Cyber Security in Distribution Networks is Broken: It's Time for Change!
Don't create weak links in your cyber chain!

Introduction

Have you heard the phrase "a chain is only as good as the weakest link"? The phrase was coined hundreds of years ago when people were probably referring to actual chains. Fast-forward to the 21st century and whilst the phrase remains unchanged, we now talk about blockchain, supply chain and the cyber security chain. The adage "only as good as the weakest link" still stands strong, particularly in the context of cyber security. It has been proven time and time again that humans are the weakest link in the cyber security chain because we are fallible by nature. Many of us struggle to remember passwords and roughly 40% of people write them down, making them vulnerable and increasing cyber risk. This raises the question: given the rise of social engineering, ransomware, espionage and other cyber attacks in the industrial space, why do utilities and billion-dollar infrastructure operators trust humans with passwords for their control systems?

"sharing passwords amongst multiple stakeholders is inconvenient, insecure and eliminates accountability"

The more secure a password, the harder it is to remember and the more likely it is to be written down. Many industrial companies never change passwords in their control system networks because they could be forgotten, resulting in catastrophe. Worse yet is the practice of sharing passwords among multiple stakeholders, which is inconvenient, insecure and eliminates accountability, leaving nothing but a process to blame should a breach occur. These processes and policies would never be seen on the corporate side of Australian utilities, yet they are commonplace in their control systems/networks, and it is time to mandate change.

A Very Realistic Example...

An Australian utility manages 1000 assets connected over public cellular infrastructure and uses subcontractors to procure, configure and install LTE/4G/5G routers on their behalf.

"When contracts expire and the subcontractors change, the utility transfers the same passwords and configurations to another contractor to manage"

The subcontractor first procures LTE routers from the cheapest vendor they can find. They configure the routers through a point-and-click GUI using shared configuration files, static passwords and SIM cards provided by the utility. Lastly, the subcontractor must physically install the hardware and check a SCADA system to ensure the site is up and communicating at that point in time. Because the subcontractor is not a network "guru" and did not design the network, there is potential for misconfiguration. If a cellular router fails (e.g. lightning strike or misconfiguration), the contractor must go to site, locate the specific configuration for that site and manually enter it into the router while under time pressure or potentially stressful conditions. When contracts expire and the subcontractors change, the utility transfers the same passwords and configurations to another contractor to manage.

The Problems with this Example

The assumption that people will always get things right is the main problem with this example; however, here is a more complete list:

  • Manual configuration assumes contractors are networking experts and introduces risk of human error and disparate configuration, accentuated when using a GUI.
  • No control measures to enforce configuration integrity. What happens if it stops working and how can you run a standard diagnostic procedure without control?
  • Poor password management. What is the purpose of having a password if it's not strong, secure, dynamic and revocable? The current process continually increases business risk.
  • Lack of audit logging and accountability, resulting in potential legal or insurance nightmares
  • Utility transmits unencrypted data over public infrastructure, opening up potential for 'man in the middle' attacks. IPWAN does not employ encryption/VPN to protect SCADA traffic.
  • The utility has no control of the supply-chain and therefore no guarantee of hardware source
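As an added illustration (not part of the original article, and not Garderos or GCS code), the following Python audit checks a fleet export for three of the problems listed above: configuration drift from an authorised template, credentials shared across sites, and sites without a VPN. The field names, the `cred_fp` credential fingerprint and all sample values are constructed assumptions.

```python
import hashlib
from collections import Counter

# Authorised configuration per asset group (constructed sample values).
TEMPLATES = {
    "pump-station": "apn=utility.example\nvpn=ipsec\nmgmt=https-only\n",
    "substation": "apn=utility.example\nvpn=ipsec\nmgmt=disabled\n",
}

# Constructed fleet export; field names are hypothetical, not a vendor format.
# cred_fp stands for a fingerprint of the admin credential stored on the router.
FLEET = [
    {"site": "PS-001", "group": "pump-station", "cred_fp": "fp-7c1e",
     "config": "apn=utility.example\nvpn=ipsec\nmgmt=https-only\n"},
    {"site": "PS-002", "group": "pump-station", "cred_fp": "fp-7c1e",
     "config": "apn=utility.example\nvpn=none\nmgmt=https-only\n"},
    {"site": "SS-010", "group": "substation", "cred_fp": "fp-93ab",
     "config": "mgmt=disabled\nvpn=ipsec\napn=utility.example\n"},
    {"site": "SS-011", "group": "substation", "cred_fp": "fp-7c1e",
     "config": "apn=utility.example\nvpn=ipsec\nmgmt=http\n"},
]

def digest(config: str) -> str:
    """Hash a config independent of line order and stray whitespace."""
    lines = sorted(ln.strip() for ln in config.splitlines() if ln.strip())
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def settings(config: str) -> dict:
    """Parse key=value lines into a dict."""
    return dict(ln.strip().split("=", 1) for ln in config.splitlines() if "=" in ln)

def audit(fleet, templates):
    """Return {site: [findings]} for drift, shared credentials and missing VPN."""
    approved = {group: digest(cfg) for group, cfg in templates.items()}
    cred_use = Counter(r["cred_fp"] for r in fleet)
    report = {}
    for r in fleet:
        findings = []
        if digest(r["config"]) != approved.get(r["group"]):
            findings.append("config-drift")       # differs from authorised template
        if cred_use[r["cred_fp"]] > 1:
            findings.append("shared-credential")  # same credential on several sites
        if settings(r["config"]).get("vpn", "none") == "none":
            findings.append("no-vpn")             # SCADA traffic would be unencrypted
        report[r["site"]] = findings
    return report

if __name__ == "__main__":
    for site, findings in audit(FLEET, TEMPLATES).items():
        print(site, ", ".join(findings) or "ok")
```
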

Governance and Compliance

It's fairly unlikely that the above processes would be recommended by a responsible government when referring to their critical infrastructure.

The Australian Government Information Security Manual provides a set of guidelines for operators of critical infrastructure. The ACSC Advice for industrial control systems demands better password management and auditing processes. In addition, ACSC recommends utilities consider advice from ICS-CERT (published by the Department of Homeland Security) to configure and manage remote access for industrial control systems. These documents also recommend the use of encryption/VPN over public infrastructure.

Whilst these are currently recommendations, the Australian Government is heavily investing in cyber security and in the near future there will be a drive to mandate better practices. Don't despair, the solution can be easier than one may think. By simply committing to implement good security practices, introduce automation and take control of supply chain, most of the above problems can be completely avoided.

Introducing Automation for LTE and NBN Connectivity

Below we explore how Garderos, a manufacturer of secure industrial remote access solutions, addresses these problems for utilities in Australia and around the world.

Automation and centralised management are the key to solving most of the abovementioned problems. Distributed automation networks are complex and are best configured by a telecommunications team with experience, authority, oversight and accountability for the whole network.

Garderos empowers utilities through a high-availability, on-premise automation platform called the Garderos Configuration Server (GCS). GCS automates the following to help utilities be compliant with the Australian Cyber Security Centre frameworks.

  • Router Provisioning - Garderos routers auto-deploy configurations "out of the box" without the need to individually configure routers, train field/maintenance staff or share passwords. This is called "zero touch" configuration. By introducing zero-touch, the utility maintains the integrity of their network settings and eliminates opportunities for human error.
  • Configuration management - GCS validates and enforces "authorised" configurations based on group or individual configuration templates. No more "oddball" configurations input by a field worker doing 2AM emergency maintenance in a thunderstorm.
  • Rapid replacement - When using Garderos routers, the configuration can be determined by the SIM card. If a router is damaged, simply move the SIM card to a new router and it will configure itself, no field programming required. In addition, the configuration is automatically deleted from the old router, making it virtually impossible to reverse engineer or steal VPN certificates/keys.
  • Certificate management - enable sophisticated and secure certificate-based authentication for VPNs without having to manually log in to each site and re-issue certificates across the network (i.e. when certificates expire or if there is fear of compromise).
  • Firmware management - auto-synchronise, distribute, validate and enforce approved firmware versions across the entire network with a few button clicks.
  • Audit trail and security logging - automate log integration with modern intrusion detection systems (eg Tripwire), Syslog (Splunk), etc.
  • Inventory management and network health monitoring - for better operational visibility

Taking Control of Supply Chain

Dealing directly with an authorised manufacturer representative reduces risk of being supplied counterfeit hardware and delivers superior business value. Authorised representatives with skilled technical support teams can help clients realise the maximum potential of the product, provide operational training and increase return on investment. IPD has a highly knowledgeable technical sales and support team and is the authorised agent for Garderos in Australia. Our experts will identify the optimal technical and business solutions on behalf of Garderos in Germany, and being the direct importer, IPD ensures that compliance with local authorities such as ACMA is maintained.

Summary

It's time to be ready for the next iteration of compliance and cyber governance. With a little finesse and automation it is possible to reduce the potential for human error, streamline communications and improve cyber security posture.

For those operating large numbers of remote assets which need to connect via LTE, CAT-M1 or NBN (VDSL or Fibre), the solution from Garderos is well proven in Australia and provides a solid pathway to improve cyber security and eliminate the need to give out the keys to your kingdom.

About Garderos and the IPD Group

Garderos is a medium-sized communications company based in Germany that originated in 2002 as a spin-off from Siemens’ Information Communications Networks (ICN) division. Garderos design and manufacture tailored routing solutions for the special requirements of large organisations (utilities, telecommunications and transport sectors to name a few). Garderos clients strive for the highest cyber security standards and the best manageability and reliability in harsh environments.

IPD is an Australian-operated, ASX-listed electrical product distributor with over 70 years of heritage and experience. Our team has the knowledge and experience to deliver our market-leading range of electrical products and innovative end-to-end solutions that benefit our customers and the industries we serve. Our core focus is power distribution, power monitoring, industrial control, renewables and service provision across a range of verticals including power generation, distribution and transmission, water, resources and infrastructure. Since the acquisition of Control Logic in 2020, IPD has become the master distribution, support and engineering partner for Garderos across Australia.