A wind farm operator has successfully implemented the Dragos Platform. Here we consider the specific challenges faced by renewable energies – specifically wind – and examine how the Dragos Platform provides visibility and facilitates triage, detection and response across the operator’s network.
Dragos focuses on arming organisations with the resources required for comprehensive network security. Threat behavioural analytics and playbooks are deployed and routinely updated, along with a built-in case management system, to help organisations optimise resources and operate as though each had a senior, dedicated network security team.
The operator implemented the Dragos platform which consisted of nodes at each wind farm and a central monitoring node at its corporate headquarters. The Dragos Platform now monitors all wind farm networks and Energy Management System (EMS) networks.
Challenges and solutions
Industrial Control System (ICS) networks are unique in topology, design and workflow. Each ICS sector has specific requirements producing unique security implications. Visibility of the network and host behaviours are critical to identifying what protections are required and detecting intrusions. These challenges are not unique to renewable energy, or even ICS networks, and deserve consideration by others looking to improve their security posture.
Large geographical footprint
The wind farm operator, like other ICS organisations, has subnets across multiple geographic locations, potentially hundreds of miles from one another. This physical footprint makes continuous monitoring a direct challenge, as data needs centralised aggregation for analysis.
The operator deployed the Dragos Platform to each US subnet, including all EMS, wind farm (SCADA) and production networks. Traffic from each subnet was aggregated to a centralised data store. This data store facilitates data correlation for analysis between sites, as well as triage and incident response, if the Dragos Platform detects a compromise. Analysts can now review traffic across the operator’s ICS and business enterprises through a single platform.
Sparse monitoring timeframes
Some subnets do not have sustained connections and may only generate network traffic periodically. Triage and analysis of these networks is time-consuming, due to collection of samples over a longer period.
This challenge is mitigated through continuous monitoring at strategic capture points across the operator’s domain. While comparing baselines can be an effective way to isolate changes within the environment, there is a risk of the baseline including existing adversary communications and data.
The Dragos Platform enables the analyst to combine changes to baseline with threat behaviour analytics, ensuring that even ‘low and slow’ attacks are detected.
Management of vendor devices
Vendor devices, specifically those used for wind assets, are used to monitor and perform actions (such as turbine resets). These devices interact with company assets in the ICS network as a part of their warranty services. This workflow presents two significant challenges:
1. The endpoints are poorly managed for user authentication and verification (generic logins, repudiation or non-attributable actions by individuals who have access). This vulnerability results in the potential for legitimate functions to be abused by adversaries if those systems are compromised. If authentication is not a valid verification of approval, differentiation between appropriate versus adversarial actions is convoluted and requires several additional data points to investigate.
2. These same endpoints extend to or straddle many other customer sites and assets with unknown levels of security, which significantly expands the attack surface.
The operator’s continued network operation and warranties require these vendor devices. Improvements to the authentication of users or processes against the devices require external vendor support. The Dragos Platform passively monitors device communications across the network. This traffic can be organised into custom network zones, as defined by each organisation.
Vendor access
In some cases, vendors have direct access to their equipment, but the ICS organisation may not monitor these communications.
This lack of monitoring is not an oversight or immaturity, but rather a requirement from the vendor and part of a contractual agreement. While these are additional ingress points to the ICS network, organisations may not be able to support them with the same security controls or manage dedicated switches and firewalls. The Dragos Platform monitors three of the operator’s US network segments’ ingress and egress points of presence, as well as core traffic. Through the platform, the operator was able to reveal direct, vendor-to-device communications not previously monitored. Analysts can now review details about the communications (frequency, protocols and device pivoting) for signs of malicious activity.
Asset inventory
Because networks grow with the business, it is not uncommon to lose awareness of asset inventory, subnet behaviours, or how data moves throughout the network. In these situations, it is very arduous to identify and catalogue assets, traffic load and the flow of information.
Asset management is handled within the Dragos Platform by parsing traffic for unique source and destination information. All devices can then be graphically represented in a mapped view and organised based on custom zones, so analysts can view a device’s history, last time seen, protocols used and create alerts for any new device seen on the network.
Anomaly detections alone are ineffective
The entire network supporting a wind farm is constantly spinning up and down based on natural elements, so everything appears as an anomaly. Security devices monitor turbine speeds and apply braking as necessary. These events can be tracked through device communications but cannot be accurately predicted or parsed for anomalies without simultaneously considering natural, environmental variables. For instance, if an avian watch tower operator identified a protected species of bird approaching a wind turbine, she may use a secure wireless device to remotely disable that turbine. This network event would appear as an anomaly in most other toolsets, but it is a part of managing and curtailing the plant based off of environmental considerations.
While Dragos can detect on anomalies or signature matching, our primary detection is based on the tradecraft used by known threat actors. The Dragos Platform applies custom analytics that watch for a series of events, rather than a single atomic value. These are considered Threat Behavioral Analytics (TBA). As an example, an analytic may aggregate detections of a machine reaching out to the Internet, downloading a binary file, or remotely shutting down a turbine within some time window. Additional verifications may also be considered, such as users logged into the box or source/content of the binary file.
Processing all available data and providing context to alerts prevents analyst fatigue and allows resources to be directed to activity of concern, given the specific environment.
Limited resources, vast network
Every organisation faces resource constraints. Staffing is the most critical component of protecting any network; however, the market for experienced ICS cybersecurity professionals is low. Some organisations cannot fund dedicated security staff, so the roles are split between operations. For energy providers, customer charge rates can be limited, due to regulatory law, so revenue is not completely based on the open market. The resulting mission is to do more with less.
Through constant and passive monitoring, the Dragos Platform brings visibility of assets and network communications to a single platform for analysis. Additionally, the Dragos Platform offers playbooks and case management, where an analyst can leverage industry experience and notes can be tracked with evidentiary files. The goal is a single pane of glass for data analysis, so responders can perform their tasks without bouncing between multiple tools or gathering data from multiple sources.
Conclusion
As a leader in sustainable, compliant, renewable energy, the wind farm operator is also focused on protecting its assets and operations. Implementation of the Dragos Platform allows the operator to monitor for adversaries, optimise internal resources and assume a proactive security programme. The operator can continue to focus on energy generation and delivery, while being confident its infrastructure is protected.
Click below to share this article
