Smart grid security inadequate, threats abound

Near chaos. That's the current state of security for smart grids, according to Pike Research. A recent report by the research firm finds that a lack of security standards, a hodgepodge of products and increasingly aggressive malicious hackers will make 2012 a challenging year for securing smart grids. (A smart grid uses IT and smart meters in an effort to make electric utilities more efficient, reliable and sustainable.)

"After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended," says Bob Lockhart, an analyst at Pike Research.

But he adds: "There is hope." Lockhart says there's a "dawning awareness by utilities during the past 18 months of the importance of securing smart grids with architecturally sound solutions."

Smart-grid pioneer Andres Carvallo, a former CIO at Austin Energy and co-author of The Advanced Smart Grid: Edge Power Driving Sustainability (Artech House, 2011), says security is a complex situation. He notes that a fully secure smart grid requires secure edge devices, secure networks, secure data centers and secure applications.

Looking at the current state of affairs, Carvallo says "security from the application data center to the utility sub-station is pretty good." However, he says "security from edge devices back to the sub-station and/or data center needs a lot of work."

The hackers aren't waiting. "Development of cybersecurity solutions and standards has somewhat stalled, while the attackers are steaming ahead at full speed," Lockhart says. "While we do have lots of good point solutions available," he says, "they are just that: point solutions." The problem is that hackers find the gaps between those products.

Lockhart says that, outside of defense agencies, it's rare to find a utility with a well-planned smart grid security program that integrates those products into a working whole.

There's also a danger of overlooking the insider threat. "Most people believe smart grid security is for only viruses and worms from hostile governments and terrorist groups," says Joshua Flood, an analyst at ABI Research. "However, one of the main reasons for increased spending on smart grid security software and management systems is simply to make sure the correct people have access to the equipment and systems they should have access to." Among other things, this means protecting systems from disgruntled employees or others who might commit internal sabotage, Flood says.

Security Standards Need Teeth

The Pike Research report suggests that the lack of enforceable security standards or regulations for power distribution grids "leads to a scene of mass chaos in utility cybersecurity" and will cause utilities to take a wait-and-see approach to significant security investments.

So far, most utilities are focusing on the North American Electric Reliability Corp.'s Critical Infrastructure Protection standards (NERC CIP), which applies only to generation and transmission and is the only current standard that has "the teeth to result in fines for noncompliance," the report says.

But utilities should look beyond regulatory compliance and take a more holistic, risk assessment approach, analysts say. Utilities need to establish (and continually refine) an "organization-wide risk management program, policies and processes to prepare for, react to, and recover from adverse cybersecurity events," says Marianne Swanson, senior advisor for information system security at the National Institute of Standards and Technology (NIST).

NIST and other government agencies have written useful documents about power grid security and risk management, but the Pike Research report notes that they are merely recommendations.

To complicate matters further, there are differences between the security standards in the U.S. and the rest of the world, Flood says.

"We need similar standards worldwide, and although organizations such as the European Union's Smart Grid Coordination Group are working with NIST closely, we still need greater progress in Europe on smart grid security," he says. "However, with current economic problems in the euro zone, less effort and time will be spent on the smart grid than needed."

Securing industrial control systems such as SCADA (supervisory control and data acquisition) also remains a challenge for utilities, according to Lockhart, but there is little agreement about what to do about it.

A major factor, Lockhart explains, is that many SCADA systems were deployed without any security whatsoever in the mistaken belief that SCADA would always be isolated from the Internet.

"Even when it is, attacks such as Stuxnet can circumvent the isolation by using USB memory sticks to spread," he says. He adds that SCADA networks can have many old serial protocol devices that have no hope of running any security software, let alone producing event logs for forensics.

Technical Fix for Security Risks?

"There are lots of good technologies available now but none is a silver bullet," Lockhart says. "As with any environment, security requires risk assessment, policies, and an architecture before you start specifying products."

That said, Lockhart lists five promising technologies for utility cybersecurity over the next few years:

Multi-factor authentication: This will help ensure that a stolen password is not enough to allow an attack against a grid or a control console from the other side of the world.

Control network isolation: A firewall can make sure that enterprise IT traffic does not end up on the utility's control network.

Application white-listing: White-listing prevents the execution of malware by identifying "a list of permitted actions on a host and allows nothing else," says the Pike Research report.

Data encryption at rest and in transit: This approach not only protects data confidentiality, it also helps ensure the integrity of data from devices such as smart meters, temperature sensors and flow meters.

Event correlation: This can be especially useful for identifying the source of attacks and in some cases preventing them.

People Biggest Security Problem

Perhaps the biggest security hurdle facing utilities is the cultural divide between IT teams and utility operations teams, says Lockhart.

"One side understands how enterprise IT networks operate," he says. "The other side understands how distribution and transmission grids function. There is not that much overlap between the two, but each has the opportunity to make the other's life truly miserable."

Lockhart observes that the most progressive utilities have realized that cybersecurity discussions must include both IT experts and operations experts, but other utilities are lagging in this regard.

"From my research, there are still some utilities where those two teams are not on speaking terms," he says. "Many security vendors tell me that when they visit utilities, they are only seeing the CIO or chief security officer."


Stories by Mark Rowh
