Ignoring critical infrastructure security problems is no longer acceptable.
January 4, 2012 By Larry Karisny
Editor’s Note: Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.
Security attacks are real, validated, and are becoming more costly. According to security expert John McNabb, electric utilities assume they suffer about 10 percent losses to theft each year. The Edison Electric Institute estimates that in 2009, electric power companies earned more than $352.5 billion. That puts electricity theft alone at more than $35 billion, and doesn’t include the cost of peak production premiums and power outages that cost an additional $80 billion annually. All this could be curtailed by making the power grid intelligent and secure.
Adding intelligence to just the demand side of the power grid could produce savings estimated to be as high as 26 percent — a finding announced last month that came from a smart grid contest in Texas. Even with the cost of smart-grid upgrades estimated at $1.5 trillion by 2030, the efficiencies of adding secure intelligence to the power grid seem cost-effective. But none of this will happen without effective security.
Power grid security isn’t just about money. Personal security and national security are at stake. Appearing before the Senate Armed Services Committee in June, then-CIA Director Leon Panetta said, “The next Pearl Harbor could very well be a cyberattack that cripples our government, security and financial systems.” Power companies are beginning to take these threats seriously and are even beginning to disclose these threats in SEC filings. Con Edison isn’t the first utility to disclose cybersecurity as a serious threat in SEC filings, but it’s perhaps the first to describe cyberattacks as a stand-alone risk category. Failure to disclose such breaches or to follow North American Electric Reliability Corp. (NERC) compliance can cost power companies a million dollars a day in mandated penalties.
The threat of endangering personal data from hacked smart meters was recently demonstrated by Tony Flick and Justin Morehouse in a presentation at Defcon 18, which is available in its entirety on YouTube. Flick earlier wrote “Securing the Smart Grid: Next Generation Power Grid Security”, warning of these projected breaches. Threats to personal security and the national power grid are reaching critical mass.
Smart-Grid Security Chaos, Compliance and Collaboration
So how are we doing on securing power infrastructure? The latest Pike Research report on grid security said, ”Utility cybersecurity is in a state of near chaos.” With concerns about the chaos of vendors and regulations, Pike Research also observed a dawning awareness by utilities and vendors during the past 18 months of the importance of securing smart grids with architecturally sound solutions. But correcting these problems might be slowed down by spending billions of dollars on meeting federally mandated security compliance — rather than investing in the development and testing of security solutions.
There are signs, though, of a focused collaboration from the public and private sectors in methodologies to rapidly deploy grid security. A new demonstration project will be conducted jointly by partners Sensus, EnerNex and the Department of Energy’s Oak Ridge National Laboratory addressing this critical need for security. The three partners will collaborate on the project, dubbed the Automated Vulnerability Detection (AVUD) system. The system uses function extraction (FX) — a disruptive new technology platform that can detect and fix software-hardware issues before they become big problems. The system is designed to keep a step ahead of security threats rather than playing catch up as we are now doing.
Intrusion Prevention and Detection Are Key
Complexity within the smart grid boils down to several points. The “smart” part of the grid is a sensor talking to a communication link connected to a database. This is further simplified by the sensor and database information being basically a machine-to-machine application passing consistent data though the network.
In the simplest terms, security breaches occur basically for two reasons. The network wasn’t secure to begin with or someone got in that shouldn’t have. The industry separates these categories into two separate security solutions: One is called Intrusion Prevention Systems (IPS), and the other is called Intrusion Detection Systems (IDS). The two capabilities, combined in a security system, can pretty much keep the bad guys out.
The problem is we can no longer look at IPS and IDS solutions of the past when trying to secure the enormous amount of data now in the grid data. The old way of doing this is just too expensive, too complex, too slow and frankly doesn't get the job done. We must look for ways to simplify and improve security solutions.
New Applications Require New Thinking
Adding security solutions to the smart grid likely will be a massive task. With predictions of 1 trillion intelligent devices connected by 2015, we must learn quickly. These devices are no longer just computers or telephones. There are now billions of microchip devices with small processors offering specific “Internet of things” functionality that often doesn’t require any human intervention. These machine-to-machine devices are the new nerve endings of networks and applications; these devices offer intelligence to a variety of venues, from national critical infrastructure to intelligent home systems. The difference today is that we now have moved the demarcation of network intelligence from typical communication radios or gateways to intelligent microprocessing chips within smart devices. With this type of volume and small processing power, we need to look at new ways of adding security to intelligent networks and applications. Large companies like IBM, Lockheed Martin and Accenture are positioning themselves for a piece of this new $40 billion smart-grid security market. They are spending millions on development and are looking for partners and acquisitions in support of their solution product portfolios.
TLC Secure Inc., a company focusing on intrusion prevention in smart-grid security, looked at the potential complexity of managing Public Key Infrastructure and decided to offer a Layer 2 vendor and protocol-agnostic solution. Phil Smith CEO of TLC Secure Inc. said, "Sensors and their internal communication ports have been defined as the new point of breach in smart meters, as have SCADA operations in the smart grid. By encrypting at Layer 2, we secure everything above it and solve a lot of the vulnerabilities —and the problem of too much diversity and overcomplicated Layer 3 solutions with too little interoperability. This yields stronger blanket security, and greatly simplifies it as well.”
A white paper by John McNabb and companies like InGuardian and IOActive have already verified breaches in smart meters. Layer 3 network security alone is no longer the defining demarcation point of network security. Realizing this, TLC developed a security solution “offering true end-to-end IPS by securing the weakest link of smart networks, from database to the smart meter chipset."
Smart Networks Require Real-Time Detection
With many smart-grid database feeds now being real time, even Intrusion Detection System security needs to be looked at differently. A recent white paper written by Dr. David Chalk presented a new way of looking for real-time data anomalies, in a detection technique called “cyber forensics.” Rather than waiting for an unknown virus to be recognized by a massive global database, Decision Zone's approach historically mirrors what the smart application should be doing and then detects in real time any changes in these defined anomalies. Smart-grid sensor data is relatively simple and consistent, so these application parameters can be securely checked in control systems while flagging any changes in the defined application.
Chalk said, “Just the smart grid alone will collect massive amounts of data. With this much data being collected, typical IDS data-centric approaches for protection of the smart grid won't work. A paradigm shift to ‘process-based audit’ is needed. Decision Zone uses a discovery technology to generate the underlying process then adds a live causal audit application that can then identify any anomalous event to the underlying process prior to failure.“
We are trying to use older security technologies to secure more networks and network applications than we ever have. There is a rule of thumb in security that must be addressed if we are to move forward in protecting these massive intelligent networks: If we make the security solutions too expensive, too difficult to operate or too slow, people won't use them.
We must find simpler and more economical ways of addressing these critical needs in intelligent security. Securing the smart grid will be the defining proving ground for the new security solutions that will safeguard intelligent applications today and in the future. We need to focus on the funding and development of these critical security technologies if we are to enjoy the benefits of the future’s intelligent network applications.