The SCADA/DMS InfoSec model at the Load Dispatch Centre deploys all 8 components recommended by Vietnam Electricity (EVN): Unidirectional Security Gateways (USG), Bidirectional Security Gateways (BSG), Next-Generation Firewall (NGFW) for core networks, Centralized Logging solution (Logger), Privileged Identity Management (PIM) solution, Physical Access Control System (PACS), Two-Factor Authentication (2FA), and Endpoint Security (EPS) solution for servers and workstations.
Together these provide layered protection for the SCADA/DMS system; each solution contributes as follows:
- Unidirectional Security Gateways integrate a one-way firewall solution (Digisafe Data Diode) to segregate the SCADA/DMS system and enforce one-way data flow, so that data cannot move into and out of the SCADA/DMS system at the same time.
(Figure: Digisafe Data Diode diagram)
- Bidirectional Security Gateways perform protocol-aware security checks on industrial network protocols, namely DNP3, IEC 60870-5-104, IEC 60870-6 (ICCP), IEC 61850, Modbus and OPC. Deployed at central points, the BSG inspects all inbound and outbound data flows to the servers and related network areas.
- The Next-Generation Firewall provides Intrusion Prevention System (IPS) functionality and works together with the BSG to protect the central servers.
- Centralized Log Analysis (Logger) is a solution provided by LogRhythm, consisting of LogRhythm XM and LogRhythm NM appliances. The LogRhythm XM appliance is connected to two switches in a High Availability (HA) configuration and collects the logs sent by servers and devices. The LogRhythm NM receives mirrored traffic from the two switches over SPAN ports, analyzes it, and sends the monitoring data to the LogRhythm XM appliance.
- Privileged Identity Management: the SCADA/DMS information security system deploys this solution to manage privileged identities and admin access to devices such as servers and switches, which helps monitor admin activity and limit the harm to the system when an admin account is compromised.
- Physical Access Control: The SCADA/DMS system is placed at EVNHCMC’s Data Center, where access is monitored by the Center’s Physical Access Control System.
- Two-Factor Authentication: the network access authentication solution deployed to ensure that only official operators listed on the approved work schedules can log in at SCADA workstations.
- Endpoint Security: this security solution is deployed on SCADA/DMS servers and workstations to protect against viruses and malware. The EPS system is centrally managed, with regular offline updates to the virus signature and definition database, which helps prevent malware from spreading within the SCADA/DMS system and remove it where found.
In addition to these solutions, EVNHCMC currently deploys a dedicated anti-malware system whose main features protect all data in the SCADA system against outside exploitation: running multiple anti-malware engines concurrently (Multiscanning), removing malicious content from files (Deep CDR), scanning for vulnerabilities (Vulnerability Assessment), and data loss prevention (DLP).
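As an added illustration of the protocol-aware inspection a BSG performs on a protocol such as IEC 60870-5-104 (example code written for this article, not EVNHCMC's or any vendor's implementation), the following Python parses IEC 104 APDUs and forwards only the ASDU Type IDs permitted for the direction the frame travels. The per-direction allow-list and the sample frames are constructed assumptions, not the Load Dispatch Centre's policy or captured traffic.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list of IEC 60870-5-104 ASDU Type IDs per traffic direction
# (an assumption for this example, not EVNHCMC's policy). Monitoring information
# flows RTU -> control centre; commands and interrogations flow the other way.
ALLOWED_TYPE_IDS = {
    "rtu_to_cc": {1, 3, 9, 13, 30, 31},   # M_SP_NA_1, M_DP_NA_1, M_ME_NA_1, M_ME_NC_1, M_SP_TB_1, M_DP_TB_1
    "cc_to_rtu": {45, 46, 100, 103},       # C_SC_NA_1, C_DC_NA_1, C_IC_NA_1, C_CS_NA_1
}
ASDU_HEADER_LEN = 9   # TypeID(1) + VSQ(1) + COT(2) + common address(2) + IOA(3)

@dataclass
class Verdict:
    forward: bool
    reason: str
    type_id: Optional[int] = None

def inspect_apdu(frame: bytes, direction: str) -> Verdict:
    """Parse one IEC 104 APDU and decide whether the gateway should forward it."""
    if len(frame) < 6 or frame[0] != 0x68:
        return Verdict(False, "not an IEC 104 APDU (bad start byte or too short)")
    apdu_len = frame[1]                       # counts the 4 control bytes + ASDU
    if apdu_len < 4 or apdu_len + 2 != len(frame):
        return Verdict(False, f"length field {apdu_len} inconsistent with frame size {len(frame)}")
    fmt = frame[2] & 0x03                     # low two bits of control byte 1
    if fmt == 0x03:
        return Verdict(True, "U-format link control (STARTDT/STOPDT/TESTFR)")
    if fmt == 0x01:
        return Verdict(True, "S-format supervisory acknowledgement")
    # I-format (bit 0 clear) carries an ASDU starting at byte 6
    if apdu_len < 4 + ASDU_HEADER_LEN:
        return Verdict(False, "I-format frame too short to hold an ASDU header")
    type_id = frame[6]
    if type_id not in ALLOWED_TYPE_IDS.get(direction, set()):
        return Verdict(False, f"Type ID {type_id} not permitted for {direction}", type_id)
    return Verdict(True, "permitted ASDU", type_id)

# Constructed sample frames (not captured from a real system).
SAMPLES = [
    ("68 04 07 00 00 00", "cc_to_rtu"),                                 # STARTDT act
    ("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14", "cc_to_rtu"),   # C_IC_NA_1 general interrogation
    ("68 0e 02 00 02 00 01 01 03 00 01 00 01 00 00 01", "rtu_to_cc"),   # M_SP_NA_1 spontaneous single point
    ("68 0e 00 00 00 00 2d 01 06 00 01 00 05 00 00 81", "rtu_to_cc"),   # C_SC_NA_1 arriving from the field side
    ("68 10 00 00 00 00 64 01 06 00 01 00 00 00 00 14", "cc_to_rtu"),   # length field disagrees with frame size
]

def run_samples() -> list:
    return [inspect_apdu(bytes.fromhex(h), d) for h, d in SAMPLES]

if __name__ == "__main__":
    for (h, d), v in zip(SAMPLES, run_samples()):
        print(f"{d:<10} {'FORWARD' if v.forward else 'DROP':<8} {v.reason}")
```

A real gateway would additionally validate the VSQ element count against the remaining length and check the common address against the RTUs it serves; the direction check alone already rejects a command frame injected from the field network.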
(Figure: Dedicated anti-malware solution connection diagram)
EVNHCMC will continue its research into advanced solutions for safeguarding its OT information security. In the meantime, the Corporation is also studying the ISO/IEC 27019:2017 standard with a view to expediting its implementation.