Security 'chaos' leaves utility grids vulnerable, report says

In one example, Pike Research shows how a $60 smart-phone app could give an attacker control over parts of a power grid. But what is being done about it?

An aging infrastructure, a lack of standards and inadequate spending have left the security of critical global utility grids in a “state of near chaos,” according to a recent white paper from Pike Research. In one example, it shows how a $60 smart-phone app could enable an attack.

“The attackers clearly have the upper hand,” says the paper on "Utility Cyber Security."

Increased awareness of and spending on control system security provides one bright spot in the picture, as utility systems, and particularly power grids, are becoming increasingly automated and networked.


Related stories:

Secure the smart grid or face 'serious consequences,' Chu says

Top 6 hurdles to securing a smart grid


Although the report describes cybersecurity of utilities a global problem, it points out that there is no single global infrastructure. Regional differences in the technologies deployed will define attack surfaces, threats and trends that are specific to each region and will continue to define regional investments in security.

Much of the attention in development of the smart-grid electric transmission and distribution system now being developed and deployed has been on security end-point technology, including smart meters that enable two-way communications between distributors and consumers. But the critical role and vulnerability of industrial control systems have become apparent in the last year, thanks in part to the discovery of Stuxnet, which sabotaged Iranian uranium processing equipment.

“Stuxnet was a mission and not simply a piece of malicious code,” the report says. “It was not detected until after it had accomplished its purpose and, most likely, evaded detection for more than a year after its release. Few utilities, vendors or analysts are willing to discuss that even more sophisticated attacks may now be in process, which, so far, have completely evaded detection.”

The concern is likely to spur spending in this area. In North America, annual spending on ICS security is forecast to go from a few million dollars in 2011 to about $750 million in 2018.

Spending is hampered by a lack of enforceable government or industry standards for security.

In the United States, the National Institute of Standards and Technology has produced a final set of guidelines for a smart-grid security architecture in its “Interagency Report 7628, Guidelines for Smart Grid Cyber Security.” The three-volume guidelines provide a framework for developing effective cybersecurity strategies to address smart grid-related characteristics, risks and vulnerabilities. The methods and supporting information can be used to assess risk and identify appropriate security requirements.

These and other publications provide well-thought-out guidance, the Pike report says, but none of the guidelines is an enforceable standard and each takes pains to point out that it is a series of recommendations and not a baseline for audit or certification.

“This lack of enforceable requirements leads to a scene of mass chaos in utility cybersecurity,” the report says. “Many utilities – as with large companies in any industry – will only invest in cybersecurity when financial punishment for not investing is threatened, similar to failing an audit and being fined.”

Industrial control and supervisory control and data acquisition (SCADA) systems are part of an aging infrastructure that complicates securing any utility grid. The longevity of legacy systems deployed in infrastructures makes architecting a secure grid difficult, the report says. “SCADA networks must support a mix of old and new, possibly for another 30 years until all the old devices’ service lives have run their course.”

Hardening components of grids is not enough to secure the entire infrastructure, the report says. Because the networks are not architected for security, attackers can seek and attack a weak link. The report gives an example of a $60 smart-phone app that could reach a Wi-Fi-enabled SCADA device, potentially giving an outside attacker control over parts of the system via an inside path.

The report does identify five promising trends in grid cybersecurity:

  • Use of multi-factor authentication:  This can help ensure that stolen passwords are not enough to compromise the network.
  • Control network isolation: Network traffic from enterprise networks to control networks should be limited to the absolute minimum necessary to manage the control network.
  • Application whitelisting: Whitelisting software records a list of permitted actions on a host and allows nothing else, and normally is faster, requires less updating and less computing power than blacklisting.
  • Data encryption: This makes data unreadable and prevents man-in-the-middle attacks against smart-grid networks.
  • Security event logging and correlation: Event correlation in control networks requires a view into the data, rather than just its wrapper. Control system traffic that is perfectly formatted and follows all the rules of the network can still contain malicious set points or other data designed to destabilize a control network.
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.