Good and bad news about cyber security for smart grids in Europe – awareness is growing and there is realization that it’s a problem and something needs to be done, but knowing what to do and how to address the specific issues of the sector are the challenges.
In an interview with Engerati at the Smart Energy UK & Europe Summit 2015, Klaus Kursawe, head of the R&D team at the European Network for Cyber Security (ENCS), recalls his first foray into smart grid, gaining notoriety but unpopularity in advocating that it should be halted until the security issues were understood. “People say their system is secure but secure against what? If someone spends enough money or if the NSA really wants to get into a smart meter they’ll put the budget on it and there’s no way to stop them,” he says. “It’s a matter of the security levels and finances of attackers, and right now we have a low level of security. We can’t make an attack impossible – but we can make it harder than it is right now.”
Smart grid use cases
Kursawe points to specific challenges of smart grid. Among these is its very different nature to traditional IT. “If I have a virus on my computer I can shut it down and start forensics or get a new one. One can’t simply turn off a substation and spend a week analyzing how to get a virus out.”
Then there are the cost constraints, with the additional costs required for in-built security. With energy customers footing the bills for items such as smart meters, the business case will need to be made to the regulator.
And third are the changing use cases, with hardware such as smart meters typically expected to be in the field for 20 years or more. “A smart meter that is put out now may only do billing but I have no idea what it will be doing in 10 years – maybe still billing or maybe a smart home hub,” he says. “With each case comes a threat and we are designing for now but the use cases are in the future.”
An example that Kursawe says he likes quoting is that of the ‘safe’. In the past this would have been used principally for money, but today it is more likely to be used for documents. Whereas the safe was effective for storing money, it is less so for documents as the ease has been demonstrated of drilling a small hole to insert an endoscope to read the documents. “The use of the safe has changed and what used to be secure isn’t anymore,” he says.
Cyber security in Europe
Kursawe says that in an ideal world it would be possible to spend time figuring out the smart grid and then build a secure system. However, this clearly isn’t possible and he likens it the airline industry introducing a new plane, which – after designing it as safe as economically feasible before the launch – is measured, observed and analyzed during operation to mitigate safety risks before they become catastrophic. While not ideal from a pure security point of view, in reality a similar procedure appears to be the best possibility for the smart grid, with constant observation and updating of the security procedures.
However, in Europe there are two main needs at present. One is a global overview of cyber security activities, and a new EU directive is expected to lead to the development of an appropriate platform for information and knowledge sharing on security incidents.
The second pertains to standards and the need for greater harmonization between the European member states, with some having their own standards and others having no security requirements at all.
Smart grid cyber security in Europe
Kursawe says that there are several key requirements to improving smart grid cyber security in Europe. Security requirements including upgradeability need to be included in tenders. There is a need for awareness training at C-level and particularly among engineering and procurement personnel.
There is also a need to build the business case arguing for future-proofing. “Spend a bit more to assure not having to replace,” he says. There are examples of systems that are supposed to stay in the field for more 15 years or more but already have no resources left for software upgrades. Thus, he predicts, we are creating tomorrow’s legacy systems now for which an incident could force us to choose between living with a vulnerable system or having to replace several million meters.
Major security incidents in Europe?
In reality such an incident is unlikely in the near future, Kursawe believes, saying there will probably be ‘demonstrator’ attacks but not on a large scale.
When it comes to smart meters, Kursawe says that most meter attacks wouldn’t scale well. For example, with PLC all meters on the same line could be attacked but it would be harder to extend that attack to others. The greatest short term risk in the smart meter is the remote on-off switch, he says, and if say 100,000 households could be switched off that would do severe damage to the grid. Principally as a result of this vulnerability, in the Netherlands for example, inclusion of the switch, previously mandatory, is now optional.
However, for him the bigger concern is at the back end – substation automation and the bigger systems. “There, hack one system and it has a large scale effect.”