https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/footer-logo.png
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Architecture
  • Engineering/Development
  • Security
ioti.com

Energy/Utilities


Getty Images

Image shows Chicago illuminated at night.

Energy Grid Security Gets More Challenging With IoT

With thousands of connected devices and broad geographical reach, energy grid security threats have multiplied.
  • Written by Rich Castagna
  • 18th August 2020

Key takeaways from this article include the following:

  • Power grids have turned into security minefields as utilities’ connected footprint expands. 
  • Utilities are susceptible to both cyber and physical threats.
  • To reduce risk, utilities should establish an accurate asset inventory and use internal training and education to offset lack of security expertise among staff. 

Today, IoT networks in the power utilities sector are besieged by myriad security threats. These assaults come from an assortment of malicious sources and target virtually every element of grid-based operations. And by their nature, the complex and wide-reaching networks that deliver power to billions of endpoints are perhaps among the most vulnerable. If that sounds dangerous, it should.

Grid operators are well aware of the perils that could disrupt their network operations and the reams of data they collect daily. Regardless of your enterprise’s vertical, if your infrastructure includes an IoT network, the challenges of securing it are usually exponentially greater than those associated with securing a traditional networked environment.

In a Siemens and the Ponemon Institute survey on utilities and cyberthreats 64% of responding utilities cited “sophisticated attacks” as a top challenge for their operational infrastructure. More than half of the respondents — 54% — glumly predicted that they expected “an attack on critical infrastructure” within 12 months.

The 1,700-plus respondents  had good reason for their concern and pessimism: 56% said their organizations had suffered at least one attack in the past 12 months that resulted in a loss of private data or that created an outage. Adding to their uneasiness is the estimate that 30% of cyberattacks on operational technology (OT) go undetected.

Yet another survey by 451 Research bolsters the premise that security is front of mind for utilities. Asked what they consider the biggest challenges related to deploying IoT technology, 42% ranked security concerns No. 1. 

Energy Sector Is More Threatened Than Ever

Various developments have turned energy environments into security minefields and are directly related to the changing nature and growing sophistication of utilities’ IoT-enabled grids.

“We see not just IoT but IIoT as presenting challenges for what was the traditional conceptual approach to thinking about cybersecurity, which was the concept of having a perimeter — and if you secured the perimeter and you did everything you could to make that as hard and robust and resilient as possible, then you were confident that your assets and your data inside of that network were protected,” noted Christine Hertzog, a principal technical leader focused on cybersecurity  at the Electric Power Research Institute (EPRI). 

But the concept of creating a secure network perimeter has lost relevance for energy utilities and other organizations given the rise of IoT connectivity, remote working and other factors. 

Grids also have a greater reach than just a few years ago, so they connect to more devices, partners and customers to both provide power and share data. These capabilities increase vulnerability, or what information security professionals refer to as a wider “attack surface.”  

“Five, ten years ago, you had a network that was not really instrumented with any digital devices, so it was all static and  physical security was really all they’re worried about,” said Mike Kelly, senior research analyst at Guidehouse. “But when you have billions of devices — whether on the power lines, at the substation, in the homes — you essentially have this entirely new network of devices that are vulnerable to attack.”

If there were any doubt about the dangers of proliferating devices, respondents in the Siemens/Ponemon survey underscored the issue when asked, “What makes the management of OT security challenging.” Three out five respondents noted an increase in sophisticated attacks as a chief concern while 55% singled out isolated and fragmented systems.  

With more consumers connecting to power grids via bidirectional smart meters, the utilities are collecting more user data than ever, so there needs to be greater focus on safeguarding customer information. But while smart meters are a relatively new technology, other components on the IoT networks hosting them might be older technology with less built-in security.

“That legacy equipment is either noncompute or compute-constrained in many cases and  …  and modern information security practice is 50 years ahead of when that device was installed,” said Christian Renaud, a research director at 451 Research. “The concern is the legacy brownfield of installed-base equipment and the rate at which it’s being refreshed.” Renaud notes that recent developments in the energy industry compound this old-gear/-new-threats situation: “Here’s this train that’s coming towards us at full speed [with] renewables, distributed energy, distributed storage, microgridding.”

Another factor that adds complexity to security efforts in energy is the increase in required network integrations. In addition to linking to smart meter-enabled customers, energy companies today are likely to interconnect with other utilities and distributed energy resources (DERs), as well as other entities in their supply chains. These represent a dual security responsibility — blocking threats that may originate in connected partners’ networks and ensuring that any internal attacks aren’t propagated to partners. 

Threats May Be Cyber or Physical

Energy companies are susceptible to the same types of destructive attacks that other businesses contend with, including ransomware, denial-of-service attacks and trojans that seize control of key management systems. A particularly destructive trojan might hijack the supervisory control and data acquisition (SCADA) application that provides the underlying management of grid activities. Insider threats must also be considered, whether intentional, socially engineered or accidental.

With enormous amounts of expensive equipment spread out over distances, physical security is still the principal concern for most energy outfits. Consider that a targeted sniper attack on a California grid caused an estimated $15 million in damages in 2013. In addition to vandalism, attempts to disrupt service, materials theft and natural disasters represent direct threats to continued operation.  

The NERC CIP Standards

After the great northeast blackout of 1965, a failure that created a chain reaction that plunged most of the northeastern U.S. and parts of Canada into darkness, the North American Electric Reliability Corporation (NERC) was formed to coordinate efforts to avoid another crisis of that magnitude.

NERC is a nonprofit that oversees large energy producers — the Bulk Electric System or BES — in Canada, Mexico and the U.S. It has developed a set of Critical Infrastructure Protection (CIP) standards that the BES community is expected to follow to protect the electrical grid. NERC promotes hundreds of standards, many which are mandatory and are backed by NERC’s ability to assess fines if a BES fails to comply.

The latest CIP installments, due to go into effect in 2020 and 2021, include four standards addressing cybersecurity related to the following:

  • Supply chain risk management.
  • Electronic security perimeters.
  • Configuration change management and vulnerability assessments.
  • Incident reporting and response planning.

The NERC CIP is a helpful framework, but like most standards intended to apply to a broad industry, they typically lack specificity but still takes time and money to ensure compliance. 

“Utilities spend a lot of manpower and a lot of capital … for compliance and reporting with NERC CIP,” said Guidehouse’s Kelly. “It takes a lot for them to comply and report, but it’s still insufficient if you actually look at the threat landscape.” 

451 Research’s Renaud notes that there’s a lot of “gray space” in the NERC CIP standards, but still considers them essential. “I would be more afraid of a world without that spec.” 

Integrating OT and IT

In some energy organizations, the traditional separation of operations technology personnel from information technology staff can exacerbate security efforts. Still, both groups rate security as a priority. When 451 Research’s survey asked what was most required from IT vendors to support IoT efforts, more than 48% of respondents cited security. On a similar question about OT vendor support for IoT, security was the top choice at slightly less than 47%. 

“The IT side has in years past received the lion’s share of attention around cybersecurity,” said Guidehouse’s Kelly. “But I would say that the convergence of IT and OT is forcing an increased look at the OT space.”

Overcoming traditional barriers to cooperation is essential to an effective security program. Activities such as updating operating systems, software and firmware, virus definitions and other threat metrics must be coordinated between IT and OT. 

Contributing to the coordination issues, the variety of physical devices in an energy IoT environment can lead to the implementation of specialized security applications, which complicates maintaining a secure environment. This is a major concern for energy organizations.

“Utilities may opt to just go for a bundled solution instead of trying to find the best of breed solution or tool in each category,” noted EPRI’s Hertzog. “They’re looking for who’s got more of a unified platform.”

Steps to Address Modern Security Issues

Ultimately, you need to know what you have installed and what it’s doing.

The day-to-day data from sensor technology and edge processing can create baselines for security apps. Once a baseline is in place, detecting anomalies that may indicate a breach in network defenses is feasible.

”The ideal,” said 451 Research’s Renaud, “is you start out with a really robust inventory. You have a lot of intrusion detection so you can see that rogue devices are not popping up on the network.”

The use of operational analytics to detect anomalies is the basis of artificial intelligence (AI) based automated threat mitigation (ATM) systems that can pore through reams of data and make nearly instantaneous decisions based on a security threat to operations.

ATM systems are leading-edge security technologies that have just emerged in the market. Their deployment may require a relatively sophisticated network environment. “I would call it a future state vision at this point in time,” Hertzog said, “and there will be many components involved in achieving that future state.”

ATMs thrive on vast amounts of data to make accurate decisions. 

“There is a huge increase in the volume and the velocity and the variety of data that’s  out there — more than humans are capable of managing and processing with our puny little brains,” Hertzog said. “So we really will need to rely on machines to help with validation and determining the veracity of that data.”

Newer technologies also provide built-in security capabilities, such as Wi-Fi’s device provisioning protocol, 5G broadband and application programming interfaces that ease app integration and security.

Avoid User Errors

Regardless of the degree of automation that may be achievable, human factors will always be a determining factor in the efficacy of security efforts. Energy firms, like organizations in most other industry sectors, often suffer from a shortage of security expertise, both among current staff and who’s available in the job market. Investments in internal training can develop internal security expertise; those investments include instructional costs and the cost of retaining newly trained personnel.

Education is also required among the nontechnical community so that users can routinely recognize threats such as phishing schemes and social engineering exploits. Multifactor authentication can help avoid security slip-ups that less comprehensive password protection may not prevent.  

Given the multitude of threats and the high stakes involved, energy utilities should ensure their cybersecurity program ensures resilience. Achieving the objective requires keeping pace with the evolving threat landscape while keeping tabs on their growing assets and their staff’s cyber savviness. Power utilities should also develop contingency plans for how to respond to successful attacks on their infrastructure. While it may not be possible to always stay one step ahead of malicious actors targeting the power grid, it’s certainly worth trying to do so.     

Tags: Remote monitoring Network security Energy/Utilities Other Content Features

Related


  • IoT platform for green energy
    IoT in Utilities Market Brings Resilience in Wake of COVID-19 Pressure
    On day two of IoT World Today, utility providers and experts discussed the pressures the industry has sustained in the wake of COVID-19.
  • Smart Grid Security Will Get Boost from AI and 5G
    The energy grid is poised for major change through such technologies as AI and 5G. But with advancements come new cybersecurity challenges.
  • Dark skyline
    Electric Grid Stability Assailed by Growing Challenges
    The twin threats of distributed energy resources and cyberwarfare threaten electric grid stability.
  • Image shows an abstract representation of solving problems using artificial intelligence to increase reliability and reduce losses and accidents during the transmission of electrical energy.
    Smart Energy Grids Become More Compelling
    As public utilities undergo fundamental shifts, intelligent technologies can help them address risks.

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • IoT Salary Survey Report
  • Energy Asset Performance Management to Take on Automation
  • Three Ways AI Is Creating Smarter Energy Operations
  • IoT-Based Monitoring Networks’ Role in Oil and Gas Industries

News

View all

Private LTE Market Projected to Grow to $13 Billion

12th January 2021

IoT World Announces 2021 IoT World Advisory Board

9th December 2020

White Papers

View all

The eSIM Cookbook – Towards the Next Generation of Connected Devices

22nd February 2021

eSIM Delivers Greater Freedom for OEMs – by Beecham Research and Truphone

22nd February 2021

Special Reports

View all

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

Webinars

View all

Weber’s Journey: How a Top Grill Maker Serves Up Connected Cooking

25th February 2021

From Insights to Action: Best Practices for Implementing Connected Device Security

15th December 2020

Galleries

View all

Top IoT Trends to Watch in 2020

26th January 2020

Five of the Most Promising Digital Health Technologies

14th January 2020

Industry Perspectives

View all

IoT Spending Holds Firm — Tempered by Dose of ‘IoT Pragmatism’

1st December 2020

The Great IoT Connectivity Lockdown

11th May 2020

Events

View all

IoT at the Edge

17th March 2021

Embedded IoT World 2021

28th April 2021 - 29th April 2021

IoT World 2021

2nd November 2021 - 4th November 2021

Twitter

IoTWorldToday, IoTWorldSeries

📢 Announcing #EIOTWORLD sponsor, @aicas_IoT — a flexible, more efficient approach to embedded realtime application… twitter.com/i/web/status/1…

4th March 2021
IoTWorldToday, IoTWorldSeries

Microsoft Ignite 2021: Innovation in COVID-19 Era Signals Future Trends dlvr.it/RtwYcg

4th March 2021
IoTWorldToday, IoTWorldSeries

At Microsoft Ignite: How IoT and Robotics Are Driving Industry 4.0 dlvr.it/Rttgwj

3rd March 2021
IoTWorldToday, IoTWorldSeries

🎙️ Introducing #EIOTWORLD speaker, Obinna Ilochonwu, Industrial IoT Architect at Schlumberger. 📅 Join his session… twitter.com/i/web/status/1…

2nd March 2021
IoTWorldToday, IoTWorldSeries

#Smartbuilding technology lays the foundation for #energyefficiency efforts but also new COVID-19 goals, such as… twitter.com/i/web/status/1…

2nd March 2021
IoTWorldToday, IoTWorldSeries

IoT Remote Monitoring Helps Enterprises Traverse COVID-19 and Beyond dlvr.it/RtZ3K5 https://t.co/owJXYf1gkO

26th February 2021
IoTWorldToday, IoTWorldSeries

Securing the Industrial Internet of Things dlvr.it/RtYfYk https://t.co/khUn79dvQD

26th February 2021
IoTWorldToday, IoTWorldSeries

📢 Announcing #EIOTWORLD sponsor, @BluetoothSIG — the global standard for simple, secure wireless connections. ➕ Le… twitter.com/i/web/status/1…

26th February 2021

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X