In 2009 the Journal of Energy Security published an article, The Security Vulnerabilities of the Smart Grid, which described how many characteristics of the emerging Smart Grid were likely to make it more susceptible to cyber attack. This article attempts to describe vulnerabilities, their sources, the conditions that have led to them, and some of the ways utilities are combating them even as they deploy new Smart Grid components.
The following factors have accelerated the move toward a Smart Grid:
• There has been a well documented increase in recent years in the number and cost of outages.
• Much of the current grid infrastructure is reaching the end of its expected life cycle. Some of the grid infrastructure is being replaced, but Smart Grid-derived efficiencies may help extend the life of some of this equipment as well.
• Nearly 50% of the people who run the grid are within a few years of retirement. Increased automation of many tasks may help ease the burden on the smaller utility workforce in the next few years.
• While states are mandating greater use of renewable energy sources, the old grid is unable to handle intermittent generation, both grid-scale and distributed.
• The arrival in 2011 of what’s anticipated to eventually be a significant new source of load, all electric vehicles (EVs) and plug-in hybrid electric vehicles (PHEVs), will put additional stresses on systems already functioning close to their design capacity.
• The desire to exploit new efficiency gains made possible by increasing use of smart meters, distribution automation, myriad new sensor and measurement devices, etc.
As the last bullet suggests, the Smart Grid revolution is being driven by information and lots of it. In order to capture, transmit, analyze and use this information to the fullest extent, we’re basically connecting everything to everything … and therein we find the security-rub.
In the past, while enterprise-class cyber security controls on utility systems were not widely implemented, the fact that important systems were largely isolated and disconnected from external networks made it difficult if not impossible for cyber attackers to reach them. Now we’re purposefully constructing pathways that make it easier for those intent on navigating networks, probing for vulnerabilities, and exploiting them to steal sensitive data or disrupt operations. On top of that, while there are islands of security excellence among electric utilities, the overall reputation of the industry is that it’s lagging on cyber security awareness and preparations when compared to other sectors. But there’s more to this story than is at first apparent. Let’s start with vulnerabilities …
Vulnerabilities are conditions no one wants but everyone, and every system, has (some more than others). For the past several years, hundreds of cyber security experts have been working on classifying and prioritizing lists of vulnerabilities that utilities need to be cognizant of, not just to build risk awareness, but to develop capabilities to identify and remove or otherwise mitigate them on an ongoing basis.
And it’s not just the vulnerabilities that are being targeted, but also the behaviors that lead to them. Whether in the supply chain, in the design, in the deployment and lifecycle maintenance processes of old and new systems, or in the training and education (or lack thereof) of utility professionals, business processes are now being reconsidered through a security lens. Lawmakers, regulators, standards bodies, and many other government, academic and industry organizations are identifying the many and varied sources of risk (often distilled down to vulnerability classes) to the grid and the emerging Smart Grid. They are developing standards and guidance that utilities and their service providers can follow.
Here are the two most prominent sets of guidance at the time of this writing, one from the North American Electric Reliability Corporation (NERC), the other from the National Institute of Standards and Technology (NIST):
1) NERC’s Critical Infrastructure Protection (CIP) standards – this document doesn’t list vulnerabilities to watch for, but rather calls out required security processes intended to reduce and mitigate them. These include perimeter network defenses (firewalls), strong passwords, identity and access management controls, and recurring vulnerability assessments via penetration testing and other means. Here’s what members of the industry need to know about the current version of the CIP standards:
• They pertain to only a small, albeit very important, part of the grid: generation and transmission assets, and their attendant cyber systems, deemed to be important enough that their failure could cause a painful ripple effect across other systems and regions;
• The largest part of the grid matrix, the distribution system, is regulated not at the Federal level, but at state and local levels, which often have very few security provisions;
• The CIPs have utilities’ attention because failures to pass CIP audits carry with them substantial and embarrassing fines;
• The CIP standards development team is working on future versions that would potentially cover many more systems.
2) NIST’s Interagency Report (NISTIR) 7628, “Guidelines for Smart Grid Cyber Security” – though formulated as high-level guidance, and not as enforceable requirements, this document gets more explicit by naming high-level classes of vulnerability-generating actions or situations, including:
• People, policies and procedures
• Platform software/firmware vulnerabilities
• Platform vulnerabilities
It then goes deeper and discusses representative individual types of cyber vulnerabilities that utilities and their providers need to combat. Of the hundreds cited, a few are:
• Buffer overflows – a type of programming error that attackers can exploit to take control of a computer system;
• Hard-coded passwords – easy for hackers to guess and gain access to a system;
• Cross site request forgery – allows unauthorized commands to be transmitted from a user who is trusted by a website;
• Race conditions – a programming error where an attacker can gain advantage by influencing or changing the timing of events in computer systems.
Feedback from state and other regulators reveals that while they seek to reference and recommend the NIST Guidelines to their utilities, the intentionally general nature of the guidance in the 1.0 version makes it difficult if not impossible to implement. In response, NIST is now working on more detailed implementation guides.
Vulnerability types and trends
Utilities’ cyber-vulnerabilities can be grouped into the following categories:
• Operational systems – generators, transformers, Supervisory Control & Data Acquisition (SCADA) Systems & Energy Management Systems (EMS), programmable logic controllers (PLCs), substations, smart meters, and other intelligent electrical devices (IEDs) that control the creation and flow of power
• IT systems – PCs, servers, mainframes, applications, databases, web sites, web services, etc.
• Communications networks and protocols – Ethernet, Wi-Fi, Zigbee, 4G, DNP3, etc.
• End points – smart meters, EVs, smart phones and other mobile devices
• Human factors – lack of training and awareness, social engineering attacks, phishing attacks, misuse of USB drives, etc.
While a small minority of vulnerabilities may be intentionally introduced, most are included accidentally or inadvertently by the professionals designing, building, configuring, deploying and maintaining these complex pieces of technology.
Drawing on a global collection system, IBM’s X-Force publishes a definitive report on cyber security vulnerability trends twice each year. Longtime followers of the report may forget the names of individual vulnerability types, but one thing they likely all remember: the number of new vulnerabilities climbs higher and higher as time progresses.
[Figure: Number of New Smart Grid Vulnerabilities. Caption: Overall, 4,396 new vulnerabilities were detected by the X-Force Research and Development team in the first half of 2010, a 36% increase over the same time period observed the previous year. Source: IBM]
This means that utilities must ensure they are protecting not just against all known and documented vulnerabilities, but are continuously updating their systems and educating appropriate staff members to catch new and emerging vulnerabilities. There are tools that help automate this process, and professional services that bring expertise to bear when internal staff can’t do the job. But ultimately utilities must decide for themselves how important this task is to them based on their desire to avoid fines and/or successful breaches.
An important distinction must be made between IT systems and operational technology (OT) systems. The practices of vulnerability assessment, management and mitigation can be completely different in IT and OT environments, and there are many more experienced cyber security professionals available to help with IT issues than there are with OT. This imbalance needs to be addressed, and several organizations are working on it today. The powerful Stuxnet attack on industrial control systems (ICS) has greatly heightened the community’s awareness of this issue.
Grid Wise Alliance
The Grid Wise Alliance represents a broad range of the energy supply chain, from utilities to large tech companies to academia to venture capitalists to emerging tech companies. The Alliance maintains a set of “Principles on Interoperability and Cyber Security,” which address many of the challenges related to managing and reducing the number of vulnerabilities in the Smart Grid. Here are a few selected excerpts from the Grid Wise Alliance principles:
• Smart grid stakeholders should use appropriate system and energy usage information in ways that enable coordinated grid response, reconfiguration and self-healing.
• Grid Wise Alliance supports the process being coordinated by NIST along with standards development underway at various standards organizations as an appropriate means to achieve the necessary framework of standards for a secure and interoperable smart grid. Additionally, Grid Wise Alliance members support the work being done at NERC and within such collaborations as the US Department of Energy (DOE) Roadmap to Secure Control Systems and the Department of Homeland Security (DHS) Industrial Control System Joint Working Group.
• Grid Wise Alliance recommends a risk management approach that focuses on protecting the functions of the electric power system. All smart grid projects must consider a risk-based approach to selecting and implementing security controls that provide effective and cost-effective security commensurate with potential impacts to safe and reliable power system operations.
• Smart Grid component manufacturers (hardware and software) should apply sound security processes in design and development to minimize the risk and severity of vulnerabilities in their products and services. Smart grid components will be in service for many years and subject to threats that could not be imagined at design time. It is critical that smart grid providers plan for addressing security requirements throughout the lifecycle of the system.
• Smart Grid service providers (including utilities) have an important role to implement operational security procedures across their environment. The interconnected nature of power systems requires that each and every smart grid service provider recognize the potential for intentional or unintentional misuse of their systems and take steps to guard against such misuse, whether by third-party adversaries or their own employees.
• Existing facility, hardware, and software features and practices should be leveraged and built upon as part of the approach to securing a smart grid. The grid itself, to a greater extent than many other infrastructures, has additional methods of coping with events of different geographic size, severity and scope. These existing features, such as special protection features or operating modes, mobile generators and transformers, and excess capacity for large portions of the year or day, will provide a secure baseline.
• The cyber security concept of “defense in depth” should be employed in any approach to securing a smart grid. “Defense in depth” is an industry concept that insists upon incorporating layers of security, a combination of requirements that provide a reasonable assurance of sufficient protection. In this scheme, if a single security element fails, a backup or redundant requirement provides a secondary level of protection.
How we’re getting it (more) right this time
The arrival of the public internet set off a wave of rapid modernization in many sectors, including the financial and telecommunications sectors and the big pieces of critical national infrastructure with which they operate. Those early movers often proceeded without a clear understanding of the new types of vulnerabilities that internet connections, web architectures, and increased integration of legacy and modern, web-oriented software systems would bring. Security gaps were found and exploited by attackers, lessons were learned, and these systems have grown steadily more secure over time as both attackers and defenders learn and evolve their approaches.
With the Smart Grid, lessons are being drawn from the early movers and security thinking put in the foreground in ways that most have never seen before. For example, the 2009 American Recovery and Reinvestment Act (ARRA)’s Smart Grid Investment Grant (SGIG), which offered utilities matching funds for Smart Grid projects, included the requirement that award decisions would include a thorough review of candidate projects’ security strategy. Surveys of utility executives continue to reveal that cyber security is in the top 3 on their lists of critical concerns. As mandated by the 2007 Energy Independence and Security Act (EISA), NIST has worked with uncommon speed, rallying experts from industry, academia and government to identify security risks and to develop security policies and procedures that address them.
Another trend worth noting is that vendors and suppliers are awakening to the importance of their role in reducing vulnerabilities in utility systems:
• Smart meter vendors report now running regular security scans of their code … something they didn’t do prior to being embarrassed with live smart meter exploit demonstrations at high profile security conferences.
• Vendors of electric plant control system equipment are reconsidering their products’ security functions in the wake of recent advanced persistent threats (APTs) such as Stuxnet and Aurora. Each of these demonstrated that control systems, once thought immune from the type of cyber attacks that have afflicted IT systems for years, can be reached and successfully attacked by bad actors.
• Larger utilities are adding secure development policies, practices and tools to their application development groups’ software development lifecycle (SDLC).
• Other utilities are outsourcing their application development and maintenance activities, and are holding their providers accountable for delivering and maintaining applications within prescribed tolerances for certain vulnerability classes.
• More utilities are creating or hiring a Chief Information Security Officer (CISO) or Chief Security Officer (CSO).
• Another category of looming Smart Grid vulnerability, privacy, is being addressed aggressively by the Office of the Information and Privacy Commissioner of Ontario, the Canadian utility Hydro One, and a handful of Smart Grid technology companies including IBM, GE and Telvent. Their just-published report can be found here.
Don’t get too comfortable - recent highlights (and lowlights) on Federal Smart Grid security and vulnerability policy
A January 2011 report from the Government Accountability Office (GAO) titled “Electricity Grid Modernization: Progress Being Made on Cyber Security Guidelines, but Key Challenges Remain to be Addressed” highlighted security shortcomings in the 1.0 version of NISTIR 7628, pointing out what NIST had already revealed itself—that it hadn’t been able to address every topic it originally intended by the 1 September 2010 deadline, and was now working to remedy the situation. It also criticizes FERC’s lack of authority to regulate grid security beyond large generation and transmission systems.
Later in January, the Department of Energy’s Office of the Inspector General (IG) issued its report on this matter titled “Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security” in which it found FERC cyber security standards (as implemented by NERC) and the overall approach for regulating the national grid quite lacking, saying:
"… even if the standards had been implemented properly, they 'were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.'"
In addition, on January 31, 2011, FERC convened a hearing to ascertain whether an initial set of basic interoperability standards were ready to be considered for formal adoption. A panel of experts responded to questions from the Chairman and uniformly stated that too many security flaws remained in the draft standards for them to recommend moving towards adoption in their current state. While the final determination has yet to be made, in an atmosphere charged with the desire to move forward as quickly as possible on all fronts, this highlighted the seriousness with which security issues are being considered in the overall process.
Towards a more intelligent, adaptive, resilient grid
In addition to working to ensure we get the basics (people, policies and procedures, systems, software, communications and networks) right, here are some of the more forward-looking capabilities we’re building into the new grid to help it better deal with increasingly numerous and sophisticated security threats:
• Deploying sensors and sensing systems to detect attacks earlier and block them;
• Leveraging increased automation and intelligence to enable fast reconfiguration and self healing infrastructure attributes;
• Building and deploying better investigative tools to understand attacks after the fact and adjust defenses accordingly;
• Engaging in wide-area situational awareness to detect less concentrated attacks that localized pieces of security equipment do not protect against;
• And lastly, when defenses prove insufficient, making better preparations for recovery from successful cyber attacks via disaster response, business continuity and emergency recovery procedures.
Anyone involved in this sector and its effort to better secure itself would freely admit that we’ve got a long way to go. But what’s different, and quite promising, this time is that security is being taken seriously up front, and among senior leadership. It’s weighted more heavily in design and procurement decisions than ever before. Security experts from within the industry and from other sectors are pitching in to share best practices, lessons learned, and ideas for how to better secure complex systems.
As we improve our ability to detect and mitigate vulnerabilities in grid systems, we need to do a better job measuring what we’re doing. Utilities that can demonstrate to their auditors, and to themselves, that they are not just avoiding compliance penalties, but making progress in reducing risk, will be in the best position to deliver the full promise of the reliable and secure Smart Grid upon which the nation is counting.
Contributor Guido Bartels is General Manager, Global Energy & Utilities Industry, IBM. He also serves as the Chairman of the Global Smart Grid Federation.