There would be no way to do reporting on any of the devices in the field without some form of network connection. This delays response time: if, for example, a recloser failed to operate, nobody would be aware unless someone physically checked the device. With networked SCADA systems, this becomes an immediate notification to the control room.
I'm a fan of manual systems, but within reason though. The point is, you're never going to be 100% protected. People can still break into substations and compromise the grid rather easily.
Let's take my example and say you had a recloser that is stuck, but could be fixed by sending a command that would perform a manual close. Or maybe you wanted to set the time threshold for the closing.
a) Would you send a lineman out to the recloser and have them manually configure it, spending probably hours doing so?
b) Or would you have some operator press a button in a piece of software to engage the recloser (thus, ultimately, writing whatever register in the device to perform the closing)?
Now multiply that scenario to the potentially hundreds/thousands of reclosers in the field.
Yes, I agree, which is why regulation is crucial to ensure a balance is struck between operational efficiency and security.
If you want to interrogate recloser behavior remotely (real time and for historical logging), entirely reasonable. If you want to reclose manually or update trip and reclose thresholds, your commands or setting updates must be authenticated, logged, and cryptographically signed. If the ACR encounters lockout, you roll a truck (which you're probably going to do regardless, as lockout indicates a non-transient fault).
Alright, your response is a lot clearer now. However, this is how it currently is with NERC CIP, so I fail to see how having legislation that facilitates more manual devices really solves anything.
Why are you reading something if you're not going to take action based on that data? Reads are de-facto writes elsewhere, so they need to be authenticated.
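The rule in the two comments above, that every command (a status read as well as a manual close or a threshold change) must be authenticated, logged, and protected against replay, written out as an added example that is not from any commenter. The operator id, the command names, the `Recloser` class and the demo key are constructed; HMAC-SHA256 stands in for a public-key signature so the block needs only the standard library.

```python
import hashlib, hmac, json, time

# Constructed demo secret: one MAC key per operator workstation (assumption).
OPERATOR_KEYS = {"op-01": b"constructed-demo-key-not-for-production"}
READ_OPS = {"SHOW_STATUS"}                         # telemetry reads
WRITE_OPS = {"MANUAL_CLOSE", "SET_RECLOSE_DELAY"}  # state-changing commands
MAX_AGE_SECONDS = 30                               # validity window for a command

def canonical(msg):
    """Stable byte encoding of the authenticated fields (everything but the MAC)."""
    body = {k: msg.get(k) for k in ("operator", "op", "args", "seq", "ts")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def mac_for(msg, key):
    # HMAC-SHA256 stands in for a public-key signature to stay stdlib-only (assumption).
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()

def build_command(operator, op, args, seq, ts=None):
    """Operator side: assemble a command and attach its authenticator."""
    msg = {"operator": operator, "op": op, "args": args, "seq": seq,
           "ts": time.time() if ts is None else ts}
    msg["mac"] = mac_for(msg, OPERATOR_KEYS[operator])
    return msg

class Recloser:
    """Device side: authenticate every frame, reject stale/replayed ones, log all."""
    def __init__(self, now=time.time):
        self.now = now
        self.last_seq = {}        # operator -> highest accepted sequence number
        self.audit = []           # append-only decision log
        self.reclose_delay = 2.0  # seconds; constructed default

    def handle(self, msg):
        key = OPERATOR_KEYS.get(msg.get("operator"))
        if key is None or not hmac.compare_digest(msg.get("mac", ""), mac_for(msg, key)):
            return self._log(msg, "rejected: bad authenticator")
        if msg["op"] not in READ_OPS | WRITE_OPS:
            return self._log(msg, "rejected: unknown op")
        if abs(self.now() - msg["ts"]) > MAX_AGE_SECONDS:
            return self._log(msg, "rejected: stale")
        if msg["seq"] <= self.last_seq.get(msg["operator"], 0):
            return self._log(msg, "rejected: replay")
        self.last_seq[msg["operator"]] = msg["seq"]
        if msg["op"] == "SET_RECLOSE_DELAY":
            self.reclose_delay = float(msg["args"]["seconds"])
        return self._log(msg, "accepted")

    def _log(self, msg, decision):
        self.audit.append((msg.get("operator"), msg.get("op"), msg.get("seq"), decision))
        return decision
```

Every decision, accepted or rejected, lands in `audit`, which is the log the comment asks for; a frame altered in transit fails the authenticator check before any field is acted on.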
Integrity of the monitoring apparatus isn’t out of scope, but simply too long of a discussion to be captured in this thread (vs “button that makes it break set to public”).
The "analogue control" may be some dude rolling up in a truck and doing the work. The "analogue control" is operated via radio or a ticketing dispatch system.
Possibly, but what do you consider "write ability"? Someone mentioned in another comment that if you control enough high-power devices that report status to the grid (e.g. car chargers) so that the grid can take action (so read-only, but some other system uses it to take action), you can do plenty of damage.
They don't really have write access, but they kinda do?
Write access, in my opinion, is where you have enough control to remotely override life-critical or physical control systems that could cause death and/or significant physical damage to infrastructure, and related failsafe systems can be bypassed or their thresholds exceeded intentionally.
An Internet rando should not have the ability to disconnect your 700kva interconnect over the public internet. If you breach Tesla and can command enough vehicles to charge in a constrained area to overload local distributed infrastructure, failsafes should kick in and physically segregate loads from the local grid.
Disclaimer: This is only my opinion as an infosec practitioner having done some infosec/GRC consulting for investor-owned and coop utilities for FERC compliance.
But... airgapping doesn't stop damages from Aurora-type attacks. So even with top-level grid controls airgapped, if the attacker is at the switch for enough vulnerable lower-level consumers and can synchronize enough switches (car chargers, solar inverters, local substations, etc.), the potential damages can still be very significant. As we saw in the Ukraine power grid attacks, you don't even need to go after critical systems. Quantity has its own quality, as the saying goes.
I think you’ve got this backwards. This is exactly what is done _in theory_. In practice many of these systems are not. When I was working as a consultant, I saw so many exposed SCADA systems.
A typical SCADA system from the eighties will have an open port listening to UDP traffic, if you're really lucky without any kind of checksum, where each bit in a packet will toggle a relay and reply with the state of all its input channels in an ACK packet. Given the state of these systems it is amazing that they are not compromised spectacularly every other day. Or maybe they are, but it does not make the news. Plenty of this stuff is running on BASIC Stamps and such (no kidding) used to network systems that are even older.
Maybe there are still benefits to having a network, but not using the Internet. Couldn't we build a network with a subset of Internet features which are all formally proved, and let humans take care of the rest?
The Internet is fine as a network; it is resilient to damage. What is sufficient to make it secure is to restrict the network features of the facility server software to one command, SHOW_STATUS. Control of operation over the network should be impossible.
My spidey sense tingles every time someone uses the S word in regards to system design or security.
A system which "should" only allow read access is a system that will most likely have flaws which allow for far more, especially given the government's tendency to underspend on salaries for the people responsible for implementation.
It does stop attacks. It just doesn’t stop all attacks. Just because a security measure, by itself, isn’t perfect doesn’t mean it isn’t worth implementing.