In a recent series of conversations with people versed in the space of evolving the existing grid into the Smart Grid, I have been frustrated by the apparent disconnect that exists between the accepted standard practices among the IT and Internet security communities and the current state of the art, or education, or experience, among many of the implementers and advocates of grid advancement. It really made little sense to me, inasmuch as we have been working on these challenges and their resolution for more than 20 years. How is it possible that the most critical of all of our infrastructures, our electrical power, was not leading the charge for more and better IT security? It only made sense that the builders of the world's largest, most complex, and most important system would be the titans to tackle the thorniest challenge: securing it. So no bullies allowed.
"Why Are Utilities So Far Behind Banks and Retailers and Even the Government (gasp) in IT Security?"
This is a question we have seen published openly, and heard as an undertone in examinations of cyber incidents on the grid. While it feels like the truth, this type of characterization is not really fair.
Utilities are very different from most businesses because their smooth operation is not a differentiator, it is a requirement. You can see this in the regulations which drive utility policies, most of which state clearly that "reliability" is the goal, while "security" is usually, and conspicuously, absent.
Most commercial concerns, and even the government, are investing constantly in new information technology to connect and capitalize on their relationships with clients and communities, with goals of scale, or sharing, or speed. Leading or "bleeding" edge adopters are making an educated bet that new technologies will bring them new goodness in terms of revenue, image, cost-savings, or growth, and security is a necessary drag-along to implement them. We need to remember that many industries, like banks, are mainly software and software operations firms now, since the money, or the transaction, or the data, is largely stored in 1's and 0's, not in vaults. Retailers or the Registry of Motor Vehicles are trying to find ways to increase the ease and speed of your transaction while reducing the cost of executing it. Again, security comes as a cost for these groundbreaking changes in the customer/provider relationship.
Mother May I?
First off, because it is such a basic and foundational commodity in our lives, and one that is so expensive to create in bulk, electricity is a highly regulated institution. Were it not, years ago the unscrupulous would have capitalized on the customer base and bankrupted it. In the period before the creation of the Rural Electrification Administration by Franklin Roosevelt in 1935, rural farmsteads were extremely underserved because of the prohibitive cost and lack of profitability. Individual farmers would be forced to pay for their own connections, to the tune of $20,000 in today's dollars, after which the utility would own the constructed lines. The REA changed this, but it also introduced a group of new federal and local regulating bodies. Even today, if a utility wants to institute a new program or policy, it needs to justify that investment to regulators, who represent the ratepayers who will ultimately have to bear the upfront and operational costs of any improvements. While this clearly complicates any major investment, it makes more granular and speculative investments (like securing grids against attackers that haven't been widely seen yet) downright impossible, as ratepayers would be asked to pay more money for the same power that they have been receiving right along, and would likely see only minimal positive impact over a long period of time.
Stability vs. Agility
At this point, it is useful to think about another rationale for the lack of progress on some of these more advanced IT fronts prior to the Smart Grid's introduction. The question is a simple one: "Why?" Why should they have been integrating new technologies over the previous decades? Frankly, the power has stayed on pretty well in the main. Each year has brought its occasional blackouts, but nothing so significant that the world could find substantial fault in the current underlying architectures and tools. Given that, once again, how would one justify any massive funding to achieve growth and cost-savings? Lacking this, there is no substantial pull in the market to incorporate groundbreaking IT, and there is certainly nothing like the competitive technical blood-letting that has defined the competition between retailers, between banks, between media firms, and among government organizations. No pull, no motion. Like a train.
Experts and Expertise
There is a lack of knowledge about utility implementations that is rife outside of the E&U market, and a comparable lack of comprehensive knowledge of the coming overlaps with advanced IT within the E&U market. The complex and largely proprietary systems that have evolved to service the growing market for power have bred their own priests and priestesses who can conjure the connections between sensors and centralization, and between remote units and controllers. This is a very different skill from weaving a consistent pattern of routers, hubs, and access controls. These control networks are the "backbones" that create the possibility of reliable power, and while security is most definitely a requirement, it has meant something very different until recently. Where Internet and IT teams are looking at understanding likely breaches, utility teams have sought out likely failures. Where utilities are focused on uptime and reliability, Internet and IT are concerned with fraud, theft, and corruption. So it is understandable that there are not many who are expert in one area who have also had the time, inclination, and opportunity to be similarly skilled in the other. With no money for the new technology, and no one asking for it, there is unlikely to be any organic development of people with the overlapping skill set.
Jack Danahy and Andy Bochman are authors of the Smart Grid Security Blog.
© 2012 SmartGridNews