A host of government initiatives and new technologies are helping to raise cybersecurity standards within the power industry. Sean Ottewell examines the consequences.
According to market research firm Pike Research, utility companies have increased their cybersecurity awareness over the last 12-18 months and are now demanding to know more about protection products. So much so, in fact, that Pike predicts that cumulative smart grid cybersecurity investment from 2011 to 2018 will total US $14b (EUR10.7b).
"Cybersecurity remains a check-the-box exercise for many utilities, with spending limited to whatever is needed to survive compliance audits," says senior analyst Bob Lockhart. "As some technologies, such as smart metering, near a decade of thought and deployment, the approach to cybersecurity has become more thoughtful. One thing, unfortunately, has not changed: cybersecurity is still way behind the attackers."
Meanwhile, Lockhart adds, control system security has begun to receive the attention it deserves as a critical element of grid stability. As utilities' operations teams have become savvier about security, the likelihood that IT security solutions will be considered as immediate fits for control systems, without modification, has lessened. Smart grid technology vendors are now proactively seeking out security vendors for assistance in building cybersecurity into their new products. As a result, 63 per cent of smart grid cybersecurity investment through to 2018 will be focused on utility control system segments. [Page Break]
Security options
TDi Technologies has announced the availability of its new, automated baseline configuration management (BCM) solution designed to provide managerial visibility and control over the BCM practice while eliminating the majority of sources where human error can result in unintentional device configuration changes that impact the overall security practice.
"Without automation, BCM is a costly operations activity that is difficult to manage and prone to mistakes that can leave the utility provider vulnerable to cyber attack," said Terry Schurter, TDi Technologies vp of marketing, ConsoleWorks BCM solution looks at the problem holistically by taking a device and platform agnostic approach for supporting all routable protocol devices."
In the US, the utilities industry in particular, is required to meet certain NERC-CIP (reliability) requirements for establishing and retaining a set of secure configuration profiles across hundreds, often thousands, of cyber assets.
ConsoleWorks automates BCM of all cyber assets from the control room, to the substation, to the pole. It periodically retrieves the current configuration of each monitored asset and compares it to the established baseline. If a difference is detected, an event is created and logged and a notification is sent to a designated person for further assessment.
Also in the US, Sensus has announced a partnership with EnerNex and Oak Ridge National Laboratory (ORNL) to conduct a demonstration of the automated vulnerability detection (AVUD) system. The AVUD project is developing a system for cybersecurity vulnerability detection in smart grid components. The system, known as the function extraction (FX) system, will apply the newly developed technology of software behaviour computation. The project will initially focus on improving security in software that controls smart meters.
As part of the joint collaboration, Sensus is providing smart meter architecture, firmware and source code to be evaluated, with EnerNex contributing expertise in evaluating smart grid utility technologies. ORNL devised the FX technology evaluation platform to perform static analysis of the compiled software and device firmware. FX technology is a powerful analytical technique that will be used to compute the behaviour of software in all circumstances of use to determine everything it does, and detect inclusion of both unintended and maliciously inserted vulnerabilities in smart grid components. [Page Break]
By directly analysing the compiled software, AVUD will be able to detect the inclusion of both such vulnerabilities. Based on this information mitigations for these vulnerabilities can be recommended.
According to Sandy Bacik, principal consultant and AVUD co-principal investigator at EnerNex, once the AVUD project is complete, the FX technology could prove beneficial in the development life cycle for smart grid components in tandem with ongoing quality assurance testing: "The software present in smart meters is the initial target for this effort. While testing can only provide information about the specific scenarios actually observed, static analysis with FX can provide information about system behavior under any circumstances of use, and provides a significantly more robust means of vulnerability detection."
Rick Linger, senior cybersecurity researcher and AVUD co-principal investigator at ORNL, said: "It is our hope and anticipation that this gives us a more powerful analysis capability to detect any vulnerabilities that may be present in the code."
For its part ABB anticipates the security challenges and constantly adapts its systems to the latest developments in security (Fig.1).
One of its key offerings is the new RTU560 that responds specifically to the needs of the power industries and assure a high level of cybersecurity. User access control, security logging, hardware hardening are implemented according to NERC-CIP and IEEE 1686 standards. Different algorithms and various encryption standards are used for password and log file storage.
In terms of user access control, the RTU560 supports user authentication and authorisation on an individual user level. User authentication is required and authorisation is enforced for all interactive access to the device. It also allows full management of user accounts - creating, editing and deleting them freely. User names and passwords can be configured according to customers' requirements.
The RTU560 also creates audit trails (log files) of all security relevant user activities. Security events that are being logged include user login, logout, change of parameters, configurations, or updates of firmware. For each event date and time, user, event ID, outcome and source of event are logged. Access to the audit trail is available to authorised users only. Security events and alarms can be sent via host protocol to the control systems.
ABB strives to improve the security and robustness of its products by performing security testing and hardening. So the RTU560 has been systematically hardened, for example unused services have been removed and unused ports closed. Furthermore the RTU560 has been thoroughly tested at ABB's dedicated, independent security test centre using state-of-the-art commercial and open-source security testing tools. [Page Break]
According to Intergraph, security planning must anticipate intelligent, adaptive adversaries and large-scale emergencies that create terror and confusion, and complicate response by causing multiple, simultaneous incidents. In those circumstances, the sheer volume of inputs from alarms, sensors, video cameras, and other sources can overwhelm a security team and provide a confusing picture of the unfolding situation.
"That's why security systems must do more than provide raw information - they must provide automation, intelligence, and interoperability to streamline work processes and maximise resources," says the company.
Intergraph's critical infrastructure protection solutions provide domain awareness in day-to-day operations, as well as emergency incidents, and the ability to execute multi-tiered security plans. The company's common operating picture integrates incoming data at a rapid rate, giving you the advantage of real-time, actionable intelligence when seconds count.
Its PSIM and PSIM+ solutions incorporate a suite of applications that work well individually or in concert. While most security systems only detect and perhaps assess potential threats, Intergraph says that its solutions enable users to detect, assess, and respond to an incident of any magnitude.
US initiative focuses on cyber threats to electric grid
US energy secretary Steven Chu has announced an initiative to further protect the country's electrical grid from cyber attacks. The 'Electric Sector Cybersecurity Risk Management Maturity' project, a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security, will leverage the insight of private industry and public sector experts to build on existing cybersecurity measures and strategies to create a more comprehensive and consistent approach to protecting the nation's energy delivery system.
"This initiative is another important step forward in improving the security of the nation's energy infrastructure and ensuring that the country's electrical systems remain secure, reliable and resilient," said Chu. "Establishing a comprehensive cybersecurity approach will give utility companies and grid operators another important tool to improve the grid's ability to respond to cybersecurity risks."
"This effort will be focused on performance-based strategies and concrete steps to measure progress of cybersecurity in the electric sector," noted White House cybersecurity coordinator Howard A Schmidt. "It is important to understand the sector's strengths and remaining gaps across the grid to inform investment planning and R&D, and enhance our public-private partnership efforts."
The new initiative will develop a 'maturity model' that allows utility companies and grid operators to measure their current capabilities and analyse gaps in their cyber defences. Maturity models, which rely on best practices to identify an organisation's strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality
