SAN FRANCISCO -- Smart grid security issues are many and varied, but a panel of experts at RSA Conference 2011 said those problems won't be solved unless information security pros find a way to bridge the huge chasm between them and utility infrastructure teams.
A smart grid is essentially an energy grid merged with IP-based network capabilities to enable bi-directional communication, coordination and control. The goal is to make the energy grid more decentralized, resilient, secure and responsive to consumer demand and utility supply. However, adding Internet technologies to energy grids exposes them to many of the security threats traditional networks face, most notably the danger of cyberterrorists taking down utilities' critical infrastructure.
Each of those silos has its own IT groups... They don't want to converge with typical IT because they see typical IT
as the risk.
Salt River Project
Panelist Gib Sorebo, chief cybersecurity technologist with McLean, Va.-based utility technology solution provider Science Applications International Corp. (SAIC), said it's critical for information security teams to begin learning how to apply security to smart grid elements like grid automation, substation automation, power transmission and synchrophasors, even if technology implementations are a ways off.
"This is an industry where you have hundreds of different standards, whether it's substation automation or a distribution management project, and they all have different protocols," Sorebo said. "So understanding how all that is going to work, even if you're not implementing [smart grid technology] for another five or 10 years, is critical. You have to have that roadmap defined to address those risks."
To illustrate the scope of the security challenges, Sorebo said one utility company his organization works with is developing its smart grid, and eventually each of its 100,000 customers will have an Internet-enabled meter, which will become nodes on the provider's smart grid network. He said the utility has only 150 employees and likely can't afford to hire more to manage and secure those devices, meaning it must find automated ways to secure the meters without dramatically increasing overhead.
The threats we see in the smart grid today are exploiting very traditional IT system weaknesses.
Landis & Gyr
Speaker Heath Thompson, vice president and chief technology officer with Switzerland-based utility infrastructure provider Landis & Gyr, was a strong advocate of using existing security tools and tactics. He said smart grid systems have huge potential to provide security data that can be accepted by today's information security management and threat mitigation tools.
The transition to smart grids has gained momentum in recent years, but one of the smart grid security issues that has been static for decades is the internal structure of utility companies. Panelist Mike Echols, critical infrastructure protection program manager for the Salt River Project, an Arizona-based utility company, said most utilities' power generation, distribution and transmission teams all operate independently from each other, as well as the IT organization.
Plus, Echols added, most power companies have a separate infrastructure security team that oversees security and continuity for the grid, control relays and other electrical devices. He said the operations teams believe structure is sufficient, when in reality it doesn't take information security into consideration.
"Each of those silos has its own IT groups, and there's a reason for that," Echols said. "They don't want to converge with typical IT because they see typical IT as the risk."
Echols said information security teams must try to break down those barriers by educating business leaders about the potential threats smart grids introduce and convincing those leaders that cybersecurity needs to have a leadership position in the smart grid deployment process.
We're embedded in IT, so we don't really have a voice, but that's changing, and NERC CIP compliance is driving that change.
Salt River Project
Plus, Thompson said, as new smart grid infrastructure elements emerge, like electric vehicle charging stations, integrated security will become even more important to the overall business. "If you're thinking about having charging stations without security, you're leaving a point of vulnerability in the network," he said. "The threats we see in the smart grid today are exploiting very traditional IT system weaknesses."
One factor that will likely give information security teams more leverage in securing smart grids is the demand for compliance with the North American Electric Reliability Corp.'s Critical Infrastructure Protection (NERC CIP) plan. Comprising more than 100 NERC reliability standards, the CIP establishes requirements for the protection of critical electrical grid assets.
With information security being a key element of NERC CIP compliance, Echols said it's giving cybersecurity teams more leverage within many utility organizations. "We're embedded in IT, so we [in information security] don't really have a voice, but that's changing, and NERC CIP compliance is driving that change."
Information security teams must adjust to the culture of utility operations as well. Echols said infosec has to realize that real-time mission-critical utility systems can't be taken offline to remediate security issues like IT systems would. Even using traditional security tools like protocol analyzers to diagnose problems can affect system performance beyond what utility operations teams consider acceptable.
"It's a trust issue," Echols said. "In a utility company, if [security pros] talk to operations managers, they don't trust you to touch the power system because you might break it." He said security pros have "to be a little more humble and understand the perspective" when communicating with their utility operations counterparts.
Attendee Lynda Morrison-Rader, a utility information security consultant based in Nevada, said that trust between information security and utility operations teams can only be built slowly over time by ensuring both groups listen to each other.
"The problem is," Morrison-Rader said, "the security risks are moving faster than they're able to solve."