Security 'chaos' leaves utility grids vulnerable, report says

An aging infrastructure, a lack of standards and inadequate spending have left the security of critical global utility grids in a “state of near chaos,” according to a recent white paper from Pike Research. In one example, it shows how a $60 smart-phone app could enable an attack.

“The attackers clearly have the upper hand,” says the paper on "Utility Cyber Security."

Increased awareness of and spending on control system security provides one bright spot in the picture, as utility systems, and particularly power grids, are becoming increasingly automated and networked.

Related stories:

Secure the smart grid or face 'serious consequences,' Chu says

Top 6 hurdles to securing a smart grid

Although the report describes cybersecurity of utilities a global problem, it points out that there is no single global infrastructure. Regional differences in the technologies deployed will define attack surfaces, threats and trends that are specific to each region and will continue to define regional investments in security.

Much of the attention in development of the smart-grid electric transmission and distribution system now being developed and deployed has been on security end-point technology, including smart meters that enable two-way communications between distributors and consumers. But the critical role and vulnerability of industrial control systems have become apparent in the last year, thanks in part to the discovery of Stuxnet, which sabotaged Iranian uranium processing equipment.

“Stuxnet was a mission and not simply a piece of malicious code,” the report says. “It was not detected until after it had accomplished its purpose and, most likely, evaded detection for more than a year after its release. Few utilities, vendors or analysts are willing to discuss that even more sophisticated attacks may now be in process, which, so far, have completely evaded detection.”

The concern is likely to spur spending in this area. In North America, annual spending on ICS security is forecast to go from a few million dollars in 2011 to about $750 million in 2018.

Spending is hampered by a lack of enforceable government or industry standards for security.

In the United States, the National Institute of Standards and Technology has produced a final set of guidelines for a smart-grid security architecture in its “Interagency Report 7628, Guidelines for Smart Grid Cyber Security.” The three-volume guidelines provide a framework for developing effective cybersecurity strategies to address smart grid-related characteristics, risks and vulnerabilities. The methods and supporting information can be used to assess risk and identify appropriate security requirements.

These and other publications provide well-thought-out guidance, the Pike report says, but none of the guidelines is an enforceable standard and each takes pains to point out that it is a series of recommendations and not a baseline for audit or certification.

“This lack of enforceable requirements leads to a scene of mass chaos in utility cybersecurity,” the report says. “Many utilities – as with large companies in any industry – will only invest in cybersecurity when financial punishment for not investing is threatened, similar to failing an audit and being fined.”

Industrial control and supervisory control and data acquisition (SCADA) systems are part of an aging infrastructure that complicates securing any utility grid. The longevity of legacy systems deployed in infrastructures makes architecting a secure grid difficult, the report says. “SCADA networks must support a mix of old and new, possibly for another 30 years until all the old devices’ service lives have run their course.”

Hardening components of grids is not enough to secure the entire infrastructure, the report says. Because the networks are not architected for security, attackers can seek and attack a weak link. The report gives an example of a $60 smart-phone app that could reach a Wi-Fi-enabled SCADA device, potentially giving an outside attacker control over parts of the system via an inside path.

The report does identify five promising trends in grid cybersecurity:

  • Use of multi-factor authentication:  This can help ensure that stolen passwords are not enough to compromise the network.
  • Control network isolation: Network traffic from enterprise networks to control networks should be limited to the absolute minimum necessary to manage the control network.
  • Application whitelisting: Whitelisting software records a list of permitted actions on a host and allows nothing else, and normally is faster, requires less updating and less computing power than blacklisting.
  • Data encryption: This makes data unreadable and prevents man-in-the-middle attacks against smart-grid networks.
  • Security event logging and correlation: Event correlation in control networks requires a view into the data, rather than just its wrapper. Control system traffic that is perfectly formatted and follows all the rules of the network can still contain malicious set points or other data designed to destabilize a control network.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • NIST cloud-based storefront

    NIST wants to consolidate its e-commerce in a Salesforce cloud

Reader Comments

Mon, Dec 5, 2011 SoutheastUS

Communication paths should definitely be encrypted for all control signals passing outside of a local, hardwired, control network. Authentication definitely needs beefing up. Even though it may complicate initial configuration and set-up, linking controls wirelessly only to known good electronic serial numbers, MAC addresses, etc. would reduce the potential for attack. I said reduce, because if the signal is not encrypted, packet sniffing could allow the discovery of the IDs of the allowed devices, which could then be "spoofed", allowing an attack. Industrial sabotage has a high enough economic impact that it attracts very cunning criminals. It won't be easy to prevent attacks.

Fri, Nov 25, 2011

At the risk of sounding like a broken record, why are critical systems even visible from public internet?

Thu, Nov 17, 2011

This would seem an ideal time for utilities to get ahead of the curve by investing in intel-driven people and programs. Those that don't are only increasing their exposure.

Wed, Nov 16, 2011

My concern here is we are creating the smart grid ultimately to save money and now we have to spend $750 million annually in 2018 and assumably beyond to keep them safe. How does this expenditure figure into the money saving equation?

Wed, Nov 16, 2011 robert

I read through the document and it never says what the $60 application is but it does use an iPhone in their drawing. Other than causing legal problems for not properly referencing this trademarked image, saying something is threatening SCADAs then not referencing what that application is is common FUD tactics. If an iPhone can do it, so can any laptop so what's the point of singling out an iPhone? Or did you think Samsung phones look close enough to iPhones so the image was a generic cell phone?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group