A typical best-practice configuration uses firewalls to isolate an Inter-Control Center Communications Protocol (ICCP) server both from the control system from which it receives data and from its links to neighbor and partner utilities. In such a configuration, communications between the ICCP server and partner utilities very likely employ a routable protocol (for example, TCP/IP). This means the local control system does, in fact, depend on those partner utilities for at least some small part of its security. If a partner utility's control system is compromised, the attack surface of the local control system does increase somewhat.

A typical ICCP server configuration.

It is incumbent on a utility not only to configure the two firewalls in a least-privilege manner, but also to closely monitor attempts to create connections through those firewalls. One perfectly valid way to do this is to configure the firewalls to create a syslog message when a connection attempt is denied, route those messages to a log manager or security information and event management (SIEM) tool, and configure the log manager to issue alerts or alarms, perhaps sending messages to support personnel. CSM can enhance this process as follows:

  • CSM is configured to receive syslog messages (either directly from the firewalls or from a log manager/SIEM tool).
  • CSM is configured, through settings called security event criteria, to parse those messages.
  • Security event criteria contain information that specifies how to parse the messages using regular expression processing, as well as information about how many rejected messages are required to generate an alert to a network support analyst or possibly an alarm to a system operator.
  • CSM can optionally be configured to create an alarm on the control system itself.
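
The parse-and-threshold behavior described in the list above, sketched as an added example; this is not CSM's code or its security event criteria format. The syslog layout, the `CRITERIA` fields, the 60-second window and the counts of 3 and 5 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall syslog lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw-ext action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:05 fw-ext action=allow proto=tcp src=203.0.113.20 dst=192.0.2.10 dport=102
2024-05-01T10:00:09 fw-ext action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:15 fw-ext action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=445
2024-05-01T10:00:20 fw-int action=deny proto=tcp src=192.0.2.10 dst=192.0.2.50 dport=3389
2024-05-01T10:00:30 fw-ext action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=3389
2024-05-01T10:00:40 fw-ext action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=5900
2024-05-01T10:03:00 fw-ext action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=22
""".splitlines()

# Hypothetical criteria: a parsing regex plus deny counts per sliding window.
CRITERIA = {
    "pattern": re.compile(
        r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<fw>\S+) action=deny "
        r"proto=\w+ src=(?P<src>[\d.]+) dst=[\d.]+ dport=\d+$"),
    "window": timedelta(seconds=60),
    "alert_count": 3,  # message to a network support analyst
    "alarm_count": 5,  # alarm to a system operator
}

def evaluate(lines, criteria=CRITERIA):
    """Return (timestamp, level, firewall, source) for each threshold crossing."""
    recent = defaultdict(deque)  # (firewall, source) -> deny times inside the window
    raised = defaultdict(int)    # (firewall, source) -> 0 none, 1 alert, 2 alarm
    events = []
    for line in lines:
        m = criteria["pattern"].match(line.strip())
        if not m:
            continue  # permitted traffic or an unparseable record
        ts, key = datetime.fromisoformat(m["ts"]), (m["fw"], m["src"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > criteria["window"]:
            q.popleft()  # drop denies that have aged out of the window
        n = len(q)
        now = 2 if n >= criteria["alarm_count"] else 1 if n >= criteria["alert_count"] else 0
        if now > raised[key]:  # report only escalations, not every further deny
            events.append((m["ts"], ("ALERT", "ALARM")[now - 1], *key))
        raised[key] = now
    return events

if __name__ == "__main__":
    for event in evaluate(SAMPLE_LOG):
        print(*event)
```

The sketch assumes records arrive in timestamp order and counts per firewall and source address, so a single denied connection from the internal side does not add to the count for the partner-facing firewall.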