For nearly 100 years the electric grid protected itself from catastrophic malicious attack by a combination of perimeter security, intelligent security procedures and the industry’s own, hardened electromechanical infrastructure. Then came the Digital Age.
Skilled software coders and programmers now work to enhance functionality within and communication between turbines, boilers, generators, high voltage transmission lines and electricity distribution systems. The Internet of Things (IoT) enables instantaneous safety alerts, streamlines SCADA management and automates load balancing.
With improved computerization and communication, we have become painfully aware that the Digital Age brings with it new threats, vulnerabilities and exposures—the specter of a cybersecurity attack is real and palpable. Terror is more than a lone gunman or a team of suicide bombers. We no longer live in the days when gates, guards, barbed wire enclosed substation transformers, locks and clever safety switches define an acceptable level of security in the critical infrastructures which comprise our energy and electricity system.
The new Digital Age reality means that computer networks and peripherals are under constant attack from a variety of adversaries—amateur hackers, “hacktivists” (hackers claiming a moral agenda), purveyors of commercial espionage, criminal syndicates, state-sponsored intruders and state actors—planning ways of bringing chaos and harm to our infrastructure.
In the Digital Age, we have to be able to detect known vulnerabilities in the software we run, because some 80% of successful attacks utilize a known vulnerability. And, only the best state-of-the art-tool even detects these known vulnerabilities. We need to be able to identify the gaps in our cyber maturity, identify the not-yet-fully defined exposures, address insider threats, and devise a holistic proactive cybersecurity protection system. We need to understand that hackers seek DATA—certain types of data that may require extra protection. And, we need to understand the attack methods used by our adversaries. Few innovative providers have conceptualized such profound solutions. But looking for state-of-the-art solutions and innovation belies an unfortunate truth.
Time itself may be the most relentless intruder on the traditional, pre-digital era electric grid. Much of the U.S. grid infrastructure is aging beyond projected life expectancy. SCADA systems were originally designed as a closed system, typically, with no external electrical interfaces. Thus, SCADA system developers were not faced with the same security emphasis as developers of other interconnected systems. As SCADA systems, rich with relevant data are increasingly integrated into the overall enterprise architecture and performance, the SCADA systems, themselves, may harbor increased cyber threats. And as the Internet of Things (IoT) empowers new SCADA systems, we see more threats and exposures—and the constant presence of known vulnerabilities lurking below the source code in these systems.
According to the U.S. Department of Energy (DOE), projected costs to modernize the grid with new components and digital intelligence through 2040 exceed $1 trillion. Add more to include those best-in-breed cybersecurity protections, which the DOE underestimated.
Yet, in an ironic twist, the very technologies thrusting the grid towards modernization are simultaneously opening grid assets to both external and internal intruder access. The desirable push to “add intelligence” – i.e., hardware and software components – to every segment of the grid, from generation to transmission to distribution, has unleashed a wildfire of largely IP-based digital technologies ripe with promise, but also rife with potential system vulnerabilities. Many of these technologies are automated and wireless, adding fertile intrusion opportunities to the electric grid’s threat landscape. Mobile communications compound the risks facing enterprise management.
Digital intrusion into the grid threatens not only electronic data assets but could potentially damage physical plant. In 2010, the Stuxnet malware attack on the Natanz uranium enrichment plant in Iran increased valve pressure inside computer-controlled centrifuges that resulted in devastating damage to equipment. Hacking into airline computer systems has been shown to auger a future of hijacked airplane controls in flight.
Aramco experienced a massive system shut down arising from the actions of an employee zealot who introduced a virus via a thumb drive into the enterprise system. Command and control, administration, drilling, refining and distribution were all adversely affected.
Further challenging the emerging digital grid, distributed energy resources (DER) such as solar, wind, and energy storage are adding digital complexity to grid infrastructure, introducing new layers of intelligence and cyber complexity. These multi-directional load-side generation technologies bring with them the likelihood of emerging transactional energy markets based on instantaneous, high volume digital information exchange. Prime examples of vigorous DER rollout can be found across the nation from New York State’s Renewing the Energy Vision (NY REV) initiative to similar efforts spearheaded by Commonwealth Edison (ComEd) in Illinois and the California Public Utility Commission (CPUC) in California.
Digital technologies introducing potential intruder access onto the grid include IoT devices, Application Programming Interface (API) apps, Internet Protocol (IP) addresses, Secure Sockets Layer (SSL) certificates, and smart phone remote energy management systems (EMS), among others.
These technologies function on top of steadily evolving operating systems and software applications that require regular upgrades and patches. For cost reasons, legacy systems flourish in some corners of the enterprise network. How do you cost-efficiently manage those legacy systems without massive recapitalization of the hardware and software? How do you know that a patch for one problem does not contain a known vulnerability in the software solution provided, thereby awakening a new problem? Electric utilities must document all change management procedures, including software versions and patch updates, in order to comply with federal regulations. Soon, regular scans for known vulnerabilities in the software at all levels of generation and transmission will be an industry expected norm. Scans of new patches and new versions of software will be necessary to satisfy regulators. Shortly thereafter, assessing threats, exposures and vulnerabilities will become standard operating procedure.
The U.S. National Institute of Standards and Technology (NIST) maintains a publicly-available database of known software vulnerabilities. Private cybersecurity firms maintain their own vulnerability data bases. As software evolves, so must strategies to discover known and unknown vulnerabilities. A known vulnerability lurking beneath the source code offers up a 24/7 attack vector for any malfeasor, sitting anywhere in the world.
Cybersecurity strategists must keep pace with – indeed, anticipate – the feverish pace of digital technology development. Each layer of the IP stack on which these technologies function offers hackers potential attack vectors into the emerging Smart Grid. Chip-laden computer boards integrated into a grid component – a transformer, a recloser, a circuit breaker – a represents a potential pathway into which hackers can gain entry to gather sensitive information or disrupt grid operations. Compliance with NERC and FERC regulations should be considered only a starting point toward true system security. In the ever-evolving digital age, regulations always lag behind rapid technology advancement and intensifying intruder strategies. Every power plant and interconnect now needs a brain trust which includes a lawyer, an insurance expert and a cybersecurity team.
The job for in-house cybersecurity experts such as Chief Information and Security Officers (CISOs) and Chief Risk Officers (CROs) is becoming overwhelming. New technologies need to be evaluated. More reporting is required. Compliance with federal regulations is mandatory. Who can be trusted to remediate the vulnerabilities which have been detected? Most CISOs and CROs know that they must move beyond mere incident response detection and triage to proactively identify and prevent data breaches and system disruptions before hackers can act. Vigilant automated and human system monitoring with sophisticated proactive cyber visibility tools should be a key component of every security strategy.
Equally vital to securing data and communication systems, organizations must recognize the wisdom of implementing a holistic approach to achieving their unique cybersecurity needs. Thinking in new ways about information flow, the data contained on the system, attack vectors arising from known and not yet fully documented vulnerabilities is essential. Genuinely proactive cybersecurity systems, not those which are mere marketing name-calling, may empower generation and transmission companies to defend against known vulnerabilities or threats, but also to use creative methods and products to reduce the overall attack surface presented to any bad actor. Policies, procedures, training, encryption and other tools are key elements of a holistic approach. Other advanced technologies are also available, but one needs a Sherpa to show the way.
For genuine cybersecurity: It takes a village—but the village leaders are discretely defined: a cybersecurity expert, an insurance professional and a skilled attorney. For the CISO’s, decision-making, defining access privileges based on trust levels which conform to an enterprise’s organizational structure are the new realities of life which allow companies to streamline and to establish effective internal controls, cyber task ownership, and cross-silo communication between management, business, IT and operations (IT/OT).
The question we face is whether The Digital Age will give rise to A Brave New World or simply to The Digital Age with Effective Cybersecurity.
*Vulnerable systems include: SCADA, Command and Control Centers, IT Enterprises, Third Party vendors, computer networks, telecommunications networks, peer networks, external status systems, etc.
Read the full article at energycentral.com.