Keywords
Federal Agency for Information Security, BSI, network-based intrusion detection, host-based intrusion detection, substation automation, NIDS, IEC 61850
Summary
Klaus Hunsänger from the German Federal Agency for Information Security (BSI) explains how to implement an intrusion detection system in electrical substations in accordance with the BSI recommendation BSI-CS 153 “Station automation”. Being a long-time practitioner, he sheds light on the background of the BSI document and where a network-based IDS (NIDS) is best placed within the OT of a substation.
Takeaways
The document BSI-CS 153 “Station automation” focuses on OT security at the periphery of energy infrastructure, the electrical substations.
Old security strategies for substations have become inadequate in the light of the current geopolitical situation, changed attack vectors and modern technical frameworks.
Having cybersecurity control in the control room is not enough to detect attacks in modern substations.
IT staff and technical staff may come from different planets, but there is common ground to work together.
The first step to intrusion detection (still) is visibility and documentation; the second step is getting your hands on the network-based and host-based logs.
IEC 61850 systems without an .scd file are prone to failure in case of malfunctioning or incidents.
The .scd file is also a treasure trove for training the NIDS.
Many companies still rely too heavily on service providers when it comes to visibility and incident response.
In a typical electrical substation, an NIDS brings the fastest results.
Workstations and modern IEDs are great sources for host-based intrusion detection and log files. Older-generation IEDs should be treated with caution, though.
OT networks can generally handle the extra traffic of security information if established information paths are used.
While many attack signatures are documented for IT, it’s quite a different picture in OT.
Given the deterministic communication in OT networks, anomaly detection is the best solution for identifying security-relevant events.
An NIDS should not be run completely isolated, but needs to be connected to the SOC and the responsible staff. Operators who fear disruption of their OT have many simple means at hand to address that.
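As an added illustration of two takeaways above (the .scd file as a training source for the NIDS, and anomaly detection on deterministic OT traffic), not part of the episode or of the BSI document: the Python below reads a constructed minimal SCD, derives an allowlist of engineered IP hosts and GOOSE streams, and flags observed traffic that the engineering never specified. The SCL namespace is the real IEC 61850 one; the SCD contents, the function names and the observed events are constructed for this example.

```python
# Build an allowlist baseline from an IEC 61850 SCD (SCL XML) and flag traffic that
# deviates from it. The SCD snippet is constructed for this example; all names are ours.
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed minimal SCD: two IEDs on the station bus, one engineered GOOSE control block.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication><SubNetwork name="StationBus">
    <ConnectedAP iedName="PROT_F1" apName="AP1">
      <Address><P type="IP">10.10.1.11</P></Address>
      <GSE ldInst="LD0" cbName="gcbTrip">
        <Address><P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P></Address>
      </GSE>
    </ConnectedAP>
    <ConnectedAP iedName="CTRL_F1" apName="AP1">
      <Address><P type="IP">10.10.1.12</P></Address>
    </ConnectedAP>
  </SubNetwork></Communication>
</SCL>"""

def baseline_from_scd(scd_xml):
    """Return (allowed_ips: IP -> IED name, allowed_goose: set of (MAC, APPID)) from the SCD."""
    root = ET.fromstring(scd_xml)
    allowed_ips, allowed_goose = {}, set()
    for ap in root.iterfind(".//scl:ConnectedAP", NS):
        ip = ap.findtext("scl:Address/scl:P[@type='IP']", namespaces=NS)
        if ip:
            allowed_ips[ip] = ap.get("iedName")
        for gse in ap.iterfind("scl:GSE", NS):  # every engineered GOOSE control block
            mac = gse.findtext("scl:Address/scl:P[@type='MAC-Address']", namespaces=NS)
            appid = gse.findtext("scl:Address/scl:P[@type='APPID']", namespaces=NS)
            allowed_goose.add((mac, appid))
    return allowed_ips, allowed_goose

def detect_anomalies(allowed_ips, allowed_goose, observed):
    """observed: ("ip", src_ip) or ("goose", dst_mac, appid) events from a passive sensor.
    Anything the SCD never engineered is reported; known traffic stays silent."""
    alerts = []
    for ev in observed:
        if ev[0] == "ip" and ev[1] not in allowed_ips:
            alerts.append(f"unknown IP host {ev[1]}: not in SCD")
        elif ev[0] == "goose" and (ev[1], ev[2]) not in allowed_goose:
            alerts.append(f"unengineered GOOSE stream {ev[1]} APPID {ev[2]}")
    return alerts

# Constructed observations: the two engineered IEDs, one rogue host, one rogue GOOSE stream.
OBSERVED = [("ip", "10.10.1.11"), ("ip", "10.10.1.12"), ("ip", "10.10.1.99"),
            ("goose", "01-0C-CD-01-00-01", "0001"), ("goose", "01-0C-CD-01-00-02", "0002")]
```

In a real deployment the baseline would be regenerated whenever the engineering tool exports a new SCD, so that a legitimate re-engineering does not show up as a flood of anomalies.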
Sound Bites
The attack vectors have moved to the remote control network and even to the station bus.
I think the energy sector [in Germany] is pretty well prepared compared to other sectors, even to other critical sectors.
In some cases, we still see utilities that too heavily rely on their service providers when it comes to documentation.
Network-based intrusion detection is best in networks where I can’t simply add another security software on all the IEDs and RTUs.
APTs are pretty individual in how they attack. Signature-based detection lacks the agility.
There is no point in having an [isolated NIDS] box in your substation, that screams and wails when you only check it every few days.
Chapters
00:00 Introduction
01:28 Background to the BSI document BSI-CS 153 “Station automation”
04:19 How the technical baseline has changed in electrical substations
06:25 Steps to implement OT security in electrical substations
07:05 How to connect the security staff with the technicians
08:26 The relevance of documentation in cybersecurity
10:11 The relevance of the .scd file in IEC 61850 infrastructure for error detection, intrusion detection and visibility
12:20 Where to place a network-based intrusion detection system (NIDS) in your electrical substation
14:26 Where is a host-based IDS worthwhile?
15:34 Are IEDs good information sources for cybersecurity?
17:10 Passive vs active intrusion detection
19:00 How does a NIDS with anomaly detection detect a supply chain compromise?
22:10 The question of vendor agnosticism and isolated integration of NIDS
25:14 How to work together with service providers