Protecting the Smart Grid
Print Issue: August 2011
In the United States and around the world, the idea of a “smarter” electricity infrastructure is being pushed as a way to improve energy efficiency, among other benefits. It’s called the smart grid in part because it allows two-way communication between utilities and consumer devices linked through home area networks (HANs), making it possible to manage demand cycles, for example. But because the smart grid makes the utility much more susceptible to cyberattack from many points that did not previously exist, we have to be smart about how we address the security risks if the benefits are to outweigh the problems.
Complicating the issue is the fact that current applications of smart grids and the future roadmaps for smart grids are varied and somewhat uncertain. While “smart metering,” or “automated metering,” is often the focus of smart grid discussions, that is only one component of a smart grid. A future view suggests that as smart grid and smart technologies develop and reach further into “the cloud,” new attack vectors will emerge with the potential for a hacker to control critical infrastructure via grid networks leading to supervisory control and data acquisition (SCADA) systems and programmable logic controller (PLC) devices at the heart of utility operations. Additional disruptions to revenue metering and customer power delivery, as well as privacy implications, form part of the risk profile.
With more than 4,000 vulnerabilities identified across the smart-grid environment (not all IT-related), the scope for security is daunting. The challenge is significant but not insurmountable. The key is to apply effective analysis and to develop corresponding protection practices from one end of the infrastructure to the other. Through effective risk management, we should be able to identify what is critical to the sustained delivery of electricity and apply effective policy and standards to mitigate the risk.
Of course, the sticking point is what constitutes effective policy and who gets to set those standards. Under the Energy Independence and Security Act of 2007, the National Institute of Standards and Technology (NIST) was given lead responsibility for the development of a smart grid security standards framework. In 2010, the Federal Energy Regulatory Commission (FERC) received NIST’s interoperability standards as part of the national standards strategy for the electrical sector. FERC has continued to wrestle with the pros and cons of adopting a national standard to regulate smart grid cybersecurity versus allowing industry to regulate itself.
At a recent congressional hearing on infrastructure cybersecurity, James A. Lewis of the Center for Strategic and International Studies argued that voluntary action has not worked and is “a recipe for disaster.” But the industry believes that poorly conceived standards that get set in stone and frozen in time can be equally disastrous.
Meanwhile, the smart grid is being deployed and utilities have to address the risk. Anything less than a comprehensive, multilayered protection plan for the smart grid will fail.
Some utilities are stepping up to the plate and attempting to tackle these issues. To develop effective standards for a smart metering network, one utility developed a comprehensive process for full assessment of the end-to-end solution through a series of focused workshops and analysis—dissecting the solution piece by piece, with a team of subject matter experts driving the process.
The team developed a security and privacy framework document that would serve as the starting point for identifying and addressing security gaps that would not be readily evident if one merely followed an existing guideline. This framework focused on the integrated nature of the smart grid and its components. It took into account that individual components of the infrastructure need to be assessed, including the smart meter across its circuitry, processors, communications chips, ports, and interfaces.
It highlighted as a basic premise that the complexity of the smart grid environment makes integrated security management a must. For example, a meter cannot be viewed in isolation; it must be viewed as a system of interconnected components, each with its own vulnerabilities. Even then, the device must be considered in terms of its environment and its deployment to assess contributing factors that may expose vulnerabilities or increase the risk potential. One must also consider how legacy systems are affected when new systems are brought into the equation. Building new infrastructure on unstable foundations does not make sense from a security standpoint.
The framework document broke down the solution into categories of concern, including application security, network security, integration security, data security, physical security, infrastructure security, privacy, and so on, to achieve the full security solution. A focused discussion in each area enabled the identification of existing policies, standards, regulations, and laws the company must adhere to, and gaps between the current state and the required end state for the architecture.
It is important to note that smart grid security can build on some existing best practices; in other words, the wheel need not be reinvented, but no framework currently goes far enough. Using this framework development as a best practice, the utility incorporated the 75 existing standards identified by NIST as applicable to smart grid security. As additional steps, utilities can also leverage existing information management policies, such as those in ISO 27000 and NIST, among others. They can also build on FERC’s cyber standards. They should, of course, identify all interfaces within the end-to-end architecture where data is in motion as well as applications where data is at rest for analysis. They can then extend the analysis to the deployment project plan itself to identify processes within the project where personal and sensitive information will be handled and shared with third parties in order to facilitate deployment.
All information interface points in a smart metering or smart grid solution require analysis to ensure that effective security standards are applied to protect information, and that security is layered on according to the threat environment and overall risk. Project plan analysis should include the test environment, any offshore services contemplated, as well as security and privacy issues around procurement and project office activities. Combined, this analysis should address most of the utility’s security concerns with regard to a smart grid solution.
It is important to include vendors who will supply smart grid devices and applications, deployment services, and end-to-end integration solutions to ensure that each component of the architecture is appropriately analyzed. Where gaps exist, the security team must work to establish a standard that will effectively respond to the gaps. Over the life of the project, continuous ethical hacking, risk assessment work, vulnerability assessment, and audit work will validate standards and bring to light new gaps for analysis and remediation.
The end product will be more comprehensive than if available industry guidelines were simply adopted, and it will be better because it will be tailored to the specific solution and specific devices and applications deployed, addressing both new and legacy systems and architecture.
A solution based on this approach would include: an end-to-end security framework from HAN to legacy systems, with improved security at all legacy applications; better segmentation of applications, with higher security on public-facing networks; improved security analysis and screening on all segments, applications, and appliances; better encryption; physical hardening on all critical cyber assets, including hardening facilities where smart meter critical applications are housed; end-to-end penetration testing, including working directly with the meter supplier to validate meter penetration testing; improved role-based access, with higher restrictions on administrative functions; and improved password management employing very complex passwords on all administrative functions.
It would also include provisions against cleartext messaging in flight or in storage. Moreover, it would require full background screening for all employees and contractors. To further protect data, all meter data-collection features not required for basic utility metering functions would be required to be kept switched off to avoid exploitation. No private data would be stored outside the trusted domain; and there would be enhanced customer portal security and customer access security using a layered approach, including password, failed-attempt lockout, time-out policy, and least-privilege policy.
Other provisions would include increased training and updated policies for all work streams addressing smart metering infrastructure and meter data, audited employee access to customer files in all departments, a secured firmware download process, and enhanced disaster recovery and redundancy processes.
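Of the provisions listed above, the secured firmware download process is a concrete mechanism rather than a policy, and it is worth seeing what the meter-side check actually has to do. The following is an added example written for this page; it is not code from the article or from the utility it describes, and the image layout (a 4-byte magic, a big-endian version, a payload length, the payload, and a trailing Ed25519 signature) is an assumption made for illustration, not any vendor’s real format. The point it demonstrates is that the meter must verify a pinned-key signature over the whole image before acting on any of its contents, and must refuse a correctly signed image that does not advance the version, so that an attacker holding an old, genuinely signed image with a known flaw cannot roll a meter back to it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (constructed, not a real meter format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
// The Ed25519 signature covers everything before it, so the version field is
// authenticated and cannot be edited to defeat the anti-rollback check.

var magic = []byte("FWUP")

const headerLen = 12

var (
	ErrTruncated = errors.New("firmware: image shorter than header plus signature")
	ErrBadMagic  = errors.New("firmware: bad magic")
	ErrBadLength = errors.New("firmware: declared payload length does not match image")
	ErrBadSig    = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version not newer than installed version")
)

// BuildImage runs on the utility's signing host: it frames the payload and signs it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(body[0:4], magic)
	binary.BigEndian.PutUint32(body[4:8], version)
	binary.BigEndian.PutUint32(body[8:12], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the meter-side acceptance check. pub is the utility's public
// key pinned in the meter; installed is the currently running version. Header
// fields are used only to frame the signature check; the version is acted on
// only after the signature verifies, and an image that does not advance the
// version is rejected even when it is correctly signed.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if !bytes.Equal(img[0:4], magic) {
		return 0, nil, ErrBadMagic
	}
	plen := binary.BigEndian.Uint32(img[8:12])
	// Compare in uint64 so a hostile length field cannot wrap the arithmetic.
	if uint64(len(img)) != uint64(headerLen)+uint64(plen)+uint64(ed25519.SignatureSize) {
		return 0, nil, ErrBadLength
	}
	bodyEnd := headerLen + int(plen)
	body, sig := img[:bodyEnd], img[bodyEnd:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, body[headerLen:], nil
}

func main() {
	// Key pair generated here only for the demo; a real meter pins the utility's public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed meter firmware payload") // constructed sample, not real firmware
	img := BuildImage(priv, 2, payload)

	if v, _, err := VerifyImage(pub, 1, img); err == nil {
		fmt.Println("accepted version", v)
	}
	_, _, err = VerifyImage(pub, 2, img)
	fmt.Println("same version again:", err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```

The order of checks matters: the length arithmetic is done in a wider type before any slice is taken, the signature is verified before the version is compared, and the installed-version comparison is strict. A real deployment would also keep the installed version in storage the firmware cannot silently rewind and would apply the image only after it has been written and re-verified, but those steps are outside what this example covers.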
In addition, while physical security has typically been pushed to the back seat in the smart grid security discussion because of the dominance of IT issues, physical security must not be neglected. If a utility experiences consistent energy theft, setting up response plans for energy diversions found during meter replacement is also an important security consideration and requires coordination with police.
Another physical security concern is related to protests against deployment of smart meters, in some cases because of privacy concerns and also because of health concerns over radio frequency waves associated with smart metering. Physical security planning must address efforts to sabotage and damage new infrastructure as well as efforts to attack installation crews.
This is only a partial list of what can be done; it is intended to demonstrate the complexity of security solutions applied across the smart metering infrastructure. A significant number of other security and privacy protection solutions were also applied by the utility referenced here. And, of course, this is a dynamic process that must continue to evolve to keep pace with changing technology and threats.
In evaluating the smart grid security challenge, although there are certainly new components and new devices to worry about, the bottom line is that, while a huge task, it does not require a lot of new security expertise. What it does require is top management commitment. Not every utility is as proactive as the one highlighted here. The greatest vulnerability, therefore, is the tendency of decision makers to fail to make security and privacy solutions a priority. This attitude has to change or nothing else will.
Doug Powell, CPP, PSP, is manager, security, privacy, and safety for British Columbia Hydro’s smart metering program, headquartered in Vancouver, British Columbia, Canada. He is second vice chair of the ASIS International Utilities Security Council and Electricity Sector chair as well as vice chair of the Critical Infrastructure Working Group. Powell is also vice chair of the Canadian Electricity Association’s Security Infrastructure Protection Committee.