Utility Cyber Security in ‘Chaos’

Tuesday, November 8, 2011 @ 01:11 PM gHale

Chaos is the word to describe utility cyber security.

After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand, said a new report by Senior Analyst Bob Lockhart and Research Director Bob Gohn from Pike Research.

Whitelisting a Solid Security Tool
Multiple Causes to Southwest Blackout
Safety Systems Fire Up in Texas City
Utility Cyber Security Outlay to Grow

Despair does not reign; there is hope. Utilities and vendors over the past 18 months are getting a clearer understanding of the importance of securing smart grids with architecturally sound solutions.

The problem is security solutions remain challenging to implement, especially as attackers gain awareness of the holes between point solutions, the report said. Security vendors have finally found time to focus on industrial control system (ICS) security, not only advanced metering infrastructure (AMI) security – although a few security vendors have focused on ICS from the outset. The utility cyber security market will be a frantic race to gain the upper hand against attackers.

The report focuses on seven trends in smart grid cyber security:
1. One size doesn’t fit all: Regional deployments will shape cyber security investments.
2. Industrial control systems, not smart meters, will be the primary cyber security focus
3. Assume nothing: “Security by obscurity” will no longer be acceptable
4. Chaos ahead?: The lack of security standards will hinder action
5. Aging infrastructure: Older devices will continue to pose challenges
6. System implementation will be more important than component security
7. Top five most promising smart grid cyber security technologies

One Size Doesn’t Fit All. The smart grid cyber security threat is clearly a global issue, with potential attacks coming from virtually anywhere, targeting anyone, and for a wide range of possible intents. But the underlying technologies differ by region, by segment, and by segment within a region. To cite examples at the extremes, smart meter adoption rates in North America have been quite a bit more aggressive than electric vehicle (EV) adoption rates in the Middle East and Africa, representing different cyber threat surfaces. Both adoption rates are likely to change throughout the forecast period as new markets open or reach saturation.

Industrial Control Systems, not Smart Meters, the Primary CyberSecurity Focus. Industrial control system security will grow faster and will generate more investment than smart metering security. This makes sense because there will be more investment in smart grid control systems – transmission upgrades, substation automation, and distribution automation – than in smart metering. Once again, smart grid technology investment will directly drive smart grid cyber security investment.

Assume Nothing: “Security by Obscurity” No Longer Acceptable. The discovery of Stuxnet during the summer of 2010 demonstrated that control networks are no longer secure simply because they remain isolated from enterprise networks. Stuxnet also demonstrated that motivated attackers are willing to learn arcane technologies, such as the control sequences for a specific model of centrifuge.

Stuxnet was a mission and not simply a piece of malicious code. No one detected it until after it accomplished its mission and, most likely, evaded detection for more than a year after its release. Few utilities, vendors, or analysts are willing to discuss that even more sophisticated attacks may now be in process, which, so far, have completely evaded detection.

Chaos Ahead?: Lack of Standards Will Likely Hinder Action. No enforceable smart grid security standards exist anywhere in the world for power distribution grids. The greatly discussed U.S. NERC CIP standards only apply to generation and transmission, though some of this has leaked into stimulus-funded distribution network projects. Other regulations or legislation may apply to specific situations, such as data privacy laws or payment card industry standards to protect customers’ card data used in paying utility bills.

A number of well-written guidelines include the three-volume U.S. NIST Interagency Report (NISTIR) 7628, which covers smart grid cyber security strategy, architecture, high-level requirements, and data privacy. Additionally, NIST Special Publication 800-82 is a thorough examination of ICS cyber security issues. The U.S. and U.K. governments have co-published a document known in the United States as the Control System Security Program (CSSP) Recommended Practice: Improving Industrial Control Systems Cyber Security with Defense-In-Depth Strategies.

Aging Infrastructure: Older Devices will Continue to Pose Challenges. Smart metering systems are of recent enough vintage that all support modern communications protocols that protect information confidentiality and integrity. Whether proprietary or open protocols, most AMI systems have decent built-in cyber security.

However, some supervisory control and data acquisition (SCADA) systems have been in place much longer than smart metering and may still have many devices running serial protocols, such as MODBUS, which has no built-in security features.

It is nearly axiomatic that SCADA devices will undergo replacement when their service life expires, not sooner (although possibly later). Security assessments are unlikely to result in a large scale technology refresh, simply to replace old devices with better-defended modern devices.

System Implementation More Important than Component Security. It is possible to have a system in which 100% of the components are secure, but the system as a whole is not secure at all. Cyber security works to protect a whole entity and attackers look for holes. The strongest adversaries are not going to waste time attacking a component device known to be a fortress. One cyber defense expert said, “Do not fear hackers. Fear engineers who hack.” Security is only as strong as its weakest link and the best attackers know instinctively to look for that weak link.

Top Five Most Promising Smart Grid Cyber Security Technologies. Here are the five cyber security technologies that can be the keys to protecting smart grids:
• Multi-Factor Authentication
• Control Network Isolation
• Application Whitelisting
• Data Encryption
• Security Event Logging and Correlation

Leave a Reply

You must be logged in to post a comment.