Bob Lockhart is a senior analyst focusing on cyber security within smart energy practice at independent research and consultancy firm Pike Research.
Following last week's calls for the UK government to co-ordinate a smart grid security policy, Lockhart tells Computing about the security measures utility companies are implementing, but also says that return on investment (ROI) and best practice are often difficult to identify.
Computing: What is the worst case scenario for utility companies – power outage caused by terrorist or cyber attacks, or data loss?
Lockhart: The most effective cyber attacks enlist insiders who have or can easily obtain legitimate access to the assets that will be attacked, but even without insider help it would be unwise to discount any possibilities via cyber attack. It is better for a utility company to assume that they will be successfully attacked and have a Plan B in place.
It is also important to remember that physical attacks upon the infrastructure can be quite damaging. Some power grid assets, such as the AMI [advanced metering infrastructure] head-end, are well secured inside a utility's plant, but others, such as substation assets, are out there in the open.
Where do security vulnerabilities in power company networks and information control systems (ICS) tend to lie?
Everywhere. A vulnerability particular to ICS is that much of the equipment, networks and software are older, and adding security can be problematic. Although a lot of ICS equipment, SCADA [supervisory control and data acquisition] devices and networks were designed to be isolated from the internet and from corporate Enterprise IT networks, this has been difficult to accomplish. There are many ways to circumvent this isolation, such as remote support capabilities or even USB sticks.
As we saw with Stuxnet, some application software arrives with a default password that cannot be changed without threatening the integrity of the software. There are web sites that list all known default passwords for ICS applications.
What specific technologies can power distribution companies implement to address these threats?
A remote support connection can undermine quite a lot of expensive network perimeter security. The connection between an ICS network and an enterprise IT network should at least be isolated via a tightly controlled DMZ [demilitarised zone subnetwork].
Likewise, encryption can be incredibly effective if it is well-installed, but almost useless if the key management is not done right. Any security deployed into an ICS network should not adversely affect the ultra-low latency required. Standard enterprise IT network procedures, such as frequently pinging or daily scans to map network devices, can disrupt a control network, so more passive approaches are needed.
Situational awareness tools – which monitor systems and applications, and stop them if incidents occur in real time – are in their infancy but becoming more popular.
Change management can reduce the number of unplanned or poorly executed changes to the ICS network, while good business continuity plans mean devices and utilities can survive for days or weeks without some levels of connectivity.
Are updates to existing management and control systems in power stations and substations too expensive?
They are indeed expensive and tend to follow equipment refresh cycles, not vulnerability assessments. It is probably not realistic to expect utilities to bring forward large amounts of technology refresh for the sake of security.
Utilities can get some protection without upgrading or replacing existing systems. Some "bump in the wire" solutions can add security to an existing network: encryption in front of a sensor or a controller, for example, or middleware that acts as a buffer between sensors and the rest of the world.
One famous attack that destroyed a transformer was conducted via a dial-up support modem. An easy workaround could be to insert a switch or an old PC in the phone line before the transformer, and programme it to not accept an incoming call unless it meets certain conditions. Perhaps the calling phone number must be pre-registered with the switch, or there must be a change control entry or an incident response ticket for the transformer before it will accept any calls.
Even more important, updating or replacing control systems brings a tremendous risk to the reliability and stability of the systems that they are controlling. Utilities' operations departments are rightly hesitant to replace something that is working reliably.
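The dial-up gate Lockhart sketches above (a switch or old PC in front of the modem that only answers under certain conditions) can be expressed as a small admission policy. The code below is an added illustration, not from the interview or Pike Research; it assumes the gate can read the caller ID from the modem and query the change-control and incident-ticket systems, combines the two conditions he lists (registered number AND an open ticket) rather than treating them as alternatives, and uses constructed asset names, ticket windows and phone numbers.

```python
# Dial-in admission policy for a support modem in front of a field asset.
# Added example: asset names, numbers and tickets below are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Ticket:
    asset: str          # asset the ticket authorises work on
    kind: str           # "change" (change control entry) or "incident"
    opens: datetime     # start of the approved window
    closes: datetime    # end of the approved window

# Constructed registry: which calling numbers may reach which asset.
REGISTERED_CALLERS = {"TRANSFORMER-07": {"+441632960111", "+441632960222"}}

def ticket_open(tickets, asset, now):
    """True if a change or incident ticket covers this asset right now."""
    return any(t.asset == asset and t.kind in ("change", "incident")
               and t.opens <= now < t.closes for t in tickets)

def admit_call(asset, caller_id, tickets, now, audit):
    """Decide whether the gate in front of `asset` should answer the call.
    Every decision, accepted or not, is appended to `audit` for review."""
    if not caller_id:
        audit.append(f"REJECT {asset}: caller ID withheld")
        return False
    if caller_id not in REGISTERED_CALLERS.get(asset, set()):
        audit.append(f"REJECT {asset}: unregistered caller {caller_id}")
        return False
    if not ticket_open(tickets, asset, now):
        audit.append(f"REJECT {asset}: registered caller {caller_id} but no open ticket")
        return False
    audit.append(f"ADMIT {asset}: {caller_id} under open ticket")
    return True

def demo():
    """Constructed scenario: one approved change window on TRANSFORMER-07."""
    utc = timezone.utc
    now = datetime(2012, 3, 1, 10, 0, tzinfo=utc)
    tickets = [Ticket("TRANSFORMER-07", "change",
                      datetime(2012, 3, 1, 9, 0, tzinfo=utc),
                      datetime(2012, 3, 1, 12, 0, tzinfo=utc))]
    audit = []
    results = [
        admit_call("TRANSFORMER-07", "+441632960111", tickets, now, audit),  # registered, in window
        admit_call("TRANSFORMER-07", "+441632960999", tickets, now, audit),  # unregistered number
        admit_call("TRANSFORMER-07", None, tickets, now, audit),             # caller ID withheld
        admit_call("TRANSFORMER-07", "+441632960111", tickets,
                   datetime(2012, 3, 1, 13, 0, tzinfo=utc), audit),          # window has closed
    ]
    return results, audit

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```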
How can power companies recoup investment they make in cyber security measures?
It is possible, but rarely easy, to determine a reasonable ROI on a cyber security deployment or even know if the investment has ever been recouped. It's a success if one utility implemented such strong security that an attacker went elsewhere to an easier target, but how do you ever know it happened?
There are some in the utilities industry who aren't sure that security will prevent an attack, but it will look better when the lawsuits are filed if there had been a level of due care protection of assets in place.
What are power companies across the world doing, if anything, to improve network/ICS security measures and what are their concerns?
All of the technical approaches mentioned above are happening at utilities somewhere, but there is no pattern at all and it largely comes down to the talent of the individual chief security officer.
Security vendors tell me that selling security to utilities is mostly a push, not a pull: few utilities are inviting the security vendors for a chat, but there is usually a positive response when a vendor calls.
Utility company security officers in Europe and in the US both have the same concerns: lack of standards, weak compliance regimes, too many security vendors selling point solutions rather than solving business problems.
Much security is purchased solely to meet local compliance requirements, not specifically to protect the grid, though there is more focus on data privacy in Europe. But I wish there were more work on resiliency and business continuity.
Would it be useful for utility companies to join industry bodies, such as the International Cyber Security Protection Alliance?
Yes, very useful. Because most security practitioners have an IT background, it is useful to have operations personnel in these bodies with experience of delivering utility commodities.
Without their participation, it is very difficult to end up with a realistic set of standards that address ICS security.
It is true that utilities will sometimes drag their feet and oppose strong standards. Every utility I've spoken with wants a secure grid, but they would rather not have legislated fines for failure to act, or to act in a stated timeframe.
But that's worth accepting in order to have a realistic set of standards in place.