Cyber security is, at the best of times, still barely knowable. The best deceptions are discovered long after they are done. The greatest heroes and the most heinous villains are unknown – except to each other. The spy wars of the 1960s have moved online and are still waged undetected, right under our noses. Recently a number of home devices, including one smart refrigerator, were compromised and used to send out 750,000 spam emails. Junk email from your fridge!
Preparing for a talk at SMi’s European Smart Grid and SCADA Security conference in London, I checked in with some of my frequent research contacts for their views. The consensus: there has been a lot of movement in cyber security during the past 12 months – by the attackers. Cyber defenses haven’t appreciably improved. There is more talk about security architectures and assessments, but talk is not protection.
My contacts relate tales of hostile infiltration and data exfiltration in large control networks. Utilities are targets, as are oil & gas facilities. The attackers appear to be stealing data but not otherwise harming the networks. Why the attackers are doing this, only they know. They could be gathering data for competitive business advantage or for a future attack. Most of my contacts (and I) believe that it is the former.
Old and Vulnerable
While that scenario unfolds, large security problems remain unsolved. We still have no good solution for protecting older grid control devices that have little or no ability to protect themselves. There are approaches such as network segmenting but nothing that could be called a solution. Cyber security practitioners are consuming a fair amount of energy just debating an approach to this problem.
Meanwhile, the Sistrunk/Crain vulnerabilities discovered last year have exposed weaknesses in the Distributed Network Protocol (DNP3) used in many SCADA networks. As a non-routable protocol, DNP3 is immune from attacks that target routable protocols such as the Internet Protocol (IP). NERC CIP reliability standards have, therefore, ignored non-routable protocols, assuming that they were safe. However, the Sistrunk/Crain vulnerabilities show that this assumption is no longer reliable.
Meanwhile, many utilities are looking at how to use their smart metering networks to enable distribution automation (DA). That approach can get a utility into DA much faster than building out a new control network. But it can also transform the advanced metering infrastructure (AMI) from a network of cash registers to a network of grid controllers. The accompanying change in security requirements is substantial, and some utility operations teams understandably refuse to allow this integration. Perhaps for good reason: one AMI vendor assessed 20 large deployments of its system and found that data encryption had not been activated in any of them.
Yet there have been no blackouts so far. Even the Metcalf Substation attack – little known for 10 months until recently reported by The Wall Street Journal – did not result in a loss of power for anyone. That’s because PG&E had already engineered resiliency into its grid. But will utilities always be that lucky?
So much conflicting input demands a reliable read of the situation, and if you want to get to the bottom-line reality, find out what the bookies think. Or, next best, the actuaries. This is where things become worrying. Lloyd’s of London’s Kiln Syndicate will not insure utilities’ control systems – transmission and distribution – against cyber-attack. In other words, we can all talk all we want, but the people who assess risk, not for a living but for a return on investment, don’t think that utility cyber security is a very good bet to make right now.
Tags: Conferences & Events, Cyber Security, Smart Grid Security, Smart Utilities Program