I’m an optimist. A few years ago, cyber security experts and energy executives were speaking different languages. Now, the security of the emerging smart grid is firmly on business leaders’ agendas. That’s progress.
But the technology is still catching up and, at the moment, we’re stuck at an impasse. A truly digital, smart grid is within reach, but we can’t safely implement it without robust security. However, the cyber security industry is understandably slow to create the right security solutions without the digital grid there to protect. We’re waiting for the chicken to lay the egg and for the egg to hatch the chicken.
So, the questions are: why? And what can we do about it? My answers are: because we are stuck in a reactive mode of thinking when designing security solutions. And that we should be building proactive solutions to complement them. If we have good proactive, pre-emptive security in place, we can start building smarter grids and break the impasse.
Very important chickens and vital eggs
The benefits of the smart grid – and the broader internet of things (IoT) – are well known. A digitally connected energy grid supported by smart analytics will allow the energy industry to more intelligently match supply to demand, integrate more renewable energy and roll out clever new services to consumers and businesses. It will mean a leaner and cleaner grid.
The security problems this poses are also starting to become familiar. A lot of the in-field, physical operational technology (OT) is decades old, expensive to replace and designed at a time when ‘cyber’ was a prefix consigned to sci-fi. By networking more and more infrastructure, you create more and more potential doors for hackers, many of them poorly guarded. Few people have an overview of all of these connections, so different teams excitedly press ahead, connecting this or pulling data from that, to create new functionality, only dimly aware of the security implications.
As our energy system becomes more connected, the stakes also get higher. Suddenly, you’re not talking about a substation going down, but a potential grid-wide attack. As the risk escalates, so does the reward for hackers. This has meant that the hacker profile has changed. Whilst before the biggest concern may have been hobbyists, now the potential for ransom or harm has attracted sophisticated organised criminals and even state-sponsored actors. If there’s ever a third world war, my money's on it being fought in cyberspace, and shutting down the power grid will be one of the top strategic targets.
In short, you get a big plate of IT and OT spaghetti, all tangled up and with the potential to create a big mess.
It’s worth thinking about how cyber security traditionally works. The vast majority of current solutions are based on creating tools that protect existing systems. For example, you might install sophisticated firewalls and anti-malware software to try and keep out the cyber criminals and to find and fix problems quickly when they do get in. Then, when the hackers up their game and create new malware, the security companies rush to update their systems and patch new holes. It’s a constant race. It’s reactive.
You can see the chicken and egg problem: the very premise of these solutions is that they’re built to protect systems already there. But utilities are reluctant to build those systems before the security is in place.
Getting proactive and pre-emptive
We advocate something complimentary but different.
If you were an engineer designing a bridge, you would build it digitally first in a CAD tool. You can then test it for different variables and adjust the design accordingly. For example, you could stress test it against certain wind speeds, or a particular number of trucks driving over it and then change the building material. Of course, you’d need to run real life tests once you’d built it too – but this stage provides a degree of confidence without which you’d never dare to dig the foundations.
Exactly the same approach can apply to cyber security. Using intricate attack trees (picture a flow diagram mapping out ways of attacking), it’s possible to model a digital system and stress test it against potential threats. It’s truly creating security by design.
Others have tried this before. However, efforts have typically failed for two related reasons. Firstly, they have relied on someone with knowledge of the system manually building it within the software. With networks as complicated as this, it’s hugely difficult to find someone with that whole-system overview, and very easy to miss things.
Then, similarly, it would be up to the user to dream up and try out the attacks in the model. Again, this is hardly systematic and prone to human error.
By contrast, there are new CAD based systems that can plug into an existing system – either already live or still in the design phase – and automatically map out the entire network, combing it with algorithmic precision and not relying on a knowledgeable but fallible architect to sketch it out in the programme.
Then, the stress test is carried out using attack trees populated with mathematical probabilities. Probabilistic calculations look at the whole system and identify the shortest and most likely attack paths. Engineers can then design a fix and re-test. These calculations are based on decades of combined experience from the Swedish Royal Institute of Technology’s (KTH) electrical engineering faculty.
This approach means energy companies can confidently install smart grid systems, cracking the chicken-egg conundrum. However, it’s important to note that this is not a replacement for reactive cyber security as it’s not a system to fight intruders. Instead, the two types of security should be seen as symbiotic, feeding into one another.
How can you fireproof when you’re busy fighting fires?
So, the technology is there; the will to invest in security is there – that’s everything in place, right?
Actually, there’s one more structural barrier to how cyber security is addressed in energy organisations.
It’s great to see dedicated budgets and teams emerge to take cyber security seriously, as we have over the last few years. However, as with any team, resources are limited. There’s a finite amount of time and money to spend.
This is a problem – not necessarily because the budgets are too low – but because their attention is entirely tied up with reacting to threats. With firefighting.
Someone spots a vulnerability that needs to be patched. Then there’s a malware alert to deal with. Then there’s a new virus going around that they need to ensure they’re protected against – it’s never ending.
In these circumstances, it’s extremely difficult for cyber security teams to carve out time to strategically invest proactive systems. When there’s always another fire to fight, how do you make time for fireproofing?
What’s needed are separate departments – or teams within one cyber security department – with their own budgets completely focussed on reactive and proactive cybersecurity respectively. Obviously they will need to work closely together, but this will ensure that utilities can fireproof as well as firefight.
It’s a fairly big ask – it’s already difficult for energy companies to find and invest in cyber security, especially with top talent so scarce. However, the smart grid is a big project, and its security a big priority. At least though, there’s a way out of that infuriating conundrum of which needs to come first – the chicken or the egg: proactive smart grid cyber security design.