The 3 kinds of cybersecurity every utility needs (and a reference architecture you need to know about)
By Brian Smith
It is no secret that cybersecurity related to smart grid systems and deployments has garnered much attention over the past several years. Much of it has been and still is negative in the form of criticism that the industry as a whole is not doing enough to address cybersecurity. While most utilities today agree on the need to secure these systems and are actively working to do so, the debate of the adequacy of the industry’s efforts is not likely to subside anytime soon.
One of the drivers in this debate is the degree to which the various utility systems employed today are integrated and interconnected and the fact that these systems will be more so interconnected in the future. As their infrastructure has evolved over the years, utilities have become well versed in system design. Requirements are developed and systems are designed, built, and tested to validate that they meet these requirements. Once operational, they system(s) remain relatively unchanged until the need to modify, upgrade, or replace them is justified by identifying new or changing requirements, usually in the timeframe of months or even years. It’s a model that the electric utility industry understands well.
The challenge with cybersecurity and smart grid
The challenge with cybersecurity and smart grid is that there is no finish line, at least not one that remains constant throughout the life of the system being protected. Adversaries and threats evolve constantly and new vulnerabilities can be discovered at anytime which means that for cybersecurity, the system requirements are always changing to a certain extent. On one hand, there have been many technical solutions developed or customized for the smart grid environment which has lead to tangible improvements. On the other hand, the industry’s ability to evolve and deploy solutions struggles to keep pace with these threats.
While these are legitimate security controls for more business centric systems, they fall short of the mark when trying to mitigate risks to control systems which in turn translates to risks to the stability of the real-time process; generating, transmitting, and distributing electric power in this case. To be effective in control systems supporting Smart Grid functions, Detective and Corrective security controls need to be invoked as soon as possible from the start of the event.
All three security control types are utilized together to form an effective defense. If a security control to prevent an event is ineffective or cannot be deployed in a timely manner, then there must be a mechanism in place to detect that an event is happening as quickly as possible. Detecting an event in progress many times is not enough so there must also be corrective mechanisms in place to react to the detected event. The key for electric utilities is that they need all three types of security controls in Smart Grid deployments implemented in a manner that creates an agile defense.
One key aspect of attaining this improved cyber defense agility is information sharing. EnerNex is fortunate enough to be participating in the Situational Awareness Reference Architecture (SARA) pilot project lead by the folks at the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). One of the key components of the SARA project is fostering the adoption of automated Machine-to-Machine knowledge sharing. The notion that a trusted source can share threat information tailored for the utility control systems environment and have that information automatically downloaded and available to the utility’s monitoring systems in real-time or near real-time is a powerful concept and those of you who may not be familiar with the SARA pilot will find it worthwhile to check out.
Brian Smith is a Principal Consultant on the Smart Grid Engineering team at EnerNex. He provides utilities with cyber security and systems engineering support for smart grid areas such as substation and distribution automation, AMI and other utility convergence and infrastructure applications. He has over 23 years of experience in the electric utility field and his areas of expertise include substation automation, utility communications, integration, Supervisory Control and Data Acquisition (SCADA), Energy Management Systems (EMS) and teleprotection applications. He also has experience with a range of communications and protocol technologies.