Pacific Northwest National Laboratory (PNNL) researchers are taking new approaches to solve cybersecurity vulnerabilities for utilities and other industries that use process control technologies. These connected devices are used in operational technology settings and tend to be more vulnerable to cyberattacks than information technology equipment. Working with utility advisors and companies that specialize in identifying vulnerabilities, PNNL researchers have developed two web-based tools to assess and mitigate threats inside and outside the firewall.
The first solution is an easy-to-use software application that helps utilities quickly identify control system devices connected to the internet and their known vulnerabilities. Another web-based tool offers a nondisruptive and safe way to detect vulnerabilities in energy delivery systems that can arise inside a utility’s firewall.
Both technologies were developed at PNNL for the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response. Both software tools are low cost, can be used together, and are designed for ease of use by control room operators and utility staff who are not cybersecurity experts.
Identifying vulnerabilities in the field
Mitigation of Externally Exposed Energy Delivery Systems, or MEEDS for short, monitors and identifies internet-connected energy delivery system devices, usually located in the field, that are vulnerable to cyberattack.
“Threat actors can exploit these devices to gain control of critical networks and systems,” said PNNL principal investigator Sri Nikhil Gupta Gourisetti. “MEEDS offers a solution to mitigate externally exposed energy delivery systems without degradation or disruption of services.”
These control system devices include remote terminal units, protective relays, switchgear, and other sensing equipment that collect data and receive commands from grid operators to initiate physical actions and ensure reliable and efficient operation of the power grid. Devices and systems in this operational technology (OT) environment are often internet connected, putting them at greater risk of attack from cybercriminals.
MEEDS provides an affordable and easy-to-use cyber-risk management system to find exposed and vulnerable networks and devices before attackers do. Designed specifically for critical infrastructures, such as energy utilities and connected facilities or buildings, MEEDS safely queries devices to identify risks. It works by distilling data from large online cyber-vulnerability databases to quickly assign an approximate, relative risk severity to each exposed device.
Upon discovering cyber vulnerabilities, MEEDS provides security alerts on a dashboard. It also provides recommended risk mitigation actions, relative vulnerability risk grades, and relative risk scores. MEEDS incorporates detailed best practices about select common OT protocols and will generate recommendations based on the detected exposures.
PNNL developers worked closely with utilities during development and recently demonstrated a prototype to other utilities and the National Rural Electric Cooperative Association.
“Their initial response to the demonstration was positive, and we’ve implemented their feedback to assure the software design meets end-user needs,” said Bev Johnson, MEEDS project manager.
The MEEDS app is available for licensing for use in the utility sector. MEEDS offers both basic and advanced feature sets, so both cyber-novice and cyber-savvy users can use it to safely understand the cyber risks their electric delivery systems are exposed to and act on that information.
The development team is also expanding the tool for use in assessment and mitigation of cyber vulnerabilities in any critical infrastructure dependent on operational technologies, including in buildings where many functions are regulated by control systems.
Cybersecurity from the inside out
While MEEDS protects the outward edge of an energy delivery system, another new tool from PNNL identifies and helps mitigate vulnerabilities inside the firewall. The Safe, Secure Autonomous Scanning Solutions for Energy Delivery Systems, or SSASS-E, helps utilities manage their cyber risk by tracking and reporting on devices on an internal network.
“Current approaches to vulnerability assessment don’t provide continuous scans, so a new approach is needed,” said Thomas Edgar, a PNNL cyber researcher, who specializes in securing operational technologies.
An “IT-like approach” to OT systems
Devices used in OT environments are very different from information technology systems. Traditional active scans search IT networks to find vulnerabilities. But in OT environments, active scans can cause faults in control devices. So, PNNL researchers developed an IT-like approach to safer, passive scanning using intelligent active and passive probes that won’t cause failures or downtime.
SSASS-E nearly eliminates the operational problems with active scans and provides improved vulnerability discovery compared to passive scans. The sensors and scanners distributed across the energy delivery system let utilities know exactly what devices are in their targeted operational technology systems.
The SSASS-E tool also helps utilities confirm what devices have been added or removed between scans and manage their vulnerabilities. PNNL researchers teamed with Tenable Inc. to transform their active vulnerability scanners for the OT environment. The prototype has been tested and is able to identify energy delivery-based devices and discover vulnerabilities without disrupting operation of those devices.
The monitoring tool helps validate that a system is configured according to operating policies or best practices and hasn’t been inadvertently exposed through reconfiguration. The active scans for device identification and vulnerability discovery are triggered based on the passive evidence being observed, policy settings, and an action-based decision tree algorithm. The policy settings give the utility user greater control over deciding which categories of scans are safe to apply to the devices. The devices identified and vulnerabilities discovered in the device configurations, along with suggestions for mitigating those vulnerabilities, are reported via a web interface.
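The policy-gated decision described above, as an added illustration that is not SSASS-E's or PNNL's code: passive evidence is classified, the least intrusive scan that answers the open question is chosen, and the result is clamped to the ceiling the operator's policy allows for that device class. The scan taxonomy, device classes, protocol sets, and policy values are all constructed assumptions.

```python
"""Policy-gated scan selection from passive evidence (constructed illustration)."""
from dataclasses import dataclass

# Scan categories ordered from least to most intrusive (constructed taxonomy).
SCAN_LEVELS = ["none", "passive_only", "identify", "vuln_check", "active_probe"]

@dataclass(frozen=True)
class Evidence:
    """What a passive sensor observed for one host (constructed record)."""
    ip: str
    protocols: frozenset       # application protocols seen on the wire
    known: bool                # already present in the asset inventory
    fingerprint_changed: bool  # observed behaviour differs from the inventory entry

def classify(ev: Evidence) -> str:
    """Coarse device class derived only from passively observed protocols."""
    if ev.protocols & {"modbus", "dnp3", "iec104"}:
        return "field_controller"
    if ev.protocols & {"http", "https", "ssh"}:
        return "hmi_or_gateway"
    return "unknown"

def decide_scan(ev: Evidence, policy: dict) -> str:
    """Action decision tree: pick the least intrusive scan that answers the open
    question, then clamp it to the ceiling the operator's policy allows."""
    cls = classify(ev)
    ceiling = policy.get(cls, "passive_only")  # conservative default for unmapped classes
    if not ev.known:
        wanted = "identify"      # new host: learn what it is before anything else
    elif ev.fingerprint_changed:
        wanted = "vuln_check"    # reconfigured host: look for newly exposed weaknesses
    else:
        wanted = "none"          # nothing changed: passive evidence is sufficient
    return SCAN_LEVELS[min(SCAN_LEVELS.index(wanted), SCAN_LEVELS.index(ceiling))]

def inventory_diff(previous: set, current: set) -> dict:
    """Hosts that appeared or disappeared between two observation windows."""
    return {"added": sorted(current - previous), "removed": sorted(previous - current)}

# Constructed policy: field controllers never get more than an identification scan.
POLICY = {"field_controller": "identify", "hmi_or_gateway": "vuln_check", "unknown": "passive_only"}

if __name__ == "__main__":
    rtu = Evidence("10.0.1.20", frozenset({"dnp3"}), known=True, fingerprint_changed=True)
    hmi = Evidence("10.0.1.50", frozenset({"https"}), known=False, fingerprint_changed=False)
    print(decide_scan(rtu, POLICY))  # vuln_check is clamped to identify by policy
    print(decide_scan(hmi, POLICY))  # identify
    print(inventory_diff({"10.0.1.20", "10.0.1.30"}, {"10.0.1.20", "10.0.1.50"}))
```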
In developing SSASS-E, PNNL teamed with utility and industry partners to gather requirements for a better approach to cyber scanning. PNNL researchers are now seeking more utility users to deploy the technology in additional pilot tests of the SSASS-E platform.