"What I found most interesting is the assertion by some vendors that the meters have security features built in that utilities often choose not to implement for their own reasons."
This article -- courtesy of Muniwireless -- is an edited conversation with Mike Ahmadi, cyber security consultant and conference chairman of the two-day Cyber Security Conference and Expo that took place last week in San Jose, Calif. Ahmadi offered his insight and reflected on panelists' presentations regarding where we are and where we need to be in smart-grid security.
Ahmadi: Security is a very dynamic environment, and keeping current with what is going on in the world of security is no small task. First of all, despite what anyone may tell you, security is about economics. Ultimately the biggest driver for any organization to secure anything is to prevent getting hit in the pocketbook.
Karisny: Scott Borg, director and chief economist, U.S. Cyber Consequences Unit addressed calculating the value of smart-grid security compared to the expense of a power-grid security breach. What points did you find most important?
The most striking point? The economic models he and his associates created showed that 3-4 days without power is essentially inconsequential from an economic standpoint. Any organization can recover from this relatively short plunge into the "Dark Ages." As you approach the fifth day, however, things change quickly. There is a precipitous drop in economic activity, and by the seventh day the economy is at 30 percent capacity. This was quite startling to many in the crowd, and emphasized the importance of not underestimating the consequences of a prolonged failure in the grid.
I would strongly suggest those who are interested in a comprehensive look at how the Smart Grid will shape the security market to purchase Pike Research's excellent report. According to their research, there will be opportunities for security component manufacturers, security software vendors, identity and authentication management solutions, and consulting services (just to name a few).
The media has bombarded the public with articles warning of cyber-security threats. How would you assess hype from reality, and what points did your best practices panel make for threat scenarios we should really expect in the next few years?
The news media is indeed driven by sensationalist and entertaining stories, and this can, at times, lead to those who a story targets being a bit upset, which can create a cascading effect. Elinor Mills of CNET stated that when she hears information about AMI security flaws, she tries to get information from the vendors, but they either do not respond at all or deliver somewhat canned responses. Robert Former of Itron stated that his employers have instructed him to not share information without prior approval from his organization in order to avoid bad press. What was suggested (and well received) was for vendors and other stakeholders to build a relationship with members of the media in order for them to better understand each other, and that this would perhaps lead to less sensationalism. Hopefully this will pan out, but only time will tell.
Matt Carpenter of Inguardians asserted that the biggest threat will probably come from organized crime syndicates who will use the threat of exploits as a means of extortion. While the panelists acknowledged that random hackers may cause some trouble, they will probably not be as troublesome as some have postulated.
I find it interesting that the conference ended focusing on the concern of potential of bad press or worse press sensationalism. With the importance of moving forward in addressing real smart grid cyber security issues, we need to get beyond government and business political properness and start addressing the real task at hand:
securing the grid.
In terms of regulation, Commissioner Philip Moeller, of the Federal Energy Regulatory Commission (FERC), delivered some straight talk, saying that they simply do not have all the answers yet, despite all the work that has been done in Washington to address Smart Grid security. He emphasized the importance of events like the Smart Grid Cyber Security Summit, and that FERC was seeking input from the very people in the audience.
Our current power grid infrastructures have legacy control systems that frankly don't fit today's digital IP technologies. What are some of the unique issues with control systems, what can be done to secure them, and what shouldn't be done to assure the proper migration to new secure digital technologies?
Joe Weiss, in his presentation, said that the world of ICS (Industrial Control Systems) and the world of IT (Information Technology) have to start working together to better understand the nuts and bolts of how each world operates. Joe also said that the NERC CIP requirements potentially create a security environment that is worse for the ICS world because they exclude specific interfaces and protocols commonly found in ICS. He feels that FERC and NERC need to reexamine the requirements with more consideration being given to common ICS systems.
There will be virtually millions of smart-nodes connecting to billions of smart-grid network devices. Is there a simple, manageable and secure method of addressing such complexity in this massive security undertaking?
The short answer is no, but there are various pieces and parts that can be put together to build a good system. Chris Hanebeck addressed the effects of traditional encryption algorithms on the extremely resource-constrained devices at the edge of the smart grid (such as meters), and it was surprising to learn how challenging it will be to come up with solutions that will work efficiently in the environment. Although he proposed a proprietary low-overhead algorithm that addressed some of these challenges, we still have quite a bit of work to do at the implementation level before we can call this a solution (and that is only if and when everyone agrees to what the pieces and parts should be).
NERC and other regulatory standards groups are trying to direct the path of smart grid security. How difficult is it for power companies to meet these requirements while future requirements are already being drafted to reduce smart-grid security risks?
Perhaps the most difficult task power companies face in meeting requirements is in fully understanding what requirements need to be met. Requirements are in a state of flux, and who has authority over what is still an open question.
There are a lot of people concerned with what rights of privacy they may have to forfeit for smart grid security. Is there a balance that can be met?
I fully believe a balance can be met, but that is really dependant on how well received the smart grid is by the public. While privacy is indeed important to everyone, we have proven time and again that we are all willing to face privacy challenges if we realize some real benefits on a personal level. We live in a world where anyone with a cell phone can be tracked anywhere they are, but we all seem to be willing to accept this invasion of privacy because of the benefits cell phones provide us.
Since the smart grid represents an additional cost to the ratepayer in the short term (we are all going to have to pay for building the smart grid), I believe privacy
will be a rallying cry that will be heard for some time to come. I believe once the smart grid becomes something that helps the ratepayer save money, the cry will be a bit softer. Not only because of the benefits, but also because those responsible for building and managing the smart grid will ostensibly have better security and privacy controls in place.
What are leading industry executives saying about the reality of cyber threats today and the cost/benefit of undergoing a review of security vulnerabilities?
The utilities represented on this panel stated that most of the threats are still quite theoretical. They fully believe that the threats are real, but have not experienced any of the malicious exploits.
Despite not having suffered attacks, the utilities take security quite seriously, and they do not want to be perceived as not caring or not doing anything about security. They also do not want to face the potentially massive fines associated with failing a security review from NERC, and stated that NERC CIP has helped them become more secure.
There has been a concern if we have enough qualified people out there to even supply the expertise to build the smart grid. How will that affect the smart grid moving forward?
Dr. Cohen gave a very good presentation of the issues. Dr. Cohen founded the California Sciences Institute, and offers Ph.D. courses in national security and critical infrastructure protection (among others). Although the expertise falls short of need, he believes we can eventually achieve the requisite level, but it will take several generations to get there. How it will affect the grid in the short term does not necessarily look promising, since a lack of expertise usually means bad decisions. Only time will tell.
Some AMI vendors have made some mistakes regarding security in the past, and are now working hard to make sure the same mistakes are not repeated. Some vendors believe that securing end points (meters) to the point they can be considered "trusted" may not be too important, and others asked the question "secured against what?" What I found most interesting is the assertion by some vendors that the meters have security features built in that utilities often choose not to implement for their own reasons. It is important to understand that security only works if those who are tasked with using the security actually do so.
The issue of meter authentication was interesting, and the various vendors had differing opinions regarding what level of authentication was adequate. Regardless of their opinions, however, the most important point was that AMI vendors build what their customers (the utilities) demand, and if the utilities do not demand specific security features, they are not likely to be as important to the vendors.
What are the advantage and disadvantages to PKI security? Could this be the one-size-fits-all security solution for the grid?
The obvious advantage to PKI is that it has been around a long time and is well entrenched. PKI is used in banking, the military, and everywhere strong authentication is necessary. The disadvantage is that it requires infrastructure and good key management, and creates additional overhead. What is great about the solution proposed by Renesas is that they have built a solution that includes the necessary security components (chips) and a key management solution to go with it. I am not sure if this can be considered a one-size-fits-all solution, but it is indeed a good start.
There is a lot of talk about microgrids
and macrogrids when talking about smart grids. What are they and why are they such a security challenge?
Microgrids are small power systems managed outside of the larger utility network. An example of this would be a college campus that gets its power from solar panels on the campus. The advantage they offer is that a malicious attack on a microgrid is isolated from the larger power grid, so the impact is not nearly as far reaching. The disadvantage is that if a microgrid is built with less concern for security, it could potentially create a weakness that could become problematical if the microgrid should ever become part of the larger macrogrid (i.e. if a utility buys the power system, or the needs become greater than the amount of power the microgrid can provide). The bottom line is that securing microgrids is as important as securing the Smart Grid.