Cybersecurity: No Finish Line

Smart grid security relies on real-time prevention, detection and correction.
Published: Wed 09 Apr 2014

Cybersecurity for smart grid systems and deployments has gained a great deal of attention over the past several years. Most of this attention has been in the form of negative criticism as many believe that the industry as a whole is not doing enough to tackle cybersecurity.

There is no doubt that utilities agree that there is a great need to secure these systems and many are adopting solutions in response. However, there is still doubt over the adequacy of the industry’s efforts.

Cybersecurity and smart grid: the challenges

There is no finish line when it comes to cybersecurity and the smart grid. Systems change and hackers learn new tricks. Adversaries and threats are constantly evolving and new vulnerabilities can be revealed. As a result, system requirements are always changing.

Many technical solutions have been developed or customized for the smart grid environment, which has seen tangible improvements. However, the industry continues to struggle to evolve and deploy solutions in the face of threats that seem to be growing in intensity and complexity. Simply put, the utility is battling to keep up.

The bottom line for utilities is to reduce the risks that any system or application poses to the operational and business aspects of the power grid. While this can be attained by limiting or even removing system functionality, it’s a safe bet that the industry will follow the opposite direction. Utilities will rely more on these systems and increase their functionality in the future.

All facets should be considered

This evolution drives the need for constant improvement of the employed cybersecurity solutions. Many cybersecurity solutions are aimed at blocking unauthorized activity (malicious or otherwise) within the utility’s control systems. While preventative measures such as these are critical, they represent only one facet of technical security controls. According to Brian Smith, Principal Consultant on the Smart Grid Engineering team at EnerNex, these can be organized into three basic types:

  • Preventative security controls help to block a threat from exploiting a utility control system weakness or vulnerability

  • Detective security controls help identify that a security event (malicious or otherwise) is present within the utility’s control system

  • Corrective security controls help mitigate or reduce the effects of an event affecting the utility’s control system

Of the three types of security controls, preventative controls are typically the most popular in any security program since they limit the possibility of loss by preventing an event from occurring. These are normally designed, tested, and validated with specific threats and vulnerabilities in mind.

The challenge with preventative security controls in control systems that support smart grid functions is that the utility’s ability to quickly deploy new or modified security controls may become limited. Utilities invest a lot of effort in the testing and validation of their control systems’ operations. This may create an overly rigid environment when the need for new or modified security controls comes about.

In many cases, system updates, modifications, and subsequent testing are not feasible until an outage of the supported power system assets, as is the case for a generating plant Distributed Control System (DCS). As new threats and vulnerabilities are revealed, utilities may not be able to deal with the associated risks until new or modified preventative security controls are adopted. In order to resolve this, detective and corrective security controls will become the utilities’ main defence.

Creating a robust security system

In many electric utility control system deployments, detective and corrective controls are not implemented in a real-time fashion. As a result, they prove to be less effective in mitigating potential impact to real-time power system operations. Often, these controls are applied after the fact, such as examining security logs to detect an event that has already happened or restarting a system to reload an application.

While these are legitimate security controls for more business-centric systems, they often fall short when attempting to limit risks to control systems. This can put the stability of the security system at risk, which may lead to increased vulnerability.

To be effective in control systems supporting smart grid functions, detective and corrective security controls have to be invoked as soon as possible after the start of the event.

Together, all three security control types form an effective defence system. If one type is ineffective or cannot be deployed in a timely manner, a mechanism must be employed in order to detect an event as quickly as possible. Often, detection alone may not be enough. Therefore, corrective mechanisms must be put in place to react to the detected event.

Basically, electric utilities need all three types of security controls in smart grid deployments, as this will create a robust defence mechanism.