At one time electromechanical and pneumatic devices controlled electrical grids. Clunky by today’s standards, the devices worked, but did not age well.
Now, computers running on open and interoperable software are using the Internet Protocol (IP) to communicate control the grid – and they are not secure.
Wireless and Bluetooth capabilities are appearing in supervisory control and data acquisition (SCADA) devices that are integral to the backbone of grid operations. All of these new features open an entire world of possibilities for more efficient utility operations, but also an entire world of risks.
Those risks will require utilities to make significant new investments in cyber security for industrial control systems (ICS), which will total $4.1 billion over the years between 2011 and 2018, according to a new report by industry researcher Pike Research.
“The smart grid changes everything, but when it comes to cyber security issues, much of the story remains the same,” said senior analyst Bob Lockhart. “Integrating information technology into a power grid presents enormous potential to deliver energy more efficiently and profitably, but also brings inherent risks in terms of security vulnerabilities. The discovery of the Stuxnet worm in 2010 let the world know what security experts knew for years and that was the fragility of industrial control systems such as SCADA. That awareness has created a new urgency among security vendors and utility managers alike. Nearly overnight, ICS security went from being a non-issue to being critical.”
ICS security initiatives will include major investments in control consoles and systems, telecommunications security, human-machine interfaces, and sensors and collectors, Lockhart said. ICS security enhancements will serve key grid operations application areas such as distribution automation, substation automation, and transmission upgrades.
Right now smart grid deployments are not globally uniform, so some organizations are ahead of the technology curve, Pike report said. Utilities tend to mitigate risks in transmission grids first, because a single outage in transmission can have such a wide-ranging effect, researchers said.
ICS security investments will increase at a relatively steady rate over the next seven years, rising from $309 million in 2011 to $692 million annually by 2018, Pike said. In addition to this revenue, a significant number of professional services opportunities exist, including development and maintenance of security reference architectures for utilities’ control networks, development of security policies and procedures, maintaining employee security awareness programs for ICS, and change management, among others.
Utilities, for their part, continue to deal with an internal cultural conflict between IT departments and grid operations departments, according to the report. However, this does appear to be thawing, with increasing evidence the two sides realize that each has something to offer in running a better business.
Security vendors must now acknowledge and deal with this conflict, since operations groups hold sway over any technology decisions that affect control of a grid.
Utility chief information officers and chief security officers, many of whom have an IT background, have begun to appreciate the need for operations input into security decisions. Security vendors who do not possess sufficient knowledge of utility operations are quickly exposed and dismissed from consideration.
Utilities still do not know all of the right questions to ask a security vendor, especially those relating to securing control systems.
Most SCADA systems were physically and logically isolated from the rest of the world and that isolation formed the sum total of a control network’s security. Stuxnet changed all that. Nearly overnight, ICS security went from a non-issue to being critical. As a result, most security vendors had very little time to think about or develop a methodical approach to securing ICS. Those security vendors who focused on ICS all along may have an advantage, the report said.
The two most commonly recurring themes to securing a control network are:
• Do not do anything that degrades grid reliability.
• Insulate the control network from the enterprise network.
Technologies necessary to secure a control network exist, although quite a few have deployed the technologies.
These technologies are important for smart grid ICS security:
• Change management, e.g., Information Technology Infrastructure Library (ITIL) v3
• Testing labs to simulate the live control grid
• Patch management
• One-way communications
• Network perimeter security, such as firewalls, intrusion prevention, and de-militarized zone (DMZ) deployments
• Application whitelisting
• Host intrusion protection systems (HIPS)
• Data encryption at rest and in motion
• Security overlays for legacy devices (“bump in the wire”)
• Identity and authentication management
• Multiple factor authentication
• Role-based access control (RBAC)
• Network access control (NAC)
• Digital rights management (DRM)
• Security information and event management (SIEM)
• Vulnerability scanning
• Cyber security incident response
• Backup communications routing
Pike Research’s report, “Industrial Control Systems Security”, analyzes and forecasts the market for ICS Security for Smart Grids, with an assessment of the major risks facing smart grid ICS environments.
The company identified risks through a combination of primary research and mapping the environments against key security baselines such as NIST Special Document 800-82, Guide to Industrial Control Systems Security, and ISO27002:2005, Information technology – Security techniques – Code of practice for information security management.