This is an interview with Bob Lockhart, industry analyst at Pike Research, about smart grid security. In this interview, I delve deeper into the challenges facing utility companies to secure the smart grid.
* * * * * *
Q: Is there a reason you decided to focus just on security in a separate study?
A: Pike Research is a clean technology market research firm and we thought that Smart Grid Cyber Security would make a sufficiently large market to justify a study. Our conclusion of $6.5B investment through 2015 validates that. Additionally, the people who invest in and provide Security to the Smart Grid are often not the same people who produce or install the smart grid components themselves, so our earlier reports on Smart Grid as a whole might not be as useful for the security interested parties.
Q: Who do you see as the responsible party for securing the smart grid: power companies, third party security vendors or government entities?
A: It depends on geographic location. In countries where the power grid is a government monopoly it’s pretty straightforward. In the US however there is no responsible party for securing the grid. Lots of organizations have a say but no one “owns” security of the smart grid. Some have tried to put the North American Electric Reliability Corporation (NERC), the association of US electric grid operators, in that role but NERC covers Generation and Transmission. Most of what constitutes the smart grid happens in Distribution, which is outside NERC’s scope.
The National Institute of Standards and Technology (NIST) has published good standards for smart grid security including the recent NISTIR 7628 series but they remain only standards. The Bulk Electric System has nothing analogous to HIPAA for Health Care Information or PCI DSS for payment card processing. Compounding the issue, there is a fair amount of Personally Identifiable Information flowing through Smart Grid management systems. That PII comes under the jurisdiction of Personal Data Privacy laws, but we have no national privacy legislation – each State has its own laws.
Q: Where are we today when it comes to securely adding intelligent infrastructure to our utility and power grids?
A: Behind and losing ground. As with nearly every technology, the focus in the smart grid has been to get it working, then later realize that security is an issue. Two things make this worse: first, many security providers have equated smart grid with smart metering, ignoring the major innovations necessary in Distribution Automation and Substations; second, there has been precious little attention paid to security in Industrial Control Systems, such as SCADA, some of which are so old that they are still analog. Since most Information Security experts have an IT background, they do not understand that IT Security solutions may not work and may actually disrupt an ICS network.
Q: With billions already awarded in federal grants and billions more put in by the power companies, where are all the smart grid projects?
A: In my analysis I only looked at smart grid cyber security projects of which there are precious few being funded by the American Recovery and Reinvestment Act (ARRA), though there are some. In the case of cyber security it is often difficult to credibly forecast an ROI. After all an effective security program is one that you never see. So given funds to invest and an enterprise’s need to justify the investment via some measurable return, many are going to minimize security spending unless it’s necessary to comply with a regulation such as NERC CIP.
Q: What is the best start for securing the grid network infrastructure today or is it just a process of add as you go?
A: It’s the same as securing any other environment. You start with an assessment of risks against most valuable assets and prioritize security investment based upon the results of that assessment. Some of the quantitative risk assessment methods can take years to complete, and are not realistic for the current situation, but there are qualitative techniques that yield useful analysis in a relatively short time. The keys to success are getting a complete asset list and fully understanding risks to each. Again there can be problems if no one involved in the assessment truly understands Industrial Control Systems.
So it’s not really possible to say, for example, that every utility should immediately upgrade its Identity Management capability or deploy Security Event Management. Each situation will be unique and requires someone to seriously think about what is at risk and what needs to be done.
Q: Some people are saying we should be addressing the Transmission and Distribution side of the grid before the demand side. What do you think as it relates to security?
A: Well ideally security would be integrated as part of whatever smart grid projects are undertaken by a utility. If it’s smart metering, then securing consumer data and resiliency in the networks should be part of the project. Those are much more expensive to bolt on later. Likewise if it’s updates to the Distribution Grid, maybe smarter transformers, then secure communications and other measures should be built into those projects as well. So the ideal situation is that security rides along with smart grid projects as undertaken by the utility. When that doesn’t happen, then you have to go back to the security risk assessment discussed above, and address the risks as prioritized, maybe taking some low hanging fruit early on – simple measures that can be implemented quickly and with little expense. Early success in a security program can bolster it immensely within an enterprise.
One area of security that gets too little attention in smart grids is employee awareness. It is critical for employees of utilities, systems integrators, and other involved entities to understand what security is implemented, why it is there, and their responsibilities to support it. This requires a proactive education program. Whether we’re talking emails, web courses, or stand up instruction matters less than that the points are gotten across to the workforce.
Q: Is here one-size fits all security approach or is layer security going to be the rule of thumb for the grid?
A: Again, countries with a government monopoly grid can take a one-size-fits-all approach. On the down side for them, that implies that a single attack against their entire national grid could be successful and there is probably a single point of attack for that grid. Here in the US we have over 3,200 utilities – some with millions of customers, others with a few thousand. So obviously they are not going to all be running on the same infrastructure and therefore the same security approaches will not work for all. It is not unthinkable that some smaller utilities will end up clients of service providers running cloud computing environments. Those will probably be private clouds, but still a centralized, third-party cloud. Personally I think that’s a good thing because small enterprises cannot afford as sophisticated security as a large-scale integrator of clouds will implement.
In either case, layered security or defense-in-depth will be the preferred solution. In my studies and work with clients, I’ve been emphasizing not only the need for well-known network and endpoint security controls but also that networks need to be resilient. Whether we’re talking smart metering or ICS, endpoints and central systems need to be able to survive several days or maybe weeks out of contact with each other.
Q: Are there already some mistakes made from which lessons can be learned and some solutions found?
A: What I’ve seen is more an evolution of increased protection rather than a grand disaster followed by a step change in the level of smart grid security. There is still quite a bit of disunity in the smart grid community as to how bad things are or are not. That suggests to me that nothing truly terrible has happened to galvanize the industry. In my research when I ask how bad things are, answers range from no problems at all to critical.
But most of the lessons learned are straightforward: better ways to identify and prevent fraud, nearly everyone understands the importance of encryption, and there is a slowly dawning awareness that the security-by-obscurity approach that protects most SCADA deployments is not going to be effective. But I do see more targeted point solutions than overarching grid security programs.
Q: Is Stuxnet the harbinger of more cyber attacks? Just how bad could things in our power grid?
A: Slammer and Blaster, each 7 to 8 years ago, should have been warning enough – even if they were not directly aimed at grids. I recently blog about Stuxnet and I think the security community has its head in the sand. If my analysis is correct, then Stuxnet was developed late in 2007 or early in 2008. We security experts call Stuxnet state-of-the-art because we arrogantly think we know everything that’s happening, but we don’t. The Stuxnet code and attack could be three years old – that’s two iterations of Moore’s Law. If true, then things probably have already gotten much worse than we understand. We’re just blissfully ignorant of how bad.
Q: In summary, where we are today as it relates to the smart grid? Where do we need to be in a fast track short-term solution and what do you think the future of smart grid security will look like?
A: If Stuxnet is any indication, then the serious attackers are way ahead of us and can pretty much operate with impunity. Less sophisticated attackers may be able to hold a grid to ransom if it is not well protected. Some security vendors seem focused on finding problems that suit their existing offerings rather than seeking how to protect our grids, although there are some exceptions. One utility complained to me, “If one more security vendor walks into my office and asks me what keeps me awake at night…”
Here in the US, our patchwork grid may protect us for some time to come. I’ve asked several utilities and smart grid experts if an attack could wipe the entire US electrical grid. The common answer has been something like, “If only we were actually that well integrated. But no.” Still, any one grid could be successfully attacked, so no one can really rest.
It’s hard to prioritize remedies outside the context of a risk assessment, and that’s going to be unique for each utility. But if I had to prioritize anything in general I’d look at better resiliency throughout networks – both IT and ICS. And I would like to see IT and operations staff at utilities work together more effectively. I can’t see any other way to get a whole-picture view of the grids and what really needs to be done.
Unfortunately we may see continued selling of point solutions for quite some time to come. There are people taking a holistic view of smart grid security, including some utilities’ chief security officers, systems integrators, and even some of the smart meter manufacturers with their bundled solutions. However there is quite a bit of point selling going on out there. Utilities expect a meter – smart or otherwise – to have a service life of 20 years. What is going to happen in smart metering when that expectation collides with Moore’s Law? Certainly that could drive another round of point solution selling.
* * * * *
About the author
Larry Karisny is the Director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and network security platforms. ProjectSafety Business and Technology Cluster researches and deploys leading-edge standards based technologies supporting secure migration paths to current and future wireless networks and network applications.