Unisys recently entered the smart grid cyber security market with a white paper titled “Innovatively Evade Energy and Utility Cyber-Assaults,” which introduces its cyber security offering, Unisys Stealth. Unlike many other mainstream security companies that have attempted to enter utility cyber security, Unisys appears to understand that control systems are different and need to be thought about differently.
The paper lists six threats that smart grids face. One is modernization – although, without modernization, there is no smart grid. It is a necessary evil. This section begins, “Paradoxically, modernization within the industry is also introducing new vulnerabilities.” Of course. When you replace an electromechanical device with an IT-enabled device, it’s a given that the IT threat vectors will increase substantially. As I pointed out in a recent blog, there are indeed new risks, but they are more than offset by new benefits.
The same paragraph continues by explaining that these industrial control systems (ICSs) are “often subject to periodic patches and firmware upgrades.” There is a common misconception among enterprise IT security practitioners that control systems are patched in the same way as enterprise IT systems – but that’s not the case. Many control systems have one maintenance window every 2 years, and that’s the only time they will be patched. We don’t do Black Tuesday in the control system world.
Unisys accurately states that many existing cyber security technologies are reactive and, therefore, are useless against unknown (zero-day) attacks. However, this is not news to the ICS community, and application whitelisting and behavior-learning security tools that observe anomalous traffic have been in place for some time now.
I would also like to know if Stealth runs on its own hardware, and, if it runs in line with the control network, what kind of latency it adds to communications.
The white paper claims, “The primary reason for maintaining status quo regarding improved security is the concern that any new measure may introduce instability in highly reliable systems.” I disagree; the primary reason that the status remains quo is lack of funding. Whether that’s due to utilities being cash-strapped or security officers being unable to create a compelling business case for the funding is an open question. The second reason for the status quo is that many devices are too old to have any security onboard but still have remaining service life and aren’t going anywhere.
The strongest point that Unisys makes is that the main obstacle to winning the cyber war is a patchwork strategy. This is the crux of control system cyber security. My research in the past 18 months has uncovered a marked increase in the number of utilities asking for security architectures, for a single approach to security for their control systems. Whether those architectures will translate to implementations is unclear. But at least utilities are asking to see the big picture. It would be good if Unisys offered to be part of that large-scale solution, but the conclusion of this white paper seems to say that Stealth is the solution. All security vendors can be part of the solution. None of them are the solution.