Exploring Ways to Further Secure BES, Nested Components

  Energy     |      2023-09-23 20:00

Bulk energy systems (BESes) are interconnected power-generating and -transmission systems that power cities, businesses and homes. Many operators and providers in this space inherit these complex systems as part of their business model. But today, many in technical roles within the energy space do not think about the layers that make up these critical pieces of infrastructure. Daily operations naturally drive the narratives around managing a bulk energy system. However, understanding the interconnectivity and interdependencies of BES components is vital to mitigating power disruptions and the rising risk of cyberattacks.

Today’s cyber climate warrants a clear understanding of interconnected BES components. This can be approached from a functional level or dysfunctional level, depending on the desired lens (e.g., engineering versus hacking). Threat modeling as a process provides an opportunity to do both, particularly when using an end-to-end approach that looks at both use and abuse cases in BES components.

By rapidly applying the first two stages of the Process for Attack Simulation and Threat Analysis (PASTA), a risk-centric threat-modeling methodology, operators and engineers can begin to understand inherent risk, functional components and basic call flows. All of this is beneficial to any operator, engineer, architect or security practitioner commissioned to operate, enhance or defend a bulk energy system.

Offensive or defensive measures begin with the understanding of function. Therefore, it’s interesting to leverage a threat-modeling methodology that builds and maps a series of libraries—from inherent risk and objectives libraries to component listings to feature sets and all the way to more nefarious-minded lists of vulnerabilities, attacks and countermeasures.

Stage One of this approach highlights the criticality of these systems and, as a result, the main objectives: ensuring continuity of service to local businesses and homes, and ensuring the safe operation of the bulk energy system itself, given the dangers of power surges.

These are inherent business objectives and non-negotiables for any BES. They provide an understood level of importance or criticality that we can leverage when using PASTA’s Stage Two: Defining the Attack Surface.

Building on the initial understanding of what’s important or impactful for these proprietary, interconnected, monolithic systems, practitioners can understand how these objectives in Stage One are supported by components within the BES.

Stage Two focuses on enumerating the ICS components that make up a bulk energy system in order to derive functional use cases, trust boundaries and privilege models, which can then be reconciled with the objectives and criticality established in Stage One. Even the CIA Triad (confidentiality, integrity and availability) provides a simple means of tying each component to its importance, so that cybersecurity countermeasures can be applied in proportion to risk and objectives; hence the term “risk centric.”

Components may vary amongst BESes, but the following are commonly found in most:

Supervisory control and data acquisition (SCADA) systems. As the name suggests, these systems provide monitoring capabilities and help control the performance of devices within the BES. The control aspect of this component automatically warrants precautionary concern about abuse patterns. Where there is control, there is possible abuse, and therefore the opportunity to consider attacks that negate the control use cases of SCADA components. Of the CIA Triad, availability maps most directly to SCADA: abusive administrative actions or misconfigurations can produce any level of break in service continuity.

Programmable logic controllers (PLCs). These are small, ruggedized computing devices, often supervised by SCADA systems, that run control logic interacting with other processes across the bulk energy system. They can control simple tasks, such as device switching and regulating energy flows. Implicit trust is inherent among many PLC components, so a rogue interface or peer is more likely to succeed here than in other environments. It is important to reconcile possible abuses with the threats that most affect the availability and integrity of data. The integrity of data values in SCADA systems is equally important, because they could be maliciously altered to introduce disruptive and dangerous results.

Remote terminal units (RTUs). These components connect to sensors and other devices within the BES. Often located in remote places, RTUs’ key functions are to collect data and send it back to central control systems. A longer-term play for APT threat actors would be to alter the integrity of the data reported back to the central SCADA components.

Human-machine interfaces (HMIs). These typically consist of graphical displays and touchscreens that allow operators to view real-time data and make changes to the system.

Networking equipment or gateways. These devices are responsible for routing traffic within the system environment. Network equipment includes routers, switches, firewalls and other devices used to connect the various components of the BES. Typically sourced from a different set of manufacturers than the other BES components, they are often plagued by poor configuration and management and, in some cases, supply chain weaknesses. Given their role in transmitting essential network traffic, they play a large part in the continuity, or availability, of the overall BES.

Security equipment. Many of these components belong to the network security genre (e.g., firewalls, intrusion-detection systems and network access control). They provide, govern and enforce network security permissions around Ethernet-based traffic to and from interconnected components of the BES.

Power supply and backup systems. These components govern power to the BES and include generators, batteries and other power-storage mechanisms that sustain the uptime of the overall BES. They play a critical role in keeping the BES powered during power interruptions.

Each of these general components supports features, use cases and even further embedded components that make up the attack surface of the BES. The list above not only reveals the attack surface of many BESes but also sheds light on which parts of that attack surface could undermine the objectives of the overall system (defined in Stage One). Using just two of PASTA’s seven stages, simple analysis and correlation already reveal a discernible association between components and impact.

As an example, some of the above-mentioned components support features for network communication, 802.11 wireless transmission and Bluetooth/NFC interfaces. The list below shows how some of this embedded functionality, if not properly protected or configured, could be ripe for system-wide or even isolated attacks that target the weaknesses associated with these features. The important principle is how each observation undermines the objectives defined in Stage One, so that remediation priority and countermeasure development follow a risk-led approach. The following are common embedded features of the generic components listed above (revealed in Stage Two of PASTA), and they often expose the use cases that PASTA’s Stage Three (Application or System Decomposition) depicts, where use cases start to come alive in the threat model:

SCADA systems often use Ethernet networks to communicate with devices and sensors within the BES. These systems may also use wireless interfaces, such as Wi-Fi, for remote monitoring and control. From a risk perspective, it is therefore important to consider how delayed or stifled Ethernet traffic could turn SCADA features into abuse cases.

Similarly, PLCs may use Ethernet or Wi-Fi interfaces to communicate with other components of the BES or even with external systems. Some PLCs also support Bluetooth or NFC for local programming and maintenance. Beyond continuity, concerns about the integrity of messaging must begin to develop when thinking through the overall threat model using PASTA.

Likewise, RTUs and HMIs leverage Ethernet, Wi-Fi or cellular networks to transmit data to the central control system. Some RTUs also support Bluetooth or NFC for local configuration and maintenance. Additional concerns that extend beyond denial-of-service (DoS) attacks are the threats of persistence and privilege escalation in the BES based on the functionality of RTUs.

Routers, switches and other networking assets, along with the security equipment integrated into the system environment, typically use Ethernet interfaces to connect the various components of the BES. Some of these devices may also support wireless interfaces, such as Wi-Fi or cellular, for remote access and management. These devices, loosely called “gateways” and corresponding to the Electronic Access Points of NERC CIP-005, are prime components of the BES where a myriad of threats could develop into a threat library as part of Stage Four of PASTA.
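As an added illustration (not code from the article, from VerSprite, or from any PASTA tooling), the following Python sketch holds the Stage One objectives and the Stage Two/Three attack-surface observations above as a small library and scores each abuse case by likelihood, interface exposure and impact on the objectives, so that remediation is ordered by what undermines the objectives most. The objective weights, interface exposure values, likelihoods and abuse cases are constructed for illustration and are not measured figures.

```python
"""Risk-centric attack-surface library for a bulk energy system (BES).

Added, illustrative example: not code from the article or from VerSprite.
Objective weights, interface exposure values, likelihoods and abuse cases
are constructed values chosen to show the scoring, not measured figures.
"""
from dataclasses import dataclass

# Stage One: business objectives and their criticality (constructed weights).
OBJECTIVES = {
    "continuity": 1.0,  # keep power flowing to businesses and homes
    "safety": 1.0,      # avoid surges and damage to equipment or people
}

# How much the loss of each CIA property bears on each objective (constructed).
# Integrity of setpoints and telemetry affects both continuity and safety;
# availability mostly continuity; confidentiality only indirectly.
CIA_TO_OBJECTIVE = {
    "availability": {"continuity": 1.0},
    "integrity": {"continuity": 0.6, "safety": 1.0},
    "confidentiality": {"continuity": 0.2, "safety": 0.2},
}

# Stage Two/Three: how reachable each embedded interface is to an adversary (constructed).
INTERFACE_EXPOSURE = {
    "ethernet": 0.6, "wifi": 0.8, "cellular": 0.8, "bluetooth": 0.5, "nfc": 0.3,
}


@dataclass(frozen=True)
class AbuseCase:
    """One way a component feature can be turned against a Stage One objective."""
    component: str
    interface: str
    threat: str
    cia_property: str
    likelihood: float  # 0..1, e.g. from threat intelligence on relevant campaigns

    def __post_init__(self):
        # Reject entries that reference interfaces or properties the library does not know.
        if self.interface not in INTERFACE_EXPOSURE:
            raise ValueError(f"unknown interface: {self.interface}")
        if self.cia_property not in CIA_TO_OBJECTIVE:
            raise ValueError(f"unknown CIA property: {self.cia_property}")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be in [0, 1]")


def impact(cia_property):
    """Impact of losing a CIA property, summed over the objectives it protects."""
    return sum(OBJECTIVES[obj] * w for obj, w in CIA_TO_OBJECTIVE[cia_property].items())


def risk_score(case):
    """Risk = likelihood x interface exposure x impact on objectives (rounded for display)."""
    return round(case.likelihood * INTERFACE_EXPOSURE[case.interface] * impact(case.cia_property), 3)


def remediation_order(cases):
    """Abuse cases ordered by risk score, highest first: the risk-led remediation queue."""
    return sorted(cases, key=risk_score, reverse=True)


def components_undermining(cases, objective, min_weight=0.5):
    """Components whose abuse cases materially threaten one Stage One objective."""
    hits = {
        c.component for c in cases
        if CIA_TO_OBJECTIVE[c.cia_property].get(objective, 0.0) >= min_weight
    }
    return sorted(hits)


# Constructed attack-surface library drawn from the component list in the text.
ATTACK_SURFACE = [
    AbuseCase("SCADA", "ethernet", "delayed or flooded polling traffic breaks supervisory control", "availability", 0.7),
    AbuseCase("PLC", "ethernet", "write accepted from an implicitly trusted peer alters setpoints", "integrity", 0.6),
    AbuseCase("PLC", "bluetooth", "rogue local programming session during maintenance", "integrity", 0.4),
    AbuseCase("RTU", "cellular", "tampered telemetry reported back to central SCADA", "integrity", 0.5),
    AbuseCase("HMI", "wifi", "operator credentials captured on a remote session", "confidentiality", 0.6),
    AbuseCase("Gateway", "cellular", "exposed remote-management interface left misconfigured", "availability", 0.5),
]

if __name__ == "__main__":
    for case in remediation_order(ATTACK_SURFACE):
        print(f"{risk_score(case):.3f}  {case.component:8} {case.interface:10} {case.threat}")
    print("undermines safety:", components_undermining(ATTACK_SURFACE, "safety"))
```

With these constructed values the tampered-RTU-telemetry case ranks first, ahead of the SCADA denial-of-service case, because integrity loss counts against both objectives while availability loss counts against continuity alone; changing the weights in the two tables is how an operator's own Stage One priorities reorder the queue.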

Overall, knowing the components and functionality of the BES is pivotal to protecting the overall system. Knowing the attack surface and reconciling its components with the system’s objectives is essential to defending the BES. Drawing up adversarial plans to test the viability of threat patterns, which ultimately form part of a threat library for the BES, is one of the key goals of risk-centric threat models.

In terms of security testing, BESes and their components are always a challenge on which to perform adversarial penetration tests. There is no staging or UAT environment, and downtime is non-negotiable. For this reason, threat modeling, combined with relevant threat intelligence on the BES attack surface components and on relevant threat campaigns, provides a blueprint for attack trees to be simulated as part of an adversarial tabletop or of highly specialized penetration tests that account rigorously for the risk of downtime. This extends beyond the canned approach that the industry has unfortunately been subscribing to for over a decade.

CREST, an international not-for-profit membership body representing the global cybersecurity industry, is pushing for more intelligence-led exercises to substantiate traditional cybersecurity activities. Its global program aims for a higher degree of context, and embracing threat-modeling themes is a great means by which threat intelligence or business use cases can serve as a pretext for defense or offense.

What’s interesting about PASTA is that although it is a seven-stage process of threat-modeling activities, many companies have found creative ways to modularize the stages while preserving the power of its risk-centric approach.

It will be interesting to see which players in the energy operations space mature by following these methods to further secure the bulk energy system and the nested technology components.

This article was originally published on EE Times.

Tony UcedaVélez is CEO of VerSprite.