Near chaos. That's the current state of security for smart grids, according to Pike Research. A recent report by the research firm finds that a lack of security standards, a hodgepodge of products and increasingly aggressive malicious hackers will make 2012 a challenging year for securing smart grids. (A smart grid uses IT and smart meters in an effort to make electric utilities more efficient, reliable and sustainable.)
"After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended," says Bob Lockhart, an analyst at Pike Research.
But he adds: "There is hope." Lockhart says there's a "dawning awareness by utilities during the past 18 months of the importance of securing smart grids with architecturally sound solutions."
Smart-grid pioneer Andres Carvallo, a former CIO at Austin Energy and co-author of
Looking at the current state of affairs, Carvallo says "security from the application data center to the utility sub-station is pretty good." However, he says "security from edge devices back to the sub-station and/or data center needs a lot of work."
The hackers aren't waiting. "Development of cybersecurity solutions and standards has somewhat stalled, while the attackers are steaming ahead at full speed," Lockhart says. "While we do have lots of good point solutions available," he says, "they are just that: point solutions." The problem is that hackers find the gaps between those products.
Lockhart says that, outside of defense agencies, it's rare to find a utility with a well-planned smart grid security program that integrates those products into a working whole.
There's also a danger of overlooking the insider threat. "Most people believe smart grid security is for only viruses and worms from hostile governments and terrorist groups," says Joshua Flood, an analyst at ABI Research. "However, one of the main reasons for increased spending on smart grid security software and management systems is simply to make sure the correct people have access to the equipment and systems they should have access to." Among other things, this means protecting systems from disgruntled employees or others who might commit internal sabotage, Flood says.
Security Standards Need Teeth
The Pike Research report suggests that the lack of enforceable security standards or regulations for power distribution grids "leads to a scene of mass chaos in utility cybersecurity" and will cause utilities to take a wait-and-see approach to significant security investments.
So far, most utilities are focusing on the North American Electric Reliability Corp.'s critical infrastructure protection program (NERC CIP), which applies only to generation and transmission and is the only current standard that has "the teeth to result in fines for noncompliance," the report says.
But utilities should look beyond regulatory compliance and take a more holistic, risk assessment approach, analysts say. Utilities need to establish (and continually refine) an "organization-wide risk management program, policies and processes to prepare for, react to, and recover from adverse cybersecurity events," says Marianne Swanson, senior advisor for information system security at the National Institute of Standards and Technology (NIST).
NIST and other government agencies have written useful documents about power grid security and risk management, but the Pike Research report notes that they are merely recommendations.
To complicate matters further, there are differences between the security standards in the U.S. and the rest of the world, Flood says.
"We need similar standards worldwide, and although organizations such as the European Union's Smart Grid Coordination Group are working with NIST closely, we still need greater progress in Europe on smart grid security," he says. "However, with current economic problems in the euro zone, less effort and time will be spent on the smart grid than needed."
Securing industrial control systems such as SCADA (supervisory control and data acquisition) also remains a challenge for utilities, according to Lockhart, but there is little agreement about what to do about it.
A major factor, Lockhart explains, is that many SCADA systems were deployed without any security whatsoever in the mistaken belief that SCADA would always be isolated from the Internet.
"Even when it is, attacks such as Stuxnet can circumvent the isolation by using USB memory sticks to spread," he says. He adds that SCADA networks can have many old serial protocol devices that have no hope of running any security software, let alone producing event logs for forensics.
Technical Fix for Security Risks?
"There are lots of good technologies available now but none is a silver bullet," Lockhart says. "As with any environment, security requires risk assessment, policies, and an architecture before you start specifying products."
That said, Lockhart lists five promising technologies for utility cybersecurity over the next few years:
- Multi-factor authentication: This will help ensure that a stolen password is not enough to allow an attack against a grid or a control console from the other side of the world.
- Control network isolation: A firewall can make sure that enterprise IT traffic does not end up on the utility's control network.
- Application white-listing: White-listing prevents the execution of malware by identifying "a list of permitted actions on a host and allows nothing else," says the Pike Research report.
- Data encryption at rest and in transit: This approach not only protects data confidentiality, it also helps ensure the integrity of data from devices such as smart meters, temperature sensors and flow meters.
- Event correlation: This can be especially useful for identifying the source of attacks and in some cases preventing them.
People Biggest Security Problem
Perhaps the biggest security hurdle facing utilities is the cultural divide between IT teams and utility operations teams, says Lockhart.
"One side understands how enterprise IT networks operate," he says. "The other side understands how distribution and transmission grids function. There is not that much overlap between the two, but each has the opportunity to make the other's life truly miserable."
Lockhart observes that the most progressive utilities have realized that cybersecurity discussions must include both IT experts and operations experts, but other utilities are lagging in this regard.
"From my research, there are still some utilities where those two teams are not on speaking terms," he says. "Many security vendors tell me that when they visit utilities, they are only seeing the CIO or chief security officer."
Mark Rowh is a freelance writer based in Virginia.