Foreword  NaturEner implemented the Dragos platform in July of 2017, which consisted of nodes at each wind farm and a central monitoring node at its corporate headquarters inSan Francisco. The Dragos Platform now monitors all wind farm networks and Energy Management System (EMS) networks.

We immediately saw value as the platform showed us in detail what was running on all of the networks.  This was known information on the EMS network, but we had not been doing inventory scans on the wind farm ICS networks.

Challenges and Solutions Industrial Control System (ICS) networks are unique in topology, design, and workflow. Each ICS sector has specific requirements producing unique security implications. Visibility of the network and host behaviors are critical to identifying what protections are required and detecting intrusions. These challenges are not unique to NaturEner,renewable energy, or even ICS networks and deserve consideration by others looking to improve their security posture. Shared ICS Challenges •System and subsystem configuration (patch level, best practices, etc) are restricted by vendor and warranty •Distributed networks impede ease in central monitoring •Reliability and safety often take priority over cyber security Wind-Specific Challenges •Many individual units to keep up to date (firmware, configurations, etc.), which is challenging and time consuming •Each unit also acts as a mini substation, introducing additional complexity •Often no secondary or tertiary monitoring systems for safety shutoffs and monitoring •Multiple external remote connections are common (turbine vendor, 3rdparty services, etc.) Large Geographical Footprint NaturEner deployed the Dragos Platform to each US subnet, including all EMS, wind farm (SCADA), and production networks. Traffic from each subnet was aggregated to a centralized data store. This data store facilitates data correlation for analysis between sites, as well as triage and incident response, if the Dragos Platform detects a compromise. NaturEner analysts can now review traffic across the NaturEner ICS and business enterprises through a single platform. Sparse Monitoring Timeframes This challenge is mitigated through continuous monitoring at strategic capture points across NaturEner’s domain.  While comparing baselines can be an effective way to isolate changes within the environment, there is a risk of the baseline including existing adversary communications and data.  The Dragos Platform enables the analyst to combine changes to baseline with threat behavior analytics, ensuring that even “low and slow” attacks are detected. Management of Vendor Devices Vendor devices, specifically those used for wind assets, are used to monitor and perform actions (such as Turbine resets). These devices interact with company assets in the ICS network as a part of their warranty services. NaturEner’s continued network operation and warranties require these vendor devices. Improvements to the authentication of users or processes against the devices require external vendor support. The Dragos Platform passively monitors device communications across the network. This traffic can be organized into custom network zones, as defined by each organization.

We've been able to track who is talking to whomover what ports,and most importantly, see traffic from our warranty vendor's various sites and systems.

Asset Inventory Because networks grow with the business, it is not uncommon to lose awareness of asset inventory, subnet behaviors, or how data moves throughout the network. In these situations, it is very arduous to identify and catalog assets, traffic load, and the flow of information.Asset management is handled within the Dragos Platform by parsing traffic for unique source and destination information. All devices can then be graphically represented in a mapped view and organized based on custom zones, so analysts can view a device’s history, last time seen, protocols used, and create alerts for any new device seen on the network. Limited Resources, Vast Network Every organization faces resource constraints. Staffing is the most critical component of protecting any network; however, the market for experienced ICS cybersecurity professionals is low. Some organizations cannot fund dedicated security staff, so the roles are split between operations. For energy providers, customer charge rates can be limited, due to regulatory law, so revenue is not completely based on the open market. The resulting mission is to do more with less. Conclusion NaturEner operates 399MW of wind power for North America and is expanding into Alberta, Canada. As a leader in sustainable, compliant, renewable energy, NaturEner is also focused on protecting its assets and operations. Implementation of the Dragos Platform allows NaturEner to monitor for adversaries, optimize internal resources, and assume a proactive security program. NaturEner can continue to focus on energy generation and delivery, while being confident its infrastructure is protected.

Introduction

A mid-sized electric utility in the US that serves morethan one million customers adopted  the Dragos  Industrial  Cybersecurity  Platformin  early  2018.  This  utility generates  electricity  across  low-sulfur  coal,  natural  gas,  wind  farms,  and  solar farms.Dragos  deployed  16  sensors  across  the  utility’s  two  data  centers  to  monitor communications in the Energy Management System (EMS) and Demilitarized Zone (DMZ),  four  gas  plants,  two  coal  fire generationplants,  three  wind  farms,  and  its solar farms across the region.

Challenges

The electric grid can, at a high level, be categorized into three functions: generation of electricity at power plants, transmission from the power plants across typically long distances at high voltage, and lower-voltage distribution networks that power customers. Along these long transmission and distribution systems are substations that  transform  voltage  levels,  serve  as  switching  stations and feeders,  and  fault protection. Many industries feed into the electric grid, and those differences require an  in-depth  understanding  of  the  different  systems  and  communications–which means,  there  is  no  one-size-fits-all  security  approach  to  protecting  them  and  it requires comprehensive understanding of the highly heterogeneous nature of their environments. The challenges  expressed  by the electric utility include: :•Lack of visibility of ICS environment and asset management •Lack of resources for a dedicated ICS security team •Lack of insights into OT-specific threats and how to respond to these events

Solution: Lack of ICS Visibility & Asset Management

The  Dragos  Platform’s  in-depth,automated passive  asset  discovery  capabilities, coupled  with  unique  mapping  and  zoning  abilities,  allow  this  utility’s  analysts  to gain a comprehensive understanding of their assets beyond simply understanding the  protocols  transmitted  and  provides   them  the   ability  to   see   their   assets represented   in   an   easy-to-categorize   map   view.   Analysts   can   quickly   and automatically  organize  their  different  assets  by  custom  zones,  as  well  as  view  a particular  device’s  history,  the  last  time  seen,  the  protocols  used  including  deep packet inspection of ICS protocols, and create alerts for any new device seen on the network.

Solution:Lack of Resources for a Dedicated ICS Security Team

To combat these challenges, the Dragos Platform empowers this utility’s analysts with our team’s ICS-specific knowledge, so they can independently function, learn from our practitioners who have decades of hands-on ICS security experience, and rely on our team’s experience to supplement where theirs may lack.Threat behavior analytics, characterized by the Dragos Intelligence team and based on the ICS-specific adversaries they track, are codified into the platform to provide analysts with context-rich alerts and pinpoint malicious activity accurately.

Solution:Lack of Insights into Specific OT Threats and How to Respond

The  first  step  we  took  to  solve  these  challenges  for  this  utility  was  providing visibility  of  the  ICS  adversaries  targeting  the  ICS  industry,  specifically  electric-facing.  The  Dragos  Threat  Intelligence team  currently  tracks  eight  ICS  activity groups,  with  four  publicly  known  to  specifically  target  electric  utilities: RASPITE, ELECTRUM, COVELLITE, and ALLANITE. Each month, our intelligence team releases private intel reports to this utility  via its WorldView subscription, so they not  only have  visibility  of  any  threats  or  vulnerabilities  specifically  facing  the  electric industry,  but  they  are  provided  with  recommendations  to  identify  and  respond  to them. In order to effectively respond to threats if they occur, the Dragos Platform provides this utility’s analysts with unique step-by-step  investigation  playbook  inside  of  a workbench and case management tool to aid their investigations, reduce dwell time, and   offer   insights from   our   team   as   to   how   to   best   investigate   incidents. Investigation  playbooks  are  custom-authored  by  our  threat  operations  team  and include  step-by-step  guidance  to  this  utility’s  analysts  to  start  down  the  correct (and efficient) path to respond to potential threats. Because our threat operations team  has  first-hand  experience  hunting   and  responding  to   ICS  threats,   their guidance not only supplements this utility’s team, but helps reduce their time to act and increases effectiveness of their response.