Predicting the future has proven to be a futile endeavor time and again. However, sometimes there are larger, connected developments that allow us to anticipate events. For example, take the end of the internet bubble or that of the recent housing excesses. Most of us just knew that it wouldn't last forever. Smart grid cyber-security may well fall into the same bucket. Signs of challenges and issues are mounting at the moment. The recent and highly public discussion of Stuxnet is simply the most visible indicator of this development.
In this light, we have certainly seen some commotion within the industry. If you allow the density and popularity of conferences as a lead indicator for smart grid cyber-security concerns, then there truly is a sustained interest in the topic. Recently, there have been two notable events: the popular Smart Grid Cyber Security conference in San Jose and the very interesting Applied Control Solutions Control System Cyber Security conference in Washington, D.C. Both offered a surprisingly nuanced take on the issue with their quality of speakers, breadth of topics, depth of knowledge and the ease with which insights were shared. Our impression was that participants and speakers agreed on the mounting evidence for smart grid cyber-security challenges. What became clear at both events is that securing backend systems and their communication capabilities does not suffice.
Take the intrusion of smart meters, for example. Scott Borg, head of the U.S. Cyber Consequences Unit, stated that it is feasible to attack large numbers of smart meters, which implies that any false sense of security derived from the fact that the large systems seem safe is very dangerous. Most surprising, Borg mentioned the possibility that hackers could commit arson after breaking into smart meters, e.g., by cycling relays until they burn. Although fires would start in only a tiny percentage of cases, he said, the scale possible with cyber-attacks makes such scenarios a real worry. He also discussed the economic consequences of a cyber-attack by explaining that supply chain resilience breaks down after about three and a half days, which means that power outages beyond that point can potentially turn into a threat to national security.
A similar message came from Matt Carpenter at InGuardians, who stated that organized crime and nation-states take monetary and incendiary interest in power grid control systems. Prompted for what he sees as the biggest challenge today, he pointed to possible difficulties in communication between utilities and technology vendors, which can lead to security vulnerabilities. Carpenter made it clear that AES-128 implementations alone will not secure the overall system. He also stressed that smart grid security and IT security are not one and the same because of very different tolerance levels: rebooting a PC is easy compared to rebooting a network of devices in the transmission or distribution grid. Most important, IT and smart grid security will have to work hand-in-hand to achieve acceptable levels of security.
This point was further supported by Joe Weiss, a well-known author and leading industry expert, who stated that many of the existing devices in ICS (SCADA/control system) networks are unsecured today and thus subject to vulnerabilities. Weiss emphasized that 70% of ICS network devices still use serial ports, which are highly susceptible to cyber-attacks. In his view, one of the key requirements for any security solution is that it cannot interfere with system performance. In our opinion, this point, which many participants reiterated, necessitates the development of small, highly efficient security solutions in terms of the cipher, authentication protocol and key management solution.
A related issue came up during a panel discussion with several smart meter vendors at the San Jose event. All agreed that smart grid security features will need to consider power as a key requirement. The power efficiency of a security solution matters greatly to consumers and utility clients, and thus to meter manufacturers. This could well become a competitive advantage for those vendors that move into energy-efficient security solutions quickly. It was very reassuring to hear that most vendors quietly collaborate with one another to seek and deploy tighter security features. This is certainly the wrong field to compete against one another, for obvious reasons.
Some additional, highly interesting findings included the fact that there have been roughly 2,600 cases where SCADA manuals and tutorials have been found in the hacker community in the last year alone. That is an alarming figure, as threats to industrial control systems might well rise once Stuxnet has been analyzed and fully understood. According to unconfirmed sources, one of the highest priorities within cyber-security at the Department of Homeland Security is the current and imminent threat to U.S. infrastructure. Somewhat surprisingly, we have also heard about vulnerabilities in vehicles, which seems reasonable from the perspective that automobiles are becoming increasingly connected and are not sufficiently secured against cyber-attackers.
Within these recent conferences there has been a predominant focus on the problem rather than the solution. This is understandable since solutions are a lot harder to come by today than problems. In our assessment, cyber-security solutions for the smart grid and ICS will follow once the discussion of threats and vulnerabilities is led in an open and collaborative way. Hopefully, it won’t be long before we see more solutions than issues at highly relevant events such as these.
Chris Hanebeck is the VP of Product Management at Revere Security.