The night Benazir Bhutto came out of exile, the streetlights went dark.
When the former prime minister returned to Pakistan on Oct. 18, 2007, her homecoming caravan was bombed. Nearly 140 people were killed, including 50 of Bhutto’s guards. Afterward, she suggested the darkened streetlights were no accident, but were part of an assassination plot.
“We need to have an inquiry as to why the streetlights have been shut [off],” she said in a press conference in Karachi.
In a world where streetlights can be used as a weapon, controlling local utility networks becomes more than just a matter of public convenience and necessity. It becomes a matter of public safety and even national security. And in that world, the idea of an inter-networked, automated distribution grid poses troubling questions about cybersecurity vulnerabilities.
“As soon as you connect a device to the communication network, and you can read and remotely control it, it’s subject to cyber attack,” says Joe Bucciero, senior vice president with KEMA Consulting in Philadelphia, Pa. “The real unknown is the potential for misuse, to deny service or do things that impact the grid. For a house it’s not a big deal, but for a power station or a transmission substation it becomes a big problem.”
Of course, Karachi isn’t powered by a smart grid: If the power outage was part of a conspiracy against Bhutto, a human hand pulled a breaker somewhere to shut off the lights. But with an automated, IP-networked distribution system, such a hand could be located almost anywhere in the world. And it could wreak greater havoc.
Although U.S. utilities focus heavily on reliability and safety, distribution systems aren’t considered critical infrastructure in terms of legal compliance (see “CIP Goes Live”). But distribution systems can be critical in terms of their effect on local populations and other vital infrastructure.
“If a city has water-treatment facilities served by a major substation, some utilities aren’t addressing that substation as a critical asset,” says Tobias Whitney, compliance and infrastructure-protection practice leader at Burns & McDonnell in St. Louis. “But major airports, refineries, large data centers and other shared infrastructure are high on a city’s priority list, in terms of criticality.”
Thus, security is becoming a more urgent priority as utilities build out the smart grid. And as distribution systems become more automated and networked, they become larger and more important targets for cyber attack.
“A metering system doesn’t look a lot like a SCADA system,” says Greg Stone, an IT manager with Duke Energy. “But once you start talking about in-home applications and direct control over distribution assets, it starts looking like a SCADA system. And all the concerns around protecting a SCADA system come into play” (see “Aurora Attack”).
Accordingly, security issues feature prominently in utility smart-grid RFPs. For example, in Duke’s Utility of the Future project, now in early phases of development, the company posed a series of questions to vendors and consultants about security safeguards for smart-grid systems. “We asked for ideas about design criteria and architectural recommendations,” Stone says. “We recognize the security issues that are out there, and that’s why we’re trying to bake security into the architecture.”
That means designing new devices and systems with strong security measures. But it also means adding security patches, encryption and authentication measures to existing systems; maintaining all those systems so they are up to date with changing threats and countermeasures; and diligently applying security protocols to ensure only authorized users and valid data are admitted into the system.
“The big challenge with security is managing credentials,” said Ron Ambrosio, who manages the Internet-scale control systems project at IBM’s Thomas J. Watson Research Center, speaking at the Grid-Interop event in November. “In smart-grid application, if I need to get from a thermostat to a real-time market, I need a secure path through there, even if it’s passing through other people’s machines. We need to include security credentials in a cyber-physical business-systems architecture, so encryption is being managed from end to end.”
However, this kind of security is easier said than done.
Encrypted data can travel securely through every link in the smart-grid chain. But each link in that chain might create an opening for an adversary to corrupt the data stream—or worse, to hack into data-management systems. Adding authentication protocols to every link can prevent adversaries from accessing the network and intercepting or misusing data. But it also can create a bigger operational problem.
“The issue is in control systems, where timing is so critical,” Bucciero says. “The existing systems were designed to function in a safe environment.” Securing such systems can be difficult; it requires careful engineering to allow authentication and encryption while still maintaining the timing sequences necessary to keep equipment functioning.
Even with end-to-end encryption in place, effective security also must include intrusion-detection systems to catch hackers or malicious code that might somehow penetrate the perimeter, and block whatever they’re trying to do (see “What Price, Security?”).
“With surveillance and management of the network, we can observe what’s going on,” says Jake Rasweiler, vice president of engineering and network operation for Arcadian Networks. The company provides wireless networks for distribution systems, with built-in layers of security, including authentication and encryption. “If someone gets into the network and does something they shouldn’t, an effective monitoring system allows the utility to track that and take it down,” Rasweiler says.
Securing the smart grid requires a multi-level strategy, rather than one that relies on a single impenetrable wall to keep adversaries out. Such a strategy includes both physical and electronic safeguards, to repel intruders at every doorway into and throughout the system.
“You don’t want a hard, crunchy exterior and a soft, chewy interior,” says Darren Highfill, utility communications security architect with consulting firm EnerNex Corp. “You want many layers of security. The outer layers are deterrents. The next layer is prevention, and several other layers follow behind that.”
Such a layered approach helps contain a cyber attack that is partly successful, stopping it or at least slowing it down so operators can intervene. “You want a well-planned set of procedures for responding to different types of attacks,” Highfill says.
The final layer of cybersecurity is the human layer: the people who perform, maintain and update cybersecurity protocols. Adversaries in the cybersecurity battle are human beings, with objectives and tactics that will shift and adapt over time. Likewise, securing the smart grid will require smart and adaptive people, as well as a corporate culture focused on protecting the system.
“We’re not operating in a safe environment, but we need the smart grid,” Bucciero says. “This is part of the culture change the industry is going through. It’s a matter of plain economics, and a matter of being safe.”