by Ann Longmore-Etheridge
A new report by Pike Research puts it bluntly: utility smart-grid cybersecurity is "in a state of near chaos."
A new report released by Pike Research, “Utility Cyber Security: Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond,” puts it bluntly: “Utility cyber security is in a state of near chaos. After years of…utilities investing in compliance minimums rather than full security and attackers having free rein, the attackers clearly have the upper hand.”
A discussion of the report at Infosec Island notes, “One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality."
A lack of security standards is also a huge problem. Currently there are no enforceable smart-grid security standards anywhere in the world for power distribution grids. This lack of a stick to make utilities focus on smart-grid security has led to many utilities investing in cyber security only “when financial punishment for not investing is threatened,” the report says.
Carefully crafted guidelines such as U.S. NIST Interagency Report (NISTIR) 7628 are helping, but because they are not enforceable standards, “utilities and vendors that would like to take action now to produce secure smart grids face a quandary: Which guidelines are going to survive? How is it possible to stake a direction now for cyber security and know with assurance that laws enacted several years from now will support that direction? … Those who choose to plow ahead now risk losing their entire investment if future laws invalidate their approach.”
Promising tech. The report also reviews the five most promising smart grid cyber security technologies. The first three are multi-factor authentication on control systems, combining something you have (a smart key), something you know (a password) and a biometric measurement; control network isolation, where “network traffic from enterprise networks to control networks [is] limited to the absolute minimum necessary to manage the control network;” and application whitelisting, which permits only approved executables to run instead of trying to recognize and block malicious ones. The other two are stronger data encryption, and security logging and correlation, “to correlate the infrastructure-level events, such as those from firewalls and logons, with those from the control devices themselves. Good correlation makes it possible to prevent incidents before they occur, by linking infrastructure-level and control-level events together and analyzing them.”
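The logging-and-correlation idea in the last item, as an added example that is not from the report or from this article: a firewall accept from the enterprise network into the control network, a logon on the HMI from that same source, and a control write issued by that HMI are each unremarkable on their own, but chained within a short window they describe one enterprise-originated control change that can then be checked against policy. All hosts, IP addresses, user names, tag names, log formats and the policy values (the five-minute window, the approved-operator list, the operating hours) are constructed for illustration.

```python
"""Added example: chaining firewall, logon and controller events.

Everything here is constructed: host names, IPs, user names, tag names,
log formats and policy values are hypothetical, not from the report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

WINDOW = timedelta(minutes=5)        # max gap between consecutive links in a chain
CONTROL_NET = "192.168.50."          # hypothetical control-network address prefix
APPROVED_OPERATORS = {"operator"}    # hypothetical allow-list of control-room accounts
OPERATING_HOURS = range(6, 18)       # hypothetical: changes expected only 06:00-17:59 UTC

# Constructed sample logs, one event per line: "<timestamp> <host> <event> key=value ..."
FIREWALL_LOG = """\
2012-03-01T02:10:05Z fw01 ACCEPT src=10.20.1.17 dst=192.168.50.10 dport=3389 proto=tcp
2012-03-01T09:00:01Z fw01 ACCEPT src=10.20.1.40 dst=192.168.50.10 dport=3389 proto=tcp
2012-03-01T09:00:03Z fw01 DROP src=10.20.1.99 dst=192.168.50.10 dport=502 proto=tcp
"""
LOGON_LOG = """\
2012-03-01T02:10:31Z hmi01 LOGON user=contractor src=10.20.1.17 result=success
2012-03-01T09:00:12Z hmi01 LOGON user=operator src=10.20.1.40 result=success
"""
CONTROL_LOG = """\
2012-03-01T02:11:02Z plc07 WRITE tag=BREAKER_12_CMD value=OPEN by=hmi01
2012-03-01T09:04:40Z plc07 WRITE tag=BREAKER_12_CMD value=OPEN by=hmi01
2012-03-01T14:30:00Z plc07 WRITE tag=SETPOINT_3 value=55 by=hmi01
"""

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse(log: str) -> list:
    """Parse the constructed key=value format; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_s, host, kind, rest = m.groups()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
        events.append(Event(ts, host, kind, fields))
    return events

def follows(earlier: datetime, later: datetime) -> bool:
    """True if `later` is at or after `earlier` and no more than WINDOW after it."""
    return timedelta(0) <= later - earlier <= WINDOW

def correlate(fw_log: str, logon_log: str, control_log: str) -> list:
    """Return chains: enterprise->control firewall accept, then a logon on the HMI
    from that same source address, then a control write issued by that HMI."""
    accepts = [e for e in parse(fw_log)
               if e.kind == "ACCEPT" and e.fields.get("dst", "").startswith(CONTROL_NET)]
    logons = [e for e in parse(logon_log)
              if e.kind == "LOGON" and e.fields.get("result") == "success"]
    writes = [e for e in parse(control_log) if e.kind == "WRITE"]
    chains = []
    for w in writes:
        for logon in logons:
            if logon.host != w.fields.get("by") or not follows(logon.ts, w.ts):
                continue
            entry = next((f for f in accepts
                          if f.fields.get("src") == logon.fields.get("src")
                          and follows(f.ts, logon.ts)), None)
            if entry is None:
                continue  # logon came from inside the control network; not this chain
            chains.append({
                "entry_ts": entry.ts, "src": entry.fields["src"],
                "user": logon.fields.get("user"), "hmi": logon.host,
                "write_ts": w.ts, "device": w.host,
                "tag": w.fields.get("tag"), "value": w.fields.get("value"),
            })
    return chains

def alerts(chains: list) -> list:
    """Apply policy to each chain; only chains that break policy become alerts."""
    out = []
    for c in chains:
        reasons = []
        if c["user"] not in APPROVED_OPERATORS:
            reasons.append("account is not an approved operator")
        if c["write_ts"].hour not in OPERATING_HOURS:
            reasons.append("control change outside operating hours")
        if reasons:
            out.append({**c, "reasons": reasons})
    return out

if __name__ == "__main__":
    for a in alerts(correlate(FIREWALL_LOG, LOGON_LOG, CONTROL_LOG)):
        print(f"{a['write_ts']:%H:%M:%S} {a['user']}@{a['src']} via {a['hmi']} "
              f"wrote {a['tag']}={a['value']} on {a['device']}: {', '.join(a['reasons'])}")
```

On the constructed data the 02:11 breaker command is flagged (a non-operator account, at night, entering from the enterprise side) while the 09:04 command by an approved operator is not, and the 14:30 setpoint write produces no chain at all because no enterprise-side entry precedes it. Note that this only detects; turning a correlated chain into prevention, as the report's wording suggests, requires wiring the alert to an enforcement point such as the firewall or the HMI session itself.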