Current wisdom is that it’s not a question of if but rather when your utility will have a security breach, whether from something as basic as an employee opening a spambot mail on their PC to something substantially more serious.
“Accurate statistics are hard to come by, but there is evidence of an increase in the numbers of attacks,” says Dr Klaus Kursawe, Chief Scientist at the European Network for Cyber Security (ENCS).
“Smart meter hacking is now a real business and for example in Malta an insider attack resulted in several millions of euros of damage,” he says, also referring to a report from Iskraemeco suggesting that up to half of smart meters have been hacked. He also notes an increase in the number of attacks on SCADA systems, citing as an example an attack on a local tram system in Poland by a 14-year-old resulting in derailments and passenger injuries.
This is why cyber security is so important for the smart grid, says Dr Kursawe, who discusses smart grid cyber security in an Engerati briefing, Cyber-Security in Smart Grids, what we see today.
The ENCS is a non-profit organization created and owned by European DSOs to understand and address relevant security issues with research, training and information sharing.
Critical infrastructure security no longer optional
“The smart grid is a system of enormous complexity and while the ideal would be to stop development until we fully understand it, that is obviously impractical,” says Dr Kursawe, pointing out that in any event in Europe, security and privacy is no longer optional. In terms of the NIS Directive, which explicitly includes the energy sector and is expected to become part of national law before the year end, organizations are required both to take “appropriate technical and organizational measures” and to inform the authorities of any significant incident. Failure to comply will result in significant sanctions.
Dr Kursawe says implementing cyber security is not without its challenges, as for example attackers prefer to stay invisible while they are planning an attack and the ROI on cyber security investment is hard to measure. Stating that 100% cyber security is “a myth,” as breaching any system is only a matter of effort – with an ROI for the attacker – he offers a five part process.
Security as a process
This starts with learning to gain a full understanding of one’s own system, including what devices there are and their security levels and weaknesses, and the potential impacts of a cyber attack. On this basis a cyber security system can be designed, which protects as well as it can. If the system detects a security breach then the company reacts, and this feeds back into the learning process and potentially a system redesign, etc.
“Done this way the system can start with what can be handled and can grow to become more secure,” says Dr Kursawe.
As a case study, Dr Kursawe discusses the Stuxnet Uranium enrichmnent programme attack, saying this had a multi-year attack preparation likely involving the use of field agents with four novel attack technologies and attack on at least two software vendors at a cost in the double digit millions. “But still the attack got found and could be mitigated and shows that we can do something.”
Security is an organizational issue
Dr Kursawe also reminds that security is ultimately an organizational issue and responsibility and that the technology will only work if the organization is fully prepared. “Security is everywhere in organization processes and requires a use case analysis and risk assessment leading to high level security requirements.”
A key is to transform these requirements into vendor requirements, as “if you don’t ask for security, you don’t get it.” Such vendor requirements for smart metering security prepared by ENCS for oesterrechs energie have been published by the company and are now being developed into a harmonized minimum set of requirements for European DSOs.
“We should remember that security isn’t a competitive issue and all the DSOs have the same issues and limited resources to resolve them. Such a coordinated set of requirements should make for cheaper and better components and solutions.”
For more insights on smart grid cyber security, register for the briefing.