Rules and Guidelines
Want to participate in the discussions? Please read our Community Rules and Guidelines. Need some help? Visit Support and Answers.

  • Replies 21 replies
  • Subscribers 23 subscribers
  • Views 2018 views
  • Users 0 members are here
Options
You may also be interested in

Retrofitting Legacy Control Systems to Tackle Evolving OT Cyber Threats

Taimur

Hi everyone,

I’m new to the EngX community and looking forward to learning from you all. I’d like to start a conversation about something I think many of us face and that is updating legacy control systems in power plants and other critical infrastructure, especially when it comes to growing OT cyber threats.

Lot of these systems were designed decades ago, with reliability in mind but little thought given to cybersecurity. Today, they’re exposed to new risks that weren’t imagined back then. The challenge is finding a way to retrofit these systems efficiently and without tearing everything apart or causing long periods of downtime.

In the UK, where our energy and infrastructure systems are heavily relied upon, even a small disruption can create big problems. So how do we make these updates both secure and practical?

I’m particularly interested in hearing how others have approached efficient retrofitting and what worked, what didn’t, and how you balanced the iron triangle of cost, time, quality and scope. Are there certain strategies or tools that helped modernize your systems without overhauling them completely.

Would love to hear your thoughts and experiences.

Thanks,

Taimur | MIET 

  • in reply to Bruno Silveira

    What is your threat model and what does it include? Are we talking about a teenage script kiddie in his bedroom scanning for open ports and running exploits or are we talking about sophisticated state-sponsored actors?

    As others have pointed out, some diodes are glorified packet filterers or firewalls and you're putting trust in a single company. This may or may not be a good idea than using open-source solutions that have a decentralised verification model.

  • in reply to Bruno Silveira
    Bruno Silveira said:
    Updates are done via an air-gapped cloud infrastructure(on a separated connection only open at specific time slots). Basically we effectively "trip the breaker" between our office environment and our power controls.

    Is your network of sufficient importance to attract Stuxnet-type attacks?  If so, be aware that they might sit and wait for you to reconnect the network.  Or even piggy back on whatever data transfer device you use even if you never connect the network.

  • in reply to Tim Boler

    Hello,

    a data diode is a piece of hardware that enforces a one-way flow of data using physics. It relies on a transmitter (like an LED) on the sensitive side and a receiver (like a photo-sensor) on the corporate side.

    Which means stream operational data out to the corporate network, but it is physically impossible for a hacker to send malicious commands in, because there is no transmitter on the receiving end to send data back.

    In our case the cyber vectors are mainly:

    • IT-to-OT Pivoting: Attackers compromise the corporate IT network , then pivot into the OT network due.
    • Exploiting the Decentralized Edge: The rapid integration of millions of decentralized renewable energy sources drastically expands the attack surface. 
    • Legacy OT Protocols: Similar to the rest of the world, older substations still rely on industrial protocols designed without modern encryption or authentication.
    All of this in a energy grid highly decentralized. Managed by four major Transmission System Operators (TSOs) and hundreds of regional and municipal DSOs.
    Who normally is attacking?
    • Nation-State Actors (APTs)
    • Cybercriminals
    • Supply Chain Threats
    Cheers,
  • in reply to Simon Barker

    Hello,

    there is any alternatives to TPM 2.0 and Secure Elements(In our case we use Titan security chips) ?

    Cheers,

  • in reply to Bruno Silveira
    Bruno Silveira said:
    there is any alternatives to TPM 2.0 and Secure Elements(In our case we use Titan security chips) ?

    You're getting beyond my knowledge there.

    But if it's a nation state attacker, assume they can get anything securely signed that needs to be. And that they know all the security flaws that haven't been publicly disclosed yet.

  • in reply to Bruno Silveira

    I'm no expert but my understanding is that not all such hardware use one-way physical channels (see Owl_Talon_one_Card_Datasheet_V7.pdf). Even if a fiber optic cable is used, can it be independently verified that no 2-way transceiver is installed e.g. hardware backdoor?

    The concept sounds reasonable but just making the point that with security-specific customised hardware you're putting putting a lot of trust in one vendor which is potentially a target for supply-chain attacks. Same for so-called "secure element" chips.

  • in reply to Tim Boler

    no 2-way transceiver is installed e.g. hardware backdoor?

    well, in some shall we say, ' quite important'  places the fibres run from place to place in clear trunking or conduit throughout their whole length so they can be visually  inspected by security guards , who know what the installation  is supposed to look like from their previous rounds. Any extra wires or boxes would trigger the process for discovering an incident.

    Fibres can be 'tapped' unbroken by carefully bending them around a tight radius close to the snapping point, so that some of the light is scattered from the core into the cladding. This can be detected if it is over done by the reduced signal level at the far end. 


    The idea of the fully inspectable length is that any such equipment would be spotted.

    Regards,

    Mike

  • in reply to mapj1

    But even with a very short length of FO, how can you tell it's really only transmitting in one direction?

  • in reply to Tim Boler
    Tim Boler said:
    But even with a very short length of FO, how can you tell it's really only transmitting in one direction?

    Buy extras of the equipment at each end. Strip it down and see what is inside. If it's got a receiver on the transmit side, or a receiver on the transmit side, it's not a proper data diode, but something programmed to act like one.

  • in reply to Tim Boler

    Gosh, 

    this is what we have in a substation. And if I am not mistaken this is from 2019 (first generation). 

    We have "KRITIS operators" that are legally mandated to deploy specialized OT Intrusion Detection Systems.

    If a utility supplies more than a specific threshold of people, their facilities are classified as Critical Infrastructure (KRITIS). They must implement state-of-the-art security and pass strict, biennial audits by the BSI(Bundesamt für Sicherheit in der Informationstechnik).

    I would never guess that a data diode would generate so much interest... 

Community Rules & Guidelines