Girding the Grid for Cyberattacks

The future of the U.S. energy grid is at a crossroads. Energy gridsand power distribution systems face a number of daunting challenges. One of the most critical is the ability to respond to changing variables in real-time.Meanwhile, the energy industry is often slow to implement newtechnology that optimizes energy consumption and bolsters the powergrid from electronic intrusion.

Energy generation, supply, consumption, distribution and security posenumerous high-tech challenges. Every change in these components requiresthe execution of sophisticated analytics to predict the downstream orupstream impact and the required actions to re-balance the network. Inaddition, the ever-increasing number of nodes on the energy network provide newpotential security holes, which need to be monitored and managed.

“It is critical that any legislation to secure the electric gridinclude proper identity assurance. This will ensure that evensuccessful hackers/intruders are curtailed at every access point andan audit trail created should an intrusion occur. Identity assurancelimits access and accessibility, and the standards already exist,” DominicFedronic, CTO of ActivIdentity and chairperson of the GlobalPlatformGovernment Task Force (GTF), told TechNewsWorld

Government Action

At least some of what Fedronic called for may be in the works. Last month, theNorth American Electric Reliability Corporation’s (NERC) independentboard of trustees approved eight revised cybersecuritystandards for the North American bulk power system.

This action represents the completion of the first phase of the NERC’s cybersecurity standards revision work plan, which was launched in July 2008.Work continues on phase two of the revision plan, with newstandards already under development, according to the NERC.

The standards comprise some 40 good housekeeping requirements designed to lay a solid foundation of security practices. Ifproperly implemented, the energy industry will develop thecapabilities needed to secure critical infrastructure from cybersecurity threats, according to the NERC. Roughly half of those requirements were modified toclarify or strengthen the standards in this initial phase.

Heavy Fines

These revisions begin to address the concerns the Federal EnergyRegulatory Commission (FERC) raised in its Order No. 706, according tothe NERC. That order conditionallyapproved the standards currently in effect.

Organizations that violate the standards can be fined up to US$1 millionper day per violation in the U.S., with other enforcement provisionsin place throughout much of Canada. Audits for compliance with 13requirements in the cybersecurity standards currently in effect willbegin on July 1, 2009.

“The approval of these revisions is evidence that NERC’sindustry-driven standards development process is producing results,with the aim of developing a strong foundation for the cybersecurityof the electric grid,” said Michael Assante, vice president and chiefsecurity officer at the NERC.

More to Come

The NERC expects to act on the revisions for phase two in early 2010,according to Assante.

However, he cautioned that these standards are not designed to addressspecific, imminent cybersecurity threats. For that, directlegislative action is needed.

“We firmly believe carefully crafted emergency authority is needed atthe government level to address this gap,” he said.

All Not Happy

However, critics say the NERC’s action in revising the standards for grid cyber-protection maybe falling short. It will take more stringent action to make the energy grids moredependable and secure, according to their arguments.

“Just as all critical infrastructure government systems are subjectedto best practice security hardening, the energy grid cannot be anexception. Hardening includes securing network access with firewalls,applying intrusion detection, protecting critical applications withstrong authentication and TLS (transport layer securit), equipping personnel with FIPS 201 PIVcredentials and requiring strong authentication through VPNs for anyremote access,” ActivIdentity’s Fedronic said.

The NERC’s revisions are falling short, agreed JT Keating,vice president of marketing for security firm CoreTrace. Critical Infrastructure Protection (CIP) requirements are drivingutilities’ implementation of alternative solutions, like applicationwhitelisting, designed to stop malware and prevent unapproved applications installed by employeesand contractors, he explained.

“Despite months of work, the only notable change to these particularCIPs was a slightly expanded definition of which assets need to beprotected against malware. Fundamentally, the CIPs need to be changedto reflect their actual purpose, preventing the execution of anyunauthorized code, rather than prescribing specific technologies — especially technologiesthat are completely inconsistent with the operational realities ofenergy management systems and distributed control systems that are thecore of the critical infrastructure,” Keating told TechNewsWorld.

Growing Threats

With much of the energy industry relying on the Internet, concern has been raised about the potential for security exploitation, especially considering the popularity of active (and sometimes vulnerability-ridden) content on Web sites.

“There was not much active content five years ago. The Internetcarried not much more than simple HTML and Java coding. Today that istoo boring.Today any browser can bring down active content. This is the biggestthreat today,” Jay Chaudhry, CEO of cloud security firm Zscaler, toldTechNewsWorld.

The concern isn’t so much with the security or lack thereof with Microsoft Windows so much as the vulnerability of the browser, he explained. The energygrid is threaded across the Internet. Workers access this gridfrom within physical plants as well as remotely, making a commonsecurity bridge.

“The browser has become the new OS for desktops. They are morepowerful and can do so much more. That combination is very deadly,”said Chaudhry.

He likened using the Internet to using a kitchenknife — it’s a good tool when used right and a dangerous weapon when used wrong, he said.

Security Holes

The entire system needs better authentication to regulate those wholog onto the systems that regulate the grid, according to Chaudhry. Power grid management programs are old and in many cases need to be upgraded, he noted.

“This is a tough job. Upgrading is often delayed due to complacencyand complexity,” said Chaudhry.

Some security firms focus on products to provide a single accesscontrol point. Others preach the benefits of multiple access.

Single control is both good and bad, Chaudhry believes. Nothing iswrong with multiple control agencies; what is more important isknowing who is running on the grid and managing it and whether the badguy is being spotted, he argued.

“The problem is multifaceted. The industry needs to figure out whereto start. Not much is being done yet,” he said.

Smart Grid Mentality

Energy grid engineers are looking ahead to transition into a type of infrastructure known as a “smart grid” — in other words, a power grid that not only delivers energy but also communicates data to both users and operators.

One problem a smart grid addresses is the need tooptimize traditional energy sources and integrate new sources ofenergy from new suppliers like wind generators, water dams, etc., according toJohn Morrell, vice president of product marketing at Aleri. Hiscompany develops complex event processing (CEP) technology solutions.

“Companies are looking to create a smarter energy grid. This is a realinteresting area. With today’s economy, people are going in witheconomic stimulus funds. The problems that need fixing can take two tofour years to solve,” Morrell told TechNewsWorld.

Infrastructure issues include smart metering technology. These newtypes of meters are gradually being installed at customer locations. However,the huge volume of data they generate largely goesunused by many companies, he explained.

For instance, many energy companies aren’t currently convinced about how reliablethe data is and haven’t determined how to use it. The data about all of the dynamics associated with energy distribution and consumption flows like water from a fire hose.

“Even basic business issues such as overcharging or underchargingcustomers can occur due to lack of familiarity with the newtechnology,” he said.

What It Does

Smart meters could give energy users the ability to reduce their consumptionmore reliably and provide more dependable billing cycles.Customers that agree to these opt-in programs could get much betterenergy rates. Energy companies could send alerts to heavy consumers.This would help consumers monitor the causes of excessive consumption,according to Morrell.

“Another benefit is the cost effectiveness. There won’t be a need toread meters every other month. This technology is out there. Companiesare learning how to use it,” he said.

Locking Up the Grid

The smart grid requires that both production and distribution centersbe secured. End-user end-points must be ultimately as secure as anyother access point in the grid, according to Fedronic.

Secure terminals will have to be created. It makes sense to equipthese terminal points with certified security chips that can operatecryptographic algorithms, he noted.

“With secure terminals using certified security chips and operatingcryptographic algorithms, cybersecurity easily moves to immediatecapabilities of analysis, isolation and elimination. Today, throughstrong authentication methodologies of varied types, users or machinescan be suspended in action and access shut down in seconds at thefirst alert to any inconsistency or any pre-set parameters,” Fedronicexplained.