Cleantech Market Intelligence
Cyber Security Community Finally Faces Reality
It’s springtime, so the Navigant Research team is on the road again, speaking at conferences. This spring’s cyber security conferences have confirmed what I’ve said in this blog for some time now: the hype is over; the hard work is here to stay.
At SMi’s European Smart Grid Cyber and SCADA Security conference in London, traditionally a showplace for vendors to hawk their wares, there was a decidedly more technical focus this year. Enel of Italy gave a detailed description on the various projects running in its lab in Pisa, describing how cyber security is integral to each. It was inspiring to see cyber security integrated at the outset of a project, rather than after a bad audit. Equally instructive was the description of Enel’s experimental area in Livorno, where many of the company’s new technologies first see public adoption. Other speakers at this conference continued the technical thread, with topics such as descriptions of self-learning network anomaly detection, and traditional devices such as firewalls and intrusion detection that have been specifically reengineered for control networks. The unmistakable message that I brought back from London: cyber security vendors have finally accepted that the utility industry is like no other.
Future at Risk
The SANS ICS Cyber Security Summit in Orlando, Florida offered similar but more technical fare. Adam Crain and Chris Sistrunk described their eponymous vulnerabilities. They have demonstrated how to disable a utility substation or control console via the serial protocol DNP3. This is critical because DNP3, which is non-routable, had been previously considered immune to attack. Another safe assumption bites the dust. Eric Byres of Tofino Security gave a surprisingly accessible description of deep packet inspection in control networks – a topic normally best saved for researchers and PhDs. There was also a fascinating Trend Micro report on a control network honeypot deployment, which will be the subject of my next blog.
The unifying theme at both conferences was that protecting control networks is hard work that is never really finished. Our reports, including Industrial Control Systems Security, have been saying this for 4 years now. Utility cyber security vendors are finally getting the message. And to be fair, a few vendors have always understood.
But challenges remain. At both conferences, my remarks described the existential threat facing many utilities. One U.S. utility CEO declares that the grid’s days are numbered. The Economist reports that European utilities have lost half a trillion euros of market cap since 2008. Reactions to that news were often blank stares or utter confusion – as if the financial health of utilities has nothing to do with their deployment of cyber security.
This too must change. Security vendors are not competing with each other, so much as they are wrestling with the future of the industry. Just as understanding settles upon the community, the odds become daunting.