December 8, 2010 By Larry Karisny
Q: Who do you see as the responsible party for securing the grid; power companies, third-party security vendors or government entities?
Lockhart: In countries where the power grid is a government monopoly it’s pretty straightforward. In the USA however, there is no responsible party for securing the grid. Lots of organizations have a say but no one “owns” security of the smart grid. Some have tried to put NERC in that role but NERC’s remit covers generation and transmission. Most of what constitutes the smart grid happens in distribution, which today is outside NERC’s scope.
NIST has published some very good standards for Smart Grid security including the recent NISTIR 7628 series but they remain only standards. The Bulk Electric System has nothing analogous to HIPAA for health care information or PCI DSS for payment card processing. Compounding the issue, there is a fair amount of personally identifiable information (PII) flowing through smart-grid management systems. That PII comes under the jurisdiction of personal data privacy laws, but we have no national privacy legislation -- each state has its own laws.
Q: Where are we today when it comes to securely adding intelligent infrastructure to our utility and power grids?
Lockhart: Behind and losing ground. As with nearly every technology, the focus in smart grids has been to get it working, then later realize that security is an issue. Two dynamics make this even worse: first many security providers have equated smart grid with smart metering, ignoring the major innovations necessary in distribution automation and substations. Second, there has been precious little attention paid to security of industrial control systems (ICS), such as SCADA, some of which are so old that they are still analog. Since most information security experts have an IT background they do not understand that IT security solutions may not work and may actually disrupt an ICS network.
Q: With billions already awarded in federal grants and billions more put in by the power companies, where are all the smart grid projects?
Lockhart: In my analysis I only looked at smart grid cyber security projects of which there are precious few being funded by ARRA, though there are some. In the case of cyber security it is often difficult to credibly forecast an ROI -- after all an effective security program is one that you never see. So given funds to invest and an enterprise’s need to justify the investment via some measurable return, many are going to minimize security spending unless it’s necessary to comply with a regulation such as NERC CIP.
Q: What is the best start for securing the grid network infrastructure today? Is it just a process of add as you go?
Lockhart: It’s the same as securing any other environment. You start with an assessment of risks against most valuable assets and prioritize security investment based upon the results of that assessment. Some of the quantitative risk assessment methods can take years to reach completion and are not realistic for the current situation but there are qualitative techniques that yield useful analysis in a relatively short time. The keys to success are getting a complete asset list and fully understanding risks to each. Again there can be problems if no one involved in the assessment truly understands industrial control systems.
So it’s not really possible to say, for example, that every utility should immediately upgrade its identity management capability or deploy security event management. Each situation will be unique and requires someone to seriously think about what is at risk and what needs to be done.
Q: Some people are saying we should be addressing the transmission and distribution side of the grid first before the demand side. What do you think about that as it relates to security?
Lockhart: Well ideally security would be integrated as part of whatever smart- grid projects are undertaken by a utility. If it’s smart metering, then securing consumer data and resiliency in the networks should be part of the project. Those are much more expensive to bolt on later. Likewise if it’s updates to the distribution grid, maybe smarter transformers, then secure communications and other measures should be built into those projects as well. So the ideal situation is that security rides along with smart grid projects as undertaken by the utility. When that doesn’t happen, then you have to go back to the security risk assessment discussed above, and address the risks as prioritized, maybe taking some low hanging fruit early on -- simple measures that can be implemented quickly and with little expense. Early success in a security program can bolster it immensely within an enterprise.
One area of security that gets too little attention in smart grids is employee awareness. It is critical for employees of utilities, systems integrators and other involved entities to understand what security is implemented, why it is there, and their responsibilities to support it. This requires a proactive education program. Whether we’re talking e-mails, Web courses, or stand-up instruction matters less than that the points are gotten across to the workforce.
Q: Is here a one-size-fits-all security approach or is layer security going to be the rule of thumb for the grid?
Lockhart: Again, countries with a government monopoly grid can take a one-size-fits-all approach. On the down side for them, that implies that a single attack against their entire national grid could be successful and there is probably a single point of attack for that grid. Here in the USA we have over 3,200 utilities -- some with millions of customers, others with a few thousand. So obviously they are not going to all be running on the same infrastructure and therefore the same security approaches will not work for all. It is not unthinkable that some smaller utilities will end up clients of service providers running cloud computing environments. Those will probably be private clouds, but still a centralized, third-party cloud. Personally I think that’s a good thing because small enterprises cannot afford as sophisticated security as a large-scale integrator of clouds will implement.
In either case layered security or defense-in-depth will be the preferred solution. In my studies and work with clients I’ve been emphasizing not only the need for well-known network and endpoint security controls but also that networks need to be resilient. Whether we’re talking smart metering or ICS, endpoints and central systems need to be able to survive several days or maybe weeks out of contact with each other.
Q: Are there already lessons learned from mistakes and some solutions found?
Lockhart: What I’ve seen is more an evolution of increased protection rather than a grand disaster followed by a step change in the level of smart-grid security. There is still quite a bit of disunity among the smart-grid community as to how bad things are or are not. That suggests to me that nothing truly terrible has happened to galvanize the industry. In my research when I ask how bad things are, answers range from no problems at all to critical.
But most of the lessons learned that I’ve seen are straightforward: better ways to identify and prevent fraud, nearly everyone understands the importance of encryption, and there is a slowly dawning awareness that the security-by-obscurity approach that protects most SCADA deployments is not going to be effective. But I do see more targeted point solutions than overarching grid-security programs.
Q: Is Stuxnet the warning shot of more cyber attacks and just how bad could thins get as it relate to our power grid?
Lockhart: Slammer and Blaster, each 7-8 years ago, should have been warning enough -- even if they were not directly aimed at grids. I recently blogged Stuxnet and I think the security community has its head in the sand. If my analysis is correct then Stuxnet was developed late in 2007 or early in 2008. We security experts call Stuxnet state-of-the-art because we arrogantly think we know everything that’s happening, but we don’t. The Stuxnet code and attack could be three years old -- that’s two iterations of Moore’s Law. If true, then things probably have already gotten much worse than we understand. We’re just blissfully ignorant of how bad.
Q: In summary, where we are today as it relates to the smart grid? Where do we need to be in a fast track short-term solution and what do you think the future of smart-grid security will look like?
Lockhart: If Stuxnet is any indication, then the serious attackers are way ahead of us and can pretty much operate with impunity. Less sophisticated attackers may be able to hold a grid to ransom if it is not well protected. Some security vendors seem focused on finding problems that suit their existing offerings rather than seeking how to protect our grids, although there are some exceptions. One utility complained to me, “If one more security vendor walks into my office and asks me what keeps me awake at night…”
Here in the USA our patchwork grid may protect us for some time to come. I’ve asked several utilities and smart-grid experts if an attack could wipe the entire U.S. electrical grid. The common answer has been something like, “If only we were actually that well integrated. But no.” Still, any one grid could be successfully attacked so no one can really rest.
It’s hard to prioritize remedies outside the context of a risk assessment, and that’s going to be unique for each utility. But if I had to prioritize anything in general I’d look at better resiliency throughout networks -- both IT and ICS. And I would like to see IT and operations staffs at utilities work together more effectively. I can’t see any other way to get a whole-picture view of the grids and what really needs to be done.
Unfortunately we may see continued selling of point solutions for quite some time to come. There are people taking a holistic view of smart-grid security, including some utilities’ chief security officers, systems integrators, and even some of the smart-meter manufacturers with their bundled solutions. However there is quite a bit of point selling going on out there. Utilities expect a meter -- smart or otherwise -- to have a service life of 20 years. What is going to happen in smart metering when that expectation collides with Moore’s Law? Certainly that could drive another round of point-solution selling.