
This is how the electricity sector can strengthen cyber resilience with data diodes

In June this year, new EU rules on cybersecurity aspects of cross-border electricity flows came into force. The new regulation should contribute to strengthening the power system’s resistance to cyberattacks, i.e. what is known as cyber resilience. All businesses in the electricity sector now need to review how to strengthen their cyber resilience, and an effective way is to use data diodes in their security solution.

New rules for cyber resilience in the electricity sector

On 13 June this year, new EU rules on cybersecurity aspects of cross-border electricity flows came into force. The new regulation should contribute to strengthening the electricity system’s resilience against cyberattacks.

There are many reasons why a cybersecurity regulation is now in place. One is that managing cybersecurity risks is essential for establishing a secure electricity supply and a high level of cybersecurity in the electricity sector. Another is that digitalisation and high cybersecurity are crucial for providing socially important services that are of strategic importance for critical infrastructure.

What is cyber resilience and why is it so important in the electricity sector?

Cyber resilience is a somewhat broader concept than cybersecurity. The concept encompasses not only the prevention of cyber incidents, but also the ability to adapt, recover and continue operations despite cyber disruptions or incidents. The concept of cyber resilience recognises that no defence is perfect and that incidents can still occur despite the best cybersecurity measures. The primary goal of cyber resilience is to ensure that an organisation can continue its critical operations and that the impact on its overall business objectives is minimised even when the organisation faces cyber disruptions.

Today, our society is highly dependent on electricity to function. To ensure that all socially important services continue to function as optimally as possible, even in the event of a possible cyberattack, cyber resilience in the electricity sector needs to be strengthened.


How to build cyber resilience with data diodes

To strengthen your cyber resilience, there are several things you can do. Two of these important things are:

  • Make sure all software is up to date
  • Use appropriate network segmentation

Make sure all software is up to date – and securely up to date

One of the easiest ways to protect yourself is to update all software, especially with security updates that address known vulnerabilities. Updates are needed because complex software often contains bugs that must be fixed to keep systems stable. Beyond fixing bugs, the manufacturers behind operating systems and applications keep adding functionality, which means that operating systems and applications gradually become obsolete if they are not updated.

However, it is important to ensure that the updates do not pose a security risk, as an update can mean that information is imported or added to the system, and this in itself can lead to the introduction of unwanted malware into the system. Integrity and availability of the systems must be maintained, and most system updates are normally not sufficiently evaluated in the environment they are used in or in combination with the applications that are running. In order to maintain the integrity and availability of the systems, special solutions are required.

One solution is to use a data diode that ensures unidirectional communication. The data diode is connected in a way that ensures that information can be imported into the system, but since no traffic can be transmitted in the opposite direction, information leakage is prevented.

Another solution that further ensures the update has not been manipulated is to import update packages through file sanitisation consisting of two data diodes and a server for antivirus scanning, such as Advenica’s File Security Screener. The file sanitisation performs an independent check that the update is valid. Even in this case, it is best to let the receiving WSUS Import Server verify the signature as well, giving a second check on the integrity of the update.
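The one-way property described above has a practical consequence for the transfer itself: the receiving side can never acknowledge or request a retransmission, so every frame must carry what the receiver needs to accept or reject it on its own. The following added example (not Advenica's code or the File Security Screener protocol) sketches a sender that emits a manifest plus self-checking chunks across a diode and a receiver that reassembles, detects lost or corrupted chunks, and verifies the whole package before handing it on; the package bytes, chunk size and frame format are constructed assumptions, and SHA-256 digests stand in for the package signature the WSUS Import Server would verify.

```python
import hashlib
import json

# Constructed sample "update package" (stands in for an exported update file)
PACKAGE = b"UPDATE-PAYLOAD-" * 200  # 3000 bytes of constructed data
CHUNK = 512  # assumed chunk size


def build_frames(name: str, data: bytes, chunk: int = CHUNK):
    """Sender side (upstream of the diode): emit a manifest followed by
    numbered, self-checking chunks. Nothing can flow back, so each frame
    carries everything the receiver needs to verify it on its own."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    manifest = {"type": "manifest", "name": name, "count": len(chunks),
                "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    frames = [json.dumps(manifest).encode()]
    for seq, body in enumerate(chunks):
        hdr = json.dumps({"type": "chunk", "seq": seq,
                          "sha256": hashlib.sha256(body).hexdigest()}).encode()
        frames.append(hdr + b"\n" + body)  # header line, then raw chunk bytes
    return frames


def receive(frames):
    """Receiver side (downstream of the diode): reassemble and verify.
    Returns (ok, reason, data). With no return channel the receiver can only
    accept or reject the package; it can never ask for a retransmission."""
    manifest = None
    parts = {}
    for frame in frames:
        hdr, _, body = frame.partition(b"\n")  # JSON header has no newline
        meta = json.loads(hdr)
        if meta["type"] == "manifest":
            manifest = meta
            continue
        # Discard a corrupted chunk; the completeness check below reports it
        if hashlib.sha256(body).hexdigest() != meta["sha256"]:
            continue
        parts[meta["seq"]] = body
    if manifest is None:
        return False, "no manifest", b""
    missing = [i for i in range(manifest["count"]) if i not in parts]
    if missing:
        return False, f"missing chunks {missing}", b""
    data = b"".join(parts[i] for i in range(manifest["count"]))
    if len(data) != manifest["size"] or \
            hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        return False, "digest mismatch", b""
    return True, "ok", data
```

Because rejection is the only recourse, production diode transfers typically add redundancy (repeated sends or forward error correction) on the sending side; this example only shows the receiver-side verification that makes loss and tampering detectable.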

Read more about secure updates in our use case!


Use appropriate network segmentation

To protect your sensitive systems and information you need to use network segmentation. Network segmentation reduces the risk and limits the damage of a cyberattack. Without it, there is a risk that sensitive information can leak or be manipulated, and that malware and ransomware can spread uncontrollably and quickly. Attackers do not normally take the direct path to the target, such as electricity distribution. Instead, they worm their way in via weak points far out in the architecture, via email or customer service, to reach their goal. State-funded attackers are also equipped with patience, prepared to work long-term doing everything in small steps, and are unfortunately often one step ahead. The harsh reality is that industrial control systems may have been attacked without anyone noticing.

There are a few different types of network segmentation:

1. Physical separation (independent computers)
A stand-alone computer is a computer that is not connected to any network or equivalent. In simple terms, it is about creating an isolated island with no connection to the outside world. This method is not very practical and you should only use it for the information that is the most valuable.

2. Airgap (isolated networks)
Some very strict environments require the zones to be completely separated by air gaps, meaning there is no physical connection between the zones. The only way to transfer data to and from an airgapped system is via a portable media. Practically, this is done by people, which means that you become dependent on well-trained staff who would probably rather have worked on other more qualified and stimulating tasks and who can make mistakes.

So these two methods are not very practical, but there is an alternative:

Data diodes as an alternative to physical separation and airgap
A data diode is placed between two networks and acts as a check valve that only allows data to be sent in one direction while blocking all data in the opposite direction. Since the security is not based on software, there are no vulnerabilities in the form of software bugs, nor can it be attacked by malicious code. Hardware-based security means that you can be sure that correctly designed data diodes meet their security requirements with a high level of assurance.

A hardware-based data diode is equivalent to an airgap in the reverse direction, which means that if you have requirements for airgap separation, it can actually be fulfilled (in the reverse direction) by a data diode, but at the same time enable a network connection in the forward direction.

3. Logical separation
Logical separation is a way of dividing your network into different zones while allowing different zones to be co-located on the same hardware or network. The separation consists of software logic that determines when, where and how machines and applications are allowed to communicate with each other – less obvious and with lower assurance of the strength of the separation mechanism than physical separation or air gap. You can use logical separation everywhere because it complements physical or airgap separation well. In the end, it’s about balancing communication needs, administration and security.

Logical separation allows you to reuse the same hardware infrastructure (i.e. cables, switches, routers, etc.) for different zones. Information stored in the various zones is still only available in that zone, meaning that only the people who need the information can access it, provided that the logic is free of vulnerabilities and correctly configured.

However, when high assurance is required, you should not mix traffic from different security zones in the same hardware or cables. To achieve really high security, you need to use different hardware for the different zones. However, you can usually connect these zones with dedicated cross-domain security products, such as data diodes and guards. In this way, information exchange can take place with a high degree of control over the zone boundaries. There are several different solutions you can use for either one-way communication or two-way communication – or both.

Learn more about these different forms of network segmentation and about data diodes on our website.

If you need help getting started with network segmentation or secure updates, please contact us.
