Securing the Intellectual Property of Smart Grid Security

Theodore Wood

A unique view to the realities of cybersecurity.

August 25, 2011 By

Theodore Wood's job, at D.C.-based Sterne Kessler Goldstein & Fox, is the discovery and protection of intellectual property in things like smart-grid security. From international cyber security espionage to plain old American ingenuity, Wood offers a unique view to the realities of cybersecurity.

Karisny: Your Grid Industry Group responsibilities for Sterne Kessler Goldstein & Fox include an interesting intellectual property focus, especially in light of the recent cybersecurity attacks. I am beginning to wonder which IP we are protecting, Intellectual Property or Internet Protocol. How serious do you see these attacks and is our critical infrastructure like the power grid a target?

Wood: Our Grid Industry Group focuses on companies that innovate to protect and enhance the resiliency of our power grid. And cybersecurity is one of the primary areas where companies are heavily innovating. Therefore, we follow the cybersecurity challenges, technologies, and guidelines pretty closely. With respect to the cybersecurity attacks, I think you're referring to recent attacks on the IT (information technology) systems of targets such as Sony's online gaming site, various government sites like the senate and the CIA, companies such as Google, a host of credit card companies and several others. We absolutely see these attacks as extremely critical, primarily because they seem to demonstrate a level of success, persistence and an increasing level of organization by the attackers. Fortunately, it doesn't appear that our critical infrastructure has been attacked in the same way as these other sites. But there is little question that critical infrastructure, like the grid, will eventually be targeted. And a successful attack on the grid would be totally devastating, with national security implications.

We all are familiar with former CIA Director Leon Panetta's comments stating that the next Pearl Harbor could be a cyber attack that cripples our electric grid. I'm also reminded of a recent story by Good Morning America, relying on a report from the Department of Homeland Security. This story noted the possibility that sabotage by insiders at a major utility facility could provide Al Qaeda the opportunity for a massive September 11 anniversary attack. And Richard Clarke, in his new book entitled Cyber War, states that the "clearest example of vulnerability brought on by computer controls happens to be the one system that everything else depends upon: the electric power grid." These are just a few examples of recent public comments about vulnerabilities of our critical infrastructure.

Karisny: The words Cyber, Internet, IT and IP sometime get blurred when they are actually very different especially when it comes to security. Can you give some examples that may differ?

Wood: A big part of the reason for the increased risk is due to the Internet Protocol based networks that interconnect our critical infrastructure to global networks. The interconnected systems may be an IT system, or an industrial control system (ICS). Traditional IT systems include components such as routers, network interface controllers and servers. A traditional ICS includes components such as distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLCs), all of which are used in industries like water, transportation, manufacturing, oil and natural gas, and electricity. These ICS components do things like facilitate data collection from remote locations, control valves, trip breakers, operate relays, monitor alarms etc. Many of these ICS components are integrated with various legacy systems that were not developed with security in mind. The Internet Protocol considerations play a big role because most often the underlying protocol provides the extensive connectivity by which unauthorized and/or malicious persons, machines, or code gain access to these critical systems. But cybersecurity must also consider factors that are unique to each type of system, whether IT or ICS, to ensure that even if unauthorized access is made, damages can be minimized.

Karisny: Knowing networks are different, where should we be focused in protecting critical infrastructure security?

Wood: In my view, the IT/ICS distinction I just mentioned is significant to the discussion of where to focus cybersecurity solutions. Here is the significance: There is a growing recognition that cybersecurity solutions designed for IT systems may not apply to an ICS. Additionally, ICS have different performance and reliability requirements that typical IT support personnel may be unfamiliar with. On the other hand, there are some similarities between ICS and IT systems that create an overlap with some of the cybersecurity solutions. For example, many of the lower-cost IT solutions are now being applied to ICS. But many of these IT solutions fail to provide the security isolation needed by an ICS. As I mentioned earlier, ICSs are employed extensively in our critical infrastructure which creates these sorts of unimaginable consequences if attacked successfully.

A recent Homeland Security Newswire story ... pointed out that the large number of high profile cyber attacks on major corporations and government entities has driven a sharp increase in cybersecurity spending. I would submit, however, that the majority of this spending has been on IT cyber security and not necessarily critical infrastructure ICS cybersecurity. Therefore, we still need something to spur or trigger R&D, innovation, and investment in critical infrastructure ICS cybersecurity. I believe the trigger for this additional R&D, innovation and investment is quality intellectual property (IP). By providing creative incentives, the U.S. Patent and Trademark Office (PTO) can play a pivotal role in the development and protection of IP related to ICS cybersecurity. And if done correctly, this would help ensure that cybersecurity innovations and technologies are more commercially attractive for vendors to develop and for investors to fund.

Karisny: You come from a military background that addressed security on a "need to know" basis and we now live in an age of social networking. Is there some common-sense approach to protecting Intellectual Property in this very open world we live in?

Wood: When I was active duty Air Force, we would simply stamp everything as "secret" and ask questions later. I'm of course exaggerating, but only just a little. For very good reasons, many innovations related to cybersecurity and encryption have been kept by companies as "trade secrets." And there are still a lot of good reasons for protecting IP in this manner. The problem today, however, is two words: "social networking." Twitter, Facebook, LinkedIn discussion groups, and professional blogs provide excellent forums for in-depth technical discussions. I participate in many of these discussions and monitor many others. But when you read the content of these discussions carefully you can't help but wonder how much of the information being discussed, perhaps unknowingly, is some company’s trade secrets. And once publicly disclosed, a trade secret is no longer proprietary and can be used by a company's competitors. Social networking also, unfortunately I might add, provides a convenient way for a disgruntled employee to easily and maliciously disseminate large amounts of proprietary information. Therefore, the tendency to rely only on trade secret protection for all cybersecurity and encryption innovations may be too risky. So wherever possible, companies should protect their key IP by filing for patents early in the development process. Once you file for patent protection of your idea, most of the issues related to trade secret protection, such as those noted above, disappear.

Having said that, the military’s "need to know" based policy was directed at national security concerns. Some of the innovations for cybersecurity, even in the defensive sphere, may be considered as important to national security. The PTO has a procedure to filter such applications and process them separately, striking a balance between protecting national security and protecting inventor rights.

Karisny:. Do you think the stimulus funds directed towards smart meters and not security may be the cart before the horse?

Wood: Don’t want to go that far, but there is certainly an imbalance that must be corrected. Smart meters serve an important consumer function enabling a much more efficient use of electricity, which benefits electricity producers and consumers. As you may be aware from a recent Forbes article, about 75 percent of 2009 stimulus dollars were directed to smart meters. I'm not advocating reducing the amount of spending on smart meters. But I do believe that we need to increase the amount of spending in ICS cybersecurity. As I stated a little earlier, we need to create more incentives for companies and individuals to innovate and invest at the infrastructure end (ICS) rather than, or as well as, at the consumer (IT) end. Grid security used to be exclusively the concern of the power generation companies. But this is no longer true with the expansion of smart grid. A lot of new players are in positions to play a role in securing the grid. So healthy competition can also be used to trigger innovation in this field. Increased spending can certainly help this process.

Karisny:. If we are to address security in areas like the smart grid, how should you protect the Intellectual Property that in turn will protect the network? Power companies are saying who are you, come on in, lock the door, sign this very enforceable non-disclosure and don't expect to get your tested equipment back. What are your suggestions for Intellectual Property protection in this sensitive area of critical infrastructure security?

Wood: I believe the answer to this question is creativity and innovation. Before addressing the IP aspect of your question, I would like to comment on what I mean by creativity and innovation. This past June, I had the privilege of attending the annual conference for a group called the National Electric Sector Cyber Security Organization Resource (NESCOR), managed by the Electric Power Research Institute (EPRI). I think that NESCOR is a pretty creative and innovative concept. NESCOR is the research and analysis arm of National Electric Sector Cyber Security Organization (NESCO) which is a public-private partnership that serves as a focal point to bring together utilities, federal agencies, researchers, vendors and academics. And from what I understand, they're kind of a think tank that helps focus cybersecurity R&D priorities, collect and analyze critical infrastructure vulnerabilities and threats, as well as collaboratively develop solutions in real-time. This group was established by Congress and is funded by the Department of Energy to act as a quick reaction solutions oriented group of super smart people. I believe that groups like this public-private partnership will be crucial to the development of ICS cybersecurity. I also believe that groups like NESCOR make it easier for power companies to discuss potential vulnerabilities in a forum that focuses on solutions instead of penalties.

In my opinion, IP professionals should be involved in these public-private partnerships. By partnering with groups such as NESCOR, at a very early stage of the innovation and technology development process, the IP professionals can help companies develop effective IP strategies that identify and protect the correct IP -- IP they can [use] to facilitate early-stage funding.

Answering the question from a different perspective, the old power company model may have been adequate for earlier times. Then, threats to the grid were low and didn’t originate from all corners of the world. Also, the relevance of our economy and national security on the grid was much less than now. As mentioned earlier, in addition to the relative increase in threats to the grid, with smart grid, the number of stakeholders, or entities in a position to protect the grid, has increased. So while for some innovations, plain and simple secrecy and a non-disclosure agreement will do, I would suggest that a large portion of innovation should be protected not only by U.S. patents, but by international patents as well.

The U.S. is in a position to lead in this sector because we have to innovate now to protect our networks and grid, whereas other countries have nowhere near the same threat at the moment. The rest of the world, however, will eventually face the same problems. With this said, U.S. companies that innovate now may be in a better position to leverage their IP internationally.

Karisny:. There have been some reports of China breaching our power grids. When you have people like this who are not going to play by the rules what good is a legal IP document?

Wood: I'm aware of reports that claim hackers from China, and other nation states, have breached our power grid. You are right in that IP is not the answer to those elements. In fact in many of those cases, the goal of the hackers is the theft of IP. IP rights are designed to incentivize companies and individuals to innovate. A properly calibrated IP system, where companies or individuals can acquire IP rights in a timely manner, and be rewarded for their innovations, is what is needed to jumpstart critical infrastructure cyber security in resiliency-enhancing innovations. This process will ultimately help securitize our nation’s critical infrastructure. So, although IP rights are not a direct answer to hackers and other cyber criminals, as the threats get more frequent and more serious, the companies with IP rights in various solutions can stand to benefit tremendously from monetization of this IP.

Karisny: We are beginning to see the need for interoperable security all the way from DOD to someone's house. Living in Florida I have witnessed hurricane infrastructure destruction that makes it absolutely necessary for all government agencies and the private sector to securely and interoperably communicate. Could the smart grid be the beginning of this locally needed smart secure wireless IP infrastructure?

Wood: I think we have seen again and again that increased interconnectivity and interoperability produces huge benefits in efficiencies. So that is where we should go. The smart grid, as envisioned, will be an extensive part of this interconnectivity -- ultimately increasing the grid’s resilience to natural or other disasters (e.g., multiple built in redundancies). So, it stands to reason that the smart grid is a part of the extensive secure communication medium, such as you mentioned.

Karisny:. We are entering into a massive wireless device market with the majority of these wireless connections being machine to machine. Should machine to machine security and person to machine security be looked at differently?

Wood: There may be differences in the physical security measures. But, other than that, we should not make assumptions about whether the malicious infiltration is by a person or a machine. The massive growth in wireless devices, many of them directly or indirectly connected to the grid, dramatically increases the potential entry points through which malicious elements (rogue machines, malicious code, or persons) access the grid. The threat of massive denial of service attacks will increase. Harmful code can propagate to numerous entry points, making the defense against such harmful code difficult. These entry points will also make difficult the eventual cleanup of the harmful code. Each of these entry points should be monitored and protected against malicious machine as well as human access. In addition, the network perimeters around the critical infrastructure should ideally be protected in a layered manner. The critical systems themselves may be protected by restricting the entry points and implementing stringent access monitoring. These systems may also be protected by taking additional steps that may be necessary to protect the particular control systems.

Karisny: We are beyond media hype with the recent cyber security attacks. What should be our immediate response strategy be to these cyber breaches as it relates to your focus in our nation’s critical infrastructure.

Wood: Clearly we need to use the full force of our laws to track down and punish cyber criminals who attack our critical infrastructure. We also need to close the technical holes through which these attacks happen. In the short term, perhaps steps such as physically separating critical infrastructure networks may be part of the answer. However, in the long term, and from an efficiency standpoint, we want enhanced interconnectivity. In order to maintain this extensive interconnectivity we must have adequate monitoring, along with systems and strategies to protect, detect, and defend with respect to cyber threats.

Karisny:. You are based in the Washington, D.C., Metro area. Is DC listening as it relates to cyber attacks and if you could get your message all the way to the top, what would it be?

Wood: Washington already recognizes the urgent need for effective cybersecurity. But we must more efficiently harness American ingenuity to address the challenges we are facing in defending our critical infrastructure, especially the power grid, from cyber threats. One of the best ways to ensure proper ingenuity is focused on cybersecurity is to facilitate the protection of IP rights so that innovators can be rewarded for their work in this area.

Theodore Wood is a key member of the firm's Grid Industry Group, where he focuses on helping innovators involved with ensuring power grid resiliency in an evolving smart grid infrastructure. Wood's work before the United States Patent and Trademark Office includes patent application preparation and prosecution, reissue, reexamination, and appeals before the Board of Patent Appeals and Interferences. He has served the role of virtual in-house IP counsel for several high technology emerging companies, where he developed programs to identify, protect, manage and commercialize IP assets. Wood has worked on intellectual property matters involving many technologies, including electronics, computer graphics, computer architecture, networks, and network protocols, telecommunications networks, wireless communication systems, e-commerce and Internet applications, GPS location-based services, intelligent vehicle systems, automotive systems, and medical devices.

Larry Karisny is the Director of Project , a smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.


Cyber Wars Start, is the Power Grid Next?

Smart Grid Security

August 4, 2011 By Larry Karisny

Recent reports have clearly demonstrated that cyber wars are real and happening. So what are the implications and when are people going to at last take notice? Forbes reported recent attacks included an unprecedented series of cyber attacks on the networks of 72 organizations globally -- including the United Nations, governments and corporations -- over a five-year period. The White House as of yet has not disclosed the organizations effected by this most recent attack dubbed "Operation Shady RAT."

So what are people who live, eat and breathe this stuff every day saying? I am part of a group that has been discussing this in a Smart Grid Security group headlined, "The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems." The discussion started 14 days ago and with the recent events I thought some of the comments are very appropriate and I would like to share them.

Theodore Wood, Partner and Patent Lawyer at Sterne Kessler Goldstein & Fox
"I believe we have to direct more of our immediate attention and grid-related stimulus spending toward enhancing the resiliency of the existing grid. William Pentland’s article in Forbes this past May, discusses his finding that about 75 percent of the 2009 federal stimulus dollars have been directed to advanced metering infrastructure (AMI). Our own research and analysis of IP in these areas supports this contention. However, in order to have a more direct impact on grid security, we need more direct investment in cyber resiliency strategies (hardware and software), including things such as strong encryption and key management techniques, network access control, intrusion response systems, rootkit detection, etc. I believe that an infusion of federal spending into these areas will spur R&D, facilitate development of quality IP, and help ensure that cyber security innovation and technology are more commercially attractive from both the vendors' and investors' perspectives."

Andrew Wright, CTO at N-Dimension Solutions

“I agree with Ted regarding the need for more economic stimulus for grid resiliency and cyber security. Of the $4.3 billion ARRA funding, most of it went to smart meters, MDMs [Meter Data Management], and consultants, and relatively little to real security. And in any case, that was 100 out of 3,300 utilities in the U.S. We need to change the economic equation so that utilities do not have to prioritize security against other technologies, and the best way to do that is to build security in. But that needs economic incentives for manufacturers to spend time on security functions rather than others. IP protections for grid resiliency is one way to do this.”

Joe Weiss, Managing Partner at Applied Control Solutions, LLC
"As an engineer, there is no doubt it is technically possible to do this -- I am not a threat analyst and so cannot say why it has or has not happened. Stuxnet should be a glaring example of its potential. I had this specific discussion with Richard Clarke many years ago and provided several reasons why it could happen and yet not be public. There are minimal control system cyber forensics so when there have been major infrastructure failures, it is generally not possible to determine if cyber was involved. There already have been numerous significant control system cyber incidents in the U.S. that have killed people, caused major electric outages, shut down nuclear plants, etc. When a critical infrastructure incident does occur, there is a reticence by the government to acknowledge it is a cyber incident. I believe the lack of control system cyber forensics and end-users unwillingness to report has stifled progress on securing industrial control systems."

Stacy Bresler at National Electric Sector Cybersecurity Organization

“Reporting cyber incidents or potential incidents is an issue. Being a former cyber security manager at a large asset owner, I understand the lack of willingness to report. Currently the mandate to report a cyber incident is to the ES-ISAC which is essentially the regulator despite claims of dividing lines within their organization. That alone is a deterrent for more reporting. I'm with Joe on this ... I don't think our intelligence agencies always have the facts put together before they make blanket statements. We do need better tools to help in forensic efforts but that needs to be coupled with proper training for those in the field. There are forensic experts out there and I believe ICS-CERT has a jump team on the ready ... but I don't think that is enough. We definitely do not have an aggregated view of what is really going on and we can't manage what we can't measure!"

Robert Cragie Consultant for HAN/Smart Energy/Security at Pacific Gas & Electric
"The 80/20 rule applies here. With a relatively small amount of effort you would get a huge improvement in security. ICS manufacturers and implementers have to wake up to the fact that their ancient systems need to be brought up-to-date using security procedures (business process, physical and cyber) commonplace in IT and telecoms infrastructures. The INL SCADA evaluation report highlights the woeful lack of security in electricity T&D substations, e.g. adding dial-up modems with no cyber security protection to substation equipment still using default passwords so a maintenance operator can control remotely. Stuxnet was clever but still propagated by the practice of passing USB flash drives around with the virus on. Back in the day, it was floppy disks which spread viruses in this way. Do we never learn?"

This is what the people who work on these issues are seeing. There is always some hype but there is also some things that are not disclosed. From simple fixes to a clear need to invest into new cyber security solutions, the war is on and the war is real. God bless our military and their efforts in securing our country but if our national power grid goes down our losses could be much greater.

Larry Karisny is the Director of Project, smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure. Reprint courtesy of MuniWireless