When you think of critical infrastructure, the first thing that comes to mind is the electric grid, where a single cyberattack has the potential to disrupt all areas of civil life. Power transmission co-ops, just like their larger consolidated counterparts, are constantly threatened by an ever-increasing number of threat actors, either politically motivated and nation-state sponsored or cyber-criminals using ransomware for purely financial gains.
Transmission co-ops, which traditionally serve households and small businesses in rural and ex-urban areas in the US, carry an additional layer of complexity and susceptibility to attack because of their much larger attack surface. This was the main motivation behind the decision of a large transmission co-op in the US, which delivers power to distribution co-ops through a network of over 120 substations spread across two states, to upgrade its OT security operation and bring its cyber-posture up to par.
Objectives and Challenges
One of the initial decisions the co-op made upon initiating the project was to bring in a third-party vendor to conduct a thorough cyber-risk assessment of its networks: to determine the threat actors and risk level affecting each operational unit, and to prioritize the most effective mitigation measures for minimizing risk based on each network's unique characteristics, needs and budget.
The decision to conduct a risk assessment was also in line with established cybersecurity best practices, as outlined in the NIST CSF guidelines and the IEC 62443 standard. And while most of its facilities fell below the BES (Bulk Electric System) level at which NERC-CIP compliance is mandatory, the co-op also wanted to ensure system-wide alignment with NERC-CIP regulations.
To provide the cybersecurity risk assessment and associated consulting services, the co-op chose InfoSight, Inc., an MSP that provides a variety of advisory and managed services for both IT and OT/ICS networks. Because InfoSight operates as a vendor-neutral consultant, the co-op was assured that any solutions or technologies InfoSight recommended would be based solely on the client's best interest.
Following a rigorous cybersecurity assessment, InfoSight concluded that the client had a generally sufficient cyber-posture on the IT side of the house, and issued suggestions and guidelines for closing the remaining security gaps.
In reviewing the OT networks, InfoSight particularly recommended adding monitoring on the ICS/SCADA network, to complement the co-op’s already-installed IT network monitoring operation.
For a monitoring solution InfoSight recommended Radiflow’s iSID intrusion detection system (IDS) which, as noted by InfoSight, was highly rated by industry sources like Gartner. Additionally, iSID had been incorporated into a test-bed set up at NIST’s NCCoE labs, and was included in the NIST publication SP 1800-7, Situational Awareness for Electric Utilities.
iSID was able to provide the co-op with the architectural flexibility it needed. This included the use of iSAP Smart Collectors at remote locations for cost-effective, bandwidth-efficient transmission of network data to a single instance of iSID at the corporate SOC for analysis, eliminating the need to install iSID at smaller substations. Standalone iSID installations were used at certain primary locations, all centrally monitored at the SOC using Radiflow's iCEN management platform.
Outcome and Current Status
After vetting possible solutions and partners, the co-op selected the Radiflow solution and InfoSight Professional Services to help implement it. Radiflow's team worked closely with the InfoSight staff and a team from the co-op composed of IT and SCADA personnel.
Within 24 hours of deploying the first iSAPs in substations and transmitting network traffic back to iSID, unwanted traffic was detected on the co-op's OT LAN. Further investigation revealed that traffic from the attached distribution co-ops' external networks was leaking onto the transmission co-op's OT network, adding to the network load and opening another potential attack vector. This traffic, and the vector it represented, was subsequently eliminated by tightening the ACL rules on the firewalls segmenting the transmission co-op from the distribution co-ops.
One of the added benefits the co-op expressed appreciation for was the network and asset visibility iSID provided. While the co-op previously had a good understanding of the assets in its substations, it could now see them clearly in map form, along with their hardware, firmware and vulnerability properties. It also now had a map of all communication paths and protocols involved, which provided insight into appropriate firewall rules. And while it previously had no way of verifying whether a controller or other device was off-line at a remote substation, iSID now provided visibility into each device's operational status and activity.
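The two findings above, foreign traffic leaking onto the OT LAN and a communication-path map that informs firewall rules, can be illustrated with a small flow-record check. The following is an added example and not Radiflow's or InfoSight's code: the prefixes, protocols and flow records are constructed, and the generated deny rules are vendor-neutral placeholders, not a real firewall syntax.

```python
import ipaddress
from collections import defaultdict

# Prefixes the transmission co-op's OT LAN is expected to carry (constructed values).
OT_PREFIXES = [ipaddress.ip_network(p) for p in ("10.50.0.0/16", "172.16.10.0/24")]
# Protocols expected between SCADA masters and substation devices (constructed list).
ALLOWED_PROTOS = {"dnp3", "modbus", "iec104", "ntp"}

# Constructed flow summaries, as a collector at a substation might report them:
# (source, destination, application protocol).
FLOWS = [
    ("10.50.1.10", "172.16.10.21", "dnp3"),
    ("10.50.1.10", "172.16.10.22", "modbus"),
    ("192.168.77.5", "172.16.10.21", "http"),   # source on a distribution co-op's network
    ("192.168.77.9", "172.16.10.22", "smb"),    # source on a distribution co-op's network
    ("172.16.10.21", "10.50.1.10", "dnp3"),
]

def in_ot(addr):
    """True when the address falls inside one of the expected OT prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OT_PREFIXES)

def build_comm_map(flows):
    """Map each (src, dst) pair to the protocols seen between them: the
    communication-path view used to reason about which rules belong on the firewall."""
    paths = defaultdict(set)
    for src, dst, proto in flows:
        paths[(src, dst)].add(proto)
    return dict(paths)

def find_leaks(flows):
    """Flag flows where an endpoint lies outside the OT prefixes or the protocol
    is not one expected on the OT LAN."""
    return [(src, dst, proto) for src, dst, proto in flows
            if not (in_ot(src) and in_ot(dst)) or proto not in ALLOWED_PROTOS]

def suggest_acl(leaks):
    """Derive one placeholder deny rule per foreign /24 source prefix seen leaking."""
    prefixes = sorted({str(ipaddress.ip_network(f"{src}/24", strict=False))
                       for src, _, _ in leaks if not in_ot(src)})
    return [f"deny ip {p} any" for p in prefixes]

if __name__ == "__main__":
    leaks = find_leaks(FLOWS)
    for flow in leaks:
        print("leak:", flow)
    for rule in suggest_acl(leaks):
        print("candidate rule:", rule)
```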