Navigant Research Blog

Global Industrial Titans Join Efforts to Thwart Cybersecurity Threat, but Will They Work?

— May 31, 2018

The threat of cyber attacks to critical industrial Internet of Things (IoT) technologies has risen to a near crisis level and is driving more global industrial titans to band together. Recently, Cisco, Dell, oil & gas multinational Total, and testing and certification firm TÜV SÜD joined the Charter of Trust, an initiative spearheaded by Siemens.

The charter now boasts 16 members and is likely to add more. Its lofty goals are threefold:

  • Protect the data of individuals and companies
  • Prevent damage to people, companies, and infrastructure
  • Create a foundation for trust in the digital world

To reach these goals, members have also agreed to 10 principles that range from taking responsibility for securing the supply chain to focusing on user centricity to working with governments. Perhaps the most important and practical principle is the establishment of mandatory independent third-party certifications for critical infrastructure and IoT solutions. While that sounds good, the details are skimpy.

Reasons to Worry

There are clear reasons for corporate leaders to be worried and motivated to act. A study among cyber risk managers in the US oil & gas industry found 68% had experienced at least one security breach in the last year, resulting in the loss of confidential information or operational technology (OT) disruption. A different survey of IT security professionals found that 85% foresee a cyber attack on critical infrastructure taking place in the next 5 years. Then there is the sobering message from the US Department of Energy last year that said the electricity system faces “imminent danger” from cyber attacks, which are growing more frequent and sophisticated.

But one wonders how Siemens’ initiative is any better than, or all that different from, Microsoft’s call for a digital Geneva Convention, or the more recent Cybersecurity Tech Accord. Yes, the Microsoft push leans more toward discouraging government or state-sponsored hacking. But both companies are focused broadly on cybersecurity and the myriad threats to individuals and corporations.

Trust Issues

So which company should we trust and will these efforts actually work? As Sasha Romanosky, a former cyber policy adviser at the Pentagon’s office of Under Secretary of Defense for Policy says, the firms joining Siemens’ charter might have noble goals, but not all companies have the same incentives. For example, some firms might have a greater focus on environmental concerns or health issues or child labor. The threat from cyber attacks might not be as important to some companies, and without widespread participation and a closer alignment of goals, the dangerous level of cyber threats will persist.

These doubts are not raised to discourage efforts to prevent cyber attacks. In fact, a recent Navigant Research report, Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem, recommends grid operators and other enterprises set up a comprehensive cybersecurity plan and use it. But how many broad initiatives are really going to make a difference? The Industrial Internet Consortium (IIC) has its Industrial Internet Security Framework. Germany’s Industrie 4.0 has a working group focused on security. In the US, NIST has its own program for IoT cybersecurity.

I’m all for serious steps to thwart the bad guys. But count me skeptical until we see demonstrable evidence that these initiatives, alliances, and frameworks are making a difference in keeping data and processes safe. It is hard to be otherwise when some companies and governments are known to skirt the rules to their advantage.


Learning from Facebook’s Mistakes

— May 17, 2018

For those of us who abstain from social media, the ongoing scandal with Cambridge Analytica has validated the decision to opt out. However, the option to opt in or opt out of data collection and still be able to use Facebook does not exist. The Facebook and Cambridge Analytica debacle shines a light on the issue of collecting data from unassuming consumers and on how that data is used and manipulated. No matter how policymakers respond to this event, their decisions will have wide-reaching implications for all data-sharing industries, especially for the Internet of Things (IoT) ecosystem.

Can Lawmakers Bring Clarity to Data Collection Ethics?

Data protection laws in the US are relatively new and continue to evolve on an ad hoc basis in response to ongoing data hacks and security breaches. Addressing these issues requires a more sophisticated regulatory environment that considers how data is being collected and used. This brings up an ethical concern—when a company’s profitability depends on sharing user information, the ethics of data collection become muddled. Lawmakers in Europe are some of the first to respond to these issues. In April, the EU’s General Data Protection Regulation (GDPR) was finally approved after 4 years of preparation and debate. GDPR will replace the EU’s Data Protection Directive 95/46/EC and will take effect May 25, 2018. Changes to the directive include extending the law’s jurisdiction to apply to all processors of personal data, regardless of whether the processing takes place in the EU or not.

Laws like GDPR will have a significant impact on the data-sharing industry, especially for businesses that rely on tracking consumer behavior through IoT-enabled devices. These laws require that companies clearly and succinctly spell out their intentions for data collection in their user agreement contracts. Ensuring that all parties clearly understand the service terms strengthens the conditions for consumer consent and gives consumers more control over their personal data. The policy’s push for greater transparency may force some businesses to rethink their approach to data collection. Manufacturers of smart devices are thus encouraged to move away from long terms of service and instead provide real-time information with opt-in choices.

Industries Must Build Trust with Consumers

Informing consumers on how their data will be collected and used will help to alleviate privacy concerns and build trust. As technology continues to advance in making phones, cars, and buildings smarter, it’s important for businesses operating in these data-driven industries to build a trusting consumer base. Doing so will enhance the competitiveness of those buildings as customers will be more willing to consent to new user agreements. Manufacturers of smart devices can avoid making the same mistakes as Facebook by taking note from the EU and being more transparent in their user agreement contracts. Both providers and consumers of smart devices stand to benefit from stronger protections to prevent future abuse.


The Vulnerable Electric Grid Might Be Tougher Than You Think

— April 10, 2018

The ongoing struggle to keep the US electric grid safe from attacks can seem like a losing proposition, especially given recent reports of Russian-sponsored hacking attempts and a serious warning about increasing vulnerability. However, there are quieter accounts of progress among those working to keep the grid safe.

Berkeley Lab Threat Detection Tool

One is a 3-year project led by Berkeley Lab researchers and supported by several key partners that features a new tool to detect cyber-physical attacks. The researchers designed a new architecture that combines a micro phasor measurement unit (μPMU) that captures data about the grid’s physical state with information from commonly used SCADA monitoring systems. Together, the combined data provides real-time feedback about grid performance through a redundant set of measurements with high fidelity. The idea is to bridge the gap between the physical world and the cyber world and find discrepancies that could indicate certain types of attacks are underway against grid components.
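The cross-checking idea described above, as an added illustration (not the Berkeley Lab tool or its code): SCADA reports of breaker state and voltage are compared against the nearest independent μPMU sample, and any physically inconsistent pair is flagged. Field names, tolerances, and the sample data are constructed for this example.

```python
"""Flag disagreements between SCADA-reported state and independently measured
μPMU data. Illustrative only; data, field names and tolerances are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScadaReport:
    t: float            # seconds since start of window
    breaker_closed: bool
    voltage_kv: float


@dataclass(frozen=True)
class PmuSample:
    t: float
    voltage_kv: float
    current_a: float


VOLTAGE_TOL = 0.02          # constructed: 2% relative voltage mismatch allowed
CURRENT_OPEN_MAX_A = 1.0    # constructed: more than this on an "open" breaker is suspicious


def nearest_pmu(samples, t):
    """μPMUs sample far faster than SCADA polls; pair each report with the closest sample."""
    return min(samples, key=lambda s: abs(s.t - t))


def find_discrepancies(scada, pmu):
    """Return (time, kind) alerts where the cyber view (SCADA) contradicts the physical view (μPMU)."""
    alerts = []
    for r in scada:
        s = nearest_pmu(pmu, r.t)
        # SCADA says the breaker is open, yet current is flowing: the report cannot be right
        if not r.breaker_closed and s.current_a > CURRENT_OPEN_MAX_A:
            alerts.append((r.t, "breaker_state_mismatch"))
        # Reported voltage disagrees with the measured voltage beyond tolerance
        if r.voltage_kv > 0 and abs(r.voltage_kv - s.voltage_kv) / r.voltage_kv > VOLTAGE_TOL:
            alerts.append((r.t, "voltage_mismatch"))
    return alerts


# Constructed window: SCADA every 1 s, μPMU every 0.5 s. At t=2.0 SCADA reports an open
# breaker while current still flows; at t=3.0 SCADA keeps reporting 12.47 kV after a sag.
SCADA = [ScadaReport(0.0, True, 12.47), ScadaReport(1.0, True, 12.47),
         ScadaReport(2.0, False, 12.47), ScadaReport(3.0, True, 12.47)]
PMU = [PmuSample(0.0, 12.45, 210.0), PmuSample(0.5, 12.44, 211.0),
       PmuSample(1.0, 12.46, 209.0), PmuSample(1.5, 12.45, 208.0),
       PmuSample(2.0, 12.45, 207.0), PmuSample(2.5, 12.46, 206.0),
       PmuSample(3.0, 11.80, 205.0), PmuSample(3.5, 11.79, 204.0)]

if __name__ == "__main__":
    for t, kind in find_discrepancies(SCADA, PMU):
        print(f"t={t:.1f}s {kind}")
```

A real deployment would also have to account for μPMU clock alignment and measurement noise before treating a mismatch as a security event rather than a sensor fault.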

The Department of Energy (DOE)-supported Berkeley Lab project is moving to the technology transfer stage, with the team preparing a final report and meeting with industry stakeholders to introduce them to this novel security framework. Partners on the project included EnerNex, EPRI, Riverside Public Utilities, and Southern Company.

Insurance Model to Protect the Grid?

In what seems like a stretch, two University of Wisconsin-Milwaukee researchers are investigating the potential of a new insurance model aimed at motivating utilities and regulators to invest more in cybersecurity assets. The idea is to reward utilities that implement strong cybersecurity tools with lower insurance premiums, and to penalize those with weak cybersecurity processes with higher premiums. The two have funding from the National Science Foundation to build predictive models in a project that blends several disciplines, including electrical engineering, computer science, actuarial science, and statistics. More to come on this front, for sure.

Going Retro for Grid Security?

Meanwhile, there is a move in Congress to support older style tools to help safeguard the grid. The retro effort comes in the form of a Senate bill that, if passed, would direct the national laboratories to partner with private companies to identify analog approaches that do not rely on digital infrastructure or tools. According to senators supporting the bill, the idea springs from the 2015 cyber attack on Ukraine’s energy grid, in which operators restored power relatively quickly using human-powered or analog systems instead of digital ones. The bill is not without critics, one of whom claims it is a mistake to look backward for answers such as the ones proposed, though he applauds the focus being placed on enhanced security.

So the Grid Could Be Okay?

The takeaway from these disparate and under-the-radar efforts should be a sense of calm that not all is doom and gloom when it comes to grid security. The grid might be tougher than you think. The good guys are working on new solutions, too (be sure to check out Navigant Research’s recent report, Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem). Some solutions might have limited effects, like going retro, but there is hope future attacks will be countered with robust defenses that thwart attacks and keep the grid safe.

Figure: Power Standards Lab μPMU. Developed at Power Standards Lab under a project led by Berkeley Lab and funded by DOE’s ARPA-E program, µPMUs are designed to increase situational awareness at the power distribution grid level. (Source: Power Standards Lab)


Hacks, Hacks Everywhere: FERC, US Energy Grid, Atlanta Are All Targets

— April 3, 2018

Like Amazon deliveries, cyber attacks keep showing up on a regular basis. In recent days: the US charged nine Iranian citizens with a state-sponsored attack against a range of companies and agencies, including the Federal Energy Regulatory Commission (FERC); the Trump administration blamed Russia for ongoing attempts to hack the US energy grid and other critical infrastructure; and key parts of Atlanta’s municipal computer system were knocked out by a ransomware attacker. Reports like these are becoming all too common.

State-Sponsored Attacks Warrant Concern

The first two raise serious red flags. State-sponsored attacks fall into the highest level of sophisticated cyber attacks. The hackers use the most advanced tools to break in, and with governments behind them they have nearly limitless resources to achieve their nefarious goals. Plus, they have the time to mount attacks over years if need be, probing on many fronts for the weak spots and lurking in the background of computer systems or devices with code that goes almost undetected. The Iranian attackers were said to have been operating from 2013 until the end of 2017, or roughly 4 years.

Hacking a federal agency or probing critical infrastructure poses dangerous threats. Messing with critical infrastructure can be viewed as an act of war, or a precursor to such hostilities. These types of attacks are not new, of course, and more than likely the US itself engages in these cyber techniques of probing and spying on friends and enemies on a regular basis. State-sponsored attacks are growing in scale, frequency, and sophistication, according to Leo Taddeo, chief information security officer at Cyxtera, a provider of infrastructure security solutions.

To Thwart Cyber Attacks, Cities Must Plan and Budget

Atlanta’s case is somewhat more benign. The attack kept some customers from paying bills, and residents were unable to access court-related information. As much as 4 days after the initial report of the attack the city’s servers were still struggling to enable online bill payments or the collection of fees. Moreover, the city had not said whether it would pay the ransom demand or not. For Atlanta, this cyber attack must sting, since it prides itself as a leading-edge smart city. Part of being on that leading edge, though, is accepting risks that come with newer technologies and learning hard lessons. The lesson here: make sure you plan and budget for the latest tools and best people to thwart cybercriminals, because this type of threat is not going away anytime soon.

These cyber attacks underscore the challenges of a connected Internet of Things (IoT) world. As governments, corporations, and utilities take advantage of IoT technologies, they must keep security measures at the forefront of all they do (see Navigant Research’s report, Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem, for practical steps to reduce the risks posed by cyber attacks). A smart grid or a smart city looks rather dumb when the security piece gets short shrift.

