PKI Management for the Largest Interconnected Machine
Nearing the six-month mark of this year, 2017 has brought increased concern for global cybersecurity awareness. From a cursory review of the seven major data breaches of the previous year, just getting that checklist of threats mitigated is a tremendous undertaking for any infosec team. Now, with North Korea rattling its saber again, along with tense US-Russian relations, there appears to be renewed awareness of the need for increased security measures around the power and utility grid’s cyber infrastructure.
In addition to natural electromagnetic pulse (EMP) threats and the risk of a man-made EMP attack, we have known that our power grids are also susceptible to cyber-attacks, with multiple recent occurrences in Ukraine as leading and learning examples.
But could a hacker really bring down what we consider (and all take for granted) the most complex service delivery infrastructure ever created?
The Largest Interconnected Machine
The US electricity grid is a complex digital and physical system crucial to life and commerce in this country. Today, it is made up of more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of low-voltage distribution lines. This web of generators, substations and power lines is organized into three major interconnections, operated by 66 balancing authorities and 3,000 different utilities. That’s a lot of power, and many possible vulnerabilities.
The utility industry in the United States is predominantly self-regulated, and sets its own guidelines and best practices for securing infrastructure (cabling, substations, transformers, interconnections, machines and other endpoints). Not to be caught off guard, and in order to try and stay ahead of what could be imminent threats, the United States Congress proposed the GRID Act a few years ago.
The Grid Reliability and Infrastructure Defense Act, or GRID Act, is actually an amendment to the earlier Federal Power Act to authorize the Federal Energy Regulatory Commission (FERC) to issue orders for emergency measures to protect critical electric infrastructure whenever the President suspects an imminent grid security threat.
Lobbies and legislators on both sides fought for years over who would be in control and set standards. The GRID Act appeared to be a great first step for the US Government in shoring up power grid defenses, but it got mired in legislation and is currently “in review.” In the meantime, the utility industry continues to self-regulate and is busy defining compliance standards and setting regulations to guard against cyber-threats.
What to Protect?
In his 2011 testimony at a hearing, Joseph McClelland, Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, stated:
- Smart grid applications will automate many decisions on the supply and use of electricity to increase efficiencies and ultimately to allow cost savings.
- Without adequate protections, this automation may allow adversaries to gain access to the rest of the company’s data and control systems and cause significant harm.
- Security features must be an integral consideration. Regarding data, there are multiple ways in which smart grid technologies may introduce new cyber-vulnerabilities into the system. For example, an attacker could gain access to a remote or intermediate smart grid device and change data values monitored or received from down-stream devices and pass the incorrect data up-stream to cause operators or automatic programs to take incorrect actions.
- In regard to control systems, an attacker that gains access to the communication channels could order metering devices to disconnect customers, order previously shed load to come back on line prematurely, or order dispersed generation sources to turn off during periods when load is approaching generation capacity, causing instability and outages on the bulk power system.
- One of the potential capabilities of the smart grid is the ability to remotely disconnect service using advanced metering infrastructure (AMI). If insufficient security measures are implemented in a company’s AMI application, an adversary may be able to access the AMI system and could conceivably disconnect every customer with an AMI device.
- If such an attack is widespread enough, the resultant disconnection of load on the distribution system could result in impacts to the bulk power system. If an adversary follows this disconnection event with a subsequent and targeted cyber attack against remote meters, the restoration of service could be greatly delayed.
To summarize, a power utility will need to protect just about everything in its entire infrastructure.
Who Sets the Standards?
Security standards for utility companies are essential. The details in the recent Newsweek article point to the North American Electric Reliability Corporation, which oversees the grid in the US and Canada, as having a set of Critical Infrastructure Protection (CIP) compliance rules and guidelines for how electric companies must protect the power grid both physically and electronically. This includes monitoring the grid for attacks, as well as requiring safeguards such as multi-factor user authentication to keep unauthorized intruders from accessing control networks.
The US National Institute of Standards and Technology has its own recommendations, though they are not mandatory for utilities. A draft version of a new set of guidelines was just released, adding both urgency and detail for utility companies.
As Lila Kee, Chief Product Officer at GlobalSign, pointed out in her blog last year:
Grid providers should continue to work with government on pen testing to close vulnerabilities before they are exploited. We should future proof grid systems by creating IoT security standards for specific industries (e.g. grid providers), so the commercial world is consistently building strong authentication, access control and encryption into the products before they are deployed into the field.
PKI and NAESB Digital Certificates - Where Do You Start?
It’s long been maintained that PKI is the foundation of any cybersecurity infrastructure. To that end, the North American Energy Standards Board (NAESB) created a PKI standard to address an ever-increasing power grid cyber-threat landscape. High-stakes energy applications such as energy trading, off-peak consumption, smart metering expansion and eTagging require strong authentication and encryption provided through NAESB-compliant certificates.
NAESB is an industry-run voluntary standards body whose wholesale and retail gas and electric participants (generators, distributors, marketers and end users) focus on creating and promoting voluntary standards affecting the North American grid, leading to a seamless marketplace for grid operators, regulators, and customers. One such area of standards development is the Cyber Security Subcommittee (CSS), which so far has created a standard around PKI called WEQ-012 (NAESB members only) that many independent system operators follow today.
As a leader and key contributor to the NAESB PKI standard and a NAESB Authorized Certificate Authority (ACA), GlobalSign's Digital Certificates can be used for multiple use cases including secure authentication to online services, access to the NAESB Electronic Industry Registry (EIR), digitally signing email and documents and the encryption of server communications.
GlobalSign's NAESB-compliant Digital Certificates are delivered via a web-based Managed PKI portal, which allows compliance and security officers to easily issue and manage certificates for users affiliated with their organization. Issuing certificates to new users or revoking user certificates is easy through Managed PKI's self-service.
In addition, below are some important dates and deadlines to keep in mind, as well as links to more information, updated certificates and presentations to shore up your cyber-secure power grid and PKI landscape.
- NYISO participants transition to NAESB ACA Certificates by May 2017
- Video Update
- Other individual ISO NAESB ACA certificates, requirements and mandates:
  - MidContinent ISO
  - Southwest Power Pool
  - Electric Reliability Council of Texas
  - California ISO
  - Alberta Electric System Operator
- Whitepaper: Secure Critical Infrastructure Networks Against Cyber Attacks
- ALL Energy Sector Digital Certificate Inquiries
- Reference: Testimony of Joseph McClelland, Director, Office of Electric Reliability, Federal Energy Regulatory Commission, Before the Committee on Energy and Commerce, Subcommittee on Energy and Power, United States House of Representatives, May 31, 2011. https://www.ferc.gov/EventCalendar/Files/20110531082541-Testimony.pdf