
In line with government policies, Taipower aims to be a builder of smart grids. In addition to improving power generation performance, the company gradually improves power transmission and distribution efficiency. Taipower also drives power technology innovation by promoting automatic power distribution and the construction of power-loop supply. Planning and constructing a smart grid further increases the reliability of the power supply. During the construction of the smart grid, in addition to ensuring the security of the transmission and distribution network, it is essential to secure AMI data transmission, which falls within the scope of OT security. Taipower has built the system architecture of the smart grid based on international security standards (ISO/IEC 62443, NERC CIP and NIST SP 800-82) to ensure compliance with the security assurance levels.
The ISO/IEC 62443 standard defines a series of security requirements and groups them into four security levels. Except for the top level, which concerns national security, the other three levels are as follows: Security Level 1 (SL1) is designed to prevent accidental or incidental violations. Security Level 2 (SL2) contains the SL1 specifications and adds 23 extended specifications. Security Level 3 (SL3) contains the SL2 specifications and adds 30 extended specifications. In addition, the IEC 62443-3-3 specification defines approximately 37 general security requirements and provides comprehensive guidance for critical infrastructure equipment.
3-1 System Architecture
Based on the ISO/IEC 62443 standard mentioned above, the primary task of the security protection designed for Taipower's smart grid system architecture is to protect the integrity of the company's IT/OT assets and to manage risk by developing the company's cybersecurity policy. The steps of the system architecture design are described below:
I. Develop an Enterprise Security Policy
In the enterprise security policy, all devices connected to the network are reviewed in detail, the network topology of all connected devices is well designed, the device security configuration is checked regularly, and potential system vulnerabilities are evaluated. The cybersecurity policy has an impact on the on-site units, employees and company operations. Before any change to the operational procedures, it is necessary to re-examine whether the changed procedures still comply with the security policy. Otherwise, the system may be mistakenly assumed to be secure while potential attack possibilities go unnoticed.
II. Establish an Independent Network Segment
After developing the company's cybersecurity policy, the network is divided into segments by corporate headquarters, power plant, electric distribution field, and project site area. Security enhancements are deployed for those different network segments according to the cybersecurity policy.
III. Inter-network Connection Protection
In this step, the connection channels between the network segments are adequately protected. This part focuses on data transmission and remote connection protection. At the same time, the protection mechanism of ICS devices is strengthened to improve their ability to resist cyber attacks and to reduce the possibility of device damage in the event of a security incident.
IV. Monitoring Facilities and System Updates
In addition to detecting potential security breaches by actively monitoring network activity, it is essential to perform software updates and hardware replacement regularly to address the security issues caused by vulnerabilities. Security risk always exists, even when program-controlled equipment provides the function it is designed for. For example, if the system uses older program-controlled devices that lack some of the necessary security features, placing a firewall in front of the PLC can meet the protection requirements.
Taipower’s smart grid cybersecurity architecture includes five parts:
(1) The overall information system: in the enterprise's internal IT environment, all devices are connected through the firewall to the Internet. This area includes employee computers, databases and various devices such as printers and Wi-Fi, and other connections such as Virtual Private Network (VPN) connections are also protected by the firewall.
(2) Operation management system: for the SCADA/HMI devices, two sets of firewalls are used for physical network segmentation. The network is designed as an independent physical segment because the operations need to read data from the OT devices and then transmit the data to the IT/OT DMZ area. Therefore, the SCADA/HMI can simultaneously engage OT devices in different fields, collect the central data and then backhaul it to the IT/OT zone.
(3) On-site real-time monitoring: the firewall provides the overall security protection; the sensors, PLC control units, computer room and engineering areas are all separated by the firewall and its virtual network segment protection zones.
(4) Security Operation Center (SOC): in addition to monitoring each device and service, the SOC also releases security rules that instantly update the protection functions of each endpoint.
(5) TPC-Information Sharing and Analysis Center (TPC-ISAC): Taipower has founded an ISAC within the company to exchange security incident information with the SOC. TPC-ISAC also reports and updates the corresponding event information to the higher-level agency, N-ISAC.
Figure 1 The TPC-ISAC Architecture
For the IT/OT cybersecurity of the smart grid, there are three lines of cybersecurity defense and an information sharing mechanism.
The first line of defense: firewall or unidirectional gateway(data diode)
• Because the OT network may be connected to the Internet, industrial-grade firewall equipment is the first line of network segmentation and security protection.
• It prevents infection by malware such as ransomware and its spread to other OT fields.
• Unidirectional data transmission: data is transferred from the OT network to the IT network in one direction only, to avoid high-risk Internet packets or malware attacks.
The second line of defense: IDS
• Even with network segmentation, it is still possible for a hacker to penetrate the network and access the internal OT systems, so a passive intrusion detection mechanism (IDS) becomes the second line of defense.
• To evaluate the feasibility of an IDS in OT network operation, Taipower has set up a demonstration site for the smart grid network in Kinmen county, so that staff can immediately detect an abnormal status when the power plant or the IEC 61850 automated substation deviates from its baseline operation, when unauthorized equipment is plugged in, or when malicious network packets or data are detected; this lets staff accelerate event verification and remediation. It is estimated that by mid-2020 the whole system will be established and the SOC will monitor it as well.
• Besides the IDS demonstration site for the smart grid network in Kinmen county in 2020, Taipower will extend the scale of OT IDS in sequence to the power plant (Taichung), the power substation department (Taichung) and the power distribution department (Yunlin). Basically, the IDS provides the information asset inventory, network topology and Purdue model mapping that let the OT maintenance unit establish a baseline of normal operation, and the SOC will start monitoring it as well by the end of 2020.
Figure 1-2 Intrusion Detection Mechanism (IDS) as the second line of defense
The third line of defense: application white-list
• It is applied because it is difficult for OT equipment to maintain system updates such as virus patterns or service patches, which may affect system stability.
• The main idea is to maintain a white-list that allows only the designated applications or service components, such as new control workstations, HMI human-machine interfaces or program-controlled equipment, to operate.
• It works as the last line of defense and protects the system from implanted malware or virus infections that could damage system availability.
• In November 2019, we finished the research project on the Application Whitelist Mechanism; its function requirements will be applied to smart grid cybersecurity-related systems by reference to the project report.
• The Department of Power System Operations of Taipower has planned to update the EMS (Energy Maintain System) by applying the Application Whitelist Mechanism function requirements. Those function requirements satisfy the rules for the network firewall, network segmentation and IDS. In the EMS cybersecurity meeting, we shared the Application Whitelist Mechanism function requirements with the consulting company that is planning the EMS regulation rules, and they agreed to adopt them in this case to strengthen the cybersecurity of the new EMS. Along with the new EMS establishment schedule, we will keep emphasizing the importance of the Application Whitelist Mechanism function requirements.
Figure 1-3 EMS (Energy Maintain System) function requirement.
Cybersecurity Information Sharing
• Cybersecurity information sharing and analysis mechanisms are based on the characteristics of the Smart Grid: cross-regional, mixed (wired/wireless) network architectures, and 365-day, round-the-clock operation. External information sharing and internal real-time monitoring form the joint defense that enhances cybersecurity.
3-2 Overview of Key Function
In addition to the ISO/IEC 62443 standard, the company also takes into consideration the control measures for ICS security protection proposed by NIST SP 800-82, and enhances network and environmental protection based on Taiwan's cybersecurity protection benchmark. ICS includes SCADA, DCS, PLC, Programmable Automation Controllers (PAC), HMI and Instrumentation & Control (I&C). Taipower's smart grid security protection specifications are divided into 11 categories: "Industrial Control System Network Architecture", "Access Control", "Audit and Responsibility", "Contingency Planning", "Identification and Authentication", "System and Communication Protection", "System and Service Acquisition", "Physical Protection", "System and Information Integrity", "Configuration Management" and "Organization Management"; they emphasize the integrity of ICS-related systems and the availability of data.
1) ICS Network Architecture
The industrial control system network is most vulnerable at the boundary between the ICS network and the IT network. Given the differences between the industrial control system and the IT network, the ICS network architecture should be planned and its boundary protection enhanced according to its characteristics.
Due to business operation requirements, ICS data must be accessed and monitored through the Internet and via IT devices. Once the two heterogeneous systems are connected, each increases the security threats and hidden dangers of the other if there is no appropriate protection mechanism. For these reasons, the company has set up a firewall separating the different network segments:
- Demilitarized Zone (DMZ)
The DMZ is set up between the internal IT network and the ICS control network. The data in this zone, such as a historical database, must be available to both network segments. The design keeps equipment or machines in the two network segments from directly accessing each other, thus reducing the risk of industrial control systems being attacked.
The firewall must be able to filter two or more network protocols, such as HTTP and Modbus, and it must be able to control the connections among the ICS control network, the DMZ and the internal network.
The boundary protection device controls and filters the traffic of the ICS control network.
2) Access Control
In the ICS field, there are security weaknesses such as low password complexity, remote connections to the system for remote maintenance or control management, and excessive system authorization. As a result, user account management, restricted remote access, access control for wireless network facilities, and prevention of unauthorized access are the primary concerns. It mainly focuses on the following subjects:
- Account Management
- Remote Access
- Least Privilege
- Wireless Management
3) Audit and Accountability
When an industrial control system has a security incident, it is nearly impossible to handle it if details are missing, which may lead to repeated occurrences of similar security incidents. For this reason, relevant recommendations and information are collected for audit. Most industrial control systems do not support an auditing function or auditing tools. However, a system that is to be accountable has to provide audit events, audit record contents, audit storage capacity and audit failure processing time to meet the audit requirements. It mainly focuses on the following items:
- Audit Events
- Content of Audit Records
- Audit Storage Capacity
- Response to Audit Processing Failures
- Time Stamps
- Protection of Audit Information
4) Contingency Planning
Industrial control systems have fixed-position physical components. When a component suddenly fails, the service it provides can be interrupted if there is no immediate replacement or backup solution. At this point, the organization should initiate the emergency response plan to recover operations. It mainly focuses on the following items:
- Contingency Plan
- Safe Mode
- Control system backup
- ICS-specific characteristics
5) Identification and Authentication
Authentication matters because industrial control systems often have security issues such as unauthorized access by users, or multiple people sharing a single set of system accounts. When establishing identification and its corresponding protection measures, it is necessary to consider whether the countermeasure affects system performance, and then adjust the security solution to the target environment. The scope of the identification and authentication system includes users, devices and authenticator feedback. It mainly focuses on the following items:
- Organizational Users Identification and Authentication
- Device Identification and Authentication
- Authenticator Management
- Authenticator Feedback
6) System and Communications Protection
There are common vulnerabilities in ICS environments, such as plain-text transmission, lack of integrity checks and missing configuration backups. Taking system performance and availability into account, communication protection requires the confidentiality and integrity of data in transmission and in storage, adjusted to the target environment. It mainly includes the following items:
- Transmission Confidentiality and Integrity
- Protection of Data storage
7) System and Services Acquisition
Cyber threats may be caused by incomplete provisions from external service providers. The scope of cyber defense includes external system services and the corresponding documentation.
- External System Services
- System Documentation
8) Physical and Environmental Protection
Common ICS security threats in the physical environment include lack of backup power, lack of temperature and humidity control, and uncontrolled physical access by people. Therefore, guidance should be provided for physical access authorization, physical access control, physical access monitoring, emergency power, temperature and humidity control, water damage protection, and access by third parties and escorted visitors. The main focuses are listed below.
- Physical Access Authorizations
- Physical Access Control
- Monitoring Physical Access
- Emergency Power
- Temperature and Humidity Control
9) System and Information Integrity
ICS systems typically lack security countermeasures such as malware protection, bug fixes, updates and system monitoring. Consequently, the ICS is exposed to cyber threats when it connects to the Internet. Therefore, bug fixes, malware protection, system monitoring and protection against predictable faults are proposed to improve both system and information integrity. Its main focuses are:
- Flaw Remediation
- Malicious Code Protection
- System Monitoring
- Fault Tolerance
10) Configuration Management
Common security vulnerabilities include insufficient control over configuration changes and over system administration authority. The main items are listed below.
- Configuration Change Control
- Least Functionality
11) Organization Management
Common organizational management weaknesses in the ICS domain include lack of security-awareness training, inadequate management plans and incomplete security procedures. This control category provides recommendations for outsourcing management, personnel management, risk management and incident response at the business management level. Its main focuses are the following items:
- Outsourcing Management
- Personnel Management
- Risk Management
- Incident Response
3-3 Cyber Threat Monitoring and Analysis (Security Operation Center, SOC)
3-3-1 Functional Architecture
At present, the SOC monitoring center of Taipower collects the logs from each security device through the front-end log collector (FSA) and then sends them to the Security Information and Event Management (SIEM) system for real-time monitoring.
Figure 2 The monitoring architecture schematic
3-3-2 Monitor Scope
We collect logs from device types including mainly firewalls, WAFs, intrusion detection systems (IDS), various servers, routers, and so on. The list of quantities is as follows:
3-3-3 Rules Design
The basis of rule development is the judgment of the front-end devices that monitor attacker behavior. In addition to accurate and in-depth analysis of the results obtained from a single device, for subtle or high-risk attack patterns the SOC uses active learning with automatic analysis mechanisms to correlate logs from multiple device sources and discover hidden threats. In the meantime, it provides a 7x24 non-stop active detection mechanism and an alert service that helps block the connection behavior at the first moment to minimize the possible damage.
Table 1 Notification type description list
3-3-4 Concept of Rules
The rules are designed according to the attack methodology, the level of impact and the type of security device. The concept used to identify each attack type is described as follows.
(1) Denial-of-Service attack: a large number of continuous external connections to internal hosts in a short period. In addition, the same port across different hosts, or different ports on the same host, can be distinguished as Port Sweep or Port Scan behavior respectively. The SIEM platform develops the rules and leverages the front-end security devices to detect this kind of attack.
(2) Virus/Worm: this type of attack is usually launched from malicious intra-network neighbors that use specific NetBIOS protocols to transmit malware. Therefore, the rule focuses on those specific transmission ports and correlates the alerts derived from anti-virus or APT (Advanced Persistent Threat) tools to discover this attack.
(3) Abnormal network behavior: not all unusual network connection behaviors are malicious. Some of them may be caused by users violating the corporate security policy or by system misconfiguration. The rule should be designed more carefully and take the various factors into account; for example, streaming audio may be judged differently by two separate units with different network policies.
(4) Intrusion attack: compared with abnormal network behavior, the alert is usually generated by security devices instead of by end users. The front-end security devices can examine the transmitted network packets and identify malicious connections, such as attempts to exploit system vulnerabilities or misconfiguration. The rule design is clearly explained, and the alert is generated with details such as the event name and CVE number.
A real-time rule is one that has been well designed, tested and debugged before go-live. However, intrusion methodologies are sophisticated, and there are always 0-day attacks on the Internet, so the SOC has to pay attention to the latest announcements and never stop fine-tuning the real-time rules. All developed rules are considered foundation building blocks that can be used to design the next generation of monitoring rules. In the meantime, the SOC continuously collects information on security incidents and profiles their attack methodology to enhance its defense coverage. Optimizing the existing rules is also essential to increase accuracy and thus avoid excessive false alarms.
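To make the rule concepts concrete, here is an added Python example (not Taipower's SIEM rules) that runs the Port Scan, Port Sweep and short-period connection burst checks over constructed firewall log lines; the log format, the 60-second window and the thresholds in RULES are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall connection logs (not real Taipower data):
# "<ISO time> <source IP> <destination IP> <destination port>"
SAMPLE_LOGS = [
    # Port Scan: one external source probes 12 different ports on one internal host
    *[f"2020-03-01T10:00:{i:02d} 203.0.113.5 10.1.1.20 {20 + i}" for i in range(12)],
    # Port Sweep: one source hits the same port (445) on 12 different internal hosts
    *[f"2020-03-01T10:05:{i:02d} 198.51.100.9 10.1.2.{i + 1} 445" for i in range(12)],
    # Normal traffic: two connections to one service, far apart in time
    "2020-03-01T11:00:00 192.0.2.7 10.1.1.30 443",
    "2020-03-01T11:20:00 192.0.2.7 10.1.1.30 443",
]

# Thresholds are assumptions for illustration; a real SOC tunes them per device and site
RULES = {
    "window": timedelta(seconds=60),  # correlation window per source address
    "scan_ports": 10,    # distinct ports on one host within the window  -> Port Scan
    "sweep_hosts": 10,   # distinct hosts on one port within the window  -> Port Sweep
    "flood_conns": 50,   # connections to one host within the window     -> DoS candidate
}


def parse_line(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}


def correlate(lines, rules=RULES):
    """Run the three rules over the log lines.

    Returns a list of (rule_name, source, key) alerts in the order they first fire;
    an alert for the same (rule, source, key) is emitted only once.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # source address -> its events inside the window
    alerts, fired = [], set()
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        # slide the window: drop events older than the configured window
        while ev["ts"] - q[0]["ts"] > rules["window"]:
            q.popleft()
        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        conns_by_host = defaultdict(int)
        for e in q:
            ports_by_host[e["dst"]].add(e["dport"])
            hosts_by_port[e["dport"]].add(e["dst"])
            conns_by_host[e["dst"]] += 1
        candidates = []
        # different ports on the same host -> Port Scan
        candidates += [("port_scan", ev["src"], h) for h, p in ports_by_host.items()
                       if len(p) >= rules["scan_ports"]]
        # the same port on different hosts -> Port Sweep
        candidates += [("port_sweep", ev["src"], p) for p, h in hosts_by_port.items()
                       if len(h) >= rules["sweep_hosts"]]
        # many connections to one host in a short period -> DoS candidate
        candidates += [("dos_flood", ev["src"], h) for h, n in conns_by_host.items()
                       if n >= rules["flood_conns"]]
        for c in candidates:
            if c not in fired:
                fired.add(c)
                alerts.append(c)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Because the window slides per source address, the two normal connections twenty minutes apart never accumulate, which is the kind of false-alarm control the rule optimization above is about.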
4. The Security Deployment Project of AMI
4-1 Project Overview
Advanced Meter Infrastructure (hereinafter referred to as AMI) is one of Taipower's smart grid constructions. The whole system is composed of modular intelligent electronic meters with computing and storage capabilities (hereinafter referred to as smart meters), communication systems for data transmission (hereinafter referred to as communication systems), and the Meter Data Management System (hereinafter referred to as the MDMS system) responsible for managing, storing, verifying and analyzing huge volumes of meter data (Figure 3).
Figure 3 The system architecture of AMI in Taipower
In Taiwan, smart meters for high-voltage users (above 11.4 kV) were completely installed in 2013, covering more than 24,000 users. For low-voltage users, Taipower had installed smart meters in 200,000 households by the end of 2018 and will reach the goal of 3 million households by the end of 2024. The planning, implementation and management of AMI security protection are described below.
4-2 Risk Assessment
For the security evaluation of the AMI system, Taipower has conducted a risk assessment on the use cases. Each use case was reviewed from a high-level, overall functional perspective, which includes asset identification, vulnerabilities, threats and the specification of potential impacts. The output was used as the baseline for selecting security requirements and for identifying gaps in the guidance and standards related to those requirements.
The risk assessment focuses on how meter data are handled through the AMI system end to end, from the smart meter to the MDMS system. Both bottom-up and top-down approaches were used in performing the risk assessment. The bottom-up approach focused on well-understood problems that need to be addressed, such as authenticating and authorizing users or devices to access the meter data, key management for meters, and intrusion detection for the MDMS system. In the top-down approach, logical interface diagrams were developed for the three functional areas (smart meter, AMI communication system, MDMS system) that are the major components of the AMI system. From the functional perspective, each diagram is reviewed to determine how the security measures shall be applied.
Taipower uses the methodology described above to evaluate the appropriate security measures that can be applied to the three major components of the AMI system. Detailed measures are described in Sec. 4-3.
4-3 Security Architecture of AMI
4-3-1 Smart Meter Security Protection Measures
The cover of the smart meter has a seal point for a seal lock, which protects the confidentiality of the meter data by preventing the meter from being opened illegally (Figure 4). From outside the smart meter, data can only be transferred through the optical communication port, which is designed according to the national standard CNS 15593.
Figure 4 The Smart Meter Body Structure
In the smart meter acceptance test, Taipower performs data reading and transmission tests to ensure the integrity and availability of meter data transmission. If opening of the external cover of the smart meter is detected, the smart meter immediately generates a "meter cover open" warning message and sends it through the communication system to the back-end system, so that Taipower personnel can handle the event properly. The "meter cover open" warning can only be reset through the back-end system or by using a handheld device to send the reset instruction through the optical communication port. If the whole smart meter is removed, the meter can still use its internal backup power to return a "power outage" message to the back-end system when it loses power; and since removing the entire smart meter cuts the household's power, the customer will also report to the Taipower customer service system. This dual reporting mechanism allows Taipower personnel to handle the abnormal event in time.
Smart meters are designed in accordance with the IEC 62056 standard, with a sound data transmission and confirmation mechanism to ensure the integrity of meter data. Internal firmware, data, and transmission operations are encrypted with high-strength key technology in accordance with NISTIR 7628 (Guidelines for Smart Grid Cybersecurity). The smart meter uses a different encryption key for the field area network (FAN, connected to the AMI communication system), the home area network (HAN, connected to the Home Energy Management System), and the local side; any read or write to the meter must use the correct key for that interface, otherwise the meter does not respond, which protects the confidentiality of the meter software as a whole. The optical communication port has a threshold on consecutive retries: after a certain number of failed accesses, the internal security mechanism stops responding, so that brute-force attacks are not feasible and the availability of the meter system data is preserved. The smart meter also has a software security gateway that performs firewall, flow control, and log storage functions for the FAN and HAN connections respectively.
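The per-interface key check and the retry threshold described above can be illustrated with the following simulation. It is an added example and not code from Taipower's meter firmware: it assumes three provisioned keys (FAN, HAN, LOCAL), uses an HMAC-SHA256 challenge/response in place of the meter's actual IEC 62056 security suite so that it runs with the standard library alone, and uses an assumed threshold of failed attempts after which the port stays silent until the back-end clears it.

```python
"""Per-interface keys and a retry threshold, as a simulated meter access guard.
Added example for illustration; not Taipower meter firmware. HMAC-SHA256 over a
nonce stands in for the meter's IEC 62056 (DLMS/COSEM) authenticated access."""
import hashlib
import hmac
import secrets


class MeterAccessGuard:
    """Meter side: one key per interface; a wrong key or a missing challenge gets no reply."""

    def __init__(self, keys: dict, max_failures: int = 5):
        # keys: {"FAN": ..., "HAN": ..., "LOCAL": ...}, assumed to be provisioned by the
        # utility's key management and not derivable from one another
        self.keys = dict(keys)
        self.max_failures = max_failures          # retry threshold (assumed value)
        self.failures = {name: 0 for name in keys}
        self.pending = {}                         # interface -> outstanding nonce

    def locked(self, interface: str) -> bool:
        return self.failures[interface] >= self.max_failures

    def challenge(self, interface: str):
        """Issue a fresh nonce, or stay silent (None) once the threshold is reached."""
        if interface not in self.keys or self.locked(interface):
            return None
        nonce = secrets.token_bytes(16)
        self.pending[interface] = nonce
        return nonce

    @staticmethod
    def respond(key: bytes, nonce: bytes, command: bytes) -> bytes:
        """Client side (head-end, HEMS or handheld): prove possession of the interface key."""
        return hmac.new(key, nonce + command, hashlib.sha256).digest()

    def execute(self, interface: str, command: bytes, tag: bytes):
        """Run the command only if the tag was computed with this interface's key over
        the nonce we issued; every other case is answered with silence (None)."""
        nonce = self.pending.pop(interface, None)  # a nonce is usable exactly once
        if nonce is None or self.locked(interface):
            return None
        expected = self.respond(self.keys[interface], nonce, command)
        if not hmac.compare_digest(expected, tag):
            self.failures[interface] += 1          # count toward the threshold
            return None
        self.failures[interface] = 0
        return b"OK:" + command

    def reset_lockout(self, interface: str) -> None:
        """Only the back-end system (or an authorized handheld) clears the counter."""
        self.failures[interface] = 0
```

Note that a HAN key presented on the LOCAL (optical) port is rejected like any wrong key, that each failed attempt on a port counts toward that port's threshold only, and that a locked port does not even issue a challenge, which is the "non-response" behaviour the text describes.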
4-3-2 Communication System Security Protection Measures
Meter data from the smart meter side are transmitted mainly over the telecommunications carrier's network and reach the Taipower Information Center over fiber-optic lines. VPN tunnels separate this traffic from the general public Internet as part of the AMI communication system security planning.
The security protection features of the AMI communication system are as follows:
1) It shall have security monitoring and incident or alarm reporting to protect the network.
2) Every part of the transmission path in the communication system shall provide confidentiality, integrity (including data integrity and an ACK mechanism), and reliability for secure two-way communication, to ensure the security of end-to-end communications.
3) The encryption mechanism between devices shall be at least AES-128 or stronger, or otherwise compliant with the NIST SP 800-131A specification.
4) The communication system shall have encryption key management, encrypted storage of data, software/firmware management, remote disconnect, network equipment management, and a backup system.
5) Communication equipment shall support remote maintenance and shall have permission and password management controls to prevent operation by unauthorized personnel.
6) It shall be able to protect against DDoS and man-in-the-middle attacks.
4-3-3 MDMS System Security Protection Measures
The MDMS system plays the role of AMI data gatekeeper. Taipower has applied high security standards when planning its security measures, in accordance with the regulations issued by the Executive Yuan of the ROC government, namely the "Information System Classification and Security Protection Baseline Operation Provisions", the "Secure Software Development Process Guidelines", "The Development of RFP Security Requirements Template for Information System Outsourcing", and the other requirements with which a high-security system shall comply. The following describes the implementation of the relevant measures in the order of network boundary protection, internal network protection, host protection, application protection, and data protection.
I. Network Boundary Protection
From the network perspective, the external connections of the MDMS system to the AMI communication system and to the Intranet are equipped with a next-generation firewall and an Intrusion Detection and Prevention System (IDPS), in order to monitor incoming and outgoing traffic and network services in real time and to prevent malicious access or denial-of-service (DoS) attacks. If data transmission with the power system control system (OT system) is necessary, the MDMS system shall use a one-way data diode to establish the connection, achieving the requirement of physical isolation and blocking the majority of intrusions and malicious attacks that rely on two-way communication. The MDMS system client provides only general transaction functions; development and maintenance operations (such as program version updates, system management, and other system maintenance operations) must be performed through a monitored Virtual Desktop Infrastructure (VDI) to reduce the likelihood of data leakage. The firewall, IDPS, one-way data diode, and VDI used in the MDMS system are certified by international authorities (such as Common Criteria EAL, FIPS 140-2, or NSS Labs) (Figure 5).
Figure 5 The MDMS system network boundary protection
II. Internal Network Protection
For data transmission within the internal network, the MDMS system uses the secure communication protocol TLS (SSL/TLS) throughout and follows the NIST SP 800-57 recommendations for key management when building the internal network protection, preventing spoofing and man-in-the-middle attacks. A public key infrastructure (PKI) is implemented, including the management of certificate application, issuance, renewal, and revocation, and a hardware security module is used to generate the relevant private keys, which raises the security level.
To mitigate the impact of network attacks or intrusions on the entire system, the internal network of the MDMS system is partitioned by function, and the application access network and the system management network are physically separated. This isolation effectively limits the area that can be infected and also helps services to be recovered quickly after an infection is removed. The MDMS system has a security information and event management system (SIEM) and a network management system (NMS) that collect logs and events from hardware, software, equipment, custom programs, and other data sources, perform big-data analysis to detect malicious behaviour in real time, and drive an automation mechanism that adjusts configurations in time, so that advanced persistent threats (APT) and other malicious activity can be detected effectively and compromised devices isolated automatically.
III. Host Protection
The MDMS system uses host redundancy to ensure high availability. The hosts are built on a software-defined data center (SDDC) architecture that provides a highly elastic infrastructure able to expand (or shrink) capacity automatically, and all equipment is deployed in a high-availability configuration to avoid any single point of failure. The physical and virtual hosts of the MDMS system use an active endpoint protection scheme to protect the system from APT and ransomware intrusion. In addition, the MDMS system regularly applies security patches to all system software and firmware, and every year entrusts a professional team with black-box tests, such as vulnerability scanning for vulnerability assessment and penetration testing, in order to review and strengthen the various security measures on a regular basis.
IV. Application Protection
The MDMS system uses a full identity and access management (IAM) scheme to improve the security management of user authentication and authorization. In the human-machine interface, account passwords are combined with two-factor authentication; application programming interface (API) access is controlled by an API key or access token; and the mechanism is implemented through mainstream federated single sign-on protocols such as SAML 2.0 and OAuth 2.0, to enhance application access security and reduce the risk of account password theft. The MDMS system synchronizes user position data with Taipower's human resource information system, and automatically disables or removes a user account whenever the user's position changes, the user is suspended, or the user resigns or retires.
V. Data Protection
For sensitive data, the MDMS system first de-identifies (or encrypts) the data and then stores it. Depending on the authorization rule, users obtain the restored data, partially masked data, or de-identified data. The backup principle of the MDMS system is to retain at least three generations; the recovery point objective (RPO) allows the loss of at most 1 hour of data after a failover, and the recovery time objective (RTO) is 15 minutes (inclusive) after the failure, within which the redundant host shall complete the take-over. A disaster recovery exercise and review are performed every year to ensure the effectiveness of business continuity management (BCM).
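The three kinds of output (restored, partially masked, de-identified) can be shown with an added example; it is not MDMS code. The customer record, the role names, the masking rules and the pseudonymization key are constructed for illustration; in a real deployment the key comes from the key store and the masking rules from the data classification.

```python
"""Three views of one customer record by role: restored, partially masked, de-identified.
Added example, not MDMS code; record, roles, rules and key are constructed."""
import hashlib
import hmac

# Assumption: in production this key lives in the key store/HSM, never in source.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

# Constructed sample record (not real customer data).
SAMPLE_RECORD = {
    "meter_id": "TPC-000123",
    "name": "王小明",
    "phone": "0912345678",
    "address": "台北市中正區羅斯福路三段242號",
    "kwh_15min": [0.41, 0.38, 0.52, 0.47],
}

# Which view each role receives (assumed role names).
ROLE_VIEW = {"billing": "restored", "customer_service": "partial", "analytics": "deidentified"}


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: a stable join key for analytics that cannot be rebuilt without the
    key. A plain SHA-256 of a predictable meter id could be reversed by enumerating
    the id space, which is why the hash is keyed."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_phone(phone: str) -> str:
    # keep the prefix and the last three digits: 0912345678 -> 0912***678
    return phone[:4] + "*" * (len(phone) - 7) + phone[-3:]


def mask_address(address: str) -> str:
    # keep city and district (first 6 characters; a constructed rule for this format)
    return address[:6] + "***"


def mask_name(name: str) -> str:
    return name[0] + "○" * (len(name) - 1)


def project(record: dict, role: str) -> dict:
    """Return the view the role is authorized for; unknown roles get nothing."""
    view = ROLE_VIEW.get(role)
    if view is None:
        raise PermissionError(f"role {role!r} has no authorized view")
    if view == "restored":
        return dict(record)
    if view == "partial":
        return {
            **record,
            "name": mask_name(record["name"]),
            "phone": mask_phone(record["phone"]),
            "address": mask_address(record["address"]),
        }
    # de-identified: direct identifiers dropped, meter id replaced by a pseudonym
    return {"meter_pid": pseudonymize(record["meter_id"]), "kwh_15min": list(record["kwh_15min"])}
```

The de-identified view keeps the interval data joinable across exports through the pseudonym, and rotating PSEUDONYM_KEY severs that link when a data set is retired; the partial view is what a service agent needs to confirm identity on a call without seeing the full record.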
In addition to the security measures described above, Taipower also builds the management mechanisms that ensure the AMI security measures are applied effectively, including computer room security management, personnel security management, AMI meter key management, and management of the handheld devices used to program meters. The MDMS system also follows the company's "Security Incident Emergency Response Plan and Operation Processing Procedures" for event classification, notification channels, and so on.
In the future, Taipower will continuously review technical and regulatory developments in the AMI domain to ensure that the high-level security requirements of the AMI system are improved in a timely manner.
5. Customer Privacy and Data Security
5.1 Commitment to Maintain Customer Data Security
Taipower has established policies, controls, and procedures to protect every customer's personally identifiable information and energy usage data. To maintain customer data security, the high-level data protection and privacy strategy covers the Smart Grid, since new types of data, such as 15-minute usage readings from the meter and billing information summaries, are generated and made available to customers.
Based on Taipower's information security management system (ISMS) and the Taiwan government's information security requirements, six layers, namely business process, application system, database management system, operating system, network environment, and physical environment, must be strengthened in the areas of information security strategy, policy, management, deployment, monitoring, and system development, in order to meet the standard for protecting customer data and privacy.
Moreover, under Taipower's regulations, all customer data in every application system must be classified into groups so that the life cycle of sensitive data can be distinguished. According to the data access security management procedure, different roles, duties, and levels of importance are assigned to users with different access rights, in order to design effective access control principles for sensitive information. Application systems designed top-down must build in access control from the start: role authentication, the design of system function access rights, tracking records of sensitive data usage, and other non-business tasks are essential security requirements and must all be included in the evaluation.
5-1-1 Collection and Application of Customer Data
Personal information that Taipower collects:
• Street addresses
• Telephone numbers
• Email addresses
• Account numbers (including utility account numbers, credit card numbers, bank account numbers)
• Meter identifier and meter interval/electricity use data that are released in combination with any information included in items above
Taipower uses personal information to:
• Establish and provide ongoing service
• Communicate with customers
• Verify identity and protect against error or fraud
• Manage invoicing and customer services
• Monitor customer satisfaction with our programs and services
• Provide aggregate information for government agencies & open data
• Comply with legal and regulatory requirements
• Tailor recommendations that help customers save energy
• Administer our websites
• Gather management information to form statistical and trend analysis
• Open data
5-1-2 The Policy of Security that Taipower Obeys
I. Taipower ISMS Policy
Taipower actively uses information technology to strengthen the operational management of the company so that it can grow and operate in a stable and secure environment. Taipower therefore establishes a comprehensive ISMS mechanism to implement the idea that "ISMS is Everyone's Responsibility", and this policy is set to ensure the integrity, confidentiality, availability, and legality of critical information assets and information infrastructure.
(1) Information assets and key information infrastructures should be regularly enumerated, classified and graded. Risk assessment should be conducted for important information assets and key information infrastructure, and appropriate protective measures should be implemented accordingly.
(2) The act of collecting, processing and using customer data should conform to the "Personal Data Protection Act".
(3) Unit heads shall pay attention to the confidentiality, identification, and control of sensitive information; shall bear responsibility for monitoring, enforcing, and auditing compliance with the security policies, regulations, and standards that the work must follow; and shall ensure they are implemented in the routine work of all units and staff.
(4) Complete notification and contingency measures are required for ISMS incidents, and regular security exercises are held to ensure the continued operation of the business.
(5) All employees should fully understand the purpose and responsibilities of the ISMS policy.
(6) The effectiveness of the security management system shall be reviewed regularly.
(7) This policy and related operating practices should be appropriately revised based on business changes, information technology development, and risk assessment results.
• Scope of application
All employees who use the company's information assets and key information infrastructure, as well as supplementary workers, shall comply with this policy.
Taipower's ISMS Policy is implemented in accordance with the "ISMS Implementation", "ISMS Operational Manual", "ISMS Safety Teaching Manual", "ISMS Internal Auditing Operation Key Points", "ISMS Emergency Response Plan and Operation Processing", "Personal Data Protection Management Key Points", and "Personal Data File Security Maintenance Plan and Personal Data Processing Method after Business Termination".
II. Privacy Protection Statement
• The website collects personal data from users in compliance with Taiwan's Personal Data Protection Act. Without the user's consent, the website does not collect the user's personal data.
• The website automatically records the pages requested by users and the addresses of visitors, and uses this information as the basis for system improvement and for evaluating policy announcements. The information is used only for statistical analysis and does not involve users' personal data.
• When a user browses the Taipower website, the website places a cookie (a small descriptive text file) on the user's personal computer or smart device. The cookie does not contain enough information to identify the user personally; it records the personal settings and other information that the user configures on this page. The Taipower web server can read only the activity record of the user's cookie for this website, not the user's activity on other websites.
• This privacy protection statement takes effect immediately. In response to changes in the social environment, laws and regulations, and advances in technology, Taipower reserves the right to modify this statement and will update and announce changes as soon as possible.
III. Security policy
• Network Security Measure
To protect this website and to ensure that the service is available to all Internet users, the website has taken the following security measures:
(1) A network intrusion detection system monitors network traffic and captures any unauthorized attempt to upload, change, or destroy website content.
(2) Firewalls prevent unauthorized intrusion, destruction, or theft of information, protecting the website from illegal access and protecting the rights of website users.
(3) Anti-virus software is installed, and the system is scanned for viruses periodically to provide a safe browsing environment.
(4) Simulated hacking attacks against the website are carried out on an irregular schedule to test the system recovery process for a real security breach and to maintain a proper level of protection.
(5) Daily data backups copy all data to the redundant server every day.
(6) Recommendations in notices from system and software vendors are acted upon, with proper action taken such as installing the latest security patches.
• User Privacy Protection Measures
Customers are taught to keep their passwords and other personal information out of anyone else's reach and never to give personal information, especially a password, to anyone else. After finishing online registration, reading e-mail, or any administrative function, users must remember to log out. If they share a computer with anyone else or use a public computer, they must close the browser after completing their tasks, to prevent other users of the computer from accessing their personal information or e-mail, or entering the administrative area of the website.
• Revision of the Security Policy
To fulfil our objective of providing customers the best network security, Taipower will improve the security measures on its website to adapt to technological advances, revisions of related regulations, and unforeseeable environmental changes. Any change to the security measures will be announced on the website immediately with bold headlines to capture customers' attention.
• Security Measures Q&A
If customers have any questions concerning the network security measures, Taipower provides a website through which they can contact us at any time.
5.2 Data Protection Best Practices in Taipower
5-2-1 Firewalls and Up-to-Date Software
A firewall is employed to keep intruders out and sensitive data in. Keeping security software, web browsers, and operating systems up to date is the best defence against viruses, malware, and other online threats; in accordance with our policy, software programs connect and update automatically to defend against known risks.
5-2-2 Implementing a Robust ISMS Awareness Program for Employees
Employees are often the handlers of customer data, so they need to be kept up to date on how to protect that information and make sure it does not accidentally land in the wrong hands. Our employees are periodically educated about the newest attack and defence techniques and urged to follow best practices, such as not responding to unsolicited e-mail messages and not opening their attachments or clicking suspicious links in them.
5-2-3 White-box Testing
Web applications are at the centre of our business innovation and provide services to our customers, but they are also the primary attack vector for malicious individuals seeking to breach the organization's defences. Because application security must be a priority, we use white-box testing to find common and potential vulnerabilities, such as SQL injection, in applications.
5-2-4 Database Activity Monitoring
We follow reasonable security measures to ensure that customers' and employees' personal information is protected from inappropriate and unauthorized access. Database activity monitoring tools identify and report a database's activities; we use this real-time security technology to monitor and analyse the configured activities independently, without relying on the DBMS's own auditing or logs.
While a wide range of useful information is accessible through the web, outside access to data is controlled through authentication, authorization, and audit mechanisms, such as dbAegis (database activity monitoring) (Figure 6).
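The policy stage of database activity monitoring can be shown with an added example that is not dbAegis and does not reproduce its rule set: constructed query events, of the kind a DAM sensor produces from captured traffic, are evaluated against table allow-lists, a bulk-read threshold, and restrictions on when and from where DBA accounts may touch sensitive tables. All table, account, host and threshold values are assumptions of the example.

```python
"""Database activity monitoring rules evaluated over constructed query events.
Added example, not dbAegis. Each observed statement is checked against table
allow-lists, a bulk-read threshold, DBA source/time restrictions, and privilege or
schema changes issued by application accounts."""
import re
from datetime import datetime

# Sensitive tables and the principals allowed to touch them (assumed names).
SENSITIVE_TABLES = {
    "CUSTOMER": {"app_billing", "app_crm"},
    "METER_READING": {"app_mdms", "app_billing"},
}
BULK_ROWS = 10_000                 # assumed threshold for a single statement
DBA_ACCOUNTS = {"dba_admin"}
JUMP_HOSTS = {"10.10.0.5"}         # assumed: the only source allowed for DBA sessions
BUSINESS_HOURS = range(8, 19)      # 08:00-18:59 local time

# table names after FROM/JOIN/INTO/UPDATE/TABLE/ON (ON also catches GRANT ... ON <table>)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE|ON)\s+([A-Z_][A-Z0-9_]*)", re.I)
DDL_DCL_RE = re.compile(r"^\s*(?:GRANT|REVOKE|ALTER|DROP|CREATE)\b", re.I)


def tables_in(sql: str) -> set:
    return {t.upper() for t in TABLE_RE.findall(sql)}


def evaluate(event: dict) -> list:
    """Return the alert codes raised by one observed statement (empty list: no finding)."""
    alerts = []
    user, src, sql = event["user"], event["src"], event["sql"]
    hour = datetime.fromisoformat(event["ts"]).hour
    touched = tables_in(sql) & set(SENSITIVE_TABLES)

    for table in sorted(touched):
        if user not in SENSITIVE_TABLES[table] and user not in DBA_ACCOUNTS:
            alerts.append(f"UNAUTHORIZED_PRINCIPAL:{table}")
    if touched and event.get("rows", 0) >= BULK_ROWS:
        alerts.append("BULK_EXTRACTION")
    if user in DBA_ACCOUNTS and touched:
        if src not in JUMP_HOSTS:
            alerts.append("DBA_FROM_UNEXPECTED_SOURCE")
        if hour not in BUSINESS_HOURS:
            alerts.append("DBA_OUT_OF_HOURS")
    if DDL_DCL_RE.match(sql) and user not in DBA_ACCOUNTS:
        alerts.append("PRIVILEGE_OR_SCHEMA_CHANGE_BY_APP_ACCOUNT")
    return alerts


# Constructed events (not captured traffic).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:15:00", "user": "app_billing", "src": "10.1.2.3",
     "sql": "SELECT name, phone FROM CUSTOMER WHERE id = 4711", "rows": 1},
    {"ts": "2024-03-01T02:13:00", "user": "dba_admin", "src": "10.1.9.9",
     "sql": "SELECT * FROM CUSTOMER", "rows": 250000},
    {"ts": "2024-03-01T11:00:00", "user": "app_crm", "src": "10.1.2.7",
     "sql": "GRANT SELECT ON METER_READING TO app_crm", "rows": 0},
    {"ts": "2024-03-01T14:30:00", "user": "app_report", "src": "10.1.5.1",
     "sql": "SELECT m.kwh FROM METER_READING m JOIN CUSTOMER c ON c.id = m.cid", "rows": 50},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map each event index to its alerts."""
    return {i: evaluate(e) for i, e in enumerate(events)}
```

The second event is the case the text is most concerned with: an administrator account reading a whole sensitive table at night from an ordinary workstation trips three rules at once, which is what should drive an automatic session termination rather than a ticket the next morning.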
Figure 6 Database activity monitoring architecture in Taipower
5-2-5 Transmittal of Data
Taipower uses SSL/TLS (Secure Sockets Layer / Transport Layer Security) to protect data in transit. TLS operates above the transport layer and encrypts the HTTP traffic coming from the application layer. It uses public-key cryptography to keep an Internet connection secure and reliable, safeguarding any sensitive data sent between the customer and the server and preventing criminals from reading or modifying the information transferred, including personal details. Current websites and browsers generally combine HTTP with TLS (HTTPS) to attain secure communication.
When a user accesses data, the data are transferred in TLS-encrypted packets. Even if a packet is intercepted by someone with bad intentions, they still cannot decrypt or read it.
5-2-6 Authentication
On authentication, with the account lockout mechanism, after a user's account fails identity verification 3 times, the account and the source IP are not allowed to continue attempting to log in for at least 30 minutes. Passwords are stored by concatenating a random number (salt) with the password and processing the result with a hash function; the salt and the resulting digest (but never the original password) are stored separately to safeguard passwords at rest. We also use a CAPTCHA mechanism for authentication and important transactions to block attempts by automated programs. When users need to reset their password, or the system has to interface with an external system, they are asked to re-authenticate, after which we send them a one-time, time-limited token. After the returned token has been received and checked, they are allowed to reset their password or connect to the external system.
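Salted password storage and the one-time, time-limited token can be illustrated with the following added example (not Taipower's code). The text states only that the salt and password are concatenated and hashed; this example uses PBKDF2-HMAC-SHA256, an iterated salted hash, with an assumed iteration count and an assumed token lifetime, and keeps only a hash of each issued token server-side. The account/IP lockout rule above is not repeated here.

```python
"""Salted password storage and a one-time, time-limited reset token.
Added example, not Taipower's code; iteration count and token lifetime are assumed."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000     # assumed; raise to what production hardware tolerates
SALT_BYTES = 16
TOKEN_TTL_SECONDS = 600         # assumed validity of a reset token


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). The plaintext is never stored; salt and digest are
    kept in separate stores, as the text describes."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class ResetTokenStore:
    """Tokens are handed to the user once; only their SHA-256 is kept server side, so a
    database read does not yield usable tokens. Redemption removes the entry whether or
    not it was still valid, so a token can never be used twice."""

    def __init__(self):
        self._pending = {}      # sha256(token) -> (account, expiry)

    def issue(self, account: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self._pending[key] = (account, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: float):
        """Return the account the token belongs to, or None if unknown, used or expired."""
        entry = self._pending.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return None
        account, expiry = entry
        return account if now <= expiry else None
```

`now` is passed in rather than read from the clock so the expiry path can be exercised deterministically; in service it is the server time, never a timestamp supplied by the client.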
5-2-7 Encryption for the confidential data
In the foreseeable future, database columns that contain confidential information, such as personal identification numbers, bank accounts, and user addresses, will all be encrypted. The encryption has little or no effect on system performance and is essentially transparent. After encryption, even if the data are fetched from the physical database, they remain unreadable without the correct decryption key. For users who have legitimate access rights, decryption is performed automatically in the background.
5-2-8 Mainframe Access Control
The mainframe uses the Resource Access Control Facility (RACF) to protect resources by granting access only to authorized users. RACF retains information about users, resources, and access authorities in special structures called profiles in its database, and refers to these profiles when deciding which users should be permitted access to protected system resources.
To accomplish access control, RACF provides the ability to:
• Identify and authenticate users
• Authorize users to access protected resources
• Log and report attempts at unauthorized access to protected resources
• Control the means of access to resources
• Allow applications to use the RACF macros
5-2-9 Sensitive Information and Privacy Data Protection Policy with AMI System
Table 2 Security policy with the AMI system
5.3 Policies & Compliance
To enable the corporation to operate efficiently and grow in a secure and stable environment, we follow the company's ISMS policies, actively applying information technology, strengthening operational management, and implementing the concept that "Cyber Security is Everyone's Responsibility", thereby attaining the confidentiality, integrity, availability, and legality of information assets and critical infrastructure.
Annually, our ISMS execution group convenes a meeting to determine the priority of information assets for risk management and the acceptable risk values, based on the results of the risk assessment. It follows the "Asset Categories and Weaknesses, Threat Correspondence Table", the "Weakness Vulnerability Score Table", and the "Threat Probability Table" to identify actual risks and measure the existing controls on information assets. The group formulates a risk management plan and checks whether the existing controls are sufficient to reduce the risk to an acceptable level; if not, security control measures must be added. After the new control measures are formulated, the person in charge and the due date of the improvement plan are assigned according to the "Procedures for the Safety Precautions Management Procedure". After the improvement is completed, the residual risk is assessed and recorded in the risk management plan. Taipower also has complete notification and contingency measures for security incidents, and holds security exercises regularly to ensure the continued operation of the business.
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) is reviewed independently at planned intervals or when significant changes occur. In addition to holding an internal audit of important information assets and critical infrastructure security at least once a year, Taipower also obtains an annual independent review of security risks and controls from external agencies such as BSI, to ensure impartiality and objectivity, to benefit from fresh eyes, and to have the policies reviewed by someone other than their main author or administrator. These reviews are carried out at planned, regular intervals and whenever significant, security-relevant changes occur; ISO compliance reviews take place at least annually.
The collection, processing, and use of personal information shall comply with the provisions of the Personal Data Protection Act. Taipower shares customer information with the public only in compliance with the Act. As a public utility, Taipower seeks to protect the privacy of customers' personal information when complying with public records requests. Violations of the Personal Data Protection Act may be penalized with a fine of NT$20,000 to NT$500,000.
In order to lessen the likelihood of a cyber attack, Taipower puts the right people and processes in the right places. Furthermore, Taipower develops security education and training programs so that staff fully understand the risks of non-compliance, the purpose and responsibilities of the security policy, what they need to do to avoid those risks, and how to use the available technology to support these changes.
Taipower also coordinates with government agencies and stakeholders to protect the energy grid and technology systems, share information, and develop protective standards. Working with industry partners and vendors, the company ensures that it is taking steps to protect systems and data.
Taipower has detailed cybersecurity reporting requirements and strong partnerships to prevent and respond to threats. The company's business units are subject to mandatory and enforceable cybersecurity standards that protect critical infrastructure. These extensive measures help keep networks safe and keep out those who want to do harm.
New security policies will be developed, and existing policies modified, to address emerging personal privacy issues. Privacy protection measures are designed into Smart Grid solutions and standards as part of the solution delivery cycle. Taipower will continue to develop and deploy personal privacy training and awareness programs, and will also introduce new data protection measures such as data encryption tools.
Taipower implements the "Information Security and Personal Data Protection Audit Plan for Outsourcing Service Providers" each year, which involves the Legal Affairs Office and the Department of Civil Service Ethics. In addition, Taipower's supervising authority, the Bureau of Energy of the Ministry of Economic Affairs, forms a special audit team each year to check the state of personal data protection in each unit of the Taipower Company.
6. Smart Grid Penetration Testing Platform
6-1 Project Overview
Taipower has been promoting the smart grid for several years. To collect power operation data, the operational technology (OT) network needs to be connected to the information technology (IT) network, e.g. the intranet. Additionally, the proprietary information systems of the smart grid are gradually being replaced by open systems, so cybersecurity has become a major issue.
Penetration testing is an appropriate method for examining the cybersecurity of a complex information system such as the smart grid. Taipower has therefore planned to develop an effective penetration testing platform for finding the cybersecurity vulnerabilities of the smart grid.
As summarized at https://lp3.com/tips/5-benefits-of-penetration-testing/, penetration testing offers numerous benefits:
6-1-1 Detect and Prioritize Security Threats
A penetration test estimates the ability of an organization to defend its applications, networks, users, and endpoints from internal and external attempts to bypass its security controls and gain privileged or unauthorized access to protected assets. Penetration testing results confirm the threat posed by particular security vulnerabilities or faulty processes, allowing IT management and security experts to prioritize remediation efforts. By executing regular and complete penetration tests, organizations can more efficiently anticipate emerging security threats and prevent unauthorized access to crucial information and critical systems.
6-1-2 Reduce Network Downtime
Security breaches and attacks cause costly downtime. Penetration testing helps an organization avoid these financial setbacks by proactively detecting and addressing threats before breaches or attacks take place.
6-1-3 Protect Customer Loyalty and Company Image
Even a single incident of compromised customer data can destroy a company's brand and negatively impact its bottom line. Penetration testing helps an organization avoid data incidents that would put the company's reputation and reliability at stake.
6-1-4 Service Disturbances and Security Breaches are Expensive
Security faults and any associated disruptions in the performance of applications or services may cause debilitating financial harm, damage an organization’s reputation, grind down customer loyalty, generate negative press, and incur unanticipated fines and penalties. Frequent penetration testing helps the organization avoid these expenses.
Penetration testing helps Taipower avoid smart grid invasions. It is better for Taipower’s business to proactively maintain its security than to face extreme losses, both to its brand equity and to its financial stability.
Furthermore, penetration testing should be carried out whenever there is a change in the smart grid information infrastructure, by highly experienced experts who scrutinize internet-connected systems for any weakness or disclosure of information which could be used by an attacker to compromise the confidentiality, availability or integrity of the network.
In order to cope with the information security challenges arising from the smart grid, and to gain the benefits above, Taipower created a research project to develop a platform for penetration testing of the smart grid information system. The project focused on IEC 61850 using specified scenarios, aimed at understanding current international smart grid security developments through the related standards and regulations, and covered the industrial control system standards used to validate information security functions.
Currently, the IEC 61850 standard substation automation information system is being pushed forward as part of Taipower's smart grid policy. A typical configuration of Taipower's IEC 61850 substation automation system is shown in Figure 7.
Figure 7 Taipower’s IEC 61850 substation automation information system
In Figure 7, a great number of IT devices are used, together with TCP/IP networks, so cybersecurity must be considered in this situation. A penetration testing platform is therefore introduced to test for vulnerabilities and security holes in Taipower's IEC 61850 substation automation system.
In practice, the IEC 61850 substation automation system is installed in a physically isolated network area, so conventional cyber attacks such as DoS do not seem possible in this system. However, as open information technology systems come into use, the corresponding risk of vulnerabilities and viruses rises. Also, the requirement to exchange data between the IT and OT systems may create a data transfer route, and that route may be used for an attack. Thus the cybersecurity of the substation automation system becomes a main issue, and penetration testing is an indispensable means of addressing it.
Penetration testing is an authorized and proactive effort to assess the security of an IT infrastructure by carefully running tests that exploit vulnerabilities of the system, whether in an operating system, misconfigurations, service errors, or even unsafe end-user behaviour. These evaluations help confirm the effectiveness of defensive mechanisms and the adherence of end-users to security procedures. Hence, to avoid hacker attacks as well as possible vulnerabilities in the smart grid, smart grid penetration testing needs to be carried out before commercial operation.
Taipower outsourced the development of a smart grid penetration testing platform to Onward Security Corporation in 2015. The project developed a platform for testing both IEC 61850 and DNP3.0 over TCP/IP SCADA systems; refer to Figure 8 and Figure 9.
Figure 8 Penetration testing platform for IEC 61850
Figure 9 Penetration testing platform for DNP3.0 over TCP/IP
Onward Security also delivered an analysis of current cybersecurity standards, including IEC 62351, NERC CIP 002-009, NISTIR 7628, IEEE 1686 and ISO 27019, stating which of these standards are suitable for Taipower to apply.
For the IEC 61850 cybersecurity purpose, Onward Security provides a recommendation for the mapped portion of IEC 62351 to Taipower. This recommendation also proposes the procedures for adopting cybersecurity in IEC 61850 and DNP3.0 over TCP/IP SCADA systems.
The content described in this section refers to two documents on penetration testing methods for industrial control systems: the "Cyber Security Assessments of Industrial Control Systems Good Practice Guide" issued by the United States Department of Homeland Security in 2011, and the "Guide to Penetration Testing for Electric Utilities", Version 3, issued by the National Electric Sector Cybersecurity Organization Resource (NESCOR). The penetration testing platform project will derive and analyze a tailored penetration testing procedure for the Taipower smart grid based on the above methodology.
After the 9/11 attacks, critical information infrastructure protection (CIIP) was included in the national security policy of every country. In 2013, fifty percent of the cybersecurity attack events counted by DHS ICS-CERT targeted energy facilities. In the United States, the National SCADA Test Bed (NSTB) was set up in 2003 to resolve intrusion and cybersecurity problems of ICS in critical infrastructure. The test bed provided the corresponding system tests and developed the related risk assessment method as well as the use cases for ICS in every application realm. The penetration testing methods are briefly stated in the following sections:
6-2-1 The Penetration Testing Methods Used by the United States Power Company
I. Security Evaluation Methods
The United States Department of Homeland Security published the "Cyber Security Assessments of Industrial Control Systems Good Practice Guide" in 2011. This document proposes test procedures for the assessment of ICS. The test procedure includes:
• The Test Plan:
It is mutually beneficial for the assessment team and the asset owner to create a test plan before testing begins so that both entities know how the assessment will operate, including the rules of engagement, attack vectors and points of contact. However, the level of effort put into the test plan is a grey area that has to be decided by the asset owner. The asset owner may be more comfortable if there are a lot of details included in the test plan so that this document can act as a contract with the assessment team. However, the assessment team does not need great detail in this document, the exception being the rules of engagement. In fact, it may be a hindrance to the assessment team for the test plan to include many details (discussed in the next section). Ultimately, the time and money spent creating the test plan may be subtracted from the testing operations budget. This fact could potentially restrict the assessment team from accomplishing some portion of the desired testing.
• Choosing the Assessment Team:
The asset owner chooses the testing organization or provider but may have little control over the actual members of the assessment team. Information about the team members should be provided by the organization hired to perform the assessment. This information may include certifications, experience, skills and confirmation of background checks. ICS cyber security assessments differ significantly from standard IT-type assessments. It is imperative that members of the assessment team have experience with assessing ICSs and are aware of the limitations and challenges associated with testing in a production environment. The asset owner should validate the team’s references to ensure that the team has adequate ICS experience. The testing organization should provide the asset owner with a methodology of how assessments are performed in a production ICS environment. The methodology should include a list of typical tools used by the team and indications of when and how the tools will be used.
The roles and responsibilities of each team member should be clearly defined and communicated to the asset owner. If the assessment is to include a network analysis, at least one team member should have qualified networking experience and possibly network certifications such as those available from Cisco. At least one team member should be familiar with a number of the network protocols unique to ICS (e.g. DNP3, the Modbus suite, PROFINET, PROFIBUS, ICCP, OPC, etc.). This individual is responsible for analyzing network traffic and assessing the configurations of network devices such as firewalls, switches and routers. Other team members should be proficient in coding, reverse-engineering, protocol analysis and exploit development. The team members should be familiar with multiple languages such as C, C++, Python, Perl and assembler. Many ICSs have non-Windows operating systems and the asset owner should ensure that team members are familiar with the operating systems used on the target system. If possible, the asset owner should request individuals familiar with the protocols, programming languages, applications and operating systems used by the ICS.
As the assessment team will have access to sensitive information, the asset owner should be provided with confirmation that appropriate background checks have been performed. The control methods for the information acquired during the assessment may be defined in a legal document such as a non-disclosure agreement.
• Selecting the Attack Vectors:
One of the pre-assessment meeting tasks is to establish a set of initial attack vectors to include in the test plan. Many criteria may be used to select these items, but use caution in the level of detail specified. A detailed test plan prescribes exactly what to test, which will ensure that the assessment team covers the items identified. However, all the testing hours might be consumed filling in the details in the test plan without uncovering easily accessible vulnerabilities in other areas not included in the plan. An example might be that the asset owner wants to know if an attacker can take control of the front end processor (FEP) based on the communications allowed from the remote terminal unit (RTU). While this may be a valid concern in this particular installation, it might be overshadowed by the privileges extended to the ICS vendor maintenance connection. The alternative is to specify functions or transitions (discussed below) that present a potential attack vector. An example might be to test whether an attacker can make a network transition from one of the DMZ servers to a server inside the control network.
The most important part of planning a cybersecurity assessment is that the plan should not constrain the assessment team to approach a problem from only one direction. The test plan should loosely define what to test and never how to test it. This allows the cyber team to use all their skills to accomplish the goals. After all, by definition, a potential attacker is not going to follow the rules of engagement.
The general ICS assessment process overview is summarized in Figure 10 below.
Figure 10 Cyber security assessments of ICS process flow chart
II. Vulnerability Assessment (VA) and Penetration Testing
Generally, vulnerability assessment (VA) means analyzing the security of the target system by means of an automated tool. This process does not exploit system vulnerabilities, nor does it detect some cybersecurity problems, e.g. DoS. Penetration testing (PT), however, is focused on obtaining authorization and privileges on the target system. Several kinds of PT tool are used together, guided by cybersecurity knowledge and experience. In practice, great care and attention are needed when carrying out VA and PT on an ICS.
Penetration testing should be performed on a periodic basis depending on the criticality of the targeted system. This can be performed as a broad penetration test encompassing several control systems (such as an entire testing or staging control network), a targeted penetration test with a restricted scope of a single control system (management server to its controlled devices), or as a test of a single component of a larger system, such as a historian or a recloser. It is recommended to perform this type of assessment in testing or staging environments annually or after any major system upgrades or changes to the systems in question.
Penetration tests should start with a review of the target architecture to help the testing team gain a deeper knowledge of the target system. This will help the testing team understand the intended functionality of the targeted system, its expected security posture from an architectural perspective, and the security risks that a vulnerability could pose to the organization. This is best performed through interviews with knowledgeable experts from both the product’s vendor and the utility or asset owner deploying the target system. A practical process flow for planning and carrying out smart grid penetration testing is shown in Figure 11.
Figure 11 The practice procedure for electric utilities penetration testing
All penetration tests should start with proper planning and scoping of the engagement. Once that is complete, the penetration testing tasks can be broken into the four distinct task categories displayed in Figure 11. Each of these task categories also requires different skill sets from the testing team. If there is sufficient staff, these four penetration task categories can be performed in parallel. Once these tasks are completed, the team should perform a gap analysis to verify all desired tests have been performed and all goals met. Finally, the team should generate a report documenting their findings, interpret these findings in the context of the utility’s deployment, and develop recommendations to resolve or mitigate these vulnerabilities.
The color difference between these four penetration task categories in Figure 11 represents the relative likelihood that a utility should consider performing these tasks. These recommendations are based on a combination of trends that NESCOR has seen in the industry and the level of expertise needed to perform these tests. To some degree, this also represents the relative risk target systems represent to the utility, as the compromise of the control servers is generally considered higher risk than the compromise of a single embedded field device or its network communications.
The colors in Figure 11 can be interpreted as:
• Green: Tasks that should be performed most frequently, require the most basic of penetration testing skill, and can often be performed by internal security teams.
• Yellow: Tasks that are commonly performed and require moderate penetration testing skill.
• Orange: Tasks that are occasionally performed and may require higher levels of expertise.
• Red: Tasks that are infrequently performed and require highly specialized skills not often found in-house.
The methods introduced here provide a basis for security testing by organizations in the United States. According to practical experience, penetration testing methods are almost the same everywhere; differences in test results are mainly caused by the people executing them.
6-2-2 Fuzz Testing Method
Fuzz testing used to be the main technique of software black-box testing. It is widely used to test the boundary values of functions in IT systems as well as in SCADA and ICS environments. The main purpose of fuzz testing is to find possible faults in software as well as violations of input value limits. The core technique of fuzz testing is to feed input data that do not necessarily comply with the system logic. Fuzz testing does not care or predict which data will cause an abnormal situation; it only sends a large number of random inputs to the test target and observes the responses. The main use of fuzz testing here is testing the security of ICS communication protocols. The random data cause input fields to receive abnormal values, so the exception handling and the stability of the network application system can be tested by varying the input data randomly. A general fuzz testing procedure is shown in Figure 12.
Figure 12 Fuzz testing procedure
Figure 13 illustrates the whole procedure of a fuzz testing plan. In the first stage, the communication protocol is studied completely in order to determine the input fields, data types and variation rules. The number of test samples and the test time for each sample are estimated for scheduling purposes. The test data are created in the next stage: the test samples are entered or the rules for generating them are formulated. Based on these samples and rules, fuzz testing is then carried out, collecting the response status and parameter values of the test target. The results are analyzed to find the samples which cause an abnormal situation. Finally, the test report is created.
Figure 13 Stages of fuzz testing
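The stages above, as an added Python example that is not code from the original report or from Onward Security's platform. The target is a constructed toy frame format (start byte, length, function code, payload, 8-bit checksum), not DNP3 or IEC 61850: the fields and variation rules are fixed from that protocol description, samples are generated by mutating a valid seed frame, each response is classified as accepted, rejected (the protocol's own error path) or abnormal (any other exception), and the samples causing abnormal behaviour are reported. The target parser and its latent length-handling fault are constructed for the demonstration; the hardened parser beside it validates the length field before using it, so the same harness can also confirm a fix.

```python
import random
from dataclasses import dataclass, field

START = 0x05                      # start-of-frame marker of the constructed toy protocol
KNOWN_FUNCS = (0x01, 0x02, 0x03)  # read, write, poll (constructed function codes)


def build_frame(func: int, payload: bytes) -> bytes:
    """Encode a valid frame: START, length, function code, payload, 8-bit checksum."""
    body = bytes([func]) + payload
    head = bytes([START, len(body)]) + body
    return head + bytes([sum(head) & 0xFF])


def parse_frame(frame: bytes) -> dict:
    """Constructed target with a latent fault: the length field is trusted before the
    frame size is checked, so an oversized or zero length indexes past the data."""
    if len(frame) < 4 or frame[0] != START:
        raise ValueError("bad start byte or frame too short")
    length = frame[1]
    body = frame[2:2 + length]
    checksum = frame[2 + length]                  # IndexError when length exceeds the data present
    if (sum(frame[:2 + length]) & 0xFF) != checksum:
        raise ValueError("checksum mismatch")
    func = body[0]                                # IndexError when length == 0
    if func not in KNOWN_FUNCS:
        raise ValueError("unknown function code")
    return {"func": func, "payload": bytes(body[1:])}


def parse_frame_hardened(frame: bytes) -> dict:
    """Same protocol with the length field validated before it is used for indexing."""
    if len(frame) < 4 or frame[0] != START:
        raise ValueError("bad start byte or frame too short")
    length = frame[1]
    if length < 1 or len(frame) != 3 + length:
        raise ValueError("length field disagrees with frame size")
    if (sum(frame[:-1]) & 0xFF) != frame[-1]:
        raise ValueError("checksum mismatch")
    func = frame[2]
    if func not in KNOWN_FUNCS:
        raise ValueError("unknown function code")
    return {"func": func, "payload": bytes(frame[3:-1])}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Variation rules derived from the field layout: random byte, extreme length values,
    truncation, trailing garbage, and unknown function codes."""
    data = bytearray(seed)
    rule = rng.choice(["flip", "length", "truncate", "extend", "func"])
    if rule == "flip":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif rule == "length":
        data[1] = rng.choice([0, 1, 127, 128, 254, 255])
    elif rule == "truncate":
        del data[rng.randrange(1, len(data)):]
    elif rule == "extend":
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 32)))
    elif rule == "func":
        data[2] = rng.randrange(256)
    if rng.random() < 0.5:  # half the samples get a valid checksum so they reach deeper logic
        data = data[:-1] + bytes([sum(data[:-1]) & 0xFF])
    return bytes(data)


@dataclass
class FuzzReport:
    accepted: int = 0
    rejected: int = 0
    abnormal: list = field(default_factory=list)   # (sample hex, exception type)


def run_fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> FuzzReport:
    """Send mutated samples to the target and classify each response."""
    rng = random.Random(rng_seed)
    report = FuzzReport()
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
            report.accepted += 1
        except ValueError:
            report.rejected += 1          # the protocol's expected rejection path
        except Exception as exc:          # anything else is the abnormal situation being hunted
            report.abnormal.append((sample.hex(), type(exc).__name__))
    return report


if __name__ == "__main__":
    seed = build_frame(0x01, b"\x00\x10")           # constructed valid "read" frame
    for name, target in (("original", parse_frame), ("hardened", parse_frame_hardened)):
        rep = run_fuzz(target, seed, 500)
        print(f"{name}: accepted={rep.accepted} rejected={rep.rejected} abnormal={len(rep.abnormal)}")
        for sample_hex, kind in rep.abnormal[:3]:
            print(f"  {kind} on {sample_hex}")
```

The report keeps the exact sample that triggered each abnormal response, which is the artefact the analysis stage needs for reproduction. Against a real device the target callable would send the sample over the network and map timeouts or malformed replies to the abnormal class instead of catching exceptions.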
6-3 Platform Architecture
The test platform is composed of a notebook computer with the necessary operating system and testing software. The notebook should be connected to the network with the test target in order to create a valid connection. User commands of the test are given via a web browser interface. The test result could be checked at the test platform.
The configuration of the test environment is shown in Figure 14.
Figure 14 Penetration testing environment
All the test target devices are connected by a network switch. The corresponding internet protocol (IP) addresses are created by network address translation (NAT) on the switch. The Windows operating system and the Elipspower Ver.4.5 Build 210 SCADA system software are installed on the SCADA client desktop computer. The IEDs tested are GE T60, GE F650 and SEL 351. The network switch is a Moxa PT-7710.
The test software installed on the test platform includes Hercules SecDevice that is developed by Onward Security. Several security and vulnerability test tools and the packet recording application program are also installed.
Hercules SecDevice is a security assessment tool designed for connected products, and provides automated features from test environment configuration to security assessment. Test targets include web and wireless security. The content covers known and unknown security vulnerabilities, and the user-friendly design helps users get started quickly. Most common vulnerabilities listed in the OWASP TOP 10 and SANS TOP 25 are also covered. The Onward research team provides quick test project updates to ensure coverage of the latest security issues. The testing methods are shown in Table 3.
Table 3 Hercules SecDevice testing methods
7. Taipower TPC-ISAC Platform Development Use Case
7-1 Project Overview
With the development of Internet technology, network security threats to critical infrastructure have increased year by year. Based on the critical infrastructure security obligations, Taipower has cooperated with the government's top management to actively promote the national policy of "Cyber Security, National Security" and the "Fifth National Security Development Program (106-109) of the Executive Yuan". The Information Sharing and Analysis Center (ISAC) is built in tandem with the E-ISAC platform currently being built by the Ministry of Economic Affairs (MOEA). To build a security mechanism for emerging information technology, Taipower enhances the security management and continuous operation of critical infrastructure by strengthening the security protection of critical infrastructure through the analysis and sharing of security information.
7-1-1 Build Range
The system is built in the Taipower intranet, and any Taipower employees can apply for the TPC-ISAC platform member account to share the information. TPC-ISAC system is connected to the ISAC of Ministry of Economic Affairs (E-ISAC) as shown in Figure15.
Figure 15 E-ISAC platform architecture
7-1-2 System Functions
I. Alert Release
The user accesses the web server of the system through the Single Sign-On system of the Taipower enterprise website using a web browser and reads the relevant public information stored in the system database.
II. The Security Information Sharing
The member account permission module of this operation includes system account management and can set the associated account group and authority. When a user logs into the system through the account rights management module, the user's permissions are assigned as shown in Figure 16.
Figure 16 Information management process
III. Public Information
Users use the browser to access the web server system by the Single Sign-On system of the Taipower enterprise website and read the relevant public information stored in the database of the system.
IV. Data Enquiries and Statistics
Managers can use the "Classification Enquiry" function to query specific or unspecified fields of security information or incident notifications, e.g. queries by period, by field content and by classification. The information complies with the N-ISAC affair and event categories, and the N-ISAC definitions are followed to ensure that the information exchange stays consistent.
V. Unified Information Format
Through system automation and a standardized format for information sharing, with reference to the N-ISAC information exchange specification of the Executive Yuan, the platform exchanges information with the relevant domestic E-ISAC (such as that of the Ministry of Economic Affairs), providing information on security incidents, web threat information and contingency measures. The formats used are:
• STIX (Structured Threat Information eXpression) Information Format
• CybOX (Cyber Observable eXpression) standard
• TAXII (Trusted Automated eXchange of Indicator Information)
The information content is described and packaged using CybOX and STIX, and data are exchanged through TAXII. Refer to Figure 17.
Figure 17 ISAC information format
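The packaging and exchange described above, as an added Python example that is not code from the original report or from the TPC-ISAC platform. It uses the STIX 2.1 JSON serialization, in which the CybOX observables were folded into STIX patterns, and a TAXII 2.1 envelope (the JSON body posted to a collection). The member name, indicator and 203.0.113.10 address are constructed sample values; the rule that every reference must resolve inside the package is this example's own design choice for a self-contained exchange.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers have the form "<type>--<UUID>"
STIX_ID = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def stix_timestamp() -> str:
    """Current UTC time in STIX form (millisecond precision, 'Z' suffix)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_identity(name: str) -> dict:
    """The sharing member (e.g. an ISAC participant) that creates the objects."""
    ts = stix_timestamp()
    return {"type": "identity", "spec_version": "2.1", "id": f"identity--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name, "identity_class": "organization"}


def make_indicator(name: str, pattern: str, created_by: str) -> dict:
    """An indicator whose STIX pattern carries what CybOX used to express."""
    ts = stix_timestamp()
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "created_by_ref": created_by, "name": name,
            "indicator_types": ["malicious-activity"], "pattern": pattern,
            "pattern_type": "stix", "valid_from": ts}


def make_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_objects(objects: list) -> list:
    """Return a list of problems; an empty list means the package is internally consistent."""
    errors = []
    known = {o.get("id") for o in objects}
    for obj in objects:
        typ, oid = obj.get("type"), obj.get("id", "")
        if not typ or not STIX_ID.match(oid) or not oid.startswith(typ + "--"):
            errors.append(f"bad type/id pair: {typ!r} {oid!r}")
            continue
        if obj.get("spec_version") != "2.1":
            errors.append(f"{oid}: missing spec_version 2.1")
        for req in ("created", "modified"):
            if req not in obj:
                errors.append(f"{oid}: missing {req}")
        if typ == "indicator":
            for req in ("pattern", "pattern_type", "valid_from"):
                if req not in obj:
                    errors.append(f"{oid}: missing {req}")
        for key, val in obj.items():      # every *_ref / *_refs must resolve inside the package
            refs = val if key.endswith("_refs") else [val] if key.endswith("_ref") else []
            for ref in refs:
                if ref not in known:
                    errors.append(f"{oid}: {key} points outside the package: {ref}")
    return errors


def pack_envelope(bundle: dict) -> str:
    """Serialize the bundle's objects as a TAXII 2.1 envelope."""
    return json.dumps({"objects": bundle["objects"]})


def unpack_envelope(text: str) -> list:
    """Parse a received envelope and refuse inconsistent content before it is stored."""
    data = json.loads(text)
    objects = data.get("objects") if isinstance(data, dict) else None
    if not isinstance(objects, list):
        raise ValueError("envelope has no 'objects' list")
    problems = validate_objects(objects)
    if problems:
        raise ValueError("; ".join(problems))
    return objects


if __name__ == "__main__":
    member = make_identity("Constructed ISAC member")
    ioc = make_indicator("constructed test indicator",
                         "[ipv4-addr:value = '203.0.113.10']", member["id"])
    envelope = pack_envelope(make_bundle([member, ioc]))
    print(envelope)
    print(len(unpack_envelope(envelope)), "objects accepted")
```

Validating on receipt, not only on send, is the useful habit here: a member platform that stores whatever arrives from the exchange inherits the sender's mistakes, and dangling references are the first thing that breaks later queries.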
VI. Working environment
All systems of this platform run on a virtual server in the Taipower intranet and are connected to the E-ISAC platform currently being built by the Ministry of Economic Affairs. The system uses a three-tier architecture design, the usual arrangement of web server, web application and database. To allow access to the TPC-ISAC platform from a personal computer or a mobile device, the front-end of the platform uses Responsive Web Design (RWD), which automatically determines the type of device used and selects the appropriate display. The working environment is planned as shown in Figure 18.
Figure 18 ISAC three tiers architecture
7-2 Security Requirement
The Taipower TPC-ISAC service platform has the following security considerations:
7-2-1 Comply with the "Secure Software Development Life Cycle" Specification
According to the development needs, we write the standard development documents and conduct system threat analysis in the system design stage, then design appropriate security measures based on the analysis results to improve system security. The platform follows the SSDLC process and focuses on the security requirements of the information system. Depending on the type of software, these include "Confidentiality", "Integrity", "Availability", "Authentication", "Authorization and Access Control", "Logging", "Session Management", "Error and Exception Handling", "Configuration Management", etc., which are used to check the security level of the system platform.
7-2-2 Platform System Vulnerability Scanning
Before the platform is launched, the vulnerability scanning and source code detection are performed to ensure that the delivered application system has no backdoor or Trojan horse programs, and all the issues are addressed before going online. Regarding source code detection, this platform uses the white box source detection tool to provide two security tests at the beginning stage and after the repair, and cooperates with professional security consultants to analyze the source code test results, and provides suggestions for improvement on the discovered security breaches. Program developers understand system application vulnerabilities and analyze their risk severity based on vulnerability scan reports, which can effectively reduce the barriers and cognitive gaps in system application patching and improve the effectiveness of vulnerability patching.
7-2-3 The User Establishes an Audit Authorization System
When logging in to the platform, the high-privilege account needs to input a graphic verification code (CAPTCHA) and a one-time verification password (OTP) sent by the platform to the mobile phone as a second login credential other than the password. After the user logs in successfully, the default is the minimum privilege. If you need to obtain a higher privilege, you need to be authorized by the system administrator. The TPC-ISAC authorization system is shown in Figure 19.
Figure 19 TPC-ISAC authorization system
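The second-factor and default-minimum-privilege rules of 7-2-3, as an added Python example that is not code from the original report or from the TPC-ISAC platform. The code and the role names, the 300-second validity window, the three-guess limit and the SMS delivery callback are all assumptions of this example (the report states none of them); the CAPTCHA step is omitted because it cannot be demonstrated offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed validity window; the report does not state one
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


@dataclass
class PendingOtp:
    digest: bytes       # salted hash of the code; the clear code is never stored server-side
    salt: bytes
    expires_at: float
    attempts: int = 0


class SecondFactorGate:
    """Issues single-use SMS-style codes and verifies them with expiry and attempt limits."""

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver          # callback standing in for the SMS gateway
        self._clock = clock              # injectable clock so expiry can be tested
        self._pending: dict = {}

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str) -> None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = PendingOtp(self._digest(code, salt), salt,
                                         self._clock() + OTP_TTL_SECONDS)
        self._deliver(user, code)

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(self._digest(code, entry.salt), entry.digest)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # single use, and lockout after repeated wrong guesses
        return ok


# Constructed role model: every login starts as "member"; higher roles come only from an admin grant.
ROLE_PERMISSIONS = {
    "member": {"read_public"},
    "analyst": {"read_public", "read_shared", "post_information"},
    "admin": {"read_public", "read_shared", "post_information", "grant_role"},
}
BASE_ROLE = "member"


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset

    def can(self, permission: str) -> bool:
        return any(permission in ROLE_PERMISSIONS[r] for r in self.roles)


class AuthorizationService:
    def __init__(self, gate: SecondFactorGate):
        self._gate = gate
        self._grants: dict = {}          # user -> roles approved by an administrator

    def grant(self, actor: Session, user: str, role: str) -> None:
        if not actor.can("grant_role"):
            raise PermissionError(f"{actor.user} may not grant roles")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._grants.setdefault(user, set()).add(role)

    def login(self, user: str, password_ok: bool, otp_code: str):
        """The password check is stubbed as a boolean; the OTP is the second credential."""
        if not password_ok or not self._gate.verify(user, otp_code):
            return None
        return Session(user, frozenset({BASE_ROLE} | self._grants.get(user, set())))


if __name__ == "__main__":
    outbox = {}
    gate = SecondFactorGate(lambda user, code: outbox.__setitem__(user, code))
    auth = AuthorizationService(gate)
    gate.issue("alice")
    session = auth.login("alice", True, outbox["alice"])
    print(session, "post_information:", session.can("post_information"))
```

The points worth copying are that the server keeps only a salted hash of the code, compares it in constant time, and destroys the entry on success, on expiry and after the guess limit, while privileges are computed at login from a grant table that only a session holding the grant permission can change.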
7-2-4 Data Backup
The platform automatically backs up the database file and application configuration files every day and conducts disaster recovery exercises to ensure that the backup mechanism works perfectly.
7-3 Cyber Threat Warning Mechanism
Threat lights take a variety of objective environmental factors and, after an evaluation and calculation procedure, show a quantified risk indicator of the potential threats to the underlying system. The primary purpose of the threat light is to reflect the overall risk profile of system security with a simple, easy-to-understand indicator that shows the degree of risk at a glance so that action can be taken. The platform's OT and IT threat rating is modelled on the US Department of Homeland Security's threat levels for physical security, terrorist attacks and security threats. Those levels are based on the threat of terrorist or criminal activity and define five levels: green light (low alert), blue light (start alert), yellow light (alarm alert), orange light (high alert) and red light (severe alert).
Referring to the definition of the lights above, when the platform encounters a security situation it first determines the scope and object of the threat, and then its source, scale, certainty and level. The objective factors considered include IT-related information security threat warnings, malware statistics, vulnerability databases, OT physical security, personnel security and security incidents. After the evaluation and calculation procedure, the potential threats to the IT and OT target systems are expressed as quantified risk indicators showing the overall risk and threat status of system information and network security. The image-based threat light lets viewers determine the degree of risk from an easy-to-understand indicator and take appropriate action. The threat light is illustrated in Figure 20.
Figure 20 ISAC threat light
In order to effectively achieve the sharing of security information, the Taipower TPC-ISAC platform needs to communicate effectively with other critical infrastructure members and the competent authority ISAC, such as regular meetings or questionnaires to obtain feedback to improve the sharing mechanism continuously.
In the past two years, the Executive Yuan has vigorously promoted the building of ISAC platforms by critical infrastructure units, considering non-technical aspects of security protection, adopting information sharing methods, and automatically sharing security threats and messages across fields to achieve rapid integration of information. The purpose of sharing and practical application is to enhance the overall response and protection capabilities of security information and achieve the goal of cybersecurity.