Weâ€™re not doing enough about security: But what SHOULD we do?
By Doug Peeples
In the first article in our Next Next Thing series, industry professionals contributed their thoughts and recommendations on how to manage and wring the most value from Big Data from a variety of perspectives. Now we turn our attention to cybersecurity and physical security, which has become a sore spot for many utilitiesâ€¦ to put it mildly.
Steady criticism has zeroed in on how utilities have been handling cyber and physical security in their operations for some time, and it seemed to begin when stimulus funding launched a flurry of smart grid projects, like advanced metering, and programs in 2009. Even then, critics were warning that security needed to be built in from the outset, not bolted on later as an afterthought. And the criticism continues from several sources: stakeholders, policy makers, standards organizations and companies, as well as regulators. They say utilities arenâ€™t doing enough to guarantee grid security and stability, donâ€™t know enough about how to implement top notch security programs or simply arenâ€™t interested or committed enough to make meaningful progress.
As if that wasnâ€™t enough, alarming reports of security threats and attacks accelerating at a frightening pace in terms of numbers of attacks and their sophistication have cranked up the heat so much more.
So obviously, security isnâ€™t a new issue. And it may not sound like a candidate for the Next Next Thing which, as we explained earlier, is that technology, development, advance or new wrinkle in smart grid evolution thatâ€™s waiting just over the horizon. But itâ€™s quite possible that a working solution, a way to ensure the best, strongest and most effective security possible could be just that.
So, what do we do about it?
Two of our contributors believe the solution to effective cyber and physical security can only be achieved if itâ€™s a team effort, a collaboration.
As Kim Getgen, marketing VP for Tollgrade Communications, put it, â€œThe utility industry is not the first that has had to look at changing â€˜business as usualâ€™ to thwart cyber threats. The financial services industry in particular comes to mind. One of the most effective things they did was begin to share data about threats within their community. So, financial institutions who traditionally saw each other as competitors leanred they had to cooperate to fight these threats effectively.
â€œI think data sharing about threats across utilities and with the right law enforcement agencies will be the only way weâ€™ll successfully respond to the sophisticated nature of the threats as the grid becomes more networked.â€
The utility sector is unique
While numerous industries and institutions face security threats, Stephen M. Diebold, senior director for product management, Advanced BI Solutions, at Ventyx, sees utilities as different. â€œThe electric utility sector is unique in the reliance of Asset Owners and Operators (AOO) upon each other in order to support the electric grid. So the security issue must be addressed by all AOO to the same level of defensive posture. The weakest link applies here. One of the easiest and most cost-effective steps is to sign up at NERCâ€™s Electricity Sector â€“ Information Sharing and Analysis Center (ES-ISAC). This center establishes situational awareness, incident management, coordination, and communication capabilities within the electricity sector through timely, reliable and secure information exchange. The ES-ISAC enhances the ability of AOO to prepare for and respond to cyber and physical threats, vulnerabilities and incidents.â€
Balu Ambady, director of security for Sensus, also has some nuts and bolts advice for utilities to consider now, and for the future. â€œWorms, viruses, malware, hackers, disgruntled employees and innocent mistakes â€“ all of the risks faced by enterprise networks and the Internet â€“ could be considerations for utility networks as well. Even as standards evolve, utilities can take a lead from the enterprise network world and apply proven methods for multi-layered security, from physical controls to encryption to virtual private networking, vendor security certifications and more.
â€œThe good news is that network developers and operators have a broad range of security options available, from firewalls to encryption to using third party certified AMI vendors. By using multiple security approaches in tandem, organizations can create a multi-layered security scheme appropriate for the critical nature of AMI communications.â€
Schneider Electricâ€™s Andrew Bennett, senior VP, Energy, summed up the issues nicely, and cast yet another vote for collaboration. He also identified why physical and cybersecurity could become the Next Next Thing. â€œCybersecurity is the monster issue of our time and it cannot be resolved if we wait for the â€˜other guyâ€™ to address it. Best practices change almost weekly as threats become more sophisticated. Attack vectors could range from a direct attack on a control room to a virus uploaded from an electric vehicle to the grid through its charging equipment. It is not feasible to prevent all such attacks, but it is very important to identify attacks quickly and to know how to respond.
â€œIt is not realistic to place the onus on one industry. This is an issue of national security that needs the attention of the kind of public-private partnerships that brought the Internet to fruition in the first place.â€
Miss the first installment in our Next Next Thing series? You can read it hereâ€¦