Don’t be Fooled: Utility Fiber Outside the Substation Isn’t as Safe as You Think
In the last two years the discussion on cyberattacks and cybersecurity has seen an increased focus on critical infrastructure, specifically on overlooked network-related security aspects such as updating legacy systems and handling critical control points. Overall, I believe this attention is a good thing, and probably long overdue as part of the national cyber discussion. While not without challenges, the big picture goal of hardening and protecting our nation’s critical infrastructure at the cyber level is something that is being accomplished.
Yet let me pose a question: How confident are you in the security of your utility fiber outside the substation? Do you think your in-flight data is safe from cyber attacks?
Think again.
Let me set the stage a bit more. What we’re all trying to ensure is the stability and security of our national grid, whether it be avoiding a major blackout like this one in 2003 (not caused by a cyber breach) or an even more devastating deliberate act of terror. Regardless of the reason, defending our nation’s infrastructure couldn’t be more important, everyone agrees with this. However, utilities face their own unique challenges since they own their own fiber over their own poles and are categorically separate in the eyes of the government due to their vital services.
The reality is that a mid-range hacker with Internet access can easily shop online for a fiber-coupling tool and, after watching a few YouTube videos about the tapping process, can quickly learn how to steal sensitive data from a fiber optic cable and remain undetected for days, months, or even years.
Being considered “critical national infrastructure,” means that the rules are different (and the stakes higher) as compared to R&E, entertainment, etc. This definition implies that these provider’s services are so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health, or safety.
No pressure, right?
Yet even with these high stakes, there continue to be some blind spots, one being the lack of focus on securing in-flight data. Many utility CIOs do not fully appreciate the fact that, once data leaves the substation or data center, it is basically outside of their control. Given all the efforts to lock down data at rest with firewalls, anti-virus software, and intrusion detection, cyber criminals are increasingly turning their attention to intercepting the data as it travels across the network.
The reality is that a mid-range hacker with Internet access can easily shop online for a fiber-coupling tool and, after watching a few YouTube videos about the tapping process, can quickly learn how to steal sensitive data from a fiber optic cable and remain undetected for days, months, or even years.
The damage to infrastructure can be severe, even for a seemingly “small” breach as mentioned above.
Enter in-flight encryption for critical infrastructure to close this gap in the armor. A comprehensive security approach must encompass not just ‘data at rest’ including data residing in databases, files, and storage systems, but also in-flight encryption to ensure data is protected from unauthorized discovery as it traverses the network. Today’s in-flight encryption techniques can camouflage traffic so it cannot be read or manipulated, and even disguise the fact that there is traffic flowing at all.
One reason utility CIOs have been reluctant to deploy in-flight data encryption is a concern about decreased network performance and cost. Utilities must have a very high performance network to prevent outages, something that requires extremely low latency (much lower than service providers) as a power surge can occur much faster than we see in the telecom world and must be acted on with a delay of less than 10ms to avoid propagating the outage.
In addition to addressing latency, state-of-the-art encryption solutions for utilities must align to North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC_CIP) standards and withhold to a specific network management approach for handling encryption keys. The importance of this optical layer in-flight approach cannot be understated and it’s something that the Ciena team has invested in heavily with our WaveLogic encryption solution. With nearly 70% of critical infrastructure providers reporting at least one security breach that led to the loss of confidential information or disruption, the need couldn’t be clearer.
Interested in learning more? Watch Ciena’s encryption expert Patrick Scully and me in this on-demand webinar on Securing Critical Infrastructure at the In-Flight Level and learn just what it takes to address the gaps in your critical infrastructure network defense.