Girding the grid for cyber attacks

- The future of the U.S. energy grid is at a crossroads.

Energy grids and power distribution systems face a number of daunting challenges. One of the most critical is the ability to respond to changing variables in real-time. Meanwhile, the energy industry is often slow to implement new technology that optimizes energy consumption and bolsters the power grid from electronic intrusion.

Energy generation, supply, consumption, distribution and security pose numerous high-tech challenges. Every change in these components requires the execution of sophisticated analytics to predict the downstream or upstream impact and the required actions to re-balance the network. In addition, the ever-increasing number of nodes on the energy network provide new potential security holes, which need to be monitored and managed.

"It is critical that any legislation to secure the electric grid include proper identity assurance. This will ensure that even successful hackers/intruders are curtailed at every access point and an audit trail created should an intrusion occur. Identity assurance limits access and accessibility, and the standards already exist," Dominic Fedronic, CTO of ActivIdentity and chairperson of the GlobalPlatform Government Task Force (GTF), told TechNewsWorld.

At least some of what Fedronic called for may be in the works. Last month, the North American Electric Reliability Corporation's (NERC) independent board of trustees approved eight revised cybersecurity standards for the North American bulk power system.

This action represents the completion of the first phase of the NERC's cybersecurity standards revision work plan, which was launched in July 2008. Work continues on phase two of the revision plan, with new standards already under development, according to the NERC.

The standards comprise some 40 good housekeeping requirements designed to lay a solid foundation of security practices. If properly implemented, the energy industry will develop the capabilities needed to secure critical infrastructure from cybersecurity threats, according to the NERC. Roughly half of those requirements were modified to clarify or strengthen the standards in this initial phase.

These revisions begin to address the concerns the Federal Energy Regulatory Commission (FERC) raised in its Order No. 706, according to the NERC. That order conditionally approved the standards currently in effect.

Organizations that violate the standards can be fined up to $1 million per day per violation in the U.S., with other enforcement provisions in place throughout much of Canada. Audits for compliance with 13 requirements in the cybersecurity standards currently in effect will begin on July 1.

"The approval of these revisions is evidence that NERC's industry-driven standards development process is producing results, with the aim of developing a strong foundation for the cybersecurity of the electric grid," said Michael Assante, vice president and chief security officer at the NERC.

The NERC expects to act on the revisions for phase two in early 2010, according to Assante.

However, he cautioned that these standards are not designed to address specific, imminent cybersecurity threats. For that, direct legislative action is needed.

"We firmly believe carefully crafted emergency authority is needed at the government level to address this gap," he said.

However, critics say the NERC's action in revising the standards for grid cyber-protection may be falling short. It will take more stringent action to make the energy grids more dependable and secure, according to their arguments.

"Just as all critical infrastructure government systems are subjected to best practice security hardening, the energy grid cannot be an exception. Hardening includes securing network access with firewalls, applying intrusion detection, protecting critical applications with strong authentication and TLS (transport layer security), equipping personnel with FIPS 201 PIV credentials and requiring strong authentication through VPNs for any remote access," ActivIdentity's Fedronic said.

The NERC's revisions are falling short, agreed JT Keating, vice president of marketing for security firm CoreTrace. Critical Infrastructure Protection (CIP) requirements are driving utilities' implementation of alternative solutions, like application whitelisting, designed to stop malware and prevent unapproved applications installed by employees and contractors, he explained.

"Despite months of work, the only notable change to these particular CIPs was a slightly expanded definition of which assets need to be protected against malware.

Fundamentally, the CIPs need to be changed to reflect their actual purpose, preventing the execution of any unauthorized code, rather than prescribing specific technologies — especially technologies that are completely inconsistent with the operational realities of energy management systems and distributed control systems that are the core of the critical infrastructure," Keating told TechNewsWorld.

With much of the energy industry relying on the Internet, concern has been raised about the potential for security exploitation, especially considering the popularity of active (and sometimes vulnerability-ridden) content on Web sites.

"There was not much active content five years ago. The Internet carried not much more than simple HTML and Java coding. Today that is too boring. Today any browser can bring down active content. This is the biggest threat today," Jay Chaudhry, CEO of cloud security firm Zscaler, told TechNewsWorld.

The concern isn't so much with the security or lack thereof with Microsoft Windows so much as the vulnerability of the browser, he explained. The energy grid is threaded across the Internet. Workers access this grid from within physical plants as well as remotely, making a common security bridge.

"The browser has become the new OS for desktops. They are more powerful and can do so much more. That combination is very deadly," said Chaudhry.

He likened using the Internet to using a kitchen knife — it's a good tool when used right and a dangerous weapon when used wrong, he said.

The entire system needs better authentication to regulate those who log onto the systems that regulate the grid, according to Chaudhry. Power grid management programs are old and in many cases need to be upgraded, he noted.

"This is a tough job. Upgrading is often delayed due to complacency and complexity," said Chaudhry.

Some security firms focus on products to provide a single access control point. Others preach the benefits of multiple access.

Single control is both good and bad, Chaudhry believes. Nothing is wrong with multiple control agencies; what is more important is knowing who is running on the grid and managing it and whether the bad guy is being spotted, he argued.

"The problem is multifaceted. The industry needs to figure out where to start. Not much is being done yet," he said.

Energy grid engineers are looking ahead to transition into a type of infrastructure known as a "smart grid" — in other words, a power grid that not only delivers energy but also communicates data to both users and operators.

One problem a smart grid addresses is the need to optimize traditional energy sources and integrate new sources of energy from new suppliers like wind generators, water dams, etc., according to John Morrell, vice president of product marketing at Aleri. His company develops complex event processing (CEP) technology solutions.

"Companies are looking to create a smarter energy grid. This is a real interesting area. With today's economy, people are going in with economic stimulus funds. The problems that need fixing can take two to four years to solve," Morrell told TechNewsWorld.

Infrastructure issues include smart metering technology. These new types of meters are gradually being installed at customer locations. However, the huge volume of data they generate largely goes unused by many companies, he explained.

For instance, many energy companies aren't currently convinced about how reliable the data is and haven't determined how to use it. The data about all of the dynamics associated with energy distribution and consumption flows like water from a fire hose.

"Even basic business issues such as overcharging or undercharging customers can occur due to lack of familiarity with the new technology," he said.

Smart meters could give energy users the ability to reduce their consumption more reliably and provide more dependable billing cycles. Customers that agree to these opt-in programs could get much better energy rates. Energy companies could send alerts to heavy consumers. This would help consumers monitor the causes of excessive consumption, according to Morrell.

"Another benefit is the cost effectiveness. There won't be a need to read meters every other month. This technology is out there. Companies are learning how to use it," he said.

The smart grid requires that both production and distribution centers be secured. End-user end-points must be ultimately as secure as any other access point in the grid, according to Fedronic.

Secure terminals will have to be created. It makes sense to equip these terminal points with certified security chips that can operate cryptographic algorithms, he noted.

"With secure terminals using certified security chips and operating cryptographic algorithms, cybersecurity easily moves to immediate capabilities of analysis, isolation and elimination. Today, through strong authentication methodologies of varied types, users or machines can be suspended in action and access shut down in seconds at the first alert to any inconsistency or any pre-set parameters," Fedronic explained.