In one example, Pike Research shows how a $60 smart-phone app could give an attacker control over parts of a power grid. But what is being done about it?
An aging infrastructure, a lack of standards and inadequate spending have left the security of critical global utility grids in a “state of near chaos,” according to a recent white paper from Pike Research. In one example, it shows how a $60 smart-phone app could enable an attack.
“The attackers clearly have the upper hand,” says the paper on "Utility Cyber Security."
Increased awareness of and spending on control system security provides one bright spot in the picture, as utility systems, and particularly power grids, are becoming increasingly automated and networked.
Although the report describes cybersecurity of utilities a global problem, it points out that there is no single global infrastructure. Regional differences in the technologies deployed will define attack surfaces, threats and trends that are specific to each region and will continue to define regional investments in security.
Much of the attention in development of the smart-grid electric transmission and distribution system now being developed and deployed has been on security end-point technology, including smart meters that enable two-way communications between distributors and consumers. But the critical role and vulnerability of industrial control systems have become apparent in the last year, thanks in part to the discovery of Stuxnet, which sabotaged Iranian uranium processing equipment.
“Stuxnet was a mission and not simply a piece of malicious code,” the report says. “It was not detected until after it had accomplished its purpose and, most likely, evaded detection for more than a year after its release. Few utilities, vendors or analysts are willing to discuss that even more sophisticated attacks may now be in process, which, so far, have completely evaded detection.”
The concern is likely to spur spending in this area. In North America, annual spending on ICS security is forecast to go from a few million dollars in 2011 to about $750 million in 2018.
Spending is hampered by a lack of enforceable government or industry standards for security.
In the United States, the National Institute of Standards and Technology has produced a final set of guidelines for a smart-grid security architecture in its “Interagency Report 7628, Guidelines for Smart Grid Cyber Security.” The three-volume guidelines provide a framework for developing effective cybersecurity strategies to address smart grid-related characteristics, risks and vulnerabilities. The methods and supporting information can be used to assess risk and identify appropriate security requirements.
These and other publications provide well-thought-out guidance, the Pike report says, but none of the guidelines is an enforceable standard and each takes pains to point out that it is a series of recommendations and not a baseline for audit or certification.
“This lack of enforceable requirements leads to a scene of mass chaos in utility cybersecurity,” the report says. “Many utilities – as with large companies in any industry – will only invest in cybersecurity when financial punishment for not investing is threatened, similar to failing an audit and being fined.”
Industrial control and supervisory control and data acquisition (SCADA) systems are part of an aging infrastructure that complicates securing any utility grid. The longevity of legacy systems deployed in infrastructures makes architecting a secure grid difficult, the report says. “SCADA networks must support a mix of old and new, possibly for another 30 years until all the old devices’ service lives have run their course.”
Hardening components of grids is not enough to secure the entire infrastructure, the report says. Because the networks are not architected for security, attackers can seek and attack a weak link. The report gives an example of a $60 smart-phone app that could reach a Wi-Fi-enabled SCADA device, potentially giving an outside attacker control over parts of the system via an inside path.
The report does identify five promising trends in grid cybersecurity:
- Use of multi-factor authentication: This can help ensure that stolen passwords are not enough to compromise the network.
- Control network isolation: Network traffic from enterprise networks to control networks should be limited to the absolute minimum necessary to manage the control network.
- Application whitelisting: Whitelisting software records a list of permitted actions on a host and allows nothing else, and normally is faster, requires less updating and less computing power than blacklisting.
- Data encryption: This makes data unreadable and prevents man-in-the-middle attacks against smart-grid networks.
- Security event logging and correlation: Event correlation in control networks requires a view into the data, rather than just its wrapper. Control system traffic that is perfectly formatted and follows all the rules of the network can still contain malicious set points or other data designed to destabilize a control network.