Smart Grid Cyber Security: No Hype Allowed

By lkarisny on August 17, 2010 in Smart Grid

This is an interview with Mike Ahmadi, cyber security consultant and conference chairman of the Cyber Security Conference and Expo that took place last week in San Jose, California.

Issues to be addressed in smart grid security

Q: You opened the conference recognizing that smart grid security is only as strong as the weakest link, with more endpoints and more interconnected networks, meaning more ways for security problems to arise. With this in mind, what is your objective for the Smart Grid Security Summit?

A: Ultimately my objective is for stakeholders to become more educated. Security is a very dynamic environment, and keeping current with what’s going on in the world of security is no small task. This conference provides an opportunity for all involved to become current (no pun intended) about Smart Grid security initiatives, concerns, victories, and challenges.

Q: Scott Borg, Director and Chief Economist, US Cyber Consequences Unit had the daunting task of calculating the value of smart grid security compared to the catastrophic expense of a power grid security breach. What points did Borg make to convince us that smart grid security is not a luxury but a necessity?

A: Scott Borg gave what many thought was one of the best (if not THE best) presentation of the conference. First of all, despite what anyone may tell you, security is about economics. Ultimately the biggest driver for any organization to secure anything is to prevent getting hit in the pocketbook. Anyone who tells you otherwise is perhaps stretching the truth. The most striking point of his presentation was to emphasize the following points: 3-4 days without power is essentially inconsequential from an economic standpoint. Any organization can recover from this relatively short plunge into the dark ages. As you approach the 5th day, however, things change quickly. There is a precipitous drop in economic activity, and by the 7th day the economy is at 30 percent capacity. This was surprising to many in the crowd, and it emphasized the importance of not underestimating the consequences of a prolonged failure in electric.

Q: Pike Research has done a good job of evaluating the smart grid marketplace over the last few years. What systems, components and services did they see emerging as it relates to grid security?

A: I would strongly suggest those who are interested in a comprehensive look at how the Smart Grid will shape the security market to purchase their excellent report. Having had the pleasure of seeing this report first hand, I have to say it is extremely detailed and well researched. According to Pike Research, there will be opportunities for security component manufacturers, security software vendors, identity and authentication management solutions, and consulting services (just to name a few). What is commendable about their report is how it breaks down the opportunities into categories and presents data at a very granular level. I look forward to seeing how accurately they predicted the opportunities.

Q: The media has bombarded us with articles warning of cyber security threats. From hype to reality, what points did your best practices panel make for threat scenarios we should expect in the next few years?

Ai: Perhaps one of the most interesting points made during the panel discussion (by Matt Carpenter of Inguardians) was that the biggest threat will probably come from organized crime syndicates. They use the threat of exploits as a means of extortion. While the panelists acknowledged that random hackers may cause some trouble, they will probably not be as troublesome as some have postulated.

Q: There are those who fear that regulation could stifle smart grid security creativity. What points did your keynote speaker Commissioner Philip Moeller, Federal Energy Regulatory Commission make in striking a balance between regulation and creativity?

A: Commissioner Moeller was a great guy! Let me begin by stating that. He did not get on stage and speak like a bureaucrat, instead he delivered some straight talk. What he told the crowd was that they simply do not have all the answers yet, and despite all the work that has been done in Washington to address Smart Grid security they still have quite a bit of work to do until they are done (if that can indeed ever happen). He emphasized the importance of events like the Smart Grid Cyber Security Summit, and that FERC was seeking input from the people in the audience. All in all, I was pleased to hear someone at such a high level giving us straight talk.

Q: Our current power grid infrastructures have legacy control systems that frankly don’t fit today’s digital IP technologies. What are some of the unique issues with control systems, what can be done to secure them, and what shouldn’t be done to assure the proper migration to new secure digital technologies?

A: Joe Weiss always delivers a passionate presentation. Although he painted a rather gloomy picture, the takeaway from his presentation is that the world of ICS (Industrial Control Systems) and the world of IT (Information Technology) have to start working together to better understand the nuts and bolts of how each world operates. Today the world of ICS operates legacy equipment that is not well suited to have the world of IT merge with it. Both worlds need to better understand each other in order to succeed together. The other point that Joe brought up is that (according to Joe), the NERC CIP requirements potentially create a security environment that is worse for the ICS world because they exclude specific interfaces and protocols commonly found in ICS. He feels that FERC and NERC need to reexamine the requirements with more consideration being given to common ICS systems.

Q: There will be virtually millions of smart-nodes connecting to billions of smart grid network devices. Is there a simple, manageable and secure method of addressing such complexity in this massive security undertaking security?

A: The short answer is no, but there are various pieces and parts that can be put together to build a good system. Chris Hanebeck addressed the effects of traditional encryption algorithms on the extremely resource constrained devices at the edge of the Smart Grid (such as meters), and it was surprising to learn how challenging it will be to come up with solutions that will work efficiently in the environment. Although he proposed a proprietary low overhead algorithm that addressed some of these challenges, we still have quite a bit of work to do at the implementation level before we can call this a solution (and that is only if and when everyone agrees to what the pieces and parts should be).

Q: There are a lot of people concerned with the rights of privacy they may have to give up for smart grid security. Is there a balance we can strike?

A: I fully believe we can achieve a balance, but it depends upon how the public’s perception of smart grid security. While privacy is indeed important to everyone, we have proven time and again that we are all willing to face privacy challenges if we realize some real benefits on a personal level. We live in a world where anyone with a cell phone can be tracked anywhere, but we all seem to be willing to accept this invasion of privacy because of the benefits cell phones provide us. Since the Smart Grid represents an additional cost to the rate payer in the short term (we are all going to have to pay for building the Smart Grid), I believe privacy will be a rallying cry that will be heard for some time to come. I believe once the Smart Grid becomes something that helps the rate payer save money, the cry will be a bit softer. Not only because of the benefits, but also because those responsible for building and managing the Smart Grid will ostensibly have better security and privacy controls in place.

Q: NERC and other regulatory standards groups are trying to direct the path of smart grid security. How difficult it for power companies to meet these requirements while future requirements are already being drafted to reduce smart grid security risks?

A: Perhaps the most difficult task power companies face in meeting requirements is in fully understanding what requirements need to be met. Requirements are in a state of flux, and who has authority of what is still an open question.

Q: What are leading industry executives saying about the reality of cyber threats today and the cost/benefit of undergoing a review of security vulnerabilities?

A: The utilities represented on this panel stated that most of the threats are still quite theoretical. They fully believe that the threats are real, but have not experienced any of the malicious exploits. Despite not having suffered attacks, the utilities take security quite seriously, and they do not want to be perceived as not caring or not doing anything about security. They also do not want to face the potentially massive fines associated with failing a security review from NERC, and stated that NERC CIP has helped them become more secure.

Sensationalism in the media and real security threats

Q: There’s concern that we don’t have enough people with expertise to guild the smart grid. Can you give us some of Dr. Cohen’s thoughts on these challenges and how it will affect the smart grid moving forward?

A: Dr. Cohen gave a very good presentation of the issues. Dr. Cohen founded the California Sciences Institute, and offers PhD courses in National Security and Critical Infrastructure Protection (among others). Although the expertise falls short of need, he believes we can eventually achieve the requisite level, but it will take several generations to get there. How it will affect the smart grid in the short term does not necessarily look promising, since a lack of expertise usually means bad decisions. Only time will tell, I suppose.

Q: The Security Technologies and Components Round Table Discussion included vendors like, Itron, Eltser Solutions and Verisign. Was there something that stood out in this discussion?

A: The main takeaway from this session is that some AMI vendors have made some mistakes regarding security in the past, and are now working hard to make sure the same mistakes are not repeated. Some vendors believe that securing end points (meters) to the point they can be considered “trusted” may not be too important, and others asked the question “secured against what”. What I found most interesting is the assertion by some vendors that the meters have security features built in that utilities often choose not to implement for their own reasons. It is important to understand that security only works if those who are responsible for implementing security measures, actually do so.

The issue of meter authentication was interesting, and the vendors had differing opinions regarding what level of authentication was adequate. Regardless of their opinions, however, the most important point was that AMI vendors build what their customers (the utilities) demand, and if the utilities do not demand specific security features, they are not likely to be as important to the vendors.

Q: What are the advantage and disadvantages of PKI security? Could this be the one size fits all solution security solution for the grid?

A: The obvious advantage of PKI is that it has been around a long time and is well entrenched. PKI Is used in banking, the military, and everywhere strong authentication is necessary. The disadvantage is that it requires infrastructure and good key management, and creates additional overhead. What is great about the solution proposed by Renesas is that they have built a solution that includes the necessary security components (chips) and a key management solution to go with it. I am not sure if this can be considered a one size fits all solution, but it is indeed a good start.

Q: There is a lot of talk about microgrids and macrogrids when talking about smart grids. What are they and why are they such a security challenge?

A: Microgrids are small power systems managed outside of the larger utility network. An example of this would be a college campus that gets its power from solar panels on the campus. The advantage they offer is that a malicious attack on a microgrid is isolated from the larger power grid, so the impact is not nearly as devastating. The disadvantage is that if a microgrid is built with less concern for security, it could potentially create a weakness that could become problematical if the microgrid should ever become part of the larger macrogrid (i.e. if a utility buys the power system, or the needs become greater than the amount of power the microgrid can provide). The bottom line is that securing microgrids is as important as securing the smart grid.

Q: What is the true nature of a national smart grid security threat versus. the fear-driven marketing and media environment?

A: This was an entertaining session. The main takeaway from this is that the news media is indeed driven by sensationalist and entertaining stories. Elinor Mills of CNET stated that when she hears information about AMI security flaws, she tries to get information from the vendors, but they either do not respond at all or deliver somewhat canned responses. Robert Former of Itron said that his employers have instructed him to not share information without prior approval from his organization in order to avoid bad press. What was suggested (and well received) was for vendors and other stakeholders to build a relationship with members of the media in order for them to better understand each other, and that this would perhaps lead to less sensationalism. Hopefully this will pan out, but only time will tell.

Summary

As a contributing writer to MuniWireless covering smart grid security, I find it interesting that the conference ended by focusing on the concerns of potential of bad press or worse, press sensationalism. With the importance of moving forward in addressing real smart grid cyber security issues, we need to get beyond government and business “political correctness” and start addressing the real task at hand: securing the smart grid.

* * * * * *

About the author

Larry Karisny is the Director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and security platforms. ProjectSafety Business and Technology Cluster researches and deploys leading edge standards based technologies supporting secure migration paths to current and future wireless networks and network applications.

* * * * * *