A truly digital, smart grid is within reach, but we can’t safely implement it without robust security
We are optimists. A few years ago, cyber security experts and energy executives were speaking different languages. Now, the security of the emerging smart grid is firmly on business leaders’ agendas. That’s progress.
But the technology is still catching up and, at the moment, we’re stuck at an impasse. A truly digital, smart grid is within reach, but we can’t safely implement it without robust security. However, the cyber security industry is understandably slow to create the right security solutions without the digital grid there to protect. We’re waiting for the chicken to lay the egg and for the egg to hatch the chicken.
So, the questions are: why, and what can we do about it? Our answer is that we are stuck in a reactive mode of thinking when designing security solutions, and that we should be building proactive solutions to complement them. If we have good proactive, pre-emptive security in place, we can start building smarter grids and break the impasse.
Very important chickens and vital eggs
The benefits of the smart grid and the broader Internet of Things (IoT) are well known. A digitally connected energy grid supported by smart analytics will allow the energy industry to more intelligently match supply to demand, integrate more renewable energy and roll out clever new services to consumers and businesses. It will mean a leaner and cleaner grid.
The security problems this poses are also starting to become familiar. A lot of the infield, physical operational technology (OT) is decades old, expensive to replace and designed at a time when ‘cyber’ was a prefix consigned to sci-fi. By networking more and more infrastructure, you create more and more potential doors for hackers, many of them poorly guarded. Few people have an overview of all of these connections, so different teams excitedly press ahead, connecting this or pulling data from that, to create new functionality, only dimly aware of the security implications.
As the energy system becomes more connected, the stakes also get higher. Suddenly, you’re not talking about a substation going down, but a potential grid-wide attack. As the risk escalates, so does the reward for hackers. This has meant that the hacker profile has changed. In the past, the biggest concern may have been hobbyists, but now the potential for ransom or harm has attracted sophisticated organised criminals and even state-sponsored actors. If there’s ever a third world war, our money is on it being fought in cyberspace, and shutting down the power grid will be one of the top strategic targets.
In short, you get a big plate of IT and OT spaghetti, all tangled up and with the potential to create a big mess.
It’s worth thinking about how cyber security traditionally works. The vast majority of current solutions are based on creating tools that protect existing systems. For example, you might install sophisticated firewalls and anti-malware software to try and keep out the cyber criminals and to find and fix problems quickly when they do get in. Then, when the hackers up their game and create new malware, the security companies rush to update their systems and patch new holes. It’s a constant race. It’s reactive.
You can see the chicken and egg problem: the very premise of these solutions is that they’re built to protect systems already there. But utilities are reluctant to build those systems before the security is in place.
Getting proactive and pre-emptive
We advocate something complementary but different.
If you were an engineer designing a bridge, you would build it digitally first in a CAD tool. You can then test it for different variables and adjust the design accordingly. For example, you could stress test it against certain wind speeds, or a particular number of trucks driving over it and then change the building material. Of course, you’d need to run real life tests once you’d built it too, but this stage provides a degree of confidence without which you’d never dare to dig the foundations.
Exactly the same approach can apply to cyber security. Using intricate attack trees (picture a flow diagram mapping out ways of attacking), it’s possible to model a digital system and stress test it against potential threats. It’s truly creating security by design.
Others have tried this before. However, efforts have typically failed for two related reasons. Firstly, they have relied on someone with knowledge of the system manually building it within the software. With networks as complicated as this, it’s hugely difficult to find someone with that whole-system overview, and very easy to miss things. Then, similarly, it would be up to the user to dream up and try out the attacks in the model. Again, this is hardly systematic and prone to human error.
By contrast, there are new CAD-based systems that can plug into an existing system, either already live or still in the design phase, and automatically map out the entire network, combing it with algorithmic precision and not relying on a knowledgeable but fallible architect to sketch it out in the programme.
Then, the stress test is carried out using attack trees populated with mathematical probabilities. Probabilistic calculations look at the whole system and identify the shortest and most likely attack paths. Engineers can then design a fix and re-test. These calculations are based on decades of combined experience from the Swedish Royal Institute of Technology’s (KTH) electrical engineering faculty.
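To make the "most likely attack path, fix, re-test" loop concrete, here is an added sketch; it is not code from the authors or from any product mentioned in this article. The network, node names and step probabilities are constructed for illustration, and steps are assumed to succeed independently of one another.

```python
import heapq
import math

# Constructed model: directed attack steps, each with an assumed probability
# of success. Node names and numbers are illustrative, not measured.
GRID = {
    "internet":       {"office_pc": 0.6, "vendor_vpn": 0.3},
    "office_pc":      {"historian": 0.5, "engineering_ws": 0.2},
    "vendor_vpn":     {"engineering_ws": 0.7},
    "historian":      {"scada_server": 0.4},
    "engineering_ws": {"scada_server": 0.8},
    "scada_server":   {"substation_rtu": 0.9},
    "substation_rtu": {},
}

def most_likely_path(graph, source, target):
    """Return (probability, path) for the path most likely to succeed.
    Maximising a product of p equals minimising sum(-log p): Dijkstra."""
    best = {source: 0.0}
    queue = [(0.0, source, [source])]
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == target:
            return math.exp(-cost), path
        if cost > best.get(node, math.inf):
            continue  # stale queue entry
        for nxt, p in graph.get(node, {}).items():
            if p <= 0.0:
                continue  # a control has made this step impossible
            new_cost = cost - math.log(p)
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                heapq.heappush(queue, (new_cost, nxt, path + [nxt]))
    return 0.0, []  # target unreachable

def with_control(graph, src, dst, new_p):
    """Copy of the model with one step hardened (the 'design a fix' stage)."""
    fixed = {n: dict(edges) for n, edges in graph.items()}
    fixed[src][dst] = new_p
    return fixed

def retest():
    """Score the design, harden the weakest route, then score it again."""
    before = most_likely_path(GRID, "internet", "substation_rtu")
    hardened = with_control(GRID, "vendor_vpn", "engineering_ws", 0.05)
    return before, most_likely_path(hardened, "internet", "substation_rtu")

if __name__ == "__main__":
    for label, (p, path) in zip(("before", "after"), retest()):
        print(f"{label}: p={p:.4f} via {' -> '.join(path)}")
```

Hardening the vendor VPN route does not end the analysis: the re-test surfaces the office-to-historian route as the new most likely path, which is why the fix and the test are run as a loop.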
This approach means energy companies can confidently install smart grid systems, cracking the chicken-egg conundrum. However, it’s important to note that this is not a replacement for reactive cyber security as it’s not a system to fight intruders. Instead, the two types of security should be seen as symbiotic, feeding into one another.
How can you fireproof when you’re busy fighting fires?
So, the technology is there; the will to invest in security is there, so that’s everything in place, right?
Actually, there’s one more structural barrier to how cyber security is addressed in energy organisations.
It’s great to see dedicated budgets and teams emerge to take cyber security seriously, as we have over the last few years. However, as with any team, resources are limited. There’s a finite amount of time and money to spend.
This is a problem, not necessarily because the budgets are too low, but because their attention is entirely tied up with reacting to threats with fire fighting.
Someone spots a vulnerability that needs to be patched. Then there’s a malware alert to deal with. Then there’s a new virus going around that they need to ensure they’re protected against. It’s never-ending.
In these circumstances, it’s extremely difficult for cyber security teams to carve out time to strategically invest in proactive systems. When there’s always another fire to fight, how do you make time for fireproofing?
What’s needed are separate departments or teams within one cyber security department with their own budgets completely focussed on reactive and proactive cyber security respectively. Obviously they will need to work closely together, but this will ensure that utilities can fireproof as well as firefight.
It’s a fairly big ask: it’s already difficult for energy companies to find and invest in cyber security, especially with top talent so scarce. However, the smart grid is a big project, and its security a big priority. At least, though, there’s a way out of that infuriating conundrum of which needs to come first, the chicken or the egg: proactive smart grid cyber security design.
Dr. Arshad Saleem is the technology expert for smart grids and energy storage at InnoEnergy, a publicly funded but commercially-minded European organisation that looks to help the next generation of energy innovations in Europe that will contribute to a cleaner, more secure grid.
He obtained a Ph.D degree in electrical power engineering from Technical University of Denmark in 2010. Prior to joining InnoEnergy he worked in industry and academia in Denmark, USA and Sweden. At InnoEnergy, he works with innovation projects and startup companies on technology, business models and market expansion.
Robert Lagerström is an associate professor at KTH Royal Institute of Technology, Stockholm Sweden. His topics of interest include cyber security, enterprise architecture and software applications portfolio complexity. He is responsible for the IT management with enterprise architecture education at KTH. In addition, he supervises Ph.D students and master thesis projects.
Robert has written more than 50 academic publications (journals, conferences, and workshops) and is a co-author of the books IT Management with Enterprise Architecture, and Enterprise Architecture: Models and Analyses for Information Systems Decision Making. Robert is one of the founders and board members of the KTH spin-off proactive cyber security company Foreseeti AB. He has been a member of the Young Academy of Sweden since 2016.