One of the pillars of the success of SeConSys is to try to develop a valid professional position by reconciling – or even clashing – different views on new and/or complex challenges. It is particularly rewarding to be able to inform a wider professional community of the ideas that emerge on a challenge.
My 5 August post on strengthening the protection of technology-enabled devices was answered by my colleague icscybersec on 14 August, and his reply appeared as a guest post here on the SeConSys blog on 16 August. That post also prompted some further thoughts on my part.
1. Reflections on the answer to question 1
Question 1: “What are your views on the outlined concept of strengthening protection close to the technology?”
1.1. Purdue model
The Purdue model is often declared dead. It is true that the “classic” model is less and less representative, in its “vertical” form, of today’s conditions. But it may be too early to bury it.
The electricity system is undergoing a paradigm shift from a purely hierarchical ‘generation, transmission, distribution, consumption’ scheme to a distributed system in which almost any function can be interpreted in conjunction with any other function, with ‘storage’ as a new function.
As an interesting analogy, the former – largely hierarchical – OT systems are also increasingly being replaced by networked solutions. In this sense, we can perhaps also speak of a paradigm shift in OT. The changes may justify updating rather than burying the Purdue model for this new situation.
1.2 “Sidebar”-1: Need for conceptual clarification
It is my understanding that we often do not fully understand the similarities and differences between IT and OT, or OT and ICS.
These are worth addressing in the context of the increasingly overdue update of the handbook.
1.3 “Sidebar”-2: “Who guards the guardians?”
The Latin phrase comes to mind in response to my colleague icscybersec’s answer to my first question. As he writes, “a solution from SIGA OT Solutions can be as good as any OT network security product”. In my view, in terms of their function, these products perform a kind of “safety” function, as they are responsible for the integrity of the protected system(s), and thus for its proper functioning. In this sense, they act as guards.
Well, it is worth remembering that the attack on Saudi Aramco was carried out against the very system that performs the safety function. Successfully. In the end, it was not the attacker’s fault that the attack did not lead to a chemical disaster…
The attack is an unfortunate practical example of how no system, not even one performing a safety function, can be considered immune to a (successful) cyber attack.
But then again, it is legitimate to ask: “Who guards the guardians?”
2. Reflections on the answer to question 2
The question is: “Would such protection really reduce the urge of an extortionist attacker?”
2.1. Security of supply enhancing/reducing impact of a paradigm-shifting electricity system
Make no mistake: the new electricity system model that is emerging will both (!) increase and decrease the security of supply.
It will increase it insofar as distributed generation (and, over time, storage) and microgrids will progressively raise the resilience of the electricity system.
At the same time, the increase in the scale of the digital devices and systems required to do this significantly increases the attack surface (especially if the attacker exploits the vulnerability of a mass deployed device/system).
The two effects operate in parallel and are not mutually exclusive. It is not possible to predict at this stage whether either will become dominant over time and if so, which.
2.2 “The computer is a good tool to solve problems that would not arise without it”
Let’s not forget that there was electricity before the advent of digital devices and systems. In the 1950s, the country’s electricity supply was managed from the Castle, from a multi-storey basement system under the old apartment building at 72 Úri Street. Initially, network status data were collected and operating orders issued by telephone, and the current network status was recorded manually on a wooden board. And it really worked in practice!
A serious step was the high-frequency transmission of the most important measurement data over the transmission lines. The number of pulses sent indicated the specific value of a measurement. This rudimentary signal transmission made it possible to build the first luminous, active control panel using analog technology.
It should be remembered that in power stations and substations, the automatic protection functions were performed by relay-type devices. In other words, they also worked on the analog principle! Not bad! And “by the way” without the slightest chance of hacking!
One more addition. In both the 2015 and the 2016 attacks in Ukraine, the power supply was restored by manual switching performed by operators sent to the affected substations, acting on orders, i.e. verbal instructions, from the plant manager. In other words, in a manner analogous to the procedure used in the 1950s.
Having recovered from the ‘digital hype’ that has affected the electricity system as well, it is worth considering, after the attacks, the necessary and sufficient analog solutions and the procedures based on them that would make supply sustainable. It is a different matter that the (not small) cost of (re)developing them has to be borne by someone – the consumer, in the end.
2.3. “Sidebar”-3: Certain conditions for the restoration of service in the event of a blackout
The basic condition for switching by command is that there is voice contact with the electricians in the field. This used to be done by means of VHF radiotelephones, but nowadays it is more likely to be done by means of mobile telephones or, in substations, by means of plant telephones.
The 2015 attack also partially affected the uninterruptible power supply, which caused a partial switchboard outage. However, in the event of a prolonged power outage, over time, the mobile phone network’s base station breakers may also fail, gradually making mobile communication impossible. In the event of a permanent blackout, communication in at least two directions must be maintained in this case:
- with the system operators in the surrounding countries. This is a key issue: if the electricity system is intact in one or more countries, it can be used to start restoring the Hungarian system;
- with the facilities needed when no such help is available. We speak of a black start when the blackout is widespread abroad as well, i.e. when there is no possibility of inter-country assistance. In this case, a pre-designated black-start-capable (gas turbine) power plant has to supply electricity, via designated system components, to restart the units of the Paks nuclear power plant. A precondition for black-start capability is that all the service locations concerned have reliable voice communication in the event of a blackout.
In my view, regardless of ransomware attacks, it is necessary and possible to strengthen the resilience of the electricity system. An indispensable element of this is providing the full set of personnel and material conditions for emergency operation, demonstrating the ability to keep operating, which would signal to a potential attacker, for example, that a ransomware attack could achieve only limited results.
At the same time, achieving credible resilience is a time-consuming and resource-intensive process, which is a political choice in the security of supply vs. price debate because of its impact on consumer prices.
In the end, this post of mine has become the longest, most complex post on the SeConSys blog to date. But as we know from Murphy, “there are always simple, easy to understand, wrong answers to complicated problems.” And I myself was striving for the right answer.
I/we would be delighted if others would join the debate!
We welcome messages either agreeing or disagreeing with the above. For example, by responding to them in a new post, substantive professional exchange of views could be initiated.