April 18, 2012 By Larry Karisny
Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.
With former CIA director R. James Woolsey, Jr., wanting to attack smart grid security threats -- the FBI documenting low- and high-tech electrical theft, and Homeland Security reporting 86 attacks on computer systems in the United States that control critical infrastructure, factories and databases -- you would think that the deployment of smart-grid security would be put on the fast track to an immediate solution. Well let's see.
The Smart-Grid Security Circus
If you were to review where we are today in addressing the need for cyber security in our power grid you would find a lot of starts, changes, delays and even do-overs. NERC Critical Infrastructure Protection (CIP) is working on version 5 of its cyber security compliance, and release 2.0 of the NIST Framework that includes updates to many of the 75 standards from Release 1.0 while adding 22 more. To add to the confusion, there is a brand new organization creating new alliances to support the certification and promotion of an interconnect standard for wireless smart-grid devices. The cost and time of trying to become compliant with these guidelines and standards will put smart-grid security years off before it can achieve any agreed-upon security solutions. With immediate security needs evident, there must be a way out of what people in the security business are now calling the "smart grid security circus."
We can’t just throw something on the wall when it comes to critical infrastructure security, but business as usual isn’t going to help either. The bureaucracies and oversight groups are becoming so numerous that large organizations can't get anything done and small entrepreneurs -- that may be holding the solution in hand -- can't afford the time and cost of going through the endless oversight, compliance and standards processes. No one knows this better the EnerNex, a company that offers innovative and professional electric power research, engineering and consulting services to government, utilities, industry and private institutions. In a discussion with Erich Gunther, Chairman and CTO of EnerNex, he stated "simply being compliant with a security standard such as NERC CIP doesn't mean that your grid is secure."
“While I would never characterize the grids as bulletproof," said Pike Research Analyst Bob Lockhart, "I believe that the operations teams have built in safeguards at the physical level that we don’t understand. That still doesn’t excuse the behavior regarding cyber security. Also the lack of standards – other than CIP, which considers distribution grids out of scope – hinders almost everybody from making a decision. You might check out the white paper we just released – my section (trend #4) addresses that.”
Robert Former, head of security research and testing at Itron, said the smart grid security circus is "The sound of [a] paradigm shifting without a clutch,” Former -- quoted in a blog -- continued: “Utilities have to be more enterprise security-aware. With these incidents at organizations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we’re going to fix a security problem is to expose it.” The key words in this quote are "paradigm shift," "cover up," and "exposure." These words require drastic change in what and how things are currently done in addressing smart-grid security.
Change is a Security Requirement not a Luxury
There are those saying that power grid security could best be addressed by not changing and keeping legacy power grid-island security (standalone service centers not interconnected) or that smart meters should be kept dumb. I can assure you these are just not viable options. We need to first consider the tremendous benefits that would be lost and minimally the economic efficiency, stability and security that could not be achieved if we kept legacy systems in place. In security, for instance, both legacy electromechanical and digital smart meters can be breached by rather low-tech methods at the meter location. The only way the breach could be remotely detected is if the breach was realtime and intelligently connected to the smart grid. I referred to these new intrusion prevention systems (IPS) and intrusion detection systems (IDS) security capabilities in my last article, “Smart-Grid Security Will Force New Ways of Thinking.” Electrical theft including legacy meters in India is estimated at 40 percent and is the main reason they are adding intelligence to their power grid. From simple theft to international espionage, there are too many critical security benefits offered by power-grid intelligence to turn back to legacy operations that may seem secure. We must move forward in deploying the required changes to rapidly support current and future requirements in securing needed power-grid intelligence.
We Are Securing System Architecture
System security was the big disconnect that I saw on the smart grid. Coming from a network background, my initial discussions with power companies and meter companies were a little confusing at best. After many discussions and a few explanations, I at last found that today's power grid is just a bunch of sometimes connected operational islands. From the stand-alone power substation to the dumb power meters, in most cases nothing was connected to nothing. With this type of stand-alone system background it was no surprise to me that there was limited knowledge of network and system security and some rather different ways of addressing power grid security though physical operational security.
So we went from nothing to securely connecting sometimes real-time data from every home to a limited and sometimes non-existent power company network infrastructure. This was a bit much for power companies to address all at one time while looking at staged-system approaches in building both network and system security. Even meter companies merging with wireless mesh and modular gateway companies are just now starting work with security software and chip-set companies in addressing these new system architectures. In fact Pike Research has identified the "system architecture" approach as one of the top 10 smart grid trends to watch in 2012.
Can Current Legacy Security Technologies Secure the Smart Grid?
To properly answer this security question I think we need to look at two critical requirements that have changed in the smart grid. If the network demarcation is now the smart-meter optical-communication port, then what are you connecting your smart meter to? This new and previously undetected network edge point of breach is now the new end of true end-to-end smart-grid security. This now changes the end point of intrusion prevention system security and the technologies that can achieve it. Two, internal and external real-time network and business process security requires real-time intrusion detection system security.
This changes current IDS solutions that currently collect historical intrusion data and now requires the capabilities of addressing real-time anomaly detection and even predictive security breach capabilities. Few IPS and IDS security solutions even offer the capability of these true end-to-end and real-time data-security requirements. We are reaching a new need and maybe a new way to address these new security requirements.
As power company and communication companies go through their collaboration culture shock, security companies who historically never talk to each other are going through theirs too. They now must now all collaborate on new security requirements and open the doors on how to achieve them. Even current security solution companies must change their way of looking at security if they are expecting to address the unique security requirements of the smart grid.
Conclusion and Recommendations
I can't emphasize enough the importance of moving forward in addressing these critical smart-grid security requirements. After covering this security issue for a few years I have come to the conclusion that we are still fighting the uncomfortable issue of change rather than keeping our eye on what we are trying to accomplish. Sometimes we are dealing with more people than technology issues and sometimes too much technology and not enough people issues. To this I offer these suggestions in adjusting to change while staying focused on the goal.
1. Don’t surrender to complaints
People are normally suspicious of change especially when it involves big business and big government. From discredited wireless radiation concerns to personal privacy issues, the hype of these complaints many times outweigh the facts. The complainer and naysayer often do not have the whole or big picture. Given the opportunity they should be asked would they be willing to pay 4 times as much for electricity by not having the smart grid? Change is something that is difficult for both energy producers and energy users. With change comes complaints and suggestions, both of which have value in tweaking the proper goal without drastically changing or eliminating it.
2. Remember you are your history
The power generation and distribution companies have a tremendous history of innovation with safety and security always the top priority. This track record should be leveraged with the understanding it started with people complaining that electricity was too dangerous to distribute. These people and technical challenges were no different than the difficulties that power companies had to address in the beginning of electric power production, transmission and distribution in the past. Today’s electric power industry needs to be addressed with the same creative innovation and leadership that was done in the past.
3. Expect the unexpected
When deploying new technologies you should expect and be prepared for the unexpected. For instance when we put IPS and IDS security in the network, these technologies should be able to adapt rapidly (if not real time) to any needed changes that occur in the smart grid. If current security technologies do not offer these capabilities, do not underestimate that you may need a complete paradigm shift to achieve the needed security requirements. Paradigm shifts are not always comfortable or easily understood but are sometimes the only avenue of doing things right.
4. Know elements of victory
Government and communication companies invading the power companies space was at best uncomfortable. We should recognize the differences between government, companies and technology providers but never take a “are you for us or against us” attitude. People must work together, carefully listening with proper leadership in charge following the plan. That is when things get accomplished. That's when victory occurs.
5. Don’t fall short of your goal
I am shocked when I hear comments from the naysayers of the smart grid that think we can just stay at status quo. We need to focus on the goal and the tremendous benefits the smart grid will bring and address the critical security issues it now faces that could flat out just turn it off. Like power companies did in the past, they simply need to step up and try again.