Better Safe Than Compliant


Protecting the smart grid requires a broader strategy.

Fortnightly Magazine - August 2011

When Heather Adkins, Google’s incident response manager, told her fellow security managers last February¹ that “Compliance is the death of security,” she was reflecting the lessons learned by having one of the world’s largest bullseyes painted on her company’s back—and the burden of being accountable for maintaining the integrity of systems that handle several hundred million inquiries from more than 90 million different users every day.

This reality of today’s cyber-threat environment will become more apparent to utility security managers in coming months and years as the industry builds out a smart grid that will more closely resemble the larger, more complex Google network, or an advanced telecom system, than it does traditional in-house communications and control systems.

With the stakes of success measured in the reliable delivery of essential electric power rather than serving up an email message or music video, utility managers and regulators have good reason to feel both increased pressure to perform and heightened concern about their systems’ ability to provide reliable delivery and maintain cyber security.

More than 60 percent of respondents to a 2010 industry survey of utilities and energy companies by the Ponemon Institute reported being extremely or moderately concerned about the threats to their networks from hackers, employees and vendor errors; and 70 percent doubted their ability to apply NERC CIP security standards in their communications and IT networks.

Couple that industry self-analysis with the same survey’s finding that more than half of the country’s power plant and critical infrastructure computer networks have suffered sophisticated infiltrations. Then factor in that the DOE’s inspector general has concluded that FERC and its cooperating organizations might not be able to identify and mitigate cyber security vulnerabilities in the U.S. electric system. Conclusion: We have a problem.

Problem Solving

The U.S. utility industry has a history of successfully addressing problems of this magnitude and greater, from harnessing the nation’s hydro power, to recovering from huge natural disasters such as Hurricane Katrina or the Joplin tornado, to moving past the Three Mile Island accident. This has been due in large part to the industry’s engineering skills, can-do attitude, and ability to organize and manage its resources in a hierarchical manner to define project objectives and create significant in-house capabilities for delivering solutions.

Over the decades, the consensus that reliability is the industry’s overarching objective has, in general, made sufficient resources available for the systems, staffing and infrastructure needed to surmount problems, accommodate growth and maintain standards. But the cyber security threat is entirely different, posing new potential risks to millions of individuals in a way that isn’t easy to combat centrally and resists easy risk-cost-reward valuation.

But here’s the rub.

The emphasis on cyber security for the North American bulk electric system takes the form of the NERC Critical Infrastructure Protection (CIP) standards. These standards set only a minimum level of security performance with which utilities must comply—and only for the high voltage transmission systems, not the distribution grid. Unfortunately, a compliance checklist approach—which the NERC CIPs tend to require—might inherently lack the scope and adaptability needed to counter digital adversaries’ continually emerging and evolving strategies and tactics. In other words, there’s a tendency by regulators and legislators to enforce security through compliance with the NERC CIP standards, and not necessarily to focus on protecting the most critical assets or addressing the highest cyber risks.

“Hackers don’t have checklists,” said Chris Villarreal, the California Public Utilities Commission’s smart grid staff lead, at the Utilities Telecom Council’s Smart Grid Policy Summit in April, adding that utilities can’t think they’re secure by simply checking off a list of compliance requirements.

Hamstringing Security

Having recognized the immediacy and scale of the smart grid cyber security challenge, utility management and regulatory officials understandably feel a great deal of urgency to show their customers, ratepayers and constituents that they are taking appropriate and effective protective action. Ironically, moving quickly without a complete understanding of the technical, policy and regulatory implications for the security environment can produce results that don’t necessarily address the highest threats.

For instance, compliance with the NERC CIP standards might not prevent Stuxnet-like attacks. Additionally, the NERC CIP standards don’t apply to the distribution grid, where most of the smart grid deployments are taking place.

In another example, consider the new smart meters that are now being installed. Currently there are no specific cyber security standards in place for smart meters; however, that doesn’t preclude aggressive testing of the meters to identify vulnerabilities and establish corrective fixes to make the meters more secure. Unfortunately, in a compliance-focused environment, proactive security testing of meters might not be encouraged or even considered valid. Because the expense of the testing isn’t considered “required,” it is excluded from the system design and deployment.

Lack of coordination among the multiple federal, state and regional jurisdictions asserting authority over smart grid security is also likely to generate confusion, conflicts and unsupported confidence in system security. Already, the California PUC is expecting to issue its own cyber security standards in the face of early smart grid rollouts, and other states, including Ohio and New York, have similar inquiries in the works. But such action would still generate confusion and inconsistent implementation of these standards, because the California PUC has jurisdiction only over the investor-owned utilities in the state (e.g., San Diego Gas & Electric, Southern California Edison, and Pacific Gas & Electric), which excludes such large public utilities as the Los Angeles Department of Water and Power (LADWP) and the Sacramento Municipal Utility District (SMUD).

The combined effects of well-intentioned early action and incomplete or contradicting guidelines from various jurisdictions increase the likelihood that the policy and operational focus will remain on compliance—reporting and documentation that can be mandated and measured—rather than on a more holistic, risk-based philosophy that has been used successfully in the non-utility world and is a foundation of U.S. federal agency information security programs.

Holistic Risk-Based Answers

Because the smart grid’s ability to deliver intelligence will be the result of secure two-way data flow throughout a system of meters, switches, gateways, SCADA/EMS control centers, databases and energy sources, the entire system must be viewed holistically and the data must be protected from the meter to the utility and back. In addition, utilities and regulators will need to take a new holistic view of resource allocation and performance expectations, balancing—or allowing the market to balance—benefits, risks and costs.

As Gartner Research observed in its April 2010 report The Myth of Smart Grid Security, “There is no such thing as perfect security, and residual risk will always be an issue. Utilities need to assess the risks and make good decisions over which controls are reasonable and appropriate to their situation.” Of course, this approach might be problematic with the regulators. However, simple legislation and adding more rules might not help fill the gap to maintain security of the transmission and distribution grids. Therefore, there needs to be a balance between the accountability on which regulatory systems rely and the flexibility needed to respond to changing risks.

The weakest link in this chain will be different in every system and will change from day to day. Each link could present a vulnerability that allows penetration by outsiders, or a chance for damaging mistakes by employees. But both cyber and physical security vigilance across this system will be the price for the immense opportunities of real-time pricing, load and consumption management, cost savings, improved environmental impact, and more effective distributed power integration.

The industry has taken productive initial steps to increase cyber security vigilance with NERC CIP mandates—which don’t directly address all smart grid deployments because of the NERC CIP focus on the bulk electric system. These actions have included participation in the NERC Smart Grid Task Force, the NIST Smart Grid Cyber Security Working Group, and GridWise, to name a few.

But in the intensive next phases of work to be done to protect the confidentiality, integrity, and availability of the smart grid’s two-way data streams, the industry needs to consider a risk-based, holistic security approach that’s more consistent with major global standards, such as ISO27001 and NIST 800-39, which are used across many industries worldwide.

Work is underway on that front. “NERC recognizes that there needs to be additional emphasis on identifying critical assets and increasing the focus on risk-based approaches to security,” observes Mark Weatherford, NERC vice president and chief security officer. “NERC, DOE, NIST and selected utilities are currently working together in a public-private collaboration to develop cyber security risk management guidelines that provide a consistent, repeatable, and adaptable process for the entire electricity sector. These voluntary guidelines sit on top of current CIP standards and will enable organizations to proactively manage risk.”

Tiered Defense & Tools

In implementation, utility smart grid deployments must be able to contend with potential threats on three levels: administrative, physical and logical security. In assuring the adequacy and currency of implementation, utilities and regulators must develop an expanded focus with a range of evaluation and oversight requirements that go beyond the current NERC CIPs, which tend to be more of a required minimum.

An effective, comprehensive tiered defense structure functions on four primary levels:

1) Risk framework: The foundation for an effective security approach is to evaluate your assets and identify those that are most critical—i.e., critical data stores, critical assets most important to the utility’s core purpose, etc. Then with these assets in mind, identifying the key threats to the utility and the vulnerabilities of concern can help lead to a comprehensive security defense focused on protecting the critical assets.

2) Administrative security: Policies and standards for the organization and its vendors to maintain a secure network, including development of a robust program, identification of leadership, determination of key smart grid assets, a security exception management process, an information protection program, policies on change control and configuration management, an audit and oversight function, and properly trained personnel.

3) Physical security: Protection of critical assets and smart grid components and systems from direct physical attack or environmental impact by use of fences, surveillance systems, robust component design, and alert systems.

4) Logical security: Processes and steps to protect the digital data flowing through the system, including encryption, authentication requirements, application security controls, security patches, malware removal, maintenance hooks, and testing and hardening.

Constant vigilance will be required to maintain cyber security, including focused awareness of the threats, continuous monitoring for intrusion or abnormalities, real-time reporting and monitoring of metrics, and preparation of and practicing an incident management and recovery plan.

To address and move beyond current compliance and oversight standards, utilities will need to expand their focus. Basic NERC CIP compliance should be extended to cover non-routable protocols and associated electronics and systems that are important to the control and reliability of the electric grid. Regulators also should adopt a performance-based oversight and assessment scheme to focus on a utility’s actual security posture and performance, rather than on the quality or content of its supporting paperwork. In other words, utilities should first spend their resources on identifying and protecting the critical assets, then complete the NERC CIP paperwork.
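The risk framework in the first tier above, and the advice to fund protection of critical assets before completing compliance paperwork, can be made concrete with a small risk register. The following Python is an added example written for this article, not code from the magazine, NERC or any utility. The asset inventory, the 1–5 scoring scales, the mitigation costs and the in-scope flags are all constructed for illustration; a real utility would populate them from its own asset register, threat assessment and vulnerability testing. The example also goes slightly beyond the text by showing, side by side, which assets a CIP-only checklist would examine and which high-risk assets it would never see.

```python
"""Risk-based asset prioritization for a smart grid deployment.

Added example (not from the original article). The inventory, the 1-5
scoring scales, and the mitigation costs are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # 1-5: impact on reliable delivery if compromised (assumed scale)
    exposure: int         # 1-5: reachability from untrusted or shared networks (assumed scale)
    vulnerability: int    # 1-5: severity of known weaknesses / patch state (assumed scale)
    mitigation_cost: int  # constructed budget units needed to bring the asset under control
    in_cip_scope: bool    # whether NERC CIP compliance currently mandates controls here


def risk_score(asset: Asset) -> int:
    """Multiplicative risk score (1..125): high only when all three factors are high."""
    return asset.criticality * asset.exposure * asset.vulnerability


def rank_by_risk(assets):
    """Highest risk first; the name breaks ties so the order is deterministic."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def compliance_view(assets):
    """What a checklist audit sees: only the assets the CIP standards cover."""
    return [a.name for a in rank_by_risk(assets) if a.in_cip_scope]


def compliance_gap(assets, threshold):
    """Assets at or above the risk threshold that a CIP-only program never examines."""
    return [a.name for a in rank_by_risk(assets)
            if risk_score(a) >= threshold and not a.in_cip_scope]


def allocate_budget(assets, budget):
    """Greedy plan: fund the riskiest assets first, skipping any whose cost does
    not fit the remaining budget. Returns (funded asset names, unspent budget)."""
    plan, remaining = [], budget
    for asset in rank_by_risk(assets):
        if asset.mitigation_cost <= remaining:
            plan.append(asset.name)
            remaining -= asset.mitigation_cost
    return plan, remaining


# Constructed inventory for a utility with both transmission and distribution assets.
INVENTORY = [
    Asset("EMS/SCADA control center",             5, 2, 2, 30, True),
    Asset("Substation routable gateway",          5, 3, 2, 15, True),
    Asset("Substation serial RTU (non-routable)", 5, 3, 5, 25, False),
    Asset("AMI head-end server",                  4, 4, 3, 20, False),
    Asset("Smart meter firmware",                 3, 5, 4, 40, False),
    Asset("Customer billing database",            3, 3, 2, 10, False),
]


if __name__ == "__main__":
    for a in rank_by_risk(INVENTORY):
        flag = "CIP" if a.in_cip_scope else "   "
        print(f"{risk_score(a):3d}  {flag}  {a.name}")
    print("Compliance-only view:", compliance_view(INVENTORY))
    print("High-risk assets outside CIP scope:", compliance_gap(INVENTORY, 40))
    print("Funded with 60 units:", allocate_budget(INVENTORY, 60))
```

With the constructed numbers, the three riskiest assets (the non-routable substation RTU, the meter firmware and the AMI head-end) all sit outside CIP scope, so a compliance-only audit would report the two in-scope assets and nothing else; the budget allocation funds by risk rather than by scope, and the multiplicative score means an asset is prioritized only when it is critical, exposed and weak at the same time.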

Additionally, the industry should consider risk-based security practices from other industries, such as defense, banking, and financial services, including improved monitoring and alerting capabilities in a holistic, risk-based perspective.

Utilities should implement best practices defined by internationally recognized ISO standards, such as ISO27001/2, that are focused on risk-management and will establish a base of fundamental performance-oriented security practices on which the organization can build.

Finally, we should learn lessons from industrial control failures and data breach investigations. As the strategies, tactics and technologies used by those attempting to invade secure systems evolve, an important response by security professionals as an industry is to gather information about attempted and successful invasions as a basis for updating and adjusting standards and procedures. Utilities will move to a higher level of preparedness by participating in this process.

The deployment of the smart grid will bring an increasingly complex command, control and information system and a multiplicity of new communications paths with two-way data flows. This is likely to open new vulnerabilities to attacks on the confidentiality, integrity and availability of data belonging to individuals, businesses, organizations and governmental units. Utilities must develop new protection processes to complement those already in place to protect systems and other assets, in order to be better prepared to address not only deliberate attacks from disgruntled employees, competitors and terrorists, but also inadvertent compromises of information due to errors, equipment failures and natural disasters.

With a secure and reliable communications infrastructure incorporating a tiered, risk-based defense system and available tools and standards, it will be entirely feasible to have a smart grid that is as smart as it should be from end to end.

And on the way to that point, the entire utility industry will learn that security is the life of compliance.



1. RSA Conference 2011, San Francisco.