The emergence of stealthy advanced threats targeting critical systems raises the stakes in trusting our energy system to IP networks.
Standards for enabling an interoperable, interconnected electric energy system are emerging at a time when the appearance of a new class of threats is changing the way we think about cybersecurity.
There is an assumption that systems and networks already are or will be compromised and a growing emphasis on responding to rather than preventing breaches. C-level executives attending a recent discussion convened in Washington by RSA and TechAmerica concluded that advanced persistent threats are a new fact of life and that organizations should assume that they already have been or will be breached.
“If someone really has you in their sights, they’ve got you,” said Tim Roxey, director of risk assessment at the North American Electric Reliability Corp., which issued alerts about two new threats to power distributors this summer.
This is the new landscape in which the nation is moving one of the most critical elements of its infrastructure — the electric energy grid — to a next-generation network that will enable the two-way flow of information and energy. Standards for security are being developed along with standards for interoperability. But if officials are being forced to concede they cannot keep out a determined attacker, how do we ensure the security of our power system?
"I am concerned,” said Dick DeBlasio, chief engineer at the Energy Department’s National Renewable Energy Lab, who also is chairman of an Institute of Electrical and Electronics Engineers working group that develops smart-grid standards. The working group wrestled with the security question while developing an interoperability reference model for Energy's smart grid. “It was tough,” DeBlasio said, and in the end, “it wasn’t something we could answer.”
The short answer is that there are no assurances of security in a system as complex and expansive as a smart grid. There will be too many endpoints to ensure isolation from the Internet — too many doors, windows and cracks to ensure that a targeted threat does not get through.
However, DeBlasio is optimistic about the smart grid. The cooperation of multiple disciplines, including power systems, communications and IT, in developing standards makes him confident that the system can be made safe, if not secure.
If the grid cannot be made impervious to attacks, it is all the more important that it be fault-tolerant, resilient and transparent. Fault tolerance will allow it to work around problems and bypass damaged or malfunctioning sections without bringing down the whole grid or even large sections of it. Resilience will be needed to spring back from the problems once they have been identified and isolated.
Perhaps most important, transparency will allow visibility into the system so that if — or when — malicious code is executed and it interferes with the generation or flow of power or information, the anomaly can be immediately detected. This is a tough job. The Stuxnet worm apparently was able to hide the damage it was doing to centrifuges in an Iranian uranium processing plant until the damage was done. Stuxnet has at least demonstrated that we cannot depend on nominal displays of system activity to identify anomalous behavior.
In the end, we most likely will need to set our eyes on having a grid that is good enough, not perfect. DeBlasio is confident that we can do that. “The best thing we can do is get better at what we do,” he said.
NEXT STORY: When mobile meets 911, it's often hit or miss