Navigant Research Blog

Unisys Plunges into Smart Grid Security

— September 10, 2014

Unisys recently entered the smart grid cyber security market with a white paper, titled Innovatively Evade Energy and Utility Cyber-Assaults, which introduces its cyber security offering, Unisys Stealth.  Unlike many other mainstream security companies that have attempted to enter utility cyber security, Unisys appears to understand that control systems are different and need to be thought about differently.

The paper lists six threats that smart grids face.  One is modernization – although, without modernization, there is no smart grid.  It is a necessary evil.  This section begins, “Paradoxically, modernization within the industry is also introducing new vulnerabilities.”  Of course.  When you replace an electromechanical device with an IT-enabled device, it’s a given that the IT threat vectors will increase substantially.  As I pointed out in a recent blog, there are indeed new risks, but they are more than offset by new benefits.

The same paragraph continues by explaining that these industrial control systems (ICSs) are “often subject to periodic patches and firmware upgrades.”  There is a common misconception among enterprise IT security practitioners that control systems are patched in the same way as enterprise IT systems – but that’s not the case.  Many control systems have one maintenance window every 2 years, and that’s the only time they will be patched.  We don’t do Black Tuesday in the control system world.

Insecure Legacy

Unisys accurately states that many existing cyber security technologies are reactive and, therefore, are useless against unknown (zero-day) attacks.  However, this is not news to the ICS community, and application whitelisting and behavior-learning security tools that observe anomalous traffic have been in place for some time now.

I would also like to know if Stealth runs on its own hardware, and, if it runs in line with the control network, what kind of latency it adds to communications.

The white paper claims, “The primary reason for maintaining status quo regarding improved security is the concern that any new measure may introduce instability in highly reliable systems.”  I disagree; the primary reason that the status remains quo is lack of funding.  Whether that’s due to utilities being cash-strapped or security officers being unable to create a compelling business case for the funding is an open question.  The second reason for the status quo is that many devices are too old to have any security onboard but still have remaining service life and aren’t going anywhere.

Wide Screen

The strongest point that Unisys makes is that the main obstacle to winning the cyber war is a patchwork strategy.  This is the crux of control system cyber security.  My research in the past 18 months has uncovered a marked increase in the number of utilities asking for security architectures, for a single approach to security for their control systems.  Whether those architectures will translate to implementations is unclear.  But at least utilities are asking to see the big picture.  It would be good if Unisys offered to be part of that large-scale solution, but the conclusion of this white paper seems to say that Stealth is the solution.  All security vendors can be part of the solution.  None of them are the solution.

 

New Federal Standard Mandates Physical Grid Security

— August 12, 2014

The North American Electric Reliability Corporation (NERC) is currently drafting a physical security standard for approval by the Federal Energy Regulatory Commission (FERC).  This much needed proposed standard will eventually prescribe physical security for transmission stations and substations operating above 500 kV, and in some cases operating as low as 200 kV.  Say hello to NERC CIP-014-1.

The stated purpose of NERC CIP-014-1 is: “To identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or cascading within an interconnection.”

CIP-014-1, or “Sip Fourteen,” requires each transmission operator to perform an initial physical security risk assessment and periodic subsequent physical risk assessments.  Effective security proceeds from a thorough risk assessment – this is the right starting place.  Each risk assessment then requires an audit by a third party.  The plan goes on to require operators to define risk mitigation plans, to have those plans audited by a third party, and to then implement the plan.  Finally, a third party must validate that the plan has been properly implemented.

Not So Wide

This sounds like a long, drawn-out process, but it’s the right pathway: assess the risk, plan the mitigation, and then execute the plan.  Each step audited by a non-affiliated third party.  Security done right.

The FERC liked NERC’s proposal except for one word: widespread.  Where the FERC had directed NERC to develop a plan that requires “identification of facilities whose loss could result in instability, uncontrolled separation, or cascading failures,” NERC modified the requirement to prevent widespread instability.  The FERC rejected this: “The term ‘widespread’ is undefined and could potentially render the Reliability Standard unenforceable or could lead to an inadequate level of reliability by omitting facilities that are critical to the reliable operation of the Bulk-Power System.”

In other words, the FERC is nervous that any given utility may choose to define widespread instability as a total global blackout, making anything less severe outside the scope of this standard.  There’s a precedent for this: the original deployment of NERC CIP standards resulted in 77% of U.S. utilities claiming that they had no critical cyber assets and were therefore automatically NERC CIP-compliant without taking any action.  It’s not exactly back to the drawing board for NERC, as the FERC praised much of NERC’s proposed standard, but it is one more go-round of comments, proposals, and approval.  And to the FERC: Good catch!

Plan B

One other much welcomed bit of goodness in the proposal is resiliency.  The FERC writes in its comments, “Resiliency is as, or even more, important than physical security given that physical security cannot protect against all possible attacks.”  Amen and hallelujah!  As we learned with the Metcalf Substation in April 2013, some kinetic attacks cannot be prevented.  But Pacific Gas and Electric (PG&E) had enough network resiliency in place that even the loss of a large substation resulted in not one outage.  PG&E knew: you can’t hold off all the attackers, but you can have a Plan B in place to deal with their damage.  And if that Plan B is automated, so much the better.

 

Security Risks of Smart Meters Not New

— August 5, 2014

Recently, the Insurance Journal weighed in on the threats introduced by smart meters.  While I agree that smart metering presents risks both cyber and financial, I submit that many of those risks are merely new flavors of risks that have existed for decades.  And smart meters also introduce benefits that more than offset those threats.

The article seems to equate smart meters with the Internet, though we have yet to find any utility that is actually connecting its meters to the Internet.  (There are utility control systems connected to the Internet, most of which are known to hostile nation-states.)  And it also conflates a number of unrelated topics.  For example, the author cites the recent Havex Trojan, which attacks SCADA systems, not smart meters.  Likewise, the article mentions Stuxnet, which was directed at uranium enrichment centrifuges.  Stuxnet is a cautionary tale for anyone managing a control system, but smart metering networks are not control networks.  Still, the Insurance Journal explores situations worth considering.

Uneasy in the Islands

The successful meter attack described, citing Brian Krebs’ excellent analysis (written 2 years ago), occurred in Puerto Rico.  In that case, former employees of a local utility offered to reprogram residents’ smart meters via the meters’ optical diagnostics port.  For a fee ranging from $300 to $1,000, the technicians would reprogram the meters to under-report energy usage, resulting in a lower electricity bill every month.  This attack had nothing to do with the Internet.

The key to dealing with cyber risks is taking a big picture view of the situation.  In Puerto Rico, the fraud would have been easy to detect.  Utilities can put an additional smart meter at each transformer to measure total energy distributed to the customers on that transformer’s circuit.  When the total energy metered for all the individual customers is less than the total measured at the transformer, clearly something is wrong.  It may or may not be fraud, but it can be identified quickly by the technology described in Navigant Research’s report, Meter Data Management.  The $400 million lost in Puerto Rico indicates that the fraud may have persisted for months or years.  That sum is about 10% of Puerto Rico Electric Power Authority’s (PREPA’s) annual revenue – which seems awfully large to fly under the radar.
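The transformer-level check described above, sketched as an added example (not code from the post or from the Navigant Research report it cites). The 3% loss tolerance, the meter and transformer identifiers, and all readings are assumptions constructed for illustration; ranking meters by their drop against their own prior period goes one step beyond what the post describes.

```python
from collections import defaultdict

# Assumption (not in the post): normal line losses stay under 3% of delivered energy.
LOSS_TOLERANCE = 0.03

def reconcile(delivered_kwh, meter_kwh, topology, tolerance=LOSS_TOLERANCE):
    """Compare energy delivered by each transformer with the sum of its customer meters."""
    billed = defaultdict(float)
    for meter, kwh in meter_kwh.items():
        # Meters missing from the topology are kept out of every real transformer's total.
        billed[topology.get(meter, "UNMAPPED")] += kwh
    report = {}
    for tx, delivered in delivered_kwh.items():
        gap = delivered - billed[tx]
        if delivered <= 0:
            status = "no_data"          # transformer meter silent: cannot reconcile
        elif gap / delivered > tolerance:
            status = "investigate"      # customers report less than was delivered
        elif gap / delivered < -tolerance:
            status = "check_topology"   # customers report more: likely a wrong mapping
        else:
            status = "ok"
        report[tx] = {"status": status, "gap_kwh": gap}
    return report

def rank_suspects(tx, meter_kwh, prior_kwh, topology):
    """Order one transformer's meters by fractional drop against their own prior period."""
    drops = []
    for meter, kwh in meter_kwh.items():
        prior = prior_kwh.get(meter, 0.0)
        if topology.get(meter) == tx and prior > 0:
            drops.append((meter, round((prior - kwh) / prior, 3)))
    return sorted(drops, key=lambda d: d[1], reverse=True)

# Constructed sample data for one billing period (kWh); every identifier is made up.
TOPOLOGY = {"M1": "TX-1", "M2": "TX-1", "M3": "TX-1", "M4": "TX-1",
            "M5": "TX-2", "M6": "TX-2", "M7": "TX-2"}
DELIVERED = {"TX-1": 1000.0, "TX-2": 800.0}
CURRENT = {"M1": 240.0, "M2": 250.0, "M3": 245.0, "M4": 248.0,
           "M5": 260.0, "M6": 255.0, "M7": 90.0}
PRIOR = {"M5": 258.0, "M6": 250.0, "M7": 270.0}

if __name__ == "__main__":
    for tx, row in reconcile(DELIVERED, CURRENT, TOPOLOGY).items():
        print(tx, row)
    print(rank_suspects("TX-2", CURRENT, PRIOR, TOPOLOGY))
```

A flagged transformer is a lead for investigation rather than proof of fraud, as the post notes; a faulty meter or an outdated meter-to-transformer mapping produces the same gap.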

Finding Walter White

Smart meters provide other fraud detection capabilities that their electromechanical forebears do not.  One example is credit and collections.  Smart meters typically report energy consumption every 15 minutes.  So, for a customer who is already delinquent and is currently having a large spike in energy consumption (this is a common attribute of illegal activity, such as meth labs), smart meters enable utilities to detect these situations and initiate collection or disconnect activities immediately.  This approach is impossible with monthly-read electromechanical meters.  Plus, remotely disconnecting criminal activities is safer for the utility workforce.

For sure, smart meters introduce attack vectors that did not exist before.  This is a common byproduct of new technology.  Identity theft was much more challenging before we had the Internet – yet, there are few, if any, movements to shut down the Internet because of identity theft.

The Insurance Journal article does quote Navigant Research’s market forecast for global smart meter deployment.  The 1.1 billion smart meters expected to be deployed by 2022 should indicate that it’s time to stop worrying about smart meter security and just get on with it.

 

Cloud Security Reaches New Heights

— June 12, 2014

I have consistently taken the contrarian position that cloud computing is more secure than in-house deployments.  That’s only contrarian in terms of public opinion – to me it makes perfect sense that a cloud service provider will be more attentive to cyber security than a utility.  For a cloud provider, cyber security is a core competency.  For a utility, it is not.

This week I stumbled upon what I hope will be compelling evidence that cloud computing is secure enough for utilities.  Namely: a complete do-it-yourself cybercrime service, which even includes 1 year’s hosting.  That means: the criminal activities run in a cloud.  And don’t worry, clicking on that link will only take you to a story about the DIY service, not the service itself – so you won’t end up on an FBI watchlist.

Cybercrime marketplaces have been around for years.  What strikes me about the current DIY offering is that it includes cloud-based hosting.  Now, utilities may have worries about the security of cloud computing, but criminals have much bigger worries.  While I would never say that utility control systems are completely defended, there is an awful lot of resiliency built into transmission and distribution networks.  Those networks can withstand powerful attacks, as we all learned with the Metcalf Substation Attack in 2013.  On the other hand, criminals have to worry about being caught.  Not only by law enforcement agencies, but also by other criminals, who typically have a different set of operating principles than law enforcement agencies.  So when a cloud is offered as bulletproof to this audience, we may assume that it really is strongly protected.

Good Enough for Crooks

And that’s the crux of the issue: if cloud computing can be made secure enough that criminals will use it, then it can be made strong enough for private industry – which at least has the law on its side.  Meanwhile, some of the more recent developments in smart grids, especially data analytics, almost require cloud computing to work.  In-house deployments of petabyte- and exabyte-sized databases are impractical, even before wondering where a utility would find qualified staff to maintain those databases.

So could we finally answer the question: Is cloud computing secure enough?  If it’s secure enough for criminals to risk their lives and their families’ lives with it, then maybe it will work for utilities too.  Just maybe.

I should point out that a number of the links in this blog are the work of Dancho Danchev, one of the best respected security researchers in the industry.  He will go where angels (and the rest of us) fear to tread.

 

By Author: Bob Lockhart