Energy Grid Security Gets More Challenging With IoT
Key takeaways from this article include the following:
- Power grids have turned into security minefields as utilities’ connected footprint expands.
- Utilities are susceptible to both cyber and physical threats.
- To reduce risk, utilities should establish an accurate asset inventory and use internal training and education to offset lack of security expertise among staff.
Today, IoT networks in the power utilities sector are besieged by myriad security threats. These assaults come from an assortment of malicious sources and target virtually every element of grid-based operations. And by their nature, the complex and wide-reaching networks that deliver power to billions of endpoints are perhaps among the most vulnerable. If that sounds dangerous, it should.
Grid operators are well aware of the perils that could disrupt their network operations and the reams of data they collect daily. Regardless of your enterprise’s vertical, if your infrastructure includes an IoT network, the challenges of securing it are usually exponentially greater than those associated with securing a traditional networked environment.
In a Siemens and the Ponemon Institute survey on utilities and cyberthreats 64% of responding utilities cited “sophisticated attacks” as a top challenge for their operational infrastructure. More than half of the respondents — 54% — glumly predicted that they expected “an attack on critical infrastructure” within 12 months.
The 1,700-plus respondents had good reason for their concern and pessimism: 56% said their organizations had suffered at least one attack in the past 12 months that resulted in a loss of private data or that created an outage. Adding to their uneasiness is the estimate that 30% of cyberattacks on operational technology (OT) go undetected.
Yet another survey by 451 Research bolsters the premise that security is front of mind for utilities. Asked what they consider the biggest challenges related to deploying IoT technology, 42% ranked security concerns No. 1.
Energy Sector Is More Threatened Than Ever
Various developments have turned energy environments into security minefields and are directly related to the changing nature and growing sophistication of utilities’ IoT-enabled grids.
“We see not just IoT but IIoT as presenting challenges for what was the traditional conceptual approach to thinking about cybersecurity, which was the concept of having a perimeter — and if you secured the perimeter and you did everything you could to make that as hard and robust and resilient as possible, then you were confident that your assets and your data inside of that network were protected,” noted Christine Hertzog, a principal technical leader focused on cybersecurity at the Electric Power Research Institute (EPRI).
But the concept of creating a secure network perimeter has lost relevance for energy utilities and other organizations given the rise of IoT connectivity, remote working and other factors.
Grids also have a greater reach than just a few years ago, so they connect to more devices, partners and customers to both provide power and share data. These capabilities increase vulnerability, or what information security professionals refer to as a wider “attack surface.”
“Five, ten years ago, you had a network that was not really instrumented with any digital devices, so it was all static and physical security was really all they’re worried about,” said Mike Kelly, senior research analyst at Guidehouse. “But when you have billions of devices — whether on the power lines, at the substation, in the homes — you essentially have this entirely new network of devices that are vulnerable to attack.”
If there were any doubt about the dangers of proliferating devices, respondents in the Siemens/Ponemon survey underscored the issue when asked, “What makes the management of OT security challenging.” Three out five respondents noted an increase in sophisticated attacks as a chief concern while 55% singled out isolated and fragmented systems.
With more consumers connecting to power grids via bidirectional smart meters, the utilities are collecting more user data than ever, so there needs to be greater focus on safeguarding customer information. But while smart meters are a relatively new technology, other components on the IoT networks hosting them might be older technology with less built-in security.
“That legacy equipment is either noncompute or compute-constrained in many cases and … and modern information security practice is 50 years ahead of when that device was installed,” said Christian Renaud, a research director at 451 Research. “The concern is the legacy brownfield of installed-base equipment and the rate at which it’s being refreshed.” Renaud notes that recent developments in the energy industry compound this old-gear/-new-threats situation: “Here’s this train that’s coming towards us at full speed [with] renewables, distributed energy, distributed storage, microgridding.”
Another factor that adds complexity to security efforts in energy is the increase in required network integrations. In addition to linking to smart meter-enabled customers, energy companies today are likely to interconnect with other utilities and distributed energy resources (DERs), as well as other entities in their supply chains. These represent a dual security responsibility — blocking threats that may originate in connected partners’ networks and ensuring that any internal attacks aren’t propagated to partners.
Threats May Be Cyber or Physical
Energy companies are susceptible to the same types of destructive attacks that other businesses contend with, including ransomware, denial-of-service attacks and trojans that seize control of key management systems. A particularly destructive trojan might hijack the supervisory control and data acquisition (SCADA) application that provides the underlying management of grid activities. Insider threats must also be considered, whether intentional, socially engineered or accidental.
With enormous amounts of expensive equipment spread out over distances, physical security is still the principal concern for most energy outfits. Consider that a targeted sniper attack on a California grid caused an estimated $15 million in damages in 2013. In addition to vandalism, attempts to disrupt service, materials theft and natural disasters represent direct threats to continued operation.
The NERC CIP Standards
After the great northeast blackout of 1965, a failure that created a chain reaction that plunged most of the northeastern U.S. and parts of Canada into darkness, the North American Electric Reliability Corporation (NERC) was formed to coordinate efforts to avoid another crisis of that magnitude.
NERC is a nonprofit that oversees large energy producers — the Bulk Electric System or BES — in Canada, Mexico and the U.S. It has developed a set of Critical Infrastructure Protection (CIP) standards that the BES community is expected to follow to protect the electrical grid. NERC promotes hundreds of standards, many which are mandatory and are backed by NERC’s ability to assess fines if a BES fails to comply.
The latest CIP installments, due to go into effect in 2020 and 2021, include four standards addressing cybersecurity related to the following:
- Supply chain risk management.
- Electronic security perimeters.
- Configuration change management and vulnerability assessments.
- Incident reporting and response planning.
The NERC CIP is a helpful framework, but like most standards intended to apply to a broad industry, they typically lack specificity but still takes time and money to ensure compliance.
“Utilities spend a lot of manpower and a lot of capital … for compliance and reporting with NERC CIP,” said Guidehouse’s Kelly. “It takes a lot for them to comply and report, but it’s still insufficient if you actually look at the threat landscape.”
451 Research’s Renaud notes that there’s a lot of “gray space” in the NERC CIP standards, but still considers them essential. “I would be more afraid of a world without that spec.”
Integrating OT and IT
In some energy organizations, the traditional separation of operations technology personnel from information technology staff can exacerbate security efforts. Still, both groups rate security as a priority. When 451 Research’s survey asked what was most required from IT vendors to support IoT efforts, more than 48% of respondents cited security. On a similar question about OT vendor support for IoT, security was the top choice at slightly less than 47%.
“The IT side has in years past received the lion’s share of attention around cybersecurity,” said Guidehouse’s Kelly. “But I would say that the convergence of IT and OT is forcing an increased look at the OT space.”
Overcoming traditional barriers to cooperation is essential to an effective security program. Activities such as updating operating systems, software and firmware, virus definitions and other threat metrics must be coordinated between IT and OT.
Contributing to the coordination issues, the variety of physical devices in an energy IoT environment can lead to the implementation of specialized security applications, which complicates maintaining a secure environment. This is a major concern for energy organizations.
“Utilities may opt to just go for a bundled solution instead of trying to find the best of breed solution or tool in each category,” noted EPRI’s Hertzog. “They’re looking for who’s got more of a unified platform.”
Steps to Address Modern Security Issues
Ultimately, you need to know what you have installed and what it’s doing.
The day-to-day data from sensor technology and edge processing can create baselines for security apps. Once a baseline is in place, detecting anomalies that may indicate a breach in network defenses is feasible.
”The ideal,” said 451 Research’s Renaud, “is you start out with a really robust inventory. You have a lot of intrusion detection so you can see that rogue devices are not popping up on the network.”
The use of operational analytics to detect anomalies is the basis of artificial intelligence (AI) based automated threat mitigation (ATM) systems that can pore through reams of data and make nearly instantaneous decisions based on a security threat to operations.
ATM systems are leading-edge security technologies that have just emerged in the market. Their deployment may require a relatively sophisticated network environment. “I would call it a future state vision at this point in time,” Hertzog said, “and there will be many components involved in achieving that future state.”
ATMs thrive on vast amounts of data to make accurate decisions.
“There is a huge increase in the volume and the velocity and the variety of data that’s out there — more than humans are capable of managing and processing with our puny little brains,” Hertzog said. “So we really will need to rely on machines to help with validation and determining the veracity of that data.”
Newer technologies also provide built-in security capabilities, such as Wi-Fi’s device provisioning protocol, 5G broadband and application programming interfaces that ease app integration and security.
Avoid User Errors
Regardless of the degree of automation that may be achievable, human factors will always be a determining factor in the efficacy of security efforts. Energy firms, like organizations in most other industry sectors, often suffer from a shortage of security expertise, both among current staff and who’s available in the job market. Investments in internal training can develop internal security expertise; those investments include instructional costs and the cost of retaining newly trained personnel.
Education is also required among the nontechnical community so that users can routinely recognize threats such as phishing schemes and social engineering exploits. Multifactor authentication can help avoid security slip-ups that less comprehensive password protection may not prevent.
Given the multitude of threats and the high stakes involved, energy utilities should ensure their cybersecurity program ensures resilience. Achieving the objective requires keeping pace with the evolving threat landscape while keeping tabs on their growing assets and their staff’s cyber savviness. Power utilities should also develop contingency plans for how to respond to successful attacks on their infrastructure. While it may not be possible to always stay one step ahead of malicious actors targeting the power grid, it’s certainly worth trying to do so.