Smart Grids Need a Secret Identity—Here’s Why

November 27, 2018 Rich Nass

For years, experts have been pointing out that smart grids are susceptible to network attacks and other vulnerabilities. Yet efforts to remedy the situation are progressing slowly, and conventional IT solutions struggle to secure these systems.

Just look at energy providers. When deploying smart grid technology, they must connect and segment a mix of modern and legacy SCADA systems across geographically distributed locations. Typically, each site has different management interfaces and hardware, all with specific network configuration limitations. As a result, providers find it difficult to secure, support, and sustain their critical infrastructure.

They also faced the problem of having different pieces of equipment at different sites with overlapping IP address spaces, which made configuration, monitoring, and support even more complicated. In addition, certain areas could be connected only by radio, where interference can create reliability issues.

One potential solution comes in the form of identity-defined networking (IDN). Before we get into that specific solution, let’s identify why traditional IT technologies can’t meet the demands of scalable and secure smart grids or other key deployments.

OT Versus IT Techniques for Scalable, Secure Smart Grids

Historically, most industrial systems have lacked basic security controls like authentication and encryption. Instead, operational technology (OT) and information technology (IT) systems were isolated, using separate network protocols. In addition, OT systems couldn’t run endpoint security software like IT endpoints.

As smart-grid deployments and other critical infrastructure environments are seeing a convergence OT and IT, the main challenge is how to securely connect and segment these systems. Common IT technologies such as such as firewalls, virtual private networks (VPNs), access control lists (ACLs), virtual LANs (VLANs), and cellular modems aren’t up to the task. They simply weren’t designed for OT systems, and are too complex and costly to deploy and manage. This leaves the grid vulnerable due to insufficient security and segmentation.

In addition, many organizations have highly distributed remote sites in extreme environments, where connectivity options are limited. Purchasing and deploying a combination of firewalls, VPNs, cellular modems, or microwave radios for these remote sites is not feasible in many cases – the acquisition cost is too high and it would take too long to configure segmented connectivity across all sites.

Enter Identity-Defined Networking

These challenges stand in the way of scalable and secure smart grids. To address these obstacles, IDN delivers instant overlay networks that connect, cloak, and secure any endpoint over any transport – with no modifications to the underlying infrastructure.

Instead of using a complicated mix of tools and technologies, IDN allows energy organizations to achieve cloaked LAN and WAN micro-segmentation using end-to-end encryption (Figure 1)It provides the ability to quickly connect and revoke remote access to specific systems, such as cellular, Ethernet, or Wi-Fi.

Figure 1. An identity-defined network (IDN), which can operate from the edge to the cloud, can isolate and conceal each of the components in a network. (Source: Tempered Networks)

IDNs can eliminate outdated radio transmissions, costly MPLS lines, and private APNs by using standard Internet, while removing IP addressing issues and conflicts. Finally, it simplifies a traditionally complex networking with centralized point-and-click network management.

IDN technology was originally developed for Boeing to secure the connections of mobile tooling networks within its manufacturing facilities. The tooling systems were controlled by ICS/SCADA systems and communicated over Wi-Fi, an easy attack vector. The company developed a solution based on the Host Identity Protocol (HIP), an open network security protocol ratified by the IETF.

HIP separates the endpoint identifier and locator roles of IP addresses and introduces a more flexible networking and secure host identity namespace. This brings native security and mobility to networking without having to change existing infrastructure. In addition to being inherently secure with end-to-end encryption, it’s both backward and forward compatible with any IP-based network, application, or resource.

The Benefits of Cloaking for Critical Infrastructure Security

The cloaking aspect of IDN is particularly notable. Organizations can cloak critical systems and endpoints by requiring authentication and authorization based on trusted machine identities before TCP sessions are established. Therefore, untrusted devices without verifiable machine identities can’t discover and communicate with cloaked devices on the network.

Because authorization and authentication occur before transport is established and any data is exchanged, hosts and machines protected by HIP services are effectively cloaked and undiscoverable from unauthorized machines. A scanning tool like Nmap can’t discover any listening ports, meaning attackers can’t initiate Step 1 in the cyber kill chain (Figure 2).

Figure 2. Step 1 of the Cyber Kill Chain can’t take place on identity-defined networks because they make endpoints invisible to the underlying network. (Source: Tempered Networks)

As a result, IDN users can cloak critical infrastructure from threat-action reconnaissance, which protects against distributed denial-of-service (DDoS), man-in-the-middle (MiTM), command and control, IP spoofing, and other types of network and transport-layer attacks.

This type of segmentation is different from what you could achieve on a private LAN, and can include north-to-south and east-to-west data traffic in physical/virtual/cloud environments. IDN delivers segmentation based on verifiable machine identities rather than spoofable IP addresses. A HIP service can be deployed as close to a resource as possible, either in-line or installed directly on the host, and delivers segmentation across north/south and east/west directions.

Contrast this to the way firewalls and software-defined networks (SDNs) attempt to prevent north/south and east/west lateral movement by defining access restrictions based on IP addresses, VLANs, and/or ports. These solutions define policy enforcement and segmentation based on ephemeral IP address ranges, which exposes organizations to IP spoofing and VLAN traversal. And, with thousands of IP resources constantly being added, moved, and changed, ports are often misconfigured or forgotten and left enabled. This makes it difficult to maintain hardened firewall and SDN segmentation, especially at scale.

The response from many vendors and consultants is to drive more firewalls deeper into the network, whether as a standalone unit or as part of an SDN solution. The cost of this approach in terms of purchase, personnel, and complexity can be significant.

Integrating IDN and HIP in Critical Infrastructure Cybersecurity

Tempered Networks has a better approach. Its solutions commercialize IDNs in a platform that emphasizes ease of use to overcome IT complexity. The HIPswitch* Series, for example, are network switching platforms that establish an identity-defined perimeter around sensitive network resources. They are deployed in-line to prevent unauthorized discovery and communication with protected systems from north/south and east/west channels.

For edge applications like the smart grid, the HIPswitch portfolio includes the industrial-grade HIPswitch 100 Series edge gateway with Ethernet or Ethernet-plus-cellular connectivity. The 100 Series supports 1:1 or 1:many configurations for machines that cannot protect themselves, and is available as a pre-provisioned system for deployment by nontechnical staff (Figure 3).

Figure 3. The HIPswitch 100 Series of Industrial IoT edge gateways support Ethernet or Ethernet and cellular connectivity to establish in-line encryption and segmentation for vulnerable smart grid systems. (Source: Tempered Networks)

For data center segmentation of smart grid systems, the product line also features HIPswitch 500 Series that can function as an IDN-enabled aggregation point (Figure 3). The 500 Series supports high-availability (HA) and SFP/SFP+ expansion modules for scalability and failover in critical applications (Figure 4).

Figure 4. The HIPswitch 500 provides encryption and segmentation for physical and virtual servers, while also doubling as an identity-defined networking (IDN) aggregator. (Source: Tempered Networks)

These platforms are supported by the Tempered Networks Conductor, an orchestration engine that manages policy for all distributed HIP services and provides simple control over networks.

Beyond OT and SCADA

In conclusion, IDN doesn’t suffer from the limitations of using IP addresses to identify and define which systems can communicate with another. HIP solves the two fundamental flaws that afflict all other competitive networking and security products: the inability to authenticate and authorize network connections between two or more endpoints before data is exchanged, and the use of spoofable IP addresses as the device identity that defines LAN/WAN connectivity, segmentation, and access.

But IDN solutions can clearly support more than OT and SCADA networks. They provide a consistent way to micro-segment and secure machines and devices, from the IoT edge up to cloud platforms. Hence, security can span all environments with a single fabric-based network architecture across an on-premises data center, the cloud, just about any client device, and IoT elements such as robots, IP cameras, or sensors.

About the Author

Rich Nass

Richard Nass’ key responsibilities include setting the direction for all aspects of OpenSystems Media’s Embedded and IoT product portfolios, including websites, E-newsletters, print and digital magazines, and various other digital and print activities, including the recently launched IoT Design website. He was instrumental in developing the company’s online educational portal, Embedded University. Previously, Nass was the Brand Director for UBM’s award-winning Design News property. Prior to that, he led the content team for UBM Canon’s Medical Devices Group, as well all custom properties and events in the U.S., Europe, and Asia. Nass has been in the engineering OEM industry for more than 25 years. In prior stints, he led the Content Team at EE Times, handling the Embedded and Custom groups, and the TechOnline DesignLine network of design engineering websites. Nass holds a BSEE degree from the New Jersey Institute of Technology

Follow on Twitter Follow on Linkedin Visit Website More Content by Rich Nass
Previous Article
Why Containers Are the Future of the IoT
Why Containers Are the Future of the IoT

Containers used in agile software development also enable flexible and responsive IoT solution development.

Next Article
Collaborate Without Complexity Using Smart Video Displays
Collaborate Without Complexity Using Smart Video Displays

More than ever, communication and collaboration are critical for business success. Solutions that streamlin...