Discussion about security in utilities tends to be threat-oriented. Here we will look at potential operations and infrastructure topics.
1. The Big Green Elephant in the Room
First, let’s examine the big green elephant in the room. Integration of renewable energy in to the electrical grid requires more distributed sensing and computing, simulation, precision 4-D weather prediction and faster coordination of grid components. This alone is cause for additional grid security concern, because the attack profile will grow larger, be more distributed and be less under the utility’s control.
There are secondary aspects, such as renewable energy microgrids designed to make the grid more resilient. This can defend against acts of Mother Nature and cybercriminals. However, grid problems have also occurred because the system could not handle certain rapid changes in solar and wind power, taking us back to the challenges of faster grid automation to accommodate renewable energy successfully.
2. Network Security
Think about network security in general. The root problem may not be that a threat actor is on your network — it may be that your network contains too many soft targets. A soft target cannot defend itself. Theoretically, should you be able to invite a cybercriminals in to your office and let them connect to the network? You would think not. However, since each system’s authentication is supposed to be secure and the software applications do not have vulnerabilities, there is, theoretically, no need to worry.
It is almost like saying a house cannot be on a public road, since a criminal could drive up the street just as easily as your neighbor. The point is to defend the house with locks and alarm systems, not to place a guard at the entrance to the road. Thinking about security in this manner may aid in focusing on effective remedies.
3. Regulations and Compliance
Given that utilities are a regulated industry, it’s easy to imagine that at some time an agency might forbid state public utility commissions (PUCs) to decline funding for grid security. In a way, this is like the line item veto in politics. Should those who operate the enterprise choose how their allocated budget is spent? The grid is highly interconnected, so grid security could be seen as analogous to public health. Certain trade-offs should not be made in the interest of the nation as a whole.
Imagine if a federal agency issued directives to manufacturers about the certification process for smart grid equipment security. What entity would operate a testing lab that charges a nominal fee to certify equipment? Electric utilities are responsible for their North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) compliance, yet others provide most of their operational technology (OT) equipment and software.
Of course, utilities can use the power of their requests for proposal to purchase only certified equipment. Now, equipment purchasers are mostly on their own for cybersecurity and physical security assurance testing, not to mention evaluating the communications infrastructure connecting the equipment and the quality of internally produced software.
4. IoT: Internet of Trust?
It is reasonable to say that the smart grid was the industry’s first Internet of Things (IoT) project. It is also reasonable to say, however, that the more sensors you have, the more sensors you have to trust. It might be easier for a cybercriminals to commit data falsification near the sensor than to attack the central analytics system that the sensors feed.
As utilities consider incorporating sensors and data from outside their private supervisory control and data acquisition (SCADA) systems, the notion of trust builds up. Eventually, there may need to be trust brokers rather than per-instance digital certificate exchanges.
5. You Shall Not Pass
U.S. currency features the phrase “In God We Trust.” A cynical security professional might say that all others need authentication.
Products that check for simple passwords to powerful accounts may not be enough. Security really requires password expiration, integrated revocation, logon event alerts and, for more extreme sectors such as nuclear, physical tokens.
The converse is true, too. In today’s digital society, you are a biological container of passwords. If someone knows enough of your passwords, they are you. As mentioned above, trust propagates from individual sensors to data services, such as high-precision weather forecasts and market bids. This is where blockchain is gaining traction in the industry.
6. Smart, Smarter, Smartest, Surprised
The academic area known as systems science contemplates the interactions of smart systems. Demand response coupled with sudden loss of load detection for turbine overspeed might yield a bad result if not coordinated sufficiently, for example. In academic circles, this bad behavior is not called Murphy’s Law, but emergent behavior.
Uncoordinated intelligent systems can do things that are locally correct but contribute to a systemwide failure. This may not fall under the umbrella of security per se, but it is an issue for someone in risk management due to the ever-increasing amount of automation in many utilities.
7. Pulverized Programming
In the good old days, there were fewer application programming interfaces (APIs), microservices and distributed intelligence offerings. When software was more monolithic and less object-oriented, the code was more directly connected to what was in the compiled and linked executable file.
But in today’s DevOps environment, IT professionals must ask:
- What is the trust chain of the source code?
- Where did the code come from?
- How do functionality changes propagate? Become authenticated?
- How do delayed API responses from third-party software components not interfere with production?
This can boost the quality of the source code portfolio’s value in cybersecurity.
Note that cloud itself is not problematic for this security-centric point of view. Cloud security may arise when the utility assumes its own corporate security is better than the cloud provider’s. This is where IT professionals can consider the layers of internet isolation and obfuscation in cloud internal networks, look at infrastructure-as-a-service (IaaS) and hybrid cloud, investigate internal managed security services (MSS) and think of cloud resiliency as a reduction of cyberthreats.
In some cloud offerings, security professionals can add their own monitoring and better control their security software. There are also differences in internet connectivity between providers’ data centers. It may even be interesting for a chief information security officer (CISO) to visit a major cloud provider’s data center. If the provider has its own network and is not running intercloud traffic over the internet, the level of security of data is kicked up a notch.
Note that the Institute of Electrical and Electronics Engineers (IEEE) Power and Energy Society General Meeting featured a cloud panel in 2015 and 2016. This surely indicated an OT interest. On both panels, the rooms were full and questions ran until the sessions ended.
8. Physical Grid Security
Cybersecurity is cool, but physical grid security has a more practical boundary for protection. There are no summer camps on physical security, and corporate sponsorship for university education in physical security is scarce. However, in an asset-intensive industry, physical security is vital.
When cognitive computing capabilities are applied to surveillance cameras, for example, Watson vision technology actually “looks” at each frame, while a human could merely glance at hundreds of windows on a large monitor in a security office.
Image processing has come a long way. The familiar Department of Homeland Security (DHS) mantra — “connect the dots” — is applicable to the automation of physical security, too. This includes connecting the substation gate card access control computer to check with the work order dispatch computer, for example. If there is no open work order at a certain substation, why would someone try to get in? Is there a back door that is only used for rare maintenance operations? The bad guys don’t know that limitation.
The importance of physical security staff is not to be diminished. People are very observant, and random patrol visits can help discourage crimes of opportunity. Remember that real locks and keys are still critical. If you can buy it at a neighborhood hardware chain store, it is probably insufficient. In today’s digital world, however, those responsible for physical security have to know the difference. Not everything is password protected.
What if SCADA systems featured an acoustic sensor to detect a bullet’s impact, sonic signature and location, for example? IBM collaborated with a police department on a project in which sensors listened for gunshots and quickly triangulated the location of firing.
9. Accountability
There is another set of software vulnerabilities to consider in the management arena as opposed to the computer science space. Who owns the problems of buffer overflows, remote code execution and failure to properly validate inputs? What about detection, defensive action and reporting these issues to the software developer? These responsibilities could fall to either IT or security. Purchasing might even involve itself in the supply chain validation of software libraries for critical programs.
With more APIs and microservices, the supply chain is dynamic. It used to be that if you bought software, that was it. With software now reaching to cloud-based components, who keeps those pieces secure? In other words, who is maintaining the trust chain?
10. Big, Bad Data
Of course, not all problems come from within the software. Data-induced failures can occur if the sensor data is corrupted between the field and the analytics. Corrupted data can cause a secured system to take the wrong actions. Call it big, bad data, if you will.
Mitigation steps include constructing algorithms and analytics to perform input validation before computation. Cross-sensor physics principles can be applied to common sense-checking algorithms, for example. This would be done in the data lake, not repeated in individual components.
Sometimes employees cause problems, even with no malicious intent and with no adverse external factors, such as if a new smart grid system is installed without sufficient user training. Even something as simple as a new user interface in front of legacy software can cause a problem. Security teams should avoid anything that increases the chances of operator error and use software that takes advantage of programming error detection tools.
Your system will be penetration tested, either by the utility, an outside, impartial, trusted security company or potential attackers. The probing will be done — it’s just a question of who finds the vulnerabilities first. But these 10 areas are ideal places to start when improving security and locking down critical systems.
Chief Technology Officer of the Energy and Utilities, IBM