If you based everything off what major news outlets are saying, you’d think our Critical National Infrastructure, particularly the energy sector, is riddled with weaknesses and ripe for a catastrophic cyber-attack. But the reality is, we haven’t experienced one yet (thankfully). Putting aside larger political reasons (fear of retaliation, widespread economic effects, etc.), is it possible that we haven’t seen one because these vulnerabilities have been overstated or the likelihood has been exaggerated? Below are some of my personal thoughts on the matter.
Note: To be clear, I do not mean to imply we are “in the clear” and don’t need to worry about cybersecurity for the energy grid. On the contrary, continual efforts on best practices development, standards creation, regulation and vertical-specific technologies is of the utmost importance, especially as energy systems are brought online. I’m merely trying to see through the FUD and showcase the efforts that have helped keep the grid safe so far.
Major Systems Have Been Offline and New Smart Systems Will Be Secured from the Start
Grid providers are being hacked every day (303 incidents were reported to the Industrial Control Systems Cyber Emergency Response Team [ICS-CERT] in 2015), but most of those hacks were unsuccessful due to major systems that could cause devastation being either off-line or accessible only by private networks (i.e. not run over the internet). Vulnerabilities to older systems are being addressed through retrofits, but again most of these systems are offline.
The good news is the next generation of smart grid systems are being designed with security in mind from day one. One good example is the Open Field Message Bus (OpenFMB) framework that provides a specification for intelligent power systems field devices to leverage a nonproprietary and standards-based reference architecture, which consists of internet protocol (IP) networking and Internet of Things (IoT) messaging. OpenFMB is one of Smart Grid Interoperability Panel’s (SGIP) Energy IoT initiative projects, developed to accelerate IoT innovation within the energy industry.
As seen in other industries such as automotive, manufacturing and smart cities, the value added services around energy grid IoT innovation are virtually limitless. However, just like other industries, security concerns are top of mind. That’s where the North American Energy Standards Board’s (NAESB) role really proves vital. OpenFMB has smartly teamed with NAESB to develop a complementary set of standards for utility providers to follow. Given NAESB’s track record of standards development and tight relationship with NERC and FERC, a set of standards to accompany OpenFMB’s specification is more likely to gather industry participation and accelerate adoption.
Our Grid System Works in Our Favor
Based on the way the grid systems are managed, I don’t see a country-wide grid outage. Yes, maybe a very bad high density outage in a major U.S. city, but that scenario is more likely to be the result of explosives being thrown in a manhole that includes cables to many energy distribution points. I think the focus on cyber versus physical vulnerabilities lately has detracted from the physical vulnerabilities a bit.
Don't Forget - Cybersecurity Is in a Grid Providers' Best Interests
It’s important to remember that grid providers are a business when it comes down to it and will do anything to prevent an incident that could affect their ability to generate and transmit electricity (i.e. earn a profit). Reliability of the grid is their number one priority, so they are extremely motivated to plug in holes and avoid outages.
Grid providers have taken significant steps to protect against unauthorized system access, one of the most common weaknesses in these types of systems. In fact, utility company “end users” were very active in the National Cybersecurity Center of Excellence’s (NCCoE) Identity and Access Management (IAM) initiative to help the electric market implement more secure IAM controls that map to existing energy standards.
Also, incident response measures are a huge part of North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, the set of standards designed to protect the electric grid from cybersecurity-related threats with which all providers must comply, so in the event of an attack or outage, the consequences can hopefully be mitigated.
In terms of putting these standards and plans into action, I see the Independent System Operators (ISOs) and Regional Transmission Operators (RTOs) heavily involved in dealing with emergencies in terms of restoring power. For example, ISO New England’s emergency action plan.
Is a Large Scale Attack Still Inevitable?
I’m sure I’m going to regret these words, but I don’t see a country-wide catastrophic attack being likely. I see pockets of attacks that for sure could be devastating to a given region. I think with the recent, now enforceable, NERC CIP v5 standards, our nation is much more prepared to prevent, contain and stop, cyber related outages and support grid modernization such as OpenFMB.
Grid providers should continue to work with government on pen testing to close vulnerabilities before they are exploited. We should future proof grid systems by creating IoT security standards for specific industries (e.g. grid providers), so the commercial world is consistently building strong authentication, access control and encryption into the products before they are deployed into the field.
As a long-standing and active member of NAESB’s Cybersecurity Sub Committee and Electric Quadrant leadership team, GlobalSign is excited to develop standards-based, strong identity solutions for the energy sector. Building off foundational cyber security standards that serve Operational Technology (OT) today, our focus has shifted to strong identity solutions that are resilient, interoperability and built for scale.