Smart meters, smart grids, smart distributed energy resources (DERs), smart energy management, and demand response technology connected to a host of customer systems, smart chargers, and energy storage controls, and the list of mind-numbingly capable technologies we are incorporating into our interconnected electrical networks goes on. A common thread is all these systems communicate in some fashion with other parts of the network; many also generate, use, and share large quantities of data. As our electric infrastructure and the flow of energy as well as data becomes more complex and distributed, can we maintain control of the safety and security of these systems?
CapitalOne thought their security was sound. So did Equifax, J.P Morgan Chase, and others. The CapitalOne data breach discovered last month resulted in compromised data for roughly 100 million U.S. customers as well as 6 million customers in Canada. The Equifax breach uncovered in 2017 affected personal information of 145 million Americans. And the list goes on with at least 15 major breaches affecting millions of people who provided confidential information to major financial, health, and other institutions. If such major institutions whose businesses evolve around collecting and safeguarding confidential information cannot prevent breaches, are the increasingly digital electric industry and their customers just breaches waiting to happen?
The potential market for cybersecurity in the energy sector has not gone unnoticed. Researchandmarkets.com recently reported that its newly available research report indicates the cloud security market in the energy sector is expected to grow at a compounded annual rate of 11.2% from 2019 to 2024. In addition, the risks posed by the merging of the internet and energy infrastructure appropriately remains forefront in the minds of our country’s lawmakers as evidenced by the introduction of Senate Bill 174 (S.174), Securing Energy Infrastructure Act, in Congress this year. S.174 calls for the U.S. Department of Energy (DOE) to develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities.
There appears to be agreement that the electric industry must do more to deter, detect, and defeat cyber-threats as connectivity increases. A recent article in CIOReview reinforced a strategy that already is being employed by Sandia National Laboratories (SNL) in a newly patented alternative realty program designed to beat cyber criminals at their own game through the use of deception techniques. The CIOReview article states that most cybersecurity methods used for the smart grid rely on perimeter defenses. Its recommendation is to create internal defenses in addition to perimeter defenses, acknowledging that perimeter protection will eventually be defeated. Internal defenses are designed to reveal intruders and mislead them with false intel. This is exactly what the SNL High-Fidelity Adaptive Deception & Emulation System (HADES) program does. It feeds hackers simulated information that appears to be what they would find on the target site, providing time for the intruder to be identified and mitigated.
More than 10 years ago, the National Institute of Standards and Technology (NIST) established the Smart Grid Interoperability Panel (SGIP) and a cybersecurity committee (SGCC) to address the cross-cutting issue of cybersecurity. The primary goal is to develop a cybersecurity risk management strategy for the smart grid to enable secure interoperability of solutions across different domains and components. Information and results from this effort can be found here. NIST initiated programs have provided baseline cybersecurity guidance, reviews, and recommendations for standards and requirements, outreach, and technology transfer as well as cybersecurity expert networks for the smart grid.
Unfortunately, every day we are reminded that cyberthreats are ever present, so the SGCC’s job is certainly not over. According to UtilityDive, the security firm Proofpoint identified an apparently foreign sponsored phishing campaign wagered in July that was targeting U.S. utilities. The problem we now face as we strive to extend connectivity and interoperability across the grid and into homes and businesses was described in a useful background study from North Carolina State University titled Cyber Security in the Smart Grid: Survey and Challenges. The systems we are dealing with contain hugely disparate devices with vastly different time scales, scalability, and capabilities of embedded devices. The authors conclude it would be impractical to use a single security approach across the smart grid. Instead, they predict that many fine-grained security solutions designed specifically for distinct network applications may be needed to protect our infrastructure. It’s a good bet our government, academic, and industry experts are up for the challenge!