Cleantech Market Intelligence
Smart Grid Cyber Security Moves From Hype to Hard Work
Smart grid cyber security gets a lot less hype than it did 2 years ago – and that’s a good thing. The reason for less hype: people have stopped talking so much about it and actually started doing something about it. Securing a smart grid is incredibly difficult work, as this blog has noted many times. Not only are we dealing with perhaps the most critical of critical infrastructures, but some of the devices to secure are decades old with decades of service life remaining. It’s not for the faint of heart.
The people who are talking about smart grid cyber security nowadays are the people who are actually securing the grids. The people in the trenches. So it’s no surprise that conferences full of security vendors with solutions for the world’s ills are fewer and farther between.
As evidence, the IEEE SmartGridComm conference in Vancouver included a full afternoon workshop on smart grid cyber security. The speakers embodied the progression from hype to hard work in utility cyber security:
- Neil Rerup, president, Enterprise CyberSecurity Architects
- Justin Clarke, security researcher, Cylance
- Patrick Miller, managing principal, The Anfield Group
- Frank Turbide, technical analyst for the Canadian Cyber Incident Response Centre (CCIRC)
- Myself, Navigant Research’s Smart Utilities research director
The panel was chaired by Dr. Hassan Farhangi, director of research at the British Columbia Institute of Technology. The presentations progressed from utility business drivers down to extremely technical talks on hacking smart grids inexpensively, and then back out to cyber incident response.
The heart of my talk was observations on the current state of cyber security in utilities. In a nutshell: there is good technology to protect control networks, but it is rarely deployed as an integrated whole. There are few legal requirements driving cyber security – cyber security at any given utility is only good if the executives want it to be.
Cheap & Dangerous
I had hoped that my comments would be scary enough to grab the audience’s attention for the rest of the afternoon session. Turns out, I was the optimist of the bunch.
Justin Clarke was his usual entertaining and frightening self. To be fair, he’s entertaining; it’s his comments that are frightening. He displayed some easily available tools for attacking smart grids. An inexpensive device to hack smart meter optical maintenance ports even qualifies for free shipping with Amazon Prime. He displayed a $120 open-source Bluetooth monitoring and developing platform – in other words, a hacking tool. Bluetooth appears increasingly in control devices such as reclosers, so that lineworkers don’t have to physically access those devices during a thunderstorm. That is a fantastic safety advance, but if Bluetooth is not properly secured, then the price to compromise that recloser is $120.
Patrick Miller reminded us that attackers have three things that cyber security departments rarely have: time, people, and money. The more creative attacks against control networks – Stuxnet, Duqu, Night Dragon – were clearly the work of organizations with effectively limitless resources. Contrast that with day-to-day fights for spending budgets that is the life of a chief security officer.
Finally, Frank Turbide discussed the activities of the CCIRC. Incidents run from sophisticated denial-of-service attacks to poor implementations that have control devices linked directly to the Internet. The CCIRC issues alerts on current threats and vulnerabilities to its member organizations, of which the most common are malware and phishing attacks. During the past 3 months, energy and utilities have been the second-most attacked industry after telecommunications.
There are still lots of attackers out there, and useful attack tools are dropping quickly in price. And yet, there are good guys looking at more efficient and thorough ways to protect a control network. There is still hope for protecting our control networks, so let us remain vigilant but optimistic.