Technical Controls

Technical controls are the hardware and software components that protect a system against cyberattacks. Firewalls, intrusion detection systems (IDS), encryption, and identification and authentication mechanisms are examples of technical controls (Harris and Maymi 2016).

Importance

Technical controls perform many critical functions, such as keeping unauthorized individuals from gaining access to a system and detecting when a security violation has occurred. Because they are so critical, some people think of technical controls as being the entirety of cybersecurity, ignoring other essential elements (those captured in the other building blocks).

Technical controls must be organized in such a way that they provide protection for both data at rest (e.g., data stored on a hard drive) and data in motion (e.g., data moving across a network). A common approach for deploying controls is defense-in-depth, where controls are layered. In such an arrangement, if an attacker breaches one control, controls at the next layer continue to provide protection.

Intersections With Other Building Blocks

The organizational security policy building block defines objectives for the technical controls building block. Decisions regarding which controls to deploy and how the system of controls will work together (the security architecture) are made by the staff in charge of technical controls. Because of the complexity involved in deploying technical controls, it is not uncommon in small and under-resourced utilities to see security controls overbuilt in some areas and underbuilt in others (Ingram and Martin 2017). This problem is avoided by having the organizational security policy set technical control objectives based on risk management needs, compliance needs, and governance strategy (see the building blocks for risk management, compliance, and governance). This provides a more balanced, organization-wide perspective on security, which can then be addressed by selectively deploying security technical controls.

Figure 8. Information passed to the technical controls building block

Process and Actions

Deploying technical controls involves many types of technology and skills, making it difficult to point to any one action as the definitive “first step.” Nonetheless, network security is often at the forefront of many efforts to improve security. In 2020, when India issued new security mandates for the power sector, it called out firewalls as an example of the type of protective devices that would be required (T&D World 2020). This was in part a response to a malware infection at India’s monopoly atomic power producer (Singh 2019).

A modern utility is likely operating multiple networks simultaneously, including an enterprise network—supporting business and office functions (e.g., accounting and email)—and a supervisory control and data acquisition (SCADA) network—which controls and monitors grid equipment (e.g., remote terminal units). As advanced metering infrastructure, smart meters, and distributed energy resources (such as customer-owned solar) are deployed in greater numbers, utilities will need to extend wide area networks further into the field to gather data and monitor the state of the grid.

Network security involves many different functions (more than can be covered in these building blocks). However, two are particularly worth mentioning: access control and network monitoring. Access controls are those technologies that determine who can connect to a network or system and what they can do once they are connected. A password is an example of an access control; specifically, passwords address authentication, which verifies that the person, device, or application wishing to connect to the network is indeed who it claims to be. Only you are supposed to know your password, so anyone who knows your password is assumed to be you. Access control is taken for granted on enterprise networks (you log in with your password every day for work). But as SCADA and wide area networks push outward and closer to the grid edge, access control becomes an issue there as well.

Network monitoring tools detect suspicious activity or traffic on a network. These tools generally operate through either signature detection or anomaly detection. Signature detection looks for data that is known to be associated with a particular piece of malware, while anomaly detection looks for anything out of the ordinary that “looks suspicious.” While there are many commercial network monitoring tools on the market, there are also high-quality open source alternatives (Drolet 2018). Below are three examples:

  • Snort is highly configurable. Users can tell it what to look for on the network and what actions to take when a threat is detected.
  • Bro uses an analysis engine, making it very powerful. Bro can automate more of the work of responding to threats but has a steeper learning curve relative to Snort.
  • Kismet detects intrusions on wireless networks, including Wi-Fi and Bluetooth. It can be used to track down unauthorized access points, which helps with access control.
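The two detection approaches above are complementary, and the following added example (not code from the original page, nor the internals of Snort, Bro, or Kismet) shows why: a signature check catches a known-bad payload but not an unfamiliar sweep, while a fan-out anomaly check catches the sweep but not the payload. All flow records, the beacon string, and the "hypothetical-beacon" signature are constructed for illustration.

```python
"""Signature vs. anomaly detection over constructed flow records.
Added example; not code from the page and not Snort, Bro or Kismet internals."""
from statistics import mean, pstdev

# Constructed sample flows: (src, dst, dst_port, payload). The 502/tcp payload is
# shaped like a Modbus/TCP "read holding registers" request; none of this is real traffic.
READ_REGS = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
FLOWS = (
    [(f"10.0.1.{i}", "10.0.2.10", 502, READ_REGS) for i in range(1, 9)]      # 8 normal HMIs
    + [("10.0.1.9", "10.0.2.10", 4444, b"EVIL-BEACON-v1 ping")]             # known-bad payload
    + [("10.0.1.20", f"10.0.2.{i}", 502, READ_REGS) for i in range(1, 41)]  # one host sweeping 40 RTUs
)

# Signature detection: byte patterns tied to a specific (hypothetical) malware family.
SIGNATURES = {"hypothetical-beacon": b"EVIL-BEACON-v1"}

def signature_hits(flows):
    """Return (src, dst, signature_name) for every flow whose payload contains a known pattern."""
    return [(src, dst, name)
            for src, dst, _port, payload in flows
            for name, pattern in SIGNATURES.items() if pattern in payload]

# Anomaly detection: no pattern needed; flag sources whose number of distinct
# destinations is far above the population (z-score over all sources seen).
def anomaly_hits(flows, z_threshold=2.0):
    """Return (src, distinct_destinations) for sources whose fan-out is anomalous."""
    fanout = {}
    for src, dst, _port, _payload in flows:
        fanout.setdefault(src, set()).add(dst)
    counts = {src: len(dsts) for src, dsts in fanout.items()}
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:            # every host behaves identically: nothing stands out
        return []
    return [(src, n) for src, n in counts.items() if (n - mu) / sigma > z_threshold]

if __name__ == "__main__":
    print("signature:", signature_hits(FLOWS))   # catches the beacon, misses the sweep
    print("anomaly:  ", anomaly_hits(FLOWS))     # catches the sweep, misses the beacon
```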

SCADA networks have security needs that are somewhat different from enterprise networks. Because they control devices and processes in the physical world, special care must be taken when responding to suspected cyber intrusions so that the response does not cause unintended consequences in the real world. (For instance, before disconnecting a generation station that might be affected by malware, consider whether doing so might cause a cascading outage.) Utilities should study the special requirements associated with SCADA security.

The items below are selected and adapted from 21 Steps to Improve Cybersecurity of SCADA Networks. More details are provided in that document, and many of the 21 steps not included here are covered in other building blocks. Many items on the list also apply to enterprise networks.

  • Isolate the SCADA network as much as possible. Find all touchpoints between the SCADA network and the utility’s own local area networks, the internet, or networks operated by other entities. These might include wireless routers, satellite links, or dial-up modems. Shut down as many of these touchpoints as possible. For instance, if a touchpoint is used infrequently and exists only to make it convenient for certain employees to connect, consider eliminating it. The remaining touchpoints should be strengthened with firewalls, IDS, or other similar protections.
  • Remove unnecessary devices and services from the SCADA network. More devices mean more points for a cyberattacker to target. Shutting down or removing unneeded services and devices is a low-cost way of protecting the network.
  • Use whatever security features exist on devices or systems. Some devices and systems may have built-in security features (such as encryption or authentication), but these are not always used because doing so may require more staff effort. Reviewing technical documentation of these devices and—if feasible—activating them is another low-cost way to improve security.
  • Deploy IDS. IDS scan for known malware or monitor network traffic for anomalies. Snort, Bro, and Kismet are all examples of open-source network IDS, while OSSEC is an example of an open-source “host-based” IDS (Drolet 2018).
  • Have “red teams” identify possible SCADA attack scenarios. “Red team” refers to a group tasked with finding vulnerabilities in a system. Red teams may be contractors (such as those hired to do a penetration test) or employees from another department within the organization. Ideally, red teams should not include anyone responsible for the security of the system—the idea is to get a fresh perspective on the security posture of the system.
  • Review the physical security of remote sites connected to the SCADA network. Physical access to a device or a site can provide opportunities for cyber compromise. If a would-be attacker has unsupervised physical access to a device, they have a good chance of eventually bypassing its cyber defenses.
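The first three steps above (isolate the SCADA network, remove unneeded devices and services, use built-in security features) can be turned into a repeatable audit over the utility's own inventory data. The following is an added example, not code from the original page or from any vendor tool; the touchpoint and device records, the `REQUIRED` service map, and the 10-uses-in-90-days threshold are constructed for illustration.

```python
"""Audit of SCADA touchpoints and device services for steps 1 to 3 above.
Added example with constructed inventory data; not from the page or any tool."""

# Constructed inventory of touchpoints between the SCADA network and other networks.
TOUCHPOINTS = [
    {"name": "dmz-firewall",    "kind": "firewall",        "uses_last_90d": 2400, "protected": True},
    {"name": "vendor-dialup",   "kind": "dial-up modem",   "uses_last_90d": 1,    "protected": False},
    {"name": "substation-wifi", "kind": "wireless router", "uses_last_90d": 90,   "protected": False},
    {"name": "satellite-link",  "kind": "satellite",       "uses_last_90d": 600,  "protected": True},
]

# Constructed device inventory: running services plus built-in security features and their state.
DEVICES = [
    {"name": "rtu-07",  "services": {"modbus", "http", "telnet"},
     "features_available": {"auth"},        "features_enabled": set()},
    {"name": "hist-01", "services": {"sql", "https"},
     "features_available": {"tls", "auth"}, "features_enabled": {"tls", "auth"}},
]
# Services each device actually needs (from the utility's engineering documentation; constructed here).
REQUIRED = {"rtu-07": {"modbus"}, "hist-01": {"sql", "https"}}

def audit_touchpoints(touchpoints, min_uses=10):
    """Step 1: rarely used touchpoints are removal candidates; the rest must sit behind a firewall/IDS."""
    findings = []
    for tp in touchpoints:
        if tp["uses_last_90d"] < min_uses:
            findings.append((tp["name"], f"remove: used {tp['uses_last_90d']} time(s) in 90 days"))
        elif not tp["protected"]:
            findings.append((tp["name"], "harden: no firewall/IDS in front of it"))
    return findings

def audit_devices(devices, required):
    """Steps 2 and 3: list unneeded services to shut down and unused built-in features to enable."""
    findings = []
    for dev in devices:
        extra = dev["services"] - required.get(dev["name"], set())
        if extra:
            findings.append((dev["name"], "disable services: " + ", ".join(sorted(extra))))
        unused = dev["features_available"] - dev["features_enabled"]
        if unused:
            findings.append((dev["name"], "enable features: " + ", ".join(sorted(unused))))
    return findings

if __name__ == "__main__":
    for name, action in audit_touchpoints(TOUCHPOINTS) + audit_devices(DEVICES, REQUIRED):
        print(f"{name}: {action}")
```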

Essential Data

Utilities seeking to improve the technical controls for their SCADA networks should collect the following information:

  • Details of touchpoints between the SCADA network and other networks, including the utility enterprise network and the internet
  • Physical security details of remote sites with SCADA access
  • Asset management data regarding devices on the system and the services they run
  • Information about the security features built into devices connected to the SCADA network
  • Repositories of valuable data on both enterprise and SCADA networks and the technical controls used to protect them.

Recommended Reading

Gaither, Andy, Scott King, Darren Bennet, Joshua Carlson, Shane Markley, Patrick Norton, SANS Institute ICS Curriculum Team, Ted Gary, and Cody Dumont. Implementation Guide for Industrial Control Systems Version 7. Center for Internet Security.

Obregon, Luciana. 2015. Secure Architecture for Industrial Control Systems. SANS Institute.

PCIPB, DOE. 2002. 21 Steps to Improve Cyber Security of SCADA Networks. President’s Critical Infrastructure Protection Board and U.S. Department of Energy, Office of Energy Assurance.

Additional Resources and References

Harris, Shon, and Fernando Maymi. 2016. CISSP All-in-One Exam Guide 7th ed. New York: McGraw Hill Education.

Stouffer, Keith, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, and Adam Hahn. 2015. Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82. National Institute of Standards and Technology.